
Fall 2021
Cp 633
Slide #5-*
Chapter 5: Confidentiality Policies
This lecture covers sections 5.1, 5.2 (5.2.1, 5.2.2 and 5.2.2.1 only), and 5.3.
Overview
What is a confidentiality model
Bell-LaPadula Model
General idea
Informal description of rules
Tranquility
Controversy

Confidentiality Policy
Goal: prevent the unauthorized disclosure of information
Deals with information flow
Integrity aspect is incidental
Multi-level security models are best-known examples
Bell-LaPadula model is basis for many, or most, of these.

Bell-LaPadula Model, Step 1
Security levels are arranged in a linear ordering, for example:

Top Secret: highest
Secret
Confidential
Unclassified: lowest
Each subject (user or process) s has a security clearance L(s)
Each object o has a security classification L(o)
Access is decided as a function of the subject's clearance and the object's classification

Example
Tamara can read all files
Claire cannot read Personnel or E-Mail Files
Ulaley can only read Telephone Lists

security level   subject       object
Top Secret       Tamara        Personnel Files
Secret           (not shown)   E-Mail Files
Confidential     Claire        Activity Logs
Unclassified     Ulaley        Telephone Lists

Reading Information
Information may flow only upward, from a lower level to a higher one, never downward to a clearance the subject does not have
Therefore “reads up” are disallowed and “reads down” are allowed
Simple Security Condition (Step 1)
Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
Note: combines mandatory control – MAC (relationship of security levels) and discretionary control DAC (the required permission)
Sometimes called “no reads up” rule

Writing Information
Reads alone are not enough: a subject with high clearance could read a highly classified file and write its contents into a file with low classification.
Information must travel only up, not down
Therefore “writes down” are disallowed and “writes up” are allowed.
*-Property (Step 1)
Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
Sometimes called the “no writes down” rule; note that integrity is not a concern here, so a low subject may (blindly) write into a high object.

Basic Security Theorem, Step 1
Preliminary version of BST:
If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 1, and the *-property, step 1, then every state of the system is secure
Proof: induct on the number of transitions

Bell-LaPadula Model, Step 2
Expand the notion of security level to include information categories, following the need-to-know principle.
Objects are placed into categories (or compartments).
Each category is a kind of information, e.g. intelligence on a particular country.
Security level now becomes a tuple (clearance, category set)
Examples
( Top Secret, { NUC, EUR, US } )
( Confidential, { EUR, US } )
( Secret, { NUC, US } )

Security lattice by information categories
The lattice is generated by the categories NUC, EUR, and US: its elements are all subsets of {NUC, EUR, US}.
The lines represent the ordering relation induced by ⊆ (subset of).
A line is placed between A and B iff A ⊆ B, A ≠ B, and there exists no C such that A ⊆ C ⊆ B with A ≠ C and B ≠ C.

Security Levels and Lattices
We need an ordering relation among security levels expressed as tuples (clearance, category set), called dominance:
(A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
Examples
(Top Secret, {NUC, US}) dom (Secret, {NUC})
(Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
(Top Secret, {NUC}) does not dom (Confidential, {EUR}), since {EUR} ⊄ {NUC}
Let A be the set of classifications and C the set of categories. The set of security levels L = A × C, together with dom, forms a lattice
lub(L) = ( max(A), C ) – least upper bound: highest clearance, all categories
glb(L) = ( min(A), ∅ ) – greatest lower bound: lowest clearance, no categories

Levels and Ordering

The dominance relation is a partial ordering
Security levels are partially ordered
Not every pair of security levels is related by dom, e.g. (Secret, {NUC}) and (Secret, {EUR}) are incomparable
“dominates” serves the role of “greater than” in step 1
“greater than” is a total ordering, though; dom is not

Reading Information
Reading information flows up, not down
“Reads up” disallowed, “reads down” allowed
Simple Security Condition (Step 2)
Subject s can read object o iff L(s) dom L(o) and s has permission to read o
Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
Sometimes called “no reads up” rule

Writing Information
Information flows up, not down
“Writes up” allowed, “writes down” disallowed
*-Property (Step 2)
Subject s can write object o iff L(o) dom L(s) and s has permission to write o
Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
Sometimes called “no writes down” rule
Integrity is not addressed by this property.

Basic Security Theorem, Step 2
If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 2, and the *-property, step 2, then every state of the system is secure.
Proof: induct on the number of transitions.

Problem
Occasionally a subject at a higher security level needs to communicate with a subject at a lower security level.
E.g. a colonel needs to talk to a major
Colonel has (Secret, {NUC, EUR}) clearance
Major has (Secret, {EUR}) clearance
Colonel cannot talk (write) to the major: the *-property requires L(Major) dom L(Colonel), but it is the other way round, (Secret, {NUC, EUR}) dom (Secret, {EUR}), so the message would be a “write down”
Major can talk to the colonel (a “write up” for the major, a “read down” for the colonel)
Clearly absurd!

Solution
Define maximum and current security levels for subjects
maxlevel(s) dom curlevel(s)
A subject may effectively decrease security level from maximum in order to communicate with entities at lower security level.
Example
Treat Major with (Secret, {EUR}) as an object (Colonel is writing to him/her)
Colonel has maxlevel (Secret, { NUC, EUR })
Colonel sets curlevel to (Secret, { EUR })
Now L(Major) dom curlevel(Colonel)
Colonel can write to Major without violating “no writes down”
Temporary downgrading assumes that the subject sanitizes the data it holds from the higher security level (possible for processes, difficult for humans).
Alternatively, identify a set of “trusted” subjects that are permitted to violate the *-property.
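The dominance relation, the step 2 simple security condition and *-property, and the maxlevel/curlevel downgrade from the Problem and Solution slides, as one executable example. This is added to these notes and is not code from the slides or from Bishop's text. The RANK table, the Subject/Obj records with a small discretionary ACL, the colonel_major_demo scenario and the choice to check reads against the subject's current level are assumptions made here.

```python
# Bell-LaPadula step 2 (clearance + category set) as executable checks,
# including the maxlevel/curlevel downgrade. Added example for these notes;
# RANK, Subject, Obj, the ACL format and colonel_major_demo are constructed
# here and are not from the slides.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Linear ordering of classifications (step 1); higher rank = more sensitive.
RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Level:
    """A security level is a tuple (clearance, category set)."""
    clearance: str
    categories: FrozenSet[str] = frozenset()

    def dom(self, other: "Level") -> bool:
        """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
        return (RANK[other.clearance] <= RANK[self.clearance]
                and other.categories <= self.categories)


def lub(a: Level, b: Level) -> Level:
    """Least upper bound: the higher clearance, the union of categories."""
    top = a.clearance if RANK[a.clearance] >= RANK[b.clearance] else b.clearance
    return Level(top, a.categories | b.categories)


def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound: the lower clearance, the intersection of categories."""
    low = a.clearance if RANK[a.clearance] <= RANK[b.clearance] else b.clearance
    return Level(low, a.categories & b.categories)


@dataclass
class Subject:
    name: str
    maxlevel: Level
    curlevel: Optional[Level] = None   # defaults to maxlevel

    def __post_init__(self) -> None:
        if self.curlevel is None:
            self.curlevel = self.maxlevel
        if not self.maxlevel.dom(self.curlevel):
            raise ValueError("invariant violated: maxlevel must dom curlevel")

    def set_curlevel(self, new: Level) -> None:
        """Lower the current level (or raise it back), never above maxlevel."""
        if not self.maxlevel.dom(new):
            raise PermissionError(f"{self.name}: {new} exceeds maxlevel")
        self.curlevel = new


@dataclass
class Obj:
    name: str
    level: Level
    acl: Dict[str, Set[str]]   # discretionary part: subject name -> {"r", "w"}


def can_read(s: Subject, o: Obj) -> bool:
    """Simple security condition (step 2): L(s) dom L(o) and DAC read.
    Assumption: L(s) is the subject's current level."""
    return s.curlevel.dom(o.level) and "r" in o.acl.get(s.name, set())


def can_write(s: Subject, o: Obj) -> bool:
    """*-property (step 2): L(o) dom L(s) and DAC write ("no writes down")."""
    return o.level.dom(s.curlevel) and "w" in o.acl.get(s.name, set())


def colonel_major_demo() -> Dict[str, bool]:
    """The colonel/major scenario, before and after the colonel lowers
    curlevel. The major is modelled as an object at the major's level."""
    major_level = Level("Secret", frozenset({"EUR"}))
    colonel = Subject("colonel", Level("Secret", frozenset({"NUC", "EUR"})))
    major = Obj("major", major_level, {"colonel": {"r", "w"}})
    before = can_write(colonel, major)     # write down: refused
    colonel.set_curlevel(Level("Secret", frozenset({"EUR"})))
    after = can_write(colonel, major)      # equal levels: allowed
    # While downgraded the colonel must not see NUC material (sanitisation).
    nuc_report = Obj("nuc-report", Level("Secret", frozenset({"NUC"})),
                     {"colonel": {"r"}})
    return {"before": before, "after": after,
            "reads_nuc_while_downgraded": can_read(colonel, nuc_report)}


if __name__ == "__main__":
    print(colonel_major_demo())
```

The last check in the demo is the point of the sanitization caveat: once the colonel operates at (Secret, {EUR}) the model no longer lets that subject read NUC material, so anything NUC-related the colonel already holds must be kept out of the message by the subject itself, which the model cannot enforce.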


Example: Trusted Solaris
Provides mandatory access controls
Subjects and objects have labels.
Security level of subject or object is represented by sensitivity label
Labels for subjects consist of a classification and a set of categories.
Each user, i.e. subject, has a range of sensitivity labels.
Clearance is the least upper bound (lub) of all sensitivity labels of a user/subject.
Two administrative labels: ADMIN_HIGH (dominates every other label), used for system logs and configuration files,
and ADMIN_LOW (dominated by every other label), used for system objects
Subject S has controlling user US (i.e user running it)
SL is a sensitivity label of subject S
S has also attribute privileged(S, P) which is true if S can override or bypass part of security policy P
Attribute asserted(S, P) is true if S has attribute privileged(S, P) and is currently overriding P

Rules for ordinary users
For process S: US is the controlling user of S, CL is the clearance of US, SL is the sensitivity label of S, and OL is the sensitivity label of O
If ¬privileged(S, “change SL”), then no sequence of operations can change SL to a value that it has not previously assumed
If ¬privileged(S, “change SL”), then asserted(S, “change SL”) is false.
If ¬privileged(S, “change SL”), then no value of SL can be outside the clearance of US
For all subjects S and named objects O, if ¬privileged(S, “change OL”), then no sequence of operations can change OL to a value that it has not previously assumed.
Rules (con’t)
For process S: US is the controlling user of S, CL is the clearance of US, SL is the sensitivity label of S, and OL is the sensitivity label of O

For all subjects S, named objects O, if ¬privileged(S, “override O’s mandatory read access control”), then read access to O is granted only if SL dom OL
This is instantiation of simple security condition -no read up

For all subjects S, named objects O, if ¬privileged(S, “override O’s mandatory write access control”), then write access to O is granted only if OL dom SL and CL dom OL
Instantiation of *-property, no write down

Initial Assignment of Labels
Each account is assigned a label range [user’s minimum label, clearance] (the clearance is the least upper bound of the range).
On login, Trusted Solaris determines whether the session is single-level:
If clearance = minimum label, this is a single-level account and the session gets that label
If not, the account is multi-level; the user is asked to specify a clearance for the session, which must lie in the label range
In a multi-level session the user can change to any label between the minimum label and the session clearance
This is useful if the user has several workspaces, each with its own sensitivity label; somewhat like role-based access control.

Writing
Unlike BLP, writing is allowed when the subject and object labels are the same, OR
when the file is in a special downgraded directory D, with sensitivity label DL, that an administrator can create.
The conditions for subject S with sensitivity label SL and clearance CL to write into file O with sensitivity label OL in D are:
SL dom DL – i.e. the subject can read and search the directory (mandatory part)
S has discretionary read and search access to D
OL dom SL and OL ≠ SL – i.e. a strict write up; the no-write-down rule
S has discretionary write access to O
CL dom OL – i.e. the subject’s highest label dominates the object’s label
Note: the subject cannot read that object afterwards, since OL strictly dominates SL
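The write rule above as an executable check: a process may write a file at its own label, or write up into a file inside an administrator-created downgraded directory when every listed condition holds. This is an added example for these notes, not Trusted Solaris code; the tuple label encoding, the Dir/File/Proc records with their discretionary sets, and the users alice and bob in demo() are constructed here.

```python
# Trusted Solaris write rule (equal labels, or write up inside a downgraded
# directory D) as an executable check. Added example; the label encoding,
# Dir/File/Proc and the demo scenario are constructed here, not Trusted
# Solaris code.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

Label = Tuple[int, FrozenSet[str]]   # (classification rank, category set)


def dom(a: Label, b: Label) -> bool:
    """a dom b iff rank(a) >= rank(b) and categories(b) is a subset of categories(a)."""
    return a[0] >= b[0] and b[1] <= a[1]


@dataclass
class Dir:
    label: Label                                        # DL
    dac_read_search: Set[str] = field(default_factory=set)


@dataclass
class File:
    label: Label                                        # OL
    parent: Dir
    dac_write: Set[str] = field(default_factory=set)


@dataclass
class Proc:
    user: str           # controlling user US
    sl: Label           # sensitivity label SL the process runs at
    cl: Label           # clearance CL of the controlling user

    def __post_init__(self) -> None:
        if not dom(self.cl, self.sl):
            raise ValueError("clearance must dominate the sensitivity label")


def may_write(s: Proc, o: File, downgraded_dir: Optional[Dir] = None) -> bool:
    """True if S may write O under the Trusted Solaris rule."""
    if o.label == s.sl:
        return s.user in o.dac_write                  # ordinary case: equal labels
    if downgraded_dir is None or o.parent is not downgraded_dir:
        return False                                  # write up only inside D
    d = downgraded_dir
    return (dom(s.sl, d.label)                        # SL dom DL: S can search D
            and s.user in d.dac_read_search           # DAC read+search on D
            and dom(o.label, s.sl) and o.label != s.sl   # OL dom SL and OL != SL
            and s.user in o.dac_write                 # DAC write on O
            and dom(s.cl, o.label))                   # CL dom OL


def may_read(s: Proc, o: File) -> bool:
    """Mandatory part of the read rule: SL dom OL (no read up)."""
    return dom(s.sl, o.label)


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice (clearance TS/{EUR}) running at Secret/{EUR}
    writes into a TS/{EUR} file in the downgraded directory; bob has the same
    DAC rights but only a Secret clearance."""
    unclass = (0, frozenset())
    secret_eur = (2, frozenset({"EUR"}))
    ts_eur = (3, frozenset({"EUR"}))
    d = Dir(label=unclass, dac_read_search={"alice", "bob"})
    other = Dir(label=unclass, dac_read_search={"alice"})
    in_d = File(label=ts_eur, parent=d, dac_write={"alice", "bob"})
    elsewhere = File(label=ts_eur, parent=other, dac_write={"alice"})
    alice = Proc("alice", sl=secret_eur, cl=ts_eur)
    bob = Proc("bob", sl=secret_eur, cl=secret_eur)
    return {
        "alice_writes_up_in_D": may_write(alice, in_d, d),
        "alice_reads_what_she_wrote": may_read(alice, in_d),    # no read up
        "bob_writes_up_in_D": may_write(bob, in_d, d),          # CL too low
        "alice_writes_up_outside_D": may_write(alice, elsewhere, d),
    }


if __name__ == "__main__":
    print(demo())
```

The CL dom OL condition is what keeps the write-up bounded: without it a process could push data to any label at all, including ones its controlling user will never be cleared for, and the resulting object would be unreachable by anyone accountable for it.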

Directory Problem
Process p with MAC_A security level tries to create file /tmp/x
/tmp/x already exists but has MAC label MAC_B
Assume that MAC_B dom MAC_A
Create fails (p may not replace a file at a different label); the failure itself is effectively a “write down”, since information has flowed from MAC_B to MAC_A.
Now p knows that a file named x with a higher label exists – this is an information flow (a covert channel).
Fix: only programs with the same MAC label as the directory can create files in the directory
Now compilation won’t work and mail can’t be delivered, so a further fix is needed.

Multilevel Directory
Multilevel Directory has a set of hidden subdirectories, one per security level (label).
Not normally visible to the user
Process p with MAC_A creating /tmp/x actually creates /tmp/d/x, where d is the hidden directory corresponding to MAC_A
All of p’s references to /tmp actually go to /tmp/d
p cd’s to /tmp
System call stat(“.”, &buf) returns information (inode) about the real directory, i.e. /tmp/d
System call mldstat(“.”, &buf) returns information about /tmp itself
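The existence channel from the Directory Problem slide, and how a multilevel directory closes it, as a small in-memory simulation. This is an added example for these notes, not code from the slides or from Trusted Solaris: FlatDir, MultilevelDir, the hidden-directory naming .mld_<label>, the labels MAC_A and MAC_B (with MAC_B dom MAC_A), and the covert_channel helper are constructed here. The simulation applies an equal-label rule for removing files, taken from the Trusted Solaris write rule above.

```python
# /tmp/x existence channel versus a multilevel directory (MLD).
# Added example; the classes, label names, hidden-directory naming and the
# bit-signalling helper are constructed here and are not from the slides.
from typing import Dict, List

# Assumed labels: MAC_B dom MAC_A. A process at MAC_A must not learn
# anything about MAC_B objects, including whether a name exists.


class FlatDir:
    """An ordinary directory: one namespace shared by every label."""

    def __init__(self) -> None:
        self.files: Dict[str, str] = {}   # file name -> label of the file

    def create(self, name: str, plabel: str) -> str:
        if name in self.files:
            # The kernel must refuse (p may not replace a file at another
            # label), but the refusal tells p that the name exists.
            return "EEXIST"
        self.files[name] = plabel
        return "OK"

    def unlink(self, name: str, plabel: str) -> str:
        # Equal-label rule: a process removes only files at its own label.
        if self.files.get(name) != plabel:
            return "EPERM"
        del self.files[name]
        return "OK"


class MultilevelDir:
    """An MLD: one hidden subdirectory per label. /tmp/x for a process at
    label L is really /tmp/<hidden dir for L>/x."""

    def __init__(self, path: str = "/tmp") -> None:
        self.path = path
        self.sub: Dict[str, Dict[str, str]] = {}   # label -> hidden dir

    def _hidden(self, plabel: str) -> Dict[str, str]:
        return self.sub.setdefault(plabel, {})

    def resolve(self, name: str, plabel: str) -> str:
        """What the process's reference to /tmp/name actually names."""
        return f"{self.path}/.mld_{plabel}/{name}"

    def create(self, name: str, plabel: str) -> str:
        d = self._hidden(plabel)
        if name in d:
            return "EEXIST"            # collides only with same-label files
        d[name] = plabel
        return "OK"

    def unlink(self, name: str, plabel: str) -> str:
        d = self._hidden(plabel)
        if name not in d:
            return "ENOENT"
        del d[name]
        return "OK"

    def stat(self, plabel: str) -> str:
        """stat(".") from inside /tmp: the hidden per-label directory."""
        return f"{self.path}/.mld_{plabel}"

    def mldstat(self) -> str:
        """mldstat("."): the real multilevel directory."""
        return self.path


def covert_channel(tmp, bits: List[int]) -> List[int]:
    """High (MAC_B) sends each bit by creating or not creating /tmp/x; low
    (MAC_A) receives by checking whether its own create of /tmp/x fails.
    Returns the bits the low process recovers."""
    received = []
    for bit in bits:
        if bit:
            tmp.create("x", "MAC_B")
        probe = tmp.create("x", "MAC_A")
        received.append(1 if probe == "EEXIST" else 0)
        # Each side cleans up what it owns before the next round.
        tmp.unlink("x", "MAC_A")
        tmp.unlink("x", "MAC_B")
    return received


if __name__ == "__main__":
    print("flat:", covert_channel(FlatDir(), [1, 0, 1, 1, 0]))
    print("mld: ", covert_channel(MultilevelDir(), [1, 0, 1, 1, 0]))
```

With FlatDir the low process recovers every bit the high process sent; with MultilevelDir its probes always succeed in its own hidden directory, so the channel carries nothing, and the high process's x and the low process's x coexist at distinct real paths.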


Alternative to MLDs – Labeled Zones
Used in Solaris Trusted Extensions, and in various flavors of Linux
Zone: virtual environment tied to a unique label
Each process can only access objects in its zone – isolation among the zones
Global zone encompasses everything on the system
Its label is ADMIN_HIGH
Only system administrators can access this zone
Each zone has a unique root directory
All objects within the zone have that zone’s label
Each zone has a unique label

More about Zones
Other file systems can be imported or mounted from other zones provided that:
If importing read-only, the importing zone’s label must dominate the imported zone’s label (no read up)
If importing read-write, the importing zone’s label must equal the imported zone’s label
since labels are unique this means the zones are the same, so the import is unnecessary
Labels are checked only at the time of import
Objects in the imported file system retain their labels
Therefore a process can access an object only when the multilevel constraints allow it

More about Zones
Imported file systems have names distinct from files in the importing zone.
An imported file system is mounted at the directory “/zone/label”.
Executable files from system areas, which are in the global zone, are mounted using a special loopback option.
It makes them appear to be at ADMIN_LOW so that every process can read and execute them.
The same trick is used to mount, read-only, file systems from zones whose label the importing zone dominates (the no-read-up condition above).

Example: Solaris Trusted Extensions system
note: global zone is at level ADMIN_HIGH
L1 dom L2
L3 dom L2
A process in L1 can read any file in the export directory of L2 (assuming discretionary permissions allow it)
L1 and L3 are incomparable (neither dominates the other), so they do not share any files
System directories (e.g. usr) are imported from the global zone at ADMIN_LOW, so they can only be read

Directory layout from the figure (each zone’s root sits under /zone/<label>/root in the global zone; the export directory of the lower zone L2 appears read-only under /zone/L2 inside each zone that dominates L2):

/                      global zone (ADMIN_HIGH)
  usr
  zone
    L1
      root
        export
        usr            imported from the global zone, read-only, ADMIN_LOW
        zone
          L2
            export     L2’s export, read-only (L1 dom L2)
    L2
      root
        export
        usr            imported from the global zone, read-only, ADMIN_LOW
        zone
    L3
      root
        export
        usr            imported from the global zone, read-only, ADMIN_LOW
        zone
          L2
            export     L2’s export, read-only (L3 dom L2)

Principle of Tranquility
Raising object’s security level
Information once available to some subjects is no longer available
Usually assume information has already been accessed, so this does nothing
Lowering object’s security level
This is the declassification problem
Essentially, it is a “write down” violating *-property
Solution: define set of trusted subjects that sanitize (or remove) sensitive information before security level lowered

Types of Tranquility
Strong Tranquility
The clearances of subjects, and the classifications of objects, do not change during the lifetime of the system
Weak Tranquility
The clearances of subjects, and the classifications of objects, do not change in a way that violates the simple security condition or the *-property during the lifetime of the system

Controversy
McLean:
“value of the (basic security theorem) BST is much overrated since there is a great deal more to security than it captures. Further, what is captured by the BST is so trivial that it is hard to imagine a realistic security model for which it does not hold.”
Basis: given assumptions known to be non-secure, BST can prove a non-secure system to be secure

Key Points
Confidentiality models restrict flow of information
Bell-LaPadula models multilevel security
Cornerstone of much work in computer security
Controversy over meaning of security
Different definitions produce different results


Figure residue (node labels of the two lattice diagrams on the slides):

Category lattice generated by {NUC, EUR, US}, ordered by ⊆, top to bottom:
[NUC, EUR, US]
[NUC, EUR]   [EUR, US]   [NUC, US]
[NUC]   [EUR]   [US]
Ø

Security-level lattice over the clearances S (Secret) and TS (Top Secret) combined with those category sets: (TS, [NUC, EUR, US]) at the top, (S, Ø) at the bottom, and (TS, C) dom (S, C) for every category set C; the remaining nodes are (S, C) and (TS, C) for the other six category sets.