Access Control and the Bell-LaPadula Model. CS 4235.
Historical Background
• Physical Access Control
• No mixing of data (sensitive vs not)
• Hardwired terminal access
• No multiplexing of users and data
• What happens when all the data is stored in the same place and users with different trust levels are allowed to access it?
• Multi-level security problem
Documents vs People
• Documents have classifications
  • Top Secret
  • Secret
  • Confidential
  • Unclassified
  • Sensitive
  • Non sensitive
• People have Clearances
  • Top Secret
  • Secret
  • Q
There are also code words that are not classifications
• ULTRA identified information encrypted with Enigma machines
Categories – how material is handled
• Sensitive compartmented information (SCI) – Intelligence
  • Operations and methods
  • Nuclear secrets
  • Stealth
• Special Access Programs (SAP) – Defense
  • Acknowledged
  • Unacknowledged
  • Waived
• Solves two logistical problems
  • Collateral clearances for everyone would be expensive
  • Need to limit information to those with need to know
• SIGMA (Department of Energy)
• SAP/SCI requires Secure Compartmented Information Facility (SCIF)
Caveats and Other Codes
• NOFORN
• RESTRICTED
• NO CONTRACTOR
• REL TO <Country Code>
• ORCON
• FOUO
• PROPIN
• SECRET//<compartment name>//NOFORN//ORCON//25X1
People are cleared to
• Classification levels
• Categories
• Other Labels
Discretionary Access Control
• E.g., Unix permissions
• Set access conditions on a file so that only a group of your choosing can read it
• Anyone with access can propagate the information by resetting permissions
Mandatory Access Control
• Security authority sets permissions
• Only the security authority can propagate information
• Violations are very serious
Orderings
• TS > S > C
• How about
  • (S//NUC//NOFORN) vs TS?
  • (TS//EUR/25x1) vs (TS//CRYPTO//PROPIN)?
Access Control Models
• Access decision: (S, O, R) → YES/NO
• Read (observe)
• Write (observe, alter)
• Execute (no observe, no alter)
• Append (alter, no observe)
Accesses take the system from state to state
• All accesses must be allowed by MAC rules
• [Figure: states σ1, σ2, σ3 connected by the accesses (T, b, append) and (S, a, read)]
• If you start in a secure state, do you end up in a secure state?
Granting Access Should Not Violate MAC
• [Figure: a Subject with READ access to a High Level Object and WRITE access to a Low Level Object; the arrow through the subject, marked "?", shows the flow of information from high to low]
Simple Security Property
• The current level of a subject dominates the level of every object that it observes
• Like paper systems
• “No read up”
*-Property
• If S can observe a and alter b, then a ≤ b
• “No write down”
Partial Orders
• S = {a1, a2, …, an}
• P = (S, ≤) is a PO iff
  • If a ≤ b and b ≤ a, then a = b (anti-symmetric)
  • If a ≤ b and b ≤ c, then a ≤ c (transitive)
  • a ≤ a (reflexive)
• Examples
  • Natural numbers under ≤
  • Subsets under ⊆ (inclusion)
• How about
  • Choices on a ballot under “is preferred to”?
  • People under “trusts”?
Lattices
• A POSET S
• Every subset of S has a greatest lower bound
• Every subset of S has a least upper bound
• [Figure: a subset of S containing x1 and x2; x3, x4 and x5 are all upper bounds of the subset, and x is its LUB]
Security Levels
• A security level is a pair (c, s) where
  • c is a classification from a POSET of classifications (e.g., U, S, TS, but the exact classifications don’t matter)
  • s is a set of categories (e.g., NUC, CRYPTO, …, but the exact categories don’t matter)
• (c1, s1) ≥ (c2, s2) iff c1 ≥ c2 and s2 ⊆ s1
• Levels form a lattice
Assigning Security Levels to Subjects and Objects
• level(S), level(O) = security level of S, O
• current-level(S) = level at which S is currently operating
• current-level(S) ≤ level(S)
• level(S) = max(current-level(S)) is called S’s clearance
Security Properties
• SS-property: For any (S, O, A), if A includes observation then level(S) ≥ level(O) (“no read up”)
• *-property: For any (S, O, A)
  • r ∈ A implies current-level(S) ≥ level(O)
  • a ∈ A implies current-level(S) ≤ level(O)
  • w ∈ A implies current-level(S) = level(O)
  (“no write down”)
• If a subject can observe O1 and modify O2, then level(O2) ≥ level(O1)
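The Security Levels and Security Properties slides above, worked in Python as an added example (this is not code from the lecture or from any Bell-LaPadula implementation). It builds the (c, s) lattice with dominance, join and meet, then decides (S, O, A) → YES/NO for the r, a and w access modes using the SS- and *-properties. The classification names, ranks, category names and the sample subject are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Classifications form a total order; these ranks are constructed for the example
# (as the slide says, the exact classifications do not matter).
CLASSIFICATION_RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Level:
    """A security level (c, s): classification c and a set of categories s."""
    c: str
    s: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # (c1, s1) >= (c2, s2) iff c1 >= c2 and s2 is a subset of s1
        return (CLASSIFICATION_RANK[self.c] >= CLASSIFICATION_RANK[other.c]
                and other.s <= self.s)

    def join(self, other: "Level") -> "Level":
        # Least upper bound: the higher classification, union of categories
        c = max(self.c, other.c, key=CLASSIFICATION_RANK.__getitem__)
        return Level(c, self.s | other.s)

    def meet(self, other: "Level") -> "Level":
        # Greatest lower bound: the lower classification, intersection of categories
        c = min(self.c, other.c, key=CLASSIFICATION_RANK.__getitem__)
        return Level(c, self.s & other.s)


def comparable(a: Level, b: Level) -> bool:
    """Levels can be incomparable, e.g. (S, {NUC}) vs (TS, {}): neither dominates."""
    return a.dominates(b) or b.dominates(a)


@dataclass
class Subject:
    clearance: Level   # level(S)
    current: Level     # current-level(S); must satisfy current-level(S) <= level(S)

    def __post_init__(self):
        if not self.clearance.dominates(self.current):
            raise ValueError("current-level(S) must not exceed level(S)")


def access_allowed(subject: Subject, obj: Level, mode: str) -> bool:
    """Decide (S, O, A) -> YES/NO for A in {"r", "a", "w"}.

    r = observe only, a = append (alter only), w = observe and alter.
    """
    if mode == "r":
        # SS-property: level(S) >= level(O); *-property: current-level(S) >= level(O)
        return subject.clearance.dominates(obj) and subject.current.dominates(obj)
    if mode == "a":
        # *-property for alter-only: current-level(S) <= level(O), i.e. no write down
        return obj.dominates(subject.current)
    if mode == "w":
        # Observe and alter: SS-property for the observation, equal levels for the write
        return subject.clearance.dominates(obj) and subject.current == obj
    raise ValueError(f"unknown access mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample: a TS//NUC cleared subject currently operating at S//NUC
    alice = Subject(clearance=Level("TS", frozenset({"NUC"})),
                    current=Level("S", frozenset({"NUC"})))
    requests = [
        ("plan.txt", Level("S", frozenset({"NUC"})), "w"),     # YES: equal levels
        ("intel.txt", Level("TS", frozenset({"NUC"})), "r"),   # NO: read up
        ("intel.txt", Level("TS", frozenset({"NUC"})), "a"),   # YES: append up is allowed
        ("motd", Level("U"), "a"),                             # NO: write down
        ("crypto.txt", Level("S", frozenset({"CRYPTO"})), "r"),  # NO: missing category
    ]
    for name, lvl, mode in requests:
        label = f"{lvl.c}//{','.join(sorted(lvl.s)) or '-'}"
        print(f"{mode} {name:11} {label:10} -> {'YES' if access_allowed(alice, lvl, mode) else 'NO'}")
```

Note that the r and w checks test both level(S) and current-level(S) even though the Subject invariant makes the clearance check redundant for reads; keeping both makes each slide's property visible in the code.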
Lattice Model
• Information only flows up the lattice
• System enforces the SS and * properties
A MAC Implementation
• Unix file system
• Label all files and directories with levels
• Assign level(u) to each user u
• u is initially assigned the lowest current-level
• Allow current-level(u) to float as higher level files are observed
• If level(u) ≥ current-level(u) issue kill(u)
• If level(f) ≥ level(u) and u writes to f issue kill(u)
• Is this secure?
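A simulation of the floating current-level scheme from the slide above, added as an example (not the lecture's code and not a real Unix MAC implementation). It assumes one reading of the two kill rules: a read floats current-level(u) up to the least upper bound of the levels observed so far and kills u if that would exceed level(u), and an append kills u when the target file's level does not dominate current-level(u), which is the *-property check from the Security Properties slide. The file labels, user clearances and the access trace are constructed; the block replays the trace and reports each step's outcome, without settling the slide's "Is this secure?" question.

```python
from typing import Dict, FrozenSet, List, Tuple

# Levels as (classification, categories); the ranks are constructed for the example.
RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}
Lvl = Tuple[str, FrozenSet[str]]
LOWEST: Lvl = ("U", frozenset())


def dominates(a: Lvl, b: Lvl) -> bool:
    return RANK[a[0]] >= RANK[b[0]] and b[1] <= a[1]


def join(a: Lvl, b: Lvl) -> Lvl:
    c = a[0] if RANK[a[0]] >= RANK[b[0]] else b[0]
    return (c, a[1] | b[1])


class User:
    def __init__(self, name: str, clearance: Lvl):
        self.name = name
        self.clearance = clearance   # level(u)
        self.current = LOWEST        # current-level(u) starts at the lowest level
        self.killed = False


def observe(u: User, files: Dict[str, Lvl], path: str) -> str:
    """Read: float current-level(u) up to cover the file; kill if that exceeds level(u)."""
    if u.killed:
        return "dead"
    floated = join(u.current, files[path])
    if not dominates(u.clearance, floated):
        u.killed = True
        return "kill"
    u.current = floated
    return "ok"


def alter(u: User, files: Dict[str, Lvl], path: str) -> str:
    """Append: kill if the file's level does not dominate current-level(u) (write down)."""
    if u.killed:
        return "dead"
    if not dominates(files[path], u.current):
        u.killed = True
        return "kill"
    return "ok"


def run(trace: List[Tuple[str, str, str]], users: Dict[str, User],
        files: Dict[str, Lvl]) -> List[str]:
    """Replay (user, op, path) steps and return the outcome of each step."""
    ops = {"read": observe, "append": alter}
    return [ops[op](users[name], files, path) for name, op, path in trace]


# Constructed sample labels (hypothetical paths, not real system files)
FILES: Dict[str, Lvl] = {
    "/etc/motd": ("U", frozenset()),
    "/ops/plan": ("S", frozenset({"NUC"})),
    "/pub/notes": ("U", frozenset()),
    "/ops/log": ("S", frozenset({"NUC"})),
}


def make_users() -> Dict[str, User]:
    return {"alice": User("alice", ("TS", frozenset({"NUC"}))),
            "bob": User("bob", ("S", frozenset()))}


TRACE = [
    ("alice", "read", "/etc/motd"),     # ok: current level stays U
    ("alice", "append", "/pub/notes"),  # ok: U writing to U
    ("alice", "read", "/ops/plan"),     # ok: current level floats to S//NUC
    ("alice", "append", "/ops/log"),    # ok: S//NUC writing to S//NUC
    ("alice", "append", "/pub/notes"),  # kill: write down from S//NUC to U
    ("bob", "read", "/ops/plan"),       # kill: S//NUC is not dominated by bob's S clearance
]

if __name__ == "__main__":
    for step, outcome in zip(TRACE, run(TRACE, make_users(), FILES)):
        print(step, "->", outcome)
```

The trace shows the ratchet effect of a floating level: once alice has observed /ops/plan she can no longer append to the unclassified file she wrote a moment earlier, because her current level has risen and the write would now be a write down.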