the bell lapadula model
play

The Bell-LaPadula Model CSM27 Computer Security Dr Hans Georg - PowerPoint PPT Presentation

Jan 04, 2023 •350 likes •848 views

The Bell-LaPadula Model CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 Week 6 Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 Week 6 1 / 32 The session Outline The session 1 Finite

  1. The Bell-LaPadula Model CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 – Week 6 Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 1 / 32

  2. The session Outline The session 1 Finite Automata 2 Bell-LaPadula 3 Security Properties 4 Limitations 5 Multics 6 Conclusion 7 Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 2 / 32

  3. The session Session objectives Be able to use the principle of finite automata to describe security models. Understand the confidentiality policy of Bell-LaPadula Understand the limitations of Bell-LaPadula Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 3 / 32

  4. Finite Automata Outline The session 1 Finite Automata 2 Bell-LaPadula 3 Security Properties 4 Limitations 5 Multics 6 Conclusion 7 Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 4 / 32

  5. Finite Automata A finite automata state-machine ≈ automata 1 0 1 A set of states , Q An input alphabet Σ 0 1 1 0 labels for the state transitions 2 3 0 inital state q 0 ∈ Q 0 accepting states A ⊂ Q 0 1 1 transition function δ : Q × Σ → Q 5 4 1 0 equivalent to the edges (arrows) Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 5 / 32

  6. Finite Automata A finite automata 1 A state can be good or bad 0 1 secure or insecure 0 1 1 Transitions from good to bad 0 states are dangerous. 2 3 0 Two criteria 0 0 1 1 Start state be secure No transition from secure to 5 4 1 0 insecure Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 6 / 32

  7. Finite Automata A finite automata 1 A state can be good or bad 0 1 secure or insecure 0 1 1 Transitions from good to bad 0 states are dangerous. 2 3 0 Two criteria 0 0 1 1 Start state be secure No transition from secure to 5 4 1 0 insecure Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 6 / 32

  8. Finite Automata A finite automata 1 A state can be good or bad 0 1 secure or insecure 0 1 1 Transitions from good to bad 0 1 states are dangerous. 2 3 0 Two criteria 0 0 1 1 Start state be secure No transition from secure to 5 4 1 0 insecure Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 6 / 32

  9. Bell-LaPadula Outline The session 1 Finite Automata 2 Bell-LaPadula 3 Security Properties 4 Limitations 5 Multics 6 Conclusion 7 Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 7 / 32

  10. Bell-LaPadula The principle of an automata model Describe all secure states 1 Describe transitions from secure states 2 Prove that no transition leads from secure to insecure 3 If this is possible, the system is provably secure. Bell-LaPadula is one description of secure states. Similar principles apply to e.g. database development Database has to be maintained in a consistent state No operation (transition) allowed to bring the database to an inconsistent state Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 8 / 32

  11. Bell-LaPadula Elements of Access Control a set of subjects S a set of objects O set of access operations A = { execute , read , append , write } A set of security levels L , with a partial ordering ≤ Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 9 / 32

  12. Bell-LaPadula The State Set A state : ( b , M , f ) , includes Access operations currently in use b List of tuples ( s , o , a ) , s ∈ S , o ∈ O , a ∈ A . Access permission matrix M = ( M s , o ) s ∈ S , o ∈ O , where M s , o ⊂ A Clearance and classification f = ( f S , f C , f O ) f S : S → L maximal security level of a subject f C : S → L current security level of a subject ( f C ≤ f S ) f O : O → L classification of an object Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 10 / 32

  13. Security Properties Outline The session 1 Finite Automata 2 Bell-LaPadula 3 Security Properties 4 Limitations 5 Multics 6 Conclusion 7 Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 11 / 32

  14. Security Properties Simple Security Property (SS-property) A state ( b , M , f ) satisfies the SS-property if ∀ ( s , o , a ) ∈ b , such that a ∈ { read , write } f O ( o ) ≤ f S ( s ) I.e. a subject can only observe objects of lower classification Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 12 / 32

  15. Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32

  16. Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32

  17. Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32

  18. Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32

  19. Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32

  20. Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32

  21. Security Properties *-property A state ( b , M , f ) satisfies the *-property if ∀ ( s , o , a ) ∈ b , such that a ∈ { append , write } f C ( s ) ≤ f O ( o ) and if ∃ ( s , o , a ) ∈ b where a ∈ { append , write } , then ∀ o ′ , a ′ ∈ { read , write } , such that ( s , o ′ , a ′ ) ∈ b f O ( o ′ ) ≤ f O ( o ) I.e. a subject can only alter objects of higher classification, and cannot read a high-level object while writing to a low-level object. Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 14 / 32

  22. Security Properties Discretionary Security Property Previous security properties provide Mandatory Access Control i.e. a centrally defined access policy The security levels are defined by a central policy Discreationary Access Control (DAC) decentralises the control The access control matrix M allows DAC in Bell-LaPadula A state ( b , M , f ) satisfies the DS-property if ∀ ( s , o , a ) ∈ b a ∈ M s , o . Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 15 / 32

  23. Security Properties Discretionary Security Property Previous security properties provide Mandatory Access Control i.e. a centrally defined access policy The security levels are defined by a central policy Discreationary Access Control (DAC) decentralises the control The access control matrix M allows DAC in Bell-LaPadula A state ( b , M , f ) satisfies the DS-property if ∀ ( s , o , a ) ∈ b a ∈ M s , o . Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 15 / 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

April 21: Bell-LaPadula Model Bell-LaPadula confidentiality model Tranquility

April 21: Bell-LaPadula Model Bell-LaPadula confidentiality model Tranquility

April 21: Bell-LaPadula Model Bell-LaPadula confidentiality model Tranquility Declassification McLeans criticism and System Z April 21, 2017 ECS 235B Spring Quarter 2017 Slide #1 Rule : R V D V Takes a

560 views • 45 slides
ECS 289M Lecture 8 April 17, 2006 Bell-LaPadula Model, Step 2 Expand notion of security

ECS 289M Lecture 8 April 17, 2006 Bell-LaPadula Model, Step 2 Expand notion of security

ECS 289M Lecture 8 April 17, 2006 Bell-LaPadula Model, Step 2 Expand notion of security level to include categories Security level is ( clearance , category set ) Examples ( Top Secret, { NUC, EUR, ASI } ) ( Confidential,

304 views • 18 slides
April 17: Policy Limits on secure and precise mechanisms Bell-LaPadula confidentiality

April 17: Policy Limits on secure and precise mechanisms Bell-LaPadula confidentiality

April 17: Policy Limits on secure and precise mechanisms Bell-LaPadula confidentiality model Tranquility Declassification McLeans criticism and System Z April 17, 2017 ECS 235B Spring Quarter 2017 Slide #1 Types of

449 views • 30 slides
MONTANA NO KID HUNGRY BREAKFAST AFTER THE BELL 1 in 5 Breakfast after the Bell On average,

MONTANA NO KID HUNGRY BREAKFAST AFTER THE BELL 1 in 5 Breakfast after the Bell On average,

MONTANA NO KID HUNGRY BREAKFAST AFTER THE BELL 1 in 5 Breakfast after the Bell On average, school breakfast participation rises to more than 70% when schools implement a Breakfast after the Bell model versus 30% with a traditional model that

116 views • 10 slides
Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats Security policies Confidentiality Policies Policy The Bell-LaPadula Model Specification Integrity Policies The Biba

698 views • 49 slides
CSCE 790 Computer Systems Security Malware Professor Qiang Zeng Spring 2020 Previous

CSCE 790 Computer Systems Security Malware Professor Qiang Zeng Spring 2020 Previous

CSCE 790 Computer Systems Security Malware Professor Qiang Zeng Spring 2020 Previous Class Implementation Principles Policy and Mechanism Decoupling Reference Monitor Bell-LaPadula (BLP) Secrecy Model No read up

822 views • 34 slides
Workload Assessment Model You can email questions to Donna.Bell@gov.ab.ca anytime during the

Workload Assessment Model You can email questions to Donna.Bell@gov.ab.ca anytime during the

Workload Assessment Model You can email questions to Donna.Bell@gov.ab.ca anytime during the presentation. 1 Workload Management in Human Services 2015: Revision of CI Resource Forecast and Benchmarks 2013: OPT Resource Forecasting Model

271 views • 11 slides
Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-1 Outline Formal verification techniques Design verification languages Bell-LaPadula and SPECIAL Current verification systems

911 views • 63 slides
EVENTS AND CELEBRATIONS THE BELL AT BELBROUGHTON WWW.THEBELLBELBROUGHTON.CO.UK WELCOME TO THE

EVENTS AND CELEBRATIONS THE BELL AT BELBROUGHTON WWW.THEBELLBELBROUGHTON.CO.UK WELCOME TO THE

EVENTS AND CELEBRATIONS THE BELL AT BELBROUGHTON WWW.THEBELLBELBROUGHTON.CO.UK WELCOME TO THE BELL AT BELBROUGHTON Located just outside the charming village of Belbroughton, Tie Bell is the ideal place for your event or celebration. Our

192 views • 6 slides
From Model Checking to Proof Checking ... and Back Kedar Namjoshi Bell Labs April 29, 2005

From Model Checking to Proof Checking ... and Back Kedar Namjoshi Bell Labs April 29, 2005

From Model Checking to Proof Checking ... and Back Kedar Namjoshi Bell Labs April 29, 2005 Abstraction Model Checking = Deductive Proof MODEL CHECKING PROOF CHECKING M | = M Completeness Abstraction Proof Lifting M | = M

626 views • 36 slides
Duck Duckworth Str h Street (Bell eet (Bell Farm Rd rm Rd to St. Vince to St. ncent t St)

Duck Duckworth Str h Street (Bell eet (Bell Farm Rd rm Rd to St. Vince to St. ncent t St)

Public Information Centre (PIC) Duck Duckworth Str h Street (Bell eet (Bell Farm Rd rm Rd to St. Vince to St. ncent t St) St) Transpor ansportatio tion Impr mprovements ements Schedule hedule C Class EA Class EA

534 views • 24 slides
Silver Bell & St. Lawrence (SBSL), MT Silver Bell & St. Lawrence (SBSL), MT

Silver Bell & St. Lawrence (SBSL), MT Silver Bell & St. Lawrence (SBSL), MT

Silver Bell & St. Lawrence (SBSL), MT Silver Bell & St. Lawrence (SBSL), MT SBSL is 100% owned and is comprised of a 520 acre claim package, subject to 2% NSR. SBSL Property Hosts two historic Montana gold mines (the Silver

305 views • 9 slides
Gates open 8:40 Mineweaser: First bell 8:55 Day 1: Music/Library Last Bell 9:00 Day 2:

Gates open 8:40 Mineweaser: First bell 8:55 Day 1: Music/Library Last Bell 9:00 Day 2:

Gates open 8:40 Mineweaser: First bell 8:55 Day 1: Music/Library Last Bell 9:00 Day 2: Art/Mandarin Day 3: PE/STEM 9:00-9:50 Science/Social Studies 9:50-10:30 Specials Herr: Day 1: Art/Mandarin 10:30-12:00 Math Day 2: PE/STEM

876 views • 48 slides
Random access and massive wireless networks Philippe Jacquet Nokia Bell Labs Terminal network

Random access and massive wireless networks Philippe Jacquet Nokia Bell Labs Terminal network

Random access and massive wireless networks Philippe Jacquet Nokia Bell Labs Terminal network interface model Packets internally generated Network interface buffer Network interface Server (one packet max) Traffic Poisson model Finite

601 views • 38 slides
captured in New Zealand fisheries ELIZABETH BELL & MIKE BELL Wildlife Management

captured in New Zealand fisheries ELIZABETH BELL & MIKE BELL Wildlife Management

INT 2016/02: Identification of seabirds captured in New Zealand fisheries ELIZABETH BELL & MIKE BELL Wildlife Management International Limited, PO Box 607, Blenheim 7240, New Zealand, biz@wmil.co.nz Presentation of results from seabirds

585 views • 16 slides
Sidan 1 The activation concept The activation concept 1. Wakes up, Son starts executing

Sidan 1 The activation concept The activation concept 1. Wakes up, Son starts executing

Problem: The activation concept ! bell ! help ! ! 1 ! 2 ! ! Bal help ! ! ! ! Bal bell ! 3 Jr $31 ! ! ! ! What happend Main ! here? ! 1. Executing program, wants bell ! Jr $31 2. Creates son, Tells

274 views • 4 slides
I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage

I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage

I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage Channel Hyunwook Baek , Eric Eide, Robert Ricci, Jacobus Van der Merwe University of Utah 1 Motivation Information leakage in cloud has

874 views • 49 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
Information flow and policy In five minutes, you learn what the average college graduate

Information flow and policy In five minutes, you learn what the average college graduate

Information flow and policy In five minutes, you learn what the average college graduate remembers five years after he or she is out of school. If you want to know more about something... Ask me Man pages, manuals, papers, books

451 views • 18 slides
Cloud security CS642: Computer Security Professor Ristenpart

Cloud security CS642: Computer Security Professor Ristenpart

Cloud security CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

567 views • 43 slides
Anlisis y Desarrollo de un canal encubierto en una red de sensores ! Jose A. Onieva, Ruben Rios,

Anlisis y Desarrollo de un canal encubierto en una red de sensores ! Jose A. Onieva, Ruben Rios,

Anlisis y Desarrollo de un canal encubierto en una red de sensores ! Jose A. Onieva, Ruben Rios, Bernardo Palenciano* ! NICS Lab University of Mlaga ! http://www.nics.uma.es ! *Dpto. de Infraestructura de TTI ! ! RECSI 2014, Alicante,

618 views • 19 slides
Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-00.txt Bob

Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-00.txt Bob

Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-00.txt Bob Briscoe , BT IETF-69 tsvwg Jul 2007 initial draft Layered Encapsulation of Congestion Notification initial draft:

350 views • 10 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides

More recommend