Bell-LaPadula model
The Bell-LaPadula Model was developed by David Elliott Bell and Leonard J. LaPadula in 1973 [1] [2] [3] to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules in terms of security labels on objects, ordered from the most sensitive to the least sensitive, and clearances for subjects. For example, a set of security labels for documents might be, from most to least sensitive, "Top Secret", "Secret", "Confidential", "Sensitive but Unclassified" and "Unclassified".
Features
The Bell-LaPadula model focuses on the confidentiality of classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity.
In this formal model, the entities in an information system are divided into subjects and objects. The notion of a secure state is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system is secure. The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a system. The transition from one state to another state is defined by transition functions.
A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with the security policy. To determine whether a specific access mode is allowed, the clearance of the subject is compared with the classification of the object: the subject is authorized for that mode only if the required dominance relation between the two labels holds. The clearance/classification scheme is expressed as a lattice, so two labels need not be comparable (for example, two "Secret" labels with different compartments). The model defines three security properties: two mandatory access control (MAC) rules and one discretionary access control (DAC) rule:
- The Simple Security Property states that a subject at a given level of confidentiality may not read an object at a higher confidentiality level (no read-up).
- The * (star) Property states that a subject at a given level of confidentiality must not write to any object at a lower level of confidentiality (no write-down).
- The Discretionary Security Property uses an access matrix to specify discretionary access control.
Transferring information from a high-sensitivity document into a lower-sensitivity one (downgrading, or extracting an unclassified paragraph from a classified report) is possible in the Bell-LaPadula model only through trusted subjects. A trusted subject is exempt from the * property and is allowed to write down, on the assumption that it has been verified not to violate the intent of the policy even though it violates the letter of the rule.
This security model is directed toward confidentiality (rather than data integrity) and is characterized by the phrase: "no read up, no write down". Compare this with the Biba model and Clark-Wilson model.
With Bell-LaPadula, users can only create content at or above their own security level (secret researchers can create secret or top-secret files but may not create public files). Conversely, users can only view content at or below their own security level (secret researchers can view public or secret files, but may not view top-secret files).
The Bell-LaPadula model has some weaknesses, including:
- The model considers only the normal (overt) channels of information exchange; it does not address covert channels, such as signalling through resource usage or timing.
- The model does not specify how to handle file sharing and servers in modern distributed systems.
- The model does not explicitly define what makes a state transition itself secure; it only requires that the resulting state be secure, which is a weaker guarantee than it may appear.
- The model is based on multi-level security policy and does not address other secure policies that an organization might require.
Strong * Property
The Strong * Property is an alternative to the * Property in which subjects may only write to objects with exactly the same security label as their own. The write-up operation permitted by the usual * Property is therefore absent; only a write-to-same operation remains. The Strong * Property is usually discussed in the context of multilevel database management systems and is motivated by integrity concerns: a low subject blindly writing up into data it cannot read can corrupt it. [4]
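The following Python example is added here and is not part of the article or of the original Bell-LaPadula papers. It implements the lattice of labels (level plus compartments), the three properties from the Features section (ss-property, *-property with a trusted-subject exemption, and ds-property via an access matrix), and the Strong * Property above as a selectable variant. The `request` method plays the role of a transition function and `is_secure` is the secure-state predicate; the class and function names and the sample subjects and documents are constructed for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Set, Tuple

# Linear sensitivity levels from the article, least to most sensitive.
LEVELS = ["Unclassified", "Sensitive but Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A lattice element: a sensitivity level plus a set of compartments (categories)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 iff level1 >= level2 AND categories1 is a superset of categories2.
        return RANK[self.level] >= RANK[other.level] and self.categories >= other.categories


class StarPolicy(Enum):
    STANDARD = "standard"  # *-property: write only to objects whose label dominates the subject's
    STRONG = "strong"      # strong *-property: write only to objects with an equal label


class AccessDenied(Exception):
    pass


@dataclass
class System:
    clearance: Dict[str, Label]                          # subject -> clearance
    classification: Dict[str, Label]                     # object -> classification
    matrix: Dict[Tuple[str, str], Set[str]]              # DAC: (subject, object) -> allowed modes
    trusted: Set[str] = field(default_factory=set)       # trusted subjects exempt from the * property
    star: StarPolicy = StarPolicy.STANDARD
    current: Set[Tuple[str, str, str]] = field(default_factory=set)  # held accesses (s, o, mode)

    def _check(self, subject: str, obj: str, mode: str) -> None:
        cs, co = self.clearance[subject], self.classification[obj]
        # ds-property: the access matrix must grant the mode (discretionary control).
        if mode not in self.matrix.get((subject, obj), set()):
            raise AccessDenied(f"ds-property: {subject} has no {mode} right on {obj}")
        # ss-property: no read-up, the subject's clearance must dominate the object's label.
        if mode == "read" and not cs.dominates(co):
            raise AccessDenied(f"ss-property: {subject} may not read up to {obj}")
        # *-property: no write-down (write is alter-only here), unless the subject is trusted.
        if mode == "write" and subject not in self.trusted:
            if self.star is StarPolicy.STANDARD and not co.dominates(cs):
                raise AccessDenied(f"*-property: {subject} may not write down to {obj}")
            if self.star is StarPolicy.STRONG and co != cs:
                raise AccessDenied(f"strong *-property: {subject} may only write at its own label")

    def request(self, subject: str, obj: str, mode: str) -> bool:
        """Transition function: add (subject, object, mode) to the held-access set, or
        refuse the transition so that the system never moves out of a secure state."""
        self._check(subject, obj, mode)
        self.current.add((subject, obj, mode))
        return True

    def release(self, subject: str, obj: str, mode: str) -> None:
        self.current.discard((subject, obj, mode))

    def is_secure(self) -> bool:
        """Secure-state predicate: every access currently held satisfies all three properties."""
        for subject, obj, mode in self.current:
            try:
                self._check(subject, obj, mode)
            except AccessDenied:
                return False
        return True


def build_demo(star: StarPolicy = StarPolicy.STANDARD) -> System:
    """Constructed sample data (not from the article): a Secret analyst, a trusted
    Top Secret downgrader, and documents at several labels. The DAC matrix grants
    everything except one entry, so that MAC decides the rest."""
    secret, top_secret, unclass = Label("Secret"), Label("Top Secret"), Label("Unclassified")
    secret_nato = Label("Secret", frozenset({"NATO"}))
    subjects = {"analyst": secret, "downgrader": top_secret}
    objects = {"ts_report": top_secret, "s_memo": secret, "s_brief": secret,
               "nato_cable": secret_nato, "press_release": unclass}
    matrix = {(s, o): {"read", "write"} for s in subjects for o in objects}
    del matrix[("analyst", "s_memo")]   # one DAC denial to exercise the ds-property
    return System(subjects, objects, matrix, trusted={"downgrader"}, star=star)


def allowed(system: System, subject: str, obj: str, mode: str) -> bool:
    """Convenience wrapper: True if the transition was taken, False if it was refused."""
    try:
        return system.request(subject, obj, mode)
    except AccessDenied:
        return False
```

Two points the code makes that the prose leaves implicit: dominance is a partial order, so the Secret analyst is refused the Secret/NATO cable even though the levels match, and `is_secure` is a property of the state rather than of the rule check alone, so reclassifying an object while an access is held can move the system into an insecure state that no transition would have produced.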
See also
- Multilevel security - MLS
- Mandatory Access Control - MAC
- Discretionary Access Control - DAC
- Biba Integrity Model
- Take-Grant Model
- The Clark-Wilson Integrity Model
- Graham-Denning Model
- Security Modes of Operation
Footnotes
- [1] Bell, D. Elliott and LaPadula, Leonard J. (1973). "Secure Computer Systems: Mathematical Foundations". MITRE Corporation.
- [2] Bell, D. Elliott and LaPadula, Leonard J. (1976). "Secure Computer Systems: Unified Exposition and MULTICS Interpretation". MITRE Corporation.
- [3] Bell, David (December 2005). "Looking Back at the Bell-La Padula Model". Proc. 21st Annual Computer Security Applications Conference.
- [4] Sandhu, Ravi S. (1994). "Relational Database Access Controls". Handbook of Information Security Management (1994-95 Yearbook), 145-160, Auerbach Publishers. Retrieved on 2006-08-12.
References
- Bishop, Matt (2003). Computer Security: Art and Science. Boston: Addison Wesley.
- McLean, John. (1994). "Security Models". Encyclopedia of Software Engineering 2: 1136–1145. New York: John Wiley & Sons, Inc.
- Krutz, Ronald L., Russell Dean Vines (2003). The CISSP Prep Guide, Gold Edition, Indianapolis, Indiana: Wiley Publishing.