Chapter 13
Trusted Computing and Multilevel Security


Computer Security Models

•
•

Problems involved both
design and
implementation
Led to development of
formal security models

o

All complex software systems have eventually

All complex software systems have eventually
Two
fundamental computer
revealed flaws or bugs that need to be fixed

security facts:
It is extraordinarily difficult to build computer
hardware/software not vulnerable to security
attacks

•

Initially funded by US
Department of Defense

Bell-LaPadula (BLP) model
very influential


Bell-LaPadula (BLP) Model
•
•
•
•
•
•

Developed in 1970s
Formal model for access control
Subjects and objects are assigned a security class

o
o

Top secret > secret > confidential > restricted > unclassified
Form a hierarchy and are referred to as security levels

A subject has a security clearance
An object has a security classification
Security classes control the manner by which a subject may access an object



Bell-LaPadula (BLP) Model
Access Modes

The subject is
READ
READ

allowed only

APPEND
APPEND

read access
to the object

is allowed
only write
access to
the object

The subject is

The subject

The subject

allowed neither

is allowed

WRITE
WRITE

both read

EXECUTE
EXECUTE

read nor write

and write

access to the

access to the

object but may

object

invoke the
object for

•

execution

Multilevel security

o

o

No read up

•
•

Subject can only read an object of less or equal security level
Referred to as the simple security property (ss-property)

No write down

•
•

A subject can only write into an object of greater or equal security level
Referred to as the *-property


high-level object-1

flow of
information

malicious subject
with high-level
security clearance
low-level object-1

Figure13.1 Information Flow ShowingtheNeed for the*-property



BLP Formal Description
•
•

Based on current state of system (b, M, f, H):
(current access set b, access matrix M, level function f, hierarchy H)

Three BLP properties:
ss-property: (Si, Oj, read) has fc(Si) ≥ fo(Oj).
*-property: (Si, Oj, append) has fc(Si) ≤ fo(Oj) and
(Si, Oj, write) has fc(Si) = fo(Oj)

•

ds-property: (Si, Oj, Ax) implies Ax ∈ M[Si

BLP give formal theorems
o Theoretically possible to prove system is secure
o In practice usually not possible


Release access

•

Change object level

•


Change current level

•

Give access permission

•

Rescind access permission

•

Create an object

•

Delete a group of objects

•

8

7

6

5

4


3

2

1

BLP Rules


Carla

level roles

c1-s

operation
roles
c1-s— read

c1-t

c1-s— write

c1-t — write

f2

c1-t — read


f1

(a) Two newfiles arecreated: f1: c1-t; f2: c1-s

Carla

level roles

operation
roles
c1-s— read

f3
(comments to f2)

Dirk

c1-s

c1-t

c1-s— write

c1-t — write

f2

c1-t — read

f1


(b) A third fileisadded: f3: c1-s

Figure13.2 Exampleof Useof BLP Concepts (page 1 of 3)


Carla

level roles

Dirk

c1-s

operation
roles
c1-s— read

c1-t

c1-s — write

f3 (comments
to f2)

f2

c1-t — write

f4

exam

c1-t — read

exam
template

f1

(c) An exam is created based on an existingtemplate: f4: c1-t

Carla

level roles

operation
roles
c1-s— read

f3 (comments
to f2)

Dirk

c1-s

c1-t

c1-s — write


f2

c1-t — write

f4
exam

f1

c1-t — read

exam
template

(d) Carla, as student, ispermitted acess to theexam: f4: c1-s

Figure13.2 Exampleof Useof BLP Concepts (page 2 of 3)


Carla

Dirk

level roles

operation
roles
c1-s — read

f3 (comments

to f2)

c1-s

c1-t

c1-s — write

f2

c1-t — write

f4
exam

f1

c1-t — read

f5 (exam
answer)

exam
template

(e) Theanswersgiven by Carla areonly accessiblefor theteacher: f5: c1-t

Figure13.2 Exampleof Useof BLP Concepts (page 3 of 3)



root

descriptor segment
current-process

DSBR

segment ptr

process level table

r

parent

e w

segment ACL L s
current-process L u
ACL

Ls = segment security level
Lu = user security level

segment

Figure13.3 Multics Data Structures for MLS

current-process r e w



Limitations to the BLP Model
•

Incompatibility of confidentiality and integrity within a single MLS system

o
o

MLS can work either for powers or for secrets but not readily for both
This mutual exclusion excludes some interesting power and integrity centered technologies from being used effectively in
BLP style MLS environments

•

Cooperating conspirator problem in the presence of covert channels

o
o

In the presence of shared resources the *-property may become unenforceable
In essence, the BLP model effectively breaks down when (untrusted) low classified executable data are allowed to be
executed by a high clearance (trusted) subject


Biba Integrity Model
•
•

Various models dealing with integrity

Strict integrity policy:

o
o
o

Simple integrity:

I(S) ≥ I(O)

Integrity confinement: I(S) ≤ I(O)
Invocation property:

I(S1) ≥ I(S2)

write

High-integrity process

read

write

Low-integrity process

read

High-integrity file

Low-integrity file

disallowed

Figure13.4 Contamination With SimpleIntegrity Controls [GASS88]


USERS
CDI = constrained data item
IVP = integrity verification procedure
TP = transformation procedure
UDI = unconstrained data item

E3: Users areauthenticated

E2: Users authenticated for TP
C3: Suitableseparation of duty

C1: IVP validates CDI state
C5: TPs validateUDI

C2: TPs preservevalid state

CDI

IVP

CDI
log
CDI

System in

somestate

UDI

CDI

TP

E4: Authorization
lists changed only
by security officer

CDI
log
CDI

C4: TPs writeto log
E1: CDIs changed only by authorized TP

Figure13.5 Summary of Clark-Wilson System Integrity Rules [CLAR87]


Set of all objects

Conflict of
interest classes

CI 1

Company

datasets Bank A
Individual
objects

a

b

CI 2

Bank B
c

d

e

CI 3

GasA

Oil A

f

g

Oil B
h


i

(a) Exampleset

Set of all objects

CI 1

Bank A
g

b

CI 2

Bank B
c

Set of all objects

d

e

CI 3

GasA

Oil A


f

g

CI 1

Oil B
h

(b) J ohn has accessto Bank A and Oil A

i

Bank A
g

b

CI 2

Bank B
c

d

e

CI 3

GasA


Oil A

f

g

Oil B
h

(c) J anehasaccessto Bank A and Oil B

Figure13.6 Potential Flow of Information Between Two CIs

i


Table
13.1

Terminology
Related
to
Trust


Audit
file

Subjects


Reference
Monitor
(policy)

Security kernel
database
Subject: security
clearance
Object: security
classification

Figure13.7 ReferenceMonitor Concept

Objects


Bob

Bob: RW

Reference
Monitor

Bob

Bob: RW

"CPE170KS"
Program


"CPE170KS"
Program

Data file

Alice: RW
Bob: W

Alice

Program

Alice: RW
Bob: W

Alice

Back-pocket
file

Back-pocket
file

Program

(a)

Bob


Data file

(c)

Bob: RW

Reference
Monitor

Bob

Bob: RW

"CPE170KS"
Program

"CPE170KS"
Program

Data file

Alice: RW
Bob: W

Alice

Program

Back-pocket
file


(b)

Data file

Alice: RW
Bob: W

Alice
Back-pocket
file

Program

(d)

Figure13.8 Trojan Horseand SecureOperatingSystem


Multilevel Security (MLS)
RFC 4949 defines multilevel security as follows:
“A mode of system operation wherein (a) two or more
security levels of information are allowed to be handled concurrently within the same
system when some users having access to the system have neither a security clearance
nor need-to-know for some of the data handled by the system and (b) separation of the
users and the classified material on the basis, respectively, of clearance and classification
level are dependent on operating system control.”


Table

13.2

RBAC
Elements


Department Table- U

Employee- R

Did

Name

Mgr

Name

Did

Salary

Eid

4

accts

Cathy


Andy

4

43K

2345

8

PR

James

Calvin

4

35K

5088

Cathy

4

48K

7712


James

8

55K

9664

Ziggy

8

67K

3054

(a) Classified by table

Department Table

Employee

Did -U

Name -U

Mgr -R

Name -U


Did -U

Salary -R

Eid -U

4

accts

Cathy

Andy

4

43K

2345

8

PR

James

Calvin

4


35K

5088

Cathy

4

48K

7712

James

8

55K

9664

Ziggy

8

67K

3054

(b) Classified by column (attribute)


Figure
13.9 Approaches to DatabaseClassification (page 1 of 2)
Figure
13.10


Department Table
Did

Name

Mgr

4

accts

Cathy

8

PR

James

Employee
Name

Did


Salary

Eid

R

Andy

4

43K

2345

U

U

Calvin

4

35K

5088

U

Cathy


4

48K

7712

U

James

8

55K

9664

R

Ziggy

8

67K

3054

R

(c) Classified by row (tuple)


Department Table
Did
4-U
8-U

Name

Mgr

accts - U Cathy - R
PR - U

James -R

Employee
Name

Did

Salary

Eid

Andy - U

4-U

43K - U

2345 - U


Calvin - U

4-U

35K - U

5088 - U

Cathy - U

4-U

48K - U

7712 - U

James - U

8-U

55K - R

9664 - U

Ziggy - U

8-U

67K - R


3054 - U

(d) Classified by element

Figure
13.10
Approaches to DatabaseClassification (page 2 of 2)
Figure
13.9


Database Security
Read Access

•
•
•
•
•

DBMS enforces simple security rule (no read up)
Easy if granularity is entire database or at table level
Inference problems if have column granularity

o
o

If can query on restricted data can infer its existence


•

SELECT Ename FROM Employee WHERE Salary > 50K

Solution is to check access to all query data

Also have problems if have row granularity

o

Null response indicates restricted/empty result

No extra concerns if have element granularity


Database Security
Write Access

•
•
•
•

Enforce *-security rule (no write down)
Have problem if a low clearance user wants to insert a row with a primary
key that already exists in a higher level row:

o
o
o


Can reject, but user knows row exists
Can replace, compromises data integrity
Polyinstantiation and insert multiple rows with same key, creates conflicting entries

Same alternatives occur on update
Avoid problem if use database/table granularity