BLP and BIBA Flashcards
what is Bell La Padula model
a security model used to enforce mandatory access controls for confidentiality in information systems
BLP - data classification model
> each subject or object is assigned to a security class
security classes form a strict hierarchy called security levels
e.g:
top secret > secret > confidential > unclassified
BLP - security clearance
> subjects go through a background check
security clearance indicates their level of trustworthiness
BLP - security classification
> data (objects) are assigned a classification level which indicates the level of sensitivity
BLP - 4 access modes
> read
append: write only (no read)
write: read+write
execute: neither read nor write, but may invoke object for execution
BLP - partial ordering
(c1, d1)<=(c2,d2) IF (d1<=d2) AND (c1<=c2)
- c is clearance
- d is classification level
BLP - NO READ UP, NO WRITE DOWN, DS properties
> no read up property (simple security property): a subject can only read an object of lower or equal security level
no write down property (*-property): a subject can only write an object of greater or equal security level
discretionary property: a subject can exercise only accesses for which it has the necessary authorization and which satisfy the MAC rules
the idea with the discretionary property
the idea is that site policy overrides discretionary access controls, so a user cannot give away data to unauthorized persons.
- basically you are an employee with your own key to your office: you can control who enters your office or even lend out the key
- but just because you can does not mean that it is fully authorized, because your boss might have specific policies which override your rules
BLP formal description
- current state of system:
> (b, M, f, H)
- current access set b
- access matrix M
- level function f
- hierarchy H
BLP - current access set b
set of triples {subject, object, access mode}
- (s, o, a) means subject s is currently accessing object o in access mode a
BLP - access matrix M
Mij
- row i = subject Si
- column j = object Oj
- entry Mij shows the permitted access modes of Si to Oj
BLP - level function f
- f0(Oj): classification level of object Oj
- fs(Si): security clearance of subject Si = max security level of Si
- fc(Si): current security classification level of subject Si
BLP - hierarchy H
a directed rooted tree whose nodes are objects in the system. The security level of an object must dominate the security level of its parent
BLP - no read up formal description
(Si, Oj, read) requires fc(Si) >= f0(Oj)
can only read an object of lower or equal security level
BLP - no write down formal description
(Si, Oj, append) requires fc(Si) <= f0(Oj)
can only append to an object of greater or equal security level
(Si, Oj, write) requires fc(Si) = f0(Oj)
write includes read, so it is only allowed at the subject's own current level
BLP - discretionary formal description
(Si, Oj, Ax) implies Ax belongs to M[Si, Oj]
BLP - when to characterize a system as secure
- the current state of the system (b, M, f, H) is secure
IF AND ONLY IF: every element of b satisfies the 3 BLP properties
what is BIBA model
a computer security model that enforces integrity by preventing information flow from lower integrity levels to higher integrity levels, aiming to maintain data consistency and prevent unauthorized changes
BLP VS BIBA
similarities:
- both use access control rules to determine access
- both assign security levels to subjects and objects
differences:
- BIBA addresses integrity
- BLP addresses confidentiality
BIBA - what is integrity
- integrity is usually defined in terms of preventing improper or unauthorized change to data
- in BIBA, integrity refers to the trustworthiness of data or resources
BIBA - model rules
information can only flow down
> higher levels are not allowed to read down
> lower levels are not allowed to write up
BIBA - access modes
> modify: write or update info
observe: read info
execute: execute an object
invoke: communication from one object to another
BIBA - integrity rules
- simple integrity: subject can only modify an object if its integrity is higher, I(S) >= I(O)
- confinement integrity: subject can only read an object if its integrity is lower, I(S) <= I(O)
- invocation integrity: subject S1 can only invoke another subject S2 if I(S1) >= I(S2)
subject low watermark property
subject can read (observe) an object of any integrity level
> after the reading, the subject's integrity is changed to Inf(I(S), I(O))
> it uses the subject's previous integrity level and the object's current integrity level, and chooses the minimum of the two
object low watermark property
subject can modify (write/update) an object of any integrity level
> after the modification, the object's integrity is changed to Inf(I(S), I(O))
> it uses the object's previous integrity level and the subject's current integrity level, and chooses the minimum of the two
Discuss the relative ease with which a virus can spread through a system that implements mandatory access controls. Consider both the Bell-Lapadula model and the Biba model.
- Which model will have the greatest impact on the spread of a virus?
- How is the spread of a virus or worm on more common systems affected by the privileges with which the users run?
- What about the privileges with which servers run?
BLP
a. virus attached to a file at system low
> all labels dominate system low, so all users can read and execute the infected file
> on execute, the infected process will most likely run at the invoking user's label and thus can spread to all other files at that label
b. virus attached to a file at system high
> propagation would be limited at system high
> the virus-infected file could only be read and executed by a process also running at system high
> a process running at system high cannot downgrade data, so only other system-high files have the possibility for infection
BIBA
a. virus attached to a file at low integrity
> the infection will be contained at the low integrity level because subjects cannot modify higher integrity objects
> so the infection will only spread to other low integrity data
b. virus attached to a file at high integrity
> all users can read/execute the high integrity file
> so the infected file will be available to processes running at the low integrity level
> that process can propagate its data to other files at its level