BLP and BIBA Flashcards
What is the Bell-LaPadula (BLP) model?
> a security model used to enforce mandatory access control (MAC) for confidentiality in information systems
BLP - data classification model
> each subject or object is assigned to a security class
security classes form a strict hierarchy called security levels
e.g:
top secret > secret > confidential > unclassified
BLP - security clearance
> subjects go through a background check
security clearance indicates their level of trustworthiness
BLP - security classification
> data (objects) are assigned classification level which indicates the level of sensitivity
BLP - 4 access modes
> read: read only (no write)
append: write only (no read)
write: read + write
execute: neither read nor write, but may invoke the object for execution
BLP - partial ordering (dominance)
> a security level is a pair (classification, set of categories); levels are only partially ordered:
(c1, S1) <= (c2, S2) IF (c1 <= c2) AND (S1 is a subset of S2)
- c is the classification component (e.g. secret)
- S is the set of categories (compartments)
- a subject's clearance and an object's classification are both security levels, so the same ordering compares them; two levels whose category sets are not nested are incomparable (neither <= nor >= the other), which is why this is a partial order and not a strict hierarchy
BLP - NO READ UP, NO WRITE DOWN, DS properties
> no read up (simple security property, ss-property): a subject can only read an object of lesser or equal security level
no write down (*-property): a subject can only write an object of greater or equal security level
discretionary security property (ds-property): a subject can exercise only those accesses for which it has the necessary authorization in the access matrix, and which also satisfy the MAC rules above
the idea behind the discretionary property
> the site's mandatory policy overrides discretionary access control, so a user cannot give away data to unauthorized persons even if the discretionary controls would let them
- analogy: you are an employee with your own key to your office; you can control who enters your office, or even lend out the key
- but just because you can does not mean it is authorized, because your boss may have policies that override your decisions
BLP formal description
- current state of the system:
> (b, M, f, H)
- b: current access set
- M: access matrix
- f: level function
- H: hierarchy
BLP - current access set b
> set of triples (subject, object, access mode)
- (s, o, a) in b means subject s is currently accessing object o in access mode a
BLP - access matrix M
> Mij
- row i = subject Si
- column j = object Oj
- Mij is the set of access modes Si is permitted to use on Oj (the discretionary part of the policy)
BLP - level function f
> fo(Oj): classification level of object Oj
- fs(Si): security clearance of subject Si = maximum security level of Si
- fc(Si): current security level of subject Si (never above fs(Si))
BLP - hierarchy H
a directed rooted tree whose nodes are objects in the system. The security level of an object must dominate the security level of its parent
BLP - no read up (ss-property) formal description
> (Si, Oj, read) in b implies fc(Si) >= fo(Oj)
a subject can only read an object of lesser or equal security level (same requirement for write, since write includes read)
BLP - no write down (*-property) formal description
> (Si, Oj, append) in b implies fc(Si) <= fo(Oj)
append (write only) may go up: only to an object of greater or equal security level
(Si, Oj, write) in b implies fc(Si) = fo(Oj)
write (read + write) must satisfy both properties, so it is only allowed at exactly the subject's current level
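The partial ordering, the three properties and the (b, M, f, H) state above, worked through as an added example (this is my own illustration, not code from the flashcards or from any reference BLP implementation). It assumes a hypothetical four-value classification order taken from the flashcard, a constructed set of subjects and objects, and one policy choice the cards do not state: a subject may change its current level only while the accesses it still holds in b remain valid at the new level.

```python
from dataclasses import dataclass
from enum import Enum

# Hypothetical linear classification order, as in the flashcard example.
CLASSIFICATIONS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Level:
    """Security level = (classification, set of categories); partially ordered by dominance."""
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        # (c1, S1) >= (c2, S2) iff c1 >= c2 and S1 is a superset of S2
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.categories >= other.categories)


class Mode(Enum):
    READ = "read"        # observe only
    APPEND = "append"    # alter only
    WRITE = "write"      # observe + alter
    EXECUTE = "execute"  # neither observe nor alter (no level constraint in this model)


class BLPError(Exception):
    """Raised when a request would violate the ss-, *- or ds-property."""


class BLPSystem:
    """State (b, M, f, H): current accesses, access matrix, level function, object hierarchy."""

    def __init__(self, f_s, f_c, f_o, M, H):
        self.f_s, self.f_c, self.f_o = f_s, f_c, f_o  # clearance, current level, classification
        self.M = M            # (subject, object) -> set of permitted Modes (discretionary part)
        self.H = H            # object -> parent object, None for the root of the tree
        self.b = set()        # current access set of (subject, object, Mode) triples
        for s in f_c:         # a subject's current level may never exceed its clearance
            if not f_s[s].dominates(f_c[s]):
                raise BLPError(f"{s}: current level exceeds clearance")
        for o, parent in H.items():  # each object must dominate its parent in H
            if parent is not None and not f_o[o].dominates(f_o[parent]):
                raise BLPError(f"hierarchy: {o} does not dominate its parent {parent}")

    def _check(self, s, o, mode):
        if mode not in self.M.get((s, o), set()):          # ds-property
            raise BLPError(f"ds-property: M does not permit {s} {mode.value} {o}")
        fc, fo = self.f_c[s], self.f_o[o]
        if mode in (Mode.READ, Mode.WRITE) and not fc.dominates(fo):   # ss-property: no read up
            raise BLPError(f"ss-property: {s} may not read up to {o}")
        if mode is Mode.APPEND and not fo.dominates(fc):               # *-property: no write down
            raise BLPError(f"*-property: {s} may not append down to {o}")
        if mode is Mode.WRITE and fc != fo:                            # write = read + write
            raise BLPError(f"*-property: write requires fc({s}) == fo({o})")

    def can(self, s, o, mode) -> bool:
        try:
            self._check(s, o, mode)
            return True
        except BLPError:
            return False

    def request(self, s, o, mode):
        self._check(s, o, mode)
        self.b.add((s, o, mode))

    def release(self, s, o, mode):
        self.b.discard((s, o, mode))

    def set_current_level(self, s, new_level):
        # Assumed policy (not stated on the cards): the change is allowed only within the
        # clearance and only if every access s still holds in b is valid at the new level.
        if not self.f_s[s].dominates(new_level):
            raise BLPError(f"{s}: {new_level} exceeds clearance")
        old, self.f_c[s] = self.f_c[s], new_level
        try:
            for subj, o, mode in self.b:
                if subj == s:
                    self._check(s, o, mode)
        except BLPError:
            self.f_c[s] = old
            raise


def demo() -> dict:
    """Constructed scenario: alice cleared secret, bob unclassified; M permits everything
    so that only the mandatory rules decide, then one entry of M is restricted."""
    U, S, TS = Level("unclassified"), Level("secret"), Level("top secret")
    f_s, f_c = {"alice": S, "bob": U}, {"alice": S, "bob": U}
    f_o = {"root": U, "bulletin": U, "report": S, "plan": TS}
    H = {"root": None, "bulletin": "root", "report": "root", "plan": "report"}
    M = {(s, o): set(Mode) for s in f_s for o in f_o}
    sysm = BLPSystem(f_s, f_c, f_o, M, H)
    r = {
        "alice_read_report": sysm.can("alice", "report", Mode.READ),          # same level
        "alice_read_plan": sysm.can("alice", "plan", Mode.READ),              # read up
        "alice_append_plan": sysm.can("alice", "plan", Mode.APPEND),          # write up
        "alice_append_bulletin": sysm.can("alice", "bulletin", Mode.APPEND),  # write down
        "alice_write_report": sysm.can("alice", "report", Mode.WRITE),        # fc == fo
        "alice_write_bulletin": sysm.can("alice", "bulletin", Mode.WRITE),    # fc != fo
        "bob_read_report": sysm.can("bob", "report", Mode.READ),              # read up
        "bob_append_report": sysm.can("bob", "report", Mode.APPEND),          # write up
        "bob_execute_report": sysm.can("bob", "report", Mode.EXECUTE),        # no level rule
    }
    M[("bob", "report")] = {Mode.READ}                                         # ds-property bites
    r["bob_append_report_after_ds"] = sysm.can("bob", "report", Mode.APPEND)
    sysm.request("alice", "report", Mode.READ)                                # alice holds a read
    try:
        sysm.set_current_level("alice", U)
        r["downgrade_while_reading"] = True
    except BLPError:
        r["downgrade_while_reading"] = False
    sysm.release("alice", "report", Mode.READ)
    sysm.set_current_level("alice", U)                                         # now allowed
    r["alice_read_report_after_downgrade"] = sysm.can("alice", "report", Mode.READ)
    r["alice_append_report_after_downgrade"] = sysm.can("alice", "report", Mode.APPEND)
    return r
```

Running `demo()` shows the asymmetry the cards describe: reads are blocked upward and appends are blocked downward, `write` only succeeds at exactly the subject's current level, and once M is restricted the ds-property denies an access that the MAC rules alone would have allowed. The last three entries show why the current level fc(Si) is separate from the clearance fs(Si): alice can drop to unclassified to append to lower objects, but not while she still holds a read on a secret one.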