BLP and BIBA Flashcards

1
Q

what is the Bell-LaPadula model

A

a security model used to enforce mandatory access controls for confidentiality in information systems

2
Q

BLP - data classification model

A

> each subject or object is assigned to a security class
> security classes form a strict hierarchy called security levels
> e.g.: top secret > secret > confidential > unclassified

3
Q

BLP - security clearance

A

> subjects go through a background check
> security clearance indicates their level of trustworthiness

4
Q

BLP - security classification

A

> data (objects) are assigned a classification level, which indicates the level of sensitivity

5
Q

BLP - 4 access modes

A

> read
> append: write only (no read)
> write: read+write
> execute: neither read nor write, but may invoke object for execution

6
Q

BLP - partial ordering

A

(c1, d1) <= (c2, d2) IF (d1 <= d2) AND (c1 <= c2)
- c is clearance
- d is classification level

7
Q

BLP - NO READ UP, NO WRITE DOWN, DS properties

A

> no read up property: a subject can only read an object of less or equal security level
> no write down property: a subject can only write an object of greater or equal security level
> discretionary property: a subject can exercise only accesses for which it has the necessary authorization and which satisfy the MAC rules

8
Q

the idea with discretionary properties

A

the idea is that site policy overrides discretionary access controls, so a user cannot give away data to unauthorized persons.
- basically, you are an employee with your own key to your office; you can control who enters your office or even lend out the key
- but just because you can does not mean that it is fully authorized, because your boss might have specific policies which will override your rules

9
Q

BLP formal description

A
  1. current state of system:
    > (b, M, f, H)
    > behavior, Matrix, function, Hierarchy
  2. current access set b
  3. access matrix M
  4. level function
  5. hierarchy
10
Q

BLP - current access set b

A

set of triples {subject, object, access mode}
- subject s is currently accessing object o in access mode a

11
Q

BLP - access matrix M

A

Mij
- i = Si (rows)
- j = Oj (col)
- shows permitted access of Si to Oj

12
Q

BLP - level function f

A
  1. f0(Oj)
    - classification level of Object j
  2. fs(Si)
    - security clearance of subject Si = max security level of Si
  3. fc(Si)
    - current security classification level of Subject i
13
Q

BLP - hierarchy H

A

a directed rooted tree whose nodes are objects in the system. The security level of an object must dominate the security level of its parent

14
Q

BLP - no read up formal description

A

(Si, Oj, read) has fc(Si)>=f0(Oj)
can only read an object of less or equal security level

15
Q

BLP - no write down formal description

A

(Si, Oj, append) has fc(Si) <= f0(Oj)
can only write
(Si, Oj, write) has fc(Si) = f0(Oj)

16
Q

BLP - discretionary formal description

A

(Si, Oj, Ax) implies Ax belongs in M{Si, Oj}

17
Q

BLP - when to characterize a system as secure

A
  • the current state of the system (b, M, f, H) is secure:
    IF AND ONLY IF: every element of b satisfies the 3 BLP properties
18
Q

what is BIBA model

A

a computer security model that enforces integrity by preventing information flow from lower integrity levels to higher integrity levels, aiming to maintain data consistency and prevent unauthorized changes

19
Q

BLP VS BIBA

A

similarities:
- both use access control rules to determine access
- both assign security levels to subjects and objects
differences:
- BIBA addresses integrity
- BLP addresses confidentiality

20
Q

BIBA - what is integrity

A
  • integrity is usually defined in terms of preventing improper or unauthorized change to data
  • in BIBA, integrity refers to the trustworthiness of data or resources
21
Q

BIBA - model rules

A

information can only flow down
> higher levels are not allowed to read down
> lower levels are not allowed to write up

22
Q

BIBA - access modes

A

> modify: write or update info
> observe: read info
> execute: execute an object
> invoke: communication from one object to another

23
Q

BIBA - integrity rules

A
  1. simple integrity:
    subject can only modify an object if its integrity is higher I(S)>=I(O)
  2. confinement integrity:
    subject can only read an object if its integrity is lower I(S)<=I(O)
  3. invocation integrity:
    subject S1 can only invoke another subject S2 if I(S1)>=I(S2)
24
Q

subject low watermark property

A

subject can read (observe) an object of any integrity level
> after the reading, the subject’s integrity is changed by using Inf(I(S),I(O))
> it uses the subject’s previous integrity level and the object’s current integrity level, and chooses the minimum of the two

25
Q

object low watermark property

A

subject can modify (write/update) an object of any integrity level
> after the modification, the object’s integrity is changed by using Inf(I(S),I(O))
> it uses the object’s previous integrity level and the subject’s current integrity level, and chooses the minimum of the two

26
Q

Discuss the relative ease with which a virus can spread through a system that implements mandatory access controls. Consider both the Bell-LaPadula model and the Biba model.
- Which model will have the greatest impact on the spread of a virus?
- How is the spread of a virus or worm on more common systems affected by the privileges with which the users run?
- What about the privileges with which servers run?

A

BLP
a. virus attached to a file at system low
> all labels dominate system low, so all users can read and execute the infected file
> on execute, the infected process will most likely run at the invoking user's label and thus can spread to all other files at that label

b. virus attached to a file at system high
> propagation would be limited to system high
> the virus-infected file could only be read and executed by a process also running at system high
> a process running at system high cannot downgrade data, so only other system-high files have the possibility for infection

BIBA
a. virus attached to a file at low integrity
> the infection will be contained at the low integrity level because subjects cannot modify higher integrity objects
> so the infection will only spread to other system low integrity data

b. virus attached to a file at high integrity
> all users can read/execute the high integrity file
> so the infected file will be available to processes running at a low integrity level
> that process can propagate its data to other files at its level