|
|
|
The Bell-LaPadula Model [67, 68] corresponds to military-style classifications. It has influenced the development of many other models and indeed much of the development of computer security technologies.[1]
[1] The terminology in this section follows that of the unified exposition of the Bell-LaPadula Model [68].
The simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering (see Figure 5-1). These clearances represent sensitivity levels. The higher the security clearance, the more sensitive the information (and the greater the need to keep it confidential). A subject has a security clearance. In the figure, Claire's security clearance is C (for CONFIDENTIAL), and Thomas' is TS (for TOP SECRET). An object has a security classification; the security classification of the electronic mail files is S (for SECRET), and that of the telephone list files is UC (for UNCLASSIFIED). (When we refer to both subject clearances and object classifications, we use the term "classification.") The goal of the Bell-LaPadula security model is to prevent read access to objects at a security classification higher than the subject's clearance.
The Bell-LaPadula security model combines mandatory and discretionary access controls. In what follows, "S has discretionary read (write) access to O" means that the access control matrix entry for S and O corresponding to the discretionary access control component contains a read (write) right. In other words, were the mandatory controls not present, S would be able to read (write) O.
Let L(S) = ls be the security clearance of subject S, and let L(O) = lo be the security classification of object O. For all security classifications li, i = 0, ..., k 1, li < li+1.
Simple Security Condition, Preliminary Version:
S can read O if and only if lo 
ls and S has discretionary read access to O.
In Figure 5-1, for example, Claire and Clarence cannot read personnel files, but Tamara and Sally can read the activity log files (and, in fact, Tamara can read any of the files, given her clearance), assuming that the discretionary access controls allow it.
Should Tamara decide to copy the contents of the personnel files into the activity log files and set the discretionary access permissions appropriately, Claire could then read the personnel files. Thus, for all practical purposes, Claire could read the files at a higher level of security. A second property prevents this:
*-Property (Star Property), Preliminary Version:
S can write O if and only if ls lo and S has discretionary write access to O.
Because the activity log files are classified C and Tamara has a clearance of TS, she cannot write to the activity log files.
Define a secure system as one in which both the simple security condition, preliminary version, and the *-property, preliminary version, hold. A straightforward induction establishes the following theorem.
Theorem 51. Basic Security Theorem, Preliminary Version: Let S be a system with a secure initial state s0, and let T be a set of state transformations. If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, then every state si, i
0, is secure.
Expand the model by adding a set of categories to each security classification. Each category describes a kind of information. Objects placed in multiple categories have the kinds of information in all of those categories. These categories arise from the "need to know" principle, which states that no subject should be able to read objects unless reading them is necessary for that subject to perform its functions. The sets of categories to which a person may have access is simply the power set of the set of categories. For example, if the categories are NUC, EUR, and US, someone can have access to any of the following sets of categories: Ø (none), { NUC }, { EUR }, { US }, { NUC, EUR }, {NUC, US }, { EUR, US }, and { NUC, EUR, US }. These sets of categories form a lattice under the operation 
(subset of); see Figure 5-2. (Chapter 30, "Lattices," discusses the mathematical nature of lattices.)
.
Each security level and category form a security level.[2] As before, we say that subjects have clearance at (or are cleared into, or are in) a security level and that objects are at the level of (or are in) a security level. For example, William may be cleared into the level (SECRET, { EUR }) and George into the level (TOP SECRET, { NUC, US }). A document may be classified as (CONFIDENTIAL, {EUR }).
[2] There is less than full agreement on this terminology. Some call security levels "compartments." However, others use this term as a synonym for "categories." We follow the terminology of the unified exposition [68].
Security levels change access. Because categories are based on a "need to know," someone with access to the category set { NUC, US } presumably has no need to access items in the category EUR. Hence, read access should be denied, even if the security clearance of the subject is higher than the security classification of the object. But if the desired object is in any of the security levels Ø, { NUC }, { US }, or { NUC, US } and the subject's security clearance is no less than the document's security classification, access should be granted because the subject is cleared into the same category set as the object.
This suggests a new relation for capturing the combination of security classification and category set. Define the relation dom (dominates) as follows.
Definition 51. The security level (L, C) dominates the security level (L', C') if and only if L'
We write (L, C) ¬dom (L', C') when (L, C) dom (L', C') is false. This relation also induces a lattice on the set of security levels [267].
|
EXAMPLE: George is cleared into security level (SECRET, { NUC, EUR} ), DocA is classified as ( CONFIDENTIAL, { NUC } ), DocB is classified as ( SECRET, { EUR, US}), and DocC is classified as (SECRET, { EUR }). Then:
|
Let C(S) be the category set of subject S, and let C(O) be the category set of object O. The simple security condition, preliminary version, is modified in the obvious way:
Simple Security Condition: S can read O if and only if S dom O and S has discretionary read access to O.
In the example above, George can read DocA and DocC but not DocB (again, assuming that the discretionary access controls allow such access).
Suppose Paul is cleared into security level (SECRET, { EUR, US, NUC }) and has discretionary read access to DocB. Paul can read DocB; were he to copy its contents to DocA and set its access permissions accordingly, George could then read DocB. The modified *-property prevents this:
*-Property: S can write to O if and only if O dom S and S has discretionary write access to O.
Because DocA dom Paul is false (because C(Paul) 
C(DocA)), Paul cannot write to DocA.
The simple security condition is often described as "no reads up" and the *-property as "no writes down."
Redefine a secure system as one in which both the simple security property and the *-property hold. The analogue to the Basic Security Theorem, preliminary version, can also be established by induction.
Theorem 52. Basic Security Theorem: Let S be a system with a secure initial state s0, and let T be a set of state transformations. If every element of T preserves the simple security condition and the *-property, then every si, i
At times, a subject must communicate with another subject at a lower level. This requires the higher-level subject to write into a lower-level object that the lower-level subject can read.
|
EXAMPLE: A colonel with (SECRET, { NUC, EUR }) clearance needs to send a message to a major with (SECRET, { EUR }) clearance. The colonel must write a document that has at most the (SECRET, { EUR }) classification. But this violates the *-property, because (SECRET, { NUC, EUR }) dom (SECRET, { EUR }). |
The model provides a mechanism for allowing this type of communication. A subject has a maximum security level and a current security level. The maximum security level must dominate the current security level. A subject may (effectively) decrease its security level from the maximum in order to communicate with entities at lower security levels.
|
EXAMPLE: The colonel's maximum security level is (SECRET, { NUC, EUR }). She changes her current security level to (SECRET, { EUR }). This is valid, because the maximum security level dominates the current security level. She can then create the document at the major's clearance level and send it to him. |
How this policy is instantiated in different environments depends on the requirements of each environment. The conventional use is to define "read" as "allowing information to flow from the object being read to the subject reading," and "write" as "allowing information to flow from the subject writing to the object being written." Thus, "read" usually includes "execute" (because by monitoring the instructions executed, one can determine the contents of portions of the file) and "write" includes "append" (as the information is placed in the file, it does not overwrite what is already in the file, however). Other actions may be included as appropriate; however, those who instantiate the model must understand exactly what those actions are. Chapter 8, "Noninterference and Policy Composition," and Chapter 17, "Confinement Problem," will discuss this subject in considerably more detail.
The Data General B2 UNIX (DG/UX) system provides mandatory access controls (MACs). The MAC label is a label identifying a particular compartment. This section describes only the default labels; the system enables other labels to be created.
When a process (subject) begins, it is assigned the MAC label of its parent. The initial label (assigned at login time) is the label assigned to the user in a database called the Authorization and Authentication (A&A) Database. Objects are assigned labels at creation, but the labels may be either explicit or implicit. The system stores explicit labels as parts of the object's attributes. It determines implicit labels from the parent directory of the object.
The least upper bound of all compartments in the DG/UX lattice has the label IMPL_HI (for "implementation high"); the greatest lower bound has the label IMPL_LO (for "implementation low"). The lattice is divided into three regions, which are summarized in Figure 5-3.[3]
[3] The terminology used here corresponds to that of the DG/UX system. Note that "hierarchy level" corresponds to "clearance" or "classification" in the preceding section.
The highest region (administrative region) is reserved for data that users cannot access, such as logs, MAC label definitions, and so forth. Because reading up and writing up are disallowed (the latter is a DG/UX extension to the multilevel security model; see Section 5.2.2.2), users can neither read nor alter data in this region. Administrative processes such as servers execute with MAC labels in this region; however, they sanitize data sent to user processes with MAC labels in the user region.
System programs are in the lowest region (virus prevention region). No user process can write to them, so no user process can alter them. Because execution requires read access, users can execute the programs. The name of this region comes from the fact that viruses and other forms of malicious logic involve alterations of trusted executables.[4]
[4] The TCB, or trusted computing base, is that part of the system that enforces security (see Section 19.1.2.2).
Problems arise when programs of different levels access the same directory. If a program with MAC label MAC_A tries to create a file, and a file of that name but with MAC label MAC_B (MAC_B dom MAC_A) exists, the create will fail. To prevent this leakage of information, only programs with the same MAC label as the directory can create files in that directory. For the /tmp directory, and the mail spool directory /var/mail, this restriction will prevent standard operations such as compiling and delivering mail. DG/UX introduces a "multilevel directory" to solve this problem.
A multilevel directory is a directory with a set of subdirectories, one for each label. These "hidden directories" normally are not visible to the user, but if a process with MAC label MAC_A tries to create a file in /tmp, it actually creates a file in the hidden directory under /tmp with MAC label MAC_A. The file can have the same name as one in the hidden directory corresponding to label MAC_A. The parent directory of a file in /tmp is the hidden directory. Furthermore, a reference to the parent directory goes to the hidden directory.
|
EXAMPLE: A process with label MAC_A creates a directory /tmp/a. Another process with label MAC_B creates a directory /tmp/a. The processes then change the correct working directory to /tmp/a and then to .. (the parent directory). Both processes will appear to have /tmp as the current working directory. However, the system call
stat(".", &stat_buffer)
returns a different inode number for each process, because it returns the inode number of the current working directorythe hidden directory. The system call
dg_mstat(".", &stat_buffer)
translates the notion of "current working directory" to the multilevel directory when the current working directory is a hidden directory. |
Mounting unlabeled file systems requires the files to be labeled. Symbolic links aggravate this problem. Does the MAC label the target of the link control, or does the MAC label the link itself? DG/UX uses a notion of inherited labels (called implicit labels) to solve this problem. The following rules control the way objects are labeled.
Roots of file systems have explicit MAC labels. If a file system without labels is mounted on a labeled file system, the root directory of the mounted file system receives an explicit label equal to that of the mount point. However, the label of the mount point, and of the underlying tree, is no longer visible, and so its label is unchanged (and will become visible again when the file system is unmounted).
An object with an implicit MAC label inherits the label of its parent.
When a hard link to an object is created, that object must have an explicit label; if it does not, the object's implicit label is converted to an explicit label. A corollary is that moving a file to a different directory makes its label explicit.
If the label of a directory changes, any immediate children with implicit labels have those labels converted to explicit labels before the parent directory's label is changed.
When the system resolves a symbolic link, the label of the object is the label of the target of the symbolic link. However, to resolve the link, the process needs access to the symbolic link itself.
Rules 1 and 2 ensure that every file system object has a MAC label, either implicit or explicit. But when a file object has an implicit label, and two hard links from different directories, it may have two labels. Let /x/y/z and /x/a/b be hard links to the same object. Suppose y has an explicit label IMPL_HI and a an explicit label IMPL_B. Then the file object can be accessed by a process at IMPL_HI as /x/y/z and by a process at IMPL_B as /x/a/b. Which label is correct? Two cases arise.
Suppose the hard link is created while the file system is on a DG/UX B2 system. Then the DG/UX system converts the target's implicit label to an explicit one (rule 3). Thus, regardless of the path used to refer to the object, the label of the object will be the same.
Suppose the hard link exists when the file system is mounted on the DG/UX B2 system. In this case, the target had no file label when it was created, and one must be added. If no objects on the paths to the target have explicit labels, the target will have the same (implicit) label regardless of the path being used. But if any object on any path to the target of the link acquires an explicit label, the target's label may depend on which path is taken. To avoid this, the implicit labels of a directory's children must be preserved when the directory's label is made explicit. Rule 4 does this.
Because symbolic links interpolate path names of files, rather than store inode numbers, computing the label of symbolic links is straightforward. If /x/y/z is a symbolic link to /a/b/c, then the MAC label of c is computed in the usual way. However, the symbolic link itself is a file, and so the process must also have access to the link file z.
The DG/UX B2 system uses the Bell-LaPadula notion of dominance, with one change. The system obeys the simple security condition (reading down is permitted), but the implementation of the *-property requires that the process MAC label and the object MAC label be equal, so writing up is not permitted, but writing is permitted in the same compartment.
Because of this restriction on writing, the DG/UX system provides processes and objects with a range of labels called a MAC tuple. A range is a set of labels expressed by a lower bound and an upper bound. A MAC tuple consists of up to three ranges (one for each of the regions in Figure 5-3).
|
EXAMPLE: A system has two security levels, TS and S, the former dominating the latter. The categories are COMP, NUC, and ASIA. Examples of ranges are
The label ( TS, {COMP} ) is in the first two ranges. The label ( S, {NUC, ASIA} ) is in the last two ranges. However,
is not a valid range because ( TS, { COMP, NUC } ) dom ( S, { ASIA } ). |
An object can have a MAC tuple as well as the required MAC label. If both are present, the tuple overrides the label. A process has read access when its MAC label grants read access to the upper bound of the range. A process has write access when its MAC label grants write access to any label in the MAC tuple range.
|
EXAMPLE: Suppose an object's MAC tuple is the single range
A subject with MAC label ( S, { ASIA } ) cannot read the object, because
It can write to the object, because (S, { ASIA }) dominates the lower bound and is dominated by the upper bound. A subject with MAC label ( TS, { ASIA, COMP, NUC } ) can read the object but cannot write the object. A subject with MAC label (TS, { ASIA, COMP } ) can both read and write the object. A subject with MAC label (TS, {EUR} ) can neither read nor write the object, because its label is incomparable to that of the object, and the dom relation does not hold. |
A process has both a MAC label and a MAC tuple. The label always lies within the range for the region in which the process is executing. Initially, the subject's accesses are restricted by its MAC label. However, the process may extend its read and write capabilities to within the bounds of the MAC tuple.
Let S be the set of subjects of a system and let O be the set of objects. Let P be the set of rights r for read, q for write, w for read/write, and e for empty.[5] Let M be a set of possible access control matrices for the system. Let C be the set of classifications (or clearances), let K be the set of categories, and let L = C x K be the set of security levels. Finally, let F be the set of 3-tuples (fs, fo, fc), where fs and fc associate with each subject maximum and current security levels, respectively, and fo associates with each object a security level. The relation dom from Definition 51 is defined here in the obvious way.
[5] The right called "empty" here is called "execute" in Bell and LaPadula [68]. However, they define "execute" as "neither observation nor alteration" (and note that it differs from the notion of "execute" that most systems implement). For clarity, we changed the e right's name to the more descriptive "empty."
The system objects may be organized as a set of hierarchies (trees and single nodes). Let H represent the set of hierarchy functions h: O 
P(O).[6] These functions have two properties. Let oi, oj, ok 
O. Then:
[6] P(O) is the power set of Othat is, the set of all possible subsets of O.
If oi 
oj, then h(oi) 
h(oj) = Ø.
There is no set { o1, o2, …, ok } O such that for each i = 1, …, k, oi+1 h(oi), and ok+1 = o1.
(See Exercise 6.)
A state n n of a system is a 4-tuple (b, m, f, h), where b P(S x O x P) indicates which subjects have access to which objects, and what those access rights are; m M is the access control matrix for the current state; f F is the 3-tuple indicating the current subject and object clearances and categories; and h H is the hierarchy of objects for the current state. The difference between b and m is that the rights in m may be unusable because of differences in security levels; b contains the set of rights that may be exercised, and m contains the set of discretionary rights.
R denotes the set of requests for access. The form of the requests affects the instantiation, not the formal model, and is not discussed further here. Four outcomes of each request are possible: y for yes (allowed), n for no (not allowed), i for illegal request, and o for error (multiple outcomes are possible). D denotes the set of outcomes. The set W R x D x n x n is the set of actions of the system. This notation means that an entity issues a request in R, and a decision in D occurs, moving the system from one state in n to another (possibly different) state in n. Given these definitions, we can now define the history of a system as it executes.
Let N be the set of positive integers. These integers represent times. Let X = RN be a set whose elements x are sequences of requests, let Y = DN be a set whose elements y are sequences of decisions, and let Z = VN be a set whose elements z are sequences of states. The ith components of x, y, and z are represented as xi, yi, and zi, respectively. The interpretation is that for some t N, the system is in state zt1 n; a subject makes request xt R, the system makes a decision yt D, and as a result the system transitions into a (possibly new) state zt n.
A system is represented as an initial state and a sequence of requests, decisions, and states. In formal terms, S(R, D, W, z0) X x Y x Z represents the system, and z0 is the initial state of the system. (x, y, z) S(R, D, W, z0) if and only if (xt, yt, zt, zt1) W for all t N. (x, y, z) is an appearance of S(R, D, W, z0).
|
EXAMPLE: Consider a system with two levels (HIGH and LOW), one category (ALL), one subject s, one object o, and two rights, read (r) and write (w). Then:
For every function f Now suppose S = { s,s' },fs,1(s')=(LOW, { ALL}), and m1 gives s' write access over o as well as giving s read access over o. Becauses s' has not yet written o, b1 is unchanged. Take z0=(b1,m1,f1) and consider the system S(R, D, W, z0). If s' makes the request r1 to write to o, the system will decide d1 = y (yes), and will transition to the state n1 = (b2, m1, f1) |
The next request r2 is for s to write to o; however, this is disallowed (d2 = n, or no). The resulting state is the same as the preceding one. Now x = (r1, r2), y = (y, n), and z = (n0, n1, n2), where n2 = v1.
The Basic Security Theorem combines the simple security condition, the *-property, and a discretionary security property. We now formalize these three properties.
Formally, the simple security condition is:
Definition 52. (s, o, p)
p = e or p = a
p = r or p = w and fc(s) dom fo(o)
In other words, if s can read o (or read and write to it), s must dominate o. A state (b, m, f, h) satisfies the simple security condition if all elements of b satisfy ssc rel f. A system satisfies the simple security condition if all its states satisfy the simple security condition.
Define b(s: p1, ..., pn) to be the set of all objects that s has p1, ..., pn access to:
b(s: p1, ..., pn) = { o | o
[ (s, o, p1)
Definition 53. A state (b, m, f, h) satisfies the *-property if and only if, for each s
b(s: a)
[
o
b(s: w)
b(s: r)
This definition says that if a subject can write to an object, the object's classification must dominate the subject's clearance ("write up"); if the subject can also read the object, the subject's clearance must be the same as the object's classification ("equality for read"). A system satisfies the *-property if all its states satisfy the *-property. In many systems, only a subset S' of subjects satisfy the *-property; in this case, we say that the *-property is satisfied relative to S' S.
Definition 54. A state (b, m, f, h) satisfies the discretionary security property (ds-property) if and only if, for each triple (s, o, p)
The access control matrix allows the controller of an object to condition access based on identity. The model therefore supports both mandatory and discretionary controls, and defines "secure" in terms of both. A system satisfies the discretionary security property if all its states satisfy the discretionary security property.
Definition 55. A system is secure if it satisfies the simple security condition, the *-property, and the discretionary security property.
The notion of an action, or a request and decision that moves the system from one state to another, must also be formalized, as follows.
Definition 56. (r, d, v, v')
Thus, an action is a request/decision pair that occurs during the execution of the system.
We now can establish conditions under which the three properties hold.
Theorem 53. S(R, D, W, z0) satisfies the simple security condition for any secure state z0 if and only if, for every action (r, d, (b, m, f, h), (b', m', f', h')), W satisfies the following:
Every (s, o, p)
Every (s, o, p)
Proof Let (x, y, z)
(
(
) By induction on t.
Induction basis. z0 = (b0, m0, f0, h0) is secure, by the hypothesis of the claim.
Induction hypothesis. zt1 = (bt1, mt1, ft1, ht1) is secure, for t < n
Induction step. Let (xt, yt, zt, zt1)
= { (s, o, p) | (s, o, p)
Theorem 54. S(R, D, W, z0) satisfies the *-property relative to S'
Every (s, o, p)
Every (s, o, p)
Proof See Exercise 8.
Theorem 55. S(R, D, W, z0) satisfies the ds-property for any secure state z0 if and only if, for every action (r, d, (b, m, f, h), (b', m', f', h')), W satisfies the following:
Every (s, o, p)
Every (s, o, p)
Proof See Exercise 9.
Theorems 53, 54, and 55 combine to give us the Basic Security Theorem:
Theorem 56. Basic Security Theorem: S(R, D, W, z0) is a secure system if z0 is a secure state and W satisfies the conditions of Theorems 53, 54, and 55.
Proof Immediate from Theorems 53, 54, and 55.
A rule is a function r:R x nD x n. Intuitively, a rule takes a state and a request, and determines if the request meets the conditions of the rule (the decision). If so, it moves the system to a (possibly different) state. The idea is that a rule captures the means by which a system may transition from one state to another.
Of course, the rules affect the security of a system. For example, a rule that changes all read rights so that a subject has the ability to read objects with classifications higher than the subject's clearance may move the system from a secure state to a nonsecure state. In this section we develop constraints that rules must meet to preserve security, and we give an example rule.
Definition 57. A rule r is ssc-preserving if, for all (r, v)
Similar definitions hold for the *-property and the ds-property. If a rule is ssc-preserving, *-property-preserving, and ds-property-preserving, the rule is said to be security-preserving.
We define a relation with respect to a set of rules w = { r1, ..., rm } in such a way that each type of request is handled by at most one rule; this eliminates ambiguity and ensures that the mapping from R x n to D x n is one-to-one.
Definition 58. Let w = { r1, ..., rm } be a set of rules. For request r
This definition says that if the request is legal and there is only one rule that will change the state of the system from n to n', the corresponding action is in W(w).
The next theorem presents conditions under which a set of rules preserves the simple security condition.
Theorem 57. Let w be a set of ssc-preserving rules, and let z0 be a state satisfying the simple security condition. Then S(R, D, W, z0) satisfies the simple security condition.
Proof By contradiction. Let (x, y, z)
When does adding a state preserve the simple security property?
Theorem 58. Let n = (b, m, f, h) satisfy the simple security condition. Let (s, o, p)
{ (s, o, p) }, and n' = (b', m, f, h). Then n' satisfies the simple security condition if and only if either of the following conditions is true.
Either p = e or p = a.
Either p = r or p = w, and fs(s) dom fo(o).
Proof For (a), the theorem follows from Definition 53 and n' satisfying ssc rel f. For (b), if n' satisfies the simple security condition, then, by definition, fs(s) dom fo(o). Moreover, if fs(s) dom fo(o), then (s, o, p)
Similar theorems hold for the *-property:
Theorem 59. Let w be a set of *-property-preserving rules, and let z0 be a state satisfying the *-property. Then S(R, D, W, z0) satisfies the *-property.
Proof See Exercise 11.
Theorem 510. Let n = (b, m, f, h) satisfy the *-property. Let (s, o, p)
p = a and fo(o) dom fc(s)
p = w and fo(o) = fc(s)
p = r and fc(s) dom fo(o)
Proof If n' satisfies the *-property, then the claim follows immediately from Definition 53. Conversely, assume that conditions (a), (b), and (c) hold. Let (s', o', p')
Theorem 511. Let w be a set of ds-property-preserving rules, and let z0 be a state satisfying the ds-property. Then S(R, D, W, z0) satisfies the ds-property.
Proof See Exercise 11.
Theorem 512. Let n = (b, m, f, h) satisfy the ds-property. Let (s, o, p)
Proof If n' satisfies the ds-property, then the claim follows immediately from Definition 54. Conversely, assume that p
Finally, we present the following theorem.
Theorem 513. Let r be a rule and r(r, v) = (d, v'), where n = (b, m, f, h) and n' = (b', m', f', h'). Then:
If b'
If b'
If b'
Proof Suppose that n satisfies the simple security property. Because b'
The proofs of the other two parts are analogous.
We now examine the modeling of specific actions. The Multics system [68, 788] has 11 rules affecting the rights on the system. These rules are divided into five groups. Let the set Q contain the set of request operations (such as get, give, and so forth). Then:
R(1) = Q x S x O x M. This is the set of requests to request and release access. The rules are get-read, get-append, get-execute, get-write, and release-read/execute/write/append. These rules differ in the conditions necessary for the subject to be able to request the desired right. The rule get-read is discussed in more detail in Section 5.2.4.1.
R(2) = S x Q x S x O x M. This is the set of requests to give access to and remove access from a different subject. The rules are give-read/execute/write/append and rescind-read/execute/write/append. Again, the rules differ in the conditions needed to acquire and delete the rights, but within each rule, the right being added or removed does not affect the conditions. Whether the right is being added or deleted does affect them. The rule give-read/execute/write/append is discussed in more detail in Section 5.2.4.2.
R(3) = Q x S x O x L. This is the set of requests to create and reclassify objects. It contains the create-object and change-object-security-level rules. The object's security level is either assigned (create-object) or changed (change-object-security-level).
R(4) = S x O. This is the set of requests to remove objects. It contains only the rule delete-object-group, which deletes an object and all objects beneath it in the hierarchy.
R(5) = S x L. This is the set of requests to change a subject's security level. It contains only the rule change-subject-current-security-level, which changes a subject's current security level (not the maximum security level).
Then, the set of requests R = R(1) R(2) R(3) R(4) R(5).
The Multics system includes the notion of trusted users. The system does not enforce the *-property for this set of subjects ST S; however, members of ST are trusted not to violate that property.
For each rule r, define D(r) as the domain of the request (that is, whether or not the components of the request form a valid operand for the rule).
We next consider two rules in order to demonstrate how to prove that the rules preserve the simple security property, the *-property, and the discretionary security property.
The get-read rule enables a subject s to request the right to read an object o. Represent this request as r = (get, s, o, r) R(1), and let the current state of the system be n = (b, m, f, h). Then get-read is the rule r1(r, v):
if (r D(r1)) then r1(r, v) = (i, n);
else if (fs(s) dom fo(o) and [s ST or fc(s) dom fo(o)] and r m[s, o])
then r1(r, v) = (y, (b { (s, o, r) }, m, f, h));
else r1(r, v) = (n, n);
The first if tests the parameters of the request; if any of them are incorrect, the decision is "illegal" and the system state remains unchanged. The second if checks three conditions. The simple security property for the maximum security level of the subject and the classification of the object must hold. Either the subject making the request must be trusted, or the simple security property must hold for the current security level of the subject (this allows trusted subjects to read information from objects above their current security levels but at or below their maximum security levels; they are trusted not to reveal the information inappropriately). Finally, the discretionary security property must hold. If these three conditions hold, so does the Basic Security Theorem. The decision is "yes" and the system state is updated to reflect the new access. Otherwise, the decision is "no" and the system state remains unchanged.
We now show that if the current state of the system satisfies the simple security condition, the *-property, and the ds-property, then after the get-read rule is applied, the state of the system also satisfies those three conditions.
Theorem 514. The get-read rule r1 preserves the simple security condition, the *-property, and the ds-property.
Proof Let n satisfy the simple security condition, the *-property, and the ds-property. Let r1(r, v) = (d, v'). Either n' = n or n' = (b
Consider the simple security condition. From the choice of n', either b' b = Ø or b' b = { (s2, o, r) }. If b' b = Ø, then { (s2, o, r) }
Consider the *-property. From the definition of the get-read rule, either s
Finally, consider the ds-property. The condition in the get-read rule requires that r
Hence, the get-read rule preserves the security of the system.
The give-read rule[7] enables a subject s to give subject s2 the (discretionary) right to read an object o. Conceptually, a subject can give another subject read access to an object if the giver can alter (write to) the parent of the object. If the parent is the root of the hierarchy containing the object, or if the object itself is the root of the hierarchy, the subject must be specially authorized to grant access.
[7] Actually, the rule is give-read/execute/write/append. The generalization is left as an exercise for the reader.
Some terms simplify the definitions and proofs. Define root(o) as the root object of the hierarchy h containing o, and define parent(o) as the parent of o in h. If the subject is specially authorized to grant access to the object in the situation just mentioned, the predicate canallow(s, o, v) is true. Finally, define m m[s, o]
r as the access control matrix m with the right r added to entry m[s, o].
Represent the give-read request as r = (s1, give, s2, o, r) R(2), and let the current state of the system be n = (b, m, f, h). Then, give-read is the rule r6(r, v):
if (r D(r6)) then r1(r, v) = (i, n);
else if ( [ o root(o) and parent(o) root(o) and parent(o) b(s1: w)] or
[ parent(o) = root(o) and canallow(s1, o, v) ] or
[ o = root(o) and canallow(s1, root(o), n) ])
then r1(r, v) = (y, (b, m m[s2, o]r, f, h));
else r1(r, v) = (n, n);
The first if tests the parameters of the request; if any of them are incorrect, the decision is "illegal" and the system state remains unchanged. The second if checks several conditions. If neither the object nor its parent is the root of the hierarchy containing the object, then s1 must have write rights to the parent. If the object or its parent is the root of the hierarchy, then s1 must have special permission to give s2 the read right to o. The decision is "yes" and the access control matrix is updated to reflect the new access. Otherwise, the decision is "no" and the system state remains unchanged.
We now show that if the current state of the system satisfies the simple security condition, the *-property, and the ds-property, then after the give-read rule is applied, the state of the system also satisfies those three conditions.
Theorem 515. The give-read rule r6 preserves the simple security condition, the *-property, and the ds-property.
Proof Let n satisfy the simple security condition, the *-property, and the ds-property. Let r6(r, v) = (d, v'). Either n' = n or n' = (b, m
Here, b' = b, f' = f, and m[x, y] = m'[x, y] for all x
Hence, the get-read rule preserves the security of the system.
|
|
|
| Top |