Fall 2023 Cp 633 Slide #5-1
Chapter 5: Confidentiality Policies
• This lecture covers sections 5.1, 5.2 (5.2.1, 5.2.2 and 5.2.2.1 only), and 5.3.
• Overview
– What is a confidentiality model
• Bell-LaPadula Model
– General idea
– Informal description of rules
• Tranquility
• Controversy
Confidentiality Policy (here 11 Sept, Mon)
• Goal: prevent the unauthorized disclosure of information
– Deals with information flow
– Integrity aspect is incidental
• Multi-level security models are best-known examples
– The Bell-LaPadula model is the basis for many, or most, of these.
Bell-LaPadula Model, Step 1
• Security levels (i.e. security clearances) for subjects are arranged in a linear ordering, for example:
1. Top Secret: highest
2. Secret
3. Confidential
4. Unclassified: lowest
• Each user/process (subject) s has a security clearance L(s)
• Each object o has a security classification L(o)
• Access is decided as a function of the subject's clearance and the object's classification
Example

security level   subject (clearance L(s))   object (classification L(o))
Top Secret       Tamara                     Personnel Files
Secret           Samuel                     E-Mail Files
Confidential     Claire                     Activity Logs
Unclassified     Ulaley                     Telephone Lists

• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Ulaley can only read Telephone Lists
Reading Information
• Information may flow only upward, toward higher clearances; it must never flow down to a subject whose clearance is below the object's level
– Therefore “reads up” are disallowed, “reads down” are allowed
• Simple Security Condition (Step 1)
– Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
• Note: combines mandatory control, MAC (the relationship of security levels), with discretionary control, DAC (the required permission)
– Sometimes called the “no reads up” rule
Writing Information
• However, a subject with a high clearance could copy a file with a high classification and write it to a file with a low classification.
• But information is only allowed to travel up, not down
– Therefore “writes down” are disallowed and “writes up” are allowed.
• *-Property (Step 1)
– Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
• Note: combines mandatory control (the relationship of security levels) and discretionary control (the required permission)
– Sometimes called the “no writes down” rule; note that we are not interested in integrity here.
Basic Security Theorem, Step 1
• Preliminary version of the BST: if a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 1) and the *-property (step 1), then every state of the system is secure
– Proof: induction on the number of transitions
Bell-LaPadula Model, Step 2
• Expand the notion of security level to include information categories, following the need-to-know principle.
• Objects are placed into categories (or compartments).
– Each category is a kind of information, e.g. intelligence on a particular country…
• Security level now becomes a tuple (clearance, category set)
• Examples
– ( Top Secret, { NUC, EUR, US } )
– ( Confidential, { EUR, US } )
– ( Secret, { NUC, US } )
Security lattice by information categories
• The lattice is generated by the categories NUC, EUR, and US.
• The lines represent the ordering relation induced by ⊆ (subset of).
• A line is placed between A and B iff A ⊆ B, A ≠ B, and there exists no C such that A ⊆ C ⊆ B with A ≠ C and B ≠ C.

[Hasse diagram, top to bottom:]
              [NUC, EUR, US]
   [NUC, EUR]    [NUC, US]    [EUR, US]
      [NUC]        [EUR]        [US]
                    Ø
Security Levels and Lattices
• We need an ordering relation among security levels expressed as tuples (clearance, category set); it is called dominance
• (A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
• Examples
– (Top Secret, {NUC, US}) dom (Secret, {NUC})
– (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
– (Top Secret, {NUC}) ¬dom (Confidential, {EUR}), since {EUR} ⊄ {NUC}
• Let A be the set of classifications and C the set of categories. The set of security levels L = A × C together with dom forms a lattice
Levels and Ordering
• The dominance relation is a partial ordering
• Security levels are partially ordered
– Two security levels may or may not be comparable under dom
• “dominates” serves the role of “greater than” in step 1
– “greater than” is a total ordering, though

[Lattice of the levels with clearances S and TS over the categories NUC, EUR, US, each sublattice shown top to bottom; every (TS, X) dominates (S, X), but (TS, Ø) does not dominate (S, [NUC, EUR, US]):]
(TS, [NUC, EUR, US])
(TS, [NUC, EUR])  (TS, [NUC, US])  (TS, [EUR, US])
(TS, [NUC])  (TS, [EUR])  (TS, [US])
(TS, Ø)

(S, [NUC, EUR, US])
(S, [NUC, EUR])  (S, [NUC, US])  (S, [EUR, US])
(S, [NUC])  (S, [EUR])  (S, [US])
(S, Ø)
Reading Information
• On a read, information flows from the object to the subject, so reading must move information up, not down
– “Reads up” are disallowed, “reads down” are allowed
• Simple Security Condition (Step 2)
– Subject s can read object o iff L(s) dom L(o) and s has
permission to read o
• Note: combines mandatory control (relationship of
security levels) and discretionary control (the
required permission)
– Sometimes called “no reads up” rule
Writing Information
• Information flows up, not down
– “Writes up” allowed, “writes down” disallowed
• *-Property (Step 2)
– Subject s can write object o iff L(o) dom L(s) and s has
permission to write o
• Note: combines mandatory control (relationship of
security levels) and discretionary control (the required
permission)
– Sometimes called the “no writes down” rule
– We are not considering integrity here.
Basic Security Theorem, Step 2
• If a system is initially in a secure state, and every transition
of the system satisfies the simple security condition, step 2,
and the *-property, step 2, then every state of the system is
secure.
– Proof: induct on the number of transitions.
Problem
• Occasionally subjects at a higher security level need to communicate with subjects at a lower security level.
• E.g. a colonel needs to talk to a major
– The Colonel has clearance (Secret, {NUC, EUR})
– The Major has clearance (Secret, {EUR})
– The Colonel cannot talk (write) to the Major, because (Secret, {NUC, EUR}) dom (Secret, {EUR}) makes that a write down
– The Major can talk to the Colonel (“write up”; equivalently the Colonel may “read down”)
• Clearly absurd!
Solution
• Define a maximum and a current security level for each subject
– maxlevel(s) dom curlevel(s)
• A subject may effectively decrease its security level from the maximum in order to communicate with entities at a lower security level.
• Example
– Treat the Major with (Secret, {EUR}) as an object (the Colonel is writing to him/her)
– The Colonel has maxlevel (Secret, {NUC, EUR})
– The Colonel sets curlevel to (Secret, {EUR})
– Now L(Major) dom curlevel(Colonel)
• The Colonel can write to the Major without violating “no writes down”
• Temporary downgrading assumes that the subject sanitizes the data from the higher security level (possible for processes, difficult for humans).
• Alternatively, identify a set of “trusted” subjects which are permitted to violate the *-property.
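The dominance relation, the lattice it induces, the step 2 read/write rules and the maxlevel/curlevel solution above, as an added Python example that is not part of the lecture slides. The level representation, the Subject class, the can_read/can_write functions and the access control matrix acm are assumptions made for this demonstration; the example also computes the Hasse diagram edges of the whole 32-element lattice with the rule from the security lattice slide, which goes beyond the single diagram shown there.

```python
from itertools import product

# Linear ordering of classifications (index = rank), as on the Step 1 slide.
CLASSES = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {c: i for i, c in enumerate(CLASSES)}
CATEGORIES = ("NUC", "EUR", "US")          # the categories used on the slides


def level(classification, categories=()):
    """Normalise (clearance, category set) so levels compare by value."""
    return (classification, frozenset(categories))


def dom(l1, l2):
    """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    (a1, c1), (a2, c2) = level(*l1), level(*l2)
    return RANK[a2] <= RANK[a1] and c2 <= c1


def join(l1, l2):
    """Least upper bound: higher classification, union of categories."""
    (a1, c1), (a2, c2) = level(*l1), level(*l2)
    return (CLASSES[max(RANK[a1], RANK[a2])], c1 | c2)


def meet(l1, l2):
    """Greatest lower bound: lower classification, intersection of categories."""
    (a1, c1), (a2, c2) = level(*l1), level(*l2)
    return (CLASSES[min(RANK[a1], RANK[a2])], c1 & c2)


def all_levels():
    """L = A x P(categories): 4 classifications x 8 category subsets = 32 levels."""
    subsets = [frozenset(c for c, bit in zip(CATEGORIES, bits) if bit)
               for bits in product((0, 1), repeat=len(CATEGORIES))]
    return [(a, s) for a in CLASSES for s in subsets]


def is_partial_order(levels):
    """dom is reflexive, antisymmetric and transitive on the given levels."""
    for x in levels:
        if not dom(x, x):
            return False
        for y in levels:
            if x != y and dom(x, y) and dom(y, x):
                return False
            if dom(x, y) and any(dom(y, z) and not dom(x, z) for z in levels):
                return False
    return True


def hasse_edges(levels):
    """Edges (lo, hi) of the Hasse diagram: hi dom lo, hi != lo, and no third
    level strictly between them (the rule on the security lattice slide)."""
    edges = set()
    for lo in levels:
        for hi in levels:
            if lo == hi or not dom(hi, lo):
                continue
            between = (c for c in levels if c != lo and c != hi)
            if not any(dom(hi, c) and dom(c, lo) for c in between):
                edges.add((lo, hi))
    return edges


class Subject:
    """A subject with a maximum and a current level (assumed model of the Solution slide)."""
    def __init__(self, name, maxlevel):
        self.name = name
        self.maxlevel = level(*maxlevel)
        self.curlevel = self.maxlevel

    def set_curlevel(self, new_level):
        """The current level may move anywhere below maxlevel, never above it."""
        new_level = level(*new_level)
        if not dom(self.maxlevel, new_level):
            return False
        self.curlevel = new_level
        return True


def can_read(subject, obj, obj_level, acm):
    """Simple security condition (step 2): curlevel(s) dom L(o), plus DAC read."""
    return dom(subject.curlevel, obj_level) and "r" in acm.get((subject.name, obj), "")


def can_write(subject, obj, obj_level, acm):
    """*-property (step 2): L(o) dom curlevel(s), plus DAC write."""
    return dom(obj_level, subject.curlevel) and "w" in acm.get((subject.name, obj), "")


if __name__ == "__main__":
    # Constructed access control matrix (the DAC part): (subject, object) -> rights.
    acm = {("Colonel", "Major"): "w"}
    colonel = Subject("Colonel", ("Secret", {"NUC", "EUR"}))
    major = ("Secret", {"EUR"})                 # the Major treated as an object
    print("write at maxlevel:", can_write(colonel, "Major", major, acm))   # False
    colonel.set_curlevel(("Secret", {"EUR"}))
    print("write at curlevel:", can_write(colonel, "Major", major, acm))   # True
```

Running the block replays the Colonel/Major exchange: the write is refused while the Colonel is at maxlevel and granted once curlevel drops to (Secret, {EUR}). is_partial_order and hasse_edges check the two claims of the lattice slides directly (dom is a partial order; the category lattice has 12 edges and the full product lattice 72).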
Example: Trusted Solaris (here 12 Sept, Tue)
• Provides mandatory access controls
– Subjects and objects have labels.
– The security level of a subject or object is represented by a sensitivity label
– Sensitivity labels for subjects consist of a classification and a set of categories.
– Each user/subject has a range of sensitivity labels (classification, category set)
– Clearance is the least upper bound of all sensitivity labels of a user/subject.
• Default labels are ADMIN_HIGH (dominates any other label), used for system logs and configuration files
– and ADMIN_LOW (dominated by any other label), used for system objects
• Subject S has a controlling user US (i.e. the user running it)
– SL is the sensitivity label of subject S
– S also has an attribute privileged(S, P), which is true if S can override or bypass part of security policy P
– The attribute asserted(S, P) is true if S has the privileged attribute and is currently overriding P
Rules for ordinary users
For process S: US is the controlling user of S, CL is the clearance of US, SL is the sensitivity label of S, and OL is the sensitivity label of object O
1. If ¬privileged(S, “change SL”), then no sequence of operations can change SL to a value that it has not previously assumed.
2. If ¬privileged(S, “change SL”), then asserted(S, “change SL”) is false.
3. If ¬privileged(S, “change SL”), then no value of SL can be outside the clearance of US.
4. For all subjects S and named objects O: if ¬privileged(S, “change OL”), then no sequence of operations can change OL to a value that it has not previously assumed.
Rules (cont’d)
For process S: US is the controlling user of S, CL is the clearance of US, SL is the sensitivity label of S, and OL is the sensitivity label of object O
5. For all subjects S and named objects O: if ¬privileged(S, “override O’s mandatory read access control”), then read access to O is granted only if SL dom OL
– This is an instantiation of the simple security condition (no read up)
6. For all subjects S and named objects O: if ¬privileged(S, “override O’s mandatory write access control”), then write access to O is granted only if OL dom SL and CL dom OL.
– That is, the process with label SL must satisfy the *-property with respect to OL, while the user's clearance CL must still be able to read OL.
– The instantiation of the *-property (no write down) is that the subject’s and object’s labels are the same.
Initial Assignment of Labels
• Each account is assigned a label range [user’s minimum label, clearance] (note that the clearance is the upper bound of the label range).
• On login, Trusted Solaris determines whether the session is single-level
– If clearance = minimum label, this is a single-level account and the session gets that label
– If not, the session is multi-level; the user is asked to specify a clearance for the session, which must be in the label range
– In a multi-level session, the user can change to any label in the range from the session clearance down to the minimum
• This is useful if the user has several workspaces, each with its own sensitivity level.
– This is a kind of role-based access control.
Writing is a bit unlike BLP
• Writing is allowed when subject and object labels are the same, OR (if the file has a higher label than the process but lower than the user’s clearance)
• when the file is in a special downgraded directory D, with sensitivity label DL, that an admin can create.
• The conditions for subject S with sensitivity label SL and clearance CL to write into file O with sensitivity label OL, which is in directory D with sensitivity label DL, are:
– SL dom DL, i.e. the subject can read and search the directory
– S has discretionary read and search access to D
– OL dom SL and OL ≠ SL, i.e. the no-write-down rule
– S has discretionary write access to O
– CL dom OL, i.e. the clearance of the user dominates the object’s label
• Note: the subject cannot read that object
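Rules 3, 5 and 6 for ordinary users together with the downgraded-directory write conditions above, as an added Python model that is not Solaris code and not from the slides. Process, Directory, File, the privilege strings such as "override mandatory write", and the ACM entries are assumptions made for this demonstration; the ADMIN_HIGH/ADMIN_LOW handling in dom follows the description of those two labels on the Trusted Solaris slide.

```python
from dataclasses import dataclass

# Classification order from the Step 1 slide plus the two administrative labels.
CLASSES = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {c: i for i, c in enumerate(CLASSES)}
ADMIN_HIGH, ADMIN_LOW = "ADMIN_HIGH", "ADMIN_LOW"


def dom(l1, l2):
    """l1 dominates l2; ADMIN_HIGH dominates every label, ADMIN_LOW is dominated by every label."""
    if l1 == ADMIN_HIGH or l2 == ADMIN_LOW:
        return True
    if l1 == ADMIN_LOW or l2 == ADMIN_HIGH:
        return False
    (a1, c1), (a2, c2) = l1, l2
    return RANK[a2] <= RANK[a1] and frozenset(c2) <= frozenset(c1)


@dataclass
class Process:
    name: str
    user: str                            # controlling user US
    sl: tuple                            # sensitivity label SL of the process
    cl: tuple                            # clearance CL of the controlling user
    privileges: frozenset = frozenset()  # parts of the policy this process may override


@dataclass
class Directory:
    name: str
    label: tuple                         # DL
    downgraded: bool = False             # admin-created downgraded directory


@dataclass
class File:
    name: str
    label: tuple                         # OL
    directory: Directory


def has_rights(acm, user, obj, rights):
    """Discretionary part: every requested right must be in the ACM entry (assumed format)."""
    return all(r in acm.get((user, obj), "") for r in rights)


def may_change_sl(p, new_sl):
    """Rule 3: without the 'change SL' privilege, SL must stay inside the user's clearance."""
    return "change SL" in p.privileges or dom(p.cl, new_sl)


def may_read(p, f, acm):
    """Rule 5 (simple security condition): SL dom OL unless privileged; DAC read always needed."""
    mandatory = "override mandatory read" in p.privileges or dom(p.sl, f.label)
    return mandatory and has_rights(acm, p.user, f.name, "r")


def may_write(p, f, acm):
    """Rule 6 as refined on the 'Writing is a bit unlike BLP' slide."""
    d = f.directory
    if "override mandatory write" in p.privileges:
        mandatory = True
    elif f.label == p.sl:                          # the ordinary case: equal labels
        mandatory = True
    else:                                          # the downgraded-directory exception
        mandatory = (d.downgraded
                     and dom(p.sl, d.label)                        # SL dom DL: can search D
                     and has_rights(acm, p.user, d.name, "rx")     # DAC read + search on D
                     and dom(f.label, p.sl) and f.label != p.sl    # strictly up: no write down
                     and dom(p.cl, f.label))                       # CL dom OL
    return mandatory and has_rights(acm, p.user, f.name, "w")


def demo():
    """Constructed scenario: a (Secret, {EUR}) editor owned by a user cleared to (Secret, {NUC, EUR})."""
    sl, cl = ("Secret", frozenset({"EUR"})), ("Secret", frozenset({"NUC", "EUR"}))
    editor = Process("editor", "alice", sl, cl)
    drop = Directory("drop", sl, downgraded=True)
    home = Directory("home", sl)
    report = File("report", ("Secret", frozenset({"NUC", "EUR"})), drop)   # higher than SL, within CL
    notes = File("notes", sl, home)                                        # same label as the process
    acm = {("alice", "drop"): "rx", ("alice", "report"): "rw", ("alice", "notes"): "rw"}
    return {"write report": may_write(editor, report, acm),   # True: downgraded-directory case
            "read report": may_read(editor, report, acm),     # False: the subject cannot read it
            "write notes": may_write(editor, notes, acm),     # True: equal labels
            "read notes": may_read(editor, notes, acm)}       # True


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The interesting case is report: the editor may append to it because every condition of the downgraded directory holds, yet may_read returns False, which is exactly the "subject cannot read that object" note; the process writes up without being able to see what is already there.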
Directory Problem
• Process p with security level MAC_A tries to create the file /tmp/x
• /tmp/x already exists but has MAC label MAC_B
– Assume that MAC_B dom MAC_A
• The create fails because it would effectively be a “write down” (if the create succeeded, the file /tmp/x would get MAC label MAC_A).
– Now p knows that a file named x with a higher label exists: this is an information flow.
• Fix: only programs with the same MAC label as the directory can create files in the directory
– Now compilation won’t work and mail can’t be delivered, so a further fix is needed.
Multilevel Directory
• A multilevel directory has a set of hidden subdirectories, one per security level (label).
– Not normally visible to the user
– Process p with MAC_A creating /tmp/x actually creates /tmp/d/x, where d is the subdirectory corresponding to MAC_A
– All of p’s references to /tmp actually go to /tmp/d
• p cd’s to /tmp
– The system call stat(".", &buf) returns the information (inode) of the real directory, i.e. /tmp/d
– The system call mldstat(".", &buf) returns the information about /tmp itself
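The directory problem and the multilevel-directory fix as an added in-memory model in Python; it is not Trusted Solaris code and the stat/mldstat system calls are only imitated by two methods. The MAC_A/MAC_B labels, the hidden /tmp/.<label> naming and the return codes are constructed for this demonstration. leaks_existence asks the question the slide raises: does a MAC_A process's result depend on whether a MAC_B /tmp/x exists?

```python
# Constructed labels: MAC_B dom MAC_A, as the Directory Problem slide assumes.


class FlatTmp:
    """One shared /tmp: a create that would relabel an existing file is refused."""
    def __init__(self):
        self.files = {}                       # visible path -> MAC label

    def create(self, label, path):
        if path in self.files:
            if self.files[path] == label:
                return "EEXIST"
            # A different label would relabel the file (a write down when the
            # existing label dominates ours), so the create must be refused ...
            return "EACCES"
            # ... and the distinct error code tells the caller the file exists.
        self.files[path] = label
        return "OK"


class MldTmp:
    """Multilevel /tmp: each label gets a hidden subdirectory, e.g. /tmp/.MAC_A."""
    def __init__(self):
        self.files = {}                       # real path -> MAC label
        self.mld_dirs = ["/tmp"]              # directories that are multilevel

    def resolve(self, label, path):
        """Map a user-visible path under an MLD to the per-label hidden directory."""
        for d in self.mld_dirs:
            if path == d or path.startswith(d + "/"):
                return f"{d}/.{label}" + path[len(d):]
        return path

    def create(self, label, path):
        real = self.resolve(label, path)
        if real in self.files:
            return "EEXIST"                   # only this label's own files are visible
        self.files[real] = label
        return "OK"

    def stat(self, label, path):
        """Like stat("."): the real (hidden) directory the process is working in."""
        return self.resolve(label, path)

    def mldstat(self, label, path):
        """Like mldstat("."): the multilevel directory itself."""
        return path


def low_observation(fs_class, high_file_exists):
    """What a MAC_A process sees when creating /tmp/x, with or without a MAC_B /tmp/x."""
    fs = fs_class()
    if high_file_exists:
        assert fs.create("MAC_B", "/tmp/x") == "OK"
    return fs.create("MAC_A", "/tmp/x")


def leaks_existence(fs_class):
    """True if the low process's result depends on the high file, i.e. one bit flows down."""
    return low_observation(fs_class, False) != low_observation(fs_class, True)


if __name__ == "__main__":
    for cls in (FlatTmp, MldTmp):
        print(cls.__name__, "leaks existence of the higher file:", leaks_existence(cls))
```

With FlatTmp the two observations are "OK" and "EACCES", so the existence of the MAC_B file is visible to MAC_A; with MldTmp both are "OK" because the MAC_B file lives in /tmp/.MAC_B and the MAC_A process only ever sees /tmp/.MAC_A, which is why compilers and mail delivery keep working.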
Alternative to MLDs - Labeled Zones
• Used in Trusted Solaris Extensions, and various flavors of Linux
• Zone: virtual environment tied to a unique label
– Each process can only access objects in its zone – isolation among
the zones.
• Global zone encompasses everything on system
– Its label is ADMIN_HIGH
– Only system administrators can access this zone
• Each zone has a unique root directory
– All objects within the zone have that zone’s label
– Each zone has a unique label
More about Zones
• Other file systems can be imported or mounted from other zones, provided that:
– If importing a read-only file system, the importing zone’s label must dominate the imported zone’s label (no read up)
– If importing read-write, the importing zone’s label must equal the imported zone’s label
• since labels are unique this means the zones are the same, so the import is unnecessary
– Labels are checked only at the time of import
• Objects in the imported file system retain their labels
• Therefore a process can access an object only when the multilevel constraints allow it
More about Zones
• Imported file systems have names distinct from the files in the importing zone.
• An imported file system is mounted at the directory “/zone/label”.
• Executable files from system areas in the global zone (/usr) are mounted using a special loopback option.
– It makes them appear to be at ADMIN_LOW, so that every process can read and execute them.
• The same trick is used to mount read-only file systems whose label dominates that of the importing file system.
Example: Solaris Trusted Extensions system
note: the global zone is at level ADMIN_HIGH

[Figure: directory tree. The global zone (ADMIN_HIGH) holds / and /usr. The labeled zones L1, L2 and L3 each have their own root with export, zone and usr subdirectories; L2’s export directory appears, imported, under the zone directory of L1 and under the zone directory of L3.]

• L1 dom L2
• L3 dom L2
• A process in L1 can read any file in the export directory of L2 (assuming discretionary permissions allow it)
• L1 and L3 are disjoint
– They do not share any files
• System directories are imported from the global zone at ADMIN_LOW
– So they can only be read
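The zone import rules and the /usr loopback trick, applied to the L1/L2/L3 example above, as an added Python model that is not Solaris Trusted Extensions code. The (rank, category set) label encoding, the Zone class, its mount table and the "/zone/<name>" mount points are assumptions made for this demonstration; ADMIN_HIGH and ADMIN_LOW are encoded as the top and bottom of that order.

```python
UNIVERSE = frozenset({"NUC", "EUR", "US"})
ADMIN_LOW = (0, frozenset())             # dominated by every label
ADMIN_HIGH = (float("inf"), UNIVERSE)    # dominates every label


def dom(l1, l2):
    """Dominance on (rank, category set): higher-or-equal rank and a superset of categories."""
    return l1[0] >= l2[0] and l1[1] >= l2[1]


def under(path, mount_point):
    return path == mount_point or path.startswith(mount_point + "/")


class Zone:
    """A labeled zone: every object it owns carries the zone's (unique) label."""
    def __init__(self, name, label):
        self.name = name
        self.label = label
        self.mounts = {}   # mount point -> (label of the imported objects, "ro" | "rw")

    def import_fs(self, other, mode):
        """Import another zone's file system; the label check happens only here."""
        if mode == "ro" and not dom(self.label, other.label):   # no read up
            return False
        if mode == "rw" and self.label != other.label:          # rw needs equal labels
            return False
        self.mounts[f"/zone/{other.name}"] = (other.label, mode)
        return True

    def import_system_dirs(self):
        """Loopback-mount the global zone's /usr so that it appears at ADMIN_LOW."""
        self.mounts["/usr"] = (ADMIN_LOW, "ro")
        return True

    def can_read(self, path):
        """Imported objects keep their own labels, so reads are checked against them."""
        for mp, (label, _mode) in self.mounts.items():
            if under(path, mp):
                return dom(self.label, label)
        return True        # the zone's own objects carry its label

    def can_write(self, path):
        for mp, (label, mode) in self.mounts.items():
            if under(path, mp):
                return mode == "rw" and label == self.label
        return True


def build_example():
    """The three zones of the slide: L1 dom L2, L3 dom L2, L1 and L3 incomparable (constructed labels)."""
    L1, L2, L3 = (1, frozenset({"NUC"})), (1, frozenset()), (1, frozenset({"EUR"}))
    zones = {n: Zone(n, lab) for n, lab in (("L1", L1), ("L2", L2), ("L3", L3))}
    for z in zones.values():
        z.import_system_dirs()
    zones["L1"].import_fs(zones["L2"], "ro")
    zones["L3"].import_fs(zones["L2"], "ro")
    zones["L1"].import_fs(zones["L3"], "ro")   # refused: L1 does not dominate L3
    return zones


if __name__ == "__main__":
    zones = build_example()
    for name, z in zones.items():
        print(name, "mounts:", sorted(z.mounts))
```

build_example reproduces the bullets of the figure: L1 and L3 each end up with /zone/L2 mounted read-only, L1 never gets a /zone/L3, every zone can read but not write /usr, and because labels are unique a read-write import between distinct zones is always refused.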
Principle of Tranquility
• Raising an object’s security level
– Information once available to some subjects is no longer available
– Usually we assume the information has already been accessed, so this does nothing
• Lowering an object’s security level
– This is the declassification problem
– Essentially, it is a “write down” violating the *-property
– Solution: define a set of trusted subjects that sanitize (or remove) sensitive information before the security level is lowered
Types of Tranquility
• Strong Tranquility
– The clearances of subjects, and the classifications of
objects, do not change during the lifetime of the system
• Weak Tranquility
– The clearances of subjects, and the classifications of
objects, do not change in a way that violates the simple
security condition or the *-property during the lifetime
of the system
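Strong and weak tranquility as an added Python model that is not from the slides: a BLP state is the level of every subject and object plus the set of current accesses, a transition is accepted only if every current access still satisfies the simple security condition and the *-property, and an object relabel is checked the same way. The BlpSystem class, the trusted-subject set used for declassification, and the choice to reject (rather than revoke) a relabel that would break a current access are assumptions of this model.

```python
# Classification order from the Step 1 slide.
CLASSES = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {c: i for i, c in enumerate(CLASSES)}


def dom(l1, l2):
    """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    (a1, c1), (a2, c2) = l1, l2
    return RANK[a2] <= RANK[a1] and frozenset(c2) <= frozenset(c1)


class BlpSystem:
    """State: a level per subject and object plus the set of current accesses."""
    def __init__(self, subjects, objects, trusted=()):
        self.subjects = dict(subjects)
        self.objects = dict(objects)
        self.trusted = set(trusted)        # subjects allowed to declassify
        self.accesses = set()              # (subject, object, "read" | "write")

    def is_secure(self):
        """Every current access satisfies the SSC (reads) and the *-property (writes)."""
        for s, o, mode in self.accesses:
            ls, lo = self.subjects[s], self.objects[o]
            if mode == "read" and not dom(ls, lo):
                return False
            if mode == "write" and not dom(lo, ls):
                return False
        return True

    def request(self, s, o, mode):
        """Transition: grant the access only if the resulting state is secure."""
        self.accesses.add((s, o, mode))
        if self.is_secure():
            return True
        self.accesses.discard((s, o, mode))
        return False

    def release(self, s, o, mode):
        self.accesses.discard((s, o, mode))

    def relabel(self, o, new_level, tranquility, actor=None):
        """Change an object's level under strong or weak tranquility."""
        old = self.objects[o]
        if tranquility == "strong":
            return False                   # classifications never change
        lowering = dom(old, new_level) and old != new_level
        if lowering and actor not in self.trusted:
            return False                   # declassification needs a trusted subject
        self.objects[o] = new_level
        if self.is_secure():               # weak: no SSC or *-property violation
            return True
        self.objects[o] = old              # a current access would break; reject
        return False


if __name__ == "__main__":
    # Constructed levels for the demonstration.
    sysm = BlpSystem({"analyst": ("Secret", {"NUC"}), "declassifier": ("Secret", {"NUC"})},
                     {"report": ("Secret", {"NUC"})}, trusted={"declassifier"})
    sysm.request("analyst", "report", "read")
    print("raise while read:", sysm.relabel("report", ("Top Secret", {"NUC"}), "weak"))   # False
    sysm.release("analyst", "report", "read")
    print("raise after release:", sysm.relabel("report", ("Top Secret", {"NUC"}), "weak"))  # True
```

Raising a level is refused only while a subject still holds a read that the new level would turn into a "read up"; once that read is released the information has already flowed and the raise "does nothing", as the slide says. Lowering is the declassification case: it is refused for untrusted actors outright, and even for a trusted actor while an existing write would become a write down.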
Controversy
• McLean:
– “value of the (basic security theorem) BST is much
overrated since there is a great deal more to security than it
captures. Further, what is captured by the BST is so trivial
that it is hard to imagine a realistic security model for
which it does not hold.”
– Basis: given assumptions known to be non-secure, BST
can prove a non-secure system to be secure
Key Points
• Confidentiality models restrict flow of information
• Bell-LaPadula models multilevel security
– Cornerstone of much work in computer security
• Controversy over meaning of security
– Different definitions produce different results