The document covers confidentiality policies, particularly focusing on the Bell-LaPadula model, which establishes rules for information flow to prevent unauthorized disclosure. It explains security levels, information flow rules, and addresses the complexity of communication between subjects at different security levels. The lecture emphasizes the model's foundational role in multilevel security and its implications for maintaining confidentiality in computing systems.

1. Fall 2023 Cp 633 Slide #5-1
Chapter 5: Confidentiality
Policies
• This lecture covers sections: 5.1, 5.2 (with 5.2.1, 5.2.2
and 5.2.2.1 only), and 5.3 .
• Overview
– What is a confidentiality model
• Bell-LaPadula Model
– General idea
– Informal description of rules
• Tranquility
• Controversy

2. Fall 2023 Cp 633 Slide #5-2
Confidentiality Policy here 11 Sept mon
• Goal: prevent the unauthorized disclosure of information
– Deals with information flow
– Integrity aspect is incidental
• Multi-level security models are best-known examples
– Bell-LaPadula model is basis for many, or most, of
these.

3. Fall 2023
Cp 633 Slide #5-3
Bell-LaPadula Model, Step 1
• Security levels (i.e. security clearance) for subjects are arranged in
linear ordering, for example:
1. Top Secret: highest
2. Secret
3. Confidential
4. Unclassified: lowest
• User/process levels consist of security clearance L(s)
• Objects have security classification L(o)
• Access is achieved as function of security clearance and document
classification

4. Fall 2023
Cp 633
Slide #5-4
Example
security level –
clearance L(s)
subject Object –classification , L(o)
Top Secret Tamara Personnel Files
Secret Samuel E-Mail Files
Confidential Claire Activity Logs
Unclassified Ulaley Telephone Lists
• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Ulaley can only read Telephone Lists

5. Fall 2023
Cp 633 Slide #5-5
Reading Information
• Information flows can occur only in upward direction towards
clearance that subject does not have, not down
– Therefore - “Reads up” are disallowed, “reads down” are allowed
• Simple Security Condition (Step 1)
– Subject s can read object o iff, L(o) ≤ L(s) and s has permission
to read o
• Note: combines mandatory control – MAC (relationship of
security levels) and discretionary control DAC (the required
permission)
– Sometimes called “no reads up” rule

6. Fall 2023 Cp 633
Slide #5-6
Writing Information
• However, subject with high clearance can copy file with high
classification and write it to the file with low classification.
• But, information is only allowed to travel up, not down
– Therefore “writes down” are disallowed and “Writes up” are
allowed.
• *-Property (Step 1)
– Subject s can write object o iff L(s) ≤ L(o) and s has permission to
write o
• Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)
– Sometimes called “no writes down” rule, note we are not interested in integrity.

7. Fall 2023 Cp 633 Slide #5-7
Basic Security Theorem, Step 1
• Preliminary version of BST:
• If a system is initially in a secure state, and every transition
of the system satisfies the simple security condition, step 1,
and the *-property, step 1, then every state of the system is
secure
– Proof: induct on the number of transitions

8. Fall 2023
Cp 633 Slide #5-8
Bell-LaPadula Model, Step 2
• Expand notion of security level to include information categories
according to need to know principle.
• Objects are placed into Categories (or compartments).
– Each category is a kind of information, e.g intelligence on a
particular country…
• Security level now becomes a tuple (clearance, category set)
• Examples
– ( Top Secret, { NUC, EUR, US } )
– ( Confidential, { EUR, US } )
– ( Secret, { NUC, US } )

9. Fall 2023 Cp 633
Slide #5-9
Security lattice by information categories
• Lattice is generated by categories NUC, EUR, and US.
• The lines represent the ordering relation induced by  (subset of).
• The line is placed between A and B iff A  B, and A≠B and there
exists no C so that A C  B, A≠C, B≠C.
[NUC, EUR, US]
[NUC, EUR] [EUR, US]
[NUC, US]
[NUC] [EUR] [US]
Ø

10. Fall 2023
Cp 633 Slide #5-10
Security Levels and Lattices
• We need ordering relation among security levels expressed
as a tuple (clearance, category set) called dominance
• (A, C) dom (A, C) iff A ≤ A and C  C
• Examples
– (Top Secret, {NUC, US}) dom (Secret, {NUC})
– (Secret, {NUC, EUR}) dom (Confidential,{NUC, EUR})
– (Top Secret, {NUC}) dom (Confidential, {EUR})
• Let A be set of classifications, and C set of categories. Set of
security levels L = A  C, dom form lattice

11. Fall 2023 Cp 633 Slide #5-11
Levels and Ordering
• Relation of dominance is relation of partial ordering
• Security levels are partially ordered
– Any pair of security levels may be related by dom
• “dominates” serves the role of “greater than” in step 1
– “greater than” is a total ordering, though
(S, [NUC, EUR]) (S, [EUR, US])
(S, [NUC, US])
(S, [NUC]) (S, [EUR]) (S, [US])
(S, Ø)
(TS, [NUC, EUR]) (TS, [EUR, US])
(TS, [NUC, US])
(TS, [NUC]) (TS, [EUR]) (TS, [US])
(TS, Ø)
(TS, [NUC, EUR, US])
(S, [NUC, EUR, US])

12. Fall 2023 Cp 633 Slide #5-12
Reading Information
• Reading information flows up, not down
– “Reads up” are disallowed, “reads down” are allowed
• Simple Security Condition (Step 2)
– Subject s can read object o iff L(s) dom L(o) and s has
permission to read o
• Note: combines mandatory control (relationship of
security levels) and discretionary control (the
required permission)
– Sometimes called “no reads up” rule

13. Fall 2023 Cp 633 Slide #5-13
Writing Information
• Information flows up, not down
– “Writes up” allowed, “writes down” disallowed
• *-Property (Step 2)
– Subject s can write object o iff L(o) dom L(s) and s has
permission to write o
• Note: combines mandatory control (relationship of
security levels) and discretionary control (the required
permission)
– Sometimes called “no writes down” rule
– We are not looking into integrity in this theorem.

14. Fall 2023 Cp 633 Slide #5-14
Basic Security Theorem, Step 2
• If a system is initially in a secure state, and every transition
of the system satisfies the simple security condition, step 2,
and the *-property, step 2, then every state of the system is
secure.
– Proof: induct on the number of transitions.

15. Fall 2023 Cp 633 Slide #5-15
Problem
• Occasionally subjects from higher security level need to
communicate with subjects on lower security level.
• E.g. colonel needs to talk to major
– Colonel has (Secret, {NUC, EUR}) clearance
– Major has (Secret, {EUR}) clearance
– Colonel cannot talk (write) to major because (Secret, {NUC,
EUR}) dom (Secret, {EUR})
– Major can talk to colonel (“write up” or “read down”)
• Clearly absurd!

16. Fall 2023
Cp 633
Slide #5-16
Solution
• Define maximum and current security levels for subjects
– maxlevel(s) dom curlevel(s)
• A subject may effectively decrease security level from maximum in order to
communicate with entities at lower security level.
• Example
– Treat Major with (Secret, {EUR}) as an object (Colonel is writing to him/her)
– Colonel has maxlevel (Secret, { NUC, EUR })
– Colonel sets curlevel to (Secret, { EUR })
– Now L(Major) dom curlevel(Colonel)
• Colonel can write to Major without violating “no writes down”
• Temporary downgrading assumes that subject sanitizes the data from the higher
security level (possible for processes, difficult for humans).
• Identify a set of “trusted” subjects which are permitted to violate *-property.

17. Example: Trusted Solaris here 12 Sept tue
• Provides mandatory access controls
– Subjects and objects have labels.
– Security level of subject or object is represented by sensitivity label
– Sensitivity labels for subjects consist of classifications and a set of categories.
– Each user - subject has a range of sensitivity labels (classification, category)
– Clearance is least upper bound of all sensitivity labels of a user/subject.
• Default labels are ADMIN_HIGH (dominates any other label) with system logs
and configuration files
– and ADMIN_LOW (dominated by any other label) with system objects
• Subject S has controlling user US (i.e user running it)
– SL is a sensitivity label of subject S
– S has also attribute privileged(S, P) which is true if S can override or bypass
part of security policy P
– Attribute asserted (S, P) is true if S has attribute privileged and is overriding P
Fall 2023 cp633 Slide 5-17

18. Rules for ordinary users
For process S: US is controlling user of S, CL is clearance of S /US,
SL is sensitivity label of S, and OL is sensitivity label of O
1. If ¬privileged(S, “change SL”), then no sequence of operations can
change SL to a value that it has not previously assumed
2. If ¬privileged(S, “change SL”), then asserted(S, “change SL”) is false.
3. If ¬privileged(S, “change SL”), then no value of SL can be outside
the clearance of US
4. For all subjects S and named objects O: if ¬privileged(S, “change
OL”), then no sequence of operations can change OL to a value that it
has not previously assumed.
Fall 2023 cp633
Slide 5-18

19. Rules (con’t)
For process S: US is controlling user of S, CL is clearance of US /S ,
SL is sensitivity label of S, and OL is sensitivity label of O
5. For all subjects S, named objects O: if ¬privileged(S, “override O’s
mandatory read access control”),
-then read access to O is granted only if SL dom OL
–This is instantiation of simple security condition -no read up
6. For all subjects S, named objects O: if ¬privileged(S, “override O’s
mandatory write access control”), then write access to O is granted only if
OL dom SL and CL dom OL .
– This actually means that process with SL should have start property with respect to
OL but with its clearance label CL it should be able to read OL .
– Instantiation of *-property, no write down, is that subject’s and object’s labels are
the same.
Fall 2023 Cp633 Slide 5-19

20. Initial Assignment of Labels
• Each account is assigned a label range [user’s minimum label,
clearance] (note clearance is the upper bound of label range).
• On login, Trusted Solaris determines if the session is single-level
– If clearance = minimum label, this is single level account and session gets
that label
– If not, multi-level; user asked to specify clearance for session; must be in
the label range
– In multi-level session, user can change to any label in the range of the
session clearance to the minimum
• This is useful if user has several workspaces each with its own sensitivity
level.
– This is kind of role based access control.
Fall 2023 Cp633 Slide 5-20

21. Writing is a bit unlike BLP
Writing is allowed when subject and object labels are the same OR (if
file has higher label than process but lower than user’s clearance)
• when file is in special downgraded directory D with sensitivity
label DL that admin can create.
• The conditions of subject S with sensitivity label SL and clearance
CL to write into file O with sensitivity label OL which is in directory
D with sensitivity level DL are:
– SL dom DL – i.e subject can read and search the directory
– S has discretionary read and search access to D
– OL dom SL and OL ≠ SL i.e. no write down rule
– S has discretionary write access to O
– CL dom OL i.e. clearance of user dominates the object’s label
• Note: subject cannot read that object Fall 2023
Cp633 Slide 5-21

22. Fall 2023
Cp 633 Slide #5-22
Directory Problem
• Process p with MAC_A security level tries to create file /tmp/x
• /tmp/x already exists but has MAC label MAC_B
– Assume that MAC_B dom MAC_A
• Create fails because this would be “write down” effectively (if create
succeeded then file /tmp/x would have MAC label MAC_A).
– Now p knows that a file named x with a higher label exists – this
is information flow.
• Fix: only programs with same MAC label as directory can create
files in the directory
– Now compilation won’t work, mail can’t be delivered so further
fix is needed.

23. Fall 2023 Cp 633
Slide #5-23
Multilevel Directory
• Multilevel Directory has a set of hidden subdirectories, one per
security level (label).
– Not normally visible to user
– Process p with MAC_A creating /tmp/x actually creates /tmp/d/x
where d is directory corresponding to MAC_A
– All p’s references to /tmp actually go to /tmp/d
• p cd’s to /tmp
– System call stat(“.”, &buf) returns information (inode) of real
directory i.e. /tmp/d
– System call mldstat(“.”, &buf) returns information about /tmp

24. Alternative to MLDs - Labeled Zones
• Used in Trusted Solaris Extensions, and various flavors of Linux
• Zone: virtual environment tied to a unique label
– Each process can only access objects in its zone – isolation among
the zones.
• Global zone encompasses everything on system
– Its label is ADMIN_HIGH
– Only system administrators can access this zone
• Each zone has a unique root directory
– All objects within the zone have that zone’s label
– Each zone has a unique label
Fall 2023 cp633 Slide 5-24

25. More about Zones
• Other file systems can be imported or mounted from other zones
provided that:
– If importing read-only filesystem, importing zone’s label must
dominate imported zone’s label (no read up)
– If importing read-write, importing zone’s label must equal
imported zone’s label
• since labels are unique this means that the zones are the same;
import unnecessary
– Labels are checked only at time of import
• Objects in imported file system retain their labels
• Therefore process can access object when multilevel constraints allow that
Fall 2023 Cp 633 Slide 5-25

26. More about Zones
• Imported file systems have names distinct from files in the
importing zone.
• Imported file system is mounted at the directory “/zone/label”.
• Executable files from system areas, which are in the global zone,
(/usr) are mounted using a special loopback option.
– It makes them appear to be at ADMIN_LOW so that every
process can read and execute them.
• The same trick is used to mount read-only file systems which
label dominates the one of the importing file system.
Fall 2023 CP 633 Slide #5-26

27. Example: Solaris Trusted Extensions system
note: global zone is at level ADMIN_HIGH
/
Global zone usr
L1 L2 L3
root
export zone usr
L2
export
root
export zone usr
root
export zone usr
L2
export
• L1 dom L2
• L3 dom L2
• Process in L1 can
read any file in the
export directory of
L2 (assuming
discretionary
permissions allow
it)
• L1, L3 disjoint
• Do not share
any files
• System directories
imported from
global zone, at
ADMIN_LOW
• So they can
only be read
Fall 2023
Cp 633 Slide 5-27

28. Fall 2023 Cp 633 Slide #5-28
Principle of Tranquility –
• Raising object’s security level
– Information once available to some subjects is no longer available
– Usually assume information has already been accessed, so this does
nothing
• Lowering object’s security level
– This is the declassification problem
– Essentially, it is a “write down” violating *-property
– Solution: define set of trusted subjects that sanitize (or remove)
sensitive information before security level lowered

29. Fall 2023 Cp 633 Slide #5-29
Types of Tranquility
• Strong Tranquility
– The clearances of subjects, and the classifications of
objects, do not change during the lifetime of the system
• Weak Tranquility
– The clearances of subjects, and the classifications of
objects, do not change in a way that violates the simple
security condition or the *-property during the lifetime
of the system

30. Fall 2023 Cp 633 Slide #5-30
Controversy
• McLean:
– “value of the (basic security theorem) BST is much
overrated since there is a great deal more to security than it
captures. Further, what is captured by the BST is so trivial
that it is hard to imagine a realistic security model for
which it does not hold.”
– Basis: given assumptions known to be non-secure, BST
can prove a non-secure system to be secure

31. Cp 633 Slide #5-31
Key Points
• Confidentiality models restrict flow of information
• Bell-LaPadula models multilevel security
– Cornerstone of much work in computer security
• Controversy over meaning of security
– Different definitions produce different results
Fall 2023