Multilevel Security
Transcript of Multilevel Security
Multilevel Security
• Definition and need for MLS
• Bell-LaPadula model
• Biba model
• Multilevel security implementation
Definition and need for MLS
• In a multilevel secure (MLS) database, every stored data item carries a classification, and that classification constrains who may access the item
• MLS allows users with different clearances to get different views of the same data
• MLS must not allow downward leakage, i.e. a user with a lower clearance must never see data stored at a higher classification
Definition and need for MLS
• Multilevel systems are found mostly in government (defense and intelligence) settings
• Some private-sector systems also have multilevel security needs
• MLS must preserve the same integrity guarantees that the relational model provides
• The relational model provides entity integrity (every tuple has a unique, non-null key) and referential integrity (every foreign key refers to an existing tuple)
Definition and need for MLS
• An MLS relation is stored decomposed into several single-level relations, one per security level
• A recovery algorithm reconstructs the MLS relation from the decomposed single-level relations
• Some MLS updates cannot be carried out exactly as requested, because completing them would leak or destroy secret information
Definition and need for MLS
• In the relational model, relations are tables; a relation consists of tuples (rows) and attributes (columns)
• Example: consider the relation SOD(Starship, Objective, Destination)

Starship   | Objective   | Destination
Enterprise | Exploration | Talos
Voyager    | Spying      | Mars
Definition and need for MLS
• In the relational model, the relation in the example carries no classification at all
• The same example in MLS, with a classification attached to every data element (U = unclassified, S = secret), looks as follows:

Starship     | Objective     | Destination
Enterprise U | Exploration U | Talos U
Voyager U    | Spying S      | Mars S
Definition and need for MLS
• In MLS, access classes can be assigned to:
– Individual tuples in a relation
– Individual attributes of a relation
– Individual data elements of tuples in a relation
• Discretionary Access Control (DAC) decides whether a user may read data, but it does not control what the user, or a program running on the user's behalf, then does with that data
• The Trojan Horse scenario illustrates this problem and how it can be abused in an MLS setting
Definition and need for MLS
• Trojan Horse scenario:
– Bob owns file f1
– Eve owns file f2
– Eve grants Bob write privilege on f2
– A utility program P (say, a fancy printing tool) contains the intended code plus hidden code that reads from f1 and writes to f2; the hidden code is the Trojan Horse
Trojan Horse
• Bob executes P; it does what it is supposed to do and, in addition, reads the contents of f1 and writes them to f2
• Eve owns f2, so Eve can now read the contents of f1, which were never made available to her
• This Trojan Horse shows how DAC can be subverted: Bob's legitimate read access to f1 and write access to f2 are combined, by code Bob never inspected, into a flow of information that the owner of f1 never authorized
Bell – LaPadula Model
• Bell-LaPadula model shows how to use Mandatory Access Control (MAC) to prevent the Trojan Horse
• Bell-LaPadula model was developed in 1973
• This is an extension of the Access Matrix model with classified data
• This model has two components:
– Classification
– Set of categories
Bell – LaPadula Model
• Classification has four values {U, C, S, TS}
– U = unclassified
– C = confidential
– S = secret
– TS = top secret
• Classifications are totally ordered: TS > S > C > U
• The set of categories (also called compartments) describes the data environment and the application area, e.g. the project or department the data belongs to; unlike classifications, category sets are only partially ordered, by set inclusion
Bell – LaPadula Model
• A security level is denoted by a pair of a classification X and a set of categories Y
L1 = (X1, Y1)
• The relationship among security levels is defined as follows: L1 ≥ L2 if X1 ≥ X2 and Y1 ⊇ Y2
In this case L1 is said to dominate L2
• Dominance is a partial order: two levels whose category sets are not nested, e.g. (S, {A}) and (S, {B}), are incomparable, and neither dominates the other
Bell – LaPadula Model
• Bell-LaPadula model is based on a subject-object paradigm
• Subjects are active elements of the system that execute actions
• Objects are passive elements of the system that contain information
• Subjects act on behalf of users; each user has a security level (clearance) that indicates how far the system trusts that user
Bell – LaPadula Model
• Subjects execute access modes on objects
• Access modes are:
– Read-only
– Append (writing without reading)
– Execute
– Read-write (writing with reading, so the writer knows the data)
• Decentralized administration of privileges on objects
Bell – LaPadula Model
• Two main properties of this model for a secure system are:
– Simple security property
– Star property
• Simple security property (no read up): a subject may have read (or read-write) access to an object only if the clearance of the subject dominates the security level of the object
Bell – LaPadula Model
• Star property (no write down): an untrusted subject may
– append to an object only if the object's security level dominates the subject's level
– read-write an object only if the object's security level equals the subject's level
– read an object only if the subject's security level dominates the object's level
• This model guarantees secrecy by preventing unauthorized release of information
• This model does not protect from unauthorized modification of information: nothing in the two properties stops a low-level subject from appending garbage to a high-level object
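The dominance relation and the two Bell-LaPadula properties above can be checked mechanically, and doing so shows exactly where the Trojan Horse from the DAC section is stopped. The following is an added example, not code from the lecture: a small reference monitor over (classification, category set) levels, replaying P's two hidden steps (read f1, append to f2). The scenario is constructed, and it assumes Bob is cleared for S, f1 is an S object, f2 is Eve's U object, and P runs with Bob's clearance.

```python
"""Bell-LaPadula reference monitor over (classification, categories) levels.
Added illustration, not code from the lecture. Constructed scenario: Bob is cleared
for S, his file f1 is S, Eve's file f2 is U, and the Trojan-horse program P runs with
Bob's clearance (the level names, files and the program's level are assumptions)."""
from dataclasses import dataclass

RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}      # TS > S > C > U


@dataclass(frozen=True)
class Level:
    classification: str
    categories: frozenset = frozenset()      # compartments, e.g. {"NATO"}

    def dominates(self, other: "Level") -> bool:
        """L1 >= L2 iff X1 >= X2 and Y1 is a superset of Y2 (a partial order)."""
        return (RANK[self.classification] >= RANK[other.classification]
                and self.categories >= other.categories)


def may_access(subject: Level, obj: Level, mode: str) -> bool:
    """Simple security property + *-property for an untrusted subject."""
    if mode == "read":                       # no read up
        return subject.dominates(obj)
    if mode == "read-write":                 # observe and alter: levels must be equal
        return subject.dominates(obj) and obj.dominates(subject)
    if mode == "append":                     # blind write up is allowed
        return obj.dominates(subject)
    if mode == "execute":                    # no observation, no alteration
        return True
    raise ValueError(f"unknown access mode {mode!r}")


def trojan_horse(subject: Level, src: Level, dst: Level) -> dict:
    """Replay P's two hidden steps (read src, append to dst) through the monitor."""
    read_ok = may_access(subject, src, "read")
    write_ok = may_access(subject, dst, "append")
    return {"read": read_ok, "write": write_ok, "leaked": read_ok and write_ok}


def scenario() -> dict:
    bob, f1, f2 = Level("S"), Level("S"), Level("U")
    return trojan_horse(bob, f1, f2)


if __name__ == "__main__":
    print(scenario())   # the append to f2 is refused, so nothing leaks
```

The read of f1 is allowed (Bob dominates f1), but the append to f2 fails the star property because U does not dominate S, so the copy never happens regardless of what DAC permissions Eve granted. Had Eve instead created f2 at level S so that the append succeeded, the simple security property would stop her own U-level read of it; the leak needs both steps to pass, and MAC refuses at least one of them.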
Biba Model
• Developed in 1977
• Overcomes the integrity problem of Bell-LaPadula
• Similar to Bell-LaPadula
• Classifications (integrity levels) are:
– Crucial (C)
– Very Important (VI)
– Important (I)
• Relationship is C > VI > I
Biba Model
• Access modes are:
– Modify (similar to 'write' in Bell-LaPadula)
– Invoke (applies to two subjects: one subject calls another)
– Observe (similar to 'read' in Bell-LaPadula)
– Execute (execute a program)
• The strict integrity policy involves:
– No read down: a subject may observe an object only if the object's integrity level dominates the subject's
– No write up: a subject may modify an object only if the subject's integrity level dominates the object's
– Invoke: a subject may invoke another subject only if the invoker's integrity level dominates the invoked subject's
Biba Model
• Biba model's strict integrity policy has no counterpart to the 'append' mode of Bell-LaPadula, since a blind write up is exactly what integrity must forbid
• Strict integrity policy prevents information from flowing from low-integrity objects to higher-integrity objects
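Biba's strict integrity rules are the mirror image of Bell-LaPadula's, and the easiest way to see why the chain in the last bullet is cut is to run a sequence of observe/modify/invoke steps through a checker. The following is an added example, not code from the lecture. The invoke rule it applies (the calling subject must dominate the called one) and the sample chain, in which untrusted network input would reach a crucial configuration object via a Very Important service, are this example's own assumptions.

```python
"""Biba strict-integrity checker over the levels C > VI > I.
Added illustration, not code from the lecture. The invoke rule used here (the
calling subject must dominate the called one) and the sample chain of steps are
this example's assumptions."""

INTEGRITY = {"I": 0, "VI": 1, "C": 2}        # Important < Very Important < Crucial


def dominates(a: str, b: str) -> bool:
    return INTEGRITY[a] >= INTEGRITY[b]


def biba_allows(subject: str, target: str, mode: str) -> bool:
    """subject/target are integrity levels; target is an object (observe, modify,
    execute) or another subject (invoke)."""
    if mode == "observe":            # no read down: target at least as trusted
        return dominates(target, subject)
    if mode == "modify":             # no write up: subject at least as trusted
        return dominates(subject, target)
    if mode == "invoke":             # caller must dominate callee
        return dominates(subject, target)
    if mode == "execute":
        return True
    raise ValueError(f"unknown access mode {mode!r}")


def first_rejected(levels: dict, steps: list):
    """Run a sequence of (actor, mode, target) steps through the policy and return
    the first step it refuses, or None if the whole chain is allowed. Shows that
    contamination from a low-integrity object cannot reach a crucial object."""
    for actor, mode, target in steps:
        if not biba_allows(levels[actor], levels[target], mode):
            return (actor, mode, target)
    return None


# Constructed scenario: untrusted input (I) would reach the crucial config (C)
# through a VI-level service that a C-level daemon invokes.
LEVELS = {"net_input": "I", "service": "VI", "daemon": "C", "config": "C"}
CONTAMINATION = [
    ("service", "observe", "net_input"),   # refused: reading down from VI to I
    ("daemon", "invoke", "service"),
    ("service", "modify", "config"),       # would also be refused: writing up
]
CLEAN = [
    ("daemon", "observe", "config"),
    ("daemon", "invoke", "service"),
    ("daemon", "modify", "config"),
]

if __name__ == "__main__":
    print("contamination chain stops at:", first_rejected(LEVELS, CONTAMINATION))
    print("clean chain rejected step:", first_rejected(LEVELS, CLEAN))
```

Note that the policy refuses the contaminating chain at its first step, the VI service reading I-level input; even if that read were somehow allowed, the later write up into the C-level config would be refused on its own. Compare this with Bell-LaPadula, where the same read down and the same write up would both be permitted, because that model only cares about secrecy.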
Multilevel security implementation
• Commercial DBMSs Oracle, Sybase, and TruData have MLS versions of their DBMS
• Because of Bell-LaPadula restrictions, subjects having different clearances see different versions of a multilevel relation
Starship     | Objective     | Destination
Enterprise U | Exploration U | Talos U
Voyager U    | Spying S      | Mars S
Figure 1
Multilevel security implementation
• A user with secret (S) clearance sees the entire table in Figure 1
• A user with clearance 'U' sees the following table, in which every S-classified element is replaced by Null:

Starship     | Objective     | Destination
Enterprise U | Exploration U | Talos U
Voyager U    | Null U        | Null U
Figure 2
Multilevel security implementation
• A user with clearance 'U' wants to update the second tuple in Figure 2 with (Voyager, Exploration, Talos)
• If this update were rejected, the user could infer that the Null values hide secret data about Voyager, which is an inference channel
• Instead, the MLS DBMS accepts the update and keeps both versions of the tuple, the U-level values for U users and the S-level values for S users, as shown in Figure 3; this is called polyinstantiation, and it lets the update proceed without leaking or destroying the secret data
Multilevel security implementation
Starship     | Objective     | Destination
Enterprise U | Exploration U | Talos U
Voyager U    | Exploration U | Talos U
Voyager U    | Spying S      | Mars S
Figure 3
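Figures 1 to 3 can be reproduced with a few dozen lines that model an element-level MLS relation: each value carries its own class, a view filters by clearance, and an update never overwrites data above the user's level. The following is an added example, not code from the lecture or from any of the commercial DBMSs named above. The function names, the Null-subsumption rule in view() (a filtered row that carries nothing beyond another row with the same key is dropped, so the U user cannot tell that a higher version exists) and the in-place-or-polyinstantiate rule in update() are this example's assumptions about how such a DBMS behaves; the data is the lecture's, entered by hand.

```python
"""Element-level MLS relation SOD(Starship, Objective, Destination).
Added illustration of Figures 1-3; not code from the lecture. Each attribute value
is stored as a (value, class) pair and Starship is the key. Function names, the
Null-subsumption rule in view() and the update procedure are this example's
assumptions about how a polyinstantiating MLS DBMS behaves."""

RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}

# Figure 1, entered by hand as constructed test data
FIG1 = [
    (("Enterprise", "U"), ("Exploration", "U"), ("Talos", "U")),
    (("Voyager", "U"), ("Spying", "S"), ("Mars", "S")),
]


def visible(element, clearance):
    return RANK[element[1]] <= RANK[clearance]


def subsumed(row, other):
    """row adds nothing beyond other: same key, and every non-Null element agrees."""
    return (row != other and row[0] == other[0]
            and all(a[0] == "Null" or a == b for a, b in zip(row, other)))


def view(relation, clearance):
    """What a user cleared to `clearance` sees (Figure 2 for 'U').
    Elements above the clearance become Null at the user's level; rows that then
    carry no information beyond another row (Null-subsumed) are dropped, so the low
    user cannot tell that a higher version of the tuple exists."""
    rows = []
    for row in relation:
        f = tuple(e if visible(e, clearance) else ("Null", clearance) for e in row)
        if f not in rows:
            rows.append(f)
    return [r for r in rows if not any(subsumed(r, o) for o in rows)]


def update(relation, clearance, key, new_values):
    """Update by a user at `clearance` of the tuple whose Starship == key.
    A row is rewritten in place only if all its non-key elements already sit at the
    user's level (it is the user's own instance). Any other row with that key is kept
    untouched: elements above the clearance must be neither read nor destroyed, and a
    rejection would leak that they exist. If no row was rewritten, the new values are
    stored as an additional tuple at the user's level: polyinstantiation (Figure 3)."""
    matches = [r for r in relation if r[0][0] == key and visible(r[0], clearance)]
    if not matches:
        raise KeyError(f"no tuple with key {key!r} visible at {clearance}")
    new_row = (matches[0][0],) + tuple((v, clearance) for v in new_values)
    result, replaced, first_kept = [], False, None
    for row in relation:
        if row not in matches:
            result.append(row)
        elif all(e[1] == clearance for e in row[1:]):
            if not replaced:                 # ordinary in-place update
                result.append(new_row)
                replaced = True
        else:
            first_kept = len(result) if first_kept is None else first_kept
            result.append(row)               # keep the other level's instance intact
    if not replaced:
        result.insert(first_kept, new_row)   # polyinstantiate next to the kept row
    return result


if __name__ == "__main__":
    fig3 = update(FIG1, "U", "Voyager", ("Exploration", "Talos"))
    for clearance in ("U", "S"):
        print(clearance, view(fig3, clearance))
```

Running the U-level update on Figure 1 yields exactly Figure 3: the S user sees both Voyager tuples, while the U user sees only (Voyager, Exploration, Talos), because the (Voyager, Null, Null) row is subsumed and dropped. The same rule also goes beyond the lecture's single case: a later S-level update of Voyager rewrites the S instance and leaves the U instance alone, so the U user's view is unchanged, and an update naming a starship that is not visible at the user's level fails as an ordinary "no such tuple" error rather than as a classification-specific refusal.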