Summary of the resource
U4. Bell-LaPadula
- A confidentiality policy that forbids information flows from 'high' security levels down to 'low' security levels.
- Only considers information flows that occur when a subject observes or alters an object.
- BLP is a state machine model.
- To define the BLP state set, consider 3 separate aspects:
  - Current access operations
  - Current assignment of security levels
  - Current permissions
- Access permissions are defined through an access control matrix and through security levels that form a partial ordering.
- 2 mandatory BLP policies:
  - Simple security property (no read-up)
    - The ss-property simply means that a subject is not allowed to observe (read) an object of a higher security level than itself.
    - The first BLP policy forbids information flows from 'high' to 'low' security levels.
    - When a subject reads an object, the information flow is from object to subject.
    - It is therefore natural to prevent low-level subjects reading high-level objects.
    - For example, a user who has been cleared to 'secret' level is not allowed to read a 'top secret' document.
  - Star property (no write-down)
    - The ss-property is fine for 'observe' activities, but it does not prevent improper declassification of information.
    - It does not prevent a high-level subject reading a high-level object and copying the information to a lower-level object, possibly allowing a low-level subject to read this object.
    - The star property is in place to prevent this.
    - Problems with no write-down:
      - If the subject's maximum security level were used, no write-down would mean that higher-level users could not communicate with lower-level users.
      - Using the current security level in the *-property instead allows the temporary downgrade of a subject.
      - Therefore the current security level is used.
    - Trusted subjects:
      - Trusted subjects are subjects that are permitted to violate the *-property.
      - The star property can be redefined and demanded only for subjects that are not trusted.
      - Trusted subjects may violate security policies!
      - A trusted subject may be in a position to inflict damage.
      - Trusted subjects may not be trustworthy.
      - A trustworthy subject could be defined as one that will not inflict damage!
- Discretionary security (ds) property:
  - The ds-property only permits operations that are expressly stated in the access control matrix.