A confidentiality policy that forbids information flows
from 'high' security levels down to 'low' security levels.
It only considers information flows that occur
when a subject observes or alters an object.
BLP is a state machine model.
To define the BLP state set,
consider three separate aspects:
Current access operations.
Current assignment of security levels.
Current permissions.
Access permissions are defined through an
access control matrix and through security levels
that form a partial ordering.
Two mandatory BLP policies.
Simple security property (no read-up)
The ss-property simply means that a subject is not allowed to
observe (read) an object of a higher security level than itself.
The first BLP policy forbids information
flows from 'high' to 'low' security levels.
When a subject reads an object, the
information flow is from object to subject,
so it is natural to prevent low-level
subjects reading high-level objects.
For example, a user who has been cleared to 'secret'
level is not allowed to read a 'top secret' document.
Star property (no write-down)
The ss-property is fine for 'observe' activities, but it does
not prevent improper declassification of information:
it does not prevent a high-level subject reading a high-level
object and copying the information to a lower-level object, and
so possibly allowing a low-level subject to read this object.
The star property is in place to prevent this.
Problems with no write-down
Using the maximum security level, no write-down would mean
that higher-level users could not communicate with lower-level users.
Using the current security level in the *-property instead allows the
temporary downgrade of a subject.
Therefore the current security level is used.
Trusted subjects
Define trusted subjects as subjects that are
permitted to violate the *-property.
The star property can be redefined and
demanded only for subjects that are not trusted.
Trusted subjects may violate security policies!
A trusted subject may be in a position to inflict damage.
Trusted subjects may not be trustworthy:
a trustworthy subject could be defined as one
that will not inflict damage!
Discretionary security (ds) property:
The ds-property only permits operations that are
expressly stated in the access control matrix.