Discussion about Access Control on Computer Security using Bell LaPadula




1. Describe the working process of the Bell-LaPadula model in full

The Bell-LaPadula Model (BLP) is a computer security model that combines mandatory and discretionary access control. The model focuses on confidentiality: keeping the different users who share a mainframe through different terminals from reading each other's files. In addition, because the funding for this research (like much computer security research throughout history) came from the military, the authors adopted the military's Top Secret / Secret / Confidential / Unclassified hierarchy. The purpose of BLP is therefore to keep classified data confidential, and to share it only when sharing is permitted.

· Read Down

The first goal of the Bell-LaPadula security model is to prevent users from accessing information above their security clearance. In other words, a user with only low-level ("Confidential") clearance should not be able to read files marked "Top Secret" (a higher level of confidentiality), while someone with Top Secret clearance should. The paper calls this the Simple Security Property, because a naive security model might consider it sufficient on its own. Wikipedia has a good concise definition of this property: "subjects at a certain level of security may not read objects at a higher level of security."

· Write Up

Fortunately, the MULTICS researchers acknowledged the vulnerability in relying only on the Simple Security Property: "The expected interpretation of the model anticipates the protection of the information container rather than the information itself. Therefore, malicious programs (interpretations of a subject) may pass the classification of information by entering it into information containers labeled at a level lower than the information itself." {B/P page 16} In other words, nothing in the Simple Security Property stops a malicious Top Secret user from reading information in one file and then copying it into a new file that users with lower clearance can read. The *-property (no write down) closes this gap: a subject may only write to objects whose level dominates its own, so information can only flow upward.

· Trusted Write Down

With these two properties, however, information naturally drifts "up" toward the most secret classification and never comes back down. To overcome this, the model also has the concept of "trusted subjects": special users who are permitted to "write down", that is, to write data to a lower classification level.

· Legacy

While MULTICS never achieved mass adoption, a team of former MULTICS researchers went on to create UNICS (later UNIX) as a simpler side project which, among other changes, applied only discretionary access control.

2. Give an example of a case study that applies the Bell-LaPadula model to computer security.

More formally, each object is associated with a security level of the form (classification level, set of categories). Each subject is also associated with a maximum and a current security level; the current level can be changed dynamically but may never exceed the maximum. The set of classification levels is totally ordered by the relation $<$. For example, the levels can be top-secret, secret, confidential, unclassified, where

  unclassified < confidential < secret < top-secret

Categories are a set of names such as Nuclear and NATO. Security level A dominates security level B if and only if the classification level of A is greater than or equal to the classification level of B, and the category set of A includes the category set of B. For example,

  top-secret, {Nuclear, NATO}

dominates

  secret, {NATO}

because

  top-secret > secret

and the set

  {Nuclear, NATO}

includes

  {NATO}

In the model, an access request (sub, obj, acc) is granted if and only if all of the following properties are satisfied:

simple security property (no read up): if acc is read, then level(sub) must dominate level(obj).
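As an added worked example (not part of the original post), the following Python code implements the dominance relation and the access decisions discussed above: the read rule stated formally in section 2 (no read up), plus the no-write-down rule and the trusted-subject write-down described in section 1. The class and function names (`Label`, `Subject`, `Obj`, `check_access`, the `trusted` flag) and the sample subjects and objects are constructed for illustration; they are not from the paper.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet


class Level(IntEnum):
    """Totally ordered classification levels: unclassified < confidential < secret < top-secret."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A security level of the form (classification level, set of categories)."""
    level: Level
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B iff level(A) >= level(B) and categories(A) is a superset of categories(B).
        # The relation is reflexive (a label dominates itself) and only partial:
        # two labels with disjoint category sets dominate neither the other.
        return self.level >= other.level and self.categories >= other.categories


@dataclass
class Subject:
    name: str
    max_label: Label
    current_label: Label
    trusted: bool = False  # assumed flag: trusted subjects are allowed to write down

    def set_current_label(self, new_label: Label) -> None:
        """The current level may change dynamically but must stay dominated by the maximum."""
        if not self.max_label.dominates(new_label):
            raise PermissionError(f"{self.name}: {new_label} exceeds maximum clearance")
        self.current_label = new_label


@dataclass(frozen=True)
class Obj:
    name: str
    label: Label


def check_access(sub: Subject, obj: Obj, acc: str) -> bool:
    """Reference-monitor decision for a request (sub, obj, acc)."""
    if acc == "read":
        # simple security property (no read up): level(sub) must dominate level(obj)
        return sub.current_label.dominates(obj.label)
    if acc == "write":
        # *-property (no write down): level(obj) must dominate level(sub),
        # except for trusted subjects, which are permitted to write down.
        return sub.trusted or obj.label.dominates(sub.current_label)
    raise ValueError(f"unknown access mode: {acc}")


def demo() -> Dict[str, bool]:
    """Walk through the page's example labels; returns each decision keyed by a description."""
    ts_nuclear_nato = Label(Level.TOP_SECRET, frozenset({"Nuclear", "NATO"}))
    secret_nato = Label(Level.SECRET, frozenset({"NATO"}))
    secret_nuclear = Label(Level.SECRET, frozenset({"Nuclear"}))

    # constructed sample subjects and objects
    alice = Subject("alice", max_label=ts_nuclear_nato, current_label=ts_nuclear_nato)
    bob = Subject("bob", max_label=secret_nato, current_label=secret_nato)
    downgrader = Subject("downgrader", max_label=ts_nuclear_nato,
                         current_label=ts_nuclear_nato, trusted=True)
    war_plan = Obj("war-plan", ts_nuclear_nato)
    nato_memo = Obj("nato-memo", secret_nato)
    reactor_note = Obj("reactor-note", secret_nuclear)

    results = {
        "alice reads nato-memo (read down)": check_access(alice, nato_memo, "read"),
        "bob reads war-plan (no read up)": check_access(bob, war_plan, "read"),
        "bob reads reactor-note (incomparable categories)": check_access(bob, reactor_note, "read"),
        "bob writes war-plan (write up)": check_access(bob, war_plan, "write"),
        "alice writes nato-memo (no write down)": check_access(alice, nato_memo, "write"),
        "downgrader writes nato-memo (trusted write down)": check_access(downgrader, nato_memo, "write"),
    }
    # Alice lowers her current level to the memo's level: now she may write it,
    # but she loses read access to the top-secret plan until she raises it again.
    alice.set_current_label(secret_nato)
    results["alice at secret writes nato-memo"] = check_access(alice, nato_memo, "write")
    results["alice at secret reads war-plan"] = check_access(alice, war_plan, "read")
    return results


if __name__ == "__main__":
    for description, granted in demo().items():
        print(f"{'GRANT' if granted else 'DENY '} {description}")
```

The lowering of Alice's current level is the mechanism that lets an ordinary (untrusted) subject write to a lower-level object without violating the *-property: while working at the lower level she can no longer read the higher-level plan, so nothing she writes can carry top-secret content down.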
