Foundations of Computer SecurityLecture 12: Lattice-Based Security and the BLP MetapolicyDr. Bill YoungDepartment of Computer SciencesUniversity of Texas at AustinLecture 12: 1 Lattice-Based Security and the BLP MetapolicyLattice Based SecurityRecall that the set of labels within our MLS system form a partialorder under the dominates relation. The following is also true:1any two elements have a least upper bound (supremum orjoin), and2any two elements have a greatest lower bound (infimum ormeet).Thus, the set of labels form an algebraic structure called a lattice.Lecture 12: 2 Lattice-Based Security and the BLP MetapolicyA Lattice(H, {A, B})(H, {B})(H, {A})(L, {B})(L, {A}(L, {A, B})(H, {})(L,{})Assume a BLP systemwith hierarchical levels {H, L} (withH > L) and categories {A, B}. On theright is a directed graph representationof the resulting lattice of labels.The arrows represent (some of)the dominates relationships among thelabels. If there is an path from L1to L2in the graph, then L1≤ L2.To simplify the picture, it does not include the reflexive ortransitive arrows.Lecture 12: 3 Lattice-Based Security and the BLP MetapolicyThe BLP MetapolicyL1L2A path in the graphfrom L1to L2means that “information isallowed to flow” from level L1to level L2.That can happen in either of two ways:1a subject at levelL2can read a level L1object, or2a subject atlevel L1can write a level L2object.If no such path exists from L1to L2, then Simple Security shouldprevent 1 and the *-Property should prevent 2.Lecture 12: 4 Lattice-Based Security and the BLP MetapolicySo What is the Metapolicy?(H, {A, B})(H, {B})(H, {A})(L, {B})(L, {A}(L, {A, B})(H, {})(L,{})Recall that a metapolicy is the collectionof overall security goals of the system.So for any Bell and LaPadulasystem, we only want informationto flow “upward” in the lattice ofsecurity levels. Equivalently, informationmay flow from L1to L2only if L2≥ L1.Any other flow indicates a violation ofthe security goals.Lecture 12: 5 Lattice-Based Security and the BLP MetapolicyThe Bottom LineThe metapolicy of any BLP system is to constrain the flow ofinformation among the different security levels.Recall that the metapolicy is what we really care about from thesecurity standpoint.So, if we can build a system that satisfies the BLP rules yet stillviolates the metapolicy, the BLP rules must not be enough!Lecture 12: 6 Lattice-Based Security and the BLP MetapolicyLessonsBLP is a collection of access control rules: Simple Security,*-Property, some version of Tranquility.The set of BLP labels under dominates forms a lattice; such apolicy is an instance of lattice-based security.The overall goal of BLP (the metapolicy) is to constrain theflow of information among the different security levels withinthe lattice.The metapolicy gives us a means of evaluating whether theBLP rules are up to the job.Next lecture: Covert ChannelsLecture 12: 7 Lattice-Based Security and the BLP