Foundations of Computer Security
Lecture 7: MLS Example: Part II
Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin

MLS Thought Experiment

Setting: General Eisenhower's office in 1943 Europe. Assume an environment in which we have:
- information at different "sensitivity" levels;
- individuals permitted access to selected pieces of information.

The goal: Understand what "security" (confidentiality) could mean in this context and define a policy (rules) to implement it.

Lecture 7: 1 MLS Example: Part II

Folder Sensitivity Labels

Information is parcelled out into separate containers (documents/folders) labeled according to sensitivity level.

Examples:
- (Secret: {Nuclear, Crypto}),
- (Top Secret: {Crypto}).

A question we suggested for confidentiality policies is: How do I characterize who is authorized to see what?

Authorization Levels

Let's assign individuals clearances or authorization levels, of the same form as document sensitivity levels. That is, each individual has:
- a hierarchical security level indicating the degree of trustworthiness to which he or she has been vetted;
- a set of "need-to-know categories" indicating domains of interest in which he or she is authorized to operate.

Notice that labels on documents indicate the sensitivity of the contained information; "labels" on humans indicate classes of information that person is authorized to access.

Least Privilege: An Aside

The need-to-know categories are a reflection that even within a given security level (such as Top Secret) not everyone needs to know everything. This is an instance of:

Principle of Least Privilege: Any subject should have access to the minimum amount of information needed to do its job.

This is as close to an axiom as anything in security. Why does it make sense?

Now What?

Question: Given that we have labels for documents and clearances for individuals, how do we decide which humans are permitted access to which documents?

Answer: Surely it's some relationship between the subject level and the object level. But what?

Should a human with the given clearance be able to read a document at the given sensitivity?

Clearance                      Sensitivity                 Access?
(Secret: {Crypto})             (Confidential: {Crypto})    Yes?
(Secret: {Crypto, Nuclear})    (Top Secret: {Crypto})      No?
(Secret: {Nuclear})            (Unclassified: {})          Yes?

Lessons

- To control access by individuals to documents/folders, we need "labels" for both.
- For documents the labels indicate the sensitivity of the information contained.
- For individuals, the labels indicate the authorization (clearance) to view certain classes of information.
- An individual should be given the minimal authorization to perform the job assigned. (Least Privilege)
- Whether an individual should be able to view a specific document depends on a relationship between the label of the document and the clearance of the individual.

Next lecture: MLS Example: Part III
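The "Now What?" slide leaves the read rule as an open question. The following added example (not part of the lecture) assumes the standard answer from the Bell-LaPadula model: a clearance dominates a label when its hierarchical level is at least as high and its category set contains every category of the label, and a subject may read an object only when its clearance dominates the object's label. The level ordering, the Label class and the explain helper are constructed for this example; the three test rows are the slide's table.

```python
# Added example, not the lecture's own code. ASSUMES the Bell-LaPadula
# dominance relation on (level: {categories}) labels: level at least as
# high AND category superset. Read is allowed only under dominance.
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical levels from lowest to highest (constructed ordering).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A sensitivity label or a clearance, written (level: {categories})."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level: {self.level}")

    def dominates(self, other: "Label") -> bool:
        """True iff self is at least as high and holds all of other's categories."""
        return (RANK[self.level] >= RANK[other.level]
                and self.categories >= other.categories)


def may_read(clearance: Label, sensitivity: Label) -> bool:
    """Simple-security rule: read only if clearance dominates the label."""
    return clearance.dominates(sensitivity)


def explain(clearance: Label, sensitivity: Label) -> str:
    """Say which half of the dominance check failed (useful in audit logs)."""
    if RANK[clearance.level] < RANK[sensitivity.level]:
        return f"denied: level {clearance.level} below {sensitivity.level}"
    missing = sensitivity.categories - clearance.categories
    if missing:
        return f"denied: missing need-to-know {sorted(missing)}"
    return "allowed"


# The three rows of the slide's table, in order.
TABLE = [
    (Label("Secret", frozenset({"Crypto"})), Label("Confidential", frozenset({"Crypto"}))),
    (Label("Secret", frozenset({"Crypto", "Nuclear"})), Label("Top Secret", frozenset({"Crypto"}))),
    (Label("Secret", frozenset({"Nuclear"})), Label("Unclassified")),
]

if __name__ == "__main__":
    for clr, sens in TABLE:  # prints: allowed, denied (level), allowed
        print(clr, "->", sens, ":", explain(clr, sens))
```

Note that two labels can be incomparable, e.g. (Secret: {Nuclear}) neither dominates nor is dominated by (Confidential: {Crypto}), so the rule defines a partial order, not a single ranking.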