NCSU CSC (ECE) 574 - Lattice Based Access Control Models


CSC 474/574 Information Systems Security
Dr. Peng Ning, Computer Science
Topic 4.2: Lattice Based Access Control Models

LATTICE-BASED MODELS
• Information flow policies
  – Denning’s axioms
• Bell-LaPadula model (BLP)
• Biba model and its duality (or equivalence) to BLP

Information Flow Policies
• Concerned with the flow of information from one security class to another.
  – Not between objects
  – Does such a policy care about
    • Information from top secret class to secret class?
    • Information from file A to file B?
• Approach
  – Assign each object a security class (also called a security label).
  – Control information flow between objects based on their labels.
• Information flows from security class A to security class B
  – Information flows from an object labeled A to an object labeled B.

Denning’s Definition of Information Flow Policy
< SC, →, ⊕ >
  SC: set of security classes
  → ⊆ SC × SC: flow relation (i.e., can-flow)
  ⊕: SC × SC → SC: class-combining operator
Intuitions:
  A → B: Information can flow from security class A to security class B.
  A ⊕ B → C: Information combined from A and B can flow to C.

Example 1
• High-low policy
  – Information can only flow between each class and from low class to high class, but not from high class to low class
• In Denning’s formalism:
  – SC = {H, L}
  – → = {______, ______, ______}
  – ⊕ = {H ⊕ H = ___, H ⊕ L = ___, L ⊕ H = ___, L ⊕ L = ___}

Example 2
• Policy
  – Two departments A and B.
  – Four security classes
    • {}: Public information
    • {A}: Only people working in A can access.
    • {B}: Only people working in B can access.
    • {A, B}: Only people working in both A and B can access.
  – Never disclose any secret information.
• In Denning’s formalism:
  – SC = {____, ____, ____, ____}
  – → = {______, ______, ______, ______, ______, ______, ______, ______, ______}
  – ⊕ = {______, ______, ______, ______, ______, ______}

DENNING'S AXIOMS
< SC, →, ⊕ >
1. SC is finite
2. → is a partial order on SC
3. SC has a lower bound L such that L → A for all A ∈ SC
4. ⊕ is a totally defined least upper bound operator on SC

DENNING'S AXIOMS (Cont’d)
• Axiom 2: → is a partial order on SC
  – → is reflexive:
    • For all A in SC, A → A.
    • Intuition: Information can flow within each class.
  – → is transitive:
    • If A → B and B → C, then A → C.
    • Intuition: If indirect flow is possible from A to C via B, then we should allow direct information flow from A to C.
    • Not always desirable.
  – → is anti-symmetric:
    • If A → B and B → A, then A = B.
    • Intuition: We don’t need redundant classes.
    • Equivalently, if A → B and A ≠ B, then B ↛ A.

Example 3
• Which of the following are partial orders?
  – {A, B, C}, A → B, B → C, A → C
  – {A, B, C}, A → A, B → B, C → C
  – {A, B, C}, A → A, B → B, C → C, A → B

DENNING'S AXIOMS (Cont’d)
• Axiom 3: SC has a lower bound L such that L → A for all A in SC.
  – Existence of public information in the system.

DENNING'S AXIOMS (Cont’d)
• Axiom 4: ⊕ is a totally defined least upper bound (lub) operator on SC
  – A ⊕ B is defined for each pair of A and B in SC.
    • Intuition: It is possible to combine information from any two classes.
  – The ⊕ operator is a least upper bound
    • A → A ⊕ B and B → A ⊕ B for all A, B in SC
    • If A → C and B → C, then A ⊕ B → C.
      – A ⊕ B is the least one among all the upper bounds of A and B.
  – The ⊕ operator can be applied to any number of security classes.

DENNING'S AXIOMS IMPLY
• SC is a universally bounded lattice
• there exists a Greatest Lower Bound (glb) operator ⊗ (also called meet)
• there exists a highest security class H

LATTICE STRUCTURES
• reflexive and transitive edges are implied but not shown
[Figure: Hierarchical Classes. Unclassified, Confidential, Secret, Top Secret, connected by can-flow edges]

LATTICE STRUCTURES
[Figure: Unclassified, Confidential, Secret, Top Secret, showing can-flow and dominance (≥)]

Categories and Compartments
• Categories: individual elements
• Compartments: set of categories.
  – The set of compartments is the power set of the set of categories.
  – Compartments form a subset lattice over the set of categories.
• Example:
  – The set of categories: {A, B}
  – The set of Compartments:
    • {______, ______, ______, ______}

LATTICE STRUCTURES
[Figure: Compartments and Categories. {ARMY, CRYPTO}; {ARMY}, {CRYPTO}; {}]

LATTICE STRUCTURES
[Figure: Compartments and Categories. {ARMY, NUCLEAR, CRYPTO}; {ARMY, NUCLEAR}, {ARMY, CRYPTO}, {NUCLEAR, CRYPTO}; {ARMY}, {NUCLEAR}, {CRYPTO}; {}]
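
An added example, not part of the lecture slides: a brute-force check of Denning's axioms 2 to 4 over an explicit can-flow relation, run on the {ARMY, CRYPTO} compartment lattice and on two damaged variants of it. The names check_denning, lub, subset_flow, FULL, NO_TOP and NO_BOTTOM are hypothetical, and the damaged variants are constructed here to show which axiom each one breaks.

```python
from itertools import product

def lub(sc, can, a, b):
    """Least upper bound of a and b under can-flow, or None if undefined."""
    uppers = [u for u in sc if can(a, u) and can(b, u)]
    least = [u for u in uppers if all(can(u, v) for v in uppers)]
    return least[0] if len(least) == 1 else None

def check_denning(sc, flow):
    """Return the axioms (2, 3, 4) that <sc, flow> violates.

    sc   -- finite set of security classes (axiom 1 holds by construction)
    flow -- set of (a, b) pairs meaning a -> b (can-flow)
    """
    can = lambda a, b: (a, b) in flow
    failed = []
    # Axiom 2: -> is reflexive, transitive and anti-symmetric.
    reflexive = all(can(a, a) for a in sc)
    transitive = all(can(a, c) for a, b, c in product(sc, repeat=3)
                     if can(a, b) and can(b, c))
    antisym = all(a == b for a, b in product(sc, repeat=2)
                  if can(a, b) and can(b, a))
    if not (reflexive and transitive and antisym):
        failed.append(2)
    # Axiom 3: some class L flows to every class.
    if not any(all(can(low, a) for a in sc) for low in sc):
        failed.append(3)
    # Axiom 4: the lub is defined for every pair of classes.
    if any(lub(sc, can, a, b) is None for a, b in product(sc, repeat=2)):
        failed.append(4)
    return failed

def subset_flow(classes):
    """can-flow for compartments: a -> b iff a is a subset of b."""
    return {(a, b) for a in classes for b in classes if a <= b}

# Constructed sample data: compartments over the categories ARMY and CRYPTO.
E, A, C = frozenset(), frozenset({"ARMY"}), frozenset({"CRYPTO"})
AC = frozenset({"ARMY", "CRYPTO"})
FULL = {E, A, C, AC}     # the full power set: a lattice
NO_TOP = {E, A, C}       # {ARMY} and {CRYPTO} have no upper bound
NO_BOTTOM = {A, C, AC}   # no public class that flows everywhere

if __name__ == "__main__":
    for name, sc in [("FULL", FULL), ("NO_TOP", NO_TOP), ("NO_BOTTOM", NO_BOTTOM)]:
        print(name, "violates axioms:", check_denning(sc, subset_flow(sc)))
```

NO_TOP is still a partial order with a lower bound, so only the missing {ARMY} ⊕ {CRYPTO} betrays it; a label set that drops the combined compartment cannot classify data derived from both sources.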

Combining Different Lattices
• Two lattices L1 = (SC1, →, ⊗) and L2 = (SC2, →, ⊗) can be combined into L = (SC, →, ⊗) as follows:
  – SC = SC1 × SC2
    • Intuition: The resulting security classes are all combinations of those in L1 and L2.
  – For (c1, c2) and (c1’, c2’) in SC, (c1, c2) → (c1’, c2’) if and only if c1 → c1’ and c2 → c2’.
    • Intuition: Information can flow from (c1, c2) to (c1’, c2’) if and only if L1 permits information flow from c1 to c1’ and L2 permits information flow from c2 to c2’.
  – (c1, c2) ⊗ (c1’, c2’) = (c1 ⊗ c1’, c2 ⊗ c2’).
    • Intuition: Combining security classes in L is equivalent to combining security classes in L1 and L2 separately.

LATTICE STRUCTURES
[Figure: Combined Lattice. The product of the two lattices: levels TS, S and compartments {A,B}, {A}, {B}, {}]

SMITH'S LATTICE
• With large lattices a vanishingly small fraction of the labels will actually be used
• Smith's lattice: 4 hierarchical levels, 8 categories, therefore
  – number of possible labels = 4*2^8 = 1024
  – Only 21 labels are actually used (2%)
  – Consider 16 hierarchical levels, 64 compartments which gives 10^20
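
An added example, not part of the lecture slides: the product of the level lattice {S, TS} and the compartment lattice over {A, B} from the combined-lattice slide, with the componentwise flow check, join and meet, plus the label-count arithmetic from the Smith's lattice slide. All function and constant names are hypothetical.

```python
from itertools import combinations, product

LEVELS = ["S", "TS"]       # L1: hierarchical levels, lowest first
CATEGORIES = ["A", "B"]    # L2: the power set of these categories

def compartments(cats):
    """All subsets of the category set (the compartment lattice)."""
    return [frozenset(c) for r in range(len(cats) + 1)
            for c in combinations(cats, r)]

def labels():
    """SC = SC1 x SC2: every (level, compartment) pair."""
    return list(product(LEVELS, compartments(CATEGORIES)))

def can_flow(x, y):
    """(c1, c2) -> (c1', c2') iff c1 -> c1' in L1 and c2 -> c2' in L2."""
    return LEVELS.index(x[0]) <= LEVELS.index(y[0]) and x[1] <= y[1]

def join(x, y):
    """Componentwise least upper bound: higher level, union of compartments."""
    return (max(x[0], y[0], key=LEVELS.index), x[1] | y[1])

def meet(x, y):
    """Componentwise greatest lower bound: lower level, intersection."""
    return (min(x[0], y[0], key=LEVELS.index), x[1] & y[1])

def join_is_least_upper_bound():
    """Brute-force check that join() is the lub under can_flow for all pairs."""
    sc = labels()
    for x, y in product(sc, repeat=2):
        j = join(x, y)
        uppers = [u for u in sc if can_flow(x, u) and can_flow(y, u)]
        if j not in uppers or not all(can_flow(j, u) for u in uppers):
            return False
    return True

def label_count(levels, categories):
    """Number of labels in the product lattice: levels * 2^categories."""
    return levels * 2 ** categories

if __name__ == "__main__":
    a, b = ("S", frozenset({"A"})), ("TS", frozenset({"B"}))
    print("labels:", len(labels()))
    print("a -> b:", can_flow(a, b), " b -> a:", can_flow(b, a))
    print("join:", join(a, b), " meet:", meet(a, b))
    print("Smith's lattice:", label_count(4, 8), "possible labels")
```

The two sample labels are incomparable: neither may flow to the other, and data combined from both must be labeled with their join.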

