Foundations of Computer SecurityLecture 10: Tranquility and BLPDr. Bill YoungDepartment of Computer SciencesUniversity of Texas at AustinLecture 10: 1 Tranquility and BLPChanging LabelsSimple Security and the *-property constrain accesses to objects bysubjects according to the relationship between their labels. Butwhat if the labels are allowed to change?Assume you could somehow change an object’s label from(Top Secret: { Crypto })to(Unclassified: {})independent of the object’s contents. This would clearly violateconfidentiality. Why?John McLean of the Naval Research Lab pointed out that our rulesso far don’t prohibit this.Lecture 10: 2 Tranquility and BLPTranquility PropertiesWe clearly need an additional rule that governs changing labels.You might choose one of these:The Strong Tranquility Property: Subjects and objects do notchange labels during the lifetime of the system.The Weak Tranquility Property: Subjects and objects do notchange labels in a way that violates the “spirit” of the securitypolicy.Are these useful? Are they overly restrictive? What if a user needsto operate at different levels during the course of the day?Lecture 10: 3 Tranquility and BLPWeak TranquilityThe Weak Tranquility Property: Subjects and objects do notchange labels in a way that violates the “spirit” of the securitypolicy.What does this mean?Suppose your system includes a command to lower the level ofa object in an unconstrained way. Does that violate the goalsof simple security or the *-property?Suppose your system includes a command to raise the level ofa object in an unconstrained way. Does that violate the goalsof simple security or the *-property?What about subjects? Can they change levels up or down?Lecture 10: 4 Tranquility and BLPBell and LaPadulaThe Simple Security Property, *-Property and Tranquility Propertyformalize a large portion of multi-level security, which is alsosometimes called military security.This formalization is due to D. Elliott Bell and Len LaPadula(1973–75) and is called the Bell and LaPadula Model (BLP).Despite its age BLP is still a cornerstone of modern computersecurity and is still very widely used as a policy.Lecture 10: 5 Tranquility and BLPLessonsThe ability to change labels arbitrarily can subvert security, sowe need a tranquility property to deal with that threat.Simple Security, the *-Property, and Tranquility together formthe basis of the Bell and LaPadula (BLP) model of security.BLP is a widely used model of military security.Next lecture: Access Control PoliciesLecture 10: 6 Tranquility and
View Full Document
Unlocking...