Outline

- Confidentiality Policy
- Goals of Confidentiality Policies
- Bell-LaPadula Model
- Informal Description
- Mandatory and Discretionary Access Control
- Star Property (Preliminary Version)
- Basic Security Theorem
- Categories and Need to Know Principle
- Security Lattice
- Dominate (dom) Relation
- New Security Condition and *-Property
- Allow Write Down?
- Data General B2 Unix System
- Three MAC Regions in DG/UX MAC Lattice
- Accesses with MAC Labels
- Multilevel Directory
- Mounting Unlabeled File System
- Interesting Case with Hard Links
- Enable Flexible Write in DG/UX

Confidentiality Policy

C. Edward Chow
CS691 – Chapter 5 of Matt Bishop
cs691chow

Goals of Confidentiality Policies

- Confidentiality policies emphasize the protection of confidentiality.
- A confidentiality policy, also called an information flow policy, prevents unauthorized disclosure of information.
- Example: the Privacy Act requires that certain personal data be kept confidential. E.g., income tax return info is only available to the IRS and to legal authorities with a court order. It limits the distribution of documents/info.

Bell-LaPadula Model

- The Bell-LaPadula model, also called the multi-level model, was proposed by Bell and LaPadula of MITRE for enforcing access control in government and military applications.
- It corresponds to military-style classifications. In such applications, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels determined by his security level.
- For instance, the following are two typical access specifications: "Unclassified personnel cannot read data at confidential levels" and "Top-Secret data cannot be written into the files at unclassified levels".

Informal Description

- The simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering.
- Clearances represent the security levels. The higher the clearance, the more sensitive the info.
- Basic confidential classification system:

Level              Individuals        Documents
Top Secret (TS)    Tamara, Thomas     Personnel Files
Secret (S)         Sally, Samuel      Electronic Mails
Confidential (C)   Claire, Clarence   Activity Log Files
Unclassified (UC)  Ulaley, Ursula     Telephone Lists

Mandatory and Discretionary Access Control

- The Bell-LaPadula model combines mandatory and discretionary access controls.
- "S has discretionary read (write) access to O" means that the access control matrix entry for S and O corresponding to the discretionary access control component contains a read (write) right.
- [Figure: access control matrix with columns A, B, C, D, O and rows Q, S, T; the entry for S and O is read(D).]
- If the mandatory controls were not present, S would be able to read (write) O.

Star Property (Preliminary Version)

- Let $L(S) = l_s$ be the security clearance of subject S.
- Let $L(O) = l_o$ be the security classification of object O.
- For all security classifications $l_i$, $i = 0, \ldots, k-1$: $l_i < l_{i+1}$.
- Simple Security Condition: S can read O if and only if $l_o \le l_s$ and S has discretionary read access to O.
- *-Property (Star property): S can write O if and only if $l_s \le l_o$ and S has discretionary write access to O.
- A TS guy cannot write documents lower than TS. This prevents leaks of classified information.
- But how can different groups communicate?

Basic Security Theorem

- Let  be a system with secure initial state 0.
- Let T be the set of state transformations.
- If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, then every state i, i ≥ 0, is secure.

Categories and Need to Know Principle

- Expand the model by adding a set of categories.
- Each category
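
The simple security condition and the *-property (preliminary versions) stated above, together with the idea behind the Basic Security Theorem, as an added example that is not part of the original slides. It uses the levels, individuals and documents from the classification table; the discretionary matrix, the request list and all function names are constructed assumptions.

```python
from itertools import product

# Linear ordering of the levels from the slides: l_i < l_{i+1}.
LEVELS = {"UC": 0, "C": 1, "S": 2, "TS": 3}

# Clearances and classifications taken from the slide's table.
SUBJECTS = {"Tamara": "TS", "Sally": "S", "Claire": "C", "Ulaley": "UC"}
OBJECTS = {"Personnel Files": "TS", "Electronic Mails": "S",
           "Activity Log Files": "C", "Telephone Lists": "UC"}

# Constructed discretionary matrix (assumption): every subject holds read and
# write on every object, so the mandatory rules alone decide the outcome.
DAC = {(s, o): {"read", "write"} for s, o in product(SUBJECTS, OBJECTS)}

def can_read(s, o, dac=DAC):
    """Simple security condition: l_o <= l_s and discretionary read."""
    return LEVELS[OBJECTS[o]] <= LEVELS[SUBJECTS[s]] and "read" in dac.get((s, o), ())

def can_write(s, o, dac=DAC):
    """*-property: l_s <= l_o and discretionary write."""
    return LEVELS[SUBJECTS[s]] <= LEVELS[OBJECTS[o]] and "write" in dac.get((s, o), ())

def state_is_secure(accesses, dac=DAC):
    """A state is a set of (subject, object, right) accesses; it is secure
    when every access satisfies the matching condition."""
    check = {"read": can_read, "write": can_write}
    return all(check[r](s, o, dac) for s, o, r in accesses)

def run(requests, dac=DAC):
    """Reference monitor: start from the empty (secure) state and apply only
    transformations that preserve both conditions. Returns (state, denied)."""
    state, denied = set(), []
    for req in requests:
        if state_is_secure(state | {req}, dac):
            state.add(req)
        else:
            denied.append(req)
    return state, denied

# Constructed sample requests (not from the slides).
SAMPLE_REQUESTS = [
    ("Sally", "Electronic Mails", "read"),    # same level: allowed
    ("Sally", "Personnel Files", "read"),     # read up: denied
    ("Sally", "Personnel Files", "write"),    # write up: allowed
    ("Tamara", "Telephone Lists", "write"),   # write down: denied
    ("Tamara", "Telephone Lists", "read"),    # read down: allowed
]

if __name__ == "__main__":
    print(run(SAMPLE_REQUESTS))
```

Because the monitor admits only requests that preserve both conditions, every state it passes through stays secure, which is what the Basic Security Theorem asserts for such a set of transformations.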


UCCS CS 6910 - Confidentiality Policy
