Lecture 4: Bell LaPadula

Slides: 13
Provided by: james209
Learn more at: http://web.cecs.pdx.edu
Transcript and Presenter's Notes

1
Lecture 4: Bell LaPadula
CS 591 Introduction to Computer Security
  • James Hook

2
Objectives
  • Introduce the Bell LaPadula framework for
    confidentiality policy
  • Discuss realizations of Bell LaPadula

3
Follow Bishop
  • Presentation follows Bishop's slides for Chapter 5

4
Discussion
  • When would you choose to apply a model this
    restrictive?

5
Further Reading
  • Ross Anderson's Security Engineering, Chapter 7:
    Multilevel security
  • Standard Criticisms
  • Alternative formulations
  • Several more examples
  • Looking Back at the Bell-La Padula Model,
    David Elliott Bell, Proceedings 21st Annual
    Computer Security Applications Conference,
    December, 2005
  • http://www.acsac.org/2005/papers/Bell.pdf

6
Criticisms of Bell LaPadula
  • BLP is straightforward, supports formal analysis
  • Is it enough?
  • McLean wrote a critical paper asserting BLP rules
    were insufficient

7
McLean's System Z
  • Proposed System Z = BLP + (request for downgrade)
  • User L gets file H by first requesting that H be
    downgraded to L and then doing a legal BLP read
  • Proposed fix: tranquility
  • Strong: Labels never change during operation
  • Weak: Labels never change in a manner that would
    violate a defined policy
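
An added sketch (not from the lecture or Bishop's slides) of the System Z argument above: every individual access check is a legal BLP decision, yet user L ends up reading file H unless a tranquility rule blocks the relabel. The `Monitor` class, the two-level lattice and the "no downgrade" policy used for weak tranquility are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    LOW = 0
    HIGH = 1

class TranquilityViolation(Exception):
    """Raised when a relabel request breaks the tranquility rule in force."""

class Monitor:
    """Toy BLP reference monitor: linear levels only, no categories."""

    def __init__(self, tranquility="none"):
        # "none" models System Z; "strong" and "weak" model the proposed fix.
        self.tranquility = tranquility
        self.subjects = {}   # subject name -> clearance
        self.objects = {}    # object name  -> classification

    def can_read(self, subj, obj):
        # Simple security condition: no read up.
        return self.subjects[subj] >= self.objects[obj]

    def can_write(self, subj, obj):
        # *-property: no write down.
        return self.subjects[subj] <= self.objects[obj]

    def relabel(self, obj, new_level):
        if self.tranquility == "strong":
            raise TranquilityViolation("labels never change during operation")
        # Assumed policy for the weak case: an object may not be downgraded.
        if self.tranquility == "weak" and new_level < self.objects[obj]:
            raise TranquilityViolation("downgrade violates the defined policy")
        self.objects[obj] = new_level

def system_z_attempt(tranquility):
    """User L asks for file H to be downgraded, then tries a BLP read.
    Returns (read allowed before the request, read allowed after it)."""
    m = Monitor(tranquility)
    m.subjects["L"] = Level.LOW
    m.objects["H"] = Level.HIGH
    before = m.can_read("L", "H")
    try:
        m.relabel("H", Level.LOW)
    except TranquilityViolation:
        pass  # request refused, label unchanged
    return before, m.can_read("L", "H")

if __name__ == "__main__":
    for mode in ("none", "strong", "weak"):
        print(mode, system_z_attempt(mode))
```

Under the assumed weak policy an upgrade from LOW to HIGH is still accepted, which is the difference from strong tranquility.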

8
Historical
  • The BLP retrospective published in December is
    fascinating!
  • What we know as BLP and simple security was the
    trivial case when labels didn't change.
  • Bell and La Padula expected to do a more dynamic
    policy

9
Alternatives
  • Goguen & Meseguer, 1982: Noninterference
  • Model computation as event systems
  • Interleaved or concurrent computation can produce
    interleaved traces
  • High actions have no effect on low actions
  • The low trace of a system is the
    same for all high processes that are added to
    the mix
  • Problem: Needs deterministic traces; does not
    scale to distributed systems

10
Nondeducibility
  • Sutherland, 1986.
  • Low cannot deduce anything about high with 100%
    certainty
  • Historically important, hopelessly weak
  • Addressed issue of nondeterminism in distributed
    systems

11
Intransitive non-interference
  • Rushby, 1992
  • Updates Goguen & Meseguer to deal with the
    reality that some communication may be authorized
    (e.g. High can interfere with low if it is
    mediated by crypto)

12
Looking forward
  • Chapter 6: Integrity Policies