Lattice-Based Access Control Models - PowerPoint PPT Presentation

1
Lattice-Based Access Control Models
Ravi S. Sandhu
Colorado State University, CS 681, Spring 2005
John Tesch
2
Motivation
  • Examine the theoretical foundations of
    lattice-based access control
  • Show how the basic security objectives of
    confidentiality, integrity and availability are
    related to information flow policy
  • Relevancy of models to commercial applications
  • Support for the Chinese Wall argument

3
Background
  • 1975 Bell-LaPadula: Secure Computer Systems: Mathematical Foundations and Model
  • 1976 Denning: A Lattice Model of Secure Information Flow
  • 1977 Biba: Integrity Considerations for Secure Computer Systems
  • 1989 Chinese Wall: The Chinese Wall Security Policy
  • 1992 Sandhu: Lattice-Based Enforcement of Chinese Walls
  • 1993 Sandhu: Lattice-Based Access Control Models

4
Security Models
  • Bell-LaPadula: Confidentiality
  • Biba: Integrity
  • Chinese Wall (Brewer-Nash): Conflict of Interest

5
Lattice Model
  • Denning 1976
  • Purpose: Guarantee Secure Information Flow
  • Use mathematical framework to formulate
    requirements
  • Unify all systems that restrict information flow
  • Lead to automatic certification programs
  • Denning uses a set of axioms to limit program
    code that will violate security classes
  • Sandhu uses the axioms to control information
    flow at the model level

6
Denning Lattice Model
  • Denning's Flow Model
  • $FM = \langle N, P, SC, \oplus, \rightarrow \rangle$
  • where $N$ = Objects
  • $P$ = Processes
  • $SC$ = Security Classes
  • $\oplus$ = Join operation on SC
  • $\rightarrow$ = Can-flow relation on SC
  • Assumption is static security classes (not
    objects)

7
Denning Lattice
  • Example: High-Low policy
  • $H \rightarrow H$, $H \oplus H = H$
  • $L \rightarrow L$, $L \oplus L = L$
  • $L \rightarrow H$, $L \oplus H = H$
  • $H \nrightarrow L$, $H \oplus L = H$

8
Denning's Axioms
  • 1. The set of security classes is finite
  • 2. The can-flow relation, $\rightarrow$, is a partial order
    on SC
  • 3. SC has a lower bound with respect to $\rightarrow$
  • 4. The join operator, $\oplus$, is a totally defined
    least upper bound operator

9
Information Flow Definitions
  • 1. Information Flow Policy - $\langle SC, \rightarrow, \oplus \rangle$
  • 2. Denning's axioms
  • 3. Dominance: $A \geq B$ if and only if $B \rightarrow A$.

10
Sandhu Definitions
  • Users: Humans
  • Subjects: Processes
  • Objects: files
  • Access matrix: subjects × objects
  • Cell s,o: access rights
  • Owner can modify cell: discretionary

11
Bell-LaPadula Model
  • Begin with discretionary control
  • Add authorization policy without user control
    (security labels)
  • Object security classification
  • User security clearance
  • Tranquility: User cannot change labels

12
Bell-LaPadula Model
  • Simple security property (human or process)
  • s reads o only if $\lambda(s) \geq \lambda(o)$
  • or $\lambda(o) \rightarrow \lambda(s)$
  • *-property (process)
  • s writes o only if $\lambda(s) \leq \lambda(o)$
  • or $\lambda(s) \rightarrow \lambda(o)$
  • Covert channels out of scope

13
Biba Model
  • Flow from top to bottom
  • Simple integrity property
  • s reads o only if $\omega(s) \leq \omega(o)$
  • Integrity *-property (process)
  • s writes o only if $\omega(s) \geq \omega(o)$

14
Combining BLP and Biba
  • Subject s can read object o only if
  • $\lambda(s) \geq \lambda(o)$ and $\omega(s) \leq \omega(o)$
  • Subject s can write object o only if
  • $\lambda(s) \leq \lambda(o)$ and $\omega(s) \geq \omega(o)$
  • Can make a single lattice but you would have to
    reverse the hierarchy and rules of either BLP or
    Biba
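
Added example (not from the slides or from Sandhu's paper): a small checker that tests a can-flow relation against Denning's axioms 2-4 and then applies the combined BLP and Biba read/write rules above. The function names and both sample relations are constructed for illustration; the same High-Low relation is assumed for confidentiality and integrity labels.

```python
from itertools import product

def join(sc, flow, a, b):
    """Least upper bound of a and b under can-flow, or None if it is undefined."""
    uppers = [u for u in sc if (a, u) in flow and (b, u) in flow]
    least = [u for u in uppers if all((u, v) in flow for v in uppers)]
    return least[0] if len(least) == 1 else None

def violated_axioms(sc, flow):
    """Numbers of Denning's axioms 2-4 that fail; axiom 1 holds since sc is a finite set."""
    ok = lambda a, b: (a, b) in flow
    bad = []
    reflexive = all(ok(a, a) for a in sc)
    antisymmetric = all(a == b or not (ok(a, b) and ok(b, a)) for a, b in product(sc, sc))
    transitive = all(ok(a, c) for a, b, c in product(sc, sc, sc) if ok(a, b) and ok(b, c))
    if not (reflexive and antisymmetric and transitive):
        bad.append(2)                      # can-flow is not a partial order
    if not any(all(ok(low, x) for x in sc) for low in sc):
        bad.append(3)                      # no lower bound
    if any(join(sc, flow, a, b) is None for a, b in product(sc, sc)):
        bad.append(4)                      # join is not totally defined
    return bad

def dominates(flow, a, b):
    """A >= B if and only if B -> A."""
    return (b, a) in flow

def can_read(flow, s, o):
    """s and o are (confidentiality, integrity) label pairs, i.e. (lambda, omega)."""
    return dominates(flow, s[0], o[0]) and dominates(flow, o[1], s[1])

def can_write(flow, s, o):
    """Write needs lambda(s) <= lambda(o) and omega(s) >= omega(o)."""
    return dominates(flow, o[0], s[0]) and dominates(flow, s[1], o[1])

# Constructed sample data: the High-Low policy, used here for both label kinds.
HL = {"L", "H"}
HL_FLOW = {("L", "L"), ("H", "H"), ("L", "H")}
# Constructed counter-example: A and B are incomparable and have no upper bound.
BROKEN = {"L", "A", "B"}
BROKEN_FLOW = {(x, x) for x in BROKEN} | {("L", "A"), ("L", "B")}

if __name__ == "__main__":
    print(violated_axioms(HL, HL_FLOW), violated_axioms(BROKEN, BROKEN_FLOW))
    subject, obj = ("H", "H"), ("L", "H")   # (lambda, omega) for s and o
    print(can_read(HL_FLOW, subject, obj), can_write(HL_FLOW, subject, obj))
```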

15
Conclusions
  • By applying Denning's lattice model axioms
    to BLP and Biba, information flow can be clearly
    defined.
  • The axioms cannot take into account the problem
    of covert channels
  • The lattice is considered to be static
  • The paper's focus is on the correctness of the
    lattice, not so much on the application to BLP
    and Biba

16
Discussion
  • Does Sandhu adequately describe the
    lattice-based control using the semantics from
    Denning?
  • Are there systems that use a single lattice with
    both BLP and Biba?
  • How much of a performance hit is caused by covert
    channels?
  • Can the lattice handle the management of the
    access control in BLP?