Information Security CS 526 Lecture 20

1
Information Security CS 526Lecture 20

• The Bell-LaPadupa Model

2
First, A Few Slides on Encryption and
Authentication

• Three ways for encryption and authentication
• Authenticate-then-encrypt (AtE), used in SSL
• a MAC(x), CE(x,a), transmit C
• Encrypt-then-authenticate (EtA), used in IPSec
• CE(x), aMAC(C), transmit (C,a)
• Encrypt-and-authenticate (EA), used in SSH
• CE(x), aMAC(x), transmit (C,a)
• Which way provides secure communications when
  embedded in a protocol that runs in a real
  adversarial network setting?
• From the paper The Order of Encryption and
  Authentication for Protecting Communications by
  Hugo Krawzyck.

3
Secure Channel

• Requirement of secure channel
• any message accepted as valid for a session by a
  receiving party was indeed sent by the partner to
  the session
• attacker cannot learn any information about
  messages
• even against an adversary that fully controls the
  communication channel and may learn information
  through responses of the participants
• Encrypt-then-authenticate (EtA) provides secure
  channel
• CE(x), aMAC(C), transmit (C,a)

4
Using Only Encryption Schemes is Insufficient

• Given a secure stream cipher (or even one-time
  pad) E, Consider encryption E
• Ex Eencodex
• encodex replaces each bit 0 with 00, and bit 1
  with either 01 or 10.
• How to decrypt?
• Ex is secure
• Using E does not provide confidentiality in a
  real world protocol setting
• if adversary flips the first two bits of Ex
  and can learn whether decryption succeeds, then
  the adversary learns the first bit of x

5
AtE and EA are insecure

• Authenticate-then-encrypt (AtE) is not secure in
  general
• a MAC(x), CE(x,a), transmit C
• consider flipping the first two bits of C
• if first bit of x is 0, decryption fails
• if first bit of x is 1, decryption MAC
  verification succeeds.
• AtE, however, can be secure for some specific
  encryption schemes, such as CBC or OTP (or stream
  ciphers)
• Encrypt-and-authenticate (EA) is not secure in
  general
• CE(x), aMAC(x), transmit (C,a)
• Why?

6
Review Discretionary Access Control

• No precise definition. Basically, DAC allows
  access rights to be propagated at subjects
  discretion
• often has the notion of owner of an object
• used in UNIX, Windows, etc.
• "A means of restricting access to objects based
  on the identity and need-to-know of users and/or
  groups to which the object belongs. Controls are
  discretionary in the sense that a subject with a
  certain access permission is capable of passing
  that permission (directly or indirectly) to any
  other subject."

7
Mandatory Access Control

• Mandatory access controls (MAC) restrict the
  access of subjects to objects based on a
  system-wide policy
• denying users full control over the access to
  resources that they create. The system security
  policy (as set by the administrator) entirely
  determines the access rights granted

8
Outline

• Overview of BLP
• Details of BLP
• Discussions

9
Bell-LaPadula Model A MAC Model for Achieving
Multi-level Security

• Introduce in 1973
• Air Force was concerned with security in
  time-sharing systems
• Many OS bugs
• Accidental misuse
• Main Objective
• Enable one to formally show that a computer
  system can securely process classified information

10
What is a Security Model?

• A model describes the system
• e.g., a high level specification or an abstract
  machine description of what the system does
• A security policy
• defines the security requirements for a given
  system
• Verification shows that a policy is satisfied by
  a system
• System Model Security Policy Security Model

11
Methodology in the BLP Security Model

• Define an abstract model that can be used to
  describe computer systems.
• the model
• Define what does it mean for a system in the
  model to be secure.
• the policy
• Develop techniques to prove that a system in the
  model is secure

12
Security Goal of BLP

• There are security classifications or security
  levels
• Users/principals/subjects have security
  clearances
• Objects have security classifications
• Example
• Top Secret
• Secret
• Confidential
• Unclassified
• In this case Top Secret gt Secret gt Confidential gt
  Unclassified
• Security goal (confidentiality) ensures that
  information do not flow to those not cleared for
  that level

13
Approach of BLP

• Use state-transition systems to describe computer
  systems
• Define a system as secure iff. every reachable
  state satisfies 3 properties
• simple-security property, -property,
  discretionary-security property
• Prove a Basic Security Theorem (BST)
• so that one can prove a system is secure by
  proving things about the system description

14
Main Contributions of BLP

• The overall methodology to show that a system is
  secure
• adopted in many later works
• The state-transition model
• which includes an access matrix, subject security
  levels, object levels, etc.
• The introduction of -property
• ss-property is not enough to stop illegal
  information flow

15
Main Technical Flaws of BLP

• The BLP notion of security is neither necessary
  nor sufficient to stop illegal information flows
• That BLP defines security as a state-based
  property is too low level and limited in
  expressive power
• The BST fails to provide necessary and sufficient
  conditions for verifying a system is BLP-secure

16
The BLP Security Model Simplified

• A computer system is modeled as a
  state-transition system
• In each state, there are subjects, objects, an
  access matrix, and the current access information
• there are state transition rules describing how a
  system can go from one state to another
• each subject is given a level, and each object is
  given a level

17
The BLP Security Model Simplified

• A state is secure if it satisfies
• Simple Security Condition (no read up)
• S can read O iff L(S) L(O)
• The Star Property (no write down)
• S can write O iff L(S) L(O)
• Discretionary-security property
• every access is allowed by the access matrix
• A system is secure if and only if every reachable
  state is secure.

18
Why Mandatory No Write Down

• Unrestricted DAC allows information from an
  object which can be read to any other object
  which can be written by a subject
• do not provide multi-level security
• Suppose our users are trusted not to do this
  deliberately. It is still possible for Trojan
  Horses to copy information from one object to
  another.

19
TROJAN HORSE EXAMPLE
ACL
File F
Ar Aw
File G
Br Aw
Principal B cannot read file F
20
TROJAN HORSE EXAMPLE
ACL
Principal A
executes
File F
Ar Aw
read
Program Goodies
Trojan Horse
File G
Br Aw
write

• Principal B can read contents of file F copied to
  file G

21
More Details in BLP

• Trusted subjects
• some subjects are identified as trusted subjects,
  the star property does not apply to trusted
  subjects
• why having trusted subjects?
• In the actual model, each subject has two levels
  the maximum level and the current level
• the simple security condition uses the maximum
  level
• the -property uses the current level

22
STAR-PROPERTY

• Applies to subjects (principals) not to users
• Users are trusted (must be trusted) not to
  disclose secret information outside of the
  computer system
• Subjects are not trusted because they may have
  Trojan Horses embedded in the code they execute
• Star-property prevents overt leakage of
  information and does not address the covert
  channel problem

23
Outline

• Overview of BLP
• Details of BLP
• Discussions

24
Alphabet

• A set S of subjects
• A set ST of trusted subjects
• A set A of access modes
• A execute, read, append, write
• observation and alteration
• A set of O of object identifiers
• A partially ordered set ?L, ?? of security levels

25
States Z

• Each state z ? Z is a 4-tuple ?? O, b, M, F ?
• O ? O objects in current state
• b ? S ?O ? A current access set
• M S ? O?? 2A an access matrix
• F ? fS, fO, fC ? security level functions
• fS S ? L subject maximal level
• fO O ? L object level
• fC S ? L subject current level

26
State Transitions

• A set R of requests
• get-access(s,o,a)
• release-acess(s,o,a)
• give-access(s1,s2,o,a)
• rescind-access(s1,s2,o,a)
• create-object(s,o,l)
• reclassify-object(s,o, l)
• destruct-object(s,o)
• change-current-level(s, l)

27
BLP Systems

• Definition A system is given by (z0,W)
• z0 is the initial state
• W½ R ? D ? Z ? Z D yes, no
• (req, d, z, z)2W defines one state transition
• Definition An appearance of the system (z0,W) is
  a sequence h z0, (req1,d1,z1), (req2,d2,z2), ?,
  (reqt,dt,zt) i where
• t is a natural number
• ?? i s.t. 1 ? I ? t (reqi,di,zi,zi-1) ? W

28
BLP Secure States

• Definition z?O, b, M, F?fS,fO,fC?? is a secure
  state if and only if
• z satisfies the ss-property,
• i.e., ? (s,o,a) ? b (a2 read,write ) fS(s) ?
  fO(o)
• z satisfies the -property, i.e., ? (s,o,a)
  ? b where s ? ST
• a ? read,write ?? fC(s) ? fO(o) no read up
• a ? append,write?? fC(s) ? fO(o) no write down
• z satisfies the ds-property,
• i.e., ? (s,o,a) ? b ? a ? Ms,o

29
The -property

• Does -property imply ss-property? No.
• The ss-property uses maximal level.
• The -property applies only to untrusted subjects
• Can one say -property is just no-write-down?
  No.
• The original BLP model doesnt require that
  fC(s) ? fS(s)
• setting ones current level higher only gets less
  access right

30
BLP Secure Systems

• Definition A system (z0,W) is secure iff. every
  state in every appearance of the system is
  secure.
• State-based definition is limited in expressive
  power
• cannot express a policy that says a state z2
  occurs after a state z1 in an appearance is not
  acceptable

31
Is BLP Notion of Security Good?

• The objective of BLP security is to ensure
• a subject cleared at a low level should never
  read information classified high
• The ss-property and the -property are sufficient
  to stop such information flow at any given state.
• What about information flow across states?

32
BLP Security Is Not Sufficient!

• Consider a system with s1,s2,o1,o2
• fS(s1)fC(s1)fO(o1)high
• fS(s2)fC(s2)fO(o2) low
• And the following execution
• s1 gets access to o1, read something, release
  access, then change current level to low, get
  write access to o2, write to o2
• Every state is secure, yet illegal information
  exists

33
How to Deal With This?

• The following have been proposed
• subject cannot change current levels
• require a subject to forgot everything when
  changing levels
• But the original BLP security is wrong!
• And all the fixes limit the applicability of the
  model
• It is not the model that is wrong, it is the
  definition of security that is wrong.

34
BLP Security Is Not Necessary!

• Consider a system with only s1,s2,o1,o2
• fS(s1)fC(s1)fO(o1)high
• fS(s2)fC(s2)fO(o2) low
• And an access matrix s.t. s2 cannot access o2
• And the following execution
• s1 gets access to o1, and get write access to o2,
  then the state violates -property
• Why is this system bad?

35
Summary of Issues with BLP Notion of Security

• BLP notion of security is neither sufficient nor
  necessary to stop illegal information flow
  (through overt channels)
• The state based approach is too low level and
  limited in expressive power

36
How to Fix The BLP Notion of Security?

• May need to differentiate externally visible
  objects from other objects
• e.g., a printer is different from a memory object
• State-sequence based property
• e.g., exists no sequence of states so that there
  is an information path from a high object to a
  low externally visible object or to a low subject

37
Outline

• Overview of BLP
• Details of BLP
• Discussions

38
Basic Security Theorem

• Restatement of The Basic Security Theorem A
  system (z0,W) is a secure system if and only if
  z0 is a secure state and each action of the
  system leads the system into a secure state.
• Given a system (z0,W), ?? W is an action of the
  system iff. there is an appearance of the system
  that uses ?

39
Observations of the BST

• The BST is a result of defining security as a
  state-based property.
• The BST cannot be used to justify the BLP notion
  of security
• This is McLeans main point in his papers
• A Comment on the Basic Security Theorem of Bell
  and LaPadula 1985
• Reasoning About Security Models 1987
• The Specification and Modeling of Computer
  Security 1990

40
Observations of the BST

• The BST intends to provide a necessary and
  sufficient condition for verifying that a system
  is secure without running the system
• McLean 90 The most notable theorem known
  about BLP-security is called the Basic Security
  Theorem (BST), which gives necessary and
  sufficient conditions for a system starting in a
  secure state to never reach a non-secure state.

41
BST and Static Verification of Security

• Can one use BST to verify whether a system is
  secure or not without running the system?
• Repeat of BST A system (z0,W) is a secure system
  if and only if z0 is a secure state and each
  action of the system leads the system into a
  secure state.

42
BST and Static Verification of Security

• Yes and No.
• if every ?2W leads the system into a secure
  state, then the system is secure
• if some ?2W leads the system into an insecure
  state, then we dont know whether the system is
  secure
• as we dont know whether ? is an action or not
• BST provides effectively only sufficient (but not
  necessary) conditions.

43
McLeans Criticism of BLP

• BST cannot be used to justify BLP security
• McLean 1985 If one define security to be any
  other state-based property, BST still holds
• Defense Bell 1988 exactly what is security is
  outside the model
• McLean 1987 System Z, defines a state change
  that downgrade everything
• Defense 1 Tranquility principle disallows that
• Defense 2 If such state change is desired, then
  fine.

44
McLeans Criticism of BLP

• In McLean 1990, McLean try to justify BLP
  security using an alternative notion of secure
  transition, but admitted failure
• We believe that BLP notion of security is
  inherent problematic
• Tranquility principle
• the classification of active objects will not
  change during the normal operation.

45
Issues with BLP

• Deal only with confidentiality,
• does not deal with integrity at all
• Does not deal with information flow through
  covert channels
• The approach of defining a secure system to be
  one in which every reachable state is secure is
  flawed
• in a system that is secure according to BLP, a
  subject can read high, change current level to
  low, then write low.
• to address this problem, need to require
• subject cannot change current levels
• or ensures a subject to forgot everything when
  changing levels
• information flow security is not a per-state
  property

46
Overt (Explicit) Channels vs. Covert Channels

• Security objective of MLS in general, BLP in
  particular
• high-classified information cannot flow to
  low-cleared users
• Overt channels of information flow
• read/write an object
• Covert channels of information flow
• communication channel based on the use of system
  resources not normally intended for communication
  between the subjects (processes) in the system

47
Examples of Covert Channels

• Using file lock as a shared boolean variable
• By varying its ratio of computing to input/output
  or its paging rate, the service can transmit
  information to a concurrently running process
• Covert channels are often noisy
• However, information theory and coding theory can
  be used to encode and decode information through
  noisy channels

48
More on Covert Channels

• Covert channels cannot be blocked by -property
• It is generally very difficult, if not
  impossible, to block all cover channels
• One can try to limit the bandwidth of covert
  channels
• Military requires cryptographic components be
  implemented in hardware
• to avoid trojan horse leaking keys through covert
  channels

49
More on MLS Security Levels

• Used as attributes of both subjects objects
• clearance classification
• Typical military security levels
• top secret ?? secret ? confidential ?
  unclassified
• Typical commercial security levels
• restricted ? proprietary ? sensitive ? public

50
Security Categories

• Also known as compartments
• Typical military security categories
• army, navy, air force
• nato, nasa, noforn
• Typical commercial security categories
• Sales, RD, HR
• Dept A, Dept B, Dept C

51
Security Labels

• Labels Levels ? P (Categories)
• Define an ordering relationship among Labels
• (e1, C1) ? (e2, C2) iff. e1 ?e2 and C1 ? C2
• This ordering relation is a partial order
• reflexive, transitive, anti-symmetric
• e.g., ?
• All security labels form a lattice

52
An Example Security Lattice

• levelstop secret, secret
• categoriesarmy,navy

Top Secret, army, navy
Top Secret, army
Top Secret, navy
Secret, army, navy
Top Secret,
Secret, navyy
Secret, army
Secret,
53
The need-to-know principle

• Even if someone has all the necessary official
  approvals (such as a security clearance) to
  access certain information they should not be
  given access to such information unless they have
  a need to know that is, unless access to the
  specific information necessary for the conduct of
  one's official duties.
• Can be implemented using categories and or DAC

54
Coming Attractions

• Non-interference and non-deducability