computer security presentation chapter 5

zacktrop 13 views 31 slides Jun 04, 2024
Slide Content

Fall 2023 Cp 633 Slide #5-1
Chapter 5: Confidentiality Policies
•This lecture covers sections: 5.1, 5.2 (with 5.2.1, 5.2.2 and 5.2.2.1 only), and 5.3.
•Overview
–What is a confidentiality model
•Bell-LaPadula Model
–General idea
–Informal description of rules
•Tranquility
•Controversy

Confidentiality Policy
•Goal: prevent the unauthorized disclosure of information
–Deals with information flow
–Integrity aspect is incidental
•Multi-level security models are best-known examples
–Bell-LaPadula model is basis for many, or most, of
these.

Bell-LaPadula Model, Step 1
•Security levels (i.e. security clearance) for subjects are arranged in
linear ordering, for example:
1. Top Secret: highest
2. Secret
3. Confidential
4. Unclassified: lowest
•User/process levels consist of security clearance L(s)
•Objects have security classification L(o)
•Access is achieved as function of security clearance and document
classification

Example
security level (clearance L(s))   subject   object (classification L(o))
Top Secret                         Tamara    Personnel Files
Secret                             Samuel    E-Mail Files
Confidential                       Claire    Activity Logs
Unclassified                       Ulaley    Telephone Lists
•Tamara can read all files
•Claire cannot read Personnel or E-Mail Files
•Ulaley can only read Telephone Lists

Reading Information
•Information flows can occur only in upward direction towards
clearance that subject does not have, not down
–Therefore “reads up” are disallowed, “reads down” are allowed
•Simple Security Condition (Step 1)
–Subject s can read object o iff L(o) ≤ L(s) and s has permission
to read o
•Note: combines mandatory control (MAC, the relationship of
security levels) and discretionary control (DAC, the required
permission)
–Sometimes called “no reads up” rule

Writing Information
•However, subject with high clearance can copy file with high
classification and write it to the file with low classification.
•But, information is only allowed to travel up, not down
–Therefore “writes down” are disallowed and “Writes up” are
allowed.
•*-Property (Step 1)
–Subject s can write object o iff L(s) ≤ L(o) and s has permission to
write o
•Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)
–Sometimes called “no writes down” rule, note we are not interested in integrity.

Basic Security Theorem, Step 1
•Preliminary version of BST:
•If a system is initially in a secure state, and every transition
of the system satisfies the simple security condition, step 1,
and the *-property, step 1, then every state of the system is
secure
–Proof: induct on the number of transitions

Bell-LaPadula Model, Step 2
•Expand notion of security level to include information categories
according to need to know principle.
•Objects are placed into Categories (or compartments).
–Each category is a kind of information, e.g. intelligence on a
particular country…
•Security level now becomes a tuple (clearance, category set)
•Examples
–( Top Secret, { NUC, EUR, US } )
–( Confidential, { EUR, US } )
–( Secret, { NUC, US } )

Security lattice by information categories
•Lattice is generated by categories NUC, EUR, and US.
•The lines represent the ordering relation induced by ⊆ (subset of).
•A line is placed between A and B iff A ⊆ B, A ≠ B, and there
exists no C such that A ⊆ C ⊆ B, A ≠ C, B ≠ C.
Lattice (top to bottom; each set is joined to the sets directly below it that it contains):
                [NUC, EUR, US]
    [NUC, EUR]    [EUR, US]    [NUC, US]
        [NUC]       [EUR]       [US]
                      Ø

Security Levels and Lattices
•We need ordering relation among security levels expressed
as a tuple (clearance, category set) called dominance
•(A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
•Examples
–(Top Secret, {NUC, US}) dom (Secret, {NUC})
–(Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
–(Top Secret, {NUC}) dom (Confidential, {EUR})
•Let A be set of classifications, and C set of categories. Set of
security levels L = A × C; L together with dom forms a lattice

Levels and Ordering
•Relation of dominance is relation of partial ordering
•Security levels are partially ordered
–Any pair of security levels may be related by dom
•“dominates” serves the role of “greater than” in step 1
–“greater than” is a total ordering, though
Lattice of levels for clearances TS and S (two copies of the category lattice, one per clearance; each (TS, X) dominates (S, X)):
                 (TS, [NUC, EUR, US])
   (TS, [NUC, EUR])   (TS, [EUR, US])   (TS, [NUC, US])
        (TS, [NUC])       (TS, [EUR])       (TS, [US])
                        (TS, Ø)

                 (S, [NUC, EUR, US])
   (S, [NUC, EUR])    (S, [EUR, US])    (S, [NUC, US])
        (S, [NUC])        (S, [EUR])        (S, [US])
                        (S, Ø)

Reading Information
•Reading information flows up, not down
–“Reads up” are disallowed, “reads down” are allowed
•Simple Security Condition (Step 2)
–Subject s can read object o iff L(s) dom L(o) and s has
permission to read o
•Note: combines mandatory control (relationship of
security levels) and discretionary control (the
required permission)
–Sometimes called “no reads up” rule

Writing Information
•Information flows up, not down
–“Writes up” allowed, “writes down” disallowed
•*-Property (Step 2)
–Subject s can write object o iff L(o) dom L(s) and s has
permission to write o
•Note: combines mandatory control (relationship of
security levels) and discretionary control (the required
permission)
–Sometimes called “no writes down” rule
–We are not looking into integrity in this theorem.

Basic Security Theorem, Step 2
•If a system is initially in a secure state, and every transition
of the system satisfies the simple security condition, step 2,
and the *-property, step 2, then every state of the system is
secure.
–Proof: induct on the number of transitions.

Problem
•Occasionally subjects from higher security level need to
communicate with subjects on lower security level.
•E.g. colonel needs to talk to major
–Colonel has (Secret, {NUC, EUR}) clearance
–Major has (Secret, {EUR}) clearance
–Colonel cannot talk (write) to major because (Secret, {NUC,
EUR}) dom (Secret, {EUR})
–Major can talk to colonel (“write up” or “read down”)
•Clearly absurd!

Solution
•Define maximum and current security levels for subjects
–maxlevel(s) dom curlevel(s)
•A subject may effectively decrease security level from maximum in order to
communicate with entities at lower security level.
•Example
–Treat Major with (Secret, {EUR}) as an object (Colonel is writing to him/her)
–Colonel has maxlevel (Secret, { NUC, EUR })
–Colonel sets curlevel to (Secret, { EUR })
–Now L(Major) dom curlevel(Colonel)
•Colonel can write to Major without violating “no writes down”
•Temporary downgrading assumes that subject sanitizes the data from the higher
security level (possible for processes, difficult for humans).
•Identify a set of “trusted” subjects which are permitted to violate *-property.
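As an added example (not from the slides), the Python below encodes dominance over (clearance, category set) levels, the step 2 simple security condition and *-property, and the maxlevel/curlevel downgrade from the colonel and major scenario; the class and function names are my own.

```python
from dataclasses import dataclass
# Linear ordering of clearances, lowest to highest (from the slides).
RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Level:
    """A security level (clearance, category set)."""
    clearance: str
    categories: frozenset = frozenset()

    def dom(self, other):
        # (A, C) dom (A', C') iff A' <= A and C' is a subset of C
        return (RANK[other.clearance] <= RANK[self.clearance]
                and other.categories <= self.categories)

def comparable(a, b):
    # dom is a partial order: some pairs are related in neither direction.
    return a.dom(b) or b.dom(a)

@dataclass
class Subject:
    name: str
    maxlevel: Level
    curlevel: Level = None   # defaults to maxlevel

    def __post_init__(self):
        if self.curlevel is None:
            self.curlevel = self.maxlevel

    def set_curlevel(self, level):
        # A subject may only lower itself: maxlevel(s) dom curlevel(s).
        if not self.maxlevel.dom(level):
            raise ValueError("curlevel must be dominated by maxlevel")
        self.curlevel = level

def can_read(s, obj_level, dac_read=True):
    # Simple security condition (step 2): L(s) dom L(o) plus DAC permission.
    return dac_read and s.curlevel.dom(obj_level)

def can_write(s, obj_level, dac_write=True):
    # *-property (step 2): L(o) dom L(s) plus DAC permission.
    return dac_write and obj_level.dom(s.curlevel)

def colonel_major_example():
    # The slides' scenario: colonel (Secret, {NUC, EUR}) writes to major (Secret, {EUR}).
    colonel = Subject("Colonel", Level("Secret", frozenset({"NUC", "EUR"})))
    major = Level("Secret", frozenset({"EUR"}))   # major treated as an object
    blocked = can_write(colonel, major)           # False: would be a write down
    colonel.set_curlevel(major)                   # downgrade after sanitising
    return blocked, can_write(colonel, major)     # (False, True)
```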

Example: Trusted Solaris
•Provides mandatory access controls
–Subjects and objects have labels.
–Security level of subject or object is represented by sensitivity label
–Sensitivity labels for subjects consist of classifications and a set of categories.
–Each user/subject has a range of sensitivity labels (classification, category)
–Clearance is least upper bound of all sensitivity labels of a user/subject.
•Default labels are ADMIN_HIGH (dominates any other label) for system logs
and configuration files
–and ADMIN_LOW (dominated by any other label) for system objects
•Subject S has controlling user U_S (i.e. user running it)
–S_L is a sensitivity label of subject S
–S has also attribute privileged(S, P) which is true if S can override or bypass
part of security policy P
–Attribute asserted(S, P) is true if S has attribute privileged and is overriding P

Rules for ordinary users
For process S: U_S is controlling user of S, C_L is clearance of S / U_S,
S_L is sensitivity label of S, and O_L is sensitivity label of O
1. If ¬privileged(S, “change S_L”), then no sequence of operations can
change S_L to a value that it has not previously assumed
2. If ¬privileged(S, “change S_L”), then asserted(S, “change S_L”) is false.
3. If ¬privileged(S, “change S_L”), then no value of S_L can be outside
the clearance of U_S
4. For all subjects S and named objects O: if ¬privileged(S, “change
O_L”), then no sequence of operations can change O_L to a value that it
has not previously assumed.

Rules (con’t)
For process S: U_S is controlling user of S, C_L is clearance of U_S / S,
S_L is sensitivity label of S, and O_L is sensitivity label of O
5. For all subjects S, named objects O: if ¬privileged(S, “override O’s
mandatory read access control”),
–then read access to O is granted only if S_L dom O_L
–This is instantiation of simple security condition: no read up
6. For all subjects S, named objects O: if ¬privileged(S, “override O’s
mandatory write access control”), then write access to O is granted only if
O_L dom S_L and C_L dom O_L.
–This actually means that process with S_L should have the *-property with respect to
O_L, but with its clearance label C_L it should be able to read O_L.
–Instantiation of *-property, no write down, is that subject’s and object’s labels are
the same.

Initial Assignment of Labels
•Each account is assigned a label range [user’s minimum label,
clearance] (note clearance is the upper bound of label range).
•On login, Trusted Solaris determines if the session is single-level
–If clearance = minimum label, this is single level account and session gets
that label
–If not, multi-level; user asked to specify clearance for session; must be in
the label range
–In multi-level session, user can change to any label in the range from the
session clearance to the minimum
•This is useful if user has several workspaces each with its own sensitivity
level.
–This is kind of role based access control.

Writing is a bit unlike BLP
Writing is allowed when subject and object labels are the same OR (if
file has higher label than process but lower than user’s clearance)
•when file is in special downgraded directory D with sensitivity
label D_L that admin can create.
•The conditions of subject S with sensitivity label S_L and clearance
C_L to write into file O with sensitivity label O_L which is in directory
D with sensitivity level D_L are:
–S_L dom D_L, i.e. subject can read and search the directory
–S has discretionary read and search access to D
–O_L dom S_L and O_L ≠ S_L, i.e. no write down rule
–S has discretionary write access to O
–C_L dom O_L, i.e. clearance of user dominates the object’s label
•Note: subject cannot read that object
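As an added example (not from the slides or from Trusted Solaris itself), this Python checks the write conditions just listed, together with the same-label case and rule 5 for reads; the Label/Process classes and function names are my own, and ADMIN_HIGH/ADMIN_LOW are handled as the slides describe them.

```python
from dataclasses import dataclass

RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    """Sensitivity label: classification plus category set."""
    cls: str
    cats: frozenset = frozenset()

    def dom(self, other):
        # ADMIN_HIGH dominates everything, ADMIN_LOW is dominated by everything.
        if self.cls == "ADMIN_HIGH" or other.cls == "ADMIN_LOW":
            return True
        if self.cls == "ADMIN_LOW" or other.cls == "ADMIN_HIGH":
            return False
        return RANK[other.cls] <= RANK[self.cls] and other.cats <= self.cats

@dataclass
class Process:
    S_L: Label   # current sensitivity label of the process
    C_L: Label   # clearance: least upper bound of the user's labels

def may_write(p, O_L, D_L=None, dac_read_search_D=False, dac_write_O=True):
    """Return (allowed, reason). D_L is the label of a downgraded directory
    holding O; None means O is not in such a directory."""
    if not dac_write_O:
        return False, "S lacks discretionary write access to O"
    if O_L == p.S_L:
        return True, "subject and object labels are the same"
    if D_L is None:
        return False, "labels differ and O is not in a downgraded directory"
    checks = [
        (p.S_L.dom(D_L), "S_L must dominate D_L (read and search the directory)"),
        (dac_read_search_D, "S needs discretionary read and search access to D"),
        (O_L.dom(p.S_L), "O_L must dominate S_L (no write down)"),   # O_L != S_L already holds
        (p.C_L.dom(O_L), "C_L must dominate O_L"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "write up via downgraded directory"

def may_read(p, O_L):
    # Rule 5: read access only if S_L dom O_L (no read up), so a file written
    # up through a downgraded directory cannot be read back by the writer.
    return p.S_L.dom(O_L)
```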

Directory Problem
•Process p with MAC_A security level tries to create file /tmp/x
•/tmp/x already exists but has MAC label MAC_B
–Assume that MAC_B dom MAC_A
•Create fails because this would be “write down” effectively (if create
succeeded then file /tmp/x would have MAC label MAC_A).
–Now p knows that a file named x with a higher label exists: this
is information flow.
•Fix: only programs with same MAC label as directory can create
files in the directory
–Now compilation won’t work, mail can’t be delivered so further
fix is needed.

Multilevel Directory
•Multilevel Directory has a set of hidden subdirectories, one per
security level (label).
–Not normally visible to user
–Process p with MAC_A creating /tmp/x actually creates /tmp/d/x
where d is directory corresponding to MAC_A
–All p’s references to /tmp actually go to /tmp/d
•p cd’s to /tmp
–System call stat(“.”, &buf) returns information (inode) of real
directory i.e. /tmp/d
–System call mldstat(“.”, &buf) returns information about /tmp
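As an added example (not from the slides), a toy model of the directory problem and the multilevel-directory fix: the single shared /tmp reveals the existence of a higher-labelled file through the failed create, while the per-label hidden subdirectory does not. The labels, paths and class names are constructed for the illustration; the stat/mldstat methods only mimic the distinction the slide describes.

```python
RANK = {"MAC_A": 1, "MAC_B": 2}   # constructed labels: MAC_B dom MAC_A

class PlainTmp:
    """One shared /tmp namespace: the slides' directory problem."""
    def __init__(self):
        self.files = {}   # path -> MAC label of the file

    def create(self, proc_label, path):
        existing = self.files.get(path)
        if existing is not None and RANK[existing] > RANK[proc_label]:
            # Refusing the write down is itself an information flow: the
            # lower process now learns a higher-labelled file of that name exists.
            return "EEXIST"
        self.files[path] = proc_label
        return "OK"

class MultilevelTmp:
    """/tmp as a multilevel directory with a hidden subdirectory per label."""
    def __init__(self):
        self.files = {}

    def real_path(self, proc_label, path):
        # All of p's references to /tmp go to /tmp/d for p's own label.
        d = f"/tmp/.{proc_label}"
        return d if path == "/tmp" else path.replace("/tmp/", d + "/", 1)

    def create(self, proc_label, path):
        real = self.real_path(proc_label, path)
        if real in self.files:
            return "EEXIST"   # only a file at the same label can collide
        self.files[real] = proc_label
        return "OK"

    def stat(self, proc_label, path):
        # Like stat("."): information about the real directory, /tmp/d.
        return self.real_path(proc_label, path)

    def mldstat(self, proc_label, path):
        # Like mldstat("."): information about the multilevel directory itself.
        return path

def demo():
    plain = PlainTmp()
    plain.create("MAC_B", "/tmp/x")
    leak = plain.create("MAC_A", "/tmp/x")    # "EEXIST": existence of x leaks
    mld = MultilevelTmp()
    mld.create("MAC_B", "/tmp/x")
    fixed = mld.create("MAC_A", "/tmp/x")      # "OK": no flow from MAC_B to MAC_A
    return leak, fixed
```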

Alternative to MLDs: Labeled Zones
•Used in Trusted Solaris Extensions, and various flavors of Linux
•Zone: virtual environment tied to a unique label
–Each process can only access objects in its zone –isolation among
the zones.
•Global zone encompasses everything on system
–Its label is ADMIN_HIGH
–Only system administrators can access this zone
•Each zone has a unique root directory
–All objects within the zone have that zone’s label
–Each zone has a unique label

More about Zones
•Other file systems can be imported or mounted from other zones
provided that:
–If importing read-only filesystem, importing zone’s label must
dominate imported zone’s label (no read up)
–If importing read-write, importing zone’s label must equal
imported zone’s label
•since labels are unique this means that the zones are the same;
import unnecessary
–Labels are checked only at time of import
•Objects in imported file system retain their labels
•Therefore process can access object when multilevel constraints allow that

More about Zones
•Imported file systems have names distinct from files in the
importing zone.
•Imported file system is mounted at the directory “/zone/label”.
•Executable files from system areas, which are in the global zone,
(/usr) are mounted using a special loopback option.
–It makes them appear to be at ADMIN_LOW so that every
process can read and execute them.
•The same trick is used to mount read-only file systems whose
label dominates that of the importing file system.

Example: Solaris Trusted Extensions system
note: global zone is at level ADMIN_HIGH
[Figure: directory tree of the global zone (/, usr, and the zone roots) and three labeled zones L1, L2, L3, each with root, export, zone and usr directories; the L2 export directory appears under the L1 and L3 zone trees as an imported file system]
•L1 dom L2
•L3 dom L2
•Process in L1 can read any file in the export directory of L2 (assuming
discretionary permissions allow it)
•L1, L3 disjoint
–Do not share any files
•System directories imported from global zone, at ADMIN_LOW
–So they can only be read

Principle of Tranquility
•Raising object’s security level
–Information once available to some subjects is no longer available
–Usually assume information has already been accessed, so this does
nothing
•Lowering object’s security level
–This is the declassification problem
–Essentially, it is a “write down” violating *-property
–Solution: define set of trusted subjects that sanitize (or remove)
sensitive information before security level lowered

Types of Tranquility
•Strong Tranquility
–The clearances of subjects, and the classifications of
objects, do not change during the lifetime of the system
•Weak Tranquility
–The clearances of subjects, and the classifications of
objects, do not change in a way that violates the simple
security condition or the *-property during the lifetime
of the system

Controversy
•McLean:
–“value of the (basic security theorem) BST is much
overrated since there is a great deal more to security than it
captures. Further, what is captured by the BST is so trivial
that it is hard to imagine a realistic security model for
which it does not hold.”
–Basis: given assumptions known to be non-secure, BST
can prove a non-secure system to be secure

Key Points
•Confidentiality models restrict flow of information
•Bell-LaPadula models multilevel security
–Cornerstone of much work in computer security
•Controversy over meaning of security
–Different definitions produce different results