Your organization implements the multi-level mandatory access control which is based on the Bell-LaPadula model. An employee with “Secret” clearance complained that he cannot write to a file classified as “Top Secret”. Which of the following is the most likely reason?
A. The employee is assigned the * (star) Property
B. The employee is not assigned the Simple Security Property
C. The employee and the file belong to the different lattice of need-to-know
D. The employee is under a race condition against the file locked by another user
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. The employee is under a race condition against the file locked by another user.
The model defines one discretionary access control (DAC) rule and two mandatory access control (MAC) rules with three security properties:
- The Simple Security Property states that a subject at a given security level may not read an object at a higher security level.
- The * (star) Property states that a subject at a given security level may not write to any object at a lower security level.
- The Discretionary Security Property uses an access matrix to specify the discretionary access control.
In this question, the employee is writing up, from Secret to Top Secret. However, the BLP Model doesn’t restrict write-up. The Simple Security Property bans read-up, while the * (star) Property bans write-down.
The “lattice of need-to-know” is a distractor. Besides, need-to-know is applied to people, not resources. A lattice is a partially ordered set as the mathematical basis to restrict information flow between different hierarchical levels with sensitivity labels. The need-to-know can be enforced by the “compartment” or “category” using the non-hierarchical labels.
Race condition against resources is common that hinders availability. A system should address concurrency issues properly.