The Bell-LaPadula (BLP) model is a formal security model based on the state machine and prevents information flow from a higher security level to a lower one. Which of the following is correct about the BLP model?
A. The BLP model provides mandatory protection from unauthorized information alteration.
B. The BLP model doesn’t rely on infinite states to avoid attacks that might predict its behavior.
C. The BLP model prescribes all subjects at a higher security level shall not write to an object at a lower level.
D. The BLP model maintains both secure and insecure states and enforces secure transitions between states.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. The BLP model doesn’t rely on infinite states to avoid attacks that might predict its behavior.
Option C is commonly accepted. However, trusted subjects are exceptions.
- The BLP model is a finite state machine in which all states are secure states, state transitions shall lead to a secure state, and failure or exceptions shall fall into a secure state as well (fail secure).
- The BLP is a formal model that enforces confidentiality only, i.e., it prevents unauthorized information disclosure. “Unauthorized information alteration” is an issue of integrity, which can be addressed by the Biba model.
- Trusted subjects, not restricted by the Star-property, at a higher security level can write to an object at a lower level.
What Is Unauthorized Access?
Let us consider a security compromise to be unauthorized access to information, where unauthorized means that an inappropriate clearance or a lack of need-to-know is involved in the access to the information. Then a central problem to be solved within the computing system is how to guarantee that unauthorized access (by a process) to information (file, program, data) does not occur.
Source: “Secure Computer Systems: Mathematical Foundations” by D. Elliott Bell and Leonard J. LaPadula
Not All Subjects Are Constrained By The Star Property
Official Study Guide
An exception in the Bell-LaPadula model states that a “trusted subject” is not constrained by the * Security Property. A trusted subject is defined as “a subject that is guaranteed not to consummate a security-breaching information transfer even if it is possible.” This means that a trusted subject is allowed to violate the * Security Property and perform a write-down, which is necessary when performing valid object declassification or reclassification.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide.
The Orange Book
In its treatment of subjects (processes acting on behalf of a user), the model distinguishes between trusted subjects (i.e., not constrained within the model by the *Property) and untrusted subjects (those that are constrained by the *Property).
Source: The Orange Book
The model defines one discretionary access control (DAC) rule and two mandatory access control (MAC) rules with three security properties:
– The Simple Security Property states that a subject at a given security level may not read an object at a higher security level.
– The * (star) Security Property states that a subject at a given security level may not write to any object at a lower security level.
– The Discretionary Security Property uses an access matrix to specify the discretionary access control.
The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell–LaPadula model via the concept of trusted subjects. Trusted Subjects are not restricted by the Star-property.
The Orange Book
The following is a digest from the Orange Book:
- A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects.
- The notion of a secure state is defined and it is proven that each state transition preserves security by moving from secure state to secure state; thus, inductively proving that the system is secure.
- A system state is defined to be “secure” if the only permitted access modes of subjects to objects are in accordance with a specific security policy.
- In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode.
- The clearance/classification scheme is expressed in terms of a lattice.
- See also: Lattice, Simple Security Property, *Property.
Simple Security Condition – A Bell-LaPadula security model rule allowing a subject read access to an object only if the security level of the subject dominates the security level of the object.
*-Property (Star Property) – A Bell-LaPadula security model rule allowing a subject write access to an object only if the security level of the subject is dominated by the security level of the object. Also known as the Confinement Property.
The Bell and LaPadula model
Following the publication of the Anderson report, considerable research was initiated into formal models of security policy requirements and of the mechanisms that would implement and enforce those policy models as a security kernel.
Prominent among these efforts was the ESD-sponsored development of the Bell and LaPadula model, an abstract formal treatment of DoD security policy.
- Using mathematics and set theory, the model precisely defines the notion of secure state, fundamental modes of access, and the rules for granting subjects specific modes of access to objects.
- Finally, a theorem is proven to demonstrate that the rules are security-preserving operations, so that the application of any sequence of the rules to a system that is in a secure state will result in the system entering a new state that is also secure. This theorem is known as the Basic Security Theorem.
Invariant Relationships: User, Process, and Device
A subject can act on behalf of a user or another subject. The subject is created as a surrogate for the cleared user and is assigned a formal security level based on their classification. The state transitions and invariants of the formal policy model define the invariant relationships that must hold between:
- the clearance of the user,
- the formal security level of any process that can act on the user’s behalf, and
- the formal security level of the devices and other objects to which any process can obtain specific modes of access.
Modes of Access
The Bell and LaPadula model, for example, defines a relationship between formal security levels of subjects and objects, now referenced as the “dominance relation.” From this definition, accesses permitted between subjects and objects are explicitly defined for the fundamental modes of access, including:
- read-only access,
- read/write access, and
- write-only access.
The Rules for Granting Subjects Modes of Access to Objects
The model defines the Simple Security Condition to control granting a subject read access to a specific object, and the *-Property (read “Star Property”) to control granting a subject write access to a specific object.
Both the Simple Security Condition and the *-Property include mandatory security provisions based on the dominance relation between the formal security levels of subjects and objects, i.e., the clearance of the subject and the classification of the object.
The Discretionary Security Property is also defined, and requires that a specific subject be authorized for the particular mode of access required for the state transition. In its treatment of subjects (processes acting on behalf of a user), the model distinguishes between trusted subjects (i.e., not constrained within the model by the *Property) and untrusted subjects (those that are constrained by the *Property).
From the Bell and LaPadula model there evolved a model of the method of proof required to formally demonstrate that all arbitrary sequences of state transitions are security-preserving. It was also shown that the *-Property is sufficient to prevent the compromise of information by Trojan Horse attacks.
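The rules above (dominance relation over a lattice, Simple Security Condition, *-Property with the trusted-subject exception, Discretionary Security Property via an access matrix, and the secure-state/secure-transition idea) can be exercised in a small reference monitor. The following is an added illustration, not code from the page or from Bell and LaPadula; the level names, the category "NUC", the subjects "alice", "bob" and "declass", and the objects "plan" and "memo" are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed lattice: a totally ordered level plus a set of need-to-know categories.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()
    def dominates(self, other):  # dominance relation on the lattice
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories
@dataclass
class BLPState:
    subjects: dict  # name -> (clearance Label, trusted flag); trusted subjects bypass the *-property
    objects: dict   # name -> classification Label
    matrix: dict    # (subject, object) -> modes granted by discretionary access control
    accesses: set = field(default_factory=set)  # current (subject, object, mode) triples

    def permitted(self, s, o, mode):
        (clearance, trusted), classification = self.subjects[s], self.objects[o]
        if mode not in self.matrix.get((s, o), set()):  # ds-property: DAC must grant the mode
            return False
        if mode in ("read", "write") and not clearance.dominates(classification):
            return False  # ss-property: no read up
        if mode in ("append", "write") and not trusted and not classification.dominates(clearance):
            return False  # *-property: no write down
        return True
    def request(self, s, o, mode):  # state transition: grant only if the new state stays secure
        if not self.permitted(s, o, mode):
            return False
        self.accesses.add((s, o, mode))
        return True
    def is_secure(self):  # secure state: every current access satisfies all three properties
        return all(self.permitted(s, o, m) for s, o, m in self.accesses)

def demo():
    secret_nuc = Label("SECRET", frozenset({"NUC"}))
    state = BLPState(
        subjects={"alice": (secret_nuc, False), "bob": (Label("CONFIDENTIAL"), False),
                  "declass": (secret_nuc, True)},  # "declass" models a trusted downgrader
        objects={"plan": secret_nuc, "memo": Label("CONFIDENTIAL")},
        matrix={("alice", "plan"): {"read", "write"}, ("alice", "memo"): {"read", "append"},
                ("bob", "plan"): {"read"}, ("declass", "memo"): {"append"}})
    return {"alice_writes_plan": state.request("alice", "plan", "write"),        # True: equal labels
            "alice_reads_memo": state.request("alice", "memo", "read"),          # True: read down
            "alice_appends_memo": state.request("alice", "memo", "append"),      # False: write down
            "bob_reads_plan": state.request("bob", "plan", "read"),              # False: read up
            "declass_appends_memo": state.request("declass", "memo", "append"),  # True: trusted
            "secure": state.is_secure()}                                         # True
```

Note that "write" (read/write mode) passes only when the subject's clearance and the object's classification dominate each other, i.e., are equal, which is exactly what the two mandatory properties together require.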
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
The Bell-LaPadula (BLP) model is a formal security model based on a state machine that prevents information from flowing from a higher security level to a lower one. Which of the following statements about the BLP model is correct?