The Bell-LaPadula (BLP) model was first proposed and published in 1973, refined in 1974, interpreted in 1976, and revisited in a 2005 retrospective by its authors, David Elliott Bell et al. Which of the following statements about the model is incorrect? (Wentz QOTD)
A. The model considers clearance levels only but not need-to-know.
B. The model introduces five access attributes: read-only, append, execute, read/write, and control access.
C. The model formally defines the access matrix which remembers a list of access attributes associated with a subject-object pairing.
D. The model provides a clear definition of “security” being addressed.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. The model considers clearance levels only but not need-to-know.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
“Our initial work focused on a definition of ‘security’ within a mathematical (conceptual) framework,” as the authors put it in the paper Looking Back at the Bell–LaPadula Model (2005).
The first publication of the BLP model, Secure Computer Systems: Mathematical Foundations (1973), states the problem of security to be solved:
PROBLEMS OF SECURITY
Let us consider a security compromise to be unauthorized access to information, where unauthorized means that an inappropriate clearance or a lack of need-to-know is involved in the access to the information. Then a central problem to be solved within the computing system is how to guarantee that unauthorized access (by a process) to information (file, program, data) does not occur.
The First Publication of the BLP Model
Discretionary Access Control (DAC) and Need-to-know
In the paper, Secure Computer System: Unified Exposition and Multics Interpretation (1976), the authors mentioned that “there is one further aspect of security that we address: the problem is called discretionary security and it is also based on current military/governmental policy (known as ‘need-to-know’).”
Need-to-know is the “decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.”
Source: CNSSI 4009-2015
In other words, the model aims to guarantee that unauthorized access to information does not occur by enforcing both appropriate clearance and need-to-know. According to Wikipedia, the model defines one discretionary access control (DAC) rule and two mandatory access control (MAC) rules, expressed as three security properties:
- The Simple Security Property states that a subject at a given security level may not read an object at a higher security level.
- The * (star) Security Property states that a subject at a given security level may not write to any object at a lower security level.
- The Discretionary Security Property uses an access matrix to specify the discretionary access control.
BLP and TCSEC (Orange Book)
The BLP model plays a vital role in the TCSEC (Orange Book), which explicitly relates need-to-know to discretionary controls:
Discretionary controls are not a replacement for mandatory controls. In an environment in which information is classified (as in the DoD) discretionary security provides for a finer granularity of control within the overall constraints of the mandatory policy. Access to classified information requires effective implementation of both types of controls as precondition to granting that access. In general, no person may have access to classified information unless:
(a) that person has been determined to be trustworthy, i.e., granted a personnel security clearance — MANDATORY, and
(b) access is necessary for the performance of official duties, i.e., determined to have a need-to-know — DISCRETIONARY. In other words, discretionary controls give individuals discretion to decide on which of the permissible accesses will actually be allowed to which users, consistent with overriding mandatory policy restrictions.
Source: TCSEC (Orange Book)
Need-to-know can be enforced by identity-based Discretionary Access Control (DAC) or lattice-based Mandatory Access Control (MAC) using non-hierarchical labels for compartments.
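To make the three properties and the two ways of enforcing need-to-know concrete, here is an added example in Python (my own illustration, not code from the BLP papers or from Wentz's post). A label is a clearance level plus a set of non-hierarchical compartments; the ss- and *-properties are checked against that lattice, and the ds-property against an access matrix keyed by subject-object pair over the five access attributes (r, a, w, e, c). All subject, object and compartment names and every matrix entry are constructed for the demonstration; it shows need-to-know denying access once through a missing compartment (MAC) and once through a missing matrix entry (DAC).

```python
from dataclasses import dataclass

# Hierarchical classification levels in rank order, as in the BLP lattice.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """Security label = level + non-hierarchical compartments (need-to-know)."""
    level: str
    compartments: frozenset

    def dominates(self, other):
        """Lattice order: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def ss_property(subject, obj):
    """Simple Security Property ("no read up"): subject must dominate object."""
    return subject.dominates(obj)

def star_property(subject, obj):
    """*-Property ("no write down"): object must dominate subject."""
    return obj.dominates(subject)

def ds_property(matrix, subj_id, obj_id, mode):
    """Discretionary Security Property: mode must be in the access-matrix cell."""
    return mode in matrix.get((subj_id, obj_id), set())

def access_allowed(matrix, subj_id, subject, obj_id, obj, mode):
    """Decide a request in one of the five BLP modes: r, a, w (read/write), e, c.
    Observation (r, w) needs the ss-property, alteration (a, w) the *-property;
    e and c move no information, so only the discretionary check applies."""
    if not ds_property(matrix, subj_id, obj_id, mode):
        return False                          # no discretionary grant (DAC need-to-know)
    if mode in ("r", "w") and not ss_property(subject, obj):
        return False                          # would read up / lacks a compartment
    if mode in ("a", "w") and not star_property(subject, obj):
        return False                          # would write down
    return True

# Constructed sample: subjects, objects and an access matrix of DAC grants.
ALICE = Label("SECRET", frozenset({"NATO"}))
BOB = Label("TOP SECRET", frozenset())        # cleared higher, but no NATO need-to-know
CAROL = Label("SECRET", frozenset({"NATO"}))  # labels fit, but no matrix entry for DOC
DOC = Label("SECRET", frozenset({"NATO"}))
MEMO = Label("CONFIDENTIAL", frozenset())
MATRIX = {("alice", "doc"): {"r", "w"}, ("alice", "memo"): {"r", "a"},
          ("bob", "doc"): {"r"}, ("bob", "memo"): {"r", "e"}}
```

Calling `access_allowed(MATRIX, "bob", BOB, "doc", DOC, "r")` is denied although Bob's level is higher, because his label lacks the NATO compartment; `access_allowed(MATRIX, "alice", ALICE, "memo", MEMO, "a")` is denied as a write down.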
References
- Dr. David Elliott Bell, co-author of the Bell-LaPadula model of computer security
- Bell–LaPadula model
- Secure Computer Systems: Mathematical Foundations (1973)
- Secure Computer Systems: A Mathematical Model (1973)
- Secure Computer Systems: A Refinement of the Mathematical Model (1974)
- Secure Computer System: Unified Exposition and Multics Interpretation (1976)
- Looking Back at the Bell–LaPadula Model (2005)
The Bell-LaPadula (BLP) model was first proposed and published in 1973, refined in 1974, presented and interpreted in 1976, and revisited in a 2005 retrospective by its authors, David Elliott Bell et al. Which of the following statements about the model is incorrect? (Wentz QOTD)
C. The model formally defines the access matrix, which records the list of access attributes associated with a subject-object pairing.