While controlling user access to protected networks and sensitive data is important in the private sector, it’s crucial to maintaining security in government and military circles. So much so that a specific protocol was adopted for these applications. Known as the multi-level or Bell-LaPadula Model (BLM, or sometimes BLP), this access control system forms the basis of our discussion today.
The Need for Security Models
Setting up a security policy isn’t enough to guarantee security. There has to be enforcement and implementation of what that policy defines – and some means of measuring and assessing how effective it is.
A security model formally describes a security policy, in such measurable terms. Models are typically used in security evaluations to provide assurances that policies are meeting required standards (e.g. for regulatory compliance purposes).
State Machine Models
State machines or automata are abstract models used to record features such as the security of a computer system, in its current state. The state of each feature that’s recorded may change from time to time, e.g. as scheduled events take place, or users input data. So state machine models may be used in a number of ways, such as the design of programming languages or computer systems, and in assessing security.
While working at the Mitre Corporation, D. E. Bell and L. J. LaPadula developed a state machine model during the 1970s for analyzing Multi-Level Security (MLS) operating systems. Their model was constructed using the language of General Systems Theory first proposed by M. D. Mesarović, and uses a linear non-discretionary approach in handling the control of information flows. It has since gone on to become one of the principal foundations of the methodologies used to verify the security properties of real systems.
Subjects and Objects
In apportioning access controls for military or government applications, there are typically several levels of security or clearance involved (“Eyes Only”, “Secret”, “Most Secret”, “Top Secret”, etc.). Bell-LaPadula describes these levels in terms of the subjects and objects to which they apply.
A subject (which could be an individual human being, a device, application, computer system, organization, or corporate entity) is assigned a security clearance and a current clearance level, which cannot exceed its assigned clearance. So within a protected system, a subject may only change down, to a level below its assigned security clearance.
Objects (which could be portions of computer memory, Input/Output devices, files, documents, datasets, etc.) are also assigned a security level, a classification based on the sensitivity of the information they contain. A subject may only access objects at those levels determined by the subject’s own security level.
Mandatory Access Control
The United States Department of Defense Trusted Computer System Evaluation Criteria spell this condition out further, by describing mandatory access control as:
“a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (e.g., clearance) of subjects to access information of such sensitivity”.
Discretionary Access Control
In contrast to mandatory access, discretionary access control restricts access to objects on the basis of the identity of the subject trying to access them, and/or any relevant groups to which they belong. It’s a looser condition, and Bell-LaPadula supports mandatory access controls for most applications based on the security levels associated with various subjects and objects.
But the model also supports discretionary access, with the controls applied in reference to an access matrix.
The Access Matrix
An access control matrix completes the picture, when used in conjunction with a set of subjects and objects. It can be expressed in mathematical terms as (s,o,a), where
s = subject
o = object and
a = access rights associated with the subject.
The model defines the following access rights, which may be given to a subject:
- Read-Only: The subject may only read an object, without acting on it in any way.
- Append: The subject can modify or write to an object, but has no clearance to read it.
- Execute: The subject can use, run, or execute an object – but cannot write to it, or read it.
- Read-Write: The subject has clearance to read an object and/or write to it.
In addition, the creator of any object (programmer, document author, etc.) is assigned a Control Attribute, which gives them the right to assign any of these access rights to any subject – in respect of the object they created. The creator (also known as a controller) cannot however pass their Control Attribute on to any third party.
The multi-level model supports the addition of arbitrary specifications to the access matrix. It also groups protected objects together under different security labels, and assigns user privileges based on a subject’s authorized levels of security clearance.
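The access matrix and Control Attribute described above, as an added example (constructed for this page, not Bell and LaPadula's formalism or any real system's code). The matrix maps each (subject, object) pair to its set of rights a; the four assignable rights are the ones listed above, and the creator's CONTROL right is the one attribute that can be exercised but never handed on. The subject and object names are made up.

```python
"""Access matrix with the creator's Control Attribute (constructed example)."""
from collections import defaultdict

READ_ONLY, APPEND, EXECUTE, READ_WRITE, CONTROL = (
    "read-only", "append", "execute", "read-write", "control")
ASSIGNABLE = frozenset({READ_ONLY, APPEND, EXECUTE, READ_WRITE})


class AccessMatrix:
    def __init__(self):
        self._rights = defaultdict(set)   # (subject, object) -> set of rights a
        self._controller = {}             # object -> its creator (the controller)

    def create_object(self, creator, obj):
        """The creator becomes the object's controller and holds CONTROL for it."""
        if obj in self._controller:
            raise ValueError(f"{obj!r} already exists")
        self._controller[obj] = creator
        self._rights[(creator, obj)].add(CONTROL)

    def _require_controller(self, subject, obj):
        if self._controller.get(obj) != subject:
            raise PermissionError(f"{subject!r} is not the controller of {obj!r}")

    def give_access(self, controller, subject, obj, right):
        """Grant one of the four access rights; the Control Attribute is not transferable."""
        self._require_controller(controller, obj)
        if right not in ASSIGNABLE:
            raise PermissionError("the Control Attribute cannot be passed to a third party")
        self._rights[(subject, obj)].add(right)

    def rescind_access(self, controller, subject, obj, right):
        """Only the controller may revoke a right on their object."""
        self._require_controller(controller, obj)
        self._rights[(subject, obj)].discard(right)

    def allows(self, subject, obj, right):
        """Discretionary check only; the mandatory level rules are a separate test."""
        return right in self._rights[(subject, obj)]


def demo():
    """Constructed scenario: alice creates a report, shares it, then others try to grant."""
    m = AccessMatrix()
    m.create_object("alice", "report.txt")
    m.give_access("alice", "bob", "report.txt", READ_ONLY)
    m.give_access("alice", "carol", "report.txt", APPEND)
    results = {
        "bob reads": m.allows("bob", "report.txt", READ_ONLY),
        "bob writes": m.allows("bob", "report.txt", READ_WRITE),
        "carol appends": m.allows("carol", "report.txt", APPEND),
    }
    try:  # bob is not the controller, so he cannot grant dave anything
        m.give_access("bob", "dave", "report.txt", READ_ONLY)
        results["bob grants"] = True
    except PermissionError:
        results["bob grants"] = False
    try:  # even the controller cannot pass CONTROL on
        m.give_access("alice", "bob", "report.txt", CONTROL)
        results["control passed"] = True
    except PermissionError:
        results["control passed"] = False
    m.rescind_access("alice", "bob", "report.txt", READ_ONLY)
    results["bob reads after rescind"] = m.allows("bob", "report.txt", READ_ONLY)
    return results
```

Note that `allows` answers only the discretionary question; in the full model a request also has to pass the mandatory level rules of the next section before access is actually granted.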
Security Clearance Levels
Each object’s associated security level takes the form (classification level, set of categories). Each subject has an assigned maximum security level together with a current security level, and the current level may change over time.
Security classifications are ranked in a strict order, written with “less than” (<). So for example:
unclassified < eyes only < secret < top secret
Categories consist of a set of names denoting usage labels, market sectors, organizations, and so on. So “Pentagon” and “Nuclear” would be examples. They’re used to further qualify security classifications and set clearance levels based on case or job-specific criteria.
BLM imposes the following restrictions on the use of objects within the model:
- Reading Down ensures that a subject only gets read access to objects whose security level is below the subject’s own current clearance.
- Writing Up means that a subject is limited to attaching information to objects at a security level higher than their own current clearance. This prevents subjects from passing information down to unauthorized users at lower clearance levels.
Bell-LaPadula also defines a set of operations that preserve the security of the system as a whole. These include:
- get access: A protocol which must be used by a subject before they can gain access to read, append, or execute an object.
- release access: This must be given by a subject to surrender their access to an object, once they’ve acted on it.
- give access: Used by a controller (the creator of an object) to allow an instance of access to their creation.
- rescind access: A right given to controllers which allows them to revoke a subject’s access to their created object.
- create object: This protocol allows a subject to activate an inactive object.
- delete object: The reverse case, where a subject may deactivate an active object.
- change security level: Here, a subject may change their clearance level – but only to a level below their designated clearance.
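The level structure, the Reading Down and Writing Up restrictions, and the operations listed above, as an added example (constructed for this page, not the authors' formalism or any real system's code). Levels are (classification, categories) with the ordering shown earlier; one level dominates another when its classification is at least as high and its categories are a superset, so levels with unrelated category sets are incomparable and neither can be read from nor appended to by the other. Read is allowed when the subject's current level dominates the object's, append when the object's level dominates the subject's, and read-write only when both hold. Execute is left unconstrained here because it moves no information; the discretionary matrix is the only check on it and is omitted from this block. The rule that a level change is refused while it would leave a held access in violation is this example's own choice, and the subject, object and category names are made up.

```python
"""Mandatory rules of the multi-level model as a small state machine (constructed)."""
from dataclasses import dataclass

CLASSIFICATIONS = ["unclassified", "eyes only", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class Level:
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Higher-or-equal classification AND a superset of categories."""
        return (RANK[self.classification] >= RANK[other.classification]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    max_level: Level   # assigned clearance, fixed
    current: Level     # may only sit at levels the maximum dominates


class System:
    def __init__(self):
        self.objects = {}      # object name -> Level (object levels never change)
        self.subjects = {}
        self.accesses = set()  # (subject, object, mode) currently held

    def create_object(self, name, level):
        if name in self.objects:
            raise ValueError(f"{name!r} is already active")
        self.objects[name] = level

    def delete_object(self, name):
        del self.objects[name]
        self.accesses = {a for a in self.accesses if a[1] != name}

    def _permitted(self, subj, obj, mode):
        s, o = self.subjects[subj].current, self.objects[obj]
        if mode == "read":        # reading down (simple security property)
            return s.dominates(o)
        if mode == "append":      # writing up (*-property)
            return o.dominates(s)
        if mode == "read-write":  # observe and alter: both hold, so the levels are equal
            return s.dominates(o) and o.dominates(s)
        if mode == "execute":     # no information flow; only the discretionary matrix applies
            return True
        raise ValueError(f"unknown mode {mode!r}")

    def get_access(self, subj, obj, mode):
        if not self._permitted(subj, obj, mode):
            return False
        self.accesses.add((subj, obj, mode))
        return True

    def release_access(self, subj, obj, mode):
        self.accesses.discard((subj, obj, mode))

    def change_security_level(self, subj, new_level):
        s = self.subjects[subj]
        if not s.max_level.dominates(new_level):   # only below the assigned clearance
            return False
        old, s.current = s.current, new_level
        # This example's choice: refuse a change that would leave a held access in violation.
        if not all(self._permitted(a, o, m) for a, o, m in self.accesses if a == subj):
            s.current = old
            return False
        return True


def demo():
    """Constructed scenario returning the outcome of each request, in order."""
    sys_ = System()
    secret_nuclear = Level("secret", frozenset({"Nuclear"}))
    sys_.subjects["alice"] = Subject(
        "alice", Level("top secret", frozenset({"Nuclear", "Pentagon"})), secret_nuclear)
    sys_.create_object("design.doc", secret_nuclear)
    sys_.create_object("budget.xls", Level("secret", frozenset({"Pentagon"})))
    sys_.create_object("bulletin.txt", Level("unclassified"))
    sys_.create_object("war-plan", Level("top secret", frozenset({"Nuclear"})))
    out = {}
    out["read design"] = sys_.get_access("alice", "design.doc", "read")         # equal level
    out["read bulletin"] = sys_.get_access("alice", "bulletin.txt", "read")     # reading down
    out["read budget"] = sys_.get_access("alice", "budget.xls", "read")         # incomparable
    out["append war-plan"] = sys_.get_access("alice", "war-plan", "append")     # writing up
    out["append bulletin"] = sys_.get_access("alice", "bulletin.txt", "append") # writing down
    out["raise to top secret"] = sys_.change_security_level(
        "alice", Level("top secret", frozenset({"Nuclear"})))
    out["drop to unclassified"] = sys_.change_security_level("alice", Level("unclassified"))
    sys_.release_access("alice", "design.doc", "read")
    sys_.release_access("alice", "bulletin.txt", "read")
    out["drop after release"] = sys_.change_security_level("alice", Level("unclassified"))
    out["beyond max"] = sys_.change_security_level(
        "alice", Level("top secret", frozenset({"Nuclear", "Pentagon", "Other"})))
    return out
```

In the scenario, the drop to unclassified fails while alice still holds read access to secret objects, because at the lower level she would no longer be allowed to observe them; once those reads are released the drop succeeds, and the held append to the top-secret war plan remains valid because writing up is still permitted from the lower level.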
The Bell-LaPadula Model was put to practical use in the development of Multics, a multi-user operating system in which computing processes were interpreted as subjects, and the likes of memory segments and Input/Output devices were defined as objects.
While secure and operating in accordance with BLM principles, Multics proved too cumbersome and problematic for some project members, who took off on a tangent and designed the simpler and more commercially viable Unix.
Beyond its historically clunky implementation in the Multics case, Bell-LaPadula suffers from its insistence that the security level of objects remain static. And its properties of hierarchical access control don’t effectively support the “need to know” principle which is often necessary outside the strict military operations in which this ideal best functions.
The model is primarily intended for systems having largely static security levels, with a strict emphasis on confidentiality. There are no inherent policies for changing access rights.
Even with the emphasis on confidentiality, there exist covert channels by which a subject at a lower clearance may intuit the existence of high-level objects through the simple act of the subject’s being denied access to them.