Multilevel Security - PowerPoint PPT Presentation

Slides: 25
Provided by: lakshmisr
1
Multilevel Security
2
Multilevel Security
  • Definition and need for MLS
  • Bell-LaPadula model
  • Biba model
  • Multilevel security implementation

3
Definition and need for MLS
  • Multilevel security involves a database in which
    the data stored has an associated classification
    and consequently constraints for their access
  • MLS allows users with different classification
    levels to get different views from the same data
  • MLS must not allow downward leaking, in which a
    user with a lower classification views data
    stored with a higher classification

4
Definition and need for MLS
  • Multilevel systems are usually found in the
    federal government
  • Some private systems also have multilevel
    security needs
  • MLS needs to provide the same level of integrity
    that the relational model provides
  • Relational model provides entity integrity and
    referential integrity

5
Definition and need for MLS
  • MLS relation is split into several single-level
    relations
  • A recovery algorithm reconstructs the MLS
    relation from the decomposed single-level
    relations
  • At times MLS updates cannot be completed because
    it would result in leakage or destruction of
    secret information

6
Definition and need for MLS
  • In relational model, relations are tables and
    relations consist of tuples (rows) and attributes
    (columns)
  • Example: consider the relation
    SOD(Starship, Objective, Destination)

7
Definition and need for MLS
  • The relation in the example has no classification
    associated with it in a relational model
  • The same example in MLS will be as follows

8
Definition and need for MLS
  • In MLS, access classes can be assigned to:
      • Individual tuples in a relation
      • Individual attributes of a relation
      • Individual data elements of tuples in a relation
  • Discretionary Access Control allows a user to
    read data. DAC does not control how the user
    uses the data
  • Trojan Horse scenario explains this problem and
    how this could be abused in MLS

9
Definition and need for MLS
  • Trojan Horse scenario:
      • Bob owns file f1
      • Eve owns file f2
      • Eve grants Bob write privilege on f2
      • A utility program P (such as fancy printing)
        contains the intended code plus hidden code
        that reads from f1 and writes to f2, namely
        the Trojan Horse

10
Trojan Horse
  • Bob executes P and it does what it is supposed to
    do plus it reads the contents of file f1 and
    writes it to file f2
  • Eve owns f2 and so Eve can now see the contents
    of f1 which was originally not available for Eve
  • This Trojan Horse code shows how a DAC has been
    abused

11
Bell LaPadula Model
  • Bell-LaPadula model shows how to use Mandatory
    Access Control to prevent the Trojan Horse
  • Bell-LaPadula model was developed in 1973
  • This is an extension of the Access Matrix model
    with classified data
  • This model has two components:
      • Classification
      • Set of categories

12
Bell LaPadula Model
  • Classification has four values: U, C, S, TS
      • U = unclassified
      • C = confidential
      • S = secret
      • TS = top secret
  • Classifications are ordered: TS > S > C > U
  • Set of categories consists of the data
    environment and the application area

13
Bell LaPadula Model
  • Security level is denoted by the pair
    L1 = (X1, Y1)
  • Relationship among the security levels is defined
    as follows:
    L1 ≥ L2 if X1 ≥ X2 and Y1 ⊇ Y2
  • In this case L1 is said to dominate L2

14
Bell LaPadula Model
  • Bell-LaPadula model is based on a subject-object
    paradigm
  • Subjects are active elements of the system that
    execute actions
  • Objects are passive elements of the system that
    contain information
  • Subjects act on behalf of users who have a
    security level associated with them (indicating
    the level of system trust)

15
Bell LaPadula Model
  • Subjects execute access modes on objects
  • Access modes are:
      • Read-only
      • Append (writing without reading)
      • Execute
      • Read-write (writing known data)
  • Decentralized administration of privileges on
    objects

16
Bell LaPadula Model
  • The two main properties of this model for a
    secure system are:
      • Simple security property
      • Star property
  • Simple security means: a subject may have read or
    write access to an object only if the clearance
    of the system dominates the security level of the
    object

17
Bell LaPadula Model
  • Star property means: an untrusted subject may
      • append if object security dominates subject
        security
      • write if object security equals
        subject security
      • read if object security is less than
        subject security
  • This model guarantees secrecy by preventing
    unauthorized release of information
  • This model does not protect from unauthorized
    modification of information
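
Added example, not part of the original presentation: the dominance relation and the star-property rules from the slides above, applied to the Bob/Eve Trojan Horse scenario. The labels (Bob and f1 at S, f2 at U), the ACL table and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

ORDER = {"U": 0, "C": 1, "S": 2, "TS": 3}   # TS > S > C > U

@dataclass(frozen=True)
class Level:
    cls: str                          # X: classification
    cats: frozenset = frozenset()     # Y: set of categories

    def dominates(self, other):
        # L1 >= L2 iff X1 >= X2 and Y1 is a superset of Y2
        return ORDER[self.cls] >= ORDER[other.cls] and self.cats >= other.cats

def allowed(subject, obj, mode):
    """Star-property rules for an untrusted subject, as listed on the slides."""
    if mode == "append":
        return obj.dominates(subject)
    if mode == "write":
        return obj == subject
    if mode == "read":
        # Read-only access to dominated objects; equal levels are included here.
        return subject.dominates(obj)
    raise ValueError(f"unknown access mode: {mode}")

# Constructed scenario data: labels and ACL entries are assumptions.
LABEL = {"bob": Level("S"), "f1": Level("S"), "f2": Level("U")}
ACL = {("bob", "f1"): {"read", "write"},   # Bob owns f1
       ("bob", "f2"): {"write"}}           # Eve granted Bob write on f2

def check(user, obj, mode, mac):
    if mode not in ACL.get((user, obj), set()):
        return False                       # DAC denies
    return (not mac) or allowed(LABEL[user], LABEL[obj], mode)

def trojan_leaks(mac):
    """Program P runs with Bob's identity: read f1, then write into f2."""
    return check("bob", "f1", "read", mac) and check("bob", "f2", "write", mac)

if __name__ == "__main__":
    print("DAC only :", trojan_leaks(mac=False))
    print("DAC + MAC:", trojan_leaks(mac=True))
```

With DAC alone both steps pass because Eve's grant is honoured; with the mandatory check the write into the lower-labelled f2 is refused even though the ACL permits it.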

18
Biba Model
  • Developed in 1977
  • Overcomes the integrity problem of Bell-LaPadula
  • Similar to Bell-LaPadula
  • Classifications are:
      • Crucial (C)
      • Very Important (VI)
      • Important (I)
  • Relationship is C > VI > I

19
Biba Model
  • Access modes are:
      • Modify (similar to write in Bell-LaPadula)
      • Invoke (applies to two subjects)
      • Observe (similar to read in Bell-LaPadula)
      • Execute (execute a program)
  • Integrity policy involves:
      • No read-down integrity
      • No write-up integrity

20
Biba Model
  • The Biba model's strict integrity policy does not
    have the append feature of the Bell-LaPadula model
  • Strict integrity policy prevents information from
    being transferred from low-integrity objects to
    other objects

21
Multilevel security implementation
  • Commercial DBMS vendors Oracle, Sybase, and
    TruData have MLS versions of their DBMS
  • Because of Bell-LaPadula restrictions, subjects
    having different clearances see different
    versions of a multilevel relation

Figure 1
22
Multilevel security implementation
  • User with secret classification sees the entire
    table given above
  • User with classification level U sees the
    following table

Figure 2
23
Multilevel security implementation
  • User with classification level U wants to
    update the second tuple in Figure 2 with
    (Voyager, Exploration, Talos)
  • If this update is rejected, then the user would
    be able to infer something about Voyager
  • MLS would allow the secret channel to permit data
    update and protect data integrity as shown in
    Figure 3

24
Multilevel security implementation
Figure 3
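
Added example, not part of the original presentation: the slide 23 update handled by polyinstantiation, the standard MLS technique assumed here because the figures did not survive. The sample rows, the element-level labels and the function names are constructed for illustration.

```python
ORDER = {"U": 0, "C": 1, "S": 2, "TS": 3}

def sample():
    """Constructed SOD relation; each element is (value, classification)."""
    return [
        {"Starship": ("Enterprise", "U"), "Objective": ("Exploration", "U"),
         "Destination": ("Talos", "U")},
        {"Starship": ("Voyager", "U"), "Objective": ("Spying", "S"),
         "Destination": ("Mars", "S")},
    ]

def view(relation, clearance):
    """Rows visible at `clearance`; higher-classified elements become None."""
    lim = ORDER[clearance]
    rows = [tuple(v if ORDER[c] <= lim else None for v, c in r.values())
            for r in relation if ORDER[r["Starship"][1]] <= lim]

    def subsumed(a):
        # A row is dropped when another visible row fills in its None fields.
        return any(a != b and all(x is None or x == y for x, y in zip(a, b))
                   for b in rows)
    return [r for r in rows if not subsumed(r)]

def update(relation, clearance, key, objective, destination):
    """Accept the update without revealing or destroying higher-level data."""
    new = {"Starship": (key, clearance), "Objective": (objective, clearance),
           "Destination": (destination, clearance)}
    same_key = [i for i, r in enumerate(relation) if r["Starship"][0] == key]
    for i in same_key:
        if all(c == clearance for _, c in relation[i].values()):
            relation[i] = new          # ordinary update at the subject's level
            return "updated"
    relation.append(new)               # keep the higher tuple, add a second one
    return "polyinstantiated" if same_key else "inserted"

if __name__ == "__main__":
    sod = sample()
    print("U before:", view(sod, "U"))
    print(update(sod, "U", "Voyager", "Exploration", "Talos"))
    print("U after :", view(sod, "U"))
    print("S after :", view(sod, "S"))
```

The U-level subject sees its update succeed, while an S-level subject sees both Voyager tuples, so the secret row is neither disclosed through a rejection nor overwritten.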