A Comment on the "Basic Security Theorem" of Bell and LaPadula*

Similar documents
Report Documentation Page

Use of Wijsman's Theorem for the Ratio of Maximal Invariant Densities in Signal Detection Applications

Diagonal Representation of Certain Matrices

Attribution Concepts for Sub-meter Resolution Ground Physics Models

REGENERATION OF SPENT ADSORBENTS USING ADVANCED OXIDATION (PREPRINT)

P. Kestener and A. Arneodo. Laboratoire de Physique Ecole Normale Supérieure de Lyon 46, allée d Italie Lyon cedex 07, FRANCE

System Reliability Simulation and Optimization by Component Reliability Allocation

Crowd Behavior Modeling in COMBAT XXI

Metrology Experiment for Engineering Students: Platinum Resistance Temperature Detector

CRS Report for Congress

Analysis Comparison between CFD and FEA of an Idealized Concept V- Hull Floor Configuration in Two Dimensions. Dr. Bijan Khatib-Shahidi & Rob E.

Optimizing Robotic Team Performance with Probabilistic Model Checking

uniform distribution theory

Estimation of Vertical Distributions of Water Vapor and Aerosols from Spaceborne Observations of Scattered Sunlight

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION REPORT NUMBER

SW06 Shallow Water Acoustics Experiment Data Analysis

Sums of the Thue Morse sequence over arithmetic progressions

Babylonian resistor networks

PIPS 3.0. Pamela G. Posey NRL Code 7322 Stennis Space Center, MS Phone: Fax:

Report Documentation Page

Quantitation and Ratio Determination of Uranium Isotopes in Water and Soil Using Inductively Coupled Plasma Mass Spectrometry (ICP-MS)

THE EULER FUNCTION OF FIBONACCI AND LUCAS NUMBERS AND FACTORIALS

A report (dated September 20, 2011) on. scientific research carried out under Grant: FA

Estimation of Vertical Distributions of Water Vapor from Spaceborne Observations of Scattered Sunlight

On Applying Point-Interval Logic to Criminal Forensics

USER S GUIDE. ESTCP Project ER

Report Documentation Page

Closed-form and Numerical Reverberation and Propagation: Inclusion of Convergence Effects

VLBA IMAGING OF SOURCES AT 24 AND 43 GHZ

An Invariance Property of the Generalized Likelihood Ratio Test

Real-Time Environmental Information Network and Analysis System (REINAS)

Predicting Tropical Cyclone Formation and Structure Change

Predictive Model for Archaeological Resources. Marine Corps Base Quantico, Virginia John Haynes Jesse Bellavance

Sensitivity of West Florida Shelf Simulations to Initial and Boundary Conditions Provided by HYCOM Data-Assimilative Ocean Hindcasts

Broadband matched-field source localization in the East China Sea*

NAVGEM Platform Support

Comparative Analysis of Flood Routing Methods

Determining the Stratification of Exchange Flows in Sea Straits

USMC Enlisted Endstrength Model

High Resolution Surface Characterization from Marine Radar Measurements

HIGH PERFORMANCE CONTROLLERS BASED ON REAL PARAMETERS TO ACCOUNT FOR PARAMETER VARIATIONS DUE TO IRON SATURATION

DIRECTIONAL WAVE SPECTRA USING NORMAL SPREADING FUNCTION

Dynamics of Droplet-Droplet and Droplet-Film Collision. C. K. Law Princeton University

Expressions for the Total Yaw Angle

Internal Tide Generation in the Indonesian Seas

A GENERAL PROCEDURE TO SET UP THE DYADIC GREEN S FUNCTION OF MULTILAYER CONFORMAL STRUCTURES AND ITS APPLICATION TO MICROSTRIP ANTENNAS

Development and Application of Acoustic Metamaterials with Locally Resonant Microstructures

REPORT DOCUMENTATION PAGE

Marginal Sea - Open Ocean Exchange

Computer Simulation of Sand Ripple Growth and Migration.

Coastal Engineering Technical Note

Z-scan Measurement of Upconversion in Er:YAG

High-Fidelity Computational Simulation of Nonlinear Fluid- Structure Interaction Problems

MTIE AND TDEV ANALYSIS OF UNEVENLY SPACED TIME SERIES DATA AND ITS APPLICATION TO TELECOMMUNICATIONS SYNCHRONIZATION MEASUREMENTS

Improved Parameterizations Of Nonlinear Four Wave Interactions For Application In Operational Wave Prediction Models

Near-Surface Dispersion and Circulation in the Marmara Sea (MARMARA)

Mine Burial Studies with a Large Oscillating Water-Sediment Tunnel (LOWST)

Characterization of Caribbean Meso-Scale Eddies

Thermo-Kinetic Model of Burning for Polymeric Materials

Astronomical Institute of the Romanian Academy, str. Cutitul de. Argint-5, Bucharest 28, Romania,

Study of Electromagnetic Scattering From Material Object Doped Randomely WithThin Metallic Wires Using Finite Element Method

DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited.

LAGRANGIAN MEASUREMENTS OF EDDY CHARACTERISTICS IN THE CALIFORNIA CURRENT

REPORT DOCUMENTATION PAGE. Theoretical Study on Nano-Catalyst Burn Rate. Yoshiyuki Kawazoe (Tohoku Univ) N/A AOARD UNIT APO AP

Sea Ice Model for Marginal Ice Zone

A 1/10th Degree Global Ocean Simulation Using the Parallel Ocean Program

Volume 6 Water Surface Profiles

FRACTAL CONCEPTS AND THE ANALYSIS OF ATMOSPHERIC PROCESSES

Abyssal Current Steering of Upper Ocean Current Pathways in an Ocean Model with High Vertical Resolution

Playing Abstract games with Hidden States (Spatial and Non-Spatial).

The Navy Precision Optical Interferometer for SSA applications: an update

Super-Parameterization of Boundary Layer Roll Vortices in Tropical Cyclone Models

Super-Parameterization of Boundary Layer Roll Vortices in Tropical Cyclone Models

Laboratory Benchmark for Models of the Transport in the Kara Sea

Wavelets and Affine Distributions A Time-Frequency Perspective

TIME SERIES ANALYSIS OF VLBI ASTROMETRIC SOURCE POSITIONS AT 24-GHZ

Parametric Models of NIR Transmission and Reflectivity Spectra for Dyed Fabrics

Coupled Ocean-Atmosphere Modeling of the Coastal Zone

Shallow Water Fluctuations and Communications

Analysis of Mixing and Dynamics Associated with the Dissolution of Hurricane-Induced Cold Wakes

MODELING SOLAR UV/EUV IRRADIANCE AND IONOSPHERE VARIATIONS WITH MT. WILSON MAGNETIC INDICIES

Flocculation, Optics and Turbulence in the Community Sediment Transport Model System: Application of OASIS Results

Regional Stratification and Shear of the Various Streams Feeding the Philippine Straits ESR Component

Understanding Near-Surface and In-cloud Turbulent Fluxes in the Coastal Stratocumulus-topped Boundary Layers

Design for Lifecycle Cost using Time-Dependent Reliability

Surface Fluxes and Wind-Wave Interactions in Weak Wind Conditions

The Bernoulli equation in a moving reference frame

An Observational and Modeling Study of Air-Sea Fluxes at Very High Wind Speeds

Molecular Characterization and Proposed Taxonomic Placement of the Biosimulant 'BG'

Exact Solution of a Constrained. Optimization Problem in Thermoelectric Cooling

The Extratropical Transition of Tropical Cyclones

Levinson s Theorem and the Nonlocal Saito Potential

Wavelet Spectral Finite Elements for Wave Propagation in Composite Plates

Catalytic Oxidation of CW Agents Using H O in 2 2 Ionic Liquids

Aviation Weather Routing Tool: A Decision Aid for Manned/Unmanned Aircraft Routing

Scattering of Internal Gravity Waves at Finite Topography

DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited.

Rogue Wave Statistics and Dynamics Using Large-Scale Direct Simulations

Improvements in Modeling Radiant Emission from the Interaction Between Spacecraft Emanations and the Residual Atmosphere in LEO

INFRARED SPECTRAL MEASUREMENTS OF SHUTTLE ENGINE FIRINGS

Transcription:

A Comment on the "Basic Security Theorem" of Bell and LaPadula* John McLean Center for High Assurance Computer Systems Naval Research Laboratory Washington, D.C. 20375 Many claim that the security model developed by Bell and LaPadula and used as a basis for numerous prototype military computer systems is superior to others partly because its authors prove a "Basic Security Theorem" that applies to it. This paper shows that the theorem does not support such claims since it can be proven for security models that are obviously not secure. Further, the theorem provides little help to those who design and implement secure systems. 1. Introduction The security model developed by Bell and LaPadula [1] has been widely used as a basis for designing systems with specified security properties [2]. It has been argued that one reason developers should have confidence in the security provided by systems based on this model is a theorem, called the "Basic Security Theorem" (BST) [1, p. 20], proven about a formalization of the model by its authors [1,p.90, corollary A1]. Several authors have proven similarly named theorems about related security models [3,4,5]. This note reviews the Bell-LaPadula model briefly and shows that the BST can be proven for systems that directly contradict the notion of security embodied in the Bell-LaPadula model. We conclude that the value of the BST is much overrated since there is a great deal more to security than it captures. Further, what is captured by the BST is so trivial that it is hard to imagine a realistic security model for which it doesn t hold. 2. Bell-LaPadula Model The Bell-LaPadula model is based on a state machine in which subjects apply operations (rules) that may require access to objects. The state of the system includes a set of triples that define the current access mode each subject has to each object in the system. Permissible access is determined partly by a security level (classification or clearance) associated with each object and subject. These security levels are partially ordered. Each subject also has a current security level that is bounded above by its clearance. There is also an access matrix that further constrains the access mode an arbitrary subject is allowed to have to an arbitrary object. The following formal description of the Bell-LaPadula model corresponds to the original notation [1] as closely as possible, but nonessential details are omitted. Consider the sets S, O, and A whose elements are known as subjects, objects, and access modes, respectively. Intuitively, S consists of all system users and programs; O consists of all system files; and A is {read, execute,write,append }, the set of all modes in which an element of S can have access to an element of O. Bell and LaPadula define a system state v as an element of V =(B M F H ), where B is the set of current accesses, a subset of S O A that gives the access modes each subject currently has to each object, M is the access permission matrix, where M ij A is the set of access modes subject i may have to object j, F consists of the three functions f s, which gives the security level (clearance) associated with each subject, f o, which gives the security level (classification) associated with each object, and f c, which gives the current security level for each subject, and H defines the current object hierarchy and is of no concern here. *From Information Processing Letters 20 (1985), pp. 67-70.

Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 1985 2. REPORT TYPE 3. DATES COVERED 00-00-1985 to 00-00-1985 4. TITLE AND SUBTITLE A Comment on the Basic Security Theorem of Bell and LaPadula 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Naval Research Laboratory,Center for High Assurance Computer Systems,4555 Overlook Avenue, SW,Washington,DC,20375 8. PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR S ACRONYM(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 11. SPONSOR/MONITOR S REPORT NUMBER(S) 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT a. REPORT b. ABSTRACT c. THIS PAGE 18. NUMBER OF PAGES 4 19a. NAME OF RESPONSIBLE PERSON Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

-2- The set of requests (e.g., to acquire or rescind access to objects) is denoted by R, and the set of decisions (e.g., yes, no, error ) is denoted by D. Finally, W R D V V represents the actions of the system: a request r yields a decision d and moves the system from state v to its successor. Let T be the set of positive integers, and X, Y, and Z the set of functions from T to R, D, and V, respectively. The Bell-LaPadula model defines a system Σ(R,D,W,z 0 ) to be a subset of X Y Z such that (x,y,z ) Σ(R,D,W,z 0 ) if and only if (x t, y t, z t, z t 1 ) W for each t T, where z 0 is the initial state of the system. Each triple (x,y,z ) Σ(R,D,W,z 0 ) is called an appearance of the system, and each quadruple (x t,y t,z t,z t 1 ) is called an action of the system. The concept of a secure state is defined by three properties: the simple security (ss) property, the *-property, and the discretionary security (ds) property. A state satisfies the ss-property if, for each element of B that has an access mode of read or write, the clearance of the subject dominates (in the partial order) the classification of the object. A triple (s,o,x ) satisfies the simple security condition relative to f (SSC rel f) if x is execute or append,orifx is read or write and f s (s ) dominates f o (o ). A state satisfies the *-property if, for each (s,o,x )inb, the current security level of s is equal to the classification of o if the access mode is write, dominates the classification of o if the access mode is read, and is dominated by the classification of o if the access mode is append. A state is said to satisfy the *- property relative to S, where S S, if this condition holds for all triples of B in which s S. Subjects not in S (and therefore not bound by the *-property relative to S ) are called trusted subjects. A state satisfies the ds-property if, for each member of B, the specified access mode is included in the access matrix entry for the corresponding subject-object pair. A state is secure if and only if it satisfies the ss-property, *-property relative to S and the ds-property. In addition to restricting subjects from having direct access to information for which they are not cleared, this concept of security is intended to prevent the unauthorized flow of information from a higher security level to a lower one. The *-property relative to S specifically prevents nontrusted subjects from simultaneously having read access to information at one level and write access to information at a lower level. Bell and LaPadula introduce analogous constraints on a system. A system appearance (x,y,z ) Σ(R,D,W,z 0 ) satisfies the ss-property if each state in the sequence <z 0,z 1,... > satisfies it. 1 A system satisfies the ss-property if each of its appearances does. Analogous definitions introduce the notions of a system satisfying the *- and ds-properties and the concept of a secure system. Theorems A1, A2, and A3 [see below], for the ss-, *-, and ds-properties respectively, show that a system Σ(R,D,W,s 0 ) satisfies the property in question for any initial state that satisfies the property if and only if W (1) adds no new elements to B that would violate the property and (2) deletes any elements that, following the state change, would violate that property. The BST is presented without proof as a corollary of theorems A1, A2, and A3: Basic Security Theorem: A system Σ(R,D,W,z 0 ) is secure if and only if z 0 is a secure state and W satisfies the conditions of theorems A1, A2, and A3 for each action. 2 3. Basic Security Theorem for an Alternative Security Model Suppose that a different set of properties were chosen to define the concept of a secure state. If the BST is indeed a basis for having confidence that the Bell-LaPadula model captures the desired notion of security, then it should not be possible to prove a comparable theorem for a security model that has a substantially different definition for "secure state", and it certainly should not be possible to prove the theorem for a security model that is obviously not secure. The example below shows that this is not only possible but simple. Define the property to hold for a state if, for each triple (s,o,write )inb, the current security level of s dominates the classification of o. This is in essence the reverse of the *-property of Bell-LaPadula 1. In [1] an appearance satisfies the ss-property if each state in <z 1,z 2,... >satisfies the property; no restriction is placed on z 0. Nevertheless, the intent is clear since without this restriction, the BST as stated in [1] is false. See n. 2 below. 2. As noted in n. 1 above, this theorem as presented in [1] is actually false since it is possible for a system to be secure even though its initial state is not secure.

-3- and allows subjects to transfer information from higher security levels to lower security levels. Hence, the model is not secure since it allows secret information to be copied into files, e. g., the Washington Post. Define a secure state to be one that satisfies the ss-property, -property and the ds-property. Following Bell and LaPadula, a "Basic Security Theorem" will be proven as a corollary from three other theorems. Theorem A1: Σ(R,D,W,z 0 ) satisfies the ss-property for any initial state z 0 that satisfies the ss-property iff W satisfies the following conditions for each action (R i,d i,(b*,m*,f*,h* ),(b,m,f,h )): (i) each (s,o,x ) b* b satisfies SSC rel f*; (ii) if (s,o,x ) b does not satisfy SSC rel f*, then (s,o,x ) /b*. Proof: Given in [1]. Theorem A2 : Σ(R,D,W,z 0 ) satisfies the -property relative to S, a subset of S, for any initial state z 0 that satisfies the -property relative to S iff W satisfies the following conditions for each action (R i,d i, (b*,m*,f*,h* ),(b,m,f,h )): (i) for each s S, any (s,o,x ) b* b satisfies the -property with respect to f*; (ii) for each s S, if(s,o,x) b does not satisfy the -property with respect to f*, then (s,o,x ) /b*. [N.B.: This is the -property analogue of a simplified statement of the original theorem A2.] Proof: ( ) Proof by strong induction: Assume that for all i<n z i satisfies the theorem and that z n satisfies (i) and (ii). It follows that z n satisfies the -property as can be seen by the following argument: If n =0 then z n satisfies the -property by hypothesis. If n>0, then z n 1. satisfies the -property by hypothesis. The only way z n could fail to satisfy the property is if a new write access has been granted that violates the property with respect to f* or if an old write access is kept that violates the property relative to f*. But the former possibility is ruled out by (i) and the latter by (ii). ( ) Proof by contradiction: Assume that some state ẑ satisfies the -property but not (i). Then there is an s S such that (s,o,x )isinb* b (and hence b* ), but fails to satisfy the -property, yielding a contradiction. Similarly, if ẑsatisfies the -property but fails to satisfy (ii), then there is an s S such that (s,o,x ) is in b, fails to satisfy the -property, and is in b* as well, also yielding a contradiction. Theorem A3: Σ(R,D,W,z 0 ) satisfies the ds-property iff the initial state z 0 satisfies the ds-property and W satisfies the following condition for each action (R i,d i,(b*,m*,f*,h* ),(b,m,f,h )): (i) if (s k, o l,x ) b* b, then x M* k,l ; (ii) if (s k, o l,x ) b and x /M* k,l, then (s k,o l,x ) /b*. Proof: Provided in [1]. Basic Security Theorem: Σ(R,D,W,z 0 )isasecure system (i. e. satisfies the ss-, -, and ds-properties) iff z 0 is a secure state and W satisfies the conditions of theorems A1, A2, and A3 for each action. Clearly this exercise could be repeated, substituting alternative versions of either of the other security properties (e.g., only allowing users to read information classified above their clearances) as well. 4. Discussion We have shown that the Basic Security Theorem does nothing to establish that a system is really secure. An analogue holds for any definition of "secure state" in a system whose states can be indexed to

-4- support induction. As such, it is a property of state indexing, not of security. The real problems to be dealt with in considering a security model are (1) is the definition of "security" offered in the model a good one, i. e., does it capture what we really mean by "security", and (2) can we prove that a real system meets the definition. The first problem is not addressed by the BST since it is hard to imagine an explication of security for which there is not an analogous theorem, and the second problem is not made any simpler by the BST owing to the uninformativeness of the theorem s hypothesis. This latter point deserves emphasis. It may seem as though the Basic Security Theorem is a significant tool in that it provides a means for proving security of every reachable system state by only considering the initial state and the rules that transform a system from one state to the next. However, the triviality of the tool renders it all but useless. Stripped of all formalism, the theorem states that if a system starts in a secure state and if all its transitions are such that at each state any old access that violates security under the new state s clearance functions is withdrawn and no new access is introduced that violates security, then the system will remain secure. But this is so obvious that it is of virtually no help. In short, the theorem does not address the real problems. Nevertheless, the theorem has been advanced [1,3,6] as a substantial argument in favor of adopting the Bell-LaPadula model as a basis for developing secure systems, probably because people have confused the theorem with the nontrivial task of proving that an implementation meets the conditions of a given security definition. What is perhaps more damaging is that every new explication of "security" is expected to be accompanied by an analogue of the BST even though the time spent proving the theorem is, as should be clear by now, wasted. By focusing on the theorem, the security community has lost track of what needs to be done. In fairness to Bell and La Padula, they do not seem to have suggested that the theorem addresses the above problems. They merely wanted to show that security is an "inductive" property, unlike (according to them) deadlock. Given the previous discussion, it should be obvious that an analogue of the theorem holds for deadlock as well. In any event, once security has been shown to be inductive, why insist on proving it over and over again? Acknowledgments The exposition of the Bell-LaPadula model owes much to Carl Landwehr. Marv Schaefer, when confronted with my doubts about the BST, first formulated the -property and challenged me to prove the BST for the resulting security model. References [1] D. E. Bell and L. J. LaPadula, Secure computer system: unified exposition and Multics interpretation, MITRE MTR-2997, March 1976. Available as NTIS AD-A023 588. [2] C. E. Landwehr, Best available technologies for computer security, IEEE Computer, July, 1983. [3] K. G. Walter, W. F. Ogden, W. C. Rounds, F. T. Bradshaw, S. R. Ames, and D. G. Shumway, Primitive models for computer security, ESD-TR-74-117, January, 1974. Available as NTIS AD-778 467. [4] J. McLean, C. E. Landwehr, and C. L. Heitmeyer, A formal statement of the MMS security model, Proc. 1984 Symposium on Security and Privacy, (IEEE Computer Society Press, 1984). [5] C. E. Landwehr, C. L. Heitmeyer, and J. McLean, A security model for military message systems, Transactions on Computer Systems, to appear August, 1984. [6] Panel session on Bell-LaPadula and alternative models of security, S. B. Lipner moderator, IEEE Symposium on Security and Privacy, April 1983.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback