Bell–LaPadula model

The Bell–LaPadula model (BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret") down to the least sensitive (e.g., "Unclassified" or "Public").

The Bell–LaPadula model is an example of a model where there is no clear distinction between protection and security. The Bell–LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model, which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system satisfies the security objectives of the model. The Bell–LaPadula model is built on the concept of a state machine with a set of allowable states in a computer system. The transition from one state to another state is defined by transition functions. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a partial order. The model defines one discretionary access control (DAC) rule and two mandatory access control (MAC) rules with three security properties:

The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell–LaPadula model via the concept of trusted subjects. Trusted subjects are not restricted by the Star-property. Trusted subjects must be shown to be trustworthy with regard to the security policy. The Bell–LaPadula security model is directed toward access control and is characterized by the phrase "write up, read down" (WURD). Compare the Biba model, the Clark–Wilson model, and the Chinese Wall model. With Bell–LaPadula, users can create content only at or above their own security level (i.e. secret researchers can create secret or top-secret files but may not create public files; no write-down). Conversely, users can view content only at or below their own security level (i.e. secret researchers can view public or secret files, but may not view top-secret files; no read-up). The Bell–LaPadula model explicitly defined its scope. It did not treat the following extensively:

The Strong Star Property is an alternative to the *-Property, in which subjects may write to objects with only a matching security level. Thus, the write-up operation permitted in the usual *-Property is not present, only a write-to-same operation. The Strong Star Property is usually discussed in the context of multilevel database management systems and is motivated by integrity concerns. This Strong Star Property was anticipated in the Biba model, where it was shown that strong integrity in combination with the Bell–LaPadula model resulted in reading and writing at a single level. The tranquility principle of the Bell–LaPadula model states that the classification of a subject or object does not change while it is being referenced. There are two forms to the tranquility principle: the "principle of strong tranquility" states that security levels do not change during the normal operation of the system. The "principle of weak tranquility" states that security levels may never change in such a way as to violate a defined security policy. Weak tranquility is desirable as it allows systems to observe the principle of least privilege. That is, processes start with a low clearance level regardless of their owner's clearance, and progressively accumulate higher clearance levels as actions require it.

Separation of protection and security

In computer sciences, the separation of protection and security is an application of the separation of mechanism and policy principle. The protection mechanism is supposed to be a component that implements the security policy. However, many frameworks consider both as security controls of varying types. For example, protection mechanisms would be considered technical controls, while a policy would be considered an administrative control. The adoption of this distinction in a computer architecture probably means that protection is provided as a fault tolerance mechanism by hardware/firmware and kernel, whereas the operating system and applications implement their security policies. In this design, security policies rely therefore on the protection mechanisms and on additional cryptography techniques. Examples of models with protection and security separation include access matrix, UCLA Data Secure Unix, take-grant and filter. Such separation is not found in models like high-water mark, Bell–LaPadula (original and revisited), information flow, strong dependency and constraints.

The line between 'separation of mechanism and policy' and 'separation of protection and security' isn't necessarily clear. The terms 'protection' and 'security' aren't widely considered distinct. For example, 'computer security' is commonly defined as 'the protection of computer systems'. Indeed, the major hardware approach of hierarchical protection domains considers its use to be both for security and protection. A prominent example of this approach is the ring architecture with "supervisor mode" and "user mode". Such an approach adopts a policy already at the lower levels (hardware/firmware/kernel), restricting the rest of the system to rely on it. Therefore, the choice to distinguish between protection and security in the overall architecture design implies rejection of the hierarchical approach in favour of another one, capability-based addressing.

Separation of mechanism and policy

The separation of mechanism and policy is a design principle in computer science. It states that mechanisms (those parts of a system implementation that control the authorization of operations and the allocation of resources) should not dictate (or overly restrict) the policies according to which decisions are made about which operations to authorize, and which resources to allocate. While most commonly discussed in the context of security mechanisms (authentication and authorization), separation of mechanism and policy is applicable to a range of resource allocation problems (e.g. CPU scheduling, memory allocation, quality of service) as well as the design of software abstractions. Per Brinch Hansen introduced the concept of separation of policy and mechanism in operating systems in the RC 4000 multiprogramming system. Artsy and Livny, in a 1987 paper, discussed an approach for an operating system design having an "extreme separation of mechanism and policy". In a 2000 article, Chervenak et al. described the principles of mechanism neutrality and policy neutrality. The separation of mechanism and policy is the fundamental approach of a microkernel that distinguishes it from a monolithic one. In a microkernel, the majority of operating system services are provided by user-level server processes.

It is important for an operating system to have the flexibility of providing adequate mechanisms to support the broadest possible spectrum of real-world security policies. It is almost impossible to envision all of the different ways in which a system might be used by different types of users over the life of the product. This means that any hard-coded policies are likely to be inadequate or inappropriate for some (or perhaps even most) potential users. Decoupling the mechanism implementations from the policy specifications makes it possible for different applications to use the same mechanism implementations with different policies. This means that those mechanisms are likely to better meet the needs of a wider range of users, for a longer period of time. If it is possible to enable new policies without changing the implementing mechanisms, the costs and risks of such policy changes can be greatly reduced. In the first instance, this could be accomplished merely by segregating mechanisms and their policies into distinct modules: by replacing the module which dictates a policy (e.g. CPU scheduling policy) without changing the module which executes this policy (e.g. the scheduling mechanism), we can change the behaviour of the system. Further, in cases where a wide or variable range of policies are anticipated depending on applications' needs, it makes sense to create some non-code means for specifying policies, i.e. policies are not hardcoded into executable code but can be specified as an independent description. For instance, file protection policies (e.g. Unix's user/group/other read/write/execute) might be parametrized. Alternatively, an implementing mechanism could be designed to include an interpreter for a new policy specification language. In both cases, the systems are usually accompanied by a deferred binding mechanism (e.g. late binding of configuration options via configuration files, or runtime programmability via APIs) that permits policy specifications to be incorporated into the system or replaced by another after it has been delivered to the customer.

An everyday example of mechanism/policy separation is the use of card keys to gain access to locked doors. The mechanisms (magnetic card readers, remote controlled locks, connections to a security server) do not impose any limitations on entrance policy (which people should be allowed to enter which doors, at which times). These decisions are made by a centralized security server, which (in turn) probably makes its decisions by consulting a database of room access rules. Specific authorization decisions can be changed by updating a room access database. If the rule schema of that database proved too limiting, the entire security server could be replaced while leaving the fundamental mechanisms (readers, locks, and connections) unchanged. Contrast this with issuing physical keys: if you want to change who can open a door, you have to issue new keys and change the lock. This intertwines the unlocking mechanisms with the access policies. For
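The following is an added example, not code from any of the source articles, that serves both the Bell–LaPadula section and the mechanism/policy discussion on this page: a policy-neutral reference monitor (the mechanism) into which either the standard BLP rules (simple security property plus *-property) or the Strong Star Property is plugged as the policy, with security levels compared as the partial order of classification and compartments. All class and function names, the four-step classification hierarchy, and the sample clearances and labels are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet
# Assumed linear classification hierarchy (constructed for this example).
RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
@dataclass(frozen=True)
class Level:
    """A security level: classification plus a set of compartments."""
    classification: str
    compartments: FrozenSet[str] = frozenset()
    def dominates(self, other: "Level") -> bool:
        # Partial order: classification at least as high AND compartments a superset.
        return (RANK[self.classification] >= RANK[other.classification]
                and self.compartments >= other.compartments)

Policy = Callable[[Level, Level, str], bool]  # (subject, object, mode) -> allowed

def blp_policy(subj: Level, obj: Level, mode: str) -> bool:
    """Simple security property (no read-up) plus *-property (no write-down)."""
    if mode == "read":
        return subj.dominates(obj)
    if mode == "write":
        return obj.dominates(subj)  # write-same or write-up only
    return False

def strong_star_policy(subj: Level, obj: Level, mode: str) -> bool:
    """Strong Star Property: writes only at exactly the subject's own level."""
    if mode == "write":
        return subj == obj
    return blp_policy(subj, obj, mode)

class ReferenceMonitor:
    """Policy-neutral mechanism: looks up labels, defers the decision, defaults to deny."""
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.clearances: Dict[str, Level] = {}
        self.labels: Dict[str, Level] = {}
    def check(self, subject: str, obj: str, mode: str) -> bool:
        if subject not in self.clearances or obj not in self.labels:
            return False  # unlabelled subject or object: deny rather than guess
        return self.policy(self.clearances[subject], self.labels[obj], mode)

def build_monitor(policy: Policy) -> ReferenceMonitor:
    """Constructed sample: a 'secret' researcher cleared for the 'nuc' compartment."""
    rm = ReferenceMonitor(policy)
    rm.clearances["researcher"] = Level("secret", frozenset({"nuc"}))
    rm.labels["public_memo"] = Level("unclassified")
    rm.labels["nuc_report"] = Level("secret", frozenset({"nuc"}))
    rm.labels["ts_plan"] = Level("top_secret", frozenset({"nuc"}))
    rm.labels["crypto_note"] = Level("secret", frozenset({"crypto"}))
    return rm
```

Swapping `blp_policy` for `strong_star_policy` changes only which writes are permitted (write-up becomes write-same), while the monitor's label lookup and default-deny behaviour stay untouched.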