Multilevel Security

Page 1: Multilevel Security


Multilevel Security

Page 2: Multilevel Security


Multilevel Security

• Definition and need for MLS

• Bell-LaPadula model

• Biba model

• Multilevel security implementation

Page 3: Multilevel Security


Definition and need for MLS

• Multilevel security involves a database in which the stored data has an associated classification and, consequently, constraints on its access

• MLS allows users with different classification levels to get different views of the same data

• MLS must not allow downward leaking, that is, a user with a lower classification viewing data stored at a higher classification

Page 4: Multilevel Security


Definition and need for MLS

• Multilevel systems are usually found in the federal government

• Some private systems also have multilevel security needs

• MLS needs to provide the same level of integrity that the relational model provides

• Relational model provides entity integrity and referential integrity

Page 5: Multilevel Security


Definition and need for MLS

• MLS relation is split into several single-level relations

• A recovery algorithm reconstructs the MLS relation from the decomposed single-level relations

• At times MLS updates cannot be completed because they would result in leakage or destruction of secret information

Page 6: Multilevel Security


Definition and need for MLS

• In relational model, relations are tables and relations consist of tuples (rows) and attributes (columns)

• Example:

Consider the relation

SOD(Starship, Objective, Destination)

Starship     Objective     Destination
Enterprise   Exploration   Talos
Voyager      Spying        Mars

Page 7: Multilevel Security


Definition and need for MLS

• The relation in the example has no classification associated with it in a relational model

• The same example in MLS will be as follows:

Starship        Objective         Destination
Enterprise  U   Exploration  U    Talos  U
Voyager     U   Spying       S    Mars   S

Page 8: Multilevel Security


Definition and need for MLS

• In MLS, access classes can be assigned to:

– Individual tuples in a relation

– Individual attributes of a relation

– Individual data elements of tuples in a relation

• Discretionary Access Control allows a user to read data. DAC does not control how the user uses the data

• Trojan Horse scenario explains this problem and how this could be abused in MLS

Page 9: Multilevel Security


Definition and need for MLS

• Trojan Horse scenario:

– Bob owns file f1

– Eve owns file f2

– Eve grants Bob write privilege on f2

– A utility program P (such as fancy printing) contains the intended code plus hidden code that reads from f1 and writes to f2, namely the Trojan Horse

Page 10: Multilevel Security


Trojan Horse

• Bob executes P and it does what it is supposed to do plus it reads the contents of file f1 and writes it to file f2

• Eve owns f2 and so Eve can now see the contents of f1 which was originally not available for Eve

• This Trojan Horse code shows how DAC can be abused

Page 11: Multilevel Security


Bell – LaPadula Model

• Bell-LaPadula model shows how to use Mandatory Access Control to prevent the Trojan Horse

• Bell-LaPadula model was developed in 1973

• This is an extension of the Access Matrix model with classified data

• This model has two components:

– Classification

– Set of categories

Page 12: Multilevel Security


Bell – LaPadula Model

• Classification has four values {U, C, S, TS}

– U = unclassified

– C = confidential

– S = secret

– TS = top secret

• Classifications are ordered: TS > S > C > U

• Set of categories consists of the data environment and the application area

Page 13: Multilevel Security


Bell – LaPadula Model

• Security level is denoted by the pair

L1 = (X1, Y1)

where X1 is a classification and Y1 is a set of categories

• Relationship among the security levels is defined as follows: L1 ≥ L2 if X1 ≥ X2 (in the classification ordering) and Y1 ⊇ Y2 (Y1 contains every category of Y2)

In this case L1 is said to dominate L2

Page 14: Multilevel Security


Bell – LaPadula Model

• Bell-LaPadula model is based on a subject-object paradigm

• Subjects are active elements of the system that execute actions

• Objects are passive elements of the system that contain information

• Subjects act on behalf of users who have a security level associated with them (indicating the level of system trust)

Page 15: Multilevel Security


Bell – LaPadula Model

• Subjects execute access modes on objects

• Access modes are:

– Read-only

– Append (writing without reading)

– Execute

– Read-write (writing known data)

• Decentralized administration of privileges on objects

Page 16: Multilevel Security


Bell – LaPadula Model

• Two main properties of this model for a secure system are:

– Simple security property

– Star property

• Simple security means: A subject may have read or write access to an object only if the clearance of the subject dominates the security level of the object

Page 17: Multilevel Security


Bell – LaPadula Model

• Star property means: An untrusted subject may:

– append if object security dominates subject security

– write if object security equals subject security

– read if object security is less than subject security

• This model guarantees secrecy by preventing unauthorized release of information

• This model does not protect from unauthorized modification of information

Page 18: Multilevel Security


Biba Model

• Developed in 1977

• Overcomes the integrity problem of Bell-LaPadula

• Similar to Bell-LaPadula

• Classifications are:

– Crucial (C)

– Very Important (VI)

– Important (I)

• Relationship is C > VI > I

Page 19: Multilevel Security


Biba Model

• Access modes are:

– Modify (similar to ‘write’ in Bell-LaPadula)

– Invoke (applies to two subjects)

– Observe (similar to ‘read’ in Bell-LaPadula)

– Execute (execute a program)

• Integrity policy involves:

– No read-down integrity

– No write-up integrity

Page 20: Multilevel Security


Biba Model

• Biba model’s strict integrity policy does not have the ‘append’ feature of Bell-LaPadula model

• Strict integrity policy prevents information from being transferred from low-integrity objects to other objects
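Worked example (added here, not from the slides): the dominance relation and access rules of slides 13 to 17, Biba's strict integrity rules from slide 19, and the Trojan Horse scenario of slides 9 and 10 under DAC and under mandatory control. The levels given to Bob, f1 and f2 are constructed for this example; the slides do not assign any.

```python
from dataclasses import dataclass

# Orderings from the slides: TS > S > C > U (Bell-LaPadula), C > VI > I (Biba)
CLASS_ORDER = {"U": 0, "C": 1, "S": 2, "TS": 3}
INTEGRITY_ORDER = {"I": 0, "VI": 1, "C": 2}

@dataclass(frozen=True)
class Level:
    """Security level L = (X, Y): classification X and set of categories Y."""
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        # L1 dominates L2 when X1 >= X2 in the ordering and Y1 contains Y2
        return (CLASS_ORDER[self.classification] >= CLASS_ORDER[other.classification]
                and self.categories >= other.categories)

def blp_allows(mode: str, subject: Level, obj: Level) -> bool:
    """Bell-LaPadula decision for an untrusted subject (simple security + star property)."""
    if mode == "read":    # simple security: subject clearance dominates object level
        return subject.dominates(obj)
    if mode == "write":   # read-write only at exactly the subject's own level
        return subject == obj
    if mode == "append":  # blind write-up: object level dominates subject level
        return obj.dominates(subject)
    raise ValueError(mode)

def biba_allows(mode: str, subject_int: str, obj_int: str) -> bool:
    """Biba strict integrity: no read-down, no write-up."""
    s, o = INTEGRITY_ORDER[subject_int], INTEGRITY_ORDER[obj_int]
    if mode == "observe":
        return o >= s      # observe only objects of equal or higher integrity
    if mode == "modify":
        return s >= o      # modify only objects of equal or lower integrity
    raise ValueError(mode)

def trojan_horse_leaks(mandatory: bool) -> bool:
    """Bob runs P, which reads Bob's f1 and writes Eve's f2. Levels are constructed
    for this example: Bob and f1 Secret, f2 Unclassified. Eve's DAC grant is in place."""
    bob, f1, f2 = Level("S"), Level("S"), Level("U")
    dac_write_on_f2 = True
    if not mandatory:
        return dac_write_on_f2
    # MAC: writing f2 is a write-down, which neither 'write' nor 'append' permits
    write_f2 = blp_allows("write", bob, f2) or blp_allows("append", bob, f2)
    return dac_write_on_f2 and blp_allows("read", bob, f1) and write_f2
```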

Page 21: Multilevel Security


Multilevel security implementation

• Commercial DBMSs Oracle, Sybase, and TruData have MLS versions of their DBMS

• Because of Bell-LaPadula restrictions, subjects having different clearances see different versions of a multilevel relation

Starship        Objective         Destination
Enterprise  U   Exploration  U    Talos  U
Voyager     U   Spying       S    Mars   S

Figure 1

Page 22: Multilevel Security


Multilevel security implementation

• User with secret classification sees the entire table given above

• User with classification level ‘U’ sees the following table:

Starship        Objective         Destination
Enterprise  U   Exploration  U    Talos  U
Voyager     U   Null         U    Null   U

Figure 2

Page 23: Multilevel Security


Multilevel security implementation

• User with classification level ‘U’ wants to update the second tuple in Figure 2 with (Voyager, Exploration, Talos)

• If this update is rejected, then the user would be able to infer something about Voyager

• MLS therefore accepts the update and stores it as a second Voyager tuple at level U, so the secret tuple is neither revealed nor destroyed, as shown in Figure 3

Page 24: Multilevel Security


Multilevel security implementation

Starship        Objective         Destination
Enterprise  U   Exploration  U    Talos  U
Voyager     U   Exploration  U    Talos  U
Voyager     U   Spying       S    Mars   S

Figure 3
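Worked example (added here, not from the slides): the SOD relation of Figure 1 with element-level classifications, the filtered view an unclassified user gets (Figure 2), and the update from slide 23 stored as a second Voyager tuple at level U (Figure 3), the technique usually called polyinstantiation. The in-place rule for a fully visible tuple is an assumption of this example; the slides only show the polyinstantiated case.

```python
# Orderings from the slides; attribute order of the SOD relation
CLASS_ORDER = {"U": 0, "C": 1, "S": 2, "TS": 3}
ATTRS = ("Starship", "Objective", "Destination")

def make_tuple(values, classes):
    """Build one MLS tuple: each element is a (value, classification) pair."""
    return {a: (v, c) for a, v, c in zip(ATTRS, values, classes)}

def sod_relation():
    """The SOD relation of Figure 1 (what the secret user sees)."""
    return [
        make_tuple(("Enterprise", "Exploration", "Talos"), ("U", "U", "U")),
        make_tuple(("Voyager", "Spying", "Mars"), ("U", "S", "S")),
    ]

def view(relation, clearance):
    """Bell-LaPadula filtering: an element whose classification the clearance
    does not dominate is shown as Null, as in Figure 2. Returns value rows."""
    rows = []
    for t in relation:
        row = tuple(v if CLASS_ORDER[c] <= CLASS_ORDER[clearance] else "Null"
                    for v, c in (t[a] for a in ATTRS))
        rows.append(row)
    return rows

def update(relation, clearance, new_values):
    """Update of the tuple keyed by new_values[0] by a user at `clearance`.
    Rejecting it would let the user infer hidden data (slide 23) and
    overwriting would destroy the secret elements, so when the existing tuple
    holds elements the user cannot see, a second tuple at the user's level is
    stored instead (Figure 3). A fully visible tuple is changed in place."""
    new_tuple = make_tuple(new_values, (clearance,) * len(ATTRS))
    for t in relation:
        if t["Starship"] != new_tuple["Starship"]:
            continue
        if all(CLASS_ORDER[c] <= CLASS_ORDER[clearance] for _, c in t.values()):
            t.update(new_tuple)          # nothing hidden here: plain overwrite
            return relation
    relation.append(new_tuple)           # polyinstantiation: same key, new tuple
    return relation
```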