Multilevel security

Subjects (or roles) act on different security levels.

• Levels do not intersect themselves.

• Levels have some partial order.

  • Hierarchy.

  • Lattice.

Levels are used as attributes of subjects and objects.

• Subjects: security level clearance.

• Objects: security classification.

Information flows and security levels.

• Same security level → authorized.

• Different security levels → controlled.

  • Authorized or denied on a “need to know” basis.

Levels

Military / Intelligence organizations

Typical levels.

• Top secret.

• Secret.

• Confidential.

• Restricted.

• Unclassified.

Portugal (NTE01, NTE04).

• Muito Secreto.

• Secreto.

• Confidencial.

• Reservado.

EU example.

• EU TOP SECRET.

• EU SECRET.

• EU CONFIDENTIAL.

• EU RESTRICTED.

• EU COUNCIL / COMMISSION.

NATO example.

• COSMIC TOP SECRET (CTS).

• NATO SECRET (NS).

• NATO CONFIDENTIAL (NC).

• NATO RESTRICTED (NR).

Civil organizations

Typical levels.

• Restricted.

• Proprietary.

• Sensitive.

• Public.

Security categories (or compartments)

Self-contained information environments.

• May span several security levels.

Military environments.

• Military branches, military units.

Civil environments.

• Departments, organizational units.

An object can belong to different compartments and have a different security classification in each of them.

Labels

• Label = Category + Level

• Relative order between labels.

  • Lb1 $\le$ Lb2 $\implies$ C1 $\subseteq$ C2 $\wedge$ Lv1 $\leq$ Lv2

• Labels form a lattice.

Bell-La Padula MLS Model

Access control policy for controlling information flows.

• Addresses data confidentiality and access to classified information.

• Addresses disclosure of classified information.

  • Object access control is not enough.

  • One needs to restrict the flow of information from a source to authorized destinations.

Uses a state-transition model.

• In each state, there are subjects, objects, an access matrix and the current access information.

• State transition rules.

• Security levels and clearances.

  • Objects have security labels.

  • Subjects have security clearances.

  • Both refer to security levels (e.g. CONFIDENTIAL).

Secure state-transition model

Simple security condition (no read-up).

• S can read O iff L(S) $\ge$ L(O)

*-property (no write down).

• S can write O iff L(S) $\le$ L(O)

• aka confinement property.

Discretionary Security Property.

• DAC-based access control.

Secure state-transition model

Strong Star Property

• S can read O iff L(S) = L(O)

Tranquility Principle

• Strong tranquillity: S/O levels are static for the entire S/O lifetime.

• Weak tranquillity: S/O levels may change if the security spirit of the system is not compromised.

Trusted Subjects

• S can write to lower levels.

Biba Integrity Model

Access control policy for controlling information flows.

• To enforce data integrity control.

• Uses integrity levels, not security levels.

• Subjects cannot corrupt objects at higher levels.

Similar to Bell-La Padula, with inverse rules.

• Simple Integrity Property (no read down).

  • S can read O iff I(S) $\le$ I(O)

• Integrity *-Property (no write-up).

  • S can write O iff I(S) $\ge$ I(O)

Invocation Property.

• S cannot request higher access.