Multilevel security
Subjects (or roles) act on different security levels.
Levels are disjoint: no level overlaps another.
Levels have some partial order.
Hierarchy.
Lattice.
Levels are used as attributes of subjects and objects.
Subjects: security level clearance.
Objects: security classification.
Information flows and security levels.
Same security level → authorized.
Different security levels → controlled.
Authorized or denied on a “need to know” basis.
Typical levels.
Top secret.
Secret.
Confidential.
Restricted.
Unclassified.
Portugal (NTE01, NTE04).
Muito Secreto.
Secreto.
Confidencial.
Reservado.
EU example.
EU TOP SECRET.
EU SECRET.
EU CONFIDENTIAL.
EU RESTRICTED.
EU COUNCIL / COMMISSION.
NATO example.
COSMIC TOP SECRET (CTS).
NATO SECRET (NS).
NATO CONFIDENTIAL (NC).
NATO RESTRICTED (NR).
Typical levels.
Restricted.
Proprietary.
Sensitive.
Public.
Self-contained information environments.
May span several security levels.
Military environments.
Military branches, military units.
Civil environments.
Departments, organizational units.
An object can belong to different compartments and have a different security classification in each of them.
Label = Category + Level
Relative order between labels.
Lb1 ≤ Lb2 iff C1 ⊆ C2 and Lv1 ≤ Lv2
Labels form a lattice.
Access control policy for controlling information flows.
Addresses data confidentiality and access to classified information.
Addresses disclosure of classified information.
Object access control is not enough.
One needs to restrict the flow of information from a source to authorized destinations.
Uses a state-transition model.
In each state, there are subjects, objects, an access matrix and the current access information.
State transition rules.
Security levels and clearances.
Objects have security labels.
Subjects have security clearances.
Both refer to security levels (e.g. CONFIDENTIAL).
Simple security condition (no read-up).
S can read O iff L(S) ≥ L(O)
*-property (no write down).
S can write O iff L(S) ≤ L(O)
aka confinement property.
Discretionary Security Property.
DAC-based access control.
S can read O iff L(S) = L(O)
Strong tranquillity: S/O levels are static for the entire S/O lifetime.
Weak tranquillity: S/O levels may change as long as the change does not violate the security policy of the system.
S can write to lower levels.
Access control policy for controlling information flows.
To enforce data integrity control.
Uses integrity levels, not security levels.
Subjects cannot corrupt objects at higher levels.
Similar to Bell-La Padula, with inverse rules.
Simple Integrity Property (no read down).
S can read O iff I(S) ≤ I(O)
Integrity *-Property (no write-up).
S can write O iff I(S) ≥ I(O)
Invocation Property.
S cannot invoke (request service from) a subject at a higher integrity level.
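The label lattice (Label = Category + Level), the Bell-LaPadula read/write conditions and the inverse Biba conditions above, as an added example that is not part of the original slides. The numeric ranks given to the "typical levels" are an assumption, and the same Label type is reused for integrity levels so that the two models can be compared side by side.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet


class Level(IntEnum):
    """Typical levels from the slides; the ranks are an assumption to make them comparable."""
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Label:
    """Label = Category + Level: a clearance (subjects) or a classification (objects)."""
    level: Level
    categories: FrozenSet[str] = frozenset()   # compartments the label belongs to

    def dominates(self, other: "Label") -> bool:
        # Lb1 >= Lb2 iff Lv1 >= Lv2 and C1 is a superset of C2.
        # Labels with disjoint compartments are incomparable: neither dominates.
        return self.level >= other.level and self.categories >= other.categories


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security condition (no read-up): L(S) >= L(O)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write-down): L(S) <= L(O)."""
    return obj.dominates(subject)


def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property (no read-down): I(S) <= I(O)."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property (no write-up): I(S) >= I(O)."""
    return subject.dominates(obj)


if __name__ == "__main__":
    # Constructed sample: a SECRET/NAVY subject and a CONFIDENTIAL/ARMY object.
    # The object sits at a lower level but in a compartment S is not cleared for,
    # so the labels are incomparable and BLP denies both read and write.
    s = Label(Level.SECRET, frozenset({"NAVY"}))
    o = Label(Level.CONFIDENTIAL, frozenset({"ARMY"}))
    print(blp_can_read(s, o), blp_can_write(s, o))   # False False
```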