Developed through DoD-funded research in the 1970s. Also called **multi-level security (MLS)**. Focused on [[CIA triad#Confidentiality|confidentiality]].

Labels in the BLP model
- Label = (Sensitivity-level, Compartment or Categories)
	- Sensitivity-level = Top secret (TS), Secret (S), Confidential (C) and Unclassified/Public (P)
	- Compartment is a subset of categories that describe the nature of the data (geography, type of arms, etc.)
- User label → Clearance
- Object label → Classification

### BLP access rules
- **Simple security** → A subject $S$ can read object $O$ if the label of $S$ dominates the label of $O$
	- The subject must dominate the object in levels, and in this sense the object feels like it's a level down. You can read at your level or below. It is also called the **read down rule**.
- **\*-Property** → A subject $S$ can write object $O$ if the label of $S$ is dominated by the label of $O$
	- It is also called the **write up rule**. You are giving away information you have. You can write into the top secret level, because subjects at that level are allowed to read it anyway.

>[!faq]- Can we read/write when labels are the same?
>Yes!

The [[TCB - Trusted Computing Base|TCB]] knows the labels of users and objects, and checks clearance and classification when an access request is received.

#### Does BLP stop unwanted information flow?
An arrow going out of a subject is the subject writing an object. An arrow going into a subject is the subject reading the object.

![[attachments/Screenshot 2023-06-10 at 7.11.50 PM.png]]

### BLP States
A state $S$ of a system satisfies the simple security and star properties if and only if
- If, in state $S$, subject $s$ has *read permission* for object $o$ (or the $ACM[s,o]$ entry contains the read access right), then
	- $Label(s)$ dominates $Label(o)$
- If, in state $S$, subject $s$ has *write permission* for object $o$ (or the $ACM[s,o]$ entry contains the write access right), then
	- $Label(s)$ is dominated by $Label(o)$

>[!faq]- How does the state $S$ change?
>Through system API calls such as `get_access()`, `release_access()`, `read()`, `write()`, `grant()`, `revoke()`, `create()`/`delete()` object or subject, `change_sensitivity_level()`, etc.

### When does TCB allow a call?
#### Tranquility principle
A subject cannot change the security class of an active object. This addresses the [[Attacks against access control#TOCTOU vulnerability|TOCTOU vulnerability]].

#### Non-accessibility of inactive objects
An object cannot be accessed until it is activated.

#### Declassification
Must be done by trusted users.

>[!faq]- What is a trusted user?
>A user that doesn't need to follow the BLP rules
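
The read down and write up rules, and the state condition from the BLP States section, as an added example (not part of the original notes). It assumes the standard definition of dominance, which these notes do not spell out: a label dominates another when its level is at least as high and its compartments are a superset. The subject names, object names, compartments and ACM entries are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    P = 0   # Unclassified/Public
    C = 1   # Confidential
    S = 2   # Secret
    TS = 3  # Top secret

@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Assumed standard order: level >= other's AND compartments are a superset.
        return self.level >= other.level and self.compartments >= other.compartments

def can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)   # simple security (read down)

def can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)   # *-property (write up)

def violations(acm, labels):
    # Return the (subject, object, right) ACM entries that break either property.
    bad = []
    for (s, o), rights in acm.items():
        if "read" in rights and not can_read(labels[s], labels[o]):
            bad.append((s, o, "read"))
        if "write" in rights and not can_write(labels[s], labels[o]):
            bad.append((s, o, "write"))
    return sorted(bad)

# Constructed sample state (hypothetical subjects, objects and compartments).
LABELS = {
    "alice": Label(Level.S, frozenset({"europe"})),
    "bob": Label(Level.TS, frozenset({"arms"})),
    "report": Label(Level.C, frozenset({"europe"})),
    "plan": Label(Level.TS, frozenset({"europe", "arms"})),
}
ACM = {
    ("alice", "report"): {"read", "write"},  # the write is a write down
    ("alice", "plan"): {"write"},            # write up: allowed
    ("bob", "report"): {"read"},             # higher level, but missing compartment
    ("bob", "plan"): {"write"},              # same level, plan has more compartments
}
```

Note that `bob` and `report` have incomparable labels: neither dominates the other, so `bob` can neither read nor write `report` even though his level is higher.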