CSC_5SL03_TP-pt3-Tutorial3-BLP-answers

Tutorial: Bell LaPadula model

J. Leneutre

Exercise 1: Multi-level access control


2- Let us consider a security label lattice built from 4 confidentiality levels Top Secret > Secret >
Confidential > Non Confidential, and 3 confidentiality categories A, B and C. In the following
examples, specify which access modes (observation or alteration) are allowed according to the Bell-
LaPadula model (the discretionary rule of Bell-LaPadula is not taken into account).
f. Mr V with label (Top Secret,{A,C}) wants to access a document with label (Secret,{B,C})
g. Mr W with label (Confidential,{C}) wants to access a document with label (Confidential,{B,C})
h. Mr X with label (Secret,{C}) wants to access a document with label (Secret,{C})
i. Mrs Y with label (Top Secret,{A,C}) wants to access a document with label (Confidential,{A})
j. Mrs Z with label (Non Confidential,∅) wants to access a document with label (Confidential,{B})

Answer

Observation requires the subject label to dominate the object label (simple security property); alteration
requires the object label to dominate the subject label (*-property). "n.c." means the two labels are not
comparable in the lattice (neither dominates the other), so neither mode is allowed.

Subject label          Order   Object label           Access mode
(Top Secret,{A,C})     n.c.    (Secret,{B,C})         none
(Confidential,{C})     <       (Confidential,{B,C})   alt
(Secret,{C})           =       (Secret,{C})           obs, alt
(Top Secret,{A,C})     >       (Confidential,{A})     obs
(Non Confidential,∅)   <       (Confidential,{B})     alt
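As an added worked example (this code is not part of the tutorial), the following Python encodes the lattice of Exercise 1 and decides the mandatory BLP access modes for the five cases above. The level order and the category names are those of the exercise; the function names (`label`, `dominates`, `compare`, `blp_modes`, `solve`) are my own.

```python
"""Bell-LaPadula access-mode decision over a (level, categories) label lattice.

Added example for Exercise 1; not part of the original tutorial.
"""
from typing import Dict, FrozenSet, Tuple

# Confidentiality levels of the exercise, from lowest to highest.
LEVELS = ("Non Confidential", "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}

Label = Tuple[str, FrozenSet[str]]


def label(level: str, *categories: str) -> Label:
    """Build a label (level, set of categories); unknown levels are rejected."""
    if level not in RANK:
        raise ValueError(f"unknown level {level!r}")
    return (level, frozenset(categories))


def dominates(x: Label, y: Label) -> bool:
    """x dominates y iff level(x) >= level(y) and categories(y) is a subset of categories(x)."""
    return RANK[x[0]] >= RANK[y[0]] and y[1] <= x[1]


def compare(subject: Label, obj: Label) -> str:
    """Return '=', '>', '<' or 'n.c.' (not comparable) for a subject/object pair."""
    up, down = dominates(subject, obj), dominates(obj, subject)
    if up and down:
        return "="
    if up:
        return ">"
    if down:
        return "<"
    return "n.c."


def blp_modes(subject: Label, obj: Label) -> FrozenSet[str]:
    """Mandatory part of BLP only (no discretionary matrix, no current level).

    observation requires subject >= object (simple security property);
    alteration requires object >= subject (*-property).
    """
    modes = set()
    if dominates(subject, obj):
        modes.add("obs")
    if dominates(obj, subject):
        modes.add("alt")
    return frozenset(modes)


# The five cases of the exercise (subject label, object label).
CASES = {
    "f": (label("Top Secret", "A", "C"), label("Secret", "B", "C")),
    "g": (label("Confidential", "C"), label("Confidential", "B", "C")),
    "h": (label("Secret", "C"), label("Secret", "C")),
    "i": (label("Top Secret", "A", "C"), label("Confidential", "A")),
    "j": (label("Non Confidential"), label("Confidential", "B")),
}


def solve() -> Dict[str, Tuple[str, Tuple[str, ...]]]:
    """Order and allowed modes for every case, as (order, sorted modes)."""
    return {k: (compare(s, o), tuple(sorted(blp_modes(s, o))))
            for k, (s, o) in CASES.items()}


if __name__ == "__main__":
    for k, (order, modes) in solve().items():
        print(k, order, ", ".join(modes) or "none")
```

Running it prints one line per case with the same order and modes as the table above; a case whose labels are not comparable yields no mode at all, which is the situation of Mr V.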

Exercise 2: Lipner Model


In the context of a company, we want to define a security policy that meets the following requirements:
1. the users should not write their own programs but should use existing programs and databases
(production applications and production data);
2. the application developers must develop and test their programs (applications under development) in
a separate environment from the production environment; if they need to access real data (production
data), a dedicated procedure will allow them to obtain this data (which they can only use in their
development environment);
3. a dedicated procedure must be followed to move a program from the development system to the
production system;
4. the dedicated procedure of requirement 3 must be controlled and audited;
5. the subjects performing the controls and audits of requirement 4 must have access to the states of the
system [5]; the subjects performing the audit of requirement 4 must have read access to the generated logs.

Lipner has proposed a security model that combines aspects of the Bell-LaPadula model and the Biba model [6].
The objective of this exercise is to define, with this Lipner model, a security policy satisfying the previous
informal requirements. We will limit ourselves in this exercise to the part related to the aspects of the Bell-
LaPadula model.

[5] That is, they have read access to all objects except log files.
[6] Lipner, S. B., "Non-Discretionary Controls for Commercial Applications", Proceedings of the IEEE Symposium on
Security and Privacy, 1982.

A- Preliminaries
1. Considering the security concepts below, indicate for each whether it is taken into account in the
policy described above (explain why):
• Separation of duty,
• Auditability.

Answer:
Separation of duty: at least 2 subjects must participate in completing a critical task. It appears in requirements 3 & 4:
moving a program from the development environment to the production environment is an example of a critical task. In
the case where an application developer has made an error during development, the probability that this error will be
detected is greater if the subject who installs (and tests) the application is not the developer himself. Moreover, in
the case where the developer wants to deliberately corrupt production data with a malicious program, the subject certifying
the program may be able to detect it.

Auditability: makes it possible to determine which actions took place and who performed them (accountability). It appears
in requirements 4 & 5. It is particularly important to log any movement of an application from the development environment
to the production environment. The audit is based on log files.

2. The set S of subjects consists of the following:

- users,
- application developers,
- system auditors,
- system controllers.

The set O of objects consists of the following:


- production code,
- production data,
- software tools,
- development code,
- test data,
- logs.

The operations allowed are the following:

- the users use production code to modify production data;
- the application developers use software tools to develop/manipulate development code and test
data;
- the system auditors audit all the log files; to perform this task they have access to system states;
- the system controllers have a special privilege giving them the possibility to change the status of a
code: this allows them to qualify development code as production code; it also allows them to change the
status of production data into test data; to perform this task they have access to system states
except log files;
- the operations of all subjects are recorded in the logs.
Above, "to have access to system states" means having read access to all objects in the system.

The set D of rights consists of the following:

- r (« read »),
- w (« readless write »), i.e. a write without read (write only),
- e (« execute »),
- a (« append »), corresponding to concatenation at the end of a file (write only),
- cs (« change status »), allowing to move a program from the development system to the production
system, or to transform production data into test data.

Build an access control matrix for the subjects, objects and operations defined above.

Answer:

Access control matrix (an empty cell means no right):

               Production   Production   Software   Dev.     Test    Logs
               Code         Data         Tools      Code     Data
Users          e            r,w                                      a
Appli. Dev.                              e          r,e,w    r,w     a
Syst. Audit.   r            r            r          r        r       r,a
Syst. Contr.   r            r,cs         r          r,cs     r       a

3. If we also want a system controller to be able to execute an application object under development, what
rights should be added?

Answer:
It would be necessary to add an execute right (e) on Dev. Code, but also a write right (w) on Test Data, since an
application under development manipulates the test data.

4. Rewrite the access control matrix obtained in question 2 by considering only the rights r, w, e and a and
replacing them with their respective access modes (observation and alteration), according to the following table [7]:

Access right   r   e   w   a
Observation    x   x
Alteration             x   x

Answer:
The matrix becomes (the last column and the last row give the labels that will be derived in part B):

               Production   Production    Software   Dev.        Test        Logs                Label
               Code         Data          Tools      Code        Data
Users          obs          obs,alt                                          alt                 (SL,{PC,PD})
Appli. Dev.                               obs        obs,alt     obs,alt     alt                 (SL,{D,T})
Syst. Audit.   obs          obs           obs        obs         obs         obs,alt             (AM,{D,PC,PD,T})
Syst. Contr.   obs          obs           obs        obs         obs         alt                 (SL,{D,PC,PD,T})
Label          (SL,{PC})    (SL,{PC,PD})  (SL,{T})   (SL,{D,T})  (SL,{D,T})  (AM,{D,PC,PD,T})

B- Use of the Bell-LaPadula model

Confidentiality labels

We consider the following set NC of confidentiality levels:

- AM (« Audit Manager »): this level allows the use of the system and management audit functions
(system auditors will have this classification);
- SL (« System Low »): this will be the level of all subjects except system auditors.

The first level is strictly higher than the second: AM > SL.

We consider the following set CC of confidentiality categories:

• D (« Development »): development code and test data,
• PC (« Production Code »): corresponding to production code,
• PD (« Production Data »): corresponding to production data,
• T (« Software Tools »): programs provided by the development environment.

[7] This correspondence between rights and access modes is not the one initially considered in Bell-LaPadula: for example,
in Bell-LaPadula the access right e has no effect in terms of observation.

The set LC of confidentiality labels is defined as usual by NC x P(CC) (where P(CC) denotes the power set
of CC).

The assignment of confidentiality labels to subjects is defined as follows:

- users: (SL,{PC,PD})
- application developers: (SL,{D,T})
- system auditors: (AM,{D,PC,PD,T})
- system controllers: (SL,{D,PC,PD,T})

Confidentiality labels will be assigned to objects in such a way that the simple security and confinement properties
(*-property) of BLP are satisfied (we consider neither a current label for subjects, nor the discretionary rule).

1- The confidentiality label associated with the production data object is (SL,{PC,PD}): explain why.

Answer:
The label of the production data object must be the same as the label of the user subject, i.e. (SL,{PC,PD}), in
order to satisfy both the simple security property (users observe it) and the confinement property (users alter it).
Moreover, this choice is appropriate because:
- the application developer subject can neither observe nor alter the production data object because its
label (SL,{D,T}) is not comparable with (SL,{PC,PD});
- the system auditor and system controller subjects can only observe the production data object
because their respective labels (AM,{D,PC,PD,T}) and (SL,{D,PC,PD,T}) strictly dominate
(SL,{PC,PD}).

2- Which confidentiality label(s) can be assigned to the production code object?

Answer:
The label assigned to the production code object is (SL,{PC}):
- a user can observe it (simple security property), but cannot alter it (*-property) because its label
(SL,{PC,PD}) strictly dominates (SL,{PC});
- an application developer can neither observe nor alter it because its label (SL,{D,T}) is not comparable
with (SL,{PC});
- a system auditor and a system controller will only be able to observe it because their respective labels
(AM,{D,PC,PD,T}) and (SL,{D,PC,PD,T}) strictly dominate (SL,{PC}).

The label (SL,{PD}) would also have been suitable for the same reasons. We choose (SL,{PC}) because its
category (Production Code) corresponds to the type of the object.

3- Could we replace the current lattice of labels with a new one with a single category P (Production) gathering
PC and PD?

Answer:
No, it is not possible to consider a single category P instead of PC and PD. The user subject would then have the
label (SL,{P}); if the production code object also received (SL,{P}), the user subject could alter it (the two labels
would be equal), and the only other candidate, (SL,∅), is dominated by every subject label, so application developers
could observe the production code.

4- What are the confidentiality labels associated with the development code and test data objects?

Answer:
The development code and test data objects will receive the label (SL,{D,T}) because they must be observed
and altered by the application developer subject. Moreover, this label is not comparable with the label
(SL,{PC,PD}) of the user subject and is strictly dominated by the respective labels (AM,{D,PC,PD,T}) and
(SL,{D,PC,PD,T}) of the system auditor and system controller subjects.

5- Which confidentiality label(s) can be assigned to the software tools object?

Answer:

The label of the software tools object is (SL,{T}): it is strictly dominated by the labels of all subjects except
the user subject, so the simple security property lets every subject except the user observe it, the *-property
lets none of them alter it, and the user label (SL,{PC,PD}) is not comparable with (SL,{T}).

6- Knowing that log files are alterable by all subjects, but only observable by the system auditor subject, what is
the confidentiality label assigned to the log objects?

Answer:

The log file object must receive the label (AM,{D,PC,PD,T}): to satisfy the simple security property its label
must be dominated by the label of the system auditor subject, and to respect the *-property it must dominate the
labels of all other subjects (strictly, so that they can only alter it).

7- Show that the set of accesses authorized by the Bell-LaPadula policy previously obtained is larger
than the set of accesses allowed by the matrix constructed in question A.2. Which additional rule of the Bell-
LaPadula model must be considered for the two sets to coincide?

Answer:

For example, according to the mandatory rules of Bell-LaPadula all subjects may alter the log object, i.e. access it
with the rights a and w, whereas the matrix only grants them the right a. To remedy this, it is sufficient to take into
account the discretionary security property (ds-property), using the matrix of question A.2 as the access matrix.

8- In the context of the Bell-LaPadula model, how can the "dedicated procedures" of requirements 2 and 3 be
implemented?

Answer:

Requirement 2: an application developer, who does not have the PD category in his label, cannot access
production data; if he needs data to test his program, the category set of the data must be changed from {PC,PD}
to {D,T}; this label change requires the intervention of a system controller, which is the dedicated procedure
of requirement 2.

Requirement 3: the installation of a program requires that the category set of the program be changed from {D,T}
to {PC}: only a system controller can change the label and thus perform the installation of an application in
the production system.

The cs privilege introduced in question A.2 allows its holder to modify a security label.

9- Imagine that you add a system program object such that all subjects should be able to use it, but none should
be able to modify it. What would be its label?

Answer:

The label of the system program object must be (SL,∅): it is strictly dominated by the labels of all
subjects, so every subject can observe (execute) it and none can alter it.

10- We wish to add a new subject S, which can modify the production code object without having access to
the production data (this would allow us to model, for example, the deletion of an obsolete version of an
application, or the update of a version). Show that there is no confidentiality label lattice allowing to take into
account the subject S.

Answer:

Subject S should have (at least) alter-mode access to the production code object, without being able to alter
or observe the production data object.

The access control matrix should therefore be as follows:

         Prod. Code   Prod. Data   Label
User     obs          obs, alt     L1
S        alt                       L2
Label    L3           L4

Suppose that there exists a label for each subject and object such that it is possible to model the previous
matrix. The labels indicated in the matrix should satisfy the following conditions, reading each
line of the table from left to right:
- cond 1: L1 > L3 (the user observes the production code but does not alter it);
- cond 2: L1 = L4 (the user observes and alters the production data);
- cond 3: L3 > L2 (S alters the production code but does not observe it);
- cond 4: L2 n.c. L4 (L2 and L4 are not comparable: S neither observes nor alters the production data).

From conditions 1 and 2, L4 > L3. Using condition 3 and the transitivity of the dominance order, we deduce
that L4 > L2, which contradicts condition 4. Therefore there is no lattice of labels making it possible to
model the previous matrix.
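As an added check (this code is not part of the tutorial), the following Python derives the access modes granted by the labels fixed in questions 1 to 6 and compares them with the matrix of question A.4, then searches the whole lattice NC x P(CC) for labels L1..L4 reproducing the matrix of question 10 and finds none. The proof above is general; the search only confirms it for this particular lattice. The level, category and label values are the tutorial's; the function names and the dictionary encoding of the matrix are my own.

```python
"""Derive the Part B access modes from the labels and test question 10 by search.

Added example; not part of the tutorial.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterator, Optional, Tuple

LEVELS = ("SL", "AM")                 # AM > SL
CATEGORIES = ("D", "PC", "PD", "T")
Label = Tuple[str, FrozenSet[str]]


def L(level: str, *cats: str) -> Label:
    return (level, frozenset(cats))


def dominates(x: Label, y: Label) -> bool:
    """x >= y in NC x P(CC): higher-or-equal level and a superset of categories."""
    return LEVELS.index(x[0]) >= LEVELS.index(y[0]) and y[1] <= x[1]


def modes(subject: Label, obj: Label) -> FrozenSet[str]:
    """Mandatory BLP rules only: obs needs subject >= obj, alt needs obj >= subject."""
    m = set()
    if dominates(subject, obj):
        m.add("obs")
    if dominates(obj, subject):
        m.add("alt")
    return frozenset(m)


SUBJECTS = {
    "users":        L("SL", "PC", "PD"),
    "appli. dev.":  L("SL", "D", "T"),
    "syst. audit.": L("AM", "D", "PC", "PD", "T"),
    "syst. contr.": L("SL", "D", "PC", "PD", "T"),
}
OBJECTS = {                           # labels fixed in questions B.1 to B.6
    "production code": L("SL", "PC"),
    "production data": L("SL", "PC", "PD"),
    "software tools":  L("SL", "T"),
    "dev. code":       L("SL", "D", "T"),
    "test data":       L("SL", "D", "T"),
    "logs":            L("AM", "D", "PC", "PD", "T"),
}
OBS, ALT, BOTH = frozenset({"obs"}), frozenset({"alt"}), frozenset({"obs", "alt"})
ALL_OBS = {o: OBS for o in OBJECTS}
# Access-mode matrix of question A.4; a missing entry means no access.
MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "users": {"production code": OBS, "production data": BOTH, "logs": ALT},
    "appli. dev.": {"software tools": OBS, "dev. code": BOTH, "test data": BOTH, "logs": ALT},
    "syst. audit.": {**ALL_OBS, "logs": BOTH},
    "syst. contr.": {**ALL_OBS, "logs": ALT},
}


def derived_matrix() -> Dict[str, Dict[str, FrozenSet[str]]]:
    """Access modes granted by the labels alone, in the same shape as MATRIX."""
    return {s: {o: modes(sl, ol) for o, ol in OBJECTS.items() if modes(sl, ol)}
            for s, sl in SUBJECTS.items()}


def matrices_agree() -> bool:
    return derived_matrix() == MATRIX


def all_labels() -> Iterator[Label]:
    """Every label of NC x P(CC): 2 levels x 16 category sets = 32 labels."""
    for level in LEVELS:
        for k in range(len(CATEGORIES) + 1):
            for cats in combinations(CATEGORIES, k):
                yield L(level, *cats)


def find_labels_for_S() -> Optional[Tuple[Label, Label, Label, Label]]:
    """Search (L1, L2, L3, L4) = (user, S, prod. code, prod. data) reproducing the
    question-10 matrix; candidates are pruned row by row. First solution or None."""
    labels = list(all_labels())
    for l1 in labels:
        for l4 in labels:
            if modes(l1, l4) != BOTH:            # cond 2: user obs+alt on production data
                continue
            for l3 in labels:
                if modes(l1, l3) != OBS:         # cond 1: user obs only on production code
                    continue
                for l2 in labels:
                    if modes(l2, l3) == ALT and not modes(l2, l4):   # cond 3 and cond 4
                        return (l1, l2, l3, l4)
    return None


if __name__ == "__main__":
    print("labels reproduce the A.4 matrix:", matrices_agree())
    print("labels for subject S:", find_labels_for_S())
```

The first check confirms that the labels of questions 1 to 6 grant exactly the observation/alteration modes of the A.4 matrix (the discrepancy of question 7 lies below this granularity, between the rights w and a). The second check exhausts all 32 labels of the lattice for each of L1..L4 and returns None, as the contradiction between conditions 3 and 4 predicts.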

Exercise 3: Unix Data General B2 System

The operating system Unix Data General B2 (DG/UX B2) implements a mandatory access control policy
(MAC) based on a multi-level security model. This access control policy uses security labels corresponding
to distinct "regions" as detailed in Figure 1. The "Administrative region" is reserved for security data: the
log files, the definition of the security labels, etc. The system programs are located in the "Virus Prevention
region".

Figure 1: Unix Data General B2 system regions (listed from the dominating region to the dominated one):
- Administrative region: A&A database, audit
- User region: user data and applications
- Virus Prevention region: VP-1 site executables; VP-2 trusted data; VP-3 executables not part of the TCB
("Trusted Computing Base"); VP-4 executables part of the TCB; VP-5 reserved for future use

The access control policy of DG/UX B2 applies the simple security rule and the confinement rule (or *-
property) of the Bell-LaPadula model (a third rule is discussed in question c).

The subjects are the users and the processes. Security labels are assigned to subjects as follows:
- the initial label of a user is stored in the "A&A database" of the "Administrative region";
- when a process is created, it inherits the label of the parent process.

The objects are the files and the directories. The labels of the objects can be either explicit or implicit. An
explicit label is stored by the system in the attributes of the object. An implicit label is determined from
the parent directory label. This notion of implicit label is used for symbolic links. How the labels are assigned
is not in the scope of this exercise.

a- Why is the "Virus Prevention region" dominated by the "User region"?

Answer: The "Virus Prevention region" contains the system programs. According to the confinement
property (*-property) of BLP, no subject of the "User region", i.e. no user, is able to modify them. A virus running in
the "User region" will therefore never be able to modify the system programs in the "Virus Prevention region" in order
to copy itself.

b- Why does the "Administrative region" dominate the "User region"?

Answer: According to the simple security property of BLP, users cannot read the data in the "Administrative region",
which is reserved for data relevant to the management of security (definition of labels, logs).

c- The system DG/UX B2 adds a supplementary access control rule:

A subject with label l1 is not authorized to alter an object with label l2 such that l2 strictly dominates l1.
Explain why.

Answer: The *-property alone allows "writing up" to a strictly higher label; this rule forbids it. It prevents a user
from modifying the data in the "Administrative region" (the log files, the definition of the labels).


d- To avoid information leaks, a process with label l1 will be able to create a file in a directory with label
l2 only if l1 = l2. If this condition is removed, describe a scenario proving the existence of a covert
channel.

Answer: Let us consider two labels l1 and l2 such that l2 > l1, two processes p1 with label l1 and p2 with label
l2, two files f1 with label l1 and f2 with label l2, and a directory d with label l1.

Suppose p1 and p2 are synchronized:

• p2 reads the first bit of f2;
• if this bit equals 1, p2 creates a file "bit" in directory d (according to the *-property, p2 cannot
write or append information in "bit" that would be directly readable by p1), otherwise p2 does nothing;
• after a while, p1 tries to create a file "bit" in directory d; if p1 succeeds, p1 writes 0 in f1; if it fails
(because the file already exists), p1 writes 1 in f1;
• after a while, p2 removes the file "bit".

By repeating the previous protocol for each bit, p1 can copy the content of f2 into f1, thereby creating an
information flow from a higher label to a lower label: this is a covert channel (the information is carried by the
existence of a file name, not by the content of any file).

The synchronization itself could be achieved by the same kind of protocol.

With the restriction, p2 cannot create the file "bit" in d, since l2 ≠ l1.

e- The restriction of question d forbids usual operations such as compilation or access to mail
(which require access to the directories /tmp [8] and /var/mail). To avoid this limitation, DG/UX B2
introduces a mechanism called "multi-level directory". Imagine what this mechanism could be.

Answer: A "multi-level directory" is a directory with a set of hidden sub-directories, one for each
possible label value. These sub-directories are invisible to users, and if a process with label l tries
to create a file in /tmp, the file is in fact created in the sub-directory of /tmp with label l. A process
therefore only sees the files created at its own label, so the creation succeeds without the existence of the
file becoming observable at another label.

[8] Temporary directory in which files from all the users may be stored for a given period of time.
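The following Python simulation is an added example (not code from the tutorial nor from DG/UX B2) of the covert channel of question d and of the two countermeasures discussed in questions d and e: the equal-label creation rule and the multi-level directory. The in-memory file system, the integer labels (2 stands for l2, 1 for l1), the policy names "unrestricted", "equal" and "mld", and the rule that a process may only remove a file carrying its own label are simplifying assumptions of my own; the secret is passed to p2 directly as a bit string instead of being read from f2.

```python
"""Simulated MAC file system: the file-creation covert channel and its fixes.

Added example, not code from the tutorial or from DG/UX B2.
"""
from typing import Dict, Optional, Tuple

Label = int
HIGH, LOW = 2, 1                       # l2 > l1 of the exercise (assumption: integers)
DIR_D = ("d", LOW)                     # directory d carries label l1


class MacFS:
    """Directory entries keyed by (directory name, bucket label) -> {file name: file label}.

    policy "unrestricted": any process may create in any directory (condition of question d removed)
    policy "equal":        create only if process label == directory label (question d)
    policy "mld":          multi-level directory: the file lands in a hidden sub-directory for
                           the process label, invisible at other labels (question e)
    """

    def __init__(self, policy: str) -> None:
        if policy not in ("unrestricted", "equal", "mld"):
            raise ValueError(policy)
        self.policy = policy
        self.entries: Dict[Tuple[str, Label], Dict[str, Label]] = {}

    def _bucket(self, dirname: str, dir_label: Label, proc_label: Label) -> Tuple[str, Label]:
        # Assumption: in the simulated MLD each label has its own hidden sub-directory.
        return (dirname, proc_label if self.policy == "mld" else dir_label)

    def create(self, proc_label: Label, dirname: str, dir_label: Label, name: str) -> bool:
        """Create `name` labelled with the creator's label. True if created, False if it existed."""
        if self.policy == "equal" and proc_label != dir_label:
            raise PermissionError("creation requires process label == directory label")
        files = self.entries.setdefault(self._bucket(dirname, dir_label, proc_label), {})
        if name in files:
            return False                   # the name's existence is observable even if its content is not
        files[name] = proc_label
        return True

    def remove(self, proc_label: Label, dirname: str, dir_label: Label, name: str) -> None:
        """Assumption: a process may only remove a file carrying its own label."""
        files = self.entries.get(self._bucket(dirname, dir_label, proc_label), {})
        if files.get(name) != proc_label:
            raise PermissionError("not the owner label")
        del files[name]


def transmit(fs: MacFS, secret_bits: str) -> str:
    """Run the protocol of question d once per bit; return what p1 (LOW) decoded.
    secret_bits stands in for the content of f2, known only to p2 (HIGH)."""
    dirname, dir_label = DIR_D
    received = []
    for bit in secret_bits:                             # p1 and p2 are assumed synchronized
        sent = bit == "1" and fs.create(HIGH, dirname, dir_label, "bit")   # p2 encodes a 1
        if fs.create(LOW, dirname, dir_label, "bit"):   # p1 probes by creating the same name
            received.append("0")                        # nothing was there
            fs.remove(LOW, dirname, dir_label, "bit")   # p1 cleans up its own probe file
        else:
            received.append("1")                        # name already taken by p2's file
        if sent:
            fs.remove(HIGH, dirname, dir_label, "bit")  # "after a while, p2 removes bit"
    return "".join(received)


def channel_decodes(policy: str, secret: str = "10110010") -> Optional[str]:
    """Bits decoded by p1 under the given policy, or None if the policy refused the protocol."""
    try:
        return transmit(MacFS(policy), secret)
    except PermissionError:
        return None


if __name__ == "__main__":
    for policy in ("unrestricted", "equal", "mld"):
        print(f"{policy:12s} -> {channel_decodes(policy)}")
```

With the "unrestricted" policy p1 recovers the secret bit for bit, which is the covert channel; with the "equal" rule the first create by p2 in d is refused, so the protocol cannot even start; with the multi-level directory both processes may create in d, but p2's file lands in the hidden sub-directory of label l2 and p1's probe always succeeds, so p1 decodes only zeros and learns nothing.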