Security Models: Part 3 - Bell-LaPadula Model

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:00
>> Now let's discuss the Bell-LaPadula model,
00:00
and if you've read this
00:00
or done your research and heard
00:00
of the Bell-LaPadula model,
00:00
first thing I want to tell you
00:00
is that's how it's pronounced.
00:00
I bet you I mispronounced this model for years.
00:00
But it's the Bell-LaPadula security model,
00:00
and it's concerned with
00:00
protecting the confidentiality of information.
00:00
As a matter of fact, it was
00:00
originally designed for use in
00:00
the US government to protect
00:00
national secrets and classified information.
00:00
Our focus here is
00:00
confidentiality and confidentiality only.
00:00
This isn't busy with protecting
00:00
integrity or availability or this, that,
00:00
or the other, the Bell-LaPadula model is
00:00
all about keeping secrets secret.
00:00
You'll notice the last bullet point,
00:00
the model is built on the concept
00:00
>> of the state machine or
00:00
>> the secure state model with
00:00
the idea that there are different allowable states,
00:00
which we'll talk about in the last section.
00:00
This idea, this Bell-Lapadula model,
00:00
from this point forward,
00:00
our models are going to contain rules,
00:00
and you can apply one rule or
00:00
all the rules or any number of rules in between.
00:00
What's really important is
00:00
the rules come in and restrict,
00:00
and they restrict access a certain way.
00:00
If a rule doesn't specifically forbid an action,
00:00
then you have to assume the action is allowed.
00:00
You can think of it as
00:00
if you're writing an operating system,
00:00
here are the rules I have to incorporate
00:00
into the operating system. Let's look at this.
00:00
Let's look at Bell-LaPadula
00:00
again in the context of confidentiality.
00:00
Now some of this will make sense to you,
00:00
and basically when we're talking
00:00
about confidentiality of data,
00:00
a system doesn't necessarily inherently
00:00
understand top secret versus secret and so on.
00:00
It does so through the use
00:00
of what are referred to as security labels.
00:00
Basically what that means is when an object is created,
00:00
it's assigned to label,
00:00
and that label might be confidential, secret,
00:00
top secret, unclassified,
00:00
whatever the scheme is in the organization.
00:00
Then when a user is created
00:00
they are assigned a label as well.
00:00
When a user goes to access an object,
00:00
subject access as an object,
00:00
the labels are compared and the users label against
00:00
the resources label is
00:00
what we're talking about here when we
00:00
talk about reading up or down,
00:00
writing up or down,
00:00
it's all about how the labels work together.
00:00
Now this tranquility property,
00:00
which is the first rule of Bell-LaPadula
00:00
says these security labels
00:00
>> can't be arbitrarily changed.
00:00
>> Well, that makes sense, I can't go in and
00:00
right-click and give myself top secret clearance.
00:00
The tranquility property essentially says
00:00
whatever labels have been
00:00
>> assigned by your administrator,
00:00
>> those labels stay and
00:00
are only modified through a process.
00:00
A user has no control over those.
00:00
Now let's get into the big rules because
00:00
we have three main rules of Bell-LaPadula.
00:00
We have the simple security property,
00:00
we have the star security property,
00:00
and we have the strong star property.
00:00
Anytime you see simple because we'll see this
00:00
again in a property or axiom,
00:00
simple always refers to how one can read.
00:00
Can I read data above my level?
00:00
Can I read data below my level?
00:00
Simple is always about read.
00:00
Now the star properties and that's how it's pronounced,
00:00
it's actually an asterisk,
00:00
an underscore security property is how it's written,
00:00
but we pronounce it as the star security property.
00:00
Star is always about how I can write.
00:00
Can I write up or down
00:00
the star security property will tell me.
00:00
If you'll remember the phrase,
00:00
it's written in the stars,
00:00
and a common phrase,
00:00
if you'll remember that, that'll tell you,
00:00
"Okay, right goes with star.
00:00
I'll tell you something funny,
00:00
because the first time I saw this,
00:00
the first 30 times I saw this,
00:00
my question was, why would you call this thing?
00:00
Why would you name it asterisk
00:00
underscore security property?
00:00
The funny answer is that
00:00
>> the gentleman that were writing
00:00
>> this mathematical model couldn't
00:00
think of a good name for it,
00:00
so they use the asterisk and
00:00
the underscore as a place holder.
00:00
Then at the end of the day,
00:00
at the end of developing this model,
00:00
they just decided not to go back and change it.
00:00
It was the asterisk for, "Hey,
00:00
we'll call this something fun later,
00:00
and then if we did so that kind of cracks me up.
00:00
Let's look at the simple security property
00:00
with Bell-LaPadula.
00:00
The simple security property about
00:00
reads says, "No read up."
00:00
If I have secret clearance,
00:00
I can't read top secret data.
00:00
That makes sense.
00:00
I think most of us understand the Bell-LaPadula model,
00:00
is something that we've seen before.
00:00
Now remember, if the policy isn't
00:00
expressly restricted, then you can do it.
00:00
If all you apply is the simple security property,
00:00
you cannot read up,
00:00
but you could read down.
00:00
You could write down,
00:00
you could write up.
00:00
The simple security property only says no read up.
00:00
Now we could add a second policy
00:00
called the star security property,
00:00
the star security property says, "No write down."
00:00
If I'm at an upper level,
00:00
I can't write down to lower levels.
00:00
That would keep me from divulging secrets,
00:00
I can't save a top secret document
00:00
down to a secret folder.
00:00
That idea is all about
00:00
protecting against leaking
00:00
>> secrets down to lower levels.
00:00
>> Now again, if it's not
00:00
expressly restricted, then it's allowed.
00:00
If I just implement the star security property,
00:00
I can't write down.
00:00
Can I write up?
00:00
Yeah. Can I read up?
00:00
Yes. Well, I don't want people to read
00:00
above their level of classification.
00:00
Well then you also need to apply
00:00
the simple security property as well.
00:00
Each one of these rules provides a specific function,
00:00
and if a rule doesn't forbid it, then it's allowed.
00:00
If you want to keep people from reading up,
00:00
you'll apply the simple security property,
00:00
if you also want to keep them from writing down,
00:00
you can also apply the star security property.
00:00
Now there's also the strong star property that says,
00:00
"No read or write up or down."
00:00
The hardest thing for people to get about this
00:00
is if it's not expressly forbidden, then it's allowed.
00:00
That means in many cases,
00:00
I will need more than one rule
00:00
to really get the security I need.
00:00
Let me give you an example.
00:00
Let's say Tavera has
00:00
confidential clearance, that's her label.
00:00
According to Bell-LaPadula's star security property,
00:00
which files can Tavera read?
00:00
Stat right there, the star security property,
00:00
it's written in the stars
00:00
that does not address what Tavera can read,
00:00
if all that's applied is
00:00
the star security property Tavera can read everything.
00:00
It feels weird, but that's how it is,
00:00
if that's the only policy you apply.
00:00
Let's say according to
00:00
Bell-LaPadula's star security property
00:00
to which files can Tavera write?
00:00
I have to stop and say, "Okay,
00:00
star is about write.
00:00
We've got confidentiality, so no write down."
00:00
Tavera has confidential clearance,
00:00
she cannot write below
00:00
her level to keep her from leaking secrets downward.
00:00
She can right above her Level,
00:00
A's above her level,
00:00
B's above her level,
00:00
and she can also write to
00:00
her own level which is confidential.
00:00
Really the only file she cannot write to is file
00:00
C. That wraps up the Bell-LaPadula model,
00:00
some folks will mistakenly say, "Hey,
00:00
Bell-LaPadula says no read up, no write down."
00:00
That's not really true.
00:00
The Bell-LaPadula has models,
00:00
it has rules that dictate, read and write.
00:00
The simple security property says," No read up."
00:00
The star security property says, "No right down."
00:00
Then the strong star property says,
00:00
"No read or write up or down."
00:00
Then there's that tranquility model that says,
00:00
"You can't arbitrarily change security labels."
Up Next