Multilevel Security

Multilevel Security
• Definition and need for MLS
• Bell-LaPadula model
• Biba model
• Multilevel security implementation

Definition and need for MLS
• Multilevel security involves a database in which the stored data carries an associated classification and, consequently, constraints on its access
• MLS allows users with different classification levels to get different views of the same data
• MLS must not allow downward leakage, meaning that a user with a lower classification views data stored with a higher classification

Definition and need for MLS
• Multilevel systems are usually found in the federal government
• Some private systems also have multilevel security needs
• MLS needs to provide the same level of integrity that the relational model provides
• The relational model provides entity integrity and referential integrity

Definition and need for MLS
• An MLS relation is split into several single-level relations
• A recovery algorithm reconstructs the MLS relation from the decomposed single-level relations
• At times an MLS update cannot be completed, because completing it would result in leakage or destruction of secret information

Definition and need for MLS
• In the relational model, relations are tables, and relations consist of tuples (rows) and attributes (columns)
• Example: consider the relation SOD(Starship, Objective, Destination)

Starship     Objective     Destination
Enterprise   Exploration   Talos
Voyager      Spying        Mars

Definition and need for MLS
• The relation in the example has no classification associated with it in the relational model
• The same example in MLS is as follows, with each element carrying its own classification label:

Starship       Objective        Destination
Enterprise U   Exploration U    Talos U
Voyager U      Spying S         Mars S

Definition and need for MLS
• In MLS, access classes can be assigned to:
– Individual tuples in a relation
– Individual attributes of a relation
– Individual data elements of tuples in a relation
• Discretionary Access Control (DAC) allows a user to read data, but DAC does not control how the user uses the data
• The Trojan Horse scenario illustrates this problem and how it could be abused in MLS

Definition and need for MLS
• Trojan Horse scenario:
– Bob owns file f1
– Eve owns file f2
– Eve grants Bob write privilege on f2
– A utility program P (such as a fancy printing tool) contains the intended code plus hidden code that reads from f1 and writes to f2, namely the Trojan Horse

Trojan Horse
• Bob executes P, and it does what it is supposed to do, plus it reads the contents of file f1 and writes them to file f2
• Eve owns f2, so Eve can now see the contents of f1, which were originally not available to Eve
• This Trojan Horse code shows how DAC has been abused

Bell – LaPadula Model
• The Bell-LaPadula model shows how to use Mandatory Access Control to prevent the Trojan Horse
• The Bell-LaPadula model was developed in 1973
• It is an extension of the Access Matrix model with classified data
• The model has two components:
– Classification
– Set of categories

Bell – LaPadula Model
• Classification has four values {U, C, S, TS}
– U = unclassified
– C = confidential
– S = secret
– TS = top secret
• Classifications are ordered: TS > S > C > U
• The set of categories consists of the data environment and the application area

Bell – LaPadula Model
• A security level is denoted by the pair L1 = (X1, Y1), where X1 is a classification and Y1 a set of categories
• The relationship among security levels is defined as follows:
L1 ≥ L2 if X1 ≥ X2 and Y1 ⊇ Y2
In this case L1 is said to dominate L2

Bell – LaPadula Model
• The Bell-LaPadula model is based on a subject-object paradigm
• Subjects are active elements of the system that execute actions
• Objects are passive elements of the system that contain information
• Subjects act on behalf of users, who have a security level associated with them (indicating the level of system trust)

Bell – LaPadula Model
• Subjects execute access modes on objects
• Access modes are:
– Read-only
– Append (writing without reading)
– Execute
– Read-write (writing known data)
• Decentralized administration of privileges on objects

Bell – LaPadula Model
• The two main properties of this model for a secure system are:
– Simple security property
– Star property
• Simple security means: a subject may have read or write access to an object only if the clearance of the subject dominates the security level of the object

Bell – LaPadula Model
• Star property means: an untrusted subject may
– append if the object's security level dominates the subject's
– write if the object's security level equals the subject's
– read if the object's security level is less than the subject's
• This model guarantees secrecy by preventing unauthorized release of information
• This model does not protect against unauthorized modification of information

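As an added worked example (not from the slides), the dominance relation on (classification, categories) pairs and the simple-security and star properties decide each of the three access modes, then are checked against the Trojan Horse scenario; the category labels and file levels are assumed, and "less than" for read is treated as "dominated by", as in the standard formulation.

```python
# Added example, not from the slides: Bell-LaPadula security levels as
# (classification, set of categories), the dominance relation, and the
# simple-security and star properties used to decide each access mode.
CLASS_ORDER = {"U": 0, "C": 1, "S": 2, "TS": 3}   # TS > S > C > U


def dominates(l1, l2):
    """L1 dominates L2 when X1 >= X2 in the classification order and Y1 is a superset of Y2."""
    (x1, y1), (x2, y2) = l1, l2
    return CLASS_ORDER[x1] >= CLASS_ORDER[x2] and frozenset(y1) >= frozenset(y2)


def allowed(subject, obj, mode):
    """Mandatory check for an untrusted subject.

    read   : simple security -> subject must dominate object
    append : star property   -> object must dominate subject (write-up, no observation)
    write  : both properties -> levels must be equal (read-write)
    """
    if mode == "read":
        return dominates(subject, obj)
    if mode == "append":
        return dominates(obj, subject)
    if mode == "write":
        return dominates(subject, obj) and dominates(obj, subject)
    raise ValueError(f"unknown access mode: {mode}")


# Constructed scenario from the slides: Bob's file f1 is secret, Eve's file f2
# is unclassified; the utility P runs with Bob's clearance (labels are assumed).
BOB = ("S", {"ops"})
EVE = ("U", set())
F1 = ("S", {"ops"})      # owned by Bob
F2 = ("U", set())        # owned by Eve; Bob holds DAC write permission on it


def trojan_horse_trace():
    """Return each step of the Trojan Horse flow and whether MAC permits it."""
    return {
        "P reads f1":        allowed(BOB, F1, "read"),    # True: S dominates S
        "P writes f2":       allowed(BOB, F2, "write"),   # False: levels differ
        "P appends to f2":   allowed(BOB, F2, "append"),  # False: U does not dominate S
        "Eve reads f1":      allowed(EVE, F1, "read"),    # False: U does not dominate S
        "Eve appends to f1": allowed(EVE, F1, "append"),  # True: write-up is permitted
    }


if __name__ == "__main__":
    for step, ok in trojan_horse_trace().items():
        print(f"{step:20s} {'permitted' if ok else 'DENIED'}")
```

The DAC write permission Eve granted on f2 never comes into play: the mandatory check denies the write-down before the discretionary one is consulted.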
Biba Model
• Developed in 1977
• Overcomes the integrity problem of Bell-LaPadula
• Similar to Bell-LaPadula
• Classifications are:
– Crucial (C)
– Very Important (VI)
– Important (I)
• Relationship is C > VI > I

Biba Model
• Access modes are:
– Modify (similar to ‘write’ in Bell-LaPadula)
– Invoke (applies to two subjects)
– Observe (similar to ‘read’ in Bell-LaPadula)
– Execute (execute a program)
• Integrity policy involves:
– No read-down integrity
– No write-up integrity

Biba Model
• The Biba model's strict integrity policy does not have the 'append' feature of the Bell-LaPadula model
• The strict integrity policy prevents information from being transferred from low-integrity objects to other objects

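An added example, not from the slides, of the strict integrity policy: the no-read-down and no-write-up rules over C > VI > I, plus a flow analysis showing that no permitted observe-then-modify sequence carries data from a lower-integrity object into a higher-integrity one; the object names and levels are constructed.

```python
# Added example, not from the slides: Biba strict integrity over the levels
# C > VI > I, with the no-read-down and no-write-up rules, plus a check that
# no information can flow from a lower-integrity object to a higher one.
from itertools import product

INTEGRITY = {"I": 0, "VI": 1, "C": 2}   # Crucial > Very Important > Important


def biba_allowed(subject, obj, mode):
    """Strict integrity policy for a subject and an object at the given levels."""
    s, o = INTEGRITY[subject], INTEGRITY[obj]
    if mode == "observe":   # no read-down: object integrity must dominate subject's
        return o >= s
    if mode == "modify":    # no write-up: subject integrity must dominate object's
        return s >= o
    raise ValueError(f"unknown access mode: {mode}")


def possible_flows(subjects, objects):
    """Object-to-object flows reachable through one subject that observes the
    first object and modifies the second, under the strict integrity policy."""
    flows = set()
    for s_lvl, (src, src_lvl), (dst, dst_lvl) in product(subjects, objects.items(), objects.items()):
        if (src != dst and biba_allowed(s_lvl, src_lvl, "observe")
                and biba_allowed(s_lvl, dst_lvl, "modify")):
            flows.add((src, dst))
    return flows


def violates_integrity(flows, objects):
    """Flows that would carry data from a lower-integrity object into a higher one."""
    return {(a, b) for a, b in flows if INTEGRITY[objects[a]] < INTEGRITY[objects[b]]}


# Constructed system: three objects at different integrity levels and a subject at every level.
OBJECTS = {"audit_log": "C", "config": "VI", "scratch": "I"}
SUBJECTS = ["C", "VI", "I"]

if __name__ == "__main__":
    flows = possible_flows(SUBJECTS, OBJECTS)
    print("permitted flows:", sorted(flows))
    print("integrity violations:", violates_integrity(flows, OBJECTS))   # empty set
```

Every permitted flow runs downward in integrity (crucial to very important, very important to important), which is the dual of Bell-LaPadula's upward-only secrecy flows.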
Multilevel security implementation
• Commercial DBMSs Oracle, Sybase, and TruData have MLS versions of their DBMS
• Because of Bell-LaPadula restrictions, subjects having different clearances see different versions of a multilevel relation

Starship       Objective        Destination
Enterprise U   Exploration U    Talos U
Voyager U      Spying S         Mars S

Figure 1
Multilevel security implementation
• A user with secret clearance sees the entire table given above
• A user with clearance level 'U' sees the following table:

Starship       Objective        Destination
Enterprise U   Exploration U    Talos U
Voyager U      Null U           Null U

Figure 2

Multilevel security implementation
• A user with clearance level 'U' wants to update the second tuple in Figure 2 with (Voyager, Exploration, Talos)
• If this update is rejected, the user would be able to infer something about Voyager
• MLS instead allows the update to proceed while retaining the secret tuple, so that secret data is neither revealed nor destroyed, as shown in Figure 3

Multilevel security implementation

Starship       Objective        Destination
Enterprise U   Exploration U    Talos U
Voyager U      Exploration U    Talos U
Voyager U      Spying S         Mars S

Figure 3
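An added example, not from the slides, that models the element-labelled SOD relation of Figures 1 to 3: the view returned for each clearance and a 'U' user's update answered by inserting a second tuple at the user's level (polyinstantiation) instead of rejecting it; the rule that drops a nulled row from a view once a complete row with the same key exists is an assumption.

```python
# Added example, not from the slides: an element-level multilevel relation,
# the view each clearance receives (Figures 1 and 2), and an update by a 'U'
# user answered by polyinstantiation instead of rejection (Figure 3).
CLASS_ORDER = {"U": 0, "C": 1, "S": 2, "TS": 3}
COLUMNS = ("Starship", "Objective", "Destination")   # Starship is the key

# Constructed data matching Figure 1: each element carries its own class label.
SOD = [
    {"Starship": ("Enterprise", "U"), "Objective": ("Exploration", "U"), "Destination": ("Talos", "U")},
    {"Starship": ("Voyager", "U"),    "Objective": ("Spying", "S"),      "Destination": ("Mars", "S")},
]


def visible(label, clearance):
    return CLASS_ORDER[label] <= CLASS_ORDER[clearance]


def view(relation, clearance):
    """Rows a user with this clearance sees: tuples whose key is above the
    clearance vanish, other hidden elements become ('Null', clearance), and a
    nulled row is dropped when a fully visible row with the same key exists (assumed rule)."""
    rows = []
    for tup in relation:
        if not visible(tup["Starship"][1], clearance):
            continue
        rows.append(tuple(tup[c] if visible(tup[c][1], clearance) else ("Null", clearance) for c in COLUMNS))
    complete = {r[0][0] for r in rows if ("Null", clearance) not in r}
    return [r for r in rows if ("Null", clearance) not in r or r[0][0] not in complete]


def update(relation, clearance, key, **values):
    """Apply a user's update at its own level: change the tuple in place when all of
    its elements are visible, otherwise (rejecting would reveal the hidden elements)
    insert a second tuple at the user's level, as in Figure 3."""
    new_vals = {c: (v, clearance) for c, v in values.items()}
    matches = [t for t in relation if t["Starship"][0] == key and visible(t["Starship"][1], clearance)]
    if not matches:
        raise KeyError(key)
    for tup in matches:
        if all(visible(tup[c][1], clearance) for c in COLUMNS):
            tup.update(new_vals)
            return relation
    base = {c: matches[0][c] if visible(matches[0][c][1], clearance) else ("Null", clearance) for c in COLUMNS}
    base.update(new_vals)
    relation.append(base)              # polyinstantiated tuple at the user's level
    return relation


if __name__ == "__main__":
    print("U view:", view(SOD, "U"))      # Voyager row shows Null U / Null U
    update(SOD, "U", "Voyager", Objective="Exploration", Destination="Talos")
    print("S view:", view(SOD, "S"))      # both Voyager tuples, as in Figure 3
```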
