62 CHAPTER 5. VERIFIABLE SECURITY GOALS
4. The join operator is a totally defined least upper bound operator.
The key result comes from axiom 4. In a finite lattice, the join operator is defined for any
combination of security classes. Thus, for X
1
X
2
... X
n
= Z, the security class Z that results
from a combination of data from any security classes in SC must also be in SC. For lattice policies,
the results of any join operation can be modeled because the securit y class of the operation can always
be computed.
Note that the Example 5.5(b) satisfies the Denning axioms, so it is a finite lattice. Any
combination of data can be assigned a security class. For example, when a secret process generates
data read from confidential and unclassified inputs, the data generated is labeled secret, which is the
least upper bound of the three secur ity classes. However, we can see that Example 5.5(a) does not
satisfy axioms 3 and 4, so we cannot label the results from any operation that uses the data from two
different users.
Finally, a useful concept is the inverse of the can-flow relation, called the dominance relation.
Dominance is typically used in the security literature.
Definition 5.7. A B (read as A dominates B) if and only if B A.The strictly dominates relation
> is defined by A>B if and only if A B and A = B. We say that A and B are comparable if
A B or B A. Otherwise, A and B are incomparable.
Dominance indicates which security c lass is more sensitive (i.e., contains data that is more
secret). From a security perspective, dominance defines the information flows that are not allowed.
That is, if A>B, then As data must not flow to B or this constitutes a leak.
5.2.2 BELL-LAPADULA MODEL
The most common information flow model in secure operating systems for enforcing secrecy re-
quirements is the Bell-LaPadula (BLP) model [23]. There are a variety of models associated with
Bell and LaPadula, but we describe a common variant here, known as the Multics interpretation.
This BLP model is a finite lattice model where the security classes represent two dimensions of
secrecy: sensitivity level and need-to-know. The sensitive level of data is a total order indicating se-
crecy regardless of the type of data. In the BLP model, these levels consist of the four governmental
security classes mentioned previously: top-secret, secret, confidential, and unclassified. However, it was
found that not everyone with a particular security class “needs to know all the information labeled
for that class.The BLP model includes a set of categor ies that describe the topic areas for data, defin-
ing the need-to-know access. The BLP model assigns a sensitivity level that defines the secrecy level
that the subject is authorized for, and also a set of categories, called a compartment, to each subject
and object. The combination of sensitivit y level and compartment for a subject are often called its
clearance. For objects, their combination of sensitivity level and compartment are called its access class.
Example 5.8. Figure 5.3 shows a Bell-LaPadula policy with two sensitivity lev els and three cate-
gories. The edges show the direction of information flow authorized by the Bell-LaPadula policy. If
5.2. INFORMATION FLOW SECRECY MODELS 63
Top-
secret:
ALL
Top-
secret:
NUC
Top-
secret:
MIL
Top-
secret:
ST
Top-
secret:
NUC+MIL
Top-
secret:
MIL+ST
Top-
secret:
NUC+ST
Top-
secret:
NONE
Secret:
ALL
Secret:
NUC+MIL
Secret:
MIL+ST
Secret:
NUC+ST
Secret:
NUC
Secret:
MIL
Secret:
ST
Secret:
NONE
Figure 5.3: This a Haase diagram (with the information flow direction added in edges) of a Bell-
LaPadula policy consisting of two sensitivity levels (top-secret and secret where top-secret dominates) and
three categories (NUC, MIL, and ST). The edges show the information flows authorized by the Bell-
LaPadula model for this lattice.
a subject is cleared for top-secret:MIL, it is able to read from this class, top-secret:none,
and secret:MIL. However, information cannot flow to the top-secret:MIL class from
top-secret:MIL+ST or others that include categories besides MIL. Even information that is labeled
with the secret sensitivity level, but has additional categories may not flow to top-secret:MIL.
Of course, subjects at the top-secret:MIL clearance can write to any top-secret class that in-
cludes the category MIL, but none of secret classes.The latter is not possible because the sensitivity
level top-secret dominates or is incomparable to any secret class. Writes may only be allowed
to classes that dominate the subjects clearance.
The BLP model defines two key properties for information flow secrecy enforcement.
Definition 5.9. The simple-security property states that subject s c an read an object o only if SC(s)
SC(o). Thus, a subject can only read data that at their security class or is less secret. Second, the

Get Operating System Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.