62 CHAPTER 5. VERIFIABLE SECURITY GOALS

4. The join operator ⊕ is a totally deﬁned least upper bound operator.

The key result comes from axiom 4. In a ﬁnite lattice, the join operator is deﬁned for any

combination of security classes. Thus, for X

1

⊕ X

2

⊕ ... ⊕ X

n

= Z, the security class Z that results

from a combination of data from any security classes in SC must also be in SC. For lattice policies,

the results of any join operation can be modeled because the securit y class of the operation can always

be computed.

Note that the Example 5.5(b) satisﬁes the Denning axioms, so it is a ﬁnite lattice. Any

combination of data can be assigned a security class. For example, when a secret process generates

data read from conﬁdential and unclassiﬁed inputs, the data generated is labeled secret, which is the

least upper bound of the three secur ity classes. However, we can see that Example 5.5(a) does not

satisfy axioms 3 and 4, so we cannot label the results from any operation that uses the data from two

different users.

Finally, a useful concept is the inverse of the can-ﬂow relation, called the dominance relation.

Dominance is typically used in the security literature.

Deﬁnition 5.7. A ≥ B (read as A dominates B) if and only if B → A.The strictly dominates relation

> is deﬁned by A>B if and only if A ≥ B and A = B. We say that A and B are comparable if

A ≥ B or B ≥ A. Otherwise, A and B are incomparable.

Dominance indicates which security c lass is more sensitive (i.e., contains data that is more

secret). From a security perspective, dominance deﬁnes the information ﬂows that are not allowed.

That is, if A>B, then A’s data must not ﬂow to B or this constitutes a leak.

5.2.2 BELL-LAPADULA MODEL

The most common information ﬂow model in secure operating systems for enforcing secrecy re-

quirements is the Bell-LaPadula (BLP) model [23]. There are a variety of models associated with

Bell and LaPadula, but we describe a common variant here, known as the Multics interpretation.

This BLP model is a ﬁnite lattice model where the security classes represent two dimensions of

secrecy: sensitivity level and need-to-know. The sensitive level of data is a total order indicating se-

crecy regardless of the type of data. In the BLP model, these levels consist of the four governmental

security classes mentioned previously: top-secret, secret, conﬁdential, and unclassiﬁed. However, it was

found that not everyone with a particular security class “needs to know” all the information labeled

for that class.The BLP model includes a set of categor ies that describe the topic areas for data, deﬁn-

ing the need-to-know access. The BLP model assigns a sensitivity level that deﬁnes the secrecy level

that the subject is authorized for, and also a set of categories, called a compartment, to each subject

and object. The combination of sensitivit y level and compartment for a subject are often called its

clearance. For objects, their combination of sensitivity level and compartment are called its access class.

Example 5.8. Figure 5.3 shows a Bell-LaPadula policy with two sensitivity lev els and three cate-

gories. The edges show the direction of information ﬂow authorized by the Bell-LaPadula policy. If

5.2. INFORMATION FLOW SECRECY MODELS 63

Top-

secret:

ALL

Top-

secret:

NUC

Top-

secret:

MIL

Top-

secret:

ST

Top-

secret:

NUC+MIL

Top-

secret:

MIL+ST

Top-

secret:

NUC+ST

Top-

secret:

NONE

Secret:

ALL

Secret:

NUC+MIL

Secret:

MIL+ST

Secret:

NUC+ST

Secret:

NUC

Secret:

MIL

Secret:

ST

Secret:

NONE

Figure 5.3: This a Haase diagram (with the information ﬂow direction added in edges) of a Bell-

LaPadula policy consisting of two sensitivity levels (top-secret and secret where top-secret dominates) and

three categories (NUC, MIL, and ST). The edges show the information ﬂows authorized by the Bell-

LaPadula model for this lattice.

a subject is cleared for top-secret:MIL, it is able to read from this class, top-secret:none,

and secret:MIL. However, information cannot ﬂow to the top-secret:MIL class from

top-secret:MIL+ST or others that include categories besides MIL. Even information that is labeled

with the secret sensitivity level, but has additional categories may not ﬂow to top-secret:MIL.

Of course, subjects at the top-secret:MIL clearance can write to any top-secret class that in-

cludes the category MIL, but none of secret classes.The latter is not possible because the sensitivity

level top-secret dominates or is incomparable to any secret class. Writes may only be allowed

to classes that dominate the subject’s clearance.

The BLP model deﬁnes two key properties for information ﬂow secrecy enforcement.

Deﬁnition 5.9. The simple-security property states that subject s c an read an object o only if SC(s) ≥

SC(o). Thus, a subject can only read data that at their security class or is less secret. Second, the

Get *Operating System Security* now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.