BLP, HRU, & Common Criteria question

nel Member Posts: 2,859
Hi Guys,

Does anyone have any good links to these which can put them in layman's terms to help me understand/cement them into my brain? I am trying to study these for my uni exam as it was one of the modules, but I can't seem to get it to stick. Most of the material I have read too seems to be overly complex when it comes to explaining the models.

Any help or advice for these? Or even an explanation in layman's terms :D
Xbox Live: Bring It On

Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking

Comments

  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,729
    Well, something certainly won't stick if you don't understand it. CC and BLP are abstract models that are operational in nature and not very visual. (I have no idea what "HRU" is.) I understood CC by comparing it to TCSEC; BLP I learned by understanding how it was different from CW and Biba, and how it related to RBAC/DAC/MAC. Wikipedia is a good start; there are a lot of discussions about these topics at www.cccure.org.
  • nel Member Posts: 2,859
    Hi JD.

    Thanks for the link, I'll have a dig. My lecturer claimed the HRU was another important model spawned from the access matrix model in the early 70s. However, he neglected to give much more info on any of these models!!

    I've done further research and found a post from Johan back in 2005 which helped me understand too:
    It's the Bell-La Padula "access control model". A model developers can use when they need to build access control (Identification, authentication, and authorization) for a device or software system. Instead of having to design their own system, they can use Bell-La Padula's model as Bell and La Padula did the thinking for them already.

    You won't find a system based on Bell-La Padula's model(s) in corporate environments. It's used (and was originally developed) for military mainframe systems where confidentiality has the highest priority.

    Last but not least, Bell-La Padula's model is a MAC (Mandatory Access Control) model, in which, as you know from your Sec+ studies, an admin (or 'security officer') sets the permissions. An access control model is all about subjects (users, programs) and objects (files, printers, etc.); it defines how and if a subject can access an object. In Bell-La Padula's model both subjects and objects are labeled. Subjects receive a clearance label, objects receive a classification label (i.e. Top Secret, Secret, Classified, Public). Subjects can read objects if their labels match, or the security level is higher than the object's label.

    In Bell-La Padula's model there are two main rules:
    - Simple security rule which dictates that a subject cannot read up.
    - * security rule which dictates that a subject cannot write down.

    Both of these ensure confidentiality. The first rule is obvious: it means a user cannot read data with a higher security label than himself. The second rule means a user cannot write data with a lower security label than himself. The latter prevents people with a high security level from creating files with a lower level, so someone with Top Secret clearance (hence top secret knowledge) cannot create files readable by people with a lower level. It's all about keeping those secrets secret. Note again, the subjects are not able to create files and assign a label/security level to them other than their own.

    Another important term in this context is lattice, which defines the lower and upper bounds of a subject's security level.

    Bell-La Padula's model was originally developed around 1970. I don't know if it is still in use in a system. Likely some principles from this model are still used, but mostly combined with, or established as a basis for, other models, hence other systems.

    One thing I have to ask is, my lecturer claims the BLP model contradicts itself. I understand a lot more now how it actually functions. But how does the BLP contradict itself?
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,729
    nel wrote: »
    One thing I have to ask is, my lecturer claims the BLP model contradicts itself. I understand a lot more now how it actually functions. But how does the BLP contradict itself?
    I don't remember encountering anything in BLP that was an obvious contradiction. The no-read-up/no-write-down aspect of the model may seem like a contradiction, but it's not. These rules prevent reading information from higher security objects and writing it to lower security objects. The other direction is OK because a single object may contain information of differing security classification levels.

    BLP's lattice isn't the best model for all types of information. In fact, it's very insufficient in some ways. BLP only ensures information confidentiality and not integrity. Once an object is assigned a security level it can't be changed. And there's no provision for hiding objects; only the content of an object can be hidden, but not the object itself.
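
Added example (not part of any post in this thread): a minimal Python check of the two BLP rules discussed above, using the four levels named in the thread. The category names, the `Label` class and the function names are assumptions made for illustration; `leak_possible` goes beyond the posts by searching every subject label for one that could read one object and write another.

```python
from dataclasses import dataclass
from itertools import combinations

# Levels as named in the thread, lowest to highest.
LEVELS = ["Public", "Classified", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    level: str
    # Categories (compartments) are an assumption, not from the thread.
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: level at least as high and a superset of categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def can_read(subject, obj):
    # Simple security rule: no read up.
    return subject.dominates(obj)


def can_write(subject, obj):
    # * security rule: no write down.
    return obj.dominates(subject)


def all_labels(categories):
    """Every label in the lattice built from LEVELS and the given categories."""
    cats = sorted(categories)
    subsets = [frozenset(c) for n in range(len(cats) + 1)
               for c in combinations(cats, n)]
    return [Label(lv, s) for lv in LEVELS for s in subsets]


def leak_possible(source, sink, categories=("NUC", "CRYPTO")):
    """True if some subject label may read `source` and also write `sink`."""
    return any(can_read(s, source) and can_write(s, sink)
               for s in all_labels(categories))


if __name__ == "__main__":
    # Constructed sample objects: information may flow up, never down.
    print(leak_possible(Label("Secret"), Label("Public")))   # False
    print(leak_possible(Label("Public"), Label("Secret")))   # True
```

Under these two rules a subject that can both read the source and write the sink exists only when the sink's label dominates the source's, so labels with different categories at the same level cannot exchange data in either direction.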
  • nel Member Posts: 2,859
    JDMurray wrote: »
    I don't remember encountering anything in BLP that was an obvious contradiction. The no-read-up/no-write-down aspect of the model may seem like a contradiction, but it's not. These rules prevent reading information from higher security objects and writing it to lower security objects. The other direction is OK because a single object may contain information of differing security classification levels.

    BLP's lattice isn't the best model for all types of information. In fact, it's very insufficient in some ways. BLP only ensures information confidentiality and not integrity. Once an object is assigned a security level it can't be changed. And there's no provision for hiding objects; only the content of an object can be hidden, but not the object itself.

    Thanks JD.

    At least it's not just me who thinks there isn't a contradiction - or at least an obvious one to me. From my research it seems to have a few issues but I can't see any contradictions. I'll keep looking anyway.

    Thanks for the help JD.