MLS
Dan Fleck, CS 469: Security Engineering
These slides are modified with permission from Bill Young (Univ of Texas)
28 slides

Feb 24, 2016
Transcript
Page 1: MLS

Coming up: Multi-Level Security

MLS
Dan Fleck
CS 469: Security Engineering

These slides are modified with permission from Bill Young (Univ of Texas)

1

Page 2: MLS

Coming up: MLS Thought Experiment

Multi-Level Security

An early security problem was protection of confidentiality within a military setting.

Given information at various sensitivity levels and individuals having various degrees of trustworthiness, how do you control access to information within the system to protect confidentiality?

This problem is called multi-level security (MLS) and predates computers.

2

Page 3: MLS

Coming up: Risk Assessment

MLS Thought Experiment

Setting: General Eisenhower’s office in 1943 Europe. Assume an environment in which there are

• information at different “sensitivity” levels: the war plan, the defense budget, the base softball schedule, the cafeteria menu, etc.;

• individuals permitted access to selected pieces of information: Gen. Eisenhower, privates, colonels, secretaries, janitors, spies, etc.

The goal: Understand what “security” might mean in this context and define a policy (some rules) to implement it.

3

Page 4: MLS

Coming up: Confidentiality Questions

Risk Assessment

Question: What are we protecting? Against what threats?

Answer: The confidentiality of information—no person not authorized to view a piece of information may have access to it.

Very important proviso: For this thought experiment we are only concerned with confidentiality, not integrity or availability.

4

Page 5: MLS

Coming up: Categorizing Data

Confidentiality Questions

Some questions appropriate for considering a confidentiality policy:

• Is all of my data equally sensitive? If not, how do I group and categorize data?

• How do I characterize who is authorized to see what?

• How are the permissions administered and checked? According to what rules?

• Can authorizations change over time?

5

Page 6: MLS

Coming up: Object Sensitivity Labels

Categorizing Data

Back to Gen. Eisenhower’s office. The relevant “space” of information contains lots of individual atoms or factoids:

1. The base softball team has a game tomorrow at 3pm.
2. The Normandy invasion is scheduled for June 6.
3. The cafeteria is serving chopped beef on toast today.
4. Col. Jones just got a raise.
5. Col. Smith didn’t get a raise.
6. The British have broken the German Enigma codes.
7. and so on.

Not all information is equally sensitive. How do we group and categorize information rationally?

6

Page 7: MLS

Coming up: Sensitivity Labels

Object Sensitivity Labels

Information is parceled out into separate containers (documents/folders/objects/files) labeled according to their sensitivity level.

• One part of the label is taken from a linearly ordered set: Unclassified, Confidential, Secret, Top Secret.

• There are also “need-to-know” categories, from an unordered set, expressing membership within some interest group, e.g., Crypto, Nuclear, Janitorial, Personnel, etc.

7

Page 8: MLS

Coming up: Mixed Information

Sensitivity Labels

Ideally, the label on any folder reflects the sensitivity of the information contained within that folder. The label contains both a hierarchical component and a set of categories.

For example, two documents might have levels:

(Secret: {Nuclear, Crypto}), (Top Secret: {Crypto}).

One can infer that the first contains somewhat sensitive information related to the categories Nuclear and Crypto. The second contains very sensitive information in the category Crypto.

Some security officer makes these labeling decisions. How they are made is outside the scope of our concern.

8

Page 9: MLS

Coming up: Lessons

Mixed Information

Question: How do you label a document that contains “mixed information”?

• Suppose the document contains both sensitive and non-sensitive information? Use the highest appropriate level.

• Suppose it contains information relating to both the Crypto and Nuclear domains? Use both categories.

Aside: Sometimes a decision is made that a document classification should be changed. This is called downgrading (or upgrading).

9

Page 10: MLS

Coming up: MLS Thought Experiment

Lessons for Categorizing Data

• For our MLS example, we partition information into containers and provide labels that reflect the sensitivity of the information.

• The labels are structured, with a hierarchical component and a set of need-to-know categories.

• A folder with “mixed” information must be labeled to protect the information at the highest hierarchical level and protect all categories of information.

10

Page 11: MLS

Coming up: Folder Sensitivity Labels

MLS Thought Experiment

Setting: General Eisenhower’s office in 1943 Europe. Assume an environment in which we have:

• information at different “sensitivity” levels;

• individuals permitted access to selected pieces of information.

The goal: Understand what “security” (confidentiality) could mean in this context and define a policy (rules) to implement it.

11

Page 12: MLS

Coming up: Authorization Levels

Folder Sensitivity Labels

Information is parceled out into separate containers (documents/folders) labeled according to sensitivity level.

Examples: (Secret: {Nuclear, Crypto}), (Top Secret: {Crypto}).

A question we suggested for confidentiality policies is: How do I characterize who is authorized to see what?

12

Page 13: MLS

Coming up: Least Privilege: An Aside

Authorization Levels

Let’s assign individuals clearances or authorization levels, of the same form as document sensitivity levels.

That is, each individual has:

• a hierarchical security level indicating the degree of trustworthiness to which he or she has been vetted;

• a set of “need-to-know categories” indicating domains of interest in which he or she is authorized to operate.

Notice that labels on documents indicate the sensitivity of the contained information; “labels” on humans indicate classes of information that person is authorized to access.

13

Page 14: MLS

Coming up: Now What?

Least Privilege: An Aside

The need-to-know categories are a reflection that even within a given security level (such as Top Secret) not everyone needs to know everything. This is an instance of:

Principle of Least Privilege: Any subject should have access to the minimum amount of information needed to do its job.

This is as close to an axiom as anything in security. Why does it make sense?

14

Page 15: MLS

Coming up: Lessons

Now What?

Question: Given that we have labels for documents and clearances for individuals, how do we decide which humans are permitted access to which documents?

Answer: Surely it’s some relationship between the subject level and the object level. But what?

Should a human with the given clearance be able to read a document at the given sensitivity?

15

Page 16: MLS

Coming up: MLS Thought Experiment

Lessons

• To control access by individuals to documents/folders, we need “labels” for both.

• For documents the labels indicate the sensitivity of the information contained.

• For individuals, the labels indicate the authorization (clearance) to view certain classes of information.

• An individual should be given the minimal authorization to perform the job assigned. (Least Privilege)

• Whether an individual should be able to view a specific document depends on a relationship between the label of the document and the clearance of the individual.

16

Page 17: MLS

Coming up: A Little Vocabulary

MLS Thought Experiment

Recall that we’ve assigned sensitivity labels to documents and clearances to individuals within our MLS environment. Now we’re attempting to answer the following confidentiality question:

How are the permissions administered and checked? According to what rules?

17

Page 18: MLS

Coming up: The Dominates Relation

A Little Vocabulary

In the type of security policy we’re constructing, the following terms are often used:

Objects: the information containers protected by the system (documents, folders, files, directories, databases, etc.)

Subjects: entities (users, processes, etc.) that execute activities and request access to objects.

Actions: operations, primitive or complex, executed on behalf of subjects that may affect objects.

The subjects in our MLS example are the humans; the objects are the folders containing information.

18

Page 19: MLS

Coming up: Dominates Example

The Dominates Relation

Given a set of security labels (L, S), comprising hierarchical levels and categories, we can define an ordering relation among labels.

Definition: (L1, S1) dominates (L2, S2) iff
1. L1 ≥ L2 in the ordering on levels, and
2. S2 ⊆ S1 (S2 is a subset of, or equal to, S1).

We usually write (L1, S1) ≥ (L2, S2).

Note that this is a partial order, not a total order. I.e., there are security labels A and B such that neither A ≥ B nor B ≥ A. Can you think of one?

19

Page 20: MLS

Coming up: Simple Security Property

Dominates Example

In the following table, for which pairs does Label 1 dominate Label 2?

Does this suggest how you might decide whether to allow a subject to read an object?

20

Page 21: MLS

Coming up: Lessons

Simple Security Property

The following rule appears to capture our intuition about when a subject can read an object.

The Simple Security Property: Subject S with clearance (LS, CS) may be granted read access to object O with classification (LO, CO) if and only if (LS, CS) ≥ (LO, CO).

Operationally, an individual asking to see a document must show that his clearance level dominates the sensitivity level of the document.

21

Page 22: MLS

Coming up: MLS Thought Experiment

Lessons

• The dominates relation formalizes a relationship between any two labels.

• The Simple Security Property shows how to use dominates to decide whether a read access should be allowed.

22

Page 23: MLS

Coming up: Do We Need Secure Writing?

MLS Thought Experiment

We introduced the following rule, which appears to capture our intuition about when a subject can read an object.

The Simple Security Property: Subject S with clearance (LS, CS) may be granted read access to object O with classification (LO, CO) only if (LS, CS) ≥ (LO, CO).

Is it all we need? What about other types of access?

23

Page 24: MLS

Coming up: Secure Writing

Do We Need Secure Writing?

The Simple Security property codifies restrictions on read access to documents. What about write access?

Suppose someone with access to a Top Secret document copies the information onto a piece of paper and sticks it into an Unclassified folder.

Has Simple Security been violated? No! Has confidentiality been violated? Clearly.

24

Page 25: MLS

Coming up: The *-Property

Secure Writing

In general, subjects in the world of military documents are persons trusted not to write classified information where it can be accessed by unauthorized parties.

Subjects in the world of computing are often programs operating on behalf of a trusted user (and with his or her clearance).

Some program I run may have embedded malicious logic (a “trojan horse”) that causes it to “leak” information without my knowledge or consent.

25

Page 26: MLS

Coming up: The *-Property

The *-Property

We restrict write access according to the following rule:

The *-Property: Subject S with clearance (LS, CS) may be granted write access to object O with classification (LO, CO) only if (LS, CS) ≤ (LO, CO).

This is pronounced “the star property.” How does it help?

26

Page 27: MLS

Coming up: Lessons

The *-Property

Does this rule make sense? Is it too restrictive? Is it too lax?

• Can a commanding general with a Top Secret clearance email marching orders to a foot soldier with no clearance? No!

• Can a corporal with no clearance overwrite the war plan? Nothing in our rules stops it, but that’s an integrity problem!

Simple security and the *-property are sometimes characterized as “read down” and “write up,” respectively. Alternatively, they’re characterized as “no read up” and “no write down.”

27
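The dominates relation (slide 19), the Simple Security Property (slide 21) and the *-property (slide 26) worked through in Python, as an added example that is not code from the slides. The four levels are the ones the slides list; the sample labels, and the `can_leak` check modelling the trojan-horse copy from slide 24, are constructed here.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical levels from the slides, least to most sensitive.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    """A security label (L, S): a hierarchical level plus need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # (L1, S1) >= (L2, S2) iff L1 >= L2 in the level ordering and S2 is a subset of S1.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.categories <= self.categories)


def comparable(a: Label, b: Label) -> bool:
    """False when neither label dominates the other: dominates is only a partial order."""
    return a.dominates(b) or b.dominates(a)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property: read iff the clearance dominates the classification (no read up)."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-Property: write only if the classification dominates the clearance (no write down)."""
    return obj.dominates(subject)


def can_leak(subject: Label, source: Label, sink: Label) -> bool:
    """Could a program running with `subject`'s clearance copy `source` into `sink`?

    It needs read access to the source and write access to the sink. Simple Security alone
    permits the Top Secret -> Unclassified copy from slide 24; the *-property refuses it.
    """
    return may_read(subject, source) and may_write(subject, sink)


# Constructed sample labels (the two from slide 8 plus an unclassified folder).
TOP_SECRET_CRYPTO = Label("Top Secret", frozenset({"Crypto"}))
SECRET_NUC_CRYPTO = Label("Secret", frozenset({"Nuclear", "Crypto"}))
UNCLASSIFIED = Label("Unclassified")
```

The two labels from slide 8 are an answer to the question on slide 19: Top Secret {Crypto} lacks the Nuclear category, so neither label dominates the other.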

Page 28: MLS

End of presentation

Lessons

• Control over read and write operations is needed to prevent confidentiality breaches.

• The *-property uses dominates to decide whether a write access should be allowed.

• Controlling write access is especially crucial for computers because the accessing subject may be a program executing on behalf of a user. The user has been cleared; the program has not.

28