Hierarchies and Security
Part of 22C:169, Computer Security Notes
The stereotypical military security system is arranged as follows:
In addition to classifying information, the military security model also attaches a security clearance to each person. The clearances have the same names as the classifications, so a person with a secret clearance is cleared to read documents that are classified as secret, as well as all documents with lower classification levels, as described in the following table.
Clearance | Unclassified Documents | Internal Documents | Confidential Documents | Secret Documents | Top Secret Documents
---|---|---|---|---|---
The Public | Read | | | |
Employees | Read | Read | | |
Confidential Clearance | Read | Read | Read | |
Secret Clearance | Read | Read | Read | Read |
Top Secret Clearance | Read | Read | Read | Read | Read
Typically, there are more or less elaborate tests that an employee must pass in order to be cleared for access to information at some level.
Long after systems such as those described above became common, Bell and LaPadula axiomatized the idea. They augmented the basic notion of hierarchic classification with the rule that any document produced by someone with access to information at some level must be classified at that person's level, so if I have access to Secret documents, then all documents I produce are secret.
With this constraint, it is easy to show that no leaks will occur. Unfortunately, real organizations cannot possibly operate this way. There must be some way for the general to issue commands to the troops in the field. As a result, the Bell-LaPadula model includes the concept of trusted subjects, that is, people who are entitled to create documents at lower security levels than their own.
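The two rules above, as an added example that is not part of these notes: a small reference monitor over the five levels from the table, with the "read down" check, the "no write down" check, and the trusted-subject exemption. The notes state the write rule as "classified at that person's level"; the check below uses the usual no-write-down form (at or above the writer's level), of which the notes' exact-level rule is the special case, and the subject names and the `access_matrix` helper are this example's own.

```python
# Added example (not the course notes' own code): minimal Bell-LaPadula checks for
# the hierarchic classification scheme in the notes.
from dataclasses import dataclass

# Ordered from lowest to highest; the index is the level's rank.
LEVELS = ["Unclassified", "Internal", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    trusted: bool = False  # a trusted subject may write below its own level


def can_read(subject: Subject, doc_level: str) -> bool:
    """Simple security property: read only at or below one's clearance (no read up)."""
    return RANK[doc_level] <= RANK[subject.clearance]


def can_write(subject: Subject, doc_level: str) -> bool:
    """*-property: an untrusted subject creates documents only at or above its own level,
    so nothing it was allowed to read can flow downward. Trusted subjects are exempt."""
    if subject.trusted:
        return True
    return RANK[doc_level] >= RANK[subject.clearance]


def access_matrix() -> dict:
    """Rebuild the read-access table from the notes: row label -> readable levels."""
    clearances = {  # constructed mapping of the table's row labels to clearance levels
        "The Public": "Unclassified",
        "Employees": "Internal",
        "Confidential Clearance": "Confidential",
        "Secret Clearance": "Secret",
        "Top Secret Clearance": "Top Secret",
    }
    return {who: {lvl for lvl in LEVELS if can_read(Subject(who, clr), lvl)}
            for who, clr in clearances.items()}


if __name__ == "__main__":
    analyst = Subject("analyst", "Secret")                    # hypothetical subject
    general = Subject("general", "Top Secret", trusted=True)  # hypothetical subject
    print(can_read(analyst, "Confidential"))   # reading down is allowed
    print(can_write(analyst, "Internal"))      # refused: would be a write-down leak
    print(can_write(general, "Unclassified"))  # allowed: trusted subject issuing orders
```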
The Bell-LaPadula model has motivated a huge amount of system development, because it so closely captures the kind of security thinking that real organizations accept, but at the same time, it has caused many problems. The central problem is that real working systems rarely follow clean hierarchies.
An example of the kind of thinking that the Bell-LaPadula model has motivated is the idea of a data diode. See, for example, Curt A. Nilsen's patented Method for Transferring Data from an Unsecured Computer to a Secured Computer, U.S. Patent 5,703,562, issued Dec. 30, 1997. He called this a data diode because it allows data to flow in one direction and not in the other.
This patent is phrased strictly in terms of the Bell-LaPadula hierarchic view, and it is seen as a mechanism to ensure that data flows from unclassified systems to classified systems. Curiously, it may be the case that data diodes have far more applications outside of this hierarchic world.
For example, a data diode can prevent a vulnerable web server from attacking a secure system that provides the data that is supposed to be visible from the web. In this application, the data diode permits data to flow from the secure system to the insecure web server, while blocking all attempts to inject anything from the insecure system to the secure system. We have been working on this application here at the University of Iowa.
See RFC3114 by W. Nicolls for a discussion of corporate classification policies, with examples.
See the Law on Classified Information of the Republic of Macedonia for a typical example of how classification policies are implemented in law.
As usual, Wikipedia is a good source. See: http://en.wikipedia.org/wiki/Bell-LaPadula_model
For data diodes, see the US Patent Office search page, but you have to type in the number yourself.
There is a web page on data diodes at the University of Iowa.