Chapter III: The BLP Model (Bell-LaPadula Model)
The BLP model was the first mathematical model of a security policy. It is a state-machine model: a state variable represents the security status of the system, and state-transition rules describe how the system moves from one state to the next.
I. Basic elements of the model
The model defines the following sets:
S = {S1, S2, ..., Sn}: the set of subjects. A subject is a user, or a process acting on behalf of a user; subjects are the active entities that cause information to flow.
O = {O1, O2, ..., Om}: the set of objects, such as files, programs and memory segments. Subjects are also regarded as objects, so S ⊆ O.
C = {C1, C2, ..., Cq}: the set of classification levels of subjects and objects. The elements are totally ordered: C1 ≤ C2 ≤ ... ≤ Cq.
K = {K1, K2, ..., Kr}: the set of categories (departments or compartments).
A = {r, w, e, a, c}: the set of access attributes, where r: read-only; w: read and write; e: execute; a: append (write-only); c: control.
Ra = {g, r, c, d}: the set of request elements, where
g: get (obtain access), give (grant access)
r: release (give up access), rescind (revoke access)
c: change (change the security level of an object), create (create an object)
d: delete (delete an object)
D = {yes, no, error, ?}: the decision set (result set), where
yes: the request is executed;
no: the request is rejected;
error: system error, more than one rule applies to the request;
?: request error, no rule applies to the request.
μ = {M1, M2, ..., Mp}: the set of access matrices. Each Mk ∈ μ is an n × m matrix whose element Mij ⊆ A.
F = CS × CO × (PK)S × (PK)O, where
CS = {f1 | f1: S → C}, f1 gives the level of each subject;
CO = {f2 | f2: O → C}, f2 gives the level of each object;
(PK)S = {f3 | f3: S → PK}, f3 gives the category set of each subject;
(PK)O = {f4 | f4: O → PK}, f4 gives the category set of each object.
Here PK denotes the power set of K (PK = 2^K).
An element f = (f1, f2, f3, f4) of F gives, for one state, the level and category set of every subject and of every object: (f1, f3) is the subject's clearance and (f2, f4) is the object's security level.
II. System state
V = P(S × O × A) × μ × F is the set of states. A state v = (b, M, f) is an ordered triple, where
b ⊆ S × O × A is the current access set;
M ∈ μ is the current access matrix: its element Mij ⊆ A gives the access modes that subject Si is permitted on object Oj in the current state;
f = (f1, f2, f3, f4) ∈ F, where f1(s) and f3(s) are the level and category set of subject s, and f2(o) and f4(o) are the level and category set of object o.
III. Security properties
(1) Discretionary security (ds-property)
A state v = (b, M, f) satisfies discretionary security if and only if for all (Si, Oj, x) ∈ b, x ∈ Mij.
(2) Simple security (ss-property)
A state v = (b, M, f) satisfies simple security if and only if for all (s, o, x) ∈ b, either
(i) x = e or x = a or x = c,
or (ii) (x = r or x = w) and f1(s) ≥ f2(o) and f3(s) ⊇ f4(o).
[Figure: a subject S may hold e, c or a access to any object O; r or w access requires S (high) to dominate O (low).]
(3) *-property
[Figure: subject S appends (a) to O1 (high) while reading (r) O2 (low); subject S appends (a) to O1 (high) while reading and writing (w) O2 (low).]
A state v = (b, M, f) satisfies the *-property if and only if for all s ∈ S: if O1 ∈ b(s: w, a) and O2 ∈ b(s: r, w), then f2(O1) ≥ f2(O2) and f4(O1) ⊇ f4(O2).
The notation b(s: x1, ..., xn) denotes the set of all objects to which subject s holds access privilege xi (1 ≤ i ≤ n) in b.
Explanation:
[Figure: a subject S that reads (r) O2 (low) may write (w) O1 (high); a subject S that writes (w) both O1 and O2 requires the two objects to have equal levels.]
If a state v satisfies all three properties above, then v is a secure state.
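The three checks above can be run mechanically on a state. The following is an added Python example written for these notes (not the lecture's own code); it assumes integer classification levels, category sets as frozensets, and the constructed sample subjects, objects and access matrix shown in the block.

```python
# Added example (not from the original notes): checking the ds-, ss- and
# *-properties of a BLP state v = (b, M, f).  Assumed representation: a level
# is (classification, categories) with an int and a frozenset; b is a set of
# (subject, object, x) triples; M maps (subject, object) to a set of modes.

def dominates(hi, lo):
    """(f1, f3) dominates (f2, f4): level is >= and category set is a superset."""
    return hi[0] >= lo[0] and hi[1] >= lo[1]

def ds_property(b, M):
    """Discretionary security: every current access is permitted by the matrix."""
    return all(x in M.get((s, o), set()) for s, o, x in b)

def ss_property(b, f_s, f_o):
    """Simple security: r or w access requires the subject to dominate the object."""
    return all(x in ("e", "a", "c") or dominates(f_s[s], f_o[o]) for s, o, x in b)

def star_property(b, f_o):
    """*-property: every object s writes (w, a) dominates every object s reads (r, w)."""
    for s in {s for s, _, _ in b}:
        written = {o for s2, o, x in b if s2 == s and x in ("w", "a")}   # b(s: w, a)
        read = {o for s2, o, x in b if s2 == s and x in ("r", "w")}      # b(s: r, w)
        if not all(dominates(f_o[o1], f_o[o2]) for o1 in written for o2 in read):
            return False
    return True

def is_secure_state(b, M, f_s, f_o):
    """A state is secure iff it satisfies all three properties (section III)."""
    return ds_property(b, M) and ss_property(b, f_s, f_o) and star_property(b, f_o)

# Constructed sample data: levels 1 (low) and 2 (high), categories from {"crypto", "nav"}.
F_S = {"S1": (2, frozenset({"crypto", "nav"}))}            # (f1, f3) for each subject
F_O = {"O1": (2, frozenset({"crypto"})),                    # (f2, f4) for each object
       "O2": (1, frozenset({"crypto"}))}
MATRIX = {("S1", "O1"): {"r", "w", "a"}, ("S1", "O2"): {"r", "w", "a"}}

SECURE = {("S1", "O2", "r"), ("S1", "O1", "a")}      # read low, append high: allowed
LEAKY = {("S1", "O1", "r"), ("S1", "O2", "w")}       # read high, write low: *-violation
UNAUTHORISED = {("S1", "O1", "e")}                   # e is not in M[S1, O1]: ds-violation

if __name__ == "__main__":
    for name, b in (("SECURE", SECURE), ("LEAKY", LEAKY), ("UNAUTHORISED", UNAUTHORISED)):
        print(name, is_secure_state(b, MATRIX, F_S, F_O))
```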
IV. Requests
R = S⁺ × Ra × S⁺ × O × X is the request set (not the request-element set); each of its elements is a complete request, where S⁺ = S ∪ {φ} and X = A ∪ {φ} ∪ F.
Each element of R is a 5-tuple (σ1, γ, σ2, o, x) representing one request, that is, one operation.
T = {1, 2, ..., t, ...} is the set of discrete time points (indices), used as the subscripts of the request sequence, the decision sequence and the state sequence;
X = R^T = {x | x: T → R}: each element x = x1x2x3...xt... is a request sequence, one request per time point, so X is the set of request sequences;
Y = D^T = {y | y: T → D}: each element y = y1y2y3...yt... is a decision (result) sequence; the request at each time point produces one decision, so Y is the set of decision sequences;
Z = V^T = {z | z: T → V}: each element z = z1z2z3...zt... is a state sequence, where zt ∈ V is the state of the system at time t, so Z is the set of state sequences.
V. State transition rules
The transitions of the system state are defined by a set of rules. A rule ρ is a function ρ: R × V → D × V, where R is the request set, D the decision set and V the state set.
That is, given a state and a request, ρ produces a decision and the next state. Only when the decision is "yes" is the request executed and the state changed.
The BLP model defines ten basic rules (more were added later):
Rules 1 to 4 handle a subject's request to get read (r), append (a), execute (e) and write (w) access respectively: (φ, g, Si, Oj, r), (φ, g, Si, Oj, a), (φ, g, Si, Oj, e), (φ, g, Si, Oj, w). Rule 5 handles a subject releasing its access (r, a, e or w) to an object: (φ, r, Si, Oj, x).
Rules 6 and 7 handle one subject granting and revoking another subject's access to an object: (Sλ, g, Si, Oj, x), (Sλ, r, Si, Oj, x).
Rule 8 changes the level and category set of an inactive object: (φ, c, φ, Oj, f*).
Rules 9 and 10 create an object and delete (deactivate) an object: (φ, c, Si, Oj, e) or (φ, c, Si, Oj, φ) creates, (φ, d, Si, Oj, φ) deletes.
In the rules below the request is Rk = (σ1, γ, σ2, Oj, x) with σ2 = Si, and ρ(Rk, v) = (?, v) means that the rule does not apply to the request.

Rule 1: subject Si requests r access to object Oj
Get-read ρ1(Rk, v):
IF σ1 ≠ φ OR γ ≠ g OR x ≠ r OR σ2 = φ THEN ρ1(Rk, v) = (?, v)
IF r ∉ Mij OR NOT (f1(Si) ≥ f2(Oj) AND f3(Si) ⊇ f4(Oj)) THEN ρ1(Rk, v) = (no, v)
IF {o | o ∈ b(Si: w, a) AND [f2(Oj) > f2(o) OR f4(Oj) ⊄ f4(o)]} = φ THEN ρ1(Rk, v) = (yes, v* = (b ∪ {(Si, Oj, r)}, M, f))
ELSE ρ1(Rk, v) = (no, v)
END

Rule 2: subject Si requests a access to object Oj
Get-append ρ2(Rk, v):
IF σ1 ≠ φ OR γ ≠ g OR x ≠ a OR σ2 = φ THEN ρ2(Rk, v) = (?, v)
IF a ∉ Mij THEN ρ2(Rk, v) = (no, v)
IF {o | o ∈ b(Si: r, w) AND [f2(Oj) < f2(o) OR f4(Oj) ⊉ f4(o)]} = φ THEN ρ2(Rk, v) = (yes, v* = (b ∪ {(Si, Oj, a)}, M, f))
ELSE ρ2(Rk, v) = (no, v)
END

Rule 3: subject Si requests e access to object Oj
Get-execute ρ3(Rk, v):
IF σ1 ≠ φ OR γ ≠ g OR x ≠ e OR σ2 = φ THEN ρ3(Rk, v) = (?, v)
IF e ∉ Mij THEN ρ3(Rk, v) = (no, v)
ELSE ρ3(Rk, v) = (yes, v* = (b ∪ {(Si, Oj, e)}, M, f))
END

Rule 4: subject Si requests w access to object Oj
Get-write ρ4(Rk, v):
IF σ1 ≠ φ OR γ ≠ g OR x ≠ w OR σ2 = φ THEN ρ4(Rk, v) = (?, v)
IF w ∉ Mij OR NOT (f1(Si) ≥ f2(Oj) AND f3(Si) ⊇ f4(Oj)) THEN ρ4(Rk, v) = (no, v)
IF {o | o ∈ b(Si: r) AND [f2(Oj) < f2(o) OR f4(Oj) ⊉ f4(o)]} ∪ {o | o ∈ b(Si: a) AND [f2(Oj) > f2(o) OR f4(Oj) ⊄ f4(o)]} ∪ {o | o ∈ b(Si: w) AND [f2(Oj) ≠ f2(o) OR f4(Oj) ≠ f4(o)]} = φ THEN ρ4(Rk, v) = (yes, v* = (b ∪ {(Si, Oj, w)}, M, f))
ELSE ρ4(Rk, v) = (no, v)
END

Rule 5: subject Si requests to release its r, w, e or a access to object Oj
Release-read/write/append/execute ρ5(Rk, v):
IF (σ1 ≠ φ) OR (γ ≠ r) OR (x ∉ {r, w, a, e}) OR (σ2 = φ) THEN ρ5(Rk, v) = (?, v)
ELSE ρ5(Rk, v) = (yes, v* = (b − {(Si, Oj, x)}, M, f))
END

Rule 6: subject Sλ requests to grant subject Si r, w, e or a access to object Oj
Give-read/write/append/execute ρ6(Rk, v):
IF (σ1 ∉ S) OR (γ ≠ g) OR (x ∉ {r, w, a, e}) OR (σ2 = φ) THEN ρ6(Rk, v) = (?, v)
IF x ∉ Mλj OR c ∉ Mλj THEN ρ6(Rk, v) = (no, v)
ELSE ρ6(Rk, v) = (yes, (b, M ⊕ [x]ij, f)), where M ⊕ [x]ij denotes M with x added to Mij
END

Rule 7: subject Sλ requests to revoke subject Si's r, w, e or a access to object Oj
Rescind-read/write/append/execute ρ7(Rk, v):
IF (σ1 ∉ S) OR (γ ≠ r) OR (x ∉ {r, w, a, e}) OR (σ2 = φ) THEN ρ7(Rk, v) = (?, v)
IF x ∉ Mλj OR c ∉ Mλj THEN ρ7(Rk, v) = (no, v)
ELSE ρ7(Rk, v) = (yes, (b − {(Si, Oj, x)}, M ⊖ [x]ij, f)), where M ⊖ [x]ij denotes M with x removed from Mij
END

Rule 8: change the security level of an inactive object
Change-f ρ8(Rk, v), with x = f* = (f1*, f2*, f3*, f4*) the requested new f:
IF (σ1 ≠ φ) OR (γ ≠ c) OR (σ2 ≠ φ) OR x ∉ F THEN ρ8(Rk, v) = (?, v)
IF f1* ≠ f1 OR f3* ≠ f3 OR [f2*(Oj) ≠ f2(Oj) OR f4*(Oj) ≠ f4(Oj) for some j ∈ A(M)] THEN ρ8(Rk, v) = (no, v)
Note: A(M) denotes the set of active objects.
ELSE ρ8(Rk, v) = (yes, (b, M, f*))
END

Rule 9: subject Si requests to create object Oj
Create-object ρ9(Rk, v):
IF σ1 ≠ φ OR γ ≠ c OR σ2 = φ OR (x ≠ e AND x ≠ φ) THEN ρ9(Rk, v) = (?, v)
IF j ∈ A(M) THEN ρ9(Rk, v) = (no, v)
IF x = φ THEN ρ9(Rk, v) = (yes, (b, M ⊕ [{r, w, a, c}]ij, f))
ELSE ρ9(Rk, v) = (yes, (b, M ⊕ [{r, w, a, c, e}]ij, f))
END

Rule 10: subject Si requests to delete object Oj
Delete-object ρ10(Rk, v):
IF σ1 ≠ φ OR γ ≠ d OR σ2 = φ OR x ≠ φ THEN ρ10(Rk, v) = (?, v)
IF c ∉ Mij THEN ρ10(Rk, v) = (no, v)
ELSE ρ10(Rk, v) = (yes, (b, M ⊖ [{r, w, a, c, e}]ij for all 1 ≤ i ≤ n, f))
END

VI. Definition of the system
1. R × D × V × V = {(Rk, Dm, v*, v) | Rk ∈ R, Dm ∈ D, v*, v ∈ V}. That is, any request, any decision and any two states form an ordered 4-tuple, and all such 4-tuples make up the set R × D × V × V.
2. Let ω = {ρ1, ρ2, ..., ρs} be a set of rules. Define W(ω) ⊆ R × D × V × V as follows:
(1) (Rk, ?, v, v) ∈ W(ω) iff for every i, 1 ≤ i ≤ s, ρi(Rk, v) = (?, v);
(2) (Rk, error, v, v) ∈ W(ω) iff there exist i1, i2 with 1 ≤ i1, i2 ≤ s, i1 ≠ i2, such that for any v* ∈ V, ρi1(Rk, v) ≠ (?, v*) and ρi2(Rk, v) ≠ (?, v*);
(3) (Rk, Dm, v*, v) ∈ W(ω) with Dm ≠ ? and Dm ≠ error iff there is a unique i, 1 ≤ i ≤ s, such that ρi(Rk, v) ≠ (?, v**) for any v** ∈ V, and ρi(Rk, v) = (Dm, v*).
These definitions say that W(ω) contains only some of the 4-tuples in R × D × V × V, namely the specific ones produced by the rules. If (Rk, Dm, v*, v) ∈ W(ω), the 4-tuple satisfies one of the definitions (1) to (3) above; in particular, under (3), when request Rk is issued in state v, some rule yields the decision Dm and the state v is converted to state v*.
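To make the rule shape ρ: R × V → D × V and the definition of W(ω) concrete, here is an added Python example written for these notes (not the lecture's own code): rule 1 (get-read) and rule 5 (release) as functions, and a driver that applies a rule set over a request sequence, returning "?" when no rule applies and "error" when more than one does. The state layout, the use of None for φ, and the sample subjects, objects, matrix and levels are all assumptions made for the example.

```python
# Added example (not from the original notes): rule 1 (get-read) and rule 5 (release)
# as functions R x V -> D x V, plus the W(omega) decision procedure of section VI run
# over a request sequence.  Assumed layout: a state is (b, M, (f1, f2, f3, f4)), a
# request is (sigma1, gamma, sigma2, Oj, x), None stands for phi; sample data is constructed.
def dominates(level_a, level_b):
    """(level, categories) a dominates b: level >= and category superset."""
    return level_a[0] >= level_b[0] and level_a[1] >= level_b[1]

def get_read(req, v):
    """Rule 1: subject Si asks for r access to Oj."""
    b, M, (f1, f2, f3, f4) = v
    s1, g, si, oj, x = req
    if s1 is not None or g != "g" or x != "r" or si is None:
        return "?", v                                  # rule does not apply
    if "r" not in M.get((si, oj), set()) or not dominates((f1[si], f3[si]), (f2[oj], f4[oj])):
        return "no", v                                 # ds- or ss-property would fail
    written = {o for s, o, y in b if s == si and y in ("w", "a")}   # b(Si: w, a)
    if any(not dominates((f2[o], f4[o]), (f2[oj], f4[oj])) for o in written):
        return "no", v                                 # *-property would fail
    return "yes", (b | {(si, oj, "r")}, M, (f1, f2, f3, f4))

def release(req, v):
    """Rule 5: subject Si gives up x access to Oj."""
    b, M, f = v
    s1, g, si, oj, x = req
    if s1 is not None or g != "r" or x not in ("r", "w", "a", "e") or si is None:
        return "?", v
    return "yes", (b - {(si, oj, x)}, M, f)

def run(requests, z0, rules=(get_read, release)):
    """W(omega): '?' if no rule applies, 'error' if several do, else the unique result."""
    y, z = [], [z0]
    for req in requests:
        applicable = [res for res in (r(req, z[-1]) for r in rules) if res[0] != "?"]
        if len(applicable) == 1:
            d, v_new = applicable[0]
        else:
            d, v_new = ("?" if not applicable else "error"), z[-1]
        y.append(d); z.append(v_new)
    return y, z
# Constructed sample: S1 cleared (2, {nav}); O1 is (1, {nav}) low, O2 is (2, {nav}) high.
F = ({"S1": 2}, {"O1": 1, "O2": 2}, {"S1": frozenset({"nav"})},
     {"O1": frozenset({"nav"}), "O2": frozenset({"nav"})})
M = {("S1", "O1"): {"r", "a"}, ("S1", "O2"): {"r"}}
Z0 = ({("S1", "O1", "a")}, M, F)                      # S1 is already appending to O1 (low)
X = [(None, "g", "S1", "O2", "r"),                    # read high while writing low -> no
     (None, "r", "S1", "O1", "a"),                    # release the append -> yes
     (None, "g", "S1", "O2", "r"),                    # now permitted -> yes
     ("S2", "g", "S1", "O2", "r")]                    # sigma1 != phi: no rule applies -> ?
```

Running `run(X, Z0)` yields the decision sequence y and the state sequence z side by side, which is exactly the (x, y, z) triple the system definition is built from.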
Therefore, W(ω) is the set of ordered 4-tuples determined by the rules in ω.
3. X × Y × Z = {(x, y, z) | x ∈ X, y ∈ Y, z ∈ Z}, where x = x1x2...xt... is a request sequence and X the set of request sequences; y = y1y2...yt... is a decision sequence and Y the set of decision sequences; z = z1z2...zt... is a state sequence and Z the set of state sequences. Any request sequence, decision sequence and state sequence form an ordered triple, and X × Y × Z consists of all such triples.
4. The system is written Σ(R, D, W(ω), z0) and is defined as a subset Σ(R, D, W(ω), z0) ⊆ X × Y × Z: an ordered triple (x, y, z) ∈ X × Y × Z belongs to Σ(R, D, W(ω), z0) iff for every t ∈ T, (xt, yt, zt, zt−1) ∈ W(ω). z0 is the initial state of the system, usually (φ, M, f).
Let x = x1x2...xt... be a request sequence, y = y1y2...yt... a decision sequence and z = z1z2...zt... a state sequence. (x, y, z) ∈ Σ(R, D, W(ω), z0) means that for every t ∈ T, (xt, yt, zt, zt−1) ∈ W(ω), that is, every step follows the rules in ω:
z0 --x1/y1--> z1 --x2/y2--> z2 ... zt−1 --xt/yt--> zt
Hence the system Σ(R, D, W(ω), z0) is a state machine: starting from the specific initial state z0, it accepts a sequence of user requests, produces the corresponding decisions according to W(ω) and performs the corresponding state transitions; all (x, y, z) satisfying the above condition constitute the system Σ. The system is composed of all these ordered triples (x, y, z): from the initial state z0, any request sequence yields a decision sequence and a state sequence, that is, a series of state transitions.
VII. Definition of system security
1. Secure state: a state v = (b, M, f) ∈ V is secure if it satisfies discretionary security, simple security and the *-property.
2. Secure state sequence: let z ∈ Z be a state sequence; if for every t ∈ T, zt is a secure state, then z is a secure state sequence.
3.
Secure appearance: an element (x, y, z) ∈ Σ(R, D, W(ω), z0) is called an appearance of the system. If (x, y, z) is an appearance of the system and z is a secure state sequence, then (x, y, z) is called a secure appearance of the system Σ(R, D, W(ω), z0).
4. Secure system: if every appearance of the system Σ(R, D, W(ω), z0) is a secure appearance, the system is called a secure system.
VIII. Security conclusions of the model
The following are proved in the BLP model:
1. The ten rules are security-preserving (that is, if v is a secure state, the state v* produced by any of the ten rules is also a secure state).
2. If z0 is a secure state and ω is a set of security-preserving rules, then the system Σ(R, D, W(ω), z0) is secure.
Note: it follows that the system described by the BLP model is a secure system.
IX. Evaluation of the BLP security model
The BLP model is the earliest security model and also the best-known multilevel security policy model. It gives a mathematical description of the military security policy, defined in a way that can be implemented on a computer, and it has been adopted by many operating systems. Because it describes the military security policy it was particularly favoured by the US Department of Defense, so that for a long time people equated multilevel security policy with mandatory access control policy.
Advantages:
1. It is an early model of multilevel security policy;
2. It is a rigorous formal model and comes with a formal proof;
3. It is a very safe model, providing both discretionary access control and mandatory access control;
4. It controls information so that it can only flow from low to high, which meets the need for very high data confidentiality in military departments.
Disadvantages:
1. In general, the BLP model is "too secure":
(1) a higher level is restricted from writing down to a lower level;
(2) horizontal information flow between departments (categories) is prohibited;
(3) it lacks a flexible and secure authorization mechanism.
Further shortcomings:
(1) Information flowing from a low security level to a high one may damage the integrity of data in high-level objects, and this can be exploited by viruses and hackers.
(2) Any low-to-high flow is legal (reading down), which does not satisfy the principle of least privilege.
(3) High-level information is mostly derived from low-level information, so the problem of inference control has to be solved.
2. On careful analysis the BLP model still has an unsafe aspect: it lacks memory of past accesses, which can lead to insecurity.
[Figure: example with O1 > O2 > O3 > O4 in security level and subject S cleared to the level of O1. At time T1, S reads (r) O2 (high) and O3 (low). At time T2, S releases its access to O2 and O3. At time T3, S appends (a) to O3 (high) and reads (r) O4 (low).] At this point the information held by S contains O2 and O3, so S can transfer O2's information into O3 (no memory).
[Figure: a second example, subject S1 (low) appends (a) to object O while subject S2 (higher) reads (r) O.]
Improvements. For the "too secure" problem:
1. Allow a high-level subject to create a low-level object under controlled conditions (solves the top-down flow problem).
2. Dynamic constraints on the object's security level, e.g. (secret, department-level, time limit), and dynamic constraints on the subject's content (solve top-down and horizontal flow).
3. Issue temporary licences to subjects, e.g. (single, department-level, time limit) or (object, permission, time limit).
For the unsafe aspect:
1. Can it be solved with "push" and "pull"? Use "pull" rather than "push". How can "push" and "pull" be implemented in a computer? "Classification".
2. Dynamic control based on semantics;
3. The problem is more complicated.