
Trusted Computing &

Multilevel Security

CSCI 262 Fall 2013


Trusted Computing and Multilevel Security

• Present some interrelated topics:

1. formal models for computer security
2. multilevel security
3. trusted systems
4. mandatory access control
5. security evaluation
Outline
1. Introduction
2. The Bell-LaPadula Model for computer security
3. The Biba Integrity Model
4. The Clark-Wilson Model
5. The Chinese Wall Model
6. The concept of trusted systems
7. Application of multilevel security
8. Trusted computing and the trusted platform module
9. Common Criteria for IT security evaluation
10. Assurance and evaluation
The Need for Formal Models for Computer Security
1. Some fundamental computer security facts:
• The real world is complex, so real systems are complex
• Solving complex real-world problems calls for complex software
• All complex software systems have flaws/bugs
• Building computer hardware/software that is not vulnerable to attack is an extraordinarily difficult task
2. There is a need to prove that design and implementation satisfy the security requirements
• Systems are too complex and too costly to experiment on
• This led to the development of formal security models
• Initially funded by the US DoD
3. The Bell-LaPadula (BLP) model was very influential
Access Control Models

• Various models have been developed to formalize mechanisms to protect the confidentiality and integrity of documents stored in a computer system:
• The Bell-LaPadula (BLP) model
• The Biba model
• The Low-Watermark model
• The Clark-Wilson model
• The Chinese Wall model (the Brewer and Nash model)
Bell-LaPadula (BLP) Model
• Developed in the 1970s as a formal access control model
• Subjects and objects have a security class: top secret > secret > confidential > unclassified
• A subject has a security clearance level
• An object has a security classification level
• The classes control how a subject may access an object
• Applicable if there are information and user categories
The Bell-LaPadula Model

1. Data classification
2. Security clearance
3. Flow of information
4. Categories
5. Partial ordering
6. Military model
7. Bell-LaPadula
BLP: Data classification model
• Each object or subject is assigned to a security class
• Security classes form a strict hierarchy, called security levels
• Example 1: the US military classification scheme
Top secret > Secret > Confidential > Restricted > Unclassified
• Example 2: corporate environment
Strategic > Sensitive > Confidential > Public
Security clearance vs. security classification
Clearance (subject):
1. After a background investigation,
2. a subject is assigned a security clearance.
3. This indicates how trustworthy he/she is.
Classification (object):
1. Data is assigned a classification level.
2. This indicates its level of sensitivity.

• The model has four main access modes:

1. Read: the subject is allowed only read access to the object
2. Append: the subject is allowed only write access to the object
3. Write: the subject is allowed both read and write access to the object
4. Execute: the subject is allowed neither write nor read access to the object, but may invoke the object for execution
Information Flow in multilevel security: Information Confinement Problem
We want to make sure the information does not flow to the wrong parties (CONFIDENTIALITY).
If clearance levels = {"Top secret", "Secret", "Confidential", "Restricted", "Unclassified"}:
Information flows from n1 to n2 (n1 → n2) if and only if a direct path exists from n1 to n2.
(Figure: the five levels stacked from Top secret at the top down to Unclassified at the bottom, with the "write" arrow between them.)
A subject at a high level cannot convey information to a subject at a low level.
Categories

• The real world is complex
• Each security level can be further subdivided into categories or compartments.
• Example:
1. A general can have access to TOP SECRET information,
2. but NOT ALL top secret information,
3. only the top secret information that the general NEEDS TO KNOW.
Categories

• Assume information can be described by the following set:
• Categories = {"VT", "NH", "ME", "NY"}
• A subject can be labelled with the subset of categories he/she is allowed to know about
• An object can be labelled with the subset of categories that indicates what topics are covered by that object.
The more topics you add to a category set, the stricter it becomes.

Set S2 "is above" Set S1 when S1 ⊆ S2

{"VT", "NY"} ⊆ {"VT", "ME"} ?
{"VT", "ME"} ⊆ {"VT", "NY"} ?
Both relations are not true (the two sets are incomparable).

{"VT", "NY"} ⊆ {"VT", "NY", "ME"}
{"VT", "ME"} ⊆ {"VT", "NY", "ME"}
Both relations are true.
Partial ordering

• We were able to order some subsets
• But some subsets remained unordered
We speak of a partial ordering.
Military model - again

• We want to order (classify) information according to:
1. the sensitivity level of the information
2. the need to know
• A security label is used:
1. Security label = (c, d)
2. c is a clearance level: c ∈ ClearanceLevels
3. d is a subset of the information categories: d ⊆ Categories
Partial order of the security labels:
(d1, c1) ≤ (d2, c2) if (d1 ⊆ d2) and (c1 ≤ c2)
Multi-Level Security
1. No read up: A subject can only read an object of less or equal security level. This is referred to in the literature as the simple security property (ss-property).

2. No write down: A subject can only write into an object of greater or equal security level. This is referred to in the literature as the *-property (star property).
Bell-LaPadula Model: developed for the military; main focus is confidentiality
1. In Mandatory Access Mode: uses 2 properties
• No-read-up property
• No-write-down property
2. In Discretionary Access Mode: uses 3 properties
• No-read-up property
• No-write-down property
• The ds-property (discretionary property)
Discretionary property (ds-property):
A subject can exercise only accesses for which it has the necessary authorization and which satisfy the MAC rules.
A subject S can perform an access on an object O only if that access is permitted in the S-O entry of the current access control matrix.
Example (figure)
IF several security levels THEN Multi-Level Security

The Need for the *-property (figure)
BLP properties
• No read up: simple security property (ss-property).
A subject can only read an object of less or equal security level.
• No write down: *-property (star property).
A subject can only write into an object of greater or equal security level.
• ds-property:
An individual (or role) may extend to another individual (or role) access to a document based on the owner's discretion, constrained by the MAC rules.
Thus, a subject can exercise only accesses for which it has the necessary authorization and which satisfy the MAC rules.
The idea is that site policy overrides discretionary access controls, so a user cannot give away data to unauthorized persons.
BLP Formal Description
• The current state of the system is (b, M, f, H):
• Current access set b:
Set of triples (subject, object, access mode);
(s, o, a) = subject s currently has access to object o in access mode a.
• Access matrix M: Mij = access modes in which subject Si is permitted access to object Oj
• Level function f: assigns a security level to each object and subject
fo(Oj) = classification level of object Oj
fs(Si) = security clearance of subject Si = maximum security level of Si
fc(Si) = current security classification level of subject Si
BLP Formal Description
• Based on the current state of the system (b, M, f, H):
(current access set b, access matrix M, level function f, hierarchy H)
• Three BLP properties:
ss-property: (Si, Oj, read) has fc(Si) ≥ fo(Oj).
*-property: (Si, Oj, append) has fc(Si) ≤ fo(Oj) and (Si, Oj, write) has fc(Si) = fo(Oj)
ds-property: (Si, Oj, Ax) implies Ax ∈ M[Si, Oj]
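The label partial order from the categories slides and the three properties of the formal description, worked as an added example (Python; not code from the slides): labels (c, d), the rules "get access" and "change current level", and the definition of a secure state. The analyst "alice", the three documents and their labels are constructed.

```python
from dataclasses import dataclass

# Constructed example, not code from the slides. The deck's military levels, lowest first.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Security label (c, d): a level c and a set of categories d."""
    level: str
    categories: frozenset

    def dominates(self, other):
        """(c1,d1) >= (c2,d2) iff c1 >= c2 and d2 is a subset of d1; otherwise incomparable."""
        return RANK[self.level] >= RANK[other.level] and other.categories <= self.categories


def label(level, *cats):
    return Label(level, frozenset(cats))


class BLPSystem:
    """State (b, M, f); the hierarchy H is not needed by the rules modelled here."""

    def __init__(self):
        self.b = set()  # current access set: triples (subject, object, mode)
        self.M = {}     # access matrix: (subject, object) -> set of permitted modes
        self.fo = {}    # fo: classification of each object
        self.fs = {}    # fs: maximum clearance of each subject
        self.fc = {}    # fc: current level of each subject (starts equal to fs)

    def give_permission(self, s, o, mode):
        """Rule 5 (give access permission): fill the S-O entry of the matrix."""
        self.M.setdefault((s, o), set()).add(mode)

    def mac_ok(self, s, o, mode):
        """ss-property and *-property exactly as in the formal description."""
        fc, fo = self.fc[s], self.fo[o]
        if mode == "read":    # no read up:    fc(S) >= fo(O)
            return fc.dominates(fo)
        if mode == "append":  # no write down: fc(S) <= fo(O)
            return fo.dominates(fc)
        if mode == "write":   # read and write: fc(S) = fo(O)
            return fc == fo
        raise ValueError(f"unsupported access mode {mode!r}")

    def ds_ok(self, s, o, mode):
        """ds-property: the mode must appear in M[S, O]."""
        return mode in self.M.get((s, o), set())

    def get_access(self, s, o, mode):
        """Rule 1 (get access): add the triple to b only if all three properties hold."""
        if self.mac_ok(s, o, mode) and self.ds_ok(s, o, mode):
            self.b.add((s, o, mode))
            return True
        return False

    def is_secure(self):
        """A state is secure iff every element of b satisfies the three properties."""
        return all(self.mac_ok(s, o, m) and self.ds_ok(s, o, m) for s, o, m in self.b)

    def change_current_level(self, s, new_level):
        """Rule 4: fc(S) may move anywhere below fs(S), but only if the state stays secure."""
        if not self.fs[s].dominates(new_level):
            return False
        old, self.fc[s] = self.fc[s], new_level
        if self.is_secure():
            return True
        self.fc[s] = old  # roll back: the change would invalidate an access held in b
        return False


def demo():
    """Constructed scenario: an analyst cleared Secret/{VT, NY} against three documents.
    Dropping to Confidential/{VT} keeps both held accesses valid; Unclassified does not."""
    sy = BLPSystem()
    sy.fs["alice"] = sy.fc["alice"] = label("Secret", "VT", "NY")
    sy.fo.update(doc1=label("Confidential", "VT"), doc2=label("Top secret", "VT", "NY"),
                 doc3=label("Confidential", "ME"))
    for o in sy.fo:
        for m in ("read", "append", "write"):
            sy.give_permission("alice", o, m)  # discretionary part wide open
    r = {
        "read doc1": sy.get_access("alice", "doc1", "read"),      # read down: allowed
        "read doc2": sy.get_access("alice", "doc2", "read"),      # read up: refused
        "append doc2": sy.get_access("alice", "doc2", "append"),  # write up: allowed
        "write doc1": sy.get_access("alice", "doc1", "write"),    # levels differ: refused
        "read doc3": sy.get_access("alice", "doc3", "read"),      # category ME not held
    }
    r["drop to Confidential"] = sy.change_current_level("alice", label("Confidential", "VT"))
    r["drop to Unclassified"] = sy.change_current_level("alice", label("Unclassified"))
    return r
```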
A BLP secure system: properties
• A secure system is characterized by:
1. The current state of the system (b, M, f, H) is secure iff every element of b satisfies the three BLP properties
2. The security state of the system is changed by any operation that causes a change in any of the four components of the system (b, M, f, H)
3. A secure system remains secure as long as any state change does not violate the 3 properties
• BLP gives formal theorems
• Theoretically possible to prove a system is secure
• In practice usually not possible
BLP Rules
1. get access
2. release access
3. change object level
4. change current level
5. give access permission
6. rescind access permission
7. create an object
8. delete a group of objects
BLP Example
 We assume a role-based access control system.
 Carla and Dirk are users of the system.
 Carla is a student (s) in course c1.
 Dirk is a teacher (t) in course c1, but may also
access the system as a student;
 Roles:
 Carla: (c1-s); one role
 and Dirk: (c1-t), (c1-s). Two roles.
Dirk creates F1 as c1-t and Carla creates F2 as c1-s

              F1 (c1-t)    F2 (c1-s)
              R    W       R    W
Carla (c1-s)  n    y       y    y
Dirk (c1-t)   y    y       y    n
Dirk reads F2 and wants to create a new file F3 with comments to Carla as feedback. Can he do that in his teacher role?

              F1 (c1-t)    F2 (c1-s)    F3 (c1-s)
              R    W       R    W       R    W
Carla (c1-s)  n    y       y    y       y    y
He can do it if he logs in as a student.
Dirk creates an exam (f4) based on an existing template file stored at level c1-t. How should he sign in to read the template? Why? What should be the classification level of f4?
a. Dirk must sign in as c1-t to read the template
b. The file f4 he creates must also be at level c1-t
Exam time
• Dirk wants Carla to take the exam
• The exam file f4 is c1-t
• Carla's clearance is c1-s
• She can't have read access to the file?
• Solutions?
• Can Dirk downgrade the classification of f4 from c1-t to c1-s?
• No, violation of the *-property. Only a security administrator can downgrade f4 (dotted line in the figure)
The exam (continued)
• Carla writes the answers to the exam into a file f5.
• She creates the file at level c1-s so that only Dirk can read the file.
• This is an example of writing up, which is not forbidden by the BLP rules.
• Carla can still see her answers at her workstation but cannot access f5 for reading. Why?
Answer: no other students should be able to read the file.
MULTICS Example
The Biba Model

• The Biba model has a similar structure to the BLP model, but it addresses integrity rather than confidentiality.
• Objects and users are assigned integrity levels that form a partial order, similar to the BLP model.
• The integrity levels in the Biba model indicate degrees of trustworthiness, or accuracy, for objects and users, rather than levels for determining confidentiality.
• For example, a file stored on a machine in a closely monitored data center would be assigned a higher integrity level than a file stored on a laptop.
• In general, a data-center computer is less likely to be compromised than a random laptop computer. Likewise, when it comes to users, a senior employee with years of experience would have a higher integrity level than an intern.
Integrity in the Biba Model
• Integrity refers to the trustworthiness of data or resources.
• Integrity is usually defined in terms of preventing improper or unauthorized change to data.
• There are three main goals of integrity:
1. Preventing unauthorized users from making modifications to data or programs.
2. Preventing authorized users from making improper or unauthorized modifications.
3. Maintaining internal and external consistency of data and programs.
The Biba Model

• The Biba integrity model (Biba 1977) addresses the modification problem by mathematically describing read and write restrictions based on integrity access classes of subjects and objects
• (Biba uses the terms integrity level and integrity compartment).
• The integrity model looks exactly the same as the multilevel security model, except that read and write
Biba model: levels of integrity (Whitman 2010)
• Interaction during the Middle Ages of:
• priests,
• a monk named Biba,
• and some parishioners
1. Priests are considered to be holier (greater integrity) than monks
2. Monks are holier than parishioners
(Figure: three levels, Priests above Monks above Parishioners.)
Biba model: levels of integrity (Whitman 2010)
1. A priest cannot read or offer prayers written by Biba the monk, who cannot read items written by parishioners
2. This is to prevent the low integrity of the low level from corrupting the holiness of the upper level.
3. But high-level entities can share their writing with low-level entities without
The Biba Model Rules

• That is, Biba does not allow reading from lower levels and writing to upper levels: NO read down, NO write up.
• If we let I(u) denote the integrity level of a user u and I(x) denote the integrity level of an object x, THEN:
• A user u can read an object x only if I(u) < I(x).
• A user u can write (create, edit or append to) an object x only if I(x) < I(u).
• Biba rules: information can only flow down, going from higher integrity levels to lower integrity levels.
Biba model
Access modes:
a. Modify: to write or update information in an object
b. Observe: to read information in an object
c. Execute: to execute an object
d. Invoke: communication from one object to another
Integrity rules:
a. Simple integrity: A subject S can modify an object O only if the integrity level of the subject dominates the integrity level of the object: I(S) ≥ I(O).
b. Integrity confinement: A subject S can read an object O only if the integrity level of the subject is dominated by the integrity level of the object: I(S) ≤ I(O).
c. Invocation property: A subject S1 can invoke another subject S2 only if the integrity level of the first subject dominates the integrity level of the second subject: I(S1) ≥ I(S2).
Biba Integrity Model
 various models dealing with integrity
 strict integrity policy:
a. simple integrity: I(S) ≥ I(O)
b. integrity confinement: I(S) ≤ I(O)
c. invocation property: I(S1) ≥ I(S2)
What may happen without the integrity confinement rule?
A low-integrity process is not allowed to write into and contaminate a high-integrity file; but through some error, the high-integrity process may receive low-integrity data and may write that data into the high-integrity file.
(Figure: the two paths, labelled "Simple integrity" and "Integrity confinement".)

Invoke rule
• Subject S1 can invoke subject S2 only if I(S1) ≥ I(S2)
• Subjects are only allowed to invoke tools at a lower level
• Why?
• Otherwise, a dirty subject could use a clean tool to access and contaminate a clean object.
The Low-Watermark Model, or the dynamic integrity levels of Biba
• The low-watermark model is an extension to the Biba model that relaxes the "no read down" restriction, but is otherwise similar to the Biba model.
a. In other words, users with higher integrity levels can read objects with lower integrity levels.
b. After such a reading, the user performing the reading is demoted such that his integrity level matches that of the read object.
Low-watermark properties
1. Subject low-watermark property
• Subject S can read (observe) an object O at any integrity level
• The new integrity level of the subject is inf(I(S), I(O)), where I(S) and I(O) are the integrity levels of S and O before the operation.
2. Object low-watermark property
• Subject S can modify (alter) an object O at any integrity level
• The new integrity level of the object is inf(I(S), I(O)), where I(S) and I(O) are the integrity levels of S and O before the operation.
Low-watermark properties
1. These are examples of policies with dynamically changing access rights.
2. They carry the risk that all subjects and objects will eventually end up at the lowest integrity level.
3. Why?
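To see why everything sinks, here is an added simulation (Python; not code from the slides) that runs one sequence of reads and writes first under the strict Biba rules of the previous slides and then under the two low-watermark properties. The updater/auditor scenario and its integrity levels are constructed.

```python
# Constructed example, not code from the slides. Integrity levels are ranked by
# number: the larger, the more trustworthy (the "holier" of the parable).
RANK = {"low": 0, "medium": 1, "high": 2}


def inf(a, b):
    """Greatest lower bound of two integrity levels (this ordering is total)."""
    return a if RANK[a] <= RANK[b] else b


class StrictBiba:
    """Biba strict integrity policy: no read down, no write up, no invoke up."""

    def __init__(self, levels):
        self.I = dict(levels)  # entity name -> integrity level, subjects and objects alike

    def observe(self, s, o):
        """Integrity confinement: S may read O only if I(S) <= I(O)."""
        return RANK[self.I[s]] <= RANK[self.I[o]]

    def modify(self, s, o):
        """Simple integrity: S may write O only if I(S) >= I(O)."""
        return RANK[self.I[s]] >= RANK[self.I[o]]

    def invoke(self, s1, s2):
        """Invocation property: S1 may invoke S2 only if I(S1) >= I(S2)."""
        return RANK[self.I[s1]] >= RANK[self.I[s2]]


class LowWatermark(StrictBiba):
    """Dynamic variant: observe and modify always succeed, but the reader (or the
    written object) is demoted to inf(I(S), I(O)), recording the contamination."""

    def observe(self, s, o):
        self.I[s] = inf(self.I[s], self.I[o])  # subject low-watermark property
        return True

    def modify(self, s, o):
        self.I[o] = inf(self.I[s], self.I[o])  # object low-watermark property
        return True


def demo():
    """A high-integrity updater reads a low-integrity download log, then writes
    configuration; an auditor reads that configuration and writes a report.
    Returns the strict decisions and the low-watermark levels after the same sequence."""
    levels = {"updater": "high", "auditor": "medium", "download_log": "low",
              "config": "high", "report": "medium"}
    strict = StrictBiba(levels)
    decisions = {
        "updater reads download_log": strict.observe("updater", "download_log"),  # read down
        "updater writes config": strict.modify("updater", "config"),              # same level
        "auditor writes config": strict.modify("auditor", "config"),              # write up
        "auditor invokes updater": strict.invoke("auditor", "updater"),           # invoke up
    }
    lw = LowWatermark(levels)
    lw.observe("updater", "download_log")  # updater sinks to "low"
    lw.modify("updater", "config")         # config sinks to "low"
    lw.observe("auditor", "config")        # auditor sinks to "low"
    lw.modify("auditor", "report")         # report sinks to "low": inf() never raises a level
    return decisions, dict(lw.I)
```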
Clark-Wilson Model

Clark, D.D. and Wilson, D.R., A Comparison of Commercial and Military Computer Security Policies, Proceedings of the 1987 IEEE Symposium on Security and Privacy, pages 184-194, 1987
The Clark-Wilson Model
• The Clark-Wilson (CW) model does not deal with document confidentiality and/or integrity;
• rather, the Clark-Wilson (CW) model deals with systems that perform transactions.
• It describes mechanisms for assuring that the integrity of such a system is preserved across the execution of a transaction.
Overview of Clark-Wilson
1. Subjects have to be identified and authenticated
2. Objects can be manipulated only by a restricted set of programs
3. A proper audit log has to be maintained
4. The system has to be certified to work properly.
The Clark-Wilson Model: key components

1. Integrity constraints:
• Express relationships among objects that must be satisfied for the system state to be valid.
• A classic example of an integrity constraint: the final balance of a bank account after a withdrawal transaction must be equal to the initial balance minus the amount withdrawn.
2. Certification methods
• Verify that transactions meet given integrity constraints.
• Once the program for a transaction is certified, the integrity constraints do not need to be verified at each execution of the transaction.
3. Separation of duty rules
• Prevent a user that executes a transaction from certifying it.
• In general, each transaction is assigned disjoint sets of users that can certify and execute it, respectively.
Clark-Wilson Integrity Model
• Integrity is defined by a set of constraints
• Data is in a consistent or valid state when it satisfies these
• Example: Bank
• D = today's deposits, W = withdrawals, YB = yesterday's balance, TB = today's balance
• Integrity constraint: TB = D + YB - W
• Well-formed transactions move the system from one consistent state to another
• Issue: who examines and certifies that transactions are done correctly?
Two basic concepts

• Traditionally used to enforce commercial security policies
1. Well-formed transactions
• A user should not manipulate data arbitrarily, but only in constrained ways that preserve or ensure the integrity of the data
2. Separation of duties among users
• Any person permitted to create or certify a well-formed transaction may not be permitted to execute it.
Example
• Assume a company receives an invoice.
• The purchasing department requires several steps to pay for it.
1. Someone must have requested the service and determined the account that would pay for it
2. Someone must validate the invoice (was the service being billed actually performed?)
3. The account authorized to pay for the service must be debited,
4. and the check must be written and signed.
• What if only one person performs all these steps?
Entities
• CDIs: constrained data items
• Data subject to integrity controls
• UDIs: unconstrained data items; unchecked data items
• Data not subject to integrity controls
• IVPs: integrity verification procedures
• Procedures that assure the CDIs conform to the integrity constraints
• TPs: transaction procedures
• Procedures that take the system from one valid state to another, by manipulating CDIs.
Entities: bank accounts example
• CDIs: constrained data items
• The balances of the accounts are CDIs because they are crucial to the integrity of the bank.
• UDIs: unconstrained data items
• Petty cash may not be subject to the same procedures as bank accounts
• IVPs: integrity verification procedures
• Checking that the accounts are balanced is an IVP
• TPs: transaction procedures
• Depositing money, withdrawing money, and transferring money between accounts are TPs.
Clark-Wilson: Access Control
• Subjects and objects are 'labeled' with programs.
• Programs are used as an intermediate layer between subjects and objects.
• Access control:
a) define the access operations (transformation procedures) that can be performed on each data item (data types).
b) define the access operations that can be performed by subjects (roles).
Access Control in CW: five basic principles
1. Subjects must be identified and authenticated
2. Objects can be manipulated only by a restricted set of programs
3. Subjects can only execute a restricted set of programs
4. A proper audit log has to be maintained
5. The system has to be certified to work properly
(Figure: a user passes authentication and authorization to reach a TP; the TP's append to the log must be validated, with integrity checks and permissions checked; a UDI enters the TP, which operates on the CDIs CDIa and CDIb.)
CW: Certification Rules
• Five certification rules suggest how one should check that the security policy is consistent with the application requirements.

1. CR1: IVPs (integrity verification procedures) must ensure that all CDIs (constrained data items) are in a valid state when the IVP is run.
2. CR2: TPs (transformation procedures) must be certified to be valid, i.e. valid CDIs must always be transformed into valid CDIs. Each TP is certified to access a specific set of CDIs.
3. CR3: Access rules must satisfy any separation of duties requirements.
4. CR4: All TPs must write to an append-only log.
5. CR5: Any TP that takes a UDI (unconstrained data item) as input must either convert the UDI into a CDI or reject the UDI and perform no transformation at all.
CW: Enforcement Rules
• Describe mechanisms within the computer system that should enforce the security policy:
1. ER1: For each TP the system must maintain and protect the list of entries (CDIa, CDIb, ...) giving the CDIs that the TP is certified to access.
2. ER2: For each user, the system must maintain and protect the list of entries (TP1, TP2, ...) specifying the TPs that the user can execute and the CDIs that the TPs can reference on behalf of the user.
3. ER3: The system must authenticate each user requesting to execute a TP.
4. ER4: Only subjects that may certify an access rule for a TP may modify the respective list; this subject must not have execute rights on that TP.
Clark-Wilson Integrity Model
Certification Rules 1 and 2
CR1 When any IVP is run, it must ensure all CDIs
are in a valid state
CR2 For some associated set of CDIs, a TP must
transform those CDIs in a valid state into a
(possibly different) valid state
 Defines relation certified that associates a set
of CDIs with a particular TP
 Example: TP balance, CDIs accounts, in bank
example
Enforcement Rules 1 and 2
ER1 The system must maintain the certified
relations and must ensure that only TPs
certified to run on a CDI manipulate that
CDI.
ER2 The system must associate a user with
each TP and set of CDIs. The TP may access
those CDIs on behalf of the associated user.
The TP cannot access that CDI on behalf of
a user not associated with that TP and CDI.
 System must maintain, enforce certified
relation
 System must also restrict access based on
user ID (allowed relation)
Users and Rules
CR3 The allowed relations must meet the
requirements imposed by the principle of
separation of duty.
ER3 The system must authenticate each user
attempting to execute a TP
Logging
CR4 All TPs must append enough
information to reconstruct the
operation to an append-only CDI.
 This CDI is the log
 Auditor needs to be able to determine
what happened during reviews of
transactions
Handling Untrusted Input
CR5 Any TP that takes as input a UDI may
perform only valid transformations, or no
transformations, for all possible values of
the UDI. The transformation either rejects
the UDI or transforms it into a CDI.
 In bank, numbers entered at keyboard are
UDIs, so cannot be input to TPs.
 TPs must validate numbers (to make them a
CDI) before using them; if validation fails, TP
rejects UDI
Separation of Duty In Model
ER4 Only the certifier of a TP may change
the list of entities associated with
that TP. No certifier of a TP, or of an
entity associated with that TP, may
ever have execute permission with
respect to that entity.
 Enforces separation of duty with
respect to certified and allowed
relations
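The certification and enforcement rules above, as an added toy kernel (Python; not the course's or the paper's code): the certified and allowed relations, user authentication, the append-only log, UDI validation under CR5, and the ER4 separation-of-duty check. The account balances, the "transfer" TP and the users Carol and Dave are constructed.

```python
class CWViolation(Exception):
    """Raised when an enforcement rule (ER1-ER4) would be broken."""


class ClarkWilsonKernel:
    """Constructed example, not code from the slides or the paper: a toy Clark-Wilson
    kernel whose CDIs are account balances and whose log is itself an append-only CDI."""

    def __init__(self, cdis):
        self.cdis = dict(cdis)      # CDI name -> value
        self.log = []               # CR4: append-only log; only run() appends to it
        self.tps = {}               # TP name -> callable(view, udi)
        self.certified = {}         # ER1: TP name -> CDIs it is certified to access
        self.certifier = {}         # ER4: TP name -> user who certified it
        self.allowed = {}           # ER2: user -> {TP name: CDIs usable on that user's behalf}
        self.authenticated = set()  # ER3: users who have logged in

    def certify(self, user, name, fn, cdis):
        """Register a TP with the CDIs it may touch (the certified relation, CR2/ER1)."""
        self.tps[name], self.certified[name], self.certifier[name] = fn, frozenset(cdis), user

    def allow(self, user, tp, cdis):
        """Add (user, TP, CDIs) to the allowed relation, enforcing ER1 and ER4."""
        if user == self.certifier[tp]:
            raise CWViolation("ER4: the certifier of a TP may not execute it")
        if not frozenset(cdis) <= self.certified[tp]:
            raise CWViolation("ER1: TP is not certified for those CDIs")
        self.allowed.setdefault(user, {})[tp] = frozenset(cdis)

    def login(self, user):
        self.authenticated.add(user)

    def run(self, user, tp, cdis, udi):
        """Execute a TP on the user's behalf. The TP sees only the named CDIs and
        receives the raw UDI, which it must convert to a CDI or reject (CR5)."""
        if user not in self.authenticated:
            raise CWViolation("ER3: user not authenticated")
        if not frozenset(cdis) <= self.allowed.get(user, {}).get(tp, frozenset()):
            raise CWViolation("ER2: user may not run this TP on those CDIs")
        view = {c: self.cdis[c] for c in cdis}  # ER1: nothing outside the list is reachable
        try:
            self.tps[tp](view, udi)
        except ValueError as err:               # CR5: UDI rejected, no transformation at all
            self.log.append((user, tp, udi, "rejected", str(err)))
            return False
        self.cdis.update(view)
        self.log.append((user, tp, udi, "ok", dict(view)))  # CR4: enough to reconstruct it
        return True


def transfer(view, udi):
    """TP: move money from 'src' to 'dst'. The UDI is the raw amount as typed in."""
    amount = int(udi)  # garbage raises ValueError, which run() treats as a rejection
    if amount <= 0 or amount > view["src"]:
        raise ValueError("amount out of range")
    view["src"] -= amount
    view["dst"] += amount


def balances_ivp(kernel, expected_total):
    """IVP (CR1): total money is conserved and no balance is negative."""
    return sum(kernel.cdis.values()) == expected_total and min(kernel.cdis.values()) >= 0


def demo():
    """Carol certifies the TP, Dave runs it; every refusal is recorded by its rule number."""
    k = ClarkWilsonKernel({"src": 100, "dst": 50, "petty": 7})
    k.certify("carol", "transfer", transfer, {"src", "dst"})
    k.allow("dave", "transfer", {"src", "dst"})
    r = {}
    try:
        k.allow("carol", "transfer", {"src", "dst"})  # certifier asks for execute rights
    except CWViolation as e:
        r["carol allowed"] = str(e)[:3]
    try:
        k.run("dave", "transfer", {"src", "dst"}, "30")  # not logged in yet
    except CWViolation as e:
        r["unauthenticated"] = str(e)[:3]
    k.login("dave")
    r["good transfer"] = k.run("dave", "transfer", {"src", "dst"}, "30")
    r["garbage udi"] = k.run("dave", "transfer", {"src", "dst"}, "thirty")
    r["overdraw"] = k.run("dave", "transfer", {"src", "dst"}, "500")
    try:
        k.run("dave", "transfer", {"src", "petty"}, "1")  # petty cash is outside Dave's list
    except CWViolation as e:
        r["petty not allowed"] = str(e)[:3]
    r["ivp"] = balances_ivp(k, 157)
    r["log entries"] = len(k.log)
    return k, r
```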
Chinese Wall Model: overview
Problem:
• Tony advises American Bank about investments
• He is asked to advise Toyland Bank about investments
• He has a potential conflict of interest (COI), because his advice for either bank would affect his advice to the other bank

Computer Security: Art and Science


June 1, 2004
©2002-2004 Matt Bishop
Organization of the model

• Organize entities into "conflict of interest" (COI) classes
• Control subject accesses to each class.
• Control writing to all classes to ensure information is not passed along in violation of rules
• Allow sanitized data to be viewed by everyone

Informal description
• Assume a database of an investment house
• The DB includes:
• companies' records about investment
• and also other data that investors may request
• Analysts use these records to guide the companies' investments, as well as those of individuals.
• Assume Anthony counsels Bank of America in its investments.
• If he also counsels Citibank, he has a potential conflict of interest.
• So, he cannot counsel both banks.
Definitions

• Objects of the database: items of information related to a company
• Company dataset (CD): contains objects related to a single company
• Written CD(O)
• Conflict of interest class (COI): contains datasets of companies in competition
• Written COI(O)
• Assume: each object belongs to exactly one COI class
Example

Bank COI Class: Bank of America, Citibank, Bank of the West
Gasoline Company COI Class: Shell Oil, Standard Oil, Union '76, ARCO
Temporal Element

• If Tony reads any CD in a COI, he can never read another CD in that COI.
• Assume that Tony first worked on the Bank of America portfolio, then he was transferred to the Citibank portfolio.
• Possible that information learned earlier may allow him to make decisions later.
• Let PR(S) be the set of objects that S has already read

CW-Simple Security Condition
• s can read o iff either condition holds:
1. There is an o′ such that s has accessed o′ and CD(o′) = CD(o)
– Meaning s has read something in o's dataset
2. For all o′ ∈ O, o′ ∈ PR(s) ⇒ COI(o′) ≠ COI(o)
– Meaning s has not read any objects in o's conflict of interest class
• Ignores sanitized data (see below)
• Initially, PR(s) = ∅, so the initial read request is granted

Sanitization

• Public information may belong to a CD
• As it is publicly available, no conflicts of interest arise
• So, it should not affect the ability of analysts to read
• Typically, all sensitive data is removed from such information before it is released publicly (called sanitization)
• Add a third condition to the CW-Simple Security Condition:
3. o is a sanitized object
Writing

• Anthony and Susan work in the same trading house
• Anthony can read Bank 1's CD and Gas' CD
• Susan can read Bank 2's CD and Gas' CD
• What happens if Anthony could write to Gas' CD?
• Susan can read it
• Hence, indirectly, she can read information from Bank 1's CD, a clear conflict of interest
Write access is only permitted if
a) access is permitted by the simple security rule, and
b) no object can be read which is in a different company dataset to the one for which write access is requested and contains unsanitized information.
CW-*-Property

• s can write to o iff both of the following hold:
1. The CW-simple security condition permits s to read o; and
2. For all unsanitized objects o′, if s can read o′, then CD(o′) = CD(o)
• Says that s can write to an object if all the (unsanitized) objects it can read are in the same dataset
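The CW-simple security condition (with its sanitization clause) and the CW-*-property, as an added Python example (not code from the slides or from Bishop's book) run over the Anthony/Susan trading-house scenario of the "Writing" slide. Object names, the sanitized annual report and the extra single-COI database used for Eve are constructed.

```python
class ChineseWall:
    """Constructed example, not code from the slides or Bishop's book: Brewer-Nash
    decisions using the CW-simple security condition and the CW-*-property above."""

    def __init__(self):
        self.cd = {}          # object -> company dataset CD(o)
        self.coi = {}         # object -> conflict-of-interest class COI(o)
        self.sanitized = set()
        self.pr = {}          # subject -> PR(s), the objects s has already read

    def add_object(self, o, company, coi_class, sanitized=False):
        self.cd[o], self.coi[o] = company, coi_class
        if sanitized:
            self.sanitized.add(o)

    def can_read(self, s, o):
        """CW-simple security condition: one of the three conditions must hold."""
        if o in self.sanitized:                              # 3. o is a sanitized object
            return True
        pr = self.pr.get(s, set())
        if any(self.cd[p] == self.cd[o] for p in pr):        # 1. already read in CD(o)
            return True
        return all(self.coi[p] != self.coi[o] for p in pr)   # 2. nothing read in COI(o)

    def read(self, s, o):
        """Grant the read and record it in PR(s); this history is the temporal element."""
        if not self.can_read(s, o):
            return False
        self.pr.setdefault(s, set()).add(o)
        return True

    def can_write(self, s, o):
        """CW-*-property: s may read o, and every unsanitized object s could read is in CD(o)."""
        if not self.can_read(s, o):
            return False
        return all(self.cd[p] == self.cd[o] for p in self.cd
                   if p not in self.sanitized and self.can_read(s, p))


def demo():
    """The trading-house scenario: Anthony and Susan share the Gas dataset."""
    db = ChineseWall()
    db.add_object("bank1_forecast", "Bank 1", "Bank COI")
    db.add_object("bank2_forecast", "Bank 2", "Bank COI")
    db.add_object("gas_reserves", "Gas", "Gasoline COI")
    db.add_object("gas_annual_report", "Gas", "Gasoline COI", sanitized=True)
    r = {}
    r["anthony reads bank1"] = db.read("anthony", "bank1_forecast")
    r["anthony reads gas"] = db.read("anthony", "gas_reserves")
    r["anthony reads bank2"] = db.read("anthony", "bank2_forecast")  # wall: same COI as Bank 1
    r["anthony reads sanitized gas report"] = db.read("anthony", "gas_annual_report")
    r["susan reads bank2"] = db.read("susan", "bank2_forecast")
    r["susan reads gas"] = db.read("susan", "gas_reserves")
    # The *-property refuses the write that would let Bank 1 data reach Susan through Gas.
    r["anthony writes gas"] = db.can_write("anthony", "gas_reserves")
    # A write is possible only when everything the subject can read sits in one dataset.
    single = ChineseWall()
    single.add_object("gas_reserves", "Gas", "Gasoline COI")
    single.add_object("oil_reserves", "Oil", "Gasoline COI")
    single.read("eve", "gas_reserves")
    r["eve writes gas"] = single.can_write("eve", "gas_reserves")
    r["eve writes oil"] = single.can_write("eve", "oil_reserves")
    return r
```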

Compare to Bell-LaPadula

• Fundamentally different
• CW has no security labels, B-LP does
• CW has a notion of past accesses, B-LP does not
• Bell-LaPadula can capture state at any time
• Each (COI, CD) pair gets a security category
• Two clearances, S (sanitized) and U (unsanitized)
• S dom U
• Subjects are assigned clearance for compartments without multiple categories corresponding to CDs in the same COI class
Compare to Bell-LaPadula

• Bell-LaPadula cannot track changes over time
• Susan becomes ill, Anna needs to take over
• C-W history lets Anna know if she can
• No way for Bell-LaPadula to capture this
• Access constraints change over time
• Initially, subjects in C-W can read any object
• Bell-LaPadula constrains the set of objects that a subject can access
• Can't clear all subjects for all categories, because this violates the CW-simple security condition

Compare to Clark-Wilson

• The Clark-Wilson Model covers integrity, so consider only the access control aspects
• If "subjects" and "processes" are interchangeable, a single person could use multiple processes to violate the CW-simple security condition
• Would still comply with the Clark-Wilson Model
• If "subject" is a specific person and includes all processes the subject executes, then consistent with the Clark-Wilson Model