Question


Develop a construction to show that a system implementing the Chinese Wall model can support the Bell-LaPadula Model.

Solutions

Expert Solution

The Chinese Wall model is a security model that concentrates on confidentiality and finds application in the commercial world. The model bases itself on the principles defined in the Clark-Wilson security model.

The Chinese Wall model was introduced by Brewer and Nash in 1989. The model was built on the UK stock brokerage operations. The stock brokers can be consulted by different companies that are in competition. This causes a conflict of interest, which should be prevented with lawfully enforceable policies. Similar to the UK brokerage system, the Chinese Wall model assumes impenetrable Chinese Walls among company data sets, so that no conflict of interest occurs on the same side of the wall.

The Bell–LaPadula Model (BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects.

To emulate the Chinese Wall model using Bell-LaPadula, we assign a security category to each (COI, CD) pair. We define two security levels, S (for sanitized) and U (for unsanitized). By assumption, S dom U. illustrates this mapping for the system in Each object is transformed into two objects, one sanitized and one unsanitized. Each subject in the Chinese Wall model is then assigned clearance for the compartments that do not contain multiple categories corresponding to CDs in the same COI class. For example, if Susan can read the Bank of America and ARCO CDs, her processes would have clearance for compartment (U, {a, n}). There are three possible clearances from the bank COI class, and four possible clearances from the gasoline company COI class, combining to give 12 possible clearances for subjects. Of course, all subjects can read all sanitized data. The CW-simple security condition clearly holds. The CW-*-property also holds, because the Bell-LaPadula *-property ensures that the category of input objects is a subset of the category of output objects. Hence, input objects are either sanitized or in the same category (that is, the same CD) as that of the subject. This construction shows that at any time the Bell-LaPadula Model can capture the state of a system using the Chinese Wall model. But the Bell-LaPadula Model cannot capture changes over time. For example, suppose Susan falls ill, and Anna needs to access one of the datasets to which Susan has access. How can the system know if Anna is allowed to access that dataset? The Chinese Wall model tracks the history of accesses, from which Anna’s ability to access the CD can be determined.

Elements of the model

  • Company denoted c ∈ C
  • Subjects s ∈ S are the analysts having access to company information
  • Objects o ∈ O are items of information, each belonging to a company
  • Company dataset is all objects concerning a company
      ◦ Function y : O → C maps an object to its company dataset
  • Conflict of interest class indicates which companies are in competition
      ◦ Function x : O → P(C) maps an object to its conflict of interest class, an element in the powerset of C
  • Security label is a pair (x(o), y(o))
  • Sanitized information is an object with no sensitive information
      ◦ Label is (∅, y(o))
  • Matrix N_{S,O} records the history of subjects' actions (true or false)

Access is granted only if the object belongs to

  ◦ A data set already accessed by the subject, or
  ◦ A different conflict of interest class than previous objects

ss-property

A subject s is permitted to access an object o only if for all objects o’ with N_{s,o’} = true, y(o) = y(o’) or y(o) ∉ x(o’)

Analyst A updates bank information about company A. Analyst B can read this bank information and write to an object in company B.

*-property regulates write access

Very restrictive: If you can read sensitive information in one company, you cannot write to objects in any other company – ever

The Bell-LaPadula Model cannot capture changes over time. A second, more serious problem arises when one considers that subjects in the Chinese Wall model may choose which CDs (company datasets) to access; in other words, initially a subject is free to access all objects. The Bell-LaPadula Model cannot emulate the Chinese Wall model.
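
The following is an added example, not part of the original answer: it enumerates the clearances of the construction, implements the history-based ss-property, and compares the two for Susan and for a subject with no history. The category letters other than a and n, the names `clearances`, `blp_can_read`, `ChineseWall` and `snapshot_matches`, and the restriction to unsanitized objects (levels S and U are left out) are assumptions made for the example.

```python
from itertools import product

# COI class -> category letter per company dataset (CD). "a" (Bank of America)
# and "n" (ARCO) are from the text; the remaining letters are constructed.
COI = {"bank": {"a", "b", "c"}, "gasoline": {"n", "s", "m", "e"}}
COI_OF = {cd: coi for coi, cds in COI.items() for cd in cds}

def clearances():
    """Category sets holding exactly one CD from each COI class."""
    return [frozenset(pick) for pick in product(*COI.values())]

def blp_can_read(clearance, cd):
    """Static check for unsanitized objects: object category within clearance."""
    return cd in clearance

class ChineseWall:
    """History-based check: the matrix N is kept as a set of CDs per subject."""
    def __init__(self):
        self.history = {}

    def can_read(self, subject, cd):
        # ss-property: same CD as an earlier access, or a different COI class.
        return all(cd == old or COI_OF[cd] != COI_OF[old]
                   for old in self.history.get(subject, set()))

    def read(self, subject, cd):
        if not self.can_read(subject, cd):
            return False
        self.history.setdefault(subject, set()).add(cd)
        return True

def snapshot_matches(cw, subject, clearance):
    """True if a fixed clearance grants exactly what the wall grants right now."""
    return all(blp_can_read(clearance, cd) == cw.can_read(subject, cd)
               for cd in COI_OF)
```

Once Susan has read a and n, the clearance {a, n} reproduces her rights exactly, while for a subject with an empty history no single clearance does, since the wall still lets that subject pick any CD.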

