(a) How does the main security aim of the Clark-Wilson model differ from that of the Bell-LaPadula model?
(b) Consider the following documents that have been created within the Bell-LaPadula security model. The levels are: top secret (ts), secret (s), confidential (c), and unclassified (uc). In addition to these levels, there are the following categories: development (D), production code (PC), and software tools (T).
Document 1: c, {D, T}
Document 2: s, {T, PC}
Document 3: ts, { }
Document 4: uc, {D, T, PC}
Alice has secret clearance with access to the categories {D, T}. Determine which documents Alice can read. Determine also which documents Alice can write to.
Answer a:
The Bell-LaPadula model focuses on data confidentiality, i.e. controlled access to classified information. In this model each subject has a security clearance and each object has a security classification (e.g. Top Secret, Secret, Confidential), and the main purpose of the model is to decide the manner in which a subject may access an object.
Security level | Subject | Object
---------------|---------|----------------
Top Secret     | Tamara  | Personnel Files
Secret         | Samuel  | E-Mail Files
Confidential   | Claire  | Activity Logs
Unclassified   | James   | Telephone Lists
This means Tamara (Top Secret) can read all four files, while Claire (Confidential) can read only the activity logs and the telephone lists; she cannot read the personnel files or the e-mail files because they are classified above her clearance.
Clark-Wilson, on the other hand, focuses on the integrity of data rather than its confidentiality. It relies on two concepts to ensure data integrity:
1. Well-formed transactions: users can manipulate data only in constrained ways, through certified procedures, never by editing the data directly.
2. Separation of duty: the person who certifies a transaction must not be the person who executes it, so that corrupting the data requires collusion.
These are the basic terms used in this model:
CDI: constrained data items, the data whose integrity the model protects (e.g. loan applications, cheques).
UDI: unconstrained data items, input that has not yet been validated (e.g. data typed in by a user).
IVPs: integrity verification procedures, which check that all CDIs conform to the integrity/consistency rules.
TPs: transformation procedures, the only transactions allowed to change CDIs (they take CDIs from one valid state to another).
The rules below are certified (C) and enforced (E) in this model.
C1: IVPs must ensure that all CDIs are in a valid state when the IVP is run.
C2: All TPs must be certified to be valid, i.e. to take a CDI from a valid state to a valid final state; each TP is certified for a specific set of CDIs: (TPi, CDIa, CDIb, CDIc, ...).
E1: The system must maintain the list of relations specified in C2 and ensure that a CDI is manipulated only by a TP certified for it.
E2: The system must maintain a list of relations (User, TPi, (CDIa, CDIb, ...)) and allow a user to execute a TP on a CDI only if such a relation exists.
C3: The list of relations in E2 must be certified to meet the separation-of-duty requirement.
E3: The system must authenticate each user attempting to execute a TP.
C4: All TPs must be certified to write to an append-only CDI (the log) all information necessary to reconstruct the operation.
C5: Any TP that takes a UDI as an input value must be certified to perform only valid transformations on it, or none at all: the UDI is either converted into a CDI or rejected.
E4: Only the agent permitted to certify entities may change the list of such entities associated with other entities, and an agent that can certify an entity may not have execute rights for it.
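The rules above are easiest to see as an enforcement kernel that checks them at run time. The following is an added example written for this page, not code from the original answer: a toy Clark-Wilson kernel whose CDIs are account balances and whose only TP is a transfer. All names (acct_a, acct_b, bob, carol, hunter2) are illustrative, and the credential store is a plain dictionary standing in for real authentication.

```python
# Added example: toy Clark-Wilson enforcement kernel implementing E1-E4,
# with an IVP for C1 and validity checking of TP results for C2.
# CDIs are account balances, the TP is a transfer; all names are illustrative.


class AccessDenied(Exception):
    pass


class IntegrityViolation(Exception):
    pass


def ivp_non_negative(cdis):
    """IVP (C1): every balance CDI must be a non-negative integer."""
    return all(isinstance(v, int) and v >= 0 for v in cdis.values())


class ClarkWilsonKernel:
    def __init__(self, ivp):
        self.ivp = ivp
        self.cdis = {}          # CDI name -> current value
        self.tps = {}           # TP name -> (function, CDIs it is certified for, certifier)
        self.triples = set()    # (user, TP name, frozenset of CDIs): the E2 relation
        self.log = []           # append-only CDI recording each TP run (C4)
        self.credentials = {}   # user -> password (toy store used for E3)
        self.sessions = set()   # users that have authenticated (E3)

    def add_cdi(self, name, value):
        self.cdis[name] = value

    def add_user(self, user, password):
        self.credentials[user] = password

    def certify_tp(self, certifier, name, func, cdis):
        """C2/E1: record that func is certified to operate only on these CDIs."""
        self.tps[name] = (func, frozenset(cdis), certifier)

    def grant(self, user, tp_name, cdis):
        """E2 with C3/E4: add a (user, TP, CDIs) triple; the agent who
        certified the TP may not be given execute rights on it."""
        _func, allowed, certifier = self.tps[tp_name]
        if user == certifier:
            raise AccessDenied("separation of duty: certifier cannot execute")
        if not frozenset(cdis) <= allowed:
            raise AccessDenied("TP not certified for these CDIs")
        self.triples.add((user, tp_name, frozenset(cdis)))

    def authenticate(self, user, password):
        """E3: a user must authenticate before any TP runs on their behalf."""
        if self.credentials.get(user) == password:
            self.sessions.add(user)
            return True
        return False

    def execute(self, user, tp_name, cdis, *args):
        """Run a TP on behalf of a user, enforcing E3, E2, E1, then C2 and C4."""
        if user not in self.sessions:                               # E3
            raise AccessDenied("user not authenticated")
        if (user, tp_name, frozenset(cdis)) not in self.triples:    # E2
            raise AccessDenied("no (user, TP, CDI) triple for this request")
        func, allowed, _certifier = self.tps[tp_name]
        if not frozenset(cdis) <= allowed:                          # E1
            raise AccessDenied("TP not certified for these CDIs")
        before = {c: self.cdis[c] for c in cdis}
        working = dict(before)                 # TP works on a copy
        func(working, *args)
        if not self.ivp(working):                                   # C2: must end valid
            raise IntegrityViolation("TP would leave CDIs invalid; change discarded")
        self.cdis.update(working)              # commit the valid new state
        self.log.append((user, tp_name, before, dict(working)))     # C4
        return dict(working)


def tp_transfer(cdis, src, dst, amount):
    """A well-formed transaction: move amount between two balance CDIs."""
    cdis[src] -= amount
    cdis[dst] += amount


if __name__ == "__main__":
    # Constructed scenario: carol certifies the TP, bob is granted it.
    k = ClarkWilsonKernel(ivp_non_negative)
    k.add_cdi("acct_a", 100)
    k.add_cdi("acct_b", 50)
    k.add_user("bob", "hunter2")
    k.certify_tp("carol", "transfer", tp_transfer, ["acct_a", "acct_b"])
    k.grant("bob", "transfer", ["acct_a", "acct_b"])
    k.authenticate("bob", "hunter2")
    print(k.execute("bob", "transfer", ["acct_a", "acct_b"], "acct_a", "acct_b", 30))
    try:
        k.execute("bob", "transfer", ["acct_a", "acct_b"], "acct_a", "acct_b", 500)
    except IntegrityViolation as e:
        print("rejected:", e, "balances still", k.cdis)
```

Note where each rule bites: an overdraft is not refused by the TP itself but by the post-condition check (C2) before the copy is committed, an unauthenticated or ungranted user is stopped before the TP runs (E3, E2), and the certifier carol cannot be granted execute rights on the TP she certified (C3/E4).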
Answer b:
In this model a security label is a pair (level, set of categories). Label A dominates label B when A's level is greater than or equal to B's level and A's category set contains all of B's categories. Two labels can be incomparable (neither dominates the other), for example when each has a category the other lacks. The two rules used to decide reads and writes are:
1. Simple security property (no read up): a subject may read an object only if the subject's label dominates the object's label.
2. *-property (no write down): a subject may write an object only if the object's label dominates the subject's label.
Alice's label is (s, {D, T}). Checking each document against both rules:
Document 1, (c, {D, T}): s is above c and {D, T} is contained in Alice's {D, T}, so Alice dominates the document and may read it. Writing would be a write down (c is below s), so it is denied.
Document 2, (s, {T, PC}): the document carries PC, which Alice does not have, so Alice does not dominate it and may not read it. The document does not dominate Alice either, because it lacks D, so Alice may not write it. The two labels are incomparable.
Document 3, (ts, { }): ts is above s, so reading is denied (read up). Writing would require the document's label to dominate Alice's, but its empty category set does not contain {D, T}, so writing is also denied.
Document 4, (uc, {D, T, PC}): the document carries PC, so Alice does not dominate it and may not read it. Writing would be a write down (uc is below s), so it is denied.
Therefore Alice can read only Document 1, and she cannot write to any of the four documents. Note that the category sets matter as much as the levels: Document 4 is unclassified, yet Alice still cannot read it because it belongs to the PC category.