Thursday, April 20, 2006

The Bell-LaPadula Security Policy Model

The best-known example of a security policy model was proposed by David Bell and Len LaPadula in 1973, in response to U.S. Air Force concerns over the security of time-sharing mainframe systems. By the early 1970s, people had realized that the protection offered by many commercial operating systems was poor, and was not getting any better. As soon as one operating system bug was fixed, some other vulnerability would be discovered. There was the constant worry that even unskilled users would discover loopholes, and use them opportunistically; there was also a keen and growing awareness of the threat from malicious code. There was a serious scare when it was discovered that the Pentagon’s World Wide Military Command and Control System was vulnerable to Trojan Horse attacks; this had the effect of restricting its use to people with a ‘Top Secret’ clearance, which was inconvenient. Finally, academic and industrial researchers were coming up with some interesting new ideas on protection, which we’ll discuss below.

A study by James Anderson led the U.S. government to conclude that a secure system should do one or two things well; and that these protection properties should be enforced by mechanisms that were simple enough to verify and that would change only rarely. It introduced the concept of a reference monitor, a component of the operating system that would mediate access control decisions and be small enough to be subject to analysis and tests, the completeness of which could be assured. In modern parlance, such components—together with their associated operating procedures—make up the Trusted Computing Base (TCB). More formally, the TCB is defined as the set of components (hardware, software, human, etc.) whose correct functioning is sufficient to ensure that the security policy is enforced, or, more vividly, whose failure could cause a breach of the security policy. The Anderson report’s goal was to make the security policy simple enough for the TCB to be amenable to careful verification.
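To make the reference-monitor idea concrete, here is an added example (not code from the original post or from the Bell-LaPadula paper) of a minimal monitor that mediates every read and write against a lattice of labels. The two rules it enforces, the simple security property (no read up) and the *-property (no write down), are those of the published Bell-LaPadula model; this page does not state them. The level names, compartments, subjects and objects are constructed for illustration. The point the Anderson report makes is visible in the size of the code: the whole policy is one `dominates` comparison and one `check` method, which is what makes a TCB small enough to verify.

```python
"""Minimal Bell-LaPadula reference monitor (added illustration).

Level names, compartments, subjects and objects below are constructed
for the example; any totally ordered list of levels would do.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed classification order, lowest to highest.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")


@dataclass(frozen=True)
class Label:
    """Security label: a classification level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND compartments a superset."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    """All access decisions go through check(); it is the only code that
    reads the label tables, so it is the part that has to be verified."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]):
        self._subjects = dict(subjects)
        self._objects = dict(objects)
        # Audit trail of (subject, object, mode, allowed) for every decision.
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: str, obj: str, mode: str) -> bool:
        s = self._subjects[subject]
        o = self._objects[obj]
        if mode == "read":
            # Simple security property: subject's clearance must dominate
            # the object's classification (no read up).
            allowed = s.dominates(o)
        elif mode == "write":
            # *-property: object's classification must dominate the
            # subject's clearance (no write down). A Trojan horse running
            # with the subject's clearance therefore cannot leak what it
            # read into a lower-classified file.
            allowed = o.dominates(s)
        else:
            allowed = False  # fail closed on any mode we do not know
        self.audit.append((subject, obj, mode, allowed))
        return allowed


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed subjects and objects used to exercise the monitor."""
    subjects = {
        "alice": Label("TOP_SECRET", frozenset({"NUCLEAR"})),
        "bob": Label("SECRET"),
        "carol": Label("SECRET", frozenset({"CRYPTO"})),
    }
    objects = {
        "bulletin": Label("UNCLASSIFIED"),
        "plan": Label("SECRET"),
        "nuke": Label("TOP_SECRET", frozenset({"NUCLEAR"})),
    }
    return ReferenceMonitor(subjects, objects)


if __name__ == "__main__":
    rm = build_demo_monitor()
    for subj, obj, mode in [("bob", "plan", "read"), ("bob", "nuke", "read"),
                            ("alice", "bulletin", "write"), ("bob", "nuke", "write"),
                            ("carol", "nuke", "read"), ("carol", "plan", "write")]:
        print(f"{subj:6} {mode:5} {obj:9} -> {'ALLOW' if rm.check(subj, obj, mode) else 'DENY'}")
```

Note the asymmetry a practitioner should expect: a SECRET subject is allowed to write into a TOP SECRET object (writing up is permitted, even though the subject can never read back what it wrote), while a TOP SECRET subject is refused a write to an UNCLASSIFIED bulletin. Labels with incomparable compartment sets are neither readable nor writable in either direction, which is why `carol` is denied both ways against `nuke` and cannot write to `plan`.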
