I'm trying to figure out Bell-LaPadula model and am having a hard time with compartments. If Subject 1 is (SECRET, {C}) and they want to read Document 1 which is (UNCLASSIFIED, {A, B, C}), would they be able to? Read down is accepted in the Bell-LaPadula model and subject 1 has permission to read C, but not A or B. So I'm thinking Subject 1 cannot read Document 1 since Document 1 also contains A and B. Is this correct?
Asked
Active
Viewed 154 times
1 Answers
1
First Unclassified isn't a sensitivity classification. Unclassified documents can be compartmentalized but there's nothing to prevent dissemination outside the compartment.
For your question, let's assume that Document 1 is Confidential,{A,B,C}.
Subject 1 would not be able to read Document 1 in the Bell-LaPadula model because even though they are able to read down the object (Document 1) is compartmentalized for A,B, and C. Using the image below, if Subject 1 had top secret{nuclear} they would be able to read (and write) top secret{nuclear}, read secret{nuclear}, and read unclassified. Notice there is no connection in the lattice from top secret{nuclear} to secret{nuclear,crypto}.
The math for this is explained in the Purdue document in the references.
To paraphrase, the sensitivity/category combination is less than or equal to a higher sensitivity/category combination if and only if the first sensitivity is less than or equal to the second AND all the categories in the first combination are in the second category.
So to read Confidential{A,B,C} would need to be less than or equal to Secret{C}. Confidential is less than Secret so that passes but {A,B,C} are not in {C}. The test fails and you'd be unable to read.
References
Cornell Multi-level Security
Purdue CS 426 Lecture 21
Classified Information/Unclassified
kenlukas
- 835
- 6
- 18