4

I am taking a computer security class, and have a homework problem which has the following setup:

Now assume a dynamic version of the Bell-La Padula Confidentiality model that incorporates a suitable version of the low watermark property, where the updates involve the lub (least upper bound) function.

First, to be clear: I am not looking for an answer to this problem. (I have provided only a portion of the problem here for that reason.)

Now, we learned in class that the low-water mark principle applies to the Biba security model. I found the same result on Wikipedia and many other sites.

I understand that Bell-LaPadula has "no read up" and "no write down" principles, so if I have:

Top Secret > Secret > Confidential > Unclassified

Subject = [Secret, {P, Q}]

Object A = [Secret, {P, Q}]
Object B = [Confidential, {P}]
Object C = [Top Secret, {P, Q, R}]

Then the subject can read A, B and can write to A, C. (Right?)

But, how can the low-water mark principle be applied to the Bell-LaPadula model? What effect would the low-water mark principle have in these cases?

CodesInChaos
Cat

2 Answers

3

I think I'm taking the same class as you and I think I've figured out a solution to this problem, but I may be wrong. The low watermark policy of the Biba Model allows one to write up and read down, but in order to read down the subject must lower their integrity level to do so. This means that when accessing information, it is crucial that it is done in the correct order.

For the question, they're asking us to use a combination of the Bell-LaPadula model and the idea of low watermark policy, where reading down lowers the integrity level and writing up is okay provided the objects being modified are contained in the higher-level object matrix.

Hope that helps.

Steven
  • This was my initial instinct as well, but I got stuck on the mention of the "lowest upper bound". If we only ever lower the integrity level of the reader, where does the *lub* function come into play? – Cat Mar 13 '13 at 21:55
0

The teacher sent us an email clarifying this question, and it was explained that the lub() function is indeed what we're supposed to use, by creating a "new system of [our] own".

It was explained that, due to lub(), whenever something changes it has to go up. So, as he put it, "So whenever something happens, either nothing changes, or something gets upgraded."

This means that it is Bell-LaPadula, but reading-up is allowed. This, however, would raise the subject's level to that of the document. (This seems weird, but the answer doesn't have to be a practical real-world usage.)

Cat
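The following Python sketch is an added illustration, not part of either answer or of the course material. It models the labels from the question and the read rule described in the last answer. Assumptions: a read sets the subject's label to lub(subject, object), writes keep the static "no write down" check, and object D is constructed here to show a label that is incomparable with the subject's.

```python
from dataclasses import dataclass

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]  # ascending

@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset

    def dominates(self, other):
        """self >= other: level at least as high and categories a superset."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.cats >= other.cats)

def label(level, cats=""):
    return Label(level, frozenset(cats))

def lub(a, b):
    """Least upper bound in the lattice: higher level, union of categories."""
    return Label(max(a.level, b.level, key=LEVELS.index), a.cats | b.cats)

class Subject:
    def __init__(self, lbl):
        self.label = lbl

    def read(self, obj):
        """Assumed dynamic rule: the read succeeds, the label becomes the lub."""
        self.label = lub(self.label, obj)
        return self.label

    def can_write(self, obj):
        """Static *-property: the object must dominate the current label."""
        return obj.dominates(self.label)

A = label("Secret", "PQ")
B = label("Confidential", "P")
C = label("Top Secret", "PQR")
D = label("Confidential", "R")  # constructed: incomparable with the subject

def demo():
    """Read B, D, C in turn; record the label and whether A is still writable."""
    s = Subject(label("Secret", "PQ"))
    trace = []
    for name, obj in [("B", B), ("D", D), ("C", C)]:
        s.read(obj)
        cats = "".join(sorted(s.label.cats))
        trace.append((name, s.label.level, cats, s.can_write(A)))
    return trace

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Reading B changes nothing because the subject already dominates it. Reading D adds category R without raising the level, and from that point the subject can no longer write to A.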