I'm self-studying for the CISSP exam and am having difficulty wrapping my mind around the practical side of the ★-property rule in the Bell-LaPadula Model. I understand the mechanics of it and that it protects against accidentally downgrading information. It makes sense for use-cases where a subject wants to write information to an object with an equal sensitivity label.

What I don't get though is why the rule allows information to be written to objects with a HIGHER sensitivity label than the subject. Can someone provide a practical example of when this might happen?

I guess I don't understand how/when/why someone would ever need to write to an object they would never be able to read?

Can someone please elaborate?

asked by Mike B (edited by CodesInChaos)

3 Answers

Sure. Here's an example. Suppose we want to have a system log manager, which collects logs from all processes. We'll run the log manager at system HIGH. We want every process to be able to send log records to it.

  • With your proposed rule, processes running at LOW would not be able to send log entries to the log manager.

  • In contrast, the ★-property allows all processes to send log entries to the log manager.

As far as a practical example, well, Bell-LaPadula isn't very practical. If you're looking primarily for practical stuff, I wouldn't spend your time looking at Bell-LaPadula; I'd recommend looking at more recent work on systems security -- it'll be a better use of your limited time.

D.W.

This model makes very little sense in the context of regular computer usage. It makes a lot more sense when you think of military-style classifications, where it sometimes makes sense to write things to another level. For example, if you have a bunch of reports coming in to one analyzer, you want the individual report writers to just upload their stuff and never deal with it again. However, the guy that analyzes all the reports can operate at a higher level because of the increased classification of the information, due to the aggregation of information from multiple reports/sources.

Another thing you have to keep in mind is that BLP is all about confidentiality. The star property in particular is also called the 'confinement property', as it is supposed to prevent information traversing multiple levels. You want each subject to be able to read or write from particular levels and that's it; having no other abilities limits the possibility of the information traversing outside of its designated level. This property makes sure you cannot grab information that's not for you (no read up), and cannot give away the information to lower levels (no write down).

The Strong Star Property makes the limitations even more stringent, as it changes 'no read up, no write down' to 'no read up, write only to the same level'. This way you cannot 'write up' and upclassify documents, which is desirable, unless you actually need it.

All of these are just more precise formulations of the general Principle of Least Privilege, with respect to confidentiality.

Marcin
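As an added example (this is not code from the question or from any of the answers), here is a small Python reference monitor that encodes the rules the answers describe: the simple security property (no read up), the ★-property (no write down, so write-up is allowed) for D.W.'s log-manager scenario, and Marcin's strong ★-property (write only at the subject's own level). Labels carry a level and a set of compartments, so two labels can also be incomparable. The level names, compartment names and the subject/object names (logd, sshd, keys.txt, and so on) are constructed for illustration and are assumptions, not from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Linear sensitivity levels. The names are a constructed example, not from the page.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """BLP security label: a sensitivity level plus a set of compartments (categories)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND compartments a superset.
        Labels whose compartment sets differ in both directions are incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    label: Label


@dataclass
class Obj:
    name: str
    label: Label
    contents: List[str] = field(default_factory=list)


class ReferenceMonitor:
    """Mediates every read and write using the simple security property and the
    ★-property (or the strong ★-property when strong_star=True)."""

    def __init__(self, strong_star: bool = False) -> None:
        self.strong_star = strong_star

    def can_read(self, s: Subject, o: Obj) -> bool:
        # Simple security property, "no read up": subject label must dominate object label.
        return s.label.dominates(o.label)

    def can_write(self, s: Subject, o: Obj) -> bool:
        if self.strong_star:
            # Strong ★-property: write only to objects carrying exactly the subject's label.
            return s.label == o.label
        # ★-property, "no write down": object label must dominate subject label.
        # Equal labels and strictly higher labels both pass, so write-up is permitted.
        return o.label.dominates(s.label)

    def read(self, s: Subject, o: Obj) -> List[str]:
        if not self.can_read(s, o):
            raise PermissionError(f"{s.name} may not read {o.name}")
        return list(o.contents)

    def write(self, s: Subject, o: Obj, data: str) -> None:
        if not self.can_write(s, o):
            raise PermissionError(f"{s.name} may not write {o.name}")
        o.contents.append(data)


def log_manager_scenario(strong_star: bool = False) -> Dict[str, bool]:
    """D.W.'s scenario: a log manager at system HIGH collecting records from every process.
    Returns which accesses the monitor permits. All names are constructed for the example."""
    rm = ReferenceMonitor(strong_star=strong_star)
    system_high = Label("TOP_SECRET", frozenset({"CRYPTO", "NUKE"}))
    low = Label("UNCLASSIFIED")

    syslog = Obj("syslog", system_high)        # the log manager's store, at system HIGH
    logd = Subject("logd", system_high)        # the log manager process
    sshd = Subject("sshd", low)                # an ordinary process running at LOW
    motd = Obj("motd", low)                    # a LOW object
    analyst = Subject("analyst", Label("SECRET", frozenset({"NUKE"})))
    keys = Obj("keys.txt", Label("SECRET", frozenset({"CRYPTO"})))  # incomparable with analyst

    return {
        "low_proc_writes_log": rm.can_write(sshd, syslog),   # write-up
        "low_proc_reads_log": rm.can_read(sshd, syslog),     # read-up, always denied
        "log_manager_reads_log": rm.can_read(logd, syslog),
        "log_manager_writes_low": rm.can_write(logd, motd),  # write-down, always denied
        "analyst_reads_keys": rm.can_read(analyst, keys),    # incomparable labels
        "analyst_writes_keys": rm.can_write(analyst, keys),
    }


if __name__ == "__main__":
    for strong in (False, True):
        print("strong ★-property" if strong else "★-property", log_manager_scenario(strong))
    rm = ReferenceMonitor()
    log = Obj("syslog", Label("TOP_SECRET"))
    proc = Subject("sshd", Label("UNCLASSIFIED"))
    rm.write(proc, log, "sshd: accepted publickey for alice")  # allowed: write-up
    try:
        rm.read(proc, log)                                      # denied: read-up
    except PermissionError as e:
        print("denied:", e)
```

Under the ★-property the LOW process can append to the HIGH log but can never read it back, which is exactly the "write to an object you would never be able to read" case in the question. With strong_star=True the same append is refused because the labels differ, so a log manager at system HIGH could no longer collect records from LOW processes. The incomparable SECRET/{NUKE} and SECRET/{CRYPTO} pair is denied in both directions under every variant, since neither label dominates the other.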

The truth is that there isn't any good reason this would happen practically afaik, but on the other hand, it is not against the goal of the model. I will reverse the question: Why do you think it shouldn't happen? From a confidentiality point of view, it does not matter if a lower-label subject can write to higher levels, since those on the higher level can see the information anyway. There are issues with integrity, but Bell-LaPadula is not concerned about that.

To sum up, your question basically is "Why is write-up permitted in Bell-LaPadula?" The answer is: Because whether write-up was forbidden or permitted, it would be the same from a confidentiality point of view. The model just takes one of the two possible approaches, without compromising anything.

john

  • Hi John, thanks for the prompt response! I see your point and I guess it doesn't hurt for something to be more secure. As for why it shouldn't happen, I guess it just doesn't make sense to me for a subject to not be able to "read" the same place that they're "writing" to. How would they know if they're overwriting something? It also seems like it would dilute the purpose of the object. If I'm storing "confidential" information in an object that's really intended to keep "Top Secret" information, I'm reducing its effectiveness. Perhaps I'm over-thinking this though. – Mike B Apr 22 '11 at 00:55
  • Hi Mikey. You said that it doesn't hurt for something to 'be more secure'. How do you define 'more' exactly? For your other points: First of all, the ability to 'read' is not necessarily required for writing. If you have ever been into programming, you will know that you can 'open' a file either for reading, or for writing, or for both, depending on several switches. In the Bell-LaPadula model case, overwriting is not important - that is an integrity issue, and as I said in my previous answer this model is not concerned about it (the Biba model is!) – john Apr 22 '11 at 01:28
  • Thanks for the clarification. I'm not a programmer so perhaps that's where my confusion is coming from. – Mike B Apr 22 '11 at 15:12