8

I'm currently studying the Bell-LaPadula model and I need to do an implementation as an example.

I understand how the model works, but I have difficulties implementing it in a programming language (for example Java). I am considering the following classifications:

  • Restricted,
  • Confidential,
  • Secret,
  • Top Secret

and the following categories:

  • Lieutenant,
  • Colonel,
  • Captain,
  • Lieutenant General,
  • General.

How do I represent the lattice?

CodesInChaos
user1019710
  • Just a note: In most armies, a captain is some steps below a colonel, not above. – Paŭlo Ebermann Nov 05 '11 at 16:26
  • So do you want to treat the ranks as compartments, or Integrity labels? – Marcin Nov 06 '11 at 19:23
  • Is this homework? Generally speaking, for homework, we ask that you label the question as homework, and we ask that you indicate how far you've gotten on your own or what you have tried yourself. – D.W. Nov 07 '11 at 07:23
  • Study some more: in addition to subjects and objects the BLP model must define the actions - resulting in a 3D matrix indicating valid combinations. – symcbean Nov 09 '11 at 17:56

3 Answers

10

I suspect you are slightly confused about how Bell-LaPadula works, and in particular, how categories work in Bell-LaPadula.

  • Classifications are necessarily ordered. In your example, we have Restricted < Confidential < Secret < Top Secret. So far, so good.

  • Categories are, in general, not ordered. Often, they are a set, with no ordering amongst them. They are used for compartmentalization, and they are orthogonal to classification. A compartment is used to further restrict dissemination to a group of individuals with a need-to-know. Examples of compartments (categories) might be GAMMA (interception of Soviet communications), RUFF (images obtained by satellite), or somesuch. For instance, the set of categories might be {GAMMA, RUFF}, with no ordering implied between GAMMA vs RUFF.

A document might be stamped, e.g., Top Secret GAMMA RUFF. For someone to be allowed to read this document, they need both Top Secret clearance, and they need to be authorized to access material in the GAMMA compartment and to access material in the RUFF compartment. In general, to read some document, your clearance needs to be at least as high as the classification, and you have to be a member of every compartment (category) that the document is labelled with.

Thus, in practice, compartments would never be ranks like Lieutenant. Your example doesn't make sense.

With this background, each document / data item is labelled as follows:

  • It has a classification.

  • It has a set of categories (compartments).

You can represent the classification as @Jeff Ferland suggests. To represent the set of categories, you'll need to modify @Jeff's suggestion, and store a set of categories.

The most interesting part is not the representation of labels; the most interesting part is to figure out how to compare two labels. If a document has label L, and a person has label L', should the person be allowed to read the document? To check that you understand the Bell-LaPadula model, I suggest that you code up this check, for some example.

D.W.
  • The "homework" crap at the end is very annoying. For those of us who came in from search (because of say, a security textbook suggesting this model to be a good read) it's a most unhelpful jab. – Skrylar Oct 29 '19 at 06:42
  • @Skrylar, you're right. That was gratuitous and unhelpful, and I regret it. I've removed it. I hope this is a small improvement. Thank you for bringing my attention to it, and I apologize for those comments. – D.W. Oct 29 '19 at 07:30
6
[Restricted, Confidential, Secret, Top Secret] => [0, 1, 2, 3] //constants
[Lieutenant, Colonel, Captain, Lieutenant General, General] => [0, 1, 2, 3, 4] //constants

Set this up in a static class similar to how Math.MAX_INT and others work ... Classification.RESTRICTED will return 0. That makes it easy to read from a programmer's standpoint.

How you relate the categories is up to you. Your read / write tests are simple "is this value lower / higher than user.getClassification() (user.setClassification(Classification.SECRET))" (or wherever you place that).

The categories aren't spec'd in Bell-LaPadula, so you'll either have to hint how you plan to use them or figure out how to relate it as I assume that a rank doesn't directly relate to a clearance.

Jeff Ferland
  • This isn't quite right. In general, each document receives a set of categories, not just one category. Then again, the question-asker's example seems a bit confused: the categories don't fit something you'd actually use in real life. You wouldn't use categories that way (to correspond to ranks). – D.W. Nov 07 '11 at 07:28
  • @D.W. I think that may be what confuses me... if he had categories like "field intel", "France", "double agents", etc. then it'd make more sense for compartmentalization. – Jeff Ferland Nov 07 '11 at 15:44
4

The simple way to remember the Bell-LaPadula model is: No read up, no write down.

A classification is the label and controls whether the subject (person) can read the object (document, file, etc). For this example, I will ignore compartments.

Let's create four people Alice, Bob, Charlie, Diana, and Eve. Now let's give each one a label: Alice is Confidential, Bob is Restricted, Charlie is Confidential, Diana is Secret, Eve is Top Secret. Each person creates a document, and when they create a document the document gets the same label as the person who created it. Alice creates Document A, Bob creates Document B, Charlie creates Document C, Diana creates Document D, and Eve creates Document E.

You can now create a simple table showing what happens when someone tries to read a document.

For reading:

        | Doc A | Doc B | Doc C | Doc D | Doc E |
-------------------------------------------------
Alice   | allow | deny  | deny  | deny  | deny  |
Bob     | allow | allow | deny  | deny  | deny  | 
Charlie | allow | allow | allow | deny  | deny  | 
Diana   | allow | allow | allow | allow | deny  | 
Eve     | allow | allow | allow | allow | allow | 
schroeder
this.josh
  • Bell-LaPadula does not involve assigning classification levels to the ranks. The categories are independent/orthogonal from the classification level. That said, I think the original question-asker is confused, too. – D.W. Nov 07 '11 at 07:11
  • @d-w Ok, I did not make it clear that mapping the categories is not part of the Bell-LaPadula model, but it looks germane for the given assignment. Do you think that makes my answer misleading? – this.josh Nov 07 '11 at 23:34
  • It depends whether the original question-asker wants to know about how to implement Bell-LaPadula, or wants to know how to implement his example with ranks in some more intuitive way (not using Bell-LaPadula). If he/she wants to know about Bell-LaPadula, your answer is misleading, because that's not how Bell-LaPadula works. Part of the problem is that it seems like the original question-asker has some faulty premises about how Bell-LaPadula works, or else his/her example is poorly suited to the Bell-LaPadula model. (cont.) – D.W. Nov 08 '11 at 08:02
  • (cont.) Bell-LaPadula is a specific formal model that incorporates classifications and compartments (categories) into a single label. In the original Bell-LaPadula model, there's no mapping between them; they are two separate parts of the label. Once we talk about creating a mapping between them, we're no longer talking about the original Bell-LaPadula model, but rather something new. Often the compartments (categories) get left out in popular descriptions of Bell-LaPadula, because conceptually they're less important, and because B-L can be generalized to address that need. – D.W. Nov 08 '11 at 08:03
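
Added example (not code from any of the answers above): a Java sketch of the label comparison described in the first answer, combined with the "no read up, no write down" rule from the third. It goes beyond the read table by including compartments and the write check. The names `BlpLattice`, `Label`, `dominates`, `join`, `canRead` and `canWrite` are assumptions chosen for illustration, and records require Java 16 or later.

```java
import java.util.EnumSet;
import java.util.Set;

public class BlpLattice {
    // Declaration order is the total order: RESTRICTED < CONFIDENTIAL < SECRET < TOP_SECRET.
    enum Level { RESTRICTED, CONFIDENTIAL, SECRET, TOP_SECRET }

    // Compartments are an unordered set; GAMMA and RUFF are the names used in the first answer.
    enum Compartment { GAMMA, RUFF }

    // A label is one point of the lattice: a level plus a set of compartments.
    record Label(Level level, Set<Compartment> compartments) {
        Label { compartments = Set.copyOf(compartments); } // defensive, immutable copy

        // Partial order: level at least as high AND a superset of the other's compartments.
        boolean dominates(Label other) {
            return level.compareTo(other.level) >= 0
                && compartments.containsAll(other.compartments);
        }

        // Least upper bound of two labels: higher level, union of compartments.
        Label join(Label other) {
            Set<Compartment> union = EnumSet.noneOf(Compartment.class);
            union.addAll(compartments);
            union.addAll(other.compartments);
            return new Label(level.compareTo(other.level) >= 0 ? level : other.level, union);
        }
    }

    // Simple security property ("no read up"): the subject must dominate the object.
    static boolean canRead(Label subject, Label object) { return subject.dominates(object); }

    // *-property ("no write down"): the object must dominate the subject.
    static boolean canWrite(Label subject, Label object) { return object.dominates(subject); }

    public static void main(String[] args) {
        // Constructed sample labels, not taken from the page.
        Label doc = new Label(Level.TOP_SECRET, EnumSet.allOf(Compartment.class));
        Label gammaOnly = new Label(Level.TOP_SECRET, EnumSet.of(Compartment.GAMMA));
        Label secretAll = new Label(Level.SECRET, EnumSet.allOf(Compartment.class));

        System.out.println("gammaOnly reads doc:  " + canRead(gammaOnly, doc));
        System.out.println("secretAll reads doc:  " + canRead(secretAll, doc));
        System.out.println("secretAll writes doc: " + canWrite(secretAll, doc));
        System.out.println("labels comparable:    "
            + (gammaOnly.dominates(secretAll) || secretAll.dominates(gammaOnly)));
        System.out.println("join reads doc:       " + canRead(gammaOnly.join(secretAll), doc));
    }
}
```

The `gammaOnly` and `secretAll` labels are incomparable under `dominates`, which is why the structure is a lattice rather than a single ordered list of integers.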