- BLP enhanced with tranquility property
- Strong tranquility: security labels never change
- Weak tranquility: security label can only change if it does not violate “established security policy”
- Strong tranquility impractical in real world
- Often want to enforce “least privilege”
- Give users lowest privilege for current work
- Then upgrade as needed (and allowed by policy)
- This is known as the high water mark principle
- Weak tranquility allows for least privilege (high water mark), but the property is vague
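Added example (not part of the original slides): a minimal reference monitor showing the high water mark principle under weak tranquility. A subject starts at the lowest level, is upgraded only as far as its clearance allows, and is never downgraded. It assumes the standard BLP rules (no read up, no write down), which this section does not restate; the level names, the Subject class and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Constructed linear ordering of labels (an assumption, not from the slides)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass
class Subject:
    name: str
    clearance: Level                      # ceiling set by policy, never changes
    current: Level = Level.UNCLASSIFIED   # least privilege: start at the bottom

def read(s: Subject, obj: Level) -> bool:
    """No read up past the clearance; a permitted read may raise s.current."""
    if obj > s.clearance:
        return False                      # the upgrade would violate policy
    # Weak tranquility: the label changes, but only upward and within clearance.
    s.current = max(s.current, obj)       # high water mark
    return True

def write(s: Subject, obj: Level) -> bool:
    """No write down, judged against the current (high water mark) level."""
    return obj >= s.current

def demo() -> list:
    """Replay a constructed session; record (action, object, allowed, current)."""
    alice = Subject("alice", clearance=Level.SECRET)
    trace = []
    for action, obj in [
        ("write", Level.UNCLASSIFIED),    # allowed: nothing sensitive read yet
        ("read", Level.CONFIDENTIAL),     # raises current to CONFIDENTIAL
        ("read", Level.TOP_SECRET),       # denied: above clearance
        ("read", Level.SECRET),           # raises current to SECRET
        ("read", Level.UNCLASSIFIED),     # allowed, level does not drop
        ("write", Level.UNCLASSIFIED),    # denied: would leak what was read
        ("write", Level.SECRET),          # allowed
    ]:
        ok = read(alice, obj) if action == "read" else write(alice, obj)
        trace.append((action, obj.name, ok, alice.current.name))
    return trace

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The same write to an UNCLASSIFIED object is allowed before the SECRET read and denied after it, which is the practical cost of letting labels rise during a session.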
BLP: The Bottom Line
- BLP is simple, probably too simple
- BLP is one of the few security models that can be used to prove things about systems
- BLP has inspired other security models
- Most other models try to be more realistic
- Other security models are more complex
- Models difficult to analyze, apply in practice
Biba’s Model
- BLP for confidentiality, Biba for integrity
- Biba is (in a sense) the dual of BLP
- Integrity model
- Suppose you trust the integrity of O but not O
- If object O includes O and O then you cannot trust the integrity of O
- Integrity level of O is minimum of the integrity of any object in O
- Low water mark principle for integrity
Biba
- Let I(O) denote the integrity of object O and I(S) denote the integrity of subject S
- Biba can be stated as
Write Access Rule: S can write O if and only if I(O) I(S)
(if S writes O, the integrity of O that of S)
Biba’s Model: S can read O if and only if I(S) I(O)
(if S reads O, the integrity of S that of O)
- Often, replace Biba’s Model with