TL;DR
This guide explains how to combine Bell-LaPadula (confidentiality) and Biba (integrity) security models for a more robust system. We’ll cover the core principles of each, then show how they can work together to control access based on both data sensitivity and trustworthiness.
1. Understanding Bell-LaPadula
Bell-LaPadula is all about keeping secrets safe. It focuses on preventing unauthorised disclosure of information. It has two main rules:
- No Read Up (the simple security property): You can’t read data at a higher classification level than your clearance.
- No Write Down (the *-property): You can’t write data to a lower classification level than your clearance, so that secrets cannot leak into a less sensitive file.
Think of it like this:
- Classification Levels: Top Secret, Secret, Confidential, Unclassified
- If you have a ‘Secret’ clearance, you can read ‘Unclassified’, ‘Confidential’ and ‘Secret’, but not ‘Top Secret’.
- You can write to ‘Secret’ and ‘Top Secret’ (writing up is allowed), but not to ‘Confidential’ or ‘Unclassified’, because that would be a write down.
Simple Rule Example: If your security level is ‘Secret’, you cannot view a file classified as ‘Top Secret’.
2. Understanding Biba
Biba is the mirror image of Bell-LaPadula – it’s about ensuring data integrity, meaning keeping information correct and trustworthy, so its rules point the other way. It has two main rules:
- No Read Down: You can’t read data at a lower integrity level than your current integrity level.
- No Write Up: You can’t write data to a higher integrity level than your current integrity level.
Integrity Levels are often used to represent how much you trust the source of the information:
- Integrity Levels: Level 0 (Most Trustworthy), Level 1, Level 2, Level 3 (Least Trustworthy)
- If your integrity level is ‘Level 2’, you can read data at ‘Level 0’, ‘Level 1’ and ‘Level 2’ (at least as trustworthy as you), but not ‘Level 3’.
- You can write to ‘Level 2’ and ‘Level 3’, but not to ‘Level 0’ or ‘Level 1’, because a less trusted subject must not be able to contaminate more trusted data.
Simple Rule Example: If your integrity level is ‘Level 1’, you cannot modify a file with an integrity level of ‘Level 0’ (highly trusted data).
3. Combining Bell-LaPadula and Biba
Using both models together controls confidentiality and integrity at the same time. You need to satisfy both sets of rules to access or modify data, and because the two models pull in opposite directions a subject can both read and write the same object only when the object carries exactly the subject’s own classification and integrity levels.
- Access Control Matrix: Imagine a table where rows are users, columns are files, and cells indicate permissions based on classification & integrity levels.
- Combined Checks: Before allowing any operation (read/write), the system checks:
- Bell-LaPadula rules are met (no read up, no write down).
- Biba rules are met (no read down, no write up).
Example Scenario:
| User | Security Level | Integrity Level | File | Classification | Integrity | Read? | Write? |
|---|---|---|---|---|---|---|---|
| Alice | Secret | Level 2 | Report A | Confidential | Level 1 | Yes (both models satisfied) | No (Bell-LaPadula: No Write Down; Biba: No Write Up) |
| Bob | Top Secret | Level 0 | Report B | Secret | Level 2 | No (Biba: No Read Down) | No (Bell-LaPadula: No Write Down) |
| Carol | Confidential | Level 1 | Report C | Top Secret | Level 0 | No (Bell-LaPadula: No Read Up) | No (Biba: No Write Up) |
In this example only Alice gets any access, and only to read. Report A sits below her clearance (reading down is fine under Bell-LaPadula) and is more trustworthy than she is (reading up is fine under Biba), but writing to it would be both a write down and a write up. Bob’s clearance covers Report B, yet the file is less trustworthy than he is, so Biba blocks the read; Carol’s read fails on Bell-LaPadula alone, and her write fails on Biba because Report C is more trusted than she is.
4. Practical Implementation Considerations
- Labels: Each file needs two labels – a classification label (e.g., ‘Confidential’) and an integrity label (e.g., ‘Level 1’).
- User Profiles: Each user needs a security level and an integrity level assigned in their profile.
- Operating System Support: Some operating systems have built-in Mandatory Access Control (MAC) features that can be configured to implement these models. SELinux’s MLS policy enforces Bell-LaPadula style sensitivity levels, and Windows Mandatory Integrity Control enforces a Biba style no-write-up rule; neither gives you both models out of the box, so the combination usually has to be expressed in policy.
# Example SELinux policy snippet (simplified)
- Application Logic: Applications need to be designed to respect the access control rules enforced by the system. This often involves checking user credentials and file labels before performing any operations.
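To make the combined checks of section 3 and the dual labels of section 4 concrete, here is an added example in Python (not code from this guide, nor from SELinux or any other real MAC implementation) of a small reference monitor that evaluates a read or write against both models, reports every rule that would be violated, and builds the access-control matrix the guide describes. The class and function names are assumptions; the integrity numbering (Level 0 most trustworthy) and the three users and files are constructed to match the scenario table above.

```python
"""Reference monitor enforcing Bell-LaPadula and Biba together.

Added illustration for this guide; not taken from any real MAC system.
Names, the level numbering and the sample users/files are assumptions
constructed to match the guide's scenario table.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Bell-LaPadula confidentiality levels; larger value = more sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Dual label: a classification plus a Biba integrity level.

    Integrity follows the guide's numbering: 0 is the MOST trustworthy and
    3 the least, so a smaller number means higher integrity.
    """
    classification: Classification
    integrity: int


@dataclass(frozen=True)
class Subject:
    name: str
    label: Label


@dataclass(frozen=True)
class Obj:
    name: str
    label: Label


def denial_reasons(subject: Subject, obj: Obj, op: str) -> list[str]:
    """Return every rule the operation would violate (empty list = allowed).

    Both models must be satisfied. Each failing rule is reported so that an
    audit log can say *why* the reference monitor refused the request.
    """
    s, o = subject.label, obj.label
    reasons = []
    if op == "read":
        if o.classification > s.classification:
            reasons.append("Bell-LaPadula: no read up")
        if o.integrity > s.integrity:      # object is less trusted than subject
            reasons.append("Biba: no read down")
    elif op == "write":
        if o.classification < s.classification:
            reasons.append("Bell-LaPadula: no write down")
        if o.integrity < s.integrity:      # object is more trusted than subject
            reasons.append("Biba: no write up")
    else:
        raise ValueError(f"unknown operation {op!r}")
    return reasons


def is_allowed(subject: Subject, obj: Obj, op: str) -> bool:
    return not denial_reasons(subject, obj, op)


def access_matrix(subjects, objects) -> dict[tuple[str, str], set[str]]:
    """Build the access-control matrix: (user, file) -> set of permitted ops."""
    return {
        (s.name, o.name): {op for op in ("read", "write") if is_allowed(s, o, op)}
        for s in subjects
        for o in objects
    }


# Constructed sample matching the guide's scenario table (assumed data).
ALICE = Subject("Alice", Label(Classification.SECRET, 2))
BOB = Subject("Bob", Label(Classification.TOP_SECRET, 0))
CAROL = Subject("Carol", Label(Classification.CONFIDENTIAL, 1))
REPORT_A = Obj("Report A", Label(Classification.CONFIDENTIAL, 1))
REPORT_B = Obj("Report B", Label(Classification.SECRET, 2))
REPORT_C = Obj("Report C", Label(Classification.TOP_SECRET, 0))

if __name__ == "__main__":
    for subj, fil in ((ALICE, REPORT_A), (BOB, REPORT_B), (CAROL, REPORT_C)):
        for operation in ("read", "write"):
            why = denial_reasons(subj, fil, operation)
            verdict = "ALLOW" if not why else "DENY (" + "; ".join(why) + ")"
            print(f"{subj.name:5} {operation:5} {fil.name}: {verdict}")
```

Running the module prints one verdict per row of the scenario table; only Alice's read is allowed. Because the two models oppose each other, `access_matrix` yields both `read` and `write` for a (user, file) pair only when the file's labels equal the user's, which is the practical reason real deployments keep the integrity lattice small.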
5. Limitations
- Complexity: Implementing these models can be complex, especially in large systems.
- Overhead: Access control checks add overhead to every operation.
- Granularity: Defining appropriate classification and integrity levels requires careful consideration of the data’s sensitivity and trustworthiness.