Skip to content

Page091

Simple Security Property

The Simple security property states that there is “no read up”: a subject at a specific classification level cannot read an object at a higher classification level. Subjects with a Secret clearance cannot access Top Secret objects, for example.

*Security Property (Star Security Property)

The * Security Property is “no write down”: a subject at a higher classification level cannot write to a lower classification level. For example: subjects who are logged into a Top Secret system cannot send emails to a Secret system.

Strong and Weak Tranquility Property

Within the Bell-LaPadula access control model, there are two properties that dictate how the system will issue security labels for objects. The Strong Tranquility Property states that security labels will not change while the system is operating. The Weak Tranquility Property states that security labels will not change in a way that conflicts with defined security properties.

Lattice-Based Access Controls

Lattice-based access control allows security controls for complex environments. For every relationship between a subject and an object, there are defined upper and lower access limits implemented by the system. This lattice, which allows reaching higher and lower data classification, depends on the need of the subject, the label of the object, and the role the subject has been assigned. Subjects have a Least Upper Bound (LUB) and Greatest Lower Bound (GLB) of access to the objects based on their lattice position. Fig. 4.4 shows an example of a lattice-based access control model. At the highest level of access is the box labeled, “{Alpha, Beta, Gamma}.” A subject at this level has access to all objects in the lattice. At the second tier of the lattice, we see that each object has a distinct upper and lower allowable limit. For example, assume a subject has “{Alpha, Gamma}” access. The only viewable objects in the lattice would be the “Alpha” and “Gamma” objects. Both represent the greatest lower boundary. The subject would not be able to view object Beta.

Fig. 4.4