A Complete Generative Label Model for Lattice-Based Access Control Models
Lattice-based access control models (LBAC), initiated by the Bell-LaPadula (BLP) and Biba models and consolidated by Denning, have played a vital role in building secure systems via Information Flow Control (IFC). IFC systems typically label data and track labels, while allowing users to exercise appropriate access privileges; the policy is defined through a finite set of security classes ordered as a lattice. Recently, IFC has also been playing a crucial role in formally establishing the security of operating systems and programs. Towards such a goal, researchers often use assertions to keep track of the flow of information from one subject/object to another object/subject. Specifying and realizing these assertions would benefit greatly if the underlying labels of objects/subjects could be interpreted in terms of the access permissions/rights of subjects/objects as well as the subjects/objects that have influenced them; this would lead to the automatic generation of proof obligations/assertions. Thus, if one can arrive at a label model for LBAC that satisfies properties like (i) intuitive and expressive labels, (ii) completeness w.r.t. Denning's lattice model, and (iii) efficient computations on labels, then building/certifying secure systems using LBAC will benefit greatly.
In this paper, we arrive at such a semantic generative model (one that tracks the readers/writers of objects/subjects) for Denning's lattice model, and establish a strong correspondence between syntactic label policies and semantically labelled policies. This correspondence leads to the derivation of the recently proposed Readers-Writers Flow Model (RWFM). It may be noted that RWFM also deals with declassification rules, which are not discussed here as they are not relevant to this work. The relationship further establishes that the RWFM label model provides an application-independent concrete generative label model that is sound and complete w.r.t. Denning's model. We define the semantics of information flow in this label model, and argue that reading and writing induce possibly different pre-orders on the set of subjects. Hence, the subject relations become explicit, making it possible to derive relations from the labels. We further define a notion of information dominance on subjects and show that a principal hierarchy consistent with the IFC model can be defined naturally; this perhaps overcomes the adverse impact on the flow policy that is often experienced with the classical approach of defining the hierarchy orthogonally. This enables us to realize Role-Based Access Control (RBAC) structurally and enforce information flow security. Further, we demonstrate how the underlying label model succinctly subsumes various lattice-based access control models such as BLP, Biba, RBAC, and the Chinese wall model.
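The abstract describes labels that record the readers and writers of data, a flow relation and join on those labels, BLP and Biba as special cases, and reader/writer pre-orders on subjects derived from the labels. The following Python is an added illustration written for this page, not code from the paper or its authors. It assumes the readers/writers flow relation as published for RWFM (a flow may only shrink the reader set and grow the writer set, so the join intersects readers and unions writers); the BLP and Biba encodings, the `reader_dominates`/`writer_dominates` helpers, and the constructed clearance tables are this example's own constructions, included to show the subsumption and the two distinct subject pre-orders the abstract mentions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Label:
    """Readers/writers label: who owns the data, which subjects may read
    it, and which subjects have influenced (written to) it."""
    owner: str
    readers: FrozenSet[str]
    writers: FrozenSet[str]


def can_flow(src: Label, dst: Label) -> bool:
    """src -> dst is permitted iff nobody gains read access (dst's readers
    are a subset of src's) and every influencer of src is acknowledged as an
    influencer of dst (src's writers are a subset of dst's)."""
    return dst.readers <= src.readers and src.writers <= dst.writers


def join(a: Label, b: Label, owner: str = "*") -> Label:
    """Least upper bound: the label of data derived from both a and b.
    Readers are intersected, writers are unioned; `owner` is a placeholder."""
    return Label(owner, a.readers & b.readers, a.writers | b.writers)


# --- BLP (confidentiality) as readers/writers labels (constructed encoding) ---
def blp_label(level: int, clearance: Dict[str, int], owner: str = "*") -> Label:
    """Data at confidentiality `level` may be read by subjects cleared at or
    above it, and may be influenced by subjects cleared at or below it."""
    readers = frozenset(s for s, c in clearance.items() if c >= level)
    writers = frozenset(s for s, c in clearance.items() if c <= level)
    return Label(owner, readers, writers)


# --- Biba (integrity) as readers/writers labels (constructed encoding) ---
def biba_label(level: int, integrity: Dict[str, int], owner: str = "*") -> Label:
    """Data at integrity `level` may be read by subjects at or below it, and
    may be influenced only by subjects at or above it."""
    readers = frozenset(s for s, c in integrity.items() if c <= level)
    writers = frozenset(s for s, c in integrity.items() if c >= level)
    return Label(owner, readers, writers)


# --- Pre-orders on subjects induced by reading and by writing -----------------
def reader_dominates(s_hi: str, s_lo: str, labels: Iterable[Label]) -> bool:
    """s_hi can read everything s_lo can read, over the given labels."""
    return all(s_hi in lab.readers for lab in labels if s_lo in lab.readers)


def writer_dominates(s_hi: str, s_lo: str, labels: Iterable[Label]) -> bool:
    """s_hi can influence everything s_lo can influence, over the given labels."""
    return all(s_hi in lab.writers for lab in labels if s_lo in lab.writers)


# Constructed sample: three subjects, levels 1 (low) .. 3 (high).
CLEARANCE = {"alice": 3, "bob": 2, "carol": 1}   # BLP clearances
INTEGRITY = {"alice": 3, "bob": 2, "carol": 1}   # Biba integrity levels


def blp_flows() -> Dict[str, bool]:
    low, high = blp_label(1, CLEARANCE), blp_label(2, CLEARANCE)
    return {"low_to_high": can_flow(low, high), "high_to_low": can_flow(high, low)}


def biba_flows() -> Dict[str, bool]:
    low, high = biba_label(1, INTEGRITY), biba_label(3, INTEGRITY)
    return {"high_to_low": can_flow(high, low), "low_to_high": can_flow(low, high)}


def subject_orders() -> Dict[str, bool]:
    labels = [blp_label(lv, CLEARANCE) for lv in (1, 2, 3)]
    return {
        "alice_reads_over_bob": reader_dominates("alice", "bob", labels),
        "bob_reads_over_alice": reader_dominates("bob", "alice", labels),
        "carol_writes_over_bob": writer_dominates("carol", "bob", labels),
        "bob_writes_over_carol": writer_dominates("bob", "carol", labels),
    }


if __name__ == "__main__":
    print("BLP :", blp_flows())      # upward flow allowed, downward denied
    print("Biba:", biba_flows())     # downward flow allowed, upward denied
    print("orders:", subject_orders())
```

The BLP and Biba encodings show the subsumption claim in miniature: the same `can_flow` predicate yields "no read up / no write down" for one and the reversed integrity rule for the other, purely from how readers and writers are populated. The `subject_orders` result shows the two pre-orders pulling in opposite directions: alice dominates bob as a reader, while carol dominates bob as a writer.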
Keywords: MAC, DAC, LBAC, RBAC, Chinese wall
The work was done as part of Information Security Research and Development Centre (ISRDC) at IIT Bombay, funded by MEITY, Government of India.