Bell-LaPadula model

The Bell-LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access
control in government and military applications. It was developed by David Elliott Bell and Leonard J.
LaPadula, subsequent to strong guidance from Roger R. Schell to formalize the U.S. Department of
Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of
computer security policy that describes a set of access control rules which use security labels on
objects and clearances for subjects. Security labels range from the most sensitive (e.g."Top Secret"),
down to the least sensitive (e.g., "Unclassified" or "Public").

The Bell-LaPadula model is an example of a model where there is no clear distinction of protection
and security.

Features

The Bell-LaPadula model focuses on data confidentiality and controlled access to classified
information, in contrast to the Biba Integrity Model which describes rules for the protection of data
integrity. In this formal model, the entities in an information system are divided into subjects and
objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves
security by moving from secure state to secure state, thereby inductively proving that the system
satisfies the security objectives of the model. The Bell-LaPadula model is built on the concept of a
state machine with a set of allowable states in a computer network system. The transition from one
state to another state is defined by transition functions.

A system state is defined to be "secure" if the only permitted access modes of subjects to objects are
in accordance with a security policy. To determine whether a specific access mode is allowed, the
clearance of a subject is compared to the classification of the object (more precisely, to the
combination of classification and set of compartments, making up the security level) to determine if
the subject is authorized for the specific access mode. The clearance/classification scheme is
expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one
discretionary access control (DAC) rule with three security properties:

1. The Simple Security Property - a subject at a given security level may not read an object at a
higher security level (no read-up).

2. The *-property (read "star"-property) - a subject at a given security level must not write to
any object at a lower security level (no write-down). The *-property is also known as the
Confinement property.

3. The Discretionary Security Property - use of an access matrix to specify the discretionary
access control.

The transfer of information from a high-sensitivity document to a lower-sensitivity document may

happen in the Bell-LaPadula model via the concept of trusted subjects. Trusted Subjects are not
restricted by the *-property. Untrusted subjects are. Trusted Subjects must be shown to be
trustworthy with regard to the security policy. This security model is directed toward access control
and is characterized by the phrase: "no read up, no write down." Compare the Biba model, the Clark-
Wilson model and the Chinese Wall model.

With Bell-LaPadula, users can create content only at or above their own security level (i.e. secret
researchers can create secret or top-secret files but may not create public files; no write-down).
Conversely, users can view content only at or below their own security level (i.e. secret researchers
can view public or secret files, but may not view top-secret files; no read-up).

The Bell-LaPadula model explicitly defined its scope. It did not treat the following extensively:

• Covert channels. Passing information via pre-arranged actions was described briefly.

• Networks of systems. Later modeling work did address this topic.

• Policies outside multilevel security. Work in the early 1990s showed that MLS is one version
of boolean policies, as are all other published policies.

Limitations

• Only addresses confidentiality, control of writing (one form of integrity), *-property and
discretionary access control

• Covert channels are mentioned but are not addressed comprehensively

• The tranquility principle limits its applicability to systems where security levels do not change
dynamically. It allows controlled copying from high to low via trusted subjects.

Government classification

The purpose of classification is ostensibly to protect information from being used to damage or
endanger national security. Classification formalises what constitutes a "state secret" and accords
different levels of protection based on the expected damage the information might cause in the
wrong hands.

Classification levels

Although the classification systems vary from country to country, most have levels corresponding to
the following British definitions (from the highest level to lowest):

Top Secret (TS)

The highest level of classification of material on a national level. Such material would cause
"exceptionally grave damage" to national security if made publicly available.

Secret
Such material would cause "grave damage" to national security if it were publicly available.
Confidential
Such material would cause "damage" or be "prejudicial" to national security if publicly available.

Restricted
Such material would cause "undesirable effects" if publicly available. Some countries do not have
such a classification.

Unclassified
Technically not a classification level, but is used for government documents that do not have a
classification listed above. Such documents can sometimes be viewed by those without security
clearance.

Clearance

Depending on the level of classification there are different rules controlling the level of clearance
needed to view such information, and how it must be stored, transmitted, and destroyed.
Additionally, access is restricted on a "need to know" basis. Simply possessing a clearance does not
automatically authorize the individual to view all material classified at that level or below that level.
The individual must present a legitimate "need to know" in addition to the proper level of clearance.

Buffer Overflow and SQL Injection Examples

/*This program shows an example of how a static

buffer overrun can be used to execute arbitrary code. Its
objective is to find an input string that executes the function bar.
*/

#include <stdio.h>
#include <string.h>

void foo(const char* input)

{
char buf[10];

//What? No extra arguments supplied to printf?

//It's a cheap trick to view the stack 8-)
//We'll see this trick again when we look at format strings.
printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");

//Pass the user input straight to secure code public enemy #1.
strcpy(buf, input);
printf("%s\n", buf);

printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");

}

void bar(void)
{
printf("Augh! I've been hacked!\n");
}

int main(int argc, char* argv[])

{
//Blatant cheating to make life easier on myself
printf("Address of foo = %p\n", foo);
printf("Address of bar = %p\n", bar);
foo(argv[1]);
return 0;
}
/*
ArrayIndexError.cpp
*/

#include <stdio.h>
#include <stdlib.h>

int* IntVector;

void bar(void)
{
printf("Augh! I've been hacked!\n");
}

void InsertInt(unsigned long index, unsigned long value)

{
//We're so sure that no one would ever pass in
//a value more than 64 KB that we're not even going to
//declare the function as taking unsigned shorts
//or check for an index out of bounds - doh!
printf("Writing memory at %p\n", &(IntVector[index]));

IntVector[index] = value;
}

bool InitVector(int size)

{
IntVector = (int*)malloc(sizeof(int)*size);
printf("Address of IntVector is %p\n", IntVector);

if(IntVector == NULL)
return false;
else
return true;
}

int main(int argc, char* argv[])

{
unsigned long index, value;

if(argc != 3)
{
printf("Usage is %s [index] [value]\n");
return -1;
}

printf("Address of bar is %p\n", bar);

//Let's initialize our vector - 64 KB ought to be enough for

//anyone <g>.
if(!InitVector(0xffff))
{
printf("Cannot initialize vector!\n");
return -1;
}
index = atol(argv[1]);
value = atol(argv[2]);

InsertInt(index, value);
return 0;
}
/* a.c */
#include <stdio.h>
int main(int argc, char **argv)

{
char *buf1, *buf2, *buf3;
if(argc == 1) {
printf("\nThis program takes a string as an arguement.\n");
return(0);
}
buf1 = (char *) malloc(56);
buf2 = (char *) malloc(56);
buf3 = (char *) malloc(56);

strcpy(buf2,"CCCCCCCCCCCCCCCC");
strcpy(buf1, argv[1]);
printf("\n%s\n", buf1);
free(buf2);
free(buf1);
strcpy(buf3, "END OF PROGRAM");
printf("\n%s\n", buf3);

free(buf3);

return(0);

SQL INJECTION

SELECT fieldlist
FROM table
WHERE field = '$EMAIL';

SELECT email, passwd, login_id, full_name

FROM members
WHERE email = 'x'; DROP TABLE members; --';

SELECT email, passwd, login_id, full_name

FROM members
WHERE email = 'x';
INSERT INTO members ('email','passwd','login_id','full_name')
VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--';