
SIMULATION OF MANDATORY ACCESS CONTROL (MAC)

AND LATTICE-BASED ACCESS CONTROL (LBAC)

INFORMATION SECURITY MODEL

BY:

ADEWUNMI AFEEZ AYOKUNLE

181346

SUPERVISED BY:

PROF. (MRS) O.D FENWA

SUBMITTED TO:

THE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING,

FACULTY OF ENGINEERING AND TECHNOLOGY.

LADOKE AKINTOLA UNIVERSITY OF TECHNOLOGY, OGBOMOSO, OYO STATE.

IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF BACHELOR

(B.TECH.) IN COMPUTER SCIENCE

DECEMBER, 2022

DEDICATION

This project work is dedicated to Almighty God

ACKNOWLEDGEMENT

My sincere gratitude goes to our supervisor, Prof. (Mrs) O.D. Fenwa, who has been the backbone of this project. I also appreciate our lovely parents for their financial support towards the success of this programme, and I would also like to extend our profound gratitude to the Department of Computer Science and Engineering, LAUTECH, for the privilege given to us.

ABSTRACT

This project discusses the realization of mandatory access control in role-based protection systems. Starting from the basic definitions of roles, their application in security and the basic concept of mandatory access control, we develop a scheme of role-based protection that realizes mandatory access control. The basis of this formulation is the recognition that roles can be seen as facilitating access to some given information context. By handling each role context as an independent security level of information, we simulate mandatory access control by imposing its requirements on those contexts. Among the key considerations, we propose a means of taming Trojan horses by imposing acyclic information flow among the contexts of a role-based protection system. The acyclic information flow, together with suitable access rules, provides the secrecy that is an essential component of mandatory access control.

Contents

DEDICATION

ACKNOWLEDGEMENT

ABSTRACT

CHAPTER ONE: INTRODUCTION

CHAPTER TWO: STATEMENT OF PROBLEM AND SOLUTION

CONCLUSIONS

REFERENCES

CHAPTER ONE

INTRODUCTION

The mandatory access control (MAC) model is an important security model. Based on the lattice model of security levels and the Bell-LaPadula model, the definition of the MAC security model is formally described in detail. An equivalent MAC security model described by colored Petri nets (CPN) is proposed. From the state reachability graph, four security properties of the MAC model are explored at length: the temporal relations between accesses, the reachability of objects when a subject accesses them, hidden security holes due to the dynamic security level of a trusted subject, and the indirect inference of confidential information flow between different objects.

In addition, an example of the security model is illustrated, and the conclusions show that a security model based on Petri nets is not only a concise graphical analysis method but is also well suited to formal verification. Such a model can efficiently improve the security policy as a whole during system security design and implementation. A system's security policy controls where a process can attach channels in the path space, defines which abilities are assigned to its processes, and controls which processes can connect to which others.

Access control is a mechanism used to secure a system by limiting the actions available to a process. Sandboxing, in contrast, constrains code with virtual walls, protecting it from being accessed and damaged. The two measures work well together. A security policy sets out the conditions for access and allows access only when they are met.

Mandatory access control (MAC) is policy-driven, with rules that enforce relationships between processes, channels, and paths. For example, rules control which processes can connect to a channel, and which specific paths a process may attach to in the path space.

Role-based security provides a flexible means of managing large numbers of access rights, especially for large database systems. A role is defined in terms of privileges, where a privilege is a unit of access to system information; a role is a named collection of such privileges (Baldwin (1990), Krishnamurthy & McGuffin (1992), Nyanchama & Osborn (1994a)). User-role authorization grants the user access to the role's privileges. Role-based protection eases the administration of privileges because of the flexibility with which roles can be created and recognized.

CHAPTER TWO

STATEMENT OF PROBLEM AND SOLUTION

2.1 STATEMENT OF PROBLEM

Simulation of the mandatory access control (MAC) and lattice-based access control (LBAC) information security model, using (colored) Petri nets as the modelling language.

2.2 SOLUTION

2.2.1 Mandatory Access Control Model

The MAC model includes two kinds of entities: objects and subjects. Objects are mainly passive entities (files, storage areas), while subjects are mainly active entities (processes, users). Subjects obtain information by accessing objects.

An evident peculiarity of the MAC model is that every subject and every object is assigned a security level. The system security administrator determines a subject's access mode by comparing the security level of the subject with that of the object. Unlike the DAC model, subjects have no privilege to decide the rights granted when accessing objects.

2.2.2. Multi-Level Security

Multi-Level Security (MLS) has a long tradition in military environments and is a basic requirement for the A and B security classes of the TCSEC. The MAC model is based on security classes, which involve two concepts: security domains and security levels. For convenience, we first introduce the concepts of partially ordered set and lattice.

The pair (R, ≤) is a partially ordered set if ≤ is a reflexive, anti-symmetric and transitive relation on the set R. A partially ordered set (R, ≤) is called a lattice if for every x, y ∈ R there exist a least upper bound x ∨ y ∈ R and a greatest lower bound x ∧ y ∈ R.

A security domain denotes the legal active range of information. If D0 denotes a finite set of all domains and

2.2.3. MAC model

According to the lattice model of MLS and the Bell-LaPadula model, we introduce the formal definition of the MAC model. The two access rules are:

i. No-read-up

ii. No-write-down

No-read-up forbids a subject from reading an object whose security level is above the subject's own; no-write-down forbids a subject from writing to an object whose security level is below the subject's own. Together these rules confine information flow to the direction from low to high.

2.2.4 The Mandatory Access Control Model

The MAC model is a six-tuple M = (S, O, A, L, f, R), such that:

S is the set of subjects.

O is the set of objects.

A is the access mode function, giving the modes in which subjects access objects: A: S × O → {∅, {read}, {write}, {read, write}}.

L is the set of security levels, where (L, ≤) is a lattice.

f is the security function, which maps each subject and each object to a security level.

R is the set of security rules prescribing the constraints under which subjects may access objects. Every access must obey the two constraints: no-read-up and no-write-down.


2.2.5 Trusted and Untrusted Subjects

In the MAC model the security level of a subject is a range (minL, maxL). If minL < maxL the subject is called a trusted subject; if minL = maxL it is called an untrusted subject.
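A worked example of Sections 2.2.2 to 2.2.5, added here and not part of the original project text or of the papers it draws on: a small Bell-LaPadula reference monitor in Python over a security lattice whose points are (classification, category set) pairs. The classifications U < C < S < TS are those used in the ESM example later in the report; the category name, the object names and the two subjects are constructed for illustration. The write check also shows the dynamic-level hole the introduction mentions: a trusted subject that reads at maxL and then lowers its current level can write what it read into a low object unless the monitor remembers what the subject has already read.

```python
from dataclasses import dataclass

# Classifications in the order the report uses: U < C < S < TS.
CLASS_RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}
RANK_CLASS = {v: k for k, v in CLASS_RANK.items()}


@dataclass(frozen=True)
class Level:
    """A point of the security lattice: classification plus a set of categories.
    l1 dominates l2 iff class(l1) >= class(l2) and cats(l1) is a superset of cats(l2)."""
    cls: str
    cats: frozenset = frozenset()

    def dominates(self, other):
        return CLASS_RANK[self.cls] >= CLASS_RANK[other.cls] and self.cats >= other.cats


def lub(a, b):
    """Least upper bound in the lattice: higher classification, union of categories."""
    return Level(RANK_CLASS[max(CLASS_RANK[a.cls], CLASS_RANK[b.cls])], a.cats | b.cats)


class MACViolation(Exception):
    pass


class Subject:
    """Subject with level range (minL, maxL) as in Section 2.2.5: minL == maxL is an
    untrusted subject, minL < maxL a trusted one that may move curL inside the range."""

    def __init__(self, name, min_level, max_level):
        if not max_level.dominates(min_level):
            raise ValueError("maxL must dominate minL")
        self.name, self.min_level, self.max_level = name, min_level, max_level
        self.cur_level = max_level
        self.high_water = None  # lub of every object level read so far in this session

    def set_level(self, level):
        if not (level.dominates(self.min_level) and self.max_level.dominates(level)):
            raise MACViolation(f"{self.name}: {level} lies outside [minL, maxL]")
        self.cur_level = level


class ReferenceMonitor:
    """Mediates every access against the two rules of Section 2.2.3."""

    def __init__(self):
        self.objects = {}  # object name -> Level, assigned by the administrator

    def label(self, obj, level):
        self.objects[obj] = level

    def read(self, s, obj):
        obj_level = self.objects[obj]
        if not s.cur_level.dominates(obj_level):  # no-read-up
            raise MACViolation(f"{s.name} may not read {obj}: no-read-up")
        s.high_water = obj_level if s.high_water is None else lub(s.high_water, obj_level)
        return True

    def write(self, s, obj, high_water_check=True):
        obj_level = self.objects[obj]
        if not obj_level.dominates(s.cur_level):  # no-write-down
            raise MACViolation(f"{s.name} may not write {obj}: no-write-down")
        # Hole of the dynamic level: a trusted subject reads at maxL, lowers curL, and the
        # plain rule lets it write down.  The target must also dominate what was read.
        if high_water_check and s.high_water is not None and not obj_level.dominates(s.high_water):
            raise MACViolation(f"{s.name} may not write {obj}: leaks data read at {s.high_water}")
        return True


def allowed(fn, *args, **kwargs):
    """True if the monitor grants the access, False if it rejects it."""
    try:
        return fn(*args, **kwargs)
    except MACViolation:
        return False


def demo():
    """Runs the constructed scenario and returns every decision by name."""
    rm = ReferenceMonitor()
    rm.label("plan.txt", Level("S", frozenset({"nuclear"})))  # constructed objects
    rm.label("public.txt", Level("U"))
    alice = Subject("alice", Level("C"), Level("C"))                       # untrusted
    bob = Subject("bob", Level("U"), Level("TS", frozenset({"nuclear"})))  # trusted
    out = {}
    out["alice_reads_public"] = allowed(rm.read, alice, "public.txt")    # U below C
    out["alice_reads_plan"] = allowed(rm.read, alice, "plan.txt")        # read-up refused
    out["alice_writes_public"] = allowed(rm.write, alice, "public.txt")  # write-down refused
    out["alice_writes_plan"] = allowed(rm.write, alice, "plan.txt")      # write-up allowed
    out["bob_reads_plan"] = allowed(rm.read, bob, "plan.txt")
    bob.set_level(Level("U"))                                            # drop to minL
    out["bob_write_down_plain"] = allowed(rm.write, bob, "public.txt", high_water_check=False)
    out["bob_write_down_checked"] = allowed(rm.write, bob, "public.txt")
    return out
```

The high-water mark is the standard way of closing the hole for a subject whose current level can move: the level of the target must dominate the least upper bound of everything the subject has read, not only its current level. An untrusted subject never triggers it, because its current level cannot change.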

2.3 Colored Petri Nets

A Petri net, as a formal tool, has a well-defined rigorous semantics and can be used efficiently to model and verify the security properties of a system model.

Colored Petri Nets (CPN) extend Petri nets by allowing tokens to carry colors, i.e. values of data types defined in the functional programming language SML. Additionally, transitions and arcs can be augmented with guards and expressions, respectively.

A CPN is a nine-tuple (Σ, P, T, A, N, C, G, E, I) satisfying the following requirements:

• Σ is a finite set of non-empty types, called color sets.

• P is a finite set of places.

• T is a finite set of transitions.

• A is a finite set of arcs, with P ∩ T = P ∩ A = T ∩ A = ∅.

• N is a node function: N: A → (P × T) ∪ (T × P).

• C is a color function: C: P → Σ.

• G is a guard function, defined from the transition set T into expressions, such that ∀t ∈ T: [Type(G(t)) = Boolean ∧ Type(Var(G(t))) ⊆ Σ].

• E is an arc expression function, defined from the arc set A into expressions, such that ∀a ∈ A: [Type(E(a)) = C(p(a))_MS ∧ Type(Var(E(a))) ⊆ Σ], where p(a) is the place of N(a).

• I is an initialization function, defined from P into closed expressions, such that ∀p ∈ P: [Type(I(p)) = C(p)_MS].
A binding of a transition t is a function b defined on Var(t) such that:

∀v ∈ Var(t): b(v) ∈ Type(v), and G(t)<b> holds,

where expr<b> denotes the evaluation of the expression expr in the binding b. Let B(t) denote the set of all bindings for transition t.

A token element is a pair (p, c) where p ∈ P and c ∈ C(p), while a binding element is a pair (t, b) where t ∈ T and b ∈ B(t). The set of all token elements is denoted by TE and the set of all binding elements by BE.

A marking is a multi-set over TE, while a step is a finite multi-set over BE.

A finite occurrence sequence is a sequence of markings and steps

M1[Y1>M2[Y2>M3 … Mn[Yn>Mn+1

such that n ∈ N and Mi[Yi>Mi+1 for all i ∈ {1, …, n}. A marking M' is reachable from a marking M iff there exists a finite occurrence sequence starting in M and ending in M', i.e. iff for some n ∈ N there exists a sequence of steps Y1 Y2 … Yn such that M[Y1 Y2 … Yn>M'.

The set of markings reachable from M is denoted by [M>, and M[Y1 Y2 … Yn>M' may be written compactly as M[*>M'.

The reachability graph of a CPN is the directed graph OG = (V, A, N) whose nodes V are the reachable markings and whose arcs A are the steps leading from one marking to the next.

2.4 Using CPNs to Describe the MAC Model

2.4.1 Entity Security Model

To describe the MAC model with a CPN, we first introduce the concept of the Entity Security Model (ESM). Similar to the entity model of databases, the ESM is close to the realistic MAC model, whereas the MAC model described by a CPN is more abstract. As shown in Fig. 1, the ESM is the intermediate output in converting the MAC model into a CPN model with equivalent semantics.

[Fig. 1. Entity security model: MAC model → ESM → CPN model (equivalent semantics)]

Let O be the object set of the MAC model. An ESM is a four-tuple (E, R, f, L) such that:

• E ⊆ O is the set of entities of the security model.

• R ⊆ E × E is the set of subordinate relations between entities.

• f and L are as in the MAC model of Section 2.2.4.

Fig. 2. Entity Security Model

As an example, an ESM is shown in Fig. 2. The elements of this ESM are:

E = {institute, Prof.1, Prof.2, project, symposium};

R = {member, research, attend, subject, director};

L = {U, C, S, TS}, with U < C < S < TS; f(institute) = U, f(Prof.1) = U, etc.

A security class is assigned to every object by the system administrator. The classes obey U < C < S < TS and so form a (totally ordered) lattice.

2.4.2 Reachability Graph of the MAC Model

After modelling the system with a CPN, existing analysis techniques and tools can be used to verify the security properties. In the net:

Transitions T denote the R elements of the ESM.

Color sets Σ = {L, Access_mode, PR}, where L is the security class, Access_mode is the access mode in which subjects access objects, and PR is the product L × L × Access_mode.

Variables maxL and curL denote the maximal and current security class of a subject respectively, and objL denotes the security class of an object.
[Fig. 3. Reachability graph for a trusted subject: markings shown as bit-vectors, joined by transitions t1 to t6; the graph itself is not recoverable from the extracted text]

[Fig. 4. Reachability graph for an un-trusted subject: markings shown as bit-vectors, joined by transitions t1 to t6; the graph itself is not recoverable from the extracted text]

CONCLUSIONS

We have presented in this project an emulation of mandatory access control using role-based protection. We made the key observation that in MAC we are interested in both the integrity and the secrecy of information. Thus in MAC, information flow must be acyclic. We also observed that MAC requires subject and object attributes as the basis for granting authorization. Moreover, such authorizations must observe the reference monitor principle.

Consequently, to realize MAC using role-based protection, we view each role context as a security level and ensure that the information flows caused either by role execution or by user-role authorization are acyclic. We proposed a number of access constraints that realize the equivalent of the Bell and LaPadula no-read-up and no-write-down rules. Moreover, user labels are determined by authorization, while subject labels are the bona fide privileges on the object.
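The acyclic-flow requirement of the conclusion, worked through in Python as an added example that is neither the report's own scheme nor code from the cited papers: build the information-flow graph between role contexts from what each role reads and writes, reject it if the graph has a cycle (the channel a Trojan horse running in one role could use to pass information back around), and otherwise derive a security level for each role from a topological order together with a label for each object that satisfies no-read-up and no-write-down. Roles, objects and their privileges are constructed for illustration; the level assignment by longest path is one of several valid choices.

```python
from collections import defaultdict, deque


def flow_graph(roles):
    """roles: {role: {"reads": set(objects), "writes": set(objects)}}.
    Information flows from role a to role b when a writes an object that b reads."""
    writers = defaultdict(set)
    for role, ctx in roles.items():
        for obj in ctx["writes"]:
            writers[obj].add(role)
    graph = {role: set() for role in roles}
    for role, ctx in roles.items():
        for obj in ctx["reads"]:
            for writer in writers[obj]:
                if writer != role:
                    graph[writer].add(role)
    return graph


def topological_levels(graph):
    """Kahn's algorithm.  Returns (levels, cycle): levels maps each role to an integer
    with level(a) < level(b) for every flow a -> b and cycle is empty; or levels is
    None and cycle is the set of roles left inside a cycle."""
    indegree = {v: 0 for v in graph}
    for v in graph:
        for w in graph[v]:
            indegree[w] += 1
    queue = deque(v for v in graph if indegree[v] == 0)
    levels, done = {v: 0 for v in queue}, 0
    while queue:
        v = queue.popleft()
        done += 1
        for w in graph[v]:
            levels[w] = max(levels.get(w, 0), levels[v] + 1)  # longest path so far
            indegree[w] -= 1
            if indegree[w] == 0:
                queue.append(w)
    if done < len(graph):
        return None, {v for v in graph if indegree[v] > 0}
    return levels, set()


def object_labels(roles, levels):
    """Give every object a level at least that of all its writers (no-write-down holds)
    and at most that of all its readers (no-read-up holds).  Acyclicity guarantees the
    interval is non-empty; the lowest admissible level is chosen."""
    labels = {}
    objects = {o for ctx in roles.values() for o in ctx["reads"] | ctx["writes"]}
    for obj in sorted(objects):
        lo = max((levels[r] for r, c in roles.items() if obj in c["writes"]), default=0)
        hi = min((levels[r] for r, c in roles.items() if obj in c["reads"]), default=lo)
        assert lo <= hi, f"{obj}: a writer sits above a reader, flow graph was cyclic"
        labels[obj] = lo
    return labels


def violations(roles, levels, labels):
    """Check the Bell-LaPadula rules against the derived role levels and object labels."""
    bad = []
    for role, ctx in roles.items():
        bad += [(role, "read-up", o) for o in ctx["reads"] if levels[role] < labels[o]]
        bad += [(role, "write-down", o) for o in ctx["writes"] if levels[role] > labels[o]]
    return bad


def analyse(roles):
    """Either the roles caught in a cycle, or the derived levels, labels and rule violations."""
    levels, cycle = topological_levels(flow_graph(roles))
    if cycle:
        return {"cycle": cycle}
    labels = object_labels(roles, levels)
    return {"cycle": set(), "levels": levels, "labels": labels,
            "violations": violations(roles, levels, labels)}


# Constructed role contexts: an acyclic chain, and the same chain with one extra
# write by the director that closes a cycle through the bulletin.
ACYCLIC = {
    "intern":   {"reads": {"bulletin"},          "writes": {"draft"}},
    "analyst":  {"reads": {"bulletin", "draft"}, "writes": {"report"}},
    "director": {"reads": {"report"},            "writes": {"memo"}},
}
CYCLIC = {**ACYCLIC, "director": {"reads": {"report"}, "writes": {"memo", "bulletin"}}}
```

For ACYCLIC the roles come out at levels 0, 1 and 2 and the derived labels satisfy both rules with no violation. For CYCLIC the director's write to the bulletin feeds information read by the intern, whose draft the analyst reads, whose report the director reads: no role has zero in-degree, so Kahn's algorithm stalls and all three roles are reported as lying on the cycle. That is the situation the scheme refuses, because a Trojan horse executing in any of the three roles could route high information back down to the bulletin.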

REFERENCES

R. W. Baldwin. Naming and Grouping Privileges to Simplify Security Management in Large Databases. In Proc. 1990 Symposium on Research in Security and Privacy, pages 116-132. IEEE Computer Society Press, May 1990.

D. E. Bell and L. J. LaPadula. Secure Computer Systems: Unified Exposition and Multics Interpretation. Technical Report MTIS AD-A023588, MITRE Corporation, July 1975.

D. D. Clark and D. R. Wilson. A Comparison of Commercial and Military Security Policies. In Proc. 1987 Symposium on Research in Security and Privacy, pages 184-194. IEEE Computer Society Press, April 1987.

D. E. Denning and P. J. Denning. Certification of Programs for Secure Information Flow. Communications of the ACM, 20(7):504-513, July 1977.

D. E. Denning. Commutative Filters for Reducing Inference Threats in Multilevel Database Systems. In Proc. 1985 Symposium on Research in Security and Privacy. IEEE Computer Society Press, April 1985.

J. E. Dobson and J. A. McDermid. Security Models and Enterprise Models. In Landwehr, editor, Database Security II: Status and Prospects, pages 1-39. North-Holland, 1989.

D. E. Denning and W. Shockley. Discussion: Pros and Cons of the Various Approaches. In T. F. Lunt, editor, Research Directions in Database Security, pages 97-103. Springer-
