HAL Id: hal-02545660
https://hal.archives-ouvertes.fr/hal-02545660
Submitted on 17 Apr 2020
A full formalisation of the Bell and La Padula security model
Emmanuel Gureghian, Thérèse Hardin, Mathieu Jaume
To cite this version:
Emmanuel Gureghian, Thérèse Hardin, Mathieu Jaume. A full formalisation of the Bell and La Padula security model. [Research Report] lip6.2003.006, LIP6. 2003. ⟨hal-02545660⟩
E. Gureghian, Th. Hardin, M. Jaume
Abstract
Information access control programs are based on a security policy model. Flaws in them may come from a lack of precision or some incoherences in the policy model, or from inconsistencies between the model and the code. In this paper, we build a full mechanized formalization of the well-known Bell and La Padula policy model, checking all the steps of the proofs. Then, we automatically derive a program for the access controls considered in this model. Such a program implements a transition function which has been formally proved sound according to the three security properties involved in the Bell and La Padula model. All the work is done within Coq, a theorem prover based on a very strong type theory.
Keywords: security policy, Bell and La Padula model, formal methods
1 Introduction
Security of information systems has become a major problem of our societies and a well-established field of computer science. Research themes involve access control mechanisms, modeling of information flow and its applications to confidentiality policies [10], mobile code security, cryptographic protocols, etc. The methods used to consider these questions are evolving, just as the ones used in the safety area, where ad-hoc and empirical approaches were progressively replaced by more formal methods. High levels of safety require that the requirement/specification phase be done using mathematical models, allowing mechanized proofs of the required properties. In the same way, assurance in the security of systems asks for the use of true formal methods along the process of software development, starting at the specification level.
Computer information security is usually seen as the combination of three classes of properties: confidentiality (denying unauthorised accesses), integrity (denying unauthorised modifications of information) and availability (denying unauthorised uses of resources). To promote the conception of trusted systems, security evaluation criteria have been elaborated by government agencies, for example the Trusted Computer Security Evaluation Criteria (1983) (TCSEC), the Information Technology Security Evaluation Criteria (1991) (ITSEC) and the Common Criteria (1999), which are a collection of normative documents. These criteria provide both a framework for the software industry to ensure that software has been carefully designed and a reference for its customers. A product evaluation and certification against the Common Criteria framework is built according to two hypotheses. The first one is the "protection profile", that is, under which conditions the evaluated product is supposed to be used. The second one is its level of assurance, which is simply the level of trust the system can receive according to the way it was developed. A good security level can be reached if the product is evaluated at an assurance level greater than EAL-5, which requires the use of a mandatory formal policy model in order to achieve an acceptable level of confidentiality. Mandatory access control (MAC), contrary to discretionary access controls (DAC) such as access control lists (ACL), is managed and enforced by the underlying system rather than by an authorized user.
(Authors' affiliation: SPI-LIP6, University Paris 6, France.)
Such a policy model must be precise and unambiguous and thus must be described in a mathematical formalism. This is the case for the Bell and La Padula model [2]. It is exposed in four successive refinements: the mathematical foundations, the mathematical model, a refinement of the mathematical model and a unified exposition together with a Multics interpretation [3]. Note that such a model is only concerned with confidentiality. Nevertheless, the Biba integrity formal model is very close to the Bell and La Padula one and is also considered in the same protection profile [13].
Having a mathematical model drawn by hand is a very serious way to increase confidence. But this is not enough. Attempts to check proofs done by hand with a theorem prover have thrown away a lot of them. Often, the errors are introduced by points considered as evident details or by forgotten cases. In this paper, we give a formal description of the Bell and La Padula model, checked by the theorem prover Coq [15]. From this specification, an implementation is automatically extracted and thus fully certified. It is the transition function of an abstract state machine.
In this paper, we expose the model, the code and the proofs. However, as all readers are perhaps not very acquainted with Coq, we describe the specification and the proofs in a quite usual mathematical language, in fact very close to Coq syntax. The complete implementation is available on the site http://www-spi.lip6.fr/~jaume/. In the following, we first give a short presentation of Coq, which is a higher-order logic proof assistant implementing the calculus of inductive constructions [7] and which allows programs to be extracted from proofs [14]. Then, we give a full description of the Bell and La Padula model and of its implementation. We assume the reader familiar with the Bell and La Padula model as presented in [2]. A more general discussion on it, together with a survey on security models, can be found in [12].
2 A (very) brief description of Coq
We use here version 7.3 of the proof assistant Coq, which allows the interactive development of formal proofs. In order to make this paper more readable, we adopt here a pseudo-Coq syntax which differs slightly from the usual Coq syntax. The Coq tool is based on a logical framework known as the calculus of inductive constructions, which is an extension of a typed $\lambda$-calculus supporting dependent types, polymorphic types, and type constructors. The basic idea underlying this logical framework, based on the Curry-Howard isomorphism, is that a proof of a proposition can be seen as a functional object. For instance, a proof of a proposition of the form $A \Rightarrow B$ is a function mapping every proof of $A$ to a proof of $B$. The type of this function is isomorphic to the proved proposition, so types and propositions are identified, as are objects and proofs. Furthermore, this framework allows the definition of inductive and co-inductive types (which are specified by their constructors). Constructing a proof within Coq is an interactive process: given a goal, the user specifies which deduction rule should be applied, and Coq does all the "computations". The theorem prover solves successive subgoals with tactics (i.e., functions that build a proof of a given goal from proofs of more elementary subgoals). In all our development, we use a Coq package for finite sets implemented as lists: we will write $[|A|]$ for the type of finite sets of elements of type $A$, over which classical operations on sets, such as $\in$, $\subseteq$, $\cup$, ..., are defined. Given two terms $E_1$ and $E_2$ of type $[|A|]$, we will write $E_1 \subseteq E_2$ as a shortcut for $\forall x:A\; x \in E_1 \Rightarrow x \in E_2$. To check whether all the elements of a set satisfy a (decidable) property, we define a function forall of type $[|A|] \to (A \to \mathbb{B}) \to \mathbb{B}$, where $A$ is any type needed and $\mathbb{B}$ is the inductive set of booleans. Similarly, we define a function filter of type $[|A|] \to (A \to \mathbb{B}) \to [|A|]$ whose result is the set of elements of a given set which satisfy a (decidable) property. It is important to note that we write $t : T$ to express that the type of a term $t$ is $T$, while we write $t \in E$ to express that a term $t$ of type $T$ belongs to the set $E$ of type $[|T|]$ (thus the term $t \in E$ is of type $\mathbb{B}$).
3 System representation
The system is represented by an abstract machine containing a state that operations (or requests) can change.
3.1 Parameters and hypotheses
The Bell and La Padula security model describes a set of access control rules between active entities, called subjects (representing processes, programs in execution, ...) and passive entities, called objects (representing data, files, programs, subjects, I/O devices, ...). Each subject and object is associated with two independent pieces of information: the set of needs-to-know (i.e., a special access privilege of a subject, the topic of the data) and the classification (i.e., the clearance level of a subject, the sensitivity of the data). We first define $O$ and $S$ as the sets of objects and subjects. In order to be able to enumerate the elements belonging to these sets, we suppose $O$ and $S$ to be countable sets, by indexing them by natural numbers. Then, we introduce a set $K$ of needs-to-know and a set $C$ of classifications as variables, thus these sets are parameters of our development. Furthermore, we assume that equality over these sets is decidable. We also introduce as an assumption a total order relation over $C$.
Definition O : Set := $\mathbb{N}$.   Definition S : Set := $\mathbb{N}$.
Variable K : Set.
Hypothesis eqdecK : $\forall c_1, c_2 : K\;\; \{c_1 = c_2\} + \{c_1 \neq c_2\}$.
Variable C : Set.   Variable $\leq$ : $C \to C \to \mathbb{B}$.
Hypothesis eqdecC : $\forall c_1, c_2 : C\;\; \{c_1 = c_2\} + \{c_1 \neq c_2\}$.
Hypothesis Totalorder : $\forall c_1, c_2 : C\;\; \{c_1 \leq c_2\} + \{c_2 \leq c_1\}$.
Hypothesis ReflC : $\forall c : C\;\; c \leq c$.
Hypothesis ASymC : $\forall c_1, c_2 : C\;\; c_1 \leq c_2 \Rightarrow c_2 \leq c_1 \Rightarrow c_1 = c_2$.
Hypothesis TransC : $\forall c_1, c_2, c_3 : C\;\; c_1 \leq c_2 \Rightarrow c_2 \leq c_3 \Rightarrow c_1 \leq c_3$.
($+$ denotes the disjunction.)
The security level associated with an object or a subject can be seen as a pair $(c, k)$ where $c$ is a classification and $k$ is a set of needs-to-know. Given two entities $e_1$ and $e_2$ respectively associated with the security levels $(c_1, k_1)$ and $(c_2, k_2)$, we will say that $e_1$ dominates $e_2$ if $c_2 \leq c_1$ and if $k_1$ is a superset of $k_2$. Note that the relation "dominates" is a partial order.
3.2 States
A state is a pair $(m, f)$ where $m$ is a matrix containing current accesses and access rights and $f$ is a classification vector. Thus, we define the type of states as the following product:
Definition $\Sigma$ : Set := $M \times F$.
where $M$ and $F$ are defined in the two following subsections.
3.2.1 Matrices
We define $A$ as the set of access attributes containing the following elements: $r$ for "read-only" (i.e., "pure read"), $w$ for "read-write", $e$ for "execute", $a$ for "append" (i.e., "pure write"), and $c$ for "control" (allowing control accesses to be updated).
Inductive A : Set := r : A | w : A | e : A | a : A | c : A.
Current accesses and access rights are usually represented by two matrices. One way to define these notions within Coq is to define the type $M$ as follows:
Record M : Set := mkM { M : $S \to O \to [|A|] \times [|A|]$ ; $N_o$ : $\mathbb{N}$ ; $N_s$ : $\mathbb{N}$ }.
Given a term $m$ of type $M$, $m$ will be called a matrix and we will write $m.M$ (resp. $m.N_o$, $m.N_s$) to denote the field $M$ (resp. $N_o$, $N_s$) of $m$. Since we require the number of subjects and objects to be finite (this requirement is needed in order to be able to enumerate the elements of the matrix in a finite way), we introduce two fields $N_o$ and $N_s$ corresponding respectively to the number of objects and the number of subjects minus 1, since both the subjects and the objects of the matrix are indexed from 0. These fields are used to define an access function $A_M$ to the elements of a matrix $m$ of type $M$:
$$A_M : M \to S \to O \to [|A|] \times [|A|] := \lambda m:M.\ \lambda s:S.\ \lambda o:O.\ \begin{cases} m.M(s, o) & \text{if } s \leq m.N_s \text{ and } o \leq m.N_o \\ (\emptyset, \emptyset) & \text{otherwise} \end{cases}$$
where $\lambda x:T.\ e$ denotes the function whose argument is a term $x$ of type $T$ and whose body is the term $e$. In the following we will use the following notations:
- we will write $m^{(1)}[s, o]$ for the first projection of $A_M(m, s, o)$, representing the current accesses of the subject $s$ over the object $o$;
- we will write $m^{(2)}[s, o]$ for the second projection of $A_M(m, s, o)$, representing the access rights of the subject $s$ over the object $o$.
Given a matrix $m$ of type $M$, an object $o$ is said to be opened according to the right $\alpha : A$ if there is a subject $s$ such that $\alpha \in m^{(1)}[s, o]$. Similarly, a subject $s$ is said to be granted the right $\alpha$ over an object $o$ if $\alpha \in m^{(2)}[s, o]$. Since, as we said, the elements of $m$ can be enumerated, we define a function $\Omega$ of type $M \to S \to [|A|] \to [|O|]$ such that $\Omega(m, s, E)$ contains all the objects opened by the subject $s$ according to an access mode in $E$. The following property is easily proved:
$$\forall m:M\ \forall s:S\ \forall \alpha_1:A\ \forall \alpha_2:A\ \forall o:O \quad o \in \Omega(m, s, \{\alpha_1, \alpha_2\}) \Rightarrow (o \in \Omega(m, s, \{\alpha_1\}) \lor o \in \Omega(m, s, \{\alpha_2\})) \qquad (1)$$
The following operations over matrices are now defined. We first define a function $\oplus_1 : M \to S \to O \to A \to M$ allowing an access $x : A$ to be added to the current accesses of a matrix $m : M$ for a subject $s : S$ over an object $o : O$. We will write $m \oplus_1 \langle s, o, x \rangle$ for the matrix obtained. Of course, only the field $M$ is updated (i.e., the fields $N_o$ and $N_s$ are not modified):
$$M.(m \oplus_1 \langle s, o, x \rangle) := \lambda s':S.\ \lambda o':O.\ \begin{cases} (\{x\} \cup m^{(1)}[s, o],\ m^{(2)}[s, o]) & \text{if } s = s' \text{ and } o = o' \\ (m^{(1)}[s', o'],\ m^{(2)}[s', o']) & \text{otherwise} \end{cases}$$
Similarly, we define a function $\oplus_2 : M \to S \to O \to A \to M$ allowing an access right to be added to a matrix:
$$M.(m \oplus_2 \langle s, o, x \rangle) := \lambda s':S.\ \lambda o':O.\ \begin{cases} (m^{(1)}[s, o],\ \{x\} \cup m^{(2)}[s, o]) & \text{if } s = s' \text{ and } o = o' \\ (m^{(1)}[s', o'],\ m^{(2)}[s', o']) & \text{otherwise} \end{cases}$$
Conversely, the removal of a current access or of an access right from a matrix is done by two functions $\ominus_1$ and $\ominus_2$ of type $M \to S \to O \to A \to M$ defined as follows:
$$M.(m \ominus_1 \langle s, o, x \rangle) := \lambda s':S.\ \lambda o':O.\ \begin{cases} (m^{(1)}[s, o] \setminus \{x\},\ m^{(2)}[s, o]) & \text{if } s = s' \text{ and } o = o' \\ (m^{(1)}[s', o'],\ m^{(2)}[s', o']) & \text{otherwise} \end{cases}$$
$$M.(m \ominus_2 \langle s, o, x \rangle) := \lambda s':S.\ \lambda o':O.\ \begin{cases} (m^{(1)}[s, o],\ m^{(2)}[s, o] \setminus \{x\}) & \text{if } s = s' \text{ and } o = o' \\ (m^{(1)}[s', o'],\ m^{(2)}[s', o']) & \text{otherwise} \end{cases}$$
We also define a function $\leftarrow : M \to S \to O \to ([|A|] \times [|A|]) \to M$ allowing a value to be assigned to $m[s, o]$:
$$M.(m \leftarrow \langle s, o, (E_1, E_2) \rangle) := \lambda s':S.\ \lambda o':O.\ \begin{cases} (E_1, E_2) & \text{if } s = s' \text{ and } o = o' \\ (m^{(1)}[s', o'],\ m^{(2)}[s', o']) & \text{otherwise} \end{cases}$$
Last, we define a function $\in : M \to O \to \mathbb{B}$ such that, given a matrix $m : M$ and an object $o : O$, $o \in m$ is false if and only if for all subjects $s \leq N_s$, $m^{(2)}[s, o] = \emptyset$. In other words, since $m^{(2)}[s, o]$ denotes the access rights over $o$, we have $o \in m$ if for at least one subject $s$ the object $o$ can be accessed. Such objects are called live objects¹.
We prove that the objects opened by a subject $s_2 : S$, according to a set of access attributes $E : [|A|]$, are exactly the same if either we add an access attribute for a subject $s_1 \neq s_2$ or we add an access attribute $x \notin E$ to the current accesses:
$$\forall m:M\ \forall s_1, s_2:S\ \forall o:O\ \forall x:A\ \forall E:[|A|] \quad (s_1 \neq s_2) \lor (x \notin E) \Rightarrow \Omega(m \oplus_1 \langle s_1, o, x \rangle, s_2, E) = \Omega(m, s_2, E) \qquad (2)$$
We also prove that, given the matrix $m \oplus_1 \langle s_1, o_1, x \rangle$, if an object $o_2$ is opened by a subject $s_2$ according to a set of access attributes $E$, then either $o_1 = o_2$ or $o_2$ was already opened in $m$:
$$\forall m:M\ \forall s_1, s_2:S\ \forall o_1, o_2:O\ \forall x:A\ \forall E:[|A|] \quad o_2 \in \Omega(m \oplus_1 \langle s_1, o_1, x \rangle, s_2, E) \Rightarrow o_1 = o_2 \lor o_2 \in \Omega(m, s_2, E) \qquad (3)$$
Furthermore, we prove the following property over $\ominus_1$:
$$\forall m:M\ \forall s:S\ \forall s':S\ \forall o:O\ \forall o':O\ \forall \alpha:A \quad (m \ominus_1 \langle s, o, \alpha \rangle)^{(1)}[s', o'] \subseteq m^{(1)}[s', o'] \qquad (4)$$
Thus, it follows:
$$\forall m:M\ \forall s:S\ \forall s':S\ \forall o:O\ \forall E:[|A|]\ \forall \alpha:A \quad \Omega(m \ominus_1 \langle s, o, \alpha \rangle, s', E) \subseteq \Omega(m, s', E) \qquad (5)$$
3.2.2 Classification vectors
Each object and subject possesses a classification and a finite set of needs-to-know. Thus, we define the type $F$ as follows:
Record F : Set := mkF { $f_1 : S \to C$ ; $f_2 : O \to C$ ; $f_3 : S \to [|K|]$ ; $f_4 : O \to [|K|]$ }.
Given a vector $f : F$, we write $f$ as $(\varphi_1, \varphi_2, \varphi_3, \varphi_4)$, where $\varphi_1$ (resp. $\varphi_2$, $\varphi_3$ and $\varphi_4$) stands for $f.f_1$ (resp. $f.f_2$, $f.f_3$ and $f.f_4$).
As we did for matrices, given an object $o : O$, a classification $c : C$ and a set of needs-to-know $E : [|K|]$, we define a function $\leftarrow : F \to O \to C \to [|K|] \to F$ over a classification vector $f$ allowing new values to be set for $\varphi_2(o)$ and $\varphi_4(o)$ (note that no modification is allowed for the functions $\varphi_1$ and $\varphi_3$):
$$(\varphi_1, \varphi_2, \varphi_3, \varphi_4) \leftarrow \langle o, c, E \rangle = (\varphi_1, \varphi_2', \varphi_3, \varphi_4')$$
where $\varphi_2'$ and $\varphi_4'$ are defined as follows:
$$\varphi_2' := \lambda o':O.\ \begin{cases} c & \text{if } o = o' \\ \varphi_2(o') & \text{otherwise} \end{cases} \qquad \varphi_4' := \lambda o':O.\ \begin{cases} E & \text{if } o = o' \\ \varphi_4(o') & \text{otherwise} \end{cases}$$
¹ In the original paper of Bell and La Padula, the set $A(m)$ of live objects is defined and is only used to test whether an object $o$ belongs to it. Hence, since the construction of this set is computationally very expensive, we only implement the function $\in$, which stops as soon as it finds a subject $s$ such that $m^{(2)}[s, o] \neq \emptyset$.
3.2.3 Security properties over states
We can now define the security properties over states that are considered in the Bell and La Padula model. We focus here on two types of access control policies: Discretionary Access Control (DAC), consisting in the control of access rights (based on file ownership), and Mandatory Access Control (MAC), which restricts how users can pass rights to other users (such a policy is motivated by the existence of programs known as Trojan Horses²).
Let $\sigma = (m, (\varphi_1, \varphi_2, \varphi_3, \varphi_4))$ be a state. We define the three following security properties over $\sigma$. The type of DAC, MAC and MAC$^\star$ is $\Sigma \to \mathrm{Prop}$.
The DAC property states that current accesses must always belong to the set of authorized accesses. So, we define $\mathrm{DAC}(\sigma)$ as the following proposition:
$$\forall s:S\ \forall o:O \quad m^{(1)}[s, o] \subseteq m^{(2)}[s, o]$$
Of course, this property remains true when adding an access right in the matrix. Indeed, it is easy to prove that:
$$\forall \sigma = (m, f):\Sigma\ \forall s:S\ \forall o:O\ \forall \alpha:A \quad \mathrm{DAC}(\sigma) \Rightarrow \mathrm{DAC}((m \oplus_2 \langle s, o, \alpha \rangle, f)) \qquad (6)$$
The MAC property states the no "read-up" property: no subject can gain read access over an object whose classification is higher than its own classification or whose set of needs-to-know is not included in its own set of needs-to-know. Since $w$ is a "read/write" attribute, both $r$ and $w$ accesses must be enforced. We define $\mathrm{MAC}(\sigma)$ as the following proposition:
$$\forall s:S\ \forall o:O \quad (r \in m^{(1)}[s, o] \lor w \in m^{(1)}[s, o]) \Rightarrow (\varphi_2(o) \leq \varphi_1(s) \land \varphi_4(o) \subseteq \varphi_3(s))$$
Here again, this property remains true when adding an access right in the matrix:
$$\forall \sigma = (m, f):\Sigma\ \forall s:S\ \forall o:O\ \forall \alpha:A \quad \mathrm{MAC}(\sigma) \Rightarrow \mathrm{MAC}((m \oplus_2 \langle s, o, \alpha \rangle, f)) \qquad (7)$$
² An example of Trojan Horse program is a program that gives the (high-level) rights associated with the user who executes it to the owner of this program, who is associated with a low security level.
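As an added example (not the paper's Coq development), the following Python models the matrix operations of the subsection on matrices and the DAC and MAC predicates of this subsection over a constructed state, and checks them on a read-up and on an access held without a right. It assumes classifications are integers under the usual order and needs-to-know are sets of strings; the method names (add_access, del_access, add_right, opened, live) are the editor's.

```python
from collections import namedtuple
EMPTY = (frozenset(), frozenset())              # (current accesses, access rights) of one cell
Vector = namedtuple("Vector", "f1 f2 f3 f4")    # phi1: S->C, phi2: O->C, phi3: S->[|K|], phi4: O->[|K|]

class Matrix:
    """The record M: the cell function plus N_s and N_o (highest subject/object index)."""
    def __init__(self, n_s, n_o, cells=None):
        self.n_s, self.n_o, self.cells = n_s, n_o, dict(cells or {})

    def at(self, s, o):                          # access function A_M: (∅, ∅) outside the bounds
        return self.cells.get((s, o), EMPTY) if s <= self.n_s and o <= self.n_o else EMPTY

    def _with(self, s, o, cell):                 # copy with one cell replaced; N_s, N_o untouched
        return Matrix(self.n_s, self.n_o, {**self.cells, (s, o): cell})

    def add_access(self, s, o, x):               # add x to the current accesses of s over o
        cur, rights = self.at(s, o)
        return self._with(s, o, (cur | {x}, rights))

    def del_access(self, s, o, x):               # remove x from the current accesses of s over o
        cur, rights = self.at(s, o)
        return self._with(s, o, (cur - {x}, rights))

    def add_right(self, s, o, x):                # add x to the access rights of s over o
        cur, rights = self.at(s, o)
        return self._with(s, o, (cur, rights | {x}))

    def opened(self, s, attrs):                  # objects that s has opened with a mode in attrs
        return {o for o in range(self.n_o + 1) if self.at(s, o)[0] & set(attrs)}

    def live(self, o):                           # live object: some subject holds a right on o
        return any(self.at(s, o)[1] for s in range(self.n_s + 1))

def dac(m, f):
    """DAC: every current access is also an access right (f is unused, kept for symmetry)."""
    return all(m.at(s, o)[0] <= m.at(s, o)[1]
               for s in range(m.n_s + 1) for o in range(m.n_o + 1))

def mac(m, f):
    """MAC (no read-up): r or w on o requires phi2(o) <= phi1(s) and phi4(o) ⊆ phi3(s)."""
    return all(not (m.at(s, o)[0] & {"r", "w"}) or (f.f2[o] <= f.f1[s] and f.f4[o] <= f.f3[s])
               for s in range(m.n_s + 1) for o in range(m.n_o + 1))

# Constructed sample: subject/object 0 at level 2 with need-to-know {nato}; subject/object 1 at level 0.
F = Vector({0: 2, 1: 0}, {0: 2, 1: 0},
           {0: frozenset({"nato"}), 1: frozenset()}, {0: frozenset({"nato"}), 1: frozenset()})
M0 = Matrix(1, 1).add_right(0, 0, "r").add_access(0, 0, "r")   # secure: read at own level
M1 = M0.add_right(1, 0, "r").add_access(1, 0, "r")             # subject 1 reads up: MAC fails
M2 = M0.add_access(1, 1, "w")                                  # access without a right: DAC fails
```

Adding a right with add_right never breaks DAC or MAC (properties (6) and (7)), while add_access for another subject leaves the first subject's opened set unchanged (property (2)).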