INFOSEC Programming Option
for the Term Project

CS-350: Computer Organization

© 2000 Charles Abzug

 

 

 

Implementation of a Reference Monitor in Beboputer assembly language.:

This programming project takes us, for the first time, into the INFOSEC arena. You will implement a Reference Monitor for Mandatory Access Control (MAC) in accordance with the Bell-LaPadula Model. Sounds like gobbledygook? Not to worry. New terminology will generally be explained, in most cases in a purposely simplified and perhaps not entirely accurate manner, just to get across the basic concept. In such cases, more rigorous definitions will be supplied as needed at a later point in the curriculum.

INFOSEC stands for .Information Systems Security.

Access Control refers to a role of the Operating System or other software on a computer system in adjudicating whether a particular user either is or is not permitted to have access to particular data to which he has requested access. In most cases, the form of Access Control that is actually enforced corresponds to a particular type known as Discretionary Access Control (DAC). There are two kinds of entities in a computer system. They are referred to as subjects and objects. For now, we will adopt the simplified view that subjects are users of the computer (people), while objects are units of data that reside on the computer, typically files. Thus, "Access Control" consists of controlling whether a subject (user) is or is not to be granted access to a given object (file). Under DAC, each data object on the computer (i.e., each file) is assigned to an owner, usually the person who created that object. Typically, the owner of the object is empowered to specify who may and who may not be allowed to access the object. Note that access can be of several types. Typically, the owner of an object will severely restrict who may have write access to the object, which includes the ability to modify the contents, and perhaps even to delete the object entirely and replace it with a totally different object. Read access to the object will typically be less severely restricted that write access, but that question, and indeed all issues regarding permitted and forbidden access to that particular object, is entirely at the discretion of the owner. That is why this form of Access Control is known as Discretionary Access Control.

There are some situations where Discretionary Access Control is not adequate for the protection of data. For example, in a large organization containing tens of thousands or perhaps even hundreds of thousands of persons, there may be substantial quantities of information whose access must be restricted both for read and for write purposes. The number of people involved is huge, and it is impossible for the "owner" of each piece of information personally to keep track of which individuals should and which should not have access to each object under his/her control. Going further, as people change jobs within the organization, the person who created a particular object may no longer have any connection with the object that he himself created one or more job assignments prior to his current assignment. There has to be a better way than DAC. In fact, the United States Department of Defense (DOD), which is a very large organization, indeed, has thought through this problem and proposed more than 15 years ago the use of a concept called Mandatory Access Control (MAC). Under MAC, it is not the "owner" of each object but rather the computer system which decides which subjects are allowed read access and which are allowed write access to each object. The basic rules for access to classified information were worked out for paper documents many years before computers came into common use, and are now referred to by Computer Scientists as the Military Model. It became apparent, however, that the Military Model, although adequate for use in the world of paper documents, was flawed when applied to computers. The reasons for all this make a very interesting story, and you can look forward to discussing that in detail when you get into the INFOSEC part of the curriculum. For now, it is enough to point out that two INFOSEC researchers at the MITRE Corporation outside of Boston, Massachusetts, whose names were John Bell and Len LaPadula, re-examined the Military Model as it applies to computerized data, pointed out its inadequacy, and devised a new model to take its place. The INFOSEC world has given the product of their efforts the name, "Bell-LaPadula Model".

Under the Bell-LaPadula Model (BLP), each subject, and also each object, is associated with two pieces of information. The two pieces of information for the subject are compared to thowe for the object in determining whether a requested access of the subject to the object is to be granted or denied. The first piece of information for a subject is a herarchical level of security clearance, which may be either U (Uncleared), C (Confidential-cleared), S (Secret-cleared), or TS (Top Secret-cleared). Likewise, each object on the system is also assigned a level of security classification, which is either U (Unclassified), C (Confidential), S (Secret), or TS (Top Secret). Both the security clearance and the security classification are hierarchical, in that, for example, the S level implies also C and U, but excludes TS. What this means in terms of an object's security classification is that if the file is classified Secret, then it must contain at least some Secret information, but it may also contain other information which is classified at the Confidential and Unclassified levels. It defenitely does not contain information at the Top Secret level, however. Likewise, a person cleared for access to Secret information is certainly also permitted to know Confidential and Unclassified information, but is not authorized to know any Top Secret information.

The second critical piece of information for the BLP model is a set of categories that are associated with each subject and with each object. These categories are non-hierarchical. To give a slightly contrived example, but one which vividly demonstrates the point, consider a large team developing a weapon system that consists of some kind of a propulsion system, a maneuver-control sustem, a warhead detonation control system, and a guidance-navigation system. Some people on the large development team are working exclusively on the propulsion system and have nothing to do with any other aspect of the weapon. Others are working exclusively on the maneuver control system or on the warhead detonation system, and they have nothing to do with either the propulsion system or the guidance system. In general, each system is worked on by a separate group f people who have nothing to do with any of the other systems. But there must be some people who work specifically on the interface between the maneuvering system and the navigation-guidance system, and there must be some who work on the interface between the navigation-guidance system and the warhead detonation system. How else would the warhead be made to explode at the optimum instant? Likewise, there may be some people who work on the systems integration of all four subsystems of the weapon, and who therefore have legitimate need to have access to all four types of information. Thus, each subject (person) and each object (file) having to do with this weapon system has associated with it a non-herarchical set of categories, which can include either no categories at all (the null set, which might be the appropriate allowed access for a member of the personnel department who does not require access to classified information concerning any of the systems), or any one of the four possible categories (P for Propulsion, M for Maneuvering, G for Guidance-Navigation, or W for Warhead), or two or three, or possibly all four. Note that the set of categories is assigned exclusively of the hierarchical level.

In the BLP model, read access is granted for a subject to read from an object only if two conditions are satisfied: First, the hierarchical level of clearance of the subject must be at least equal to the level of classification of the object. And second, the set of categories associated with the subject must include at least each and every one of the categories associated with the object.

Write access in the BLP model will be stated, but not justified, at this point. Under BLP, a subject is given write access to an object also only if two conditions are met. The first condition for write access is that the hierarchical level of classification of the object is at least equal to that of the subject. Note that this is opposite to the requirement for read access from the same subject to the same object. The second requirement for write access under BLP is also the opposite of the second requirement for read access, namely, that the set of categories associated with the object must include at least all categories associated with the subject.

Your deliverable assignment for this week is to write four assembly language routines. One is a piece of code that would be included in the operating system to implement the Reference Monitor. This is a subroutine that adjudicates whether a requested access either is or is not granted. Your Reference Monitor must call a level-checking subroutine which compares the clearance level of the subject with the classification level of the object. The level-checking subroutine must determine whether the subject's clearance level is greater than or equal to the object's classification level, and also whether the object's classification level is greater than or equal to the subject's clearance level. The Reference Monitor must also call a category-checking subroutine, which determines whether the subject's authorized categories include at least all categories associated with the object, and whether the object's categories include at least all categories associated with the subject. The main program must call the Reference Monitor and must pass to it five pieces of data: the subject's hierarchical clearance level, the subject's authorized categories, the object's hierarchical classification level, the object's set of categories, and the type of access requested (read or write). The Reference Monitor in turn passes back to the main program a simple binary answer: either access is permitted or access is denied.

Suggestion 1: Implement the set of hierarchical clearance levels and the set of hierarchical classification levels as a single-precision (one-byte) integer. You should be able to accommodate at least 64 different levels of clearance or classification, although the simple DOD example above contains only four levels. Thus, the question of whether the subject's clearance level is greater than or equal to the object's boils down to the comparison or two numerical values to determine if one is greater than or equal to the other.

Suggestion 2: Implement the set of categories by means of a one-byte bit vector. That is, one byte of zeroes and ones, where each bit represents a different category of information. Using a single byte thus provides for up to eight categories to be represented, which is enough for this assignment. Thus, determining whether the subject's authorized categories include at least all those associated with the object corresponds with a bit-by-bit comparison of the two bytes representing the bit vectors for subject and object. This operation must determine whether there are any "one" bits in the object's bit vector that lack a corresponding "one" bit in the subject's bit vector.