Bell-Lapadu-lookback - Looking Back at the Bell-La Padula...

Looking Back at the Bell-La Padula Model

David Elliott Bell
Reston VA, 20191
December 7, 2005

Abstract

The Bell-La Padula security model produced conceptual tools for the analysis and design of secure computer systems. Together with its sibling engineering initiatives, it identified and elucidated security principles that endure today. This paper reviews those security principles, first in their own time, and then in the context of today’s computer and network environment.

1. Looking Back

I look back at the Bell-La Padula Model over a career in security engineering that began with a concentrated burst of security modeling between 1972 and 1975. It is difficult, therefore, to limit myself to modeling and to exclude security topics without which real systems would never reach the field. I choose, then, to look back on both the modeling work and its engineering siblings so as to highlight their contributions to the DNA of network and computer security. What follows is not a synthesized chronicle of everything that happened but my own experiences and knowledge since the publication of the Bell-La Padula model.

2. Before the Bell-La Padula Model

In the late 1960’s, developments in commercial operating systems suggested the possibility of tremendous cost savings. Time-sharing was starting to provide commercial customers the ability to share the leasing costs of IBM and other big-iron computers through simultaneous or sequential use of the expensive mainframe computers. For those in classified government circles, this new capability promised even more savings. Before time-sharing, separate computers had to be used for each different security level which was processed on computers, or careful “color changes” had to be made so that the same equipment could be used sequentially to process information at different security levels (referred to as “periods processing”). There was therefore the possibility of sharing those computer systems across security levels, with an important proviso. It was crucial that processing artifacts of each security level (files, registers, data) be kept rigorously separate with a high degree of confidence.

An initial effort in this direction was commissioning computer experts to test the security robustness of computer systems that were developed in response to market forces. The experts were called “tiger teams.” The success of the tiger teams was spectacular. “It is a commentary on contemporary systems that none of the known tiger team efforts has failed to date” [1]. The situation was in reality even worse than it first sounds. Tiger Teams, flush with success in attacking and taking over system A, would try their successful system-A attacks on system B. Alarmingly, many previous attacks worked immediately. Even more worrying were the possibilities opened by a successful attack. After capturing the system and inserting a back-door entrance, penetrators could report the initial flaw and gain a reputation for good citizenship. This planting of back-doors, particularly

This note was uploaded on 02/05/2011 for the course CS 2105 taught by Professor Ana during the Fall '09 term at National University of Singapore.
