Sample Solution

Assignment 6: Models of Security

  1. Restrictions: Doctors may read and write patient records; Nurses may read and write prescriptions but should learn nothing about patient records; Patients may read their own record and prescriptions, but not for other patients.
    1. An access control matrix (ACM) maps pairs of (object x subject) to access control permissions. An example is given in Pfleeger & Pfleeger on page 201. Note that the matrix contains permissions for concrete objects and subjects, not classes of objects and subjects. As an example, consider a hospital with subjects: 3 doctors, 2 nurses, and 5 patients, and objects: some records and some prescriptions.

      Subject / object   Rec p1   Rec p5   Rx p1/d1   Rx p3/d1   Rx p4/n2
      Doctor d1          RW       RW       RW         RW         R
      Doctor d2          RW       RW       RW         RW         R
      Doctor d3          RW       RW       RW         RW         R
      Nurse n1           -        -        -          -          RW
      Nurse n2           -        -        -          -          RW
      Patient p1         R        -        R          -          -
      Patient p2         -        -        -          -          -
      Patient p3         -        -        -          R          -
      Patient p4         -        -        -          -          R
      Patient p5         -        R        -          -          -

      (Rec pi = record for patient pi; Rx pi/x = prescription for patient pi written by x; R = read, W = write, - = no access.)

    2. Let's ignore the fact that patients are allowed to review their own records for now. We fix 3 sensitivity levels for information in the hospital:
      "medical-info" > "privacy-sensitive-info" > "public-info"

      Information classified as medical-info is extremely sensitive information about a patient. The patient will probably sue the hospital if such information becomes public, which could seriously damage the hospital's reputation. Information classified as privacy-sensitive-info is somewhat sensitive information about a patient; the patient might feel embarrassed or uncomfortable if it falls into the wrong hands. Information classified as public-info is information about the patient that nobody cares about.

      Subjects: Doctors are cleared at medical-info level; nurses are cleared at privacy-sensitive-info level.

      Objects: Patient records should be classified as medical-info; prescriptions written by nurses can be classified as privacy-sensitive-info. Prescriptions written by doctors are somewhat more problematic: in principle (based on their content) they contain privacy-sensitive information. However, since a doctor could leak information from patient records via prescriptions, they HAVE TO be classified as medical-info as well.

      Note that this means that nurses are not able to read prescriptions written by doctors. This cannot be avoided.

      Now, to put the patients in: Make a compartment for each individual patient. So, for five patients, we have compartments P1, P2, P3, P4, P5. Doctors are cleared at level (medical-info, {P1, P2, P3, P4, P5}); Nurses are cleared at level (privacy-sensitive-info, {P1, P2, P3, P4, P5}); Patient pi is cleared at level (medical-info, {Pi}).

      We get the following lattice:

      Note: Refinement of the compartments in this model is possible. For example, nurses could be made responsible for only those patients in a particular ward.

      Note: The relation between sensitivity levels described in the lattice can be formally defined as:

      (l1, C1) ≤ (l2, C2) holds iff ( l1 ≤ l2 and C1 ⊆ C2 )

    3. Our Biba model also contains three levels. These levels describe the integrity of subjects (and objects):
      "doctor-skill" > "staff-skill" > "others"

      Information provided by individuals cleared at doctor-skill level is very trustworthy. These individuals have many years of training and experience as medical professionals. Information provided by individuals cleared at staff-skill level is somewhat trustworthy. These individuals are employed by the hospital and are supposed to do their job in a professional way. Information provided by others is not to be trusted.

      Subjects: Doctors are cleared at doctor-skill level; Nurses are cleared at staff-skill level; Patients are cleared at others level.

      Objects: Patient records are classified at doctor-skill level; Prescriptions are classified at staff-skill level.
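      The confidentiality lattice of part 1.2 (levels plus patient compartments, with the dominance relation defined there) and the Biba levels of part 1.3, written out as executable checks. This is an added example, not part of the sample solution; the subjects and objects are constructed using the d1/n2/p1 names of the matrix in part 1.1, and the "current label" session model for Bell-LaPadula is an assumption of the example (the solution only speaks of clearances).

```python
from typing import FrozenSet, Tuple

Label = Tuple[int, FrozenSet[str]]   # (sensitivity rank, set of patient compartments)
CONF = {"public-info": 0, "privacy-sensitive-info": 1, "medical-info": 2}
INTEG = {"others": 0, "staff-skill": 1, "doctor-skill": 2}   # Biba ranks, no compartments
ALL = frozenset({"P1", "P2", "P3", "P4", "P5"})

def conf(level: str, comps) -> Label:
    return (CONF[level], frozenset(comps))

def dominates(a: Label, b: Label) -> bool:
    """(l_b, C_b) <= (l_a, C_a) iff l_b <= l_a and C_b is a subset of C_a (part 1.2)."""
    return b[0] <= a[0] and b[1] <= a[1]

# Bell-LaPadula (assumed session model): a subject acts at a current label that its
# clearance must dominate. It may read objects the current label dominates (simple
# security) and write only objects that dominate the current label (no write down).
def blp_read(clearance: Label, current: Label, obj: Label) -> bool:
    return dominates(clearance, current) and dominates(current, obj)

def blp_write(clearance: Label, current: Label, obj: Label) -> bool:
    return dominates(clearance, current) and dominates(obj, current)

def blp_ever_readable(clearance: Label, obj: Label) -> bool:
    """Reading is easiest at the clearance itself, so this decides 'can ever read'."""
    return blp_read(clearance, clearance, obj)

# Biba strict integrity, the dual of the two BLP rules: no read down, no write up.
def biba_read(subject: int, obj: int) -> bool:
    return obj >= subject

def biba_write(subject: int, obj: int) -> bool:
    return subject >= obj

# Constructed subjects: (confidentiality clearance from 1.2, integrity level from 1.3).
DOCTOR_D1  = (conf("medical-info", ALL),           INTEG["doctor-skill"])
NURSE_N2   = (conf("privacy-sensitive-info", ALL), INTEG["staff-skill"])
PATIENT_P1 = (conf("medical-info", {"P1"}),        INTEG["others"])
# Constructed objects: (confidentiality classification, integrity classification).
RECORD_P1 = (conf("medical-info", {"P1"}), INTEG["doctor-skill"])
RECORD_P5 = (conf("medical-info", {"P5"}), INTEG["doctor-skill"])
RX_P1_D1  = (conf("medical-info", {"P1"}), INTEG["staff-skill"])            # written by d1
RX_P4_N2  = (conf("privacy-sensitive-info", {"P4"}), INTEG["staff-skill"])  # written by n2

def doctor_can_leak_record_via_nurse_rx() -> bool:
    """Part 1.2's leak argument: once d1 has read RECORD_P1 its session sits at that
    label, and anything it then writes must dominate it; RX_P4_N2 does not."""
    session = RECORD_P1[0]
    return (blp_read(DOCTOR_D1[0], session, RECORD_P1[0])
            and blp_write(DOCTOR_D1[0], session, RX_P4_N2[0]))
```

Combining the two checks (AND of a BLP rule and the matching Biba rule) reproduces the observations in the text: a nurse can never read a doctor's prescription, a patient can read only their own record, and a nurse cannot write to a record.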

  2. No! The two models are dual.

    Bell-LaPadula has the properties "read down" and "no write down"; Biba has the properties "no read down" and "write down". A model combining both would necessarily confine information to the level at which it was published: within the resulting model, information cannot be shared outside of one's own level.

    Of course, it is always possible to use two models: one for confidentiality and one for integrity (like in part 1).

  3. Several solutions are possible. One possibility is to attach a "sell-by date" ("houdbaarheidsdatum") to each object, after which the object is declassified.

    Note, however, that confidentiality of objects can no longer be guaranteed after an object has been declassified to a lower sensitivity level.

    To overcome this problem, some organizational measures must be taken: