...
...
Strong Tranquility Property
Definitions
Definition 1
A secure level of the tranquility property where security clearance levels and security classification levels are first initialized and then cannot be modified during the overall lifecycle of the system.
This tranquility level imposes more stringent constraints on the system than weak tranquility.
A system with strong tranquility is tranquil and complies with the tranquility principle.
Note
If not specified otherwise, the tranquility property refers to both security clearance levels and security classification levels. The concept may also be applied to security clearance levels only or to security classification levels only, in which case it is recommended to state this explicitly.
Related Terms
Bell-LaPadula Model (BLP)
No Tranquility Property
Co-hyponym
Security Classification
Security Clearance
...
Hyperonym
Weak Tranquility Property
Co-hyponym
Quotes
...
The introduction of BLP caused some excitement: here was a straightforward security policy that was clear to the intuitive understanding, yet still allowed people to prove theorems. But John McLean showed that the BLP rules were not in themselves enough. He introduced System Z, defined as a BLP system with the added feature that a user can ask the system administrator to temporarily declassify any file from High to Low. In this way, Low users can read any High file without breaking the BLP assumptions.
Bell’s argument was that System Z cheats by doing something the model doesn’t allow (changing labels isn’t a valid operation on the state), and McLean’s argument was that it didn’t explicitly tell him so. The issue is dealt with by introducing a tranquility property. The strong tranquility property says that security labels never change during system operation, while the weak tranquility property says that labels never change in such a way as to violate a defined security policy.
The motivation for the weak property is that in a real system we often want to observe the principle of least privilege, and start a process at the uncleared level, even if the owner of the process were cleared to ‘Top Secret’. If she then accesses a confidential email, that session is automatically upgraded to ‘Confidential’; and in general, her process is upgraded each time it accesses data at a higher level (this is known as the high water mark principle). As subjects are usually an abstraction of the memory management subsystem and file handles, rather than processes, this means that state changes when access rights change, rather than when data actually moves.
(Anderson, 2001, p. 143)
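The three tranquility levels named on this page can be compared on the System Z scenario and the high water mark behaviour from the quote. This is an added example, not part of the quoted source; the `Monitor` class, the mode names and the level names are hypothetical, and "weak" is simplified here to mean that object labels may not be lowered and session levels may only rise up to the clearance.

```python
from enum import IntEnum

class Level(IntEnum):
    LOW = 0
    CONFIDENTIAL = 1
    HIGH = 2

class TranquilityViolation(Exception):
    """A label change refused by the monitor's tranquility mode."""

class Monitor:
    """Toy BLP-style reference monitor (constructed for illustration)."""
    def __init__(self, mode, subjects, objects):
        self.mode = mode  # "none", "weak" or "strong"
        self.clearance = {s: c for s, (c, _) in subjects.items()}
        self.session = {s: start for s, (_, start) in subjects.items()}
        self.label = dict(objects)  # object -> classification

    def relabel(self, obj, new):
        """Request to change an object's classification after initialization."""
        if self.mode == "strong":
            raise TranquilityViolation("labels are fixed after initialization")
        if self.mode == "weak" and new < self.label[obj]:
            raise TranquilityViolation("downgrade would break no-read-up")
        self.label[obj] = new

    def read(self, subj, obj):
        """No read up; unless strong, the session floats up (high water mark)."""
        need = self.label[obj]
        if need > self.clearance[subj]:
            return False
        if need > self.session[subj]:
            if self.mode == "strong":
                return False  # session level may not change either
            self.session[subj] = need
        return True

    def write(self, subj, obj):
        """No write down, judged against the current session level."""
        return self.session[subj] <= self.label[obj]

def system_z(mode):
    """Low user asks for a High file to be declassified, then tries to read it."""
    m = Monitor(mode, {"low_user": (Level.LOW, Level.LOW)}, {"plans": Level.HIGH})
    try:
        m.relabel("plans", Level.LOW)
    except TranquilityViolation:
        pass
    return m.read("low_user", "plans")
```

Only the mode without tranquility lets the Low user read the formerly High file. Under the weak mode a cleared user who starts at `LOW` can still read a `CONFIDENTIAL` object, after which writes to `LOW` objects are refused.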
Bibliography
...