07/15/2008

ABSTRACT

This research investigates the possible practical applications of the Bell-LaPadula model in laboratory information management systems (LIMS). The main aim of modern security research is to facilitate the construction of multilevel secure systems, which can protect information of differing classification from users that have varying levels of clearance. Since publication, the Bell-LaPadula model has helped in the advancement of science and technology by providing a mathematical basis for the examination of laboratory security. Moreover, this model has been a major component of a disciplined approach to the building of effective and secure laboratory systems.

DECLARATION

I hereby certify that this dissertation constitutes my own product, that where the language of others is set forth, quotation marks so indicate, and that appropriate credit is given where I have used the language, ideas, expressions, or writings of another.

Introduction

The objective of this research is to ascertain the ways in which the Bell-LaPadula model can be applied to Laboratory Information Management Systems. Laboratory automation occurs when technology is applied to reduce the need for human intervention in the laboratory. This makes it possible for scientists to explore data rates that otherwise may be too fast or too slow for proper scientific examination. In recent years, the Bell-LaPadula model has been employed more and more in scientific laboratories, and has also dominated efforts to build secure computer systems for laboratory use. Since publication, the Bell-LaPadula model has helped in the advancement of science and technology by providing a mathematical basis for the examination of laboratory security. Moreover, this model is a major component of a disciplined approach to building secure and effective laboratory systems. The Bell-LaPadula model can also be used to abstractly describe the computer security system in the laboratory, without regard to the system's application. The goal of modern security research is to facilitate the construction of multilevel secure systems, which can protect information of differing classification from users that have varying levels of clearance.

There are some deficiencies inherent in the Bell and LaPadula model, and there have been efforts to develop a new approach to defining laboratory security models, on the basis that security models should be derived from specific applications.

Scope

This dissertation covers the applicability of the Bell-LaPadula model in Laboratory Information Management Systems, and the limitations involved in the use of the Bell-LaPadula model, including an absence of policies for changing user access rights. Also to be covered is the relationship that this model has with other existing security policy models available, and the possibility of using the model in other applications where information exposure must be localized, for example in private banking and in the management of intelligence data.

Problem Statement

The use of the Bell and LaPadula Model has been successful in modeling information that is relevant to security, even though this success might be responsible for the vagueness of the model about its primitives. This vagueness can also be examined with respect to the theory that the Bell and LaPadula Model and Noninterference are equivalent. Laboratory automation makes it possible for scientists to explore data rates that otherwise may be too fast or too slow to properly examine. Therefore, an automated laboratory reduces the need for human intervention and creates a more efficient environment in which human beings and technology can interact to produce a great deal more information and accurate data that was not possible prior to automation.

The approach of the Bell and LaPadula model is to define a set of system constraints whose enforcement will prevent any application program executed on the system from compromising system security. The model includes subjects, which represent active entities in a system (such as active processes), and objects, which represent passive entities (such as files and inactive processes). Both subjects and objects have security levels, and the constraints on the system take the form of axioms that control the kinds of access subjects may have to objects.

While the complete formal statement of the Bell-LaPadula model is quite complex, the model can be briefly summarized by the two axioms stated below:

(a) The simple security rule, which states that a subject cannot read information for which it is not cleared (i.e. no read up).

(b) The *-property, which states that a subject cannot move information from an object with a higher security classification to an object with a lower classification (i.e. no write down).

These axioms are meant to be implemented by restricting the access rights that users or processes can have to certain objects such as devices and files. The concept of trusted subjects is a less frequently described part of the Bell-LaPadula model.

Systems that enforce the axioms of the original Bell-LaPadula model very strictly are often impractical, because in a real system a user might need to invoke operations that would require subjects to violate the *-property, even though these operations do not go against our basic intuitive concept of laboratory security. For instance, there might be a need in the laboratory to extract an UNCLASSIFIED paragraph from a CONFIDENTIAL document for use in a document that is UNCLASSIFIED. A system that strictly enforces the properties of the original Bell-LaPadula model might prohibit this kind of operation. As a result, a class of trusted subjects has had to be included in the Bell-LaPadula model; these subjects are trusted not to violate security, although they might violate the *-property. Laboratory systems that are based on this less restrictive model usually have mechanisms that permit some of the operations that the *-property would normally not allow.

It should also be noted that a number of projects have used the Bell-LaPadula model to describe their security requirements, although strict enforcement of the Bell-LaPadula axioms without the implementation of trusted subjects turns out to be overly restrictive in these projects. Thus, there has been widespread introduction of trusted processes to implement the concept of trusted subjects.

There are also some limitations involved in the use of the Bell-LaPadula model, including an absence of policies for changing user access rights. With this model, there can be secure and complete general downgrade, and it is intended for systems that have static security levels.

The Bell-LaPadula model would be a suitable idea for Laboratory Information Management Systems because the model focuses on data confidentiality and access to classified information, in contrast to some other models that describe rules for data protection and integrity. The model spells out clear and concise access rules for clinical information systems. Furthermore, it reflects current best clinical practice and is informed by the actual threats to privacy. Its objective is to limit the maximum number of records accessed by any user and, at the same time, the number of users who can access any record; this has to do with controlling information flows across rather than down. At the same time, a strong notification property should be enforced. I will also discuss its relationship with other existing security policy models available, and the possibility of its usage in other applications where information exposure must be localized, which range from private banking to the management of intelligence data, and much more.

Another area in which laboratories could benefit by using the Bell-LaPadula model is the multi-million-dollar drug industry, which requires a high level of security and confidentiality, since drug research is sensitive and results or findings in ongoing research may sometimes need to be kept from unauthorized persons.

Approach

This research will be conducted by investigating the possible practical applications of the Bell-LaPadula model. The investigation will be conducted and tested physically and objectively. A prototype will be built in order for it to be properly tested, since it is practical. The testing stage will involve programming code for different levels of security, and the objective is to find out if security can be breached at any stage.

Outcome

Background and review of literature
Related Work
Literature
Industry Sources
Theory
A
B

Analysis and Design
A
B
C

Methods and Realization
A
B
C

Results and Evaluation
A
B
C

Conclusions
Lessons Learned
Future Activity
Prospects for Further Work

REFERENCES

Christine Paszko, Elizabeth Turner, Mary D. Hinton (2001).
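The two axioms and the trusted-subject exception described under Problem Statement, written as a small reference monitor and run on the text's own scenario of extracting an UNCLASSIFIED paragraph from a CONFIDENTIAL document. This is an added example, not part of the original dissertation; the Session class, the high-water-mark tracking, the audit tuple and the object names "report" and "memo" are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):          # only the two levels the text names
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    trusted: bool = False      # trusted subjects may violate the *-property

@dataclass(frozen=True)
class Obj:
    name: str
    level: Level

class Session:
    """Reference monitor for one subject (hypothetical design, not from the text)."""
    def __init__(self, subject: Subject):
        self.subject = subject
        self.high_water = Level.UNCLASSIFIED   # highest level read so far
        self.audit = []                        # (operation, object, allowed, rule)

    def read(self, obj: Obj) -> bool:
        # Simple security rule: no read up. Trust grants no exemption here.
        ok = self.subject.clearance >= obj.level
        if ok:
            self.high_water = max(self.high_water, obj.level)
        self.audit.append(("read", obj.name, ok, "simple-security"))
        return ok

    def write(self, obj: Obj) -> bool:
        # *-property: information read at a higher level must not flow down.
        if obj.level >= self.high_water:
            ok, rule = True, "star-property"
        elif self.subject.trusted:
            ok, rule = True, "trusted-subject-exemption"   # logged for review
        else:
            ok, rule = False, "star-property"
        self.audit.append(("write", obj.name, ok, rule))
        return ok

def extract_paragraph(subject: Subject):
    """The text's scenario: read a CONFIDENTIAL document, write an UNCLASSIFIED one."""
    session = Session(subject)
    results = (session.read(Obj("report", Level.CONFIDENTIAL)),
               session.write(Obj("memo", Level.UNCLASSIFIED)))
    return results, session.audit
```

The audit list records which rule decided each access, so every use of the trusted-subject exemption can be reviewed afterwards.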