2017 Second International Conference on Fog and Mobile Edge Computing (FMEC)
Multi-Level Security for the 5G/IoT Ubiquitous Network

Ola Salman, Ayman Kayssi, Ali Chehab, Imad Elhajj
Department of Electrical and Computer Engineering
American University of Beirut
Beirut 1107 2020, Lebanon
{oms15, ayman, chehab, ie05}@aub.edu.lb

Abstract — 5G, the fifth generation of mobile communication networks, is considered as one of the main IoT enablers. Connecting billions of things, 5G/IoT will be dealing with trillions of GBytes of data. Securing such large amounts of data is a very challenging task. Collected data varies from simple temperature measurements to more critical transaction data. Thus, applying uniform security measures is a waste of resources (processing, memory, and network bandwidth). Alternatively, a multi-level security model needs to be applied according to the varying requirements. In this paper, we present a multi-level security scheme (BLP) applied originally in the information security domain. We review its application in the network domain, and propose a modified version of BLP for the 5G/IoT case. The proposed model is proven to be secure and compliant with the model rules.

Keywords— 5G; IoT; BLP; Security Model; Multi-Level Security.

I. INTRODUCTION

5G is recognized to be a revolution in the telecommunication domain with 2020 as an expected launching date. Until then, many challenges must be considered and resolved to build a widely acceptable and agreed upon telecommunication platform. While a lot of work has been put forward in the radio domain to meet some of the 5G requirements (high capacity and high data rate), the constraint of having 1 ms latency presents a tremendous challenge. Another challenge that faces the 5G deployment is the security and privacy concerns. Security solutions must be designed and built in any 5G architecture early on from the design phase and not added as an afterthought [1]. It is fair to acknowledge the high level of security ensured in the old mobile generations (GSM, UMTS and LTE).
Thus, one can argue that security in 5G can be a simple carbon copy of the previous generation security schemes. However, 5G is not a simple quantitative evolution (data rate and latency enhancements) of the older generations. 5G presents a qualitative evolution of the supported services (e.g. IoT integration) [2]. 5G is intended to be a service-oriented network relying on the Infrastructure as a Service (IaaS) paradigm. Therefore, a new trust model must be established between applications and the network while a single trust model (consisting of user and network) was present in the previous generations.
978-1-5386-2859-1/17/$31.00 ©2017 IEEE
IoT applications, ranging from simple weather monitoring to more critical ones such as remote patient monitoring, should not be treated with the same level of security. The applications installed on billions of IoT devices and mobile phones will result in huge amounts of data. Adopting a uniform security scheme to secure all this data presents a real overhead. Thus, Multi-Level Security (MLS) is proposed to be applied [1, 2]. Ultimately, MLS is a necessity rather than an option, since most of the IoT devices are power and processing constrained and necessitate lightweight security schemes. Consequently, they must delegate the authorization functions to a gateway. This gateway (mobile phone or black box gateway) communicating with a large number of devices cannot treat all requests (coming from different applications) with the same level of security. In this context, it is essential to have the data classified based on its type and its sensitivity level. Consequently, the gateway must allow each application to access the data based on the “Need to Know” principle.

A multi-level secure system is defined in RFC 2828 [3] as “a class of system that has system resources (particularly stored information) at more than one security level (i.e., has different types of sensitive resources) and that permits concurrent access by users who differ in security clearance and need-to-know, but is able to prevent each user from accessing resources for which the user lacks authorization.” Applied in the computer and information security domains, this concept guarantees a safe flow of data between different system agents without permitting unauthorized entities to access privileged data. In this context, different models have been applied such as Bell-LaPadula (BLP), Biba, Clark-Wilson, Chinese Wall, etc. Apart from military, database, and computer system applications, the BLP model has been applied in different domains: local-area network (LAN), network business model, cloud computing, etc.
But as argued in [4], the lack of a network operating system makes any MLS model application in the network domain a complicated task. The rest of the paper is organized as follows: in section II, we review the application of the information security models (BLP, Biba, etc.) in the network and telecommunication domains. In section III, we present some 5G/IoT use case scenarios. In section IV, we present our proposed MLS model along with the proofs and analyses. Finally, we conclude in section V.
II. RELATED WORK

A. Access Control Models

Access control is related to checking if a certain request to access an object is compliant with certain policies. Closely attached to the authentication process, access control ensures the authorized access to different types of resources (data, network, etc.). While it has been successfully applied in the computer security domain, it is still a challenging issue in the network domain. There are many access control models with each having its advantages and limitations.

Mandatory Access Control (MAC): in this type of access control model, security policies are configured by a central administrative entity. Mainly, in this model, the subjects and the objects have security labels, and there are security rules defining the conditions that must be met to permit access operations. This model has been used in the military domain, and later in the Linux operating system (SELinux). In this type of access control, the chance for administrative error or social engineering is greatly reduced. However, being very strict, it presents administrative limitations in a dynamic and evolving environment [5, 6].

Discretionary Access Control (DAC): in this type of access control model, every object has an owner. Typical examples integrating this model are Linux and Windows. Despite the fine granularity provided by such model, the possible conflict between the object owners and the configuration file sizes in case of large-scale networks are valid concerns [5, 6].

Role Based Access Control (RBAC): in this access control model, security policies are centrally controlled. The main components of this model are: users, roles, permissions, operations, and objects. Solaris and SELinux are examples of systems integrating RBAC. In RBAC, individual administration of accounts is significantly reduced. However, difficulty of defining an initial role and its structure inflexibility in dynamic network domains are the main limitations of this model [5, 6].

Attribute Based Access Control (ABAC): in this type of access control, each subject has a set of attributes. Accordingly, attribute based rules specify the conditions under which user access is granted or denied. Typical examples of this access model are Web services and IBM Tivoli [5, 6].

Capability Based Access Control (CBAC): in this type of access control, each subject has a set of capabilities. These capabilities are presented by the subject in the form of tokens at the accessed object; and thus if it has the capability to access this object, it will be permitted. This scheme is characterized by its flexibility and scalability where there is no need to save the access rules for each subject at the access control layer.

B. BLP Security Model Applications

While the main goal of an access control system is to ensure authorization, MLS differentiates the objects and subjects by their level of sensitivity. MLS was initially developed for
military uses. The data was classified by its secrecy level (top secret, secret, confidential, and unclassified) and thus the access to each class of data is guaranteed for a certain set of users. Different MLS models have been proposed: the BLP security model is one of the most well-known ones [7]. As implemented in some operating systems and database management systems, MLS models proved their effectiveness in preventing unauthorized information access. However, the BLP application was restricted to the military domain due to its strictness and uniflow aspect (No read up, No write down). Thus, a more flexible model is needed when dealing with commercial use cases [8]. Consequently, some modifications and extensions are needed to make it suitable to other domains. In the following, we present some of the BLP applications in the networking and communication domains.

In [9], an application of the BLP model in the networking domain defines the set of users as subjects, and the accessed data and files as objects. However, the authors modify the BLP model by adding integrity, availability, legality, and discretionary rules. Similarly, Si Tian-ge extended the BLP model to be applied in the local area network (LAN). The L-BLP extended model classifies the hosts and data into different levels. Thus, the system can monitor the host actions to specify the host security level, then controls the communication between the hosts according to the security policy of the proposed model [10]. Xue et al. argue the presence of some problems in the L-BLP rules because the model does not account for the fact that the object/subject clearance may change with time, which makes the system insecure [11, 12]. Thus, the authors define the state as a function of time. The defined rules are proven to ensure the security of the system and add flexibility to the clearance levels definition.

In [13], an application of MLS at the router level in the network domain is proposed.
The main idea was to apply mandatory access control on certified nodes. The MLS network is built on an RBAC model. The router is configured with the subnet identifiers (their certificate and associated roles) and acts accordingly upon the received packets. The verdicts to process a packet are: read, write, read and write, and discard. In [14], an extension of the BLP model is proposed to fit the business network of an electric power enterprise case. So, a modification of its security rules is proposed where trusted white listed objects have authoritative access to low level security objects. The *-property of BLP was modified to allow access of high level trusted subject to low level security objects. In [15], the allocation of a work-flow along different clouds is considered. The problem of resource allocation on multiple clouds is treated broadly in the context of cost optimization while the security concern is not broadly tackled. Switching between private and public clouds based on the data sensitivity level is proposed as a solution in this paper. However, this solution cannot be executed in an ad-hoc manner and thus a precomputation of all possible solutions which respect the security rules is mandatory. In this context, an MLS model is proposed. After choosing the compliant solutions to the security rules, a
cost optimizing model is applied to choose the best partitioning scheme.

Youn et al. apply the MLS concept on top of the Public Switched Telecommunication Network (PSTN) for ensuring the security of teleconferencing sessions [16]. On top of the signaling protocol SS7, they develop eight protocols for: the teleconference establishment, add/drop of a conference, call teardown, drop/hang-up, and the change of the conference security level. The subject is considered as being the user-telephone pair and the object is the conference content.

In [17], the BLP model is applied in the network domain in the context of a centralized SDN control over OpenFlow switches; the aim was to prevent a covert channel attack. The covert channel attack is a network attack consisting of transmitting illegitimate data in the unused packet fields, which will be undetectable for a normal packet filter since it normally looks up known packet fields. The model consists of preventing the direct flow of data from a high level security host to a low level security host, complying with the BLP properties. However, in the network domain this model breaks a wide set of protocols (e.g. TCP) following a request/response scheme. Thus, it was necessary to allow the flow in the reverse security order but with caution. A filter is installed in the network playing the role of receiving the packets that do not conform to the controller security rules. The filter checks the packets (including the unused fields), takes the action (drop/forward) and returns feedback to the controller.
In this paper, we build on the above previous work to present a security model for the 5G IoT network. This model modifies the BLP access operations to include the REST based operations. Additionally, to cope with the IoT scalability challenge, the proposed model employs the CBAC and ABAC access schemes instead of the MAC and DAC ones initially applied by the BLP model.

III. USE CASES AND PROBLEM STATEMENT

Security and privacy are of critical importance due to the way IoT applications will become an essential part of our private life. While the internet was essentially about computer networks, IoT (along with 5G) is about “things” networks. Our home assets, our cars, our cities, etc. will all be connected to this future network and thus special care must be taken to provide data confidentiality. Proposing the strongest encryption methods in this context is a sub-optimal solution. Having a large-scale network with a huge number of constrained devices makes the adoption of complex end-to-end security schemes an impractical solution. Additionally, various data types and contents, with different levels of security will be generated by these things, so consuming processing and power resources for securing all this data will be extremely demanding. We need to classify this data and apply the corresponding access control rules to prevent sensitive data exposure.

The first use case scenario (shown in Figure 1) is home automation. We notice here the presence of different sets of connected things: light system, TV system, microwave, refrigerator, air conditioning, healthcare monitoring system, etc. Given that most of these things may be unable to perform complex encryption operations, the data is transmitted with minimal security provisions. Thus, the gateway or the mobile phone in case of 5G will be responsible for securing this data based on its criticality level.

Figure 1: Smart Home

The second use case scenario (shown in Figure 2) is the Vehicular Ad-hoc NETwork (VANET). Intelligent car systems will be fully equipped with different kinds of facilities (TV, computers, etc.). This case is less challenging from a processing/capabilities perspective but more challenging due to high mobility and the imposed overhead in terms of communication in a large-scale dynamic network. Additionally, being public in nature, data about traffic and street maps do not need to be encrypted. On the other hand, some of the applications (e.g. car location tracking) need more privacy precautions.

Figure 2: VANET

The last scenario (shown in Figure 3) is the smart city. Here the variety is at its peak. In such a complex situation, a dynamic security platform built on top of a gateway is needed. At this gateway, the data is classified based on its critical nature. The monitoring of the network state and the enforcement of the access rules are also assigned to this gateway.
5G as an enabler of the IoT should therefore allow for the adoption of a multi-level security paradigm. We consider that the mobile phone in 5G will play the role of the gateway between the IoT devices and the 5G network. Each application will be granted certain capabilities to access the data respecting the “Need to Know” rule.
Figure 3: Smart City

IV. SECURITY MODEL

A security model is a formal description of a set of security policies. A security policy is a depiction of the system security goals and the mechanisms to achieve these goals. The MLS concept has to classify documents into different security levels: top secret, secret, confidential, and unclassified. Thus, a user cannot read a document if they don’t have the clearance to read it. Soon thereafter, BLP was developed in the 1970’s to describe an MLS model in a more formal way to be applied in the computer and information security domains.

A. The BLP Model

The BLP model is a state machine that aims at modeling the system security and more precisely data confidentiality. It defines the set of subjects S, the set of objects O, and their correspondent security level functions. The state of the system is defined by the tuple ʋ = (b, M, f), where b is the current access set b = (S, O, A), with A being the access set, defined by four operations {r, w, a, e} where r stands for “read”, w stands for “write and read”, a stands for “append: write without reading”, and e stands for “execute”. f is composed of three components: fs the subject level function, fo the object level function, and fc the current subject level function. M is the access matrix where Mij defines the access permission for subject si to object oj. R denotes the set of access requests. r ∈ R is defined by the vector r = (si, oj, x) where x is the operation to be performed from the set {r, w, a, e}. D denotes the set of outcomes: y for yes (allowed), n for no (not allowed), i for illegal request, and o for error. The set W ⊆ R × D × V × V is the set of actions of the system. This notation means that when a request is issued in R, a decision will be taken in D that moves the system from one state in V to another state in V [18]. The system is proven to be secure by making sure that the transition from a state to another state is secure (the main security theorem).

The BLP model includes a set of rules determining basic operations that change the system state. The rules are as follows: get access (read, write, append, execute), release access (read, write, append, execute), change object level, change current subject level, give access permission, rescind access permission, create an object, delete an object (or group of objects) [19, 20]. These rules are proven to be secure by demonstrating their conformity to the following BLP properties:

ss-property: This simple security property reflects the “no read up” rule where a subject cannot read or write-read an object unless its security level is higher or equal to the object’s security level. This property is presented by a state ʋ = (b, M, f), iff ∀ (s, o, x) ∈ b, (x = r or x = w), x ∈ A ⇒ fs(s) ≥ fo(o).

*-property: This star property reflects the BLP “no write down” rule. A subject can write an object if its security level is less than the object security level or write-read an object if its security level is equal to the object security level and read an object only if its security level is higher than the object’s security level. This property is presented by a state ʋ = (b, M, f), iff ∀ (s, o, x) ∈ b, (x = r ⇒ fc(s) ≥ fo(o)) or (x = a ⇒ fs(s) ≤ fo(o)), s ∈ S’, where S’ is the set of untrusted subjects ⇒ fc(s) = fo(o).

ds-property: This discretionary security property allows the trusted subject to access an object if they are permitted to do so. This property is presented by a state ʋ = (b, M, f), iff ∀ (s, o, x) ∈ b, x ∈ Mij.

BLP combines MAC and DAC in its defined properties. The DAC is a user based access control scheme whereas MAC is a rule based access control scheme. The ss-property and *-property are MAC based access control properties and the ds-property is a DAC based access control property. However, its applicability in the network domain is constrained by the dynamicity required in defining the security levels. Accordingly, the L-BLP model has been proposed by modifying some aspects of the BLP properties. The subject clearance and object classification changes during the state transition might present security rules and properties violation and thus the system becomes insecure. In [11, 12], the authors take into consideration the time factor to prevent security levels change before performing the state transitions. In addition, in the 5G/IoT case, the scalability is the main constraint. Consequently, new access control models (CBAC and ABAC) should be employed appropriately.

B. The Proposed 5G Security Model

Our security model is a state machine. The set S of subjects is the set of IoT applications, the set O of objects includes the different types of data.
The set of access attributes is A = Ao, where Ao is the set of operations – in this case REST based – {Get, Post, Put, and Delete} requested by the subjects to access the data resources. The security function is f = fs ∪ fo, where fs is the security function determining the subject clearance and fo is the security function determining the data resources classification (category + security label). The set C of subject capabilities is formed by the set {Ci} where Ci is the tuple {oj, x, t} where oj is the object, x the permitted operation, and t the access conditions.

A capability-based certificate is associated with each application. This certificate includes the data types that this application can access. We assume that at each time the user wants to install a new application on the mobile phone, the user must ensure the correctness of its capability certificate via the network to the authority server. This request is associated with device context information (e.g. location, device specifications, etc.). The authority server authenticates the application based on the provided signed capability certificate. Then, it gives the application a capability-based access token. This token can encompass attribute-based access rules (i.e. access can be granted in certain region, for certain duration of time, or during certain time of day). Additionally, objects are labeled with respect to their security level (private or public). As an example, private information is given higher classification level than environmental based information (e.g. weather).

A model state is defined by ʋ = (b, C, f). Each request r is defined by the tuple r = (si, oj, x), where si is the subject, oj the object and x the requested access operation.

1) Properties

Property 1: an application cannot request private data, if it does not have the capability to access it. This property is presented by a state ʋ = (b, C, f), iff ∀ (s, o, x) ∈ b, (x = get, post, put, or delete and fo = private), x ∈ A ⇒ (oj, x, t) ∈ {Ci}.

Property 2: if not included in its capability token to generate, modify or delete public data, an application can just get such data. This property is presented by a state ʋ = (b, C, f), iff ∀ (s, o, x) ∈ b, (x = post, put, or delete and fo = public), x ∈ A ⇒ (oj, get, t) ∈ {Ci}.

Property 3: in case of access strictness to certain context conditions, the capability based access rules become invalid.
This property is presented by a state ʋ = (b, C, f), iff ∀ (s, o, x) ∈ b, x ∈ A ⇒ (oj, x, t) ∈ {Ci} and t == true.

2) Rules

Suppose that a request r = (si, oj, x) is established between a device and the gateway.

GET Object:
If x == get
    If fo == private and (oj, get) ∈ {Ci} and t == true
        ACCEPT
    Else if fo == public
        ACCEPT
    Else
        DENY

POST Object:
If x == post
    If fo == private and (oj, post) ∈ {Ci} and t == true
        ACCEPT
    Else if fo == public
        ACCEPT
    Else
        DENY

PUT Object:
If x == put
    If (oj, put) ∈ {Ci} and t == true
        ACCEPT
    Else
        DENY

DELETE Object:
If x == delete
    If fs == admin and (oj, delete) ∈ {Ci} and t == true
        ACCEPT
    Else
        DENY
3) Analysis

We can prove that the system is secure if each request conforms to the defined properties.

Informal Proof: Suppose that the system is in a state ʋ = (b, C, f). After a request (Ri), the new system state is ʋ’ = (b’, C, f’). The system is secure if ʋ’ is a secure state. Consequently, we have to prove that the difference between the two states ʋ’ - ʋ, presenting the system transition, is secure. For the GET transition, we have the initiated request b’ - b = (si, oj, get) and the security function f’ = f (security labels do not change in our case).

1) if the requested data is private, the request initiator subject must have the corresponding permission configured in its capability token, which meets property 1.
2) if the requested data is public, the subject can access the requested object, if no conditioned permission is included in its capability token, which meets property 2.
3) if there is access restriction configured as an attribute based permission in its capability token, the access is restricted to this condition, which meets property 3.

By showing that the transition complies with the three properties defined above, we can state that the system is secure. The proofs for other transition rules can be done similarly.
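The gateway decision described by Properties 1-3 and the rules above, as an added Python example (not code from the paper). The object labels, the capabilities given to each app, the "user" clearance name, the region/time conditions and the fail-closed handling of unknown objects are assumptions; for POST on public data the example follows Property 2 and requires a capability, which is stricter than the printed POST rule.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, Tuple

PRIVATE, PUBLIC = "private", "public"
OPS = {"get", "post", "put", "delete"}      # the REST operation set A


@dataclass(frozen=True)
class Context:
    """Device context sent with a request (field names are assumptions)."""
    region: str
    now: time


# t in a capability (oj, x, t): an attribute-based condition on the context.
Condition = Callable[[Context], bool]


def always(ctx: Context) -> bool:
    return True


def in_region(region: str) -> Condition:
    return lambda ctx: ctx.region == region


def between(start: time, end: time) -> Condition:
    return lambda ctx: start <= ctx.now <= end


@dataclass
class App:
    """A subject s: its clearance fs and its capability set {Ci}."""
    name: str
    clearance: str = "user"   # "admin" is used by the DELETE rule; "user" is assumed
    caps: Dict[Tuple[str, str], Condition] = field(default_factory=dict)


# fo: constructed sample labels for the data types named in Figure 4.
LABELS = {
    "temperature": PUBLIC,
    "heartbeat": PRIVATE,
    "car-location": PRIVATE,
    "ip-camera": PRIVATE,
}


def has_capability(app: App, obj: str, op: str, ctx: Context) -> bool:
    """True when (oj, x, t) is in {Ci} and t holds for this context (Property 3)."""
    cond = app.caps.get((obj, op))
    return cond is not None and cond(ctx)


def decide(app: App, obj: str, op: str, ctx: Context) -> str:
    """Return "ACCEPT" or "DENY" for the request r = (si, oj, x)."""
    label = LABELS.get(obj)
    if label is None or op not in OPS:
        return "DENY"                       # unknown object or operation: fail closed
    if op == "get" and label == PUBLIC:
        # Public reads need no capability, but a conditioned permission in the
        # token still restricts access (Analysis, items 2 and 3).
        cond = app.caps.get((obj, "get"))
        return "ACCEPT" if cond is None or cond(ctx) else "DENY"
    if op == "delete" and app.clearance != "admin":
        return "DENY"                       # DELETE rule: fs == admin is required
    # Private GET, and every POST/PUT/DELETE: the capability must be held
    # and its condition must be true (Properties 1, 2 and 3).
    return "ACCEPT" if has_capability(app, obj, op, ctx) else "DENY"


# Constructed sample subjects and contexts.
APP1 = App("App 1", caps={("temperature", "put"): always})
APP2 = App("App 2", caps={("heartbeat", "get"): between(time(8), time(20))})
APP3 = App("App 3", caps={("car-location", "post"): in_region("home"),
                          ("car-location", "delete"): always})
APP4 = App("App 4", clearance="admin", caps={("ip-camera", "delete"): always})
DAY = Context(region="home", now=time(10, 0))
NIGHT = Context(region="roaming", now=time(23, 0))

if __name__ == "__main__":
    requests = [(APP2, "heartbeat", "get", DAY), (APP2, "heartbeat", "get", NIGHT),
                (APP1, "heartbeat", "get", DAY), (APP2, "temperature", "post", DAY),
                (APP3, "car-location", "delete", DAY), (APP4, "ip-camera", "delete", DAY)]
    for app, obj, op, ctx in requests:
        print(f"{app.name:6} {op:6} {obj:13} {ctx.region:8} {decide(app, obj, op, ctx)}")
```
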
Figure 4: 5G/IoT Scenario [figure labels: Device 1 to Device 4; App 1 to App 4; operations PUT, GET, POST, DELETE; data types Temperature Measures, Heartbeat Measures, Car Location Tracking, IP-Camera Recordings]
C. Discussion

In our proposed IoT security model, data is labeled based on its secrecy level (e.g. public or private) and its category (e.g. temperature, geographic location, speed, time, etc.). To meet the IoT scalability requirement, we modified the discretionary
access scheme (access matrix M) in the BLP model to a distributed capability based one (based on a capability token C). As shown in Figure 4, multiple devices, installing different applications, produce/request different types of data. Each initiated request (e.g. CoAP request) holds the application certified identity and the generated/requested data label (e.g. REST service URL). The request is received and processed by the gateway or mobile phone. The applications, being identified and certified by an authority server, have a capability-based token which defines their data access permissions and the attribute-based conditions under which these permissions are valid. For example, public data can be read by any application. However, generating, deleting, or modifying this data is restricted to privileged entities. Access to private data is more constrained; to manipulate such data, the application must have the corresponding permissions. To apply the proposed model, we must consider the different data and device classes. In the smart home use case scenario, the IoT devices are mostly power and processing constrained. They are connected directly to a mobile phone or to a home gateway, and apply basic security functions and thus further security precautions must be taken at the gateway. When device-initiated requests arrive at the gateway, it applies the appropriate security measures (based on the data type), using the data owner credentials. The data ownership, in this case, is easily recognizable; this however may not be the case in the smart city use case. In the latter, the ambiguity about private data ownership and the abundance of public data is more noticeable. Thus, the modification/deletion of public data must be restricted to privileged entities to preserve data integrity, and secret data, not pertaining to individuals, might be encrypted using group-based keys. 
In the VANET use case scenario, the differentiation between public and private data is contextual. Thus, including attribute based conditions in our model, we can restrict access to data on a time-location basis. While we defined the main security requirements and goals in the proposed model, the data classification and security management tasks need further consideration.

V. CONCLUSION

5G is a major evolution in the telecommunication domain, promising to change the way we interact with our world. Integrating IoT applications, 5G presents new challenges in the mobile network domain. Data confidentiality is one of the main requirements to be integrated in any 5G solution. Specifically, the multi-level security is a feature to be included in the 5G security scheme due to IoT big data proliferation. In this work, we proposed an MLS model to be applied in the 5G network domain. The proposed state machine based model consists of a set of properties and rules protecting data and resources preventing their disclosure to unauthorized access. Extending the BLP model, initially applied in the information security domain, the proposed model defines new rules corresponding to the new access control model. The model is proven to be secure by
demonstrating the transition from one secure state to another secure state conforming to the defined security properties.

ACKNOWLEDGMENT

This research is funded by TELUS Corp., Canada.

REFERENCES

[1] 5G security. Ericsson white paper. June 2015.
[2] 5G Security: Forward Thinking. Huawei White Paper. 2015.
[3] RFC 2828: Internet Security Glossary [online]. Available at: http://www.rfc-base.org/txt/rfc-2828.txt. Accessed on: August 14, 2016.
[4] W.A. Ballenger Jr, Modeling security in local area networks. AIR FORCE INST OF TECH WRIGHT-PATTERSON AFB OH SCHOOL OF ENGINEERING; 1983 Dec 16.
[5] http://csrc.nist.gov/groups/SNS/rbac/documents/kuhn-coyne-weil-10.pdf.
[6] S. De Capitani di Vimercati, S. Paraboschi and P. Samarati, "Access control: principles and solutions," Software: Practice and Experience, vol. 33, no. 5, pp. 397-421.
[7] J. Jin and M. Shen, "Analysis of Security Models Based on Multilevel Security Policy," In Management of e-Commerce and e-Government (ICMeCG), 2012 International Conference on, pp. 95-97. IEEE, 2012.
[8] X. Zhang and C. Shen, "Reliability Extended Security Model Combining Confidentiality and Integrity," In 2006 8th international Conference on Signal Processing.
[9] W. Ou, X. Wang, W. Han and Y. Wang, "Research on trusted network model based on BLP model," In Computer Sciences and Convergence Information Technology, 2009. ICCIT'09. Fourth International Conference on, pp. 1137-1142.
[10] SI Tian-ge, Research on security infrastructure and model of local area network, Beijing: Tsinghua University, 2009. (in Chinese).
[11] H. Xue, X. Liu and Y. Dai, "A privacy protection model on internal networks," pp. 1-5.
[12] H. Xue, Y. Zhang, Z. Guo and Y. DAI, "A multilevel security model for private cloud," Chin.J.Electron., vol. 23, no. 2.
[13] D. Yu and S.L. Fang, "Research of multilevel security network based on mobile IPv6." Applied Mechanics & Materials.
[14] T. Zhang, K. Wu, G. Ma and W. Li, "A Network Business Security Model Based on Developed BLP Model in Electric Power Enterprise," Przegląd Elektrotechniczny, vol. 88, no. 3b, pp. 63-66.
[15] P. Watson, "A multi-level security model for partitioning workflows over federated clouds," Journal of Cloud Computing: Advances, Systems and Applications, vol. 1, no. 1, pp. 1-15.
[16] I. Youn, C. Farkas and B. Thuraisingham, "Multilevel secure teleconferencing over public switched telephone network," In IFIP Annual Conference on Data and Applications Security and Privacy, pp. 99-113. Springer Berlin Heidelberg, 2005.
[17] X. Liu, H. Xue, X. Feng and Y. Dai, "Design of the multi-level security network switch system which restricts covert channel," In Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on, pp. 233-237. IEEE, 2011.
[18] M. Bishop, "Computer Security: Art and Science", Addison-Wesley Professional, December 2002.
[19] D. E. Bell and L. J. La Padula. Secure computer system: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, Mitre Corporation, Bedford, MA, March 1976.
[20] D. E. Bell and L. J. La Padula. Secure computer systems: Vol. I— mathematical foundations, Vol. II—a mathematical model, Vol. III—a refinement of the mathematical model. Technical Report MTR-2547 (three volumes), Mitre Corporation, Bedford, MA, March–December 1973.