3.2 Sec Models, Frameworks Flashcards
state machine model
ensures that all instances of a subject accessing objects are secure. The system is always secure, no matter which state it is in. Based on the finite state machine and the basis for many other security models.
information flow model
- based on state machine model
- designed to prevent unauthorized, insecure or restricted information flow, often between different levels of security
-> bell-lapadula, biba
noninterference model
prevents the actions of one subject (at a higher level) from affecting the system state or actions of another (lower) subject.
-> goguen-meseguer
take-grant model
dictates how rights can be passed from one subject to another or from a subject to an object.
A subject holding the grant right can grant any of its own rights to another subject or object.
- take rule
- grant rule
- create rule
- remove rule
access-control-matrix
each column is an ACL |
each row is a capabilities list —
ACLs are tied to the object (who is allowed to access this object)
capability lists are tied to the subject (lists every object this subject is allowed to access) -> management nightmare, because every subject needs to be touched if general access to an object should be revoked
bell-lapadula
- confidentiality only, based on information flow model, inverted biba
- prevents leaking or transfer of classified information to less secure levels
- no read up (Simple Security Property)
- no write down * (Star Property)
- requires classification level for all subjects and objects
- enforces need to know
- trusted subject is allowed to violate * (write down) to change classification levels
- strong tranquility property: labels will not change while the system is operating
biba
- integrity only, based on information flow, inverted bell-lapadula
- prevents subjects with lower security level from writing up
- no read down (Simple Integrity)
- no write up * (Star Integrity) / write down allowed
- no trusted subject -> changing of classification levels impossible
clark-wilson
- integrity only, based on a three-part relationship: client, interface, resource
- constrained interface (different functions/resources) related to the security level
- well-formed transactions, separation of duties
- only a transaction procedure is allowed to modify a constrained data item; unconstrained data items are ignored
brewer and nash
chinese wall
access control changes dynamically to avoid conflicts of interest.
Determines which security domains are in conflict with the current task and puts a wall around all other information in that conflict class.
Uses data isolation to keep users out of potential conflict-of-interest situations.
goguen-meseguer
integrity only, based on the noninterference model
domain separation: subjects are unable to interfere with each other's activities
TCB
trusted computing base
The TCB is the only portion of a system that can be trusted. A trusted base that is separated from the rest of the system by a security perimeter and communicates with non-TCB components over trusted paths (secure channels).
Reference monitor
security kernel in practice!
Part of the TCB that stands between any subject and object, verifying that the subject's credentials meet the access requirements before any access is allowed.
certification / accreditation
- certification: technical evaluation of whether security standards are met
- accreditation: formal acceptance of the certified configuration by senior management
TCSEC (outdated)
red/orange book
guideline to evaluate IT systems from a security perspective
confidentiality only, no personnel or physical security
A verified protection
B mandatory protection
C discretionary protection
D minimal protection
ITSEC (outdated)
guideline to evaluate IT systems from a security perspective
full CIA
split into functionality and assurance (two separate scales)
assurance is rated from E0 (minimal) to E6 (verified)