Chapter 8 Principles of Security Models, Design, and Capabilities

Question 1

What is the difference between subjects and objects?

Answer 1

The subject is the active entity that makes a request to access a resource. A subject can be a user, process, program, computer, or organization. The object is the passive entity that the subject wants to access. Access is the relationship between the subject and object, which could include reading, writing, changing, deleting, printing, moving, backing up, etc.

The actual entities being referenced are specific to an individual access request. The entity that is the object in one request could be the subject in another.

Leads into transitive trust. If A trust B and B trusts C, A inherits trust of C. This can be a security issue; you may block certain sites, but if you allow access to a VPN, and the VPN allows access to those sites, people have access to those sites through transitive trust.

Question 2

What is privacy by design?

Answer 2

PHD. A guideline to integrate privacy protections into products during the early design phase instead of doing it at the end. Seven key principles:

–proactive, not reactive
–privacy as the default
–privacy embedded into design
–full functionality, aka positive sum, not zero sum
–end to end security
–visibility and transparency
–respect for user privacy

Question 3

What is confinement?

Answer 3

Process confinement allows a process to read from and write to only certain memory locations and resources. AKA sandboxing. Applies the principle of least privilege. Can be implemented in the OS, through an application or service, or through a hypervisor.

Question 4

What are bounds?

Answer 4

Each process that runs on the system is assigned an authority level. In simple systems, it may only be user and kernel. The bounds of a process consists of limits set on the memory address and resources it can access. In most systems, the bound segment logical areas of memory for each process. Physical bounds reqire each bounded process to run in an area of memory that is separate from other process. This can be more expensive but is more secure.

Question 5

What is isolation?

Answer 5

When a process is confined through enforcing access bounds, that process runs in isolation. Process isolation ensures any behavior will affect only the memory and resources associated with the isolated process. Isolation is used to protect the operating environment, the kernel of the operating system, and other independent applicatoins.

Confinement is making sure that an active process can only access certain resources, bounds is the limit of authorization assigned to a process, and ioslation is the means by which confinement is implemented through the use of bounds.

Question 6

What is a security model?

Answer 6

Provides a way for designers to map abstract statements into a security policy that prescribes the algorithms and data structures necessary to build hardware and software.

Question 7

What are tokens, capability lists, and labels?

Answer 7

Tokens are separate objects that associated with resources that describe their security attributes. It can communicate security information about an object prior to requesting access to the actual object. Various list are used to store security information about multiple objects.

A capabilities list maintains a row of security attributes for each controlled object. Not as flexible as tokens, but offers quicker lookups when a subject requests access to an object.

A label is a permanent part of the object to which it is attached. Once it is set, it cannot be altered. This provides a safeguard against tampering that the other models do not.

Question 8

What is the Trusted Computing Base?

Answer 8

The TCB principle is the combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy. It is a subset of the overall computing system, and should be as small as possible so that a detailed analysis can reasonably ensure it meets requirements. It is the only portion of the system that can be trusted to adhere to and enforce security policy.

Question 9

What is the security perimeter?

Answer 9

An imaginary boundary that separates the TCB from the rest of the system. It ensures that no insecure communications or interactions happen between the TCB and everything else. The TCB must create secure channels, aka trusted paths, to communicate out.

The perimeter may allow for the use of a trusted shell, which allows the subject to perform command line operations without risk to the TCB. The subject cannot break out of isolation to affect the TCB.

Question 10

What is the reference monitor?

Answer 10

The part of the TCB that validates access to every resource before granting access. It stands between every subject and object, verifies the subject’s credentials meet the object’s requirements, and acts as the access control monitor.

Question 11

What is the security kernel?

Answer 11

The collection of components in the TCB that implement the reference monitor functions is called the security kernel. The kernel launches appropriate components to enforce reference monitor functionality.

Question 12

What is the state machine model?

Answer 12

A system that is always secure no matter what state it is in. It is based on the computer science definition of of “finite state machine.” An FSM combines an external input with an internal machine to model all kinds of complex systems. Given an input and a state, an FSM transitions to another state and may create an output.

Next state = F(input,current state).
Output = F(input, current state)

A state is a snapshot of a system at a specific moment in time. If all aspects of a state meet the requirements of the security policy, it is cconsidered secure. A transition occurs when accepting input or producing output, and always results in a new state. If each possible state transition results in another secure state, it is known as a secure state machine.

Question 13

What is an information flow model?

Answer 13

Based on the state machine model. Doesn’t just address the direction of flow, but also the type of flow. Designed to prevent unauthorized, insecure, or restricted information flow, often between different levels of security. Can be between subjects and objects at the same or different classification levels. Used to establish a relationship between two versions or states of the same object when those two versions or states exist at different points of time. Excludes all undefined flow pathways.

Question 14

What is the non interference model?

Answer 14

Loosely based on the information flow model. It is more cncerned about how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower level. You don’t want the lower system to be able to see what is going on at higher classifications.

Question 15

What is the Take Grant Model?

Answer 15

Employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object. A subject with the grant right can grant other object or subject any right he possesses, and a subject with a take right can take a right from another subject. There is also a create rule and delete rule. Basically, using these rules lets you figure out when rights in the system can change and where leakage can occur.

Question 16

What is an access control matrix?

Answer 16

A table of subjects and objects that indicates the actions or functions that each subject can perform on each object. Each column is the ACL pulled from objects. Once sorted, each row is a capabilities list for each subject. ACLs are tied to objects; they list valid actions that can be taken.

From an admin perspective, using only capability lists is a management nightmare. Each individual has to be addressed individually.

Question 17

What is the Bell-LaPadula model?

Answer 17

DOD developed. States a subject with a given level of clearance can access resources at or below that level. However, within clearance levels, access to compartmentalized objects is done based on NTK. Designed to prevent the leaking or transfer of classified information. Does not address any other objects of object security.

This model is built on a state machine concept and the information flow model. It employs mandatory access controls and is lattice-based. The lattice tiers are the classification levels as the organization defines them. The three basic properties:

–The Simple Security Property states that a subject may not read information at a higher sensitivity level (no read up).

–The * (star) Security Property states that a subject may not write information to an object at a lower security level (no write down). This is also known as the Confinement Property.

–The Discretionary Security Propery states the system uses
an access matrix to enforce discretionary access control.

–The first two properties define the states into which the system can transition. No other transitions are allowed. Thus, this model offers state machine model security.

There is an exception for ““trusted subjects,”” who are not constrained by the * Security Property. This is required for declassification or reclassification. Also, the model was designed in the 1970s, before file sharing and networking.

Question 18

What is the Biba model?

Answer 18

Focuses on integrity. It is an inverted Bell-LaPadula model.

–Simple Integrity Property says a subject cannot read an object at a lower integrity level (no read down)

–* (Star) Integrity Property says a subject cannot modify an object at a higher integrity level (no write up)

This prevents modification of objects by unauthorized subjects, prevents unauthorized modifications of objects by authorized subjects, and protects internal and external object consistency.

This model requires all subjects and objects to have a classification level. Thus, data integrity depends on data classification.

Critics note this model only addresses integrity; it focuses on protecting objects from external threats (it assumes internal threats are handled programmatically); it does not address access control management or provide a way to assign or change classification levels; and it does not prevent covert channels.

Question 19

What is the Clark-Wilson model?

Answer 19

A multifaceted model to enforcing data integrity. It defines each data item and allows modifications only through a limited or controlled intermediary program or interface. It does not require use of a lattice structure. Instead, it has a three-part relationship of subject/program/object. This is known as a triple or access control triplet.

Subjects do not have direct access to objects–only through programs. Through the use of well-formed transactions and separation of duties, the model provides an effective means to protect integrity. Well-formed transactions take the form of programs. Each program has specific limitations on what it can and cannot do. This is known as a constrained, limiting, or restrictive interface.

–A constrained data item (CDI) is any data item whose integrity is protected by the security model
–An unconstrained data item (UDI) is not controlled by the security model. Any data that is to be input and has not been validated, or any output, would be considered a UDI.
–An integrity verification procedure (IVP) is a procedure that scans data items and confirms their integrity.
–Transformation procedures (TPs) are the only procedures allowed to modify a CDI.

It uses security labels to grant access to objects, but only through TPs and a restricted interface model. This model uses classification-based restrictions to offer subject-specific authorization information and functions. One subject at one classification level will see one set of data and have access to one set of functions, whereas another subject at a different classification level will see a different set of data. The different functions are implemented either by showing all functions but disabling ones you can’t access, or only showing specific functions to specific users.

Was designed to protect integrity through using the triplet. However, the program can also limit what can be done to an object by a subject, so it can protect confidentiality.

Question 20

What is the Brewer and Nash model?

Answer 20

Permits access controls to change dynamically based on a user’s previous activity. It applies to a single integrated database; it seeks to create security domains that are sensitive to the notion of conflict of interest (for example, somoene at company A who has access to information on company B should not have access to company C if B and C compete with each other). This model creates a class of data that defines which security domains are potentially in conflict and prevents any subject with access to one domian in a specific conflict class from accessing another domain in that same class.

Previously known as the Chinese Wall model, but now the ““ethical wall”” or the ““cone of silence.”

Question 21

What is the Goguen-Meseguer Model?

Answer 21

Integrity model, sometimes said to be the foundation of the noninterference concept. It is based on predetermining the set of domain of objects that a subject can access. Subjects can only perform predetermined actions against predetermined objects. When similar users are grouped into their own domain, members of one subject domain cannot interfere with the members of another domain.

Question 22

What is the Sutherland model?

Answer 22

Another integrity model. Focuses on preventing interference in support of integrity. Formally based on the state machine model and the information flow model. However, it does not directly indicate specific mechanisms for protection of integrity. it defines a set of system states, initial states, and state transitions. Through the use of thse predetermined states, integrity is maintained and interference prohibited.

Question 23

What is the Graham-Denning Model?

Answer 23

Focuses on the secure creation and deletion of both subjects and objects. It is a collection of 8 primary protection rules or actions that define the boundaries of certain secure actions.

–Securely create an object
–Securely create a subject
–Securely delete an object
–Securely delete a subject
–Securely provide the read access right
–securely provide the grant access right
–Securely provide the delete access right
–Securely provide the transfer access right

The specific abilities or permissions of a subject over an object are defined in an access matrix

Question 24

What is the Harrison-Ruzzo-Ullman Model?

Answer 24

Aka HRU model. Focuses on the assignment of object access rights to subjects as well as the resilience of those assigned rights. It is an extension of the Graham-Denning Model and is centered around the establishment of a finite set of procedures that can be used to edit or alter the access rights of a subject over an object.

The state of access rights can be expressed in a matrix. The rows are subjects and the columns are objects. The intersection of each row and column will include the specific procedures that each subject is allowed to perform against each subject. A finitte set of commands or primitives is defined that controls how the matrix can be modified by authorized subjects. There are integrity rules such as in order to create or add a subject/object, it must not already exist.

Question 25

Describe the Common Criteria.

Answer 25

Defines various levels of testing and confirmation of systems’ security capabilities and the number of the level ndicates what testing and confirmation has been performed. Even the highest CC ratings to not equate to a guarantee that the systems are completely secure. Originally signed in 1998, and has been published as ISO/IEC 15408-1, -2, and -3 and labeled as ““Information technology - Security techniques - Evaluation criteria for IT Security.””

The objectives of the CC guidelines are to add buyers’ confidence in the security of evaluated, rated IT products; eliminate duplicate evaluations; keep making security evaluations more cost-effective and efficient; make sure evaluations of IT products adhere to high and consistent standards; promote the evaluation and increase availability of evaluated, rated IT products; and to evaluate the functionality and assurance.

TOE is Target of Evaluation. Based on two key elements: protection profiles and security targets. Protection profiles specify for a product that to is evaluated the security requirements and protections desired. Security Targets specify the claims of security from the vendor. An organization’s PP is compmared to various STs from the selected vendor’s TOEs.

–Level 1 is functionality tested. Applies when some confidence in correct operation is required but where threats to security are not secret. Mostly about protecting personal info.
–Level 2 is structurally tested. Applies when delivery of design information and test results are keeping with good commercial practices. This is of value when developers or users require low to moderate levels of independently assured security. Particularly useful for legacy systems.
–Level 3 is methodically tested and checked. Applies when security engineering begins at the design stage and is carried through without substantial alteration. Of value when developers or users require a moderate level of independently assured security.
–Level 4 is methodically designed, tested, and checked. Applies when rigorous, positive security engineering and good commerical development practices are used. Does not require substantial specialist knowledge. It does involve independent testing.
–Level 5 is semi-formally designed and tested. Uses rigorous security engineering and commercial development practices, including specialist security engineering techniques, for semi-formal testing. Applies when there is a need for a high-level of independently assured security in a planned development approach, as well as rigorous development.
–Level 6 is semi-formally verified, designed, and tested. uses direct, rigorous engineering techniques at all phases of design, development, and testing to produce a premium TOE. Applies for high-risk situations, where the value of protected assets justifies additional cost.
–Level 7 is formally verified, designed, and testing. used only for the highest risk situations. Tightly focused security functonality is subject to extensive formal analysis and testing.

The guidelines do not address how users act on data, or address administrative issues outside of security. For example, nothing about personnel, organizational practices and procedures, or physical security.

Question 26

What are the four decisions an Authorizing Official can make?

Answer 26

The assessment and assignment of an ATO is performed by an Authorizing Official. May also be known as the Designated Approving Authority (DAA), Approving Authority (AA), Security Control Assessor (SCA), and Recommending Official (RO). typically issued for five years, and must be reobtained in the event of a security breach.

AO can operate four types of decisions: Authorization to Operate (risk is managed to an acceptable level), Common Control Authorization (security control is inherited from another provider and when the risk associated with the common control is at an acceptable level, and already has a ATO from the same AO), Authorization to Use (a 3rd party provides services that are deemed to have acceptable use), and denial of authorization.