D3: Principles of Secure Design Flashcards
Principles of Secure Design
The security requirements of an information system are driven by the security policy of the organization that will use the system
To incorporate the abstract goals of a security policy into an information system’s architecture, you will need to use security models
We serve the business, so ultimately our security stuff should reflect business objectives
Security Model
A security model lays out the framework and mathematical models that act as security-related specifications for a system architecture
System Architecture
The overall design of the components - hardware, OS, applications and networks - of an information system
The design should meet the specifications provided by the security model.
System
A group of individual components working together towards a common goal or outcome e.g. computers, network segments, departments
Security Model Examples and Significance for Exam
- State Machine Model
- Bell-LaPadula Model**
- Biba Model**
- Clark-Wilson Model*
- Brewer & Nash Model*
- Information Flow Model
- Non-Interference Model
- Lattice Model
State Machine Model
The state of a system is its snapshot at any one particular moment. The state machine model describes subjects, objects, and sequences in a system. The focus of this model is to capture the system’s state and ensure its security
When an object accepts input, the value of the state variable is modified. For a subject to access this object or modify the object value, the subject should have appropriate access rights
State transitions refer to activities that alter a system state
**Other models are built off this model
If a system starts, functions, and even fails/shuts down securely - it’s a secure system. This model instructs you that unless you can secure a system in all 3 states, you don’t have a secure system
A system is most difficult to secure at start-up because all security mechanisms haven’t loaded yet. During the initial load, the system is very vulnerable.
Shutdown - trusted recovery: in the event of a violation of the system security, it should be shut down in a way that protects itself, e.g. blue screen of death
Bell-LaPadula Model - Overview
- confidentiality
The ONLY model designed for confidentiality aka Confidentiality Model
- a formal mathematical model that’s built on the state machine model, so this doesn’t mean anything unless the three states are secure.
Developed by David Elliot Bell and Len LaPadula
- this model focuses on data confidentiality and access to classified information
- a formal model developed for the DoD multilevel security policy
- this formal model divides entities in an information system into subjects and objects
- model is built on the concept of a state machine with different allowable states (i.e. secure state)
Bell-LaPadula Model - Three Security Rules to Enforce Confidentiality
- Simple Security Property - “no read up”
- a subject cannot read data from a security level higher than the subject’s security level
- * Security Property - “no write down”
- a subject cannot write data to a security level lower than the subject’s security level. Prevents data leakage from upper levels to lower
- Strong * Property - “no read/write up or down”
- a subject with read/write privilege can perform read/write functions only at the subject’s security level.
Each rule is independent of the others; unless something is expressly denied, it’s allowed
Having upper and lower bounds helps enforce security permissions
Biba Integrity Model - Overview
- integrity
The exact opposite of Bell-LaPadula (BL) because it focuses on integrity
Developed by Kenneth J. Biba in 1977 based on a set of access control rules designed to ensure data integrity
No subject can depend on an object of lesser integrity
Based on a hierarchical lattice of integrity levels
Authorized users must perform correct and safe procedures to protect data integrity
Biba Integrity Model - Three Security Rules to Enforce Integrity
Focus on protecting the integrity/sanctity of our knowledge base
Simple Integrity Axiom - “no read down” - a subject cannot read data from an object of lower integrity level
- implies (and encourages) that you can read from above you
- * Integrity Axiom - “no write up” - a subject cannot write data to an object at a higher integrity level
Invocation property - a subject cannot invoke (call upon) subjects at a higher integrity level
Clark Wilson Security Model
- integrity
Integrity Model
Model Characteristics:
- Clark-Wilson enforces well-formed transactions through the use of the access triple:
- user > transformation procedure > CDI (constrained data item); deals with all three integrity goals
Separation of Duties
- prevent unauthorized users from making modifications
- prevents authorized users from making improper modifications
- maintain internal and external consistency - reinforces separation of duties
SIMPLY PUT - keep users out of your stuff or they’ll break it; for example, Amazon does not give you access to its stuff and instead uses a trusted interface, AKA the frontend
- if Amazon allowed free text, people would input information in all different types of formats and a database wouldn’t know what that means, so they give you a drop-down, or limit a username field to just 12 characters
EXAM - an untrusted entity does not get to access a trusted entity
User > Interface > Stuff
API: Application Programming Interface - the interface that provides an untrusted application with access to trusted resources
Brewer-Nash
- SoD (separation of duties)
Commercial Models: Brewer-Nash
Brewer-Nash Model - aka Chinese Wall
- developed to combat conflict of interest in databases housing competitor information
Published in 1989 to ensure fair competition
Defines a wall and a set of rules to ensure that no subject accesses objects on the other side of the wall
A way of separating competitors’ data within the same integrated database
You shouldn’t go from Visa, recording information, to Citi, recording information, etc. - that seems like a conflict of interest
Information Flow Model
- most likely not testable
- data is compartmentalized based on classification and the need to know
Model seeks to eliminate covert channels
Model ensures that information always flows from a low security level to a high security level, and from a high integrity level to a low integrity level
Whatever component directly affects the flow of information must dominate all components involved with the flow of information
Non-interference Model
*most likely not testable
Model Characteristics
- model ensures that actions at a higher security level do not interfere with the actions at a lower security level
- the goal of this model is to protect the state of an entity at the lower security level from actions at the higher security level, so that data does not pass through covert or timing channels
Lattice Model
*most likely not testable
Model consists of a set of objects constrained between the least upper bound and the greatest lower bound values
The least upper bound is the value that defines the least level of object access rights granted to a subject
The goal of this model is to protect the confidentiality of an object and only allow access by an authorized subject