Domain 3: Security Models Flashcards
- Reading down occurs when a subject reads an object at a lower sensitivity level
- e.g. a top secret subject reading a secret object
- e.g. Bell-LaPadula
Reading Down and Writing Up
- Provides confidentiality of objects
- Users at lower security level are denied access to objects at a higher security level
Bell-LaPadula
- Bell-LaPadula Property
- “No read up”; a subject at a specific clearance level cannot read an object at a higher classification level
Simple Security Property
- Bell-LaPadula Property
- “No write down”; a subject at a higher clearance level cannot write to a lower classification level.
*(star) Security Property
- Bell-LaPadula Property
- States that the system uses an access matrix to enforce access control
Discretionary Security Property
- Bell-LaPadula Property
- Security labels will not change while the system is operating
Strong Tranquility Property
- Bell-LaPadula Property
- Security labels will not change in a way that conflicts with defined security properties
Weak Tranquility Property
- Subjects can only access objects that fall into a range between the least upper bound and the highest lower bound.
Lattice-based access control
The nearest security label or classification higher than their lattice position
Least upper bound
The nearest security label or classification lower than their lattice position
Highest lower bound
- Describes a system that is always secure no matter what state it is in
- Based on the computer science definition of a finite state machine (FSM)
State Machine Model
Security model designed to prevent unauthorized, insecure, or restricted information flow between different levels of security
Information Flow Model
Security model that ensures the actions of a subject at a higher security level do not affect, and are not even noticed by, subjects at a lower security level
Noninterference Model
Security model that deploys a graph that dictates how rights can be passed from one subject to another or from a subject to an object
Take-Grant Model
- Prevents modification of objects by unauthorized subjects
- Prevents unauthorized modification of objects by authorized subjects
- Protects internal object consistency
- Integrity model
Biba Model
- “No read down”; a subject at a specific clearance level cannot read data at a lower classification
- Biba rule
Simple Integrity Axiom
“No write up”; a subject at a specific clearance level cannot write data to a higher classification
*Integrity Axiom
- Uses a three-part relationship of subject/program/object
- A subject is only able to access objects through a program, interface, or access portal
- Integrity model
Clark-Wilson
Any data item whose integrity is protected by the Clark-Wilson security model
Constrained data item (CDI)
Any data item that is not controlled by the Clark-Wilson security model
Unconstrained data item (UDI)
- Procedure that scans items and confirms their integrity
- Clark-Wilson procedure
Integrity Verification Procedure (IVP)
- The only procedures that are allowed to modify a CDI
- Clark-Wilson procedure
Transformation procedures (TPs)
- Subjects at one classification level will see one set of data and have access to one set of functions, whereas a subject at a different classification level will see a different set of data and have access to a different set of functions.
- Part of Clark-Wilson model
Restricted Interface model
- Security model designed to prevent conflicts of interest
- e.g. a consultant who has access to Company A should not also have access to similar data for Company B if the two companies compete with each other
Brewer and Nash (aka Chinese Wall)
- Table that defines the access permissions that exist between subjects and objects
- e.g. ACLs
Access Control Matrix
- Security model that predetermines a list of objects that a subject can access
- Subjects are allowed only to perform predetermined actions against predetermined objects
- Based on automaton theory and domain separation
- Noninterference model
- Integrity model
Goguen-Meseguer Model
- Prevents interference in support of integrity
- Security model that defines a set of system states, initial states, and state transitions. Through these, integrity is maintained and interference is prohibited.
- Integrity model
Sutherland Model
- Security model that focuses on the secure creation and deletion of both subjects and objects
- The specific permissions of a subject over a set of objects are defined in the access control matrix
Graham-Denning Model
Variant of phishing that targets senior or high-level executives in a company
Whaling
- Combines elements of Bell-LaPadula and Biba
- Protects confidentiality and integrity
- Assigns one of two security levels to each subject: system manager or anyone else
Lipner security architecture model
- Extends the Graham-Denning Model by including integrity protection that prevents a subject or object from being created if it already exists in the access control matrix
- Does not allow deletion of a subject or object if it didn’t previously exist
Harrison-Ruzzo-Ullman