Domain 3: Security Models

Question 1

• Reading down occurs when a subject reads an object at a lower sensitivity level
• i.e. top secret subject reading a secret object
• i.e. Bell-LaPadula

Answer 1

Reading Down and Writing Up

Question 2

• Provides confidentiality of objects

- Users at lower security level are denied access to objects at a higher security level

Answer 2

Bell-LaPadula

Question 3

• Bell-LaPadula Property

- “No read up”; a subject at a specific clearance level cannot read an object at a higher classification level

Answer 3

Simple Security Property

Question 4

• Bell-LaPadula Property

- “No write down”; a subject at a higher clearance level cannot write to a lower classification level.

Answer 4

*(star) Security Property

Question 5

• Bell-LaPadula Property

- States that the system uses an access matrix to enforce access control

Answer 5

Discretionary Security Property

Question 6

• Bell-LaPadula Property

- Security labels will not change while the system is operating

Answer 6

Strong Tranquility Property

Question 7

• Bell-LaPadula Property

- Security labels will not change in a way that conflicts with defined security properties

Answer 7

Weak Tranquility Property

Question 8

• Subjects can only access objects that fall into a range between the least upper bound and the highest lower bound.

Answer 8

Lattice-based access control

Question 9

The the nearest security label or classification higher than their lattice position

Answer 9

Least upper bound

Question 10

The the nearest security label or classification lower than their lattice position

Answer 10

Highest lower bound

Question 11

• Describes a system that is always secure no matter what state it is in
• Based on computer science definition of finite state machine (FSM)

Answer 11

State Machine Model

Question 12

Security model designed to prevent unauthorized , insecure or restricted information flow, between different levels of security

Answer 12

Information Flow Model

Question 13

Security model that prevents actions from a subject at a higher security level to not affect actions at a lower security level or even be noticed

Answer 13

Noninterference Model

Question 14

Security model that deploys a graph that dictates how rights can be passed from one subject to another or from a subject to an object

Answer 14

Take-Grant Model

Question 15

• Prevents modification of objects by unauthorized subjects
• Prevents unauthorized modification of objects by authorized subjects
• Protect internal object consistency
• Integrity model

Answer 15

Biba Model

Question 16

• “No read down”; a subject at a specific clearance level cannot read data at a lower classification
• Biba rule

Answer 16

Simple Integrity Axiom

Question 17

“No write up”; a subject at a specific clearance level cannot write data to a higher classification

Answer 17

*Integrity Axiom

Question 18

• Uses a three-part relationship subject/program/object
• A subject is only able to access objects through a program, interface, or access portal
• Integrity model

Answer 18

Clark-Wilson

Question 19

Any data item whose integrity is protected by the Clark-Wilson security model

Answer 19

Constrained data item (CDI)

Question 20

Any data item that is not controlled by the Clark-Wilson security model

Answer 20

Unconstrained data item (UDI)

Question 21

• Procedure that scans items and confirms their integrity

- Clark-Wilson procedure

Answer 21

Integrity Verification Procedure (IVP)

Question 22

• Only procedures that are allowed to modify a CDI

- Clark-Wilson procedure

Answer 22

Transformation procedures (TPs)

Question 23

• Subjects at one classification level will see one set of data and have access to one set of functions; whereas another subject at a different classification level will see a different set of data and have access to a different set of functions.
• Part of Clark-Wilson model

Answer 23

Restricted Interface model

Question 24

• Security model designed to prevent conflict of interests
• i.e. A consultant who has access to Company A should not also have access to similar data for Company B if these two companies compete with each other

Answer 24

Brewer and Nash (aka Chinese Wall)

Question 25

• Table that defines the access permissions that exist between subjects and objects
• i.e. ACLs

Answer 25

Access Control Matrix

Question 26

• Security model that predetermines a list of objects that a subject can access
• Subjects are allowed only to perform predetermined actions against predetermined objects
• Based on automation theory and domain separation
• Noninterference model
• Integrity model

Answer 26

Goguen-Meseguer Model

Question 27

• Prevents interference in support of integrity
• Security model that defines a set of system states, initial states, and state transitions. Through this integrity is maintained and interference is prohibited.
• Integrity model

Answer 27

Sutherland Model

Question 28

• Security model that focuses on the secure creation and deletion of both subjects and objects
• Specific permissions of a subject over a set of objects is defined in the access control matrix

Answer 28

Graham-Denning Model

Question 29

Variant of phishing that targets senior or high level execs in a company

Answer 29

Whaling

Question 30

• Combines elements of Bell-Lapula and Biba
• Protects confidentiality and integrity
• Assigns one of two security levels to each subject: system manager or anyone else

Answer 30

Lipner security architecture model

Question 31

• Extend the Graham-Denning Model by including integrity protection that prevents a subject or object from being created if it already exists in the access control matrix
• Does not allow deletion of a subject or object if it didn’t previously exist

Answer 31

Harison-Ruzzo Ullman