Lecture 10: 11th October 2019 Flashcards
Security Models
What are Security Policies?
A set of rules and practices governing how a system will manage and protect files, with special regard to sensitive data or code. Some companies will write a Security Policy document that defines the security (and safety) of the system. This can be considered a legal document if the company suffers an intrusion.
What are Reference Monitors?
The Reference Monitor is the mechanism or abstract concept as to how the access control policies are applied to a computer system.
What are Security Models?
A Security Model is the high-level description of the rules which security policies should implement. It is usually an overarching guide including the flow of information between subjects and resources, explicitly describing what entities are covered by the model. Some models may even include data structures or cryptographic specifications.
A model should outline possible threats, data access rules and who is a valid user. Some models enforce confidentiality, others integrity and others access.
What is the Military Model?
The most basic security model, in which there is a hierarchy or linear ordering of degrees of sensitivity.
What are subjects?
People or processes who wish to access resources (objects)
What are relationships?
The rules defining what specific access subjects of given levels have to objects of given levels (both grouped into classifications). Subjects can write to any level but only read at their level or lower.
What are partially ordered sets?
A set of elements in which at least some of the elements can be compared to each other with a binary relation.
What are partially ordered sets aka?
posets
What are reflexive comparisons?
Elements comparing themselves to themselves
What are transitive comparisons?
Where you chain relations; e.g. if a < b and b < c then a < c
What are anti-symmetric comparisons?
No two distinct elements may precede each other, i.e. be related in both directions:
if R(a, b) holds and a ≠ b, then R(b, a) must not hold; equivalently, if R(a, b) and R(b, a) both hold, then a = b.
E.g. if a ≤ b and b ≤ a then a = b.
How can lattices be formed from posets?
Build up nodes of classification levels (e.g. top secret, secret, etc.) applied to science (weapons development) and military (weapons deployment). Arrange them in a tree-like graph from most to least access. The top node will be top secret for both science and military, then top secret in one and secret in the other, etc. Comparisons arise from comparing the science and/or military clearance levels of users.
How does the PM, their top military general, and top scientific advisor illustrate partial order-based systems?
PM has top secret science and military clearance. General has top secret military but lower science clearance, and scientist has top secret science clearance but no military clearance.
What is domination?
Domination is a subject having higher access levels and indicating the direction of information flow. Those with higher access levels, closer to the root, dominate others.
Given two objects at different levels, what is the minimum security level a subject must be at to read both objects?
The higher of the security levels of the 2 objects
Given two subjects at different levels, what is the maximum security level an object can be at and be read by both?
The lower of the security levels of the 2 subjects
What is the Hierarchical Model?
Another name for the military model. The military model is the most basic security model, in which there is a hierarchy or linear ordering of degrees of sensitivity.
What is the System Low?
The level dominated by all others, i.e. the lowest access level, which is a leaf node.
What is the System High?
The level that dominates all others, i.e. the highest access level, which is the root node.
When does one user’s privileges dominate another’s?
When they can perform access operations on every object the other user can
What does it mean when two users have the same privileges?
They are at the same access level
What is the hierarchical model aka?
the military model
How can classifications work in conjunction with codewords?
To implement intra-access level compartmentalisation, combine access levels with codewords; this might be by military operational codenames, for instance. Compartments can, however, cross over different security levels.
What is ss-property?
The simple security policy states that no process can read data at a higher access level. This is known as no read up: NRU.
What is NRU?
no read up: no subject can read data at a higher access level.
What is *-property?
No subject can write data to a lower level, i.e. no write down (NWD).
What is NWD?
no write down: no process can write data to a lower level.
When may a subject read an object?
If the security class of the subject is greater than or equal to that of the object
When may a subject s with read access to an object, o, write to another object, p?
If the security class of the object p is greater than or equal to that of o (apparently but I think it makes sense to just compare s to both directly).
What is the BLP Secure flow of information?
The way in which information propagation is restricted with rules to prevent leakage. Only objects can read from subjects at higher levels. Subjects can only write to higher levels - not read as well. Both can read and write to others on the same level.
What is a ds-property?
ds-property = Effectively Discretionary Access Control = temporarily allowing subjects to have higher clearances or downgrading the security of an object to allow high level subjects to inform others of info regarding the objects
When is a state considered secure in BLP?
If the ss-property, the *-property, and the ds-property all hold.
What are some security disadvantages of the Bell-LaPadula system?
No command and control: you can't easily inform others of information if you are at a lower level than the object that is the source of the information. The ds-property, used to get past this by allowing others access to the information, leads to security vulnerabilities.
How does the Bell-LaPadula system work?
The BLP model effectively describes valid states and state transitions. If all state transitions in a system are secure and the initial state is secure, then every subsequent state will also be secure, no matter what the inputs are.
Picture a graph of objects and subjects with read and write rights between them, and a vertical scale of security level, increasing as you go higher on the graph.
What is the Basic Security Theorem?
That the BLP model effectively describes valid states and state transitions: if all state transitions in a system are secure and the initial state is secure, then every subsequent state will also be secure, no matter what the inputs are.
What is the Chinese Wall?
A security model implementing the protection of commercial information by grouping data from competitors and only allowing a user to view the data of one company in each group, to prevent spying.
What does the Chinese Wall consist of?
Objects: files, i.e. low-level information pertaining to one company.
Groups: all objects pertaining to one company are grouped together.
Conflict Classes: all groups of objects for competing companies are clustered together.
With the Chinese Wall, how do you define a subject, two companies, the security label of an object, sanitised info, and subjects who have viewed data?
For a subject s, its company is B(s) and the set of competitor companies is C(s).
The security label of an object o is (B(o), C(o)), i.e. the company and competitor class pair.
Sanitised information is C(o) = ∅, i.e. it can be made public.
Subjects who have viewed the data are noted in a matrix N(s, o), where N(s, o) is true if access has at one time been granted.
Think of it as Business(obj) and Competitor(obj): if Competitor(obj) is empty then the Business object can be made open (!)
What is the ss-property with the Chinese Wall?
If you have had access to o' from company B(o') (the company that owns o') then you are forbidden from accessing objects from the (competitor) companies in C(o'). However, a third company may be used to pass information between the competing companies.
What is the *-property with the Chinese Wall?
The *-property: a subject S is granted write access to an object o if S has no read access to an object o' with B(o) ≠ B(o') and C(o') ≠ ∅.
i.e. write access to an object is only grant
What is the Clark & Wilson well-formed transaction policy?
A way of ensuring confidentiality and integrity for commercial systems. A well-formed transaction is a series of operations that transitions a system from one consistent state to another consistent state.
How does the Clark & Wilson transaction policy work?
Policies allow users to execute transactions, whose integrity is enforced by the system's integrity policies.
What are the properties of the Clark & Wilson transaction policy?
- Data is manipulated only by a specific set of programs, i.e. intermediate control.
- Users have to collaborate to manipulate data, and therefore collude to penetrate security, i.e. separation of duties.
- Users are restricted in what they can execute; there is an audit trail of transactions.
- There is a certification procedure.
What are Access Triples?
Access triple = a three-part relationship of subject/program/object (where the program is interchangeable with the transaction).
Aka an access control triple.
What do Access Triples consist of?
A subject, a transaction/program, and one or more objects.
How do Access Triples control the actions of users?
If a user is not listed in a triple for a given transaction/program and object, they can't perform that transaction/program on that object.
What is a security kernel?
The Security Kernel supervises low-level system activities that access resources such as registers or policies.
What is BLP model?
BLP model = Bell-LaPadula = a model for security in the USAF that identifies allowable downward information flow whilst maintaining security by disallowing downward information flow in general.
What is the lattice model?
Connected groups of objects in a graph in which objects dominate each other. It consists of a set of objects as nodes and a partial ordering to compare them.