Lecture 10: 11th October 2019

Question 1

What are Security Policies?

Answer 1

A set of rules and practices governing how a system
will manage and protect files with especial regard to sensitive data or code. Some companies will write a Security Policy document that defines the security (and safety) of the system. This can be considered as a legal
document if the company has an intrusion.

Question 2

What are Reference Monitors?

Answer 2

The Reference Monitor is the mechanism or abstract concept as to how the access control policies are applied to a computer system.

Question 3

What are Security Models?

Answer 3

A Security Model is the high-level description of the rules which security policies should implement. It is usually an overarching guide including the flow of information between subjects and resources, explicitly describing what entities are covered by the model. Some models may even include data structures or cryptographic specifications.

A model should outline possible threats, data access rules and who is a valid user. Some models enforce confidentiality, others integrity and others access.

Question 4

What is the Military Model?

Answer 4

The most basic security model, in which there is a hierarchy or linear ordering of degrees of sensitivities

Question 5

What are subjects?

Answer 5

People or processes who wish to access resources (objects)

Question 6

What are relationships?

Answer 6

The rules defining what specific access subjects of given levels have to objects of levels (both grouped into classifications). Subjects can write to any level but only read at their level or lower.

Question 7

What are partially ordered sets?

Answer 7

A set of elements in which at least some of the elements can be compared to each other with a binary relation.

Question 8

What are partially ordered sets aka?

Answer 8

posets

Question 9

What are reflexive comparisons?

Answer 9

Elements comparing themselves to themselves

Question 10

What are transitive comparisons?

Answer 10

Where you chain relations; e.g. if a < b and b < c then a < c

Question 11

What are anti-symmetric comparisons?

Answer 11

No 2 unique elements may precede each other: be related in both directions

if R(a, b) is true and a ≠ b, then R(b, a) must not hold
if R(a, b) is true and R(b, a) is also true, then a = b

if a ≤ b and b ≤ a then a = b

Question 12

How can lattices be formed from posets?

Answer 12

Build up nodes of classification levels; e.g. top secret, secret, etc applied to science (weapons development) and military (weapons deployment). Arrange in a tree-like graph from most to least access. Most will be top secret for science and military, then top-secret one and secret other, etc. Comparisons arise from comparing science and/or military clearance levels of users.

Question 13

How does the PM, their top military general, and top scientific advisor illustrate partial order-based systems?

Answer 13

PM has top secret science and military clearance. General has top secret military but lower science clearance, and scientist has top secret science clearance but no military clearance.

Question 14

What is domination?

Answer 14

Domination is a subject having higher access levels and indicating the direction of information flow. Those with higher access levels, closer to the root, dominate others.

Question 15

Given two objects at different levels, what is the minimum security level a subject must be at to read both objects?

Answer 15

The higher of the security levels of the 2 objects

Question 16

Given two subjects at different levels, what is the maximum security level an object can be at and be read by both?

Answer 16

The lower of the security levels of the 2 subjects

Question 17

What is the Hierarchical Model?

Answer 17

Another name for the military model. The military model is the most basic security model, in which there is a hierarchy or linear ordering of degrees of sensitivities

Question 18

What is the System Low?

Answer 18

the level dominated by all others, i.e. the lowest access level that is a leaf node

Question 19

What is the System High?

Answer 19

the level that dominates all others, i.e. the highest access level that is the root node

Question 20

When does one user’s privileges dominate another’s?

Answer 20

When they can perform access operations on every object the other user can

Question 21

What does it mean when two users have the same privileges?

Answer 21

They are at the same access level

Question 22

What is the hierarchical model aka?

Answer 22

the military model

Question 23

How can classifications work in conjunction with codewords?

Answer 23

To implement intra-access level compartmentalisation, combine access levels with codewords; this might be by military operational codenames, for instance. Compartments can, however, cross over different security levels.

Question 24

What is ss-property?

Answer 24

The simple security policy states that no process can read data at a higher access level. This is known as no read up: NRU.

Question 25

What is NRU?

Answer 25

no read up: no subject can read data at a higher access level.

Question 26

What is *-property?

Answer 26

no subject can write data to a lower level, i.e. no write | down (NWD).

Question 27

What is NWD?

Answer 27

no write down: no process can write data to a lower level.

Question 28

When may a subject read an object?

Answer 28

If the security class of the subject is greater than or equal to that of the object

Question 29

When may a subject s with read access to an object, o, write to another object, p?

Answer 29

If the security class of the object p is greater than or equal to that of o (apparently but I think it makes sense to just compare s to both directly).

Question 30

What is the BLP Secure flow of information?

Answer 30

The way in which information propagation is restricted with rules to prevent leakage. Only objects can read from subjects at higher levels. Subjects can only write to higher levels - not read as well. Both can read and write to others on the same level.

Question 31

What is a ds-property?

Answer 31

ds-property = Effectively Discretionary Access Control = temporarily allowing subjects to have higher clearances or downgrading the security of an object to allow high level subjects to inform others of info regarding the objects

Question 32

When is a state considered secure in BLP?

Answer 32

if the ss-property, the *property, and the ds-property all hold

Question 33

What are some security disadvantages of the Bell-LaPadula system?

Answer 33

no command and control as you can't easily inform others of info if at a lower level than the object that is the source of info; ds-property leads to security vulnerabilities while allowing others access to info to get past this

Question 34

How does the Bell-LaPadula system work?

Answer 34

The BLP model effectively describes valid states and state transitions. If all state transitions in a system are secure and if the initial state is secure, then every subsequent state will also be secure, no matter what the inputs are. Have a graph of objects and subjects and read and write rights between them. Have a vertical scale of security level, higher as go higher on the graph.

Question 35

What is the Basic Security Theorem?

Answer 35

That the BLP model effectively describes valid states and state transitions: if all state transitions in a system are secure and if the initial state is secure, then every subsequent state will also be secure, no matter what the inputs are.

Question 36

What is the Chinese Wall?

Answer 36

A security model implementing the protection of commercial information by grouping data from competitors and only allowing viewing of data of 1 company in group to prevent spying.

Question 37

What does the Chinese Wall consist of?

Answer 37

Objects: files, low-level information pertaining to one company. Groups: All objects pertaining to one company is grouped together. Conflict Classes: all groups of objects for competing companies are clustered together

Question 38

With the Chinese Wall, how do you define a subject, two companies, a security label of an object, sanitisied info, and subjects who have viewed data?

Answer 38

Subject s, the company is B(s) and the competitor company set is C(s). The security label of an object o is (B(o), C(o)), i.e. competitor and company class pair. Sanitised information isC(o) =∅, i.e. can be made public. Subjects who have viewed the data are noted in a matrix Ns,o where Ns,ois true if access has at one time been granted. Think of it as Business(obj), Competitor(obj) and if Competitor(obj) isempty then the Business object can be made open (!)

Question 39

What is the ss-property with the Chinese Wall?

Answer 39

If you have had access to o' from company B(o') (the Company that owns o') then you are forbidden from accessing objects from (competitor) companies in C(o'). However, a tertiary company may be used to pass information between the competing companies

Question 40

What is the *-property with the Chinese Wall?

Answer 40

The *-property: A subject S is granted write access to an object o if S has no read access to an object o' with B(o) != B(o') and C(o') != ∅. i.e. write access to an object is only grant

Question 41

What is the Clark & Wilson well-formed transaction policy?

Answer 41

Way of ensuring confidentiality and integrity for commercial systems. A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state.

Question 42

How does the Clark & Wilson transaction policy work?

Answer 42

Policies allow users to execute transitions, whose integrity is enforced by the system's integrity policies.

Question 43

What are the properties of the Clark & Wilson transaction policy?

Answer 43

- Data is manipulated by a specific set of programs, i.e. intermediate control. - User has to collaborate to manipulate data and to collude to penetrate security, i.e. separation of duties. - Users are restricted in what they can execute here is an audit trail of transactions - There is a certification procedure.

Question 44

What are Access Triples?

Answer 44

Access triple = a three-part relationship of subject/program/object (where the program is interchangeable with the transaction). Aka an access control triple.

Question 45

What do Access Triples consist of?

Answer 45

Subject, transaction/program, and ≥ 1 object

Question 46

How do Access Triples control the actions of users?

Answer 46

If user not listed in a triple for a transaction/program and object they can't perform that transaction/program on that object

Question 47

What is a security kernel?

Answer 47

The Security Kernel supervises low-level system activities that access resources such as registers or policies.

Question 48

What is BLP model?

Answer 48

BLP model = Bell-LaPadula = model for security in USAF to identify allowable downward information flow whilst maintaining security by disallowing downward information flow in general.

Question 49

What is the lattice model?

Answer 49

Connected groups of objects in a graph in which objects dominate each other. Consists of a set of objects as nodes and a partial ordering to compare them