Security Models Flashcards
What is a policy?
Set of rules and practices governing how a system will manage and protect data with special regard to sensitive objects.
Can be considered as a legal document, especially when defined in a security policy document.
How does a reference monitor fit into a security model?
Mechanism or abstract concept that defines how the policies are applied to the system, its data and its users.
What does the security kernel do in security models?
Supervises low-level system activities that access resources such as registers, and enforces the policies.
What is a security model?
High-level description of the rules that a security policy should implement. Usually an overarching guide, including how information flows between subjects and resources.
What should be defined in a security model?
Explicitly describes which entities are covered by the model, and may include data structures and cryptographic specifications.
Should outline possible threats, data access rules and who is a valid user.
How is the relationship between subjects and objects defined?
Both have levels of classification for which access control needs to be defined.
e.g. Subjects: Privates (0), NCOs (1)…
Objects: Unclassified (0), Confidential (1)…
What can a subject read?
Anything at their level of clearance or lower, but may write to anything at their level or higher.
Why does the linear model not work?
It is inflexible and simplistic.
What is a poset?
A partial ordering on a set.
What is comparable in a poset?
Not every pair of elements needs to be comparable: distinct elements on the same level are incomparable, but the ordering still shows hierarchy.
What is domination?
A subject having higher access to resources; domination also indicates the direction of information flow.
In a comparison, one element dominates the other, or neither does.
What is the hierarchical/military model?
If a <= b then a is dominated by b. System Low is the level dominated by all others.
System High is the level that dominates everything else.
A dominates B iff A can perform everything that B can.
What is compartmentalisation?
Restricting access to contents based on both clearance and what you are working on.
Codewords identify the compartments, with classifications and codewords together forming a lattice.
What is the Bell-LaPadula model?
The goal of BLP is to identify allowable communication while maintaining secrecy.
Secret information cannot flow downwards.
What is an SS-property in the BLP model?
Simple security property: no process can read data at a higher level (no read up, NRU).
What is a *-property in the BLP model?
No process can write down to a lower level (no write down, NWD).
Stops sensitive data being given to those at a lower level.
What are the drawbacks of the BLP model?
A high-level subject cannot inform a lower-level subject of information, meaning that the information must be downgraded to the subject's level, or specific subjects must be identified that are allowed to break the *-property.
What is a ds-property in BLP?
Discretionary access control (DAC), enforced through an ACL (allowed users are designated alongside the file).
Why is the BLP model like a state machine, and how can we verify its security?
The BLP model is like a state machine because it has valid states (those satisfying the properties) and transitions between them (writes to objects, etc.). This is useful because if every transition preserves the security properties and the initial state is secure, then the system is secure.
What is the Chinese Wall?
Reflects protection requirements for commercial information.
What are the units used in the Chinese Wall?
Objects: files, low-level information pertaining to one company.
Groups: all objects pertaining to one company are grouped together.
Conflict classes: all groups of objects for competing companies are clustered together.
When can a subject access any information?
As long as they have not accessed any information from a different company in the same conflict class.
This keeps entities from viewing information on competing entities.
When can an object be made public?
When C(object) = empty set, i.e. the information has been sanitised and is no longer useful to competitors.
How are accesses to objects tracked?
Subjects who have accessed data are recorded in a matrix N, where N(s,o) is true iff subject s has at some time been granted access to object o.
What is the ss-property of the Chinese Wall?
A subject is permitted access to an object o if o is sanitised, or if the subject has not accessed another object in the same competitor set.
What is the *-property of the Chinese Wall?
A subject is granted write access to an object only if the subject has had no read access to an object in the same competitor set.
When are access rights checked in the Chinese Wall?
On each access, because they change whenever a user accesses an object.
What is the Clark-Wilson model?
Used when confidentiality and integrity are equally important. Implements a set of transaction policies:
Data is manipulated only by a specific set of programs.
Users have to collaborate to manipulate data, and so must collude to penetrate security.
Users are restricted in what they can execute.
There is an audit trail of transactions.
There is a certification procedure.
What is included in the transactions as per the Clark-Wilson model?
User ID
Transaction procedure
Data items operated on
What do well-formed transactions appear like?
A series of operations taking the system state from one consistent state to another.