Security Models

Question 1

What is a policy?

Answer 1

Set of rules and practices governing how a system will manage and protect data with special regard to sensitive objects.

Can be considered as a legal document, especially when defined in a security policy document.

Question 2

How does a reference monitor fit into a security model?

Answer 2

Mechanism or abstract concept that define how the policies are applied to the system, data and users.

Question 3

What does the security kernel do in security models?

Answer 3

Supervises low-level system activities that access resources such as registers and enforces policies?

Question 4

What is a security model?

Answer 4

High-level description of the rules that a security policy should implement. Usually an overarching guide including how flow of information between subjects and resources.

Question 5

What should be defined in a security model?

Answer 5

Explicitly describes what entities are covered by the model, and may include data structures and cryptographic specifications.

Should outline possible threats, data ccess rules and who is a valid user.

Question 6

How is the relationship between objects and relationships defined?

Answer 6

Both have levels of classifications that need to have access control defined.
IE: Subjects: Privates (0), NCO’s(1)…
Objects: Unclassified(0), Confidential(1)…

Question 7

What can a subject read?

Answer 7

Anything at their level of clearance or lower, but may write to anything at their level or higher.

Question 8

Why does the linear model not work?

Answer 8

It is inflexible and simplistic

Question 9

What is a poset?

Answer 9

A partial ordering on a set

Question 10

What is comparable in a poset?

Answer 10

Not every pair of elements needs to be comparable, distinct sets on the same level are incomparable but it does show hierarchy.

Question 11

What is domination?

Answer 11

Subject having higher access to resources or indicates the direction of information flow.

One or none of the elements in a comparison can dominate.

Question 12

What is the hierarchical/military model

Answer 12

If a <= b then a is dominated by b, the system low is the level dominated by all others.

System High is the one that dominates everything else.

A dominates B iff A can perform everything that B can.

Question 13

What is compartmentalisation?

Answer 13

Restrict access to contents based on clearance and what you’re working on.

Codewords are the compartment, with classifications and codewords forming a lattice.

Question 14

What is the Bell-LaPadula model?

Answer 14

BLP goal is to identify allowable communication while maintaining secrecy.

Secret information can’t flow downwards.

Question 15

What is an SS-property in the BLP model?

Answer 15

Simple security policy, no process can read data at a higher level. NRU.

Question 16

What is a *-property in the BLP model?

Answer 16

No process can write down to a lower level. NWD.

Stop’s sensitive data being given to those at a lower level.

Question 17

What are the drawbacks of the BLP model?

Answer 17

HIgh-level subject can’t inform lower-level subject of the information, meaning that they need to downgrade to the subject level or identify subjects to break the *-property.

Question 18

What is a ds-property in BLP?

Answer 18

DAC is enforced to allow this through an ACL (allowed users are designated alongside the file.)

Question 19

Why is the BLP model like a state machine and how can we verify it’s security?

Answer 19

The BLP model is like a state machine as it has valid states (properties) and the transitions (write-to subjects etc). This is useful as if the state system is secure, and the initial state is secure, then the system is secure.

Question 20

What is the Chinese Wall?

Answer 20

Reflects protection requirements for commercial information

Question 21

What are the units used in the Chinese Wall?

Answer 21

Objects: Files, low-level information pertaining to one company

Groups: All objects pertaining to one company are grouped

Conflict classes: All groups of objects for competing companies are clustered together

Question 22

When can a subject access any information?

Answer 22

As long as they have not accessed any information from a different company in the same conflict class.

Keeps entities from viewing info on competing entities.

Question 23

When can an object be made public?

Answer 23

When C(object) = empty set. That is, the information has been sanitised and is no longer useful to competitors.

Question 24

How are the accesing of objects traced?

Answer 24

Subjects who have viewed the data are noted in a matrix Ns,o where Ns,o is true iff access has been granted to an object at one time.

Question 25

What is the ss-property of the Chinese Wall?

Answer 25

Subject will be permitted access to an object o if o is sanitised or if the user hasn’t accessed another object in the competitor set.

Question 26

What is the *-property of the Chinse Wall?

Answer 26

Subject is granted write access to an object is the subject has had no read access to an object in the same competitor set.

Question 27

When are access rights checked in a Chinese wall?

Answer 27

On each access, as they change when a user accesses an object.

Question 28

What is the Clark-Wilson model?

Answer 28

Used when confidentiality and integrity are equaly is important. Implements a set of transactions policies.

Data is manipulated by a specific set of programs
Users have to collaborate to manipulate data and collude to penetrate security
Users are restricted in what they can execute.
There is an audit trail of transactions
There is a certification procedure

Question 29

What is included in the transactions as per the Clark-Wilson model?

Answer 29

User Id
Transaction Procedure
Data items operated on

Question 30

What do well-formed transactions appear like?

Answer 30

A series of operations taking the system state from one consistent state to another.