Security Models Fundamental Concepts Flashcards
Bell-LaPadula: (Confidentiality) (Mandatory Access Control)
Simple Security Property: “No Read UP”.
Subjects with Secret clearance can’t read Top Secret data.
* Security Property (Star Property): “No Write DOWN”.
Subjects with Top Secret clearance can’t write Top Secret information to Secret folders.
Strong * Property (Strong Star Property): “No Read or Write UP and DOWN”.
Subjects can ONLY access data on their own level.
BIBA: Integrity (Mandatory Access Control):
Simple Integrity Axiom: “No Read DOWN”.
Subjects with Top Secret clearance can’t read Secret data.
Remember that integrity is the purpose here; we don’t want wrong or incomplete data from a lower integrity level to confuse us.
* Integrity Axiom (Star Integrity Axiom): “No Write UP”.
Subjects with Secret clearance can’t write Secret information to Top Secret folders.
We don’t want wrong or incomplete lower-level information to propagate to a higher level.
Invocation Property: “No Read or Write UP”.
Subjects can never access or alter data on a higher level.
Lattice-Based Access Control (LBAC) (MAC):
A subject can have multiple access rights. A subject with “Top Secret” {crypto, chemical} would be able to access everything in this lattice. A subject with “Secret” {crypto} would only have access to that level. A subject with “Top Secret” {chemical} would have access to only {chemical} in Top Secret and Secret. These are obviously vastly more complex in real life. For the exam, just know what they are and how they work.
Graham-Denning Model – uses Objects, Subjects, and Rules.
The 8 rules that a specific subject can execute on an object are:
- Transfer Access.
- Grant Access.
- Delete Access.
- Read Object.
- Create Object.
- Destroy Object.
- Create Subject.
- Destroy Subject.
HRU model (Harrison, Ruzzo, Ullman):
An operating system level computer security model that deals with the integrity of access rights in the system.
It is an extension of the Graham-Denning model, based around the idea of a finite set of procedures being available to edit the access rights of a subject on an object.
Considers Subjects to be Objects too (unlike Graham-Denning).
Uses six primitive operations:
- Create object.
- Create subject.
- Destroy subject.
- Destroy object.
- Enter right into access matrix.
- Delete right from access matrix.
Clark-Wilson - Integrity:
Separates end users from the back-end data through ‘Well-formed transactions’ and ‘Separation of Duties’.
The model uses Subject/Program/Object.
We have discussed the Subject/Object relationship before, but this puts a program between the two.
We don’t allow people access to our inventory when they buy from us.
We give them a limited functionality interface they can access.
Separation of duties:
The certifier of a transaction and the implementer are different entities.
The person making purchase orders should not be paying the invoices.
A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state.
Brewer-Nash (Chinese Wall or Information Barriers):
Designed to provide controls that mitigate conflicts of interest in commercial organizations; it is built upon an information flow model.
No information can flow between the subjects and objects in a way that would create a conflict of interest.
Non-Interference Model:
Ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level.
The model is not concerned with data flow, but with what a subject knows about the state of the system.
Any change by a higher level subject will never be noticed by a lower level subject.
Take-Grant Protection Model:
Uses rules that govern the interactions between subjects and objects.
It uses permissions that subjects can grant to (or take from) other subjects.
It has 4 rules:
- Take rule allows a subject to take rights of another object.
- Grant rule allows a subject to grant own rights to another object.
- Create rule allows a subject to create new objects.
- Remove rule allows a subject to remove rights it has over another object.
Thor can Take (t) Jane’s rights for the object.
Jane can Create (c) and Remove (r) rules for the object.
Jane can Grant (g) any of her rights to Bob.
Access Control Matrix:
Model describing the rights of every subject for every object in the system.
An access matrix is like an Excel sheet.
- One row per subject.
- One column per object.
- The rows are the rights of each subject; each row is called a capability list.
- The columns show the ACL (Access Control List) for each object or application.
We will cover the different permissions later.
Zachman Framework (for Enterprise Architecture):
Provides six frameworks:
- What, How, Where, Who, When, and Why.
Mapping those frameworks to roles for:
- Planner, Owner, Designer, Builder, Programmer, and User.
System high security mode - All users must have:
- Signed NDA for ALL information on the system.
- Proper clearance for ALL information on the system.
- Formal access approval for ALL information on the system.
- A valid need to know for SOME information on the system.
All users can access SOME data, based on their need to know.
Compartmented security mode - All users must have:
- Signed NDA for ALL information on the system.
- Proper clearance for ALL information on the system.
- Formal access approval for SOME information they will access on the system.
- A valid need to know for SOME information on the system.
All users can access SOME data, based on their need to know and formal access approval.
Multilevel security mode - (Controlled Security Mode) - All users must have:
- Signed NDA for ALL information on the system.
- Proper clearance for SOME information on the system.
- Formal access approval for SOME information on the system.
- A valid need to know for SOME information on the system.
All users can access SOME data, based on their need to know, clearance and formal access approval.