CISSP Fundamental Concepts of Security Models – Bk2D3T2

Module Objectives

  1. Identify the purpose of security models.
  2. Identify common security models.

Security Models

Security models define the rules of behavior an information system must enforce to satisfy a security policy. The classic models deal mainly with confidentiality and/or integrity.

A model defines allowable behavior for one or more aspects of system operation. When a model is implemented in a system, the technology enforces those rules so that the security goals (e.g., confidentiality, integrity) are met.

Bell–LaPadula (BLP)

The Bell–LaPadula (BLP) model is intended to address confidentiality in a multilevel security (MLS) system. It defines two primary constructs: subjects, the active parties (users, processes), and objects, the passive parties (files, records). Subjects are assigned clearances and objects are assigned classifications; together with the model's rules, these determine which modes of access (e.g., read, write) a subject may use when it interacts with an object.

The model uses labels to record clearances and classifications and a set of rules to limit interactions between subjects and objects at different levels. It was an early security model, and its mandatory rules alone give no way to express permissions for an individual subject on an individual object; BLP defers that to a discretionary access matrix (its ds-property), and a practical operating system must supply that mapping through other models or features.

The model defines two mandatory properties, the ss-property and the *-property.
  • Simple Security property (ss-property): a subject may read an object only if the subject's clearance is at or above the object's classification (no read up)
  • Star property (*-property): a subject may write to an object only if the object's classification is at or above the subject's clearance (no write down)

A consequence of the two rules together is that a subject can both read and write only objects at exactly its own level.

The model does not attempt to define technical constructs or solutions. It merely identifies a high-level set of rules that, if implemented correctly, prevent the exposure or unauthorized disclosure of information in a system processing data at different classification levels.

Biba

The Biba model is designed to address data integrity and does not address data confidentiality. Like Bell–LaPadula, Biba is a lattice-based model with multiple levels. It defines similar but slightly different modes of access (e.g., observe, modify) and likewise describes interactions between subjects and objects. Where Biba differs most obviously is its goal: it focuses on ensuring that the integrity of information is maintained by preventing corruption.

At the core of the model is a multilevel approach to integrity designed to prevent unauthorized subjects from modifying objects. Access is controlled so that objects keep their current state of integrity as subjects interact with them. Instead of the confidentiality levels used by Bell–LaPadula, Biba assigns integrity levels to subjects and objects according to how trustworthy they are considered to be. Biba keeps the same read-and-write structure as Bell–LaPadula, but the direction of each rule is reversed.


The model defines three properties: a simple property and a star property that mirror BLP's ss-property and *-property with the directions reversed, plus a new property, the invocation property.

  • Simple Integrity property: a subject cannot observe (read) an object of lower integrity (no read down)
  • Star Integrity property: a subject cannot modify (write to) an object of higher integrity (no write up)
  • Invocation property: a subject cannot invoke (send logical service requests to) another subject of higher integrity

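The following is an added example, not code from the original page: it implements the BLP and Biba rules above over a small lattice (a hierarchical level plus a set of compartments), so that both "dominates" and the reversed direction of Biba's rules are visible in working code. The level orderings, compartment names and sample labels are constructed for illustration and are assumptions, not anything the page specifies.

```python
from dataclasses import dataclass

# Constructed orderings for this example: a higher number is a higher level.
CLEARANCE = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
INTEGRITY = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical level plus a set of compartments.

    `level` is an integer from one of the orderings above; `categories` is a
    frozenset of compartment names such as {"NUCLEAR"} (constructed names).
    """
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self >= other in the lattice: level at least as high AND the
        category set is a superset. Two labels can be incomparable: neither
        dominates the other, so neither read nor write is permitted between them."""
        return self.level >= other.level and self.categories >= other.categories


def blp_allowed(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula confidentiality check; labels are clearances/classifications.

    read  -> ss-property: the subject's clearance must dominate the object (no read up)
    write -> *-property : the object's classification must dominate the subject (no write down)
    """
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown BLP access mode: {mode!r}")


def biba_allowed(subject: Label, target: Label, mode: str) -> bool:
    """Biba integrity check; labels are integrity levels, not clearances.

    observe -> simple integrity: the target must dominate the subject (no read down)
    modify  -> star integrity  : the subject must dominate the target (no write up)
    invoke  -> invocation      : the subject must dominate the subject it calls (no invoke up)
    """
    if mode == "observe":
        return target.dominates(subject)
    if mode in ("modify", "invoke"):
        return subject.dominates(target)
    raise ValueError(f"unknown Biba access mode: {mode!r}")


def blp_read_write_band(subject: Label, objects: list) -> list:
    """Objects the subject may both read and write under BLP. Because read needs
    subject >= object and write needs object >= subject, only objects whose label
    equals the subject's own label survive."""
    return [o for o in objects
            if blp_allowed(subject, o, "read") and blp_allowed(subject, o, "write")]


if __name__ == "__main__":
    analyst = Label(CLEARANCE["SECRET"], frozenset({"NUCLEAR"}))
    samples = {
        "memo (CONFIDENTIAL)": Label(CLEARANCE["CONFIDENTIAL"]),
        "plan (TOP_SECRET, NUCLEAR)": Label(CLEARANCE["TOP_SECRET"], frozenset({"NUCLEAR"})),
        "keys (SECRET, CRYPTO)": Label(CLEARANCE["SECRET"], frozenset({"CRYPTO"})),
    }
    for name, obj in samples.items():
        print(f"{name:28s} read={blp_allowed(analyst, obj, 'read')} "
              f"write={blp_allowed(analyst, obj, 'write')}")
```

The third sample object shows the case practitioners most often get wrong: a SECRET object in a compartment the subject does not hold is neither readable nor writable, even though the hierarchical levels match.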
Brewer and Nash

This model focuses on preventing conflicts of interest when a subject could gain access to sensitive information belonging to two competing parties. The principle is that a user should not be able to access the confidential information of both a client organization and one or more of its competitors. Initially, a subject may access either set of objects. Once the subject accesses an object associated with one competitor, however, it is immediately barred from accessing any objects belonging to the other side. This is intended to prevent the subject from passing information between competitors, even unintentionally. The model is also called the Chinese Wall model, after the financial industry's term for an information barrier between departments that serve competing clients: once a person is on one side of the wall, they cannot cross to the other. It is unusual in comparison with most other models because its access control decisions depend on the subject's past behavior rather than on static labels or a fixed permission table.
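The following is an added example, not code from the original page or from Brewer and Nash's paper: a history-based monitor in which each subject's wall is derived from what it has already read. The company datasets, conflict-of-interest classes and subject names are constructed for illustration. It goes slightly beyond the text by also including a simplified form of the model's write rule (the version here ignores the "sanitized" objects of the original paper), because without it a subject who has read two non-competing datasets could copy one into the other and leak it to a third subject.

```python
from collections import defaultdict


class ChineseWall:
    """History-based access control in the style of Brewer and Nash.

    `datasets` maps each company dataset to its conflict-of-interest (COI)
    class, e.g. {"BankA": "banks", "BankB": "banks", "OilCo": "oil"}
    (constructed example data). Rules consult `history`, not a static table.
    """

    def __init__(self, datasets: dict):
        self.coi_of = dict(datasets)
        # subject -> set of datasets the subject has read so far
        self.history = defaultdict(set)

    def can_read(self, subject: str, dataset: str) -> bool:
        """Simple rule: allowed unless the subject has already read a *different*
        dataset in the same COI class. Re-reading the same dataset stays allowed."""
        coi = self.coi_of[dataset]
        return not any(seen != dataset and self.coi_of[seen] == coi
                       for seen in self.history[subject])

    def read(self, subject: str, dataset: str) -> bool:
        """Attempt a read; on success record it, which narrows future access."""
        if not self.can_read(subject, dataset):
            return False
        self.history[subject].add(dataset)
        return True

    def can_write(self, subject: str, dataset: str) -> bool:
        """Star rule (simplified, no sanitized objects): writing is allowed only if
        reading is allowed AND the subject has read no other dataset. Otherwise a
        subject who read OilCo and BankA could copy OilCo data into BankA's files,
        where a subject working for OilCo's competitor could later read it."""
        others = self.history[subject] - {dataset}
        return self.can_read(subject, dataset) and not others

    def blocked_datasets(self, subject: str) -> set:
        """Datasets now behind the wall for this subject: the visible effect of
        the rules changing with behavior."""
        return {d for d in self.coi_of if not self.can_read(subject, d)}


if __name__ == "__main__":
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilCo": "oil"})
    for ds in ("BankA", "BankB", "OilCo", "BankA"):
        print(f"alice reads {ds}: {wall.read('alice', ds)}")
    print("blocked for alice:", wall.blocked_datasets("alice"))
    print("alice may write BankA:", wall.can_write("alice", "BankA"))
```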

Clark–Wilson

Biba addresses only the first of the three integrity goals that Clark and Wilson identified for a commercial environment: preventing unauthorized subjects from making changes, preventing authorized subjects from making improper changes, and maintaining internal and external consistency. The Clark–Wilson model improves on Biba by enforcing integrity at the transaction level and addressing all three.

To address the second goal, Clark and Wilson needed a way to prevent authorized subjects from making undesirable changes. Transactions by an authorized subject must therefore be evaluated by another party before they are committed on the model system. This provides separation of duties: the powers of the authorized subject are limited by a second subject who holds the power to evaluate and complete the transaction.

To address internal consistency (consistency within the model system itself), Clark and Wilson require a strict definition of well-formed transactions. The set of steps within any transaction must be carefully designed and enforced, and any deviation from the expected path causes the transaction to fail rather than leave the system's integrity compromised.

To control all subject and object interactions, Clark–Wilson establishes subject–program–object bindings so that the subject never has direct access to the object. Access goes through a program (a transformation procedure) that arbitrates every interaction and ensures it follows the defined rules. That program also performs subject identification and authentication and limits all access to the objects under its control.
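The following is an added example, not code from the original page or from Clark and Wilson's paper: a small ledger that enforces the elements described above in code. Account balances are the constrained data items (CDIs) and are private to the monitor; a certified transformation procedure (TP) is the only program that can touch them, and only through an access triple; raw text input is treated as an unconstrained data item (UDI) that must be validated first; an integrity verification procedure (IVP) checks every candidate state before commit; and a transaction proposed by one subject must be approved by a different subject. The account data, subject names and the sum-preserving invariant are constructed for illustration.

```python
from typing import Optional


class IntegrityViolation(Exception):
    """Raised when a transaction would leave the CDIs in an invalid state."""


def transfer(view: dict, src: str, dst: str, amount: int) -> None:
    """Constructed example TP: moves money between two accounts. It receives only
    the CDIs it was certified for, never the whole ledger."""
    view[src] -= amount
    view[dst] += amount


class ClarkWilsonLedger:
    """Constructed Clark-Wilson enforcement: subjects never touch CDIs directly;
    they invoke certified TPs through access triples, every result is checked by
    the IVP before commit, and a second subject must approve each transaction."""

    def __init__(self, accounts: dict):
        self._cdi = dict(accounts)              # CDIs, reachable only via TPs
        self._expected_total = sum(accounts.values())
        self._tps = {}                          # TP name -> (function, certified CDI names)
        self._triples = set()                   # (subject, TP name) pairs
        self._pending = {}                      # txn id -> (proposer, TP name, args)
        self._next_id = 1
        self.audit_log = []

    # Certification and authorization: done out of band by a security officer.
    def certify_tp(self, name: str, fn, cdis) -> None:
        self._tps[name] = (fn, frozenset(cdis))

    def authorize(self, subject: str, tp_name: str) -> None:
        self._triples.add((subject, tp_name))

    # IVP: the invariant every committed state must satisfy (constructed: no
    # negative balance, and money is neither created nor destroyed).
    def ivp(self, state: Optional[dict] = None) -> bool:
        state = self._cdi if state is None else state
        return all(v >= 0 for v in state.values()) and sum(state.values()) == self._expected_total

    def balance(self, account: str) -> int:
        return self._cdi[account]

    # UDI handling: raw text is unconstrained and must be validated before a TP sees it.
    @staticmethod
    def parse_transfer(raw: str) -> tuple:
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 3 or not parts[2].isdigit() or int(parts[2]) <= 0:
            raise ValueError(f"rejected UDI: {raw!r}")
        return parts[0], parts[1], int(parts[2])

    # Separation of duties: one subject proposes, a different one approves.
    def propose(self, subject: str, tp_name: str, *args) -> int:
        if (subject, tp_name) not in self._triples:
            raise PermissionError(f"no access triple for ({subject}, {tp_name})")
        txn_id, self._next_id = self._next_id, self._next_id + 1
        self._pending[txn_id] = (subject, tp_name, args)
        return txn_id

    def approve(self, approver: str, txn_id: int) -> bool:
        proposer, tp_name, args = self._pending[txn_id]
        if approver == proposer:
            raise PermissionError("proposer may not approve their own transaction")
        if (approver, "approve") not in self._triples:
            raise PermissionError(f"{approver} is not authorized to approve")
        del self._pending[txn_id]
        return self._run_tp(proposer, approver, tp_name, args)

    # Well-formed transaction: run the TP on a restricted view, verify, then
    # commit or roll back. Returns True on commit, False on rollback.
    def _run_tp(self, proposer: str, approver: str, tp_name: str, args: tuple) -> bool:
        fn, cdis = self._tps[tp_name]
        view = {name: self._cdi[name] for name in cdis}   # TP sees only its certified CDIs
        try:
            fn(view, *args)
            if set(view) != cdis:
                raise IntegrityViolation("TP touched a CDI it is not certified for")
            new_state = {**self._cdi, **view}
            if not self.ivp(new_state):
                raise IntegrityViolation("IVP failed: transaction is not well-formed")
        except (IntegrityViolation, KeyError, TypeError) as exc:
            self.audit_log.append(f"ROLLBACK {tp_name}{args} {proposer}/{approver}: {exc!r}")
            return False
        self._cdi = new_state                               # commit
        self.audit_log.append(f"COMMIT {tp_name}{args} {proposer}/{approver}")
        return True


if __name__ == "__main__":
    ledger = ClarkWilsonLedger({"A": 100, "B": 50})
    ledger.certify_tp("transfer", transfer, ["A", "B"])
    ledger.authorize("alice", "transfer")
    ledger.authorize("bob", "approve")
    txn = ledger.propose("alice", "transfer", *ClarkWilsonLedger.parse_transfer("A, B, 30"))
    print("committed:", ledger.approve("bob", txn), "A =", ledger.balance("A"), "B =", ledger.balance("B"))
    txn = ledger.propose("alice", "transfer", "A", "B", 500)   # overdraft: IVP rejects it
    print("committed:", ledger.approve("bob", txn), "A =", ledger.balance("A"))
    print(*ledger.audit_log, sep="\n")
```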

Graham–Denning

Graham–Denning is primarily concerned with how subjects and objects are created and deleted, how subjects are assigned rights or privileges, and how ownership of objects is managed. In other words, it deals with how a model system controls subjects and objects at a very basic level, where other models simply assume such control exists.

The Graham–Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights. A subject is composed of two things: a process and a domain. The domain is the set of constraints controlling how the subject may access objects. Subjects may also be treated as objects at specific times (for example, when another subject is granted control over them). The set of rights governs how subjects may manipulate the passive objects.

This model describes eight primitive protection rights, expressed as commands that subjects can execute to affect other subjects or objects. Two special rights drive most of the rules: owner (over an object) and control (over a subject).

The eight basic rules under Graham–Denning govern the following:

  1. Secure object creation
  2. Secure object deletion
  3. Secure subject creation
  4. Secure subject deletion
  5. Secure reading of an access right
  6. Secure granting of an access right
  7. Secure deletion of an access right
  8. Secure transfer of an access right

Harrison, Ruzzo, Ullman (HRU)

This model is very similar to the Graham–Denning model: it is composed of a set of generic rights and a finite set of commands, each command being a sequence of primitive operations on the access matrix (create or destroy a subject or object, enter or delete a right) guarded by a condition on the matrix's current contents. It is also concerned with situations in which a subject should be restricted from ever gaining a particular privilege. Where necessary, subjects are prevented from accessing the programs, or subroutines, that can execute a particular command (to grant read access, for example). HRU's central result is that, for arbitrary command sets, this safety question (can a given right ever leak to a given subject?) is undecidable, which is why practical systems restrict the commands they allow.
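The following is an added example, not code from the original page or from the Graham–Denning or HRU papers: an access matrix with the eight Graham–Denning commands above, each guarded by the owner/control checks the model uses, so that the conditions under which a right can be granted, transferred or revoked are explicit. In HRU terms, each method is a command: a condition on the current matrix followed by a sequence of primitive operations. The subject and object names are constructed, and the convention that a right ending in `*` carries a copy flag that permits onward transfer is an assumption made here to show the transfer rule.

```python
class AccessMatrix:
    """Constructed Graham-Denning style protection system.

    Rows are subjects, columns are objects; every subject is also an object, so
    it has a column. Cells hold right names. Two rights drive the rules: 'owner'
    over an object and 'control' over a subject. A right ending in '*' (e.g.
    'read*') carries the copy flag and may be transferred onward by its holder.
    """

    def __init__(self, root: str):
        self.subjects = {root}
        self.objects = {root}
        self.rights = {(root, root): {"control"}}   # (subject, object) -> set of rights

    def _cell(self, s: str, o: str) -> set:
        return self.rights.setdefault((s, o), set())

    def _has(self, s: str, o: str, right: str) -> bool:
        return right in self.rights.get((s, o), set())

    def _known(self, *names: str) -> None:
        for n in names:
            if n not in self.objects:
                raise KeyError(f"unknown subject/object {n!r}")

    # 1. create object: the creator becomes its owner
    def create_object(self, s: str, o: str) -> None:
        self._known(s)
        if o in self.objects:
            raise ValueError(f"{o!r} already exists")
        self.objects.add(o)
        self._cell(s, o).add("owner")

    # 2. delete object: only an owner may, and every right over it disappears
    def delete_object(self, s: str, o: str) -> None:
        if not self._has(s, o, "owner"):
            raise PermissionError(f"{s} does not own {o}")
        self.objects.discard(o)
        self.rights = {k: v for k, v in self.rights.items() if k[1] != o}

    # 3. create subject: the creator gets 'control' over the new subject
    def create_subject(self, s: str, new: str) -> None:
        self._known(s)
        if new in self.objects:
            raise ValueError(f"{new!r} already exists")
        self.subjects.add(new)
        self.objects.add(new)
        self._cell(s, new).add("control")

    # 4. delete subject: requires control; removes its row and its column
    def delete_subject(self, s: str, x: str) -> None:
        if not self._has(s, x, "control"):
            raise PermissionError(f"{s} does not control {x}")
        self.subjects.discard(x)
        self.objects.discard(x)
        self.rights = {k: v for k, v in self.rights.items() if x not in k}

    # 5. read access right: s may inspect x's rights over o if s controls x or owns o
    def read_rights(self, s: str, x: str, o: str) -> set:
        if not (self._has(s, x, "control") or self._has(s, o, "owner")):
            raise PermissionError(f"{s} may not read rights of {x} over {o}")
        return set(self.rights.get((x, o), set()))

    # 6. grant: only an owner of o may grant a right over o to x
    def grant(self, s: str, x: str, o: str, right: str) -> None:
        self._known(x, o)
        if not self._has(s, o, "owner"):
            raise PermissionError(f"{s} does not own {o}")
        self._cell(x, o).add(right)

    # 7. delete access right: requires control over x or ownership of o
    def delete_right(self, s: str, x: str, o: str, right: str) -> None:
        if not (self._has(s, x, "control") or self._has(s, o, "owner")):
            raise PermissionError(f"{s} may not revoke rights of {x} over {o}")
        self._cell(x, o).discard(right)

    # 8. transfer: s may pass 'r' or 'r*' over o to x only if s itself holds 'r*'
    def transfer(self, s: str, x: str, o: str, right: str) -> None:
        self._known(x, o)
        base = right.rstrip("*")
        if not self._has(s, o, base + "*"):
            raise PermissionError(f"{s} lacks transferable right {base}* over {o}")
        self._cell(x, o).add(right)


if __name__ == "__main__":
    m = AccessMatrix("root")
    for name in ("alice", "bob", "carol"):
        m.create_subject("root", name)
    m.create_object("alice", "payroll.db")
    m.grant("alice", "bob", "payroll.db", "read*")     # bob may pass read along
    m.transfer("bob", "carol", "payroll.db", "read")   # carol gets read without the copy flag
    print("carol over payroll.db:", m.read_rights("alice", "carol", "payroll.db"))
    try:
        m.transfer("carol", "bob", "payroll.db", "read")
    except PermissionError as exc:
        print("denied:", exc)
```

Note what the matrix cannot tell you on its own: whether some sequence of these commands will eventually let a particular subject obtain a particular right. That is the safety question HRU studies, and for unrestricted command sets it has no general algorithmic answer.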

Modern Implementation

Most modern operating systems implement elements of these security models. They are not exact implementations of the academic models; they are practical designs that provide functionality consistent with one or more of them.

The access control models discussed in Domain 5 (discretionary access control (DAC), mandatory access control (MAC), etc.) have vendor-specific operating system implementations of elements contained in the security models. Precise implementation of a security model has practical limitations and is rarely employed except in very specialized systems with intentionally limited functionality.
