3.2 Understand the fundamental concepts of security models (Biba, Star Model, Bell-LaPadula)

It’s best to understand security as a model.  Some definitions that will help us:

  • Trusted Computing Base – a combination of hardware, software, and controls that enforce a security policy

    The TCB is the part of the system that is trusted to enforce the policy.  We should remember that other parts of the system are not trusted to enforce the policy.  The TCB controls access to the system and governs what passes between the inside and the outside of the TCB.

  • The Security Perimeter separates the TCB from the rest of the system.  The TCB can communicate with the external system through the trusted path.

  • Reference Monitor – the reference monitor validates access to a resource.  It sits between each subject and object.  A number of access control authorization models can be used.

  • Together, the components of the TCB that implement the reference monitor are called the security kernel.  We give the reference monitor a description of each resource so that it can figure out whether a subject should be allowed to access it.

  • A State Machine Model describes a system as a set of states and the transitions between them.  The system is secure if it starts in a secure state and every transition leads to another secure state, no matter what input it receives.

  • A Finite State Machine takes an external input and an internal machine state and produces an output.  The next state is a function of the input and the current state.

    A state is a snapshot of the system at a specific time.  A transition is the system changing from one state to another.  If every transition takes the system from one secure state to another secure state, no matter what, then the machine is a secure state machine.

Now that we know about the state, we can think about modeling the information flow.  How does data flow through a computer to a user?  There are several abstract models.

  • Bell-LaPadula model – how do we keep information from moving from a high security level to a low security level?

  • Biba model – how do we keep information from moving from a low security level to a high security level?

  • Noninterference Model – how do the actions of a subject at a higher security level affect the system state at a lower security level?  The actions at a high level should not affect the actions at a low level.

  • Composition Theory Model – how do inputs and outputs relate to each other?  How does information flow?

    • Cascading – the output of one system is the input to another system

    • Feedback – two systems are in a loop, where output from A is input to B, and output from B is input to A

    • Hookup – a system sends its input to another system and to other external systems

  • Take-Grant Model – shows how rights can be transmitted from one subject to another or from a subject to an object.  A subject that has the “take” right can take a right away from another subject.  A subject with the “grant” right can give a right to another subject.

  • Access Control Matrix – a table of subjects and objects that tells us what functions each subject can perform on each object.  Each column is an Access Control List.  Each row is a capabilities list.  That means that the ACL is connected to the object and tells us what actions each subject can perform on it.  The capability list is tied to the subject.

    With a capability list, for each subject we keep a list of the rights it has over every object.  That makes revocation expensive: if we want to stop all access to an object, we must update the capability list of every subject in the organization.

The Bell-LaPadula Model was developed by the DoD.  The idea is that each subject is given a security clearance level, and each object is given a security level.  A subject can access any object that is at or below its clearance level.  At higher levels, access is only provided on a need-to-know basis.  That means that the subject must be explicitly granted access to the object in addition to having the clearance.

The model includes Lattice-Based Access Control – mandatory access controls arranged in a lattice, whose tiers are the classification levels applied to each subject and object.  The model’s properties include:

  • Simple Security Property – a subject can’t read information that is classified higher than itself (no read up)

  • * Security Property – a subject can’t write information to an object at a lower sensitivity level (no write down).  Bell-LaPadula thereby prevents us from copying/pasting sensitive data into a less sensitive level.

  • Discretionary Security Property – the system uses an access matrix to enforce discretionary access, such as on a need-to-know basis.

The Biba Model provides integrity (ensures that data is not modified by unauthorized subjects), with two properties:

  • Simple Integrity Property – a subject can’t read an object at a lower integrity level.  This is also known as no read down.

  • * Integrity Property – a subject can’t write to an object at a higher integrity level.  This is also known as no write up.

Biba prevents modification of objects by unauthorized subjects.  Every subject and object must have a label.  Biba does not provide confidentiality.
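The following is an added worked example, not part of these notes: a small reference monitor that applies the Bell-LaPadula rules to confidentiality labels and the Biba rules to integrity labels.  A label is a rank in a lattice plus a set of need-to-know categories, so "dominates" is a rank comparison and a subset test.  The level names, category names, and the combined check are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed lattices: a totally ordered level plus need-to-know categories.
# The names are illustrative, not taken from any real classification scheme.
CONFIDENTIALITY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Label:
    """A lattice label: a rank from one of the tables above plus categories."""
    rank: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominates when the rank is at least as high AND every category the
        # other label carries is also held here (need-to-know as a subset test).
        return self.rank >= other.rank and other.categories <= self.categories


def conf(level: str, *cats: str) -> Label:
    """Build a confidentiality label from a level name and categories."""
    return Label(CONFIDENTIALITY[level], frozenset(cats))


def integ(level: str, *cats: str) -> Label:
    """Build an integrity label from a level name and categories."""
    return Label(INTEGRITY[level], frozenset(cats))


def blp_allows(mode: str, subject: Label, obj: Label) -> bool:
    """Bell-LaPadula on confidentiality labels."""
    if mode == "read":    # simple security property: no read up
        return subject.dominates(obj)
    if mode == "write":   # * (star) property: no write down
        return obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(mode: str, subject: Label, obj: Label) -> bool:
    """Biba on integrity labels; the rules are the mirror image of BLP."""
    if mode == "read":    # simple integrity property: no read down
        return obj.dominates(subject)
    if mode == "write":   # * integrity property: no write up
        return subject.dominates(obj)
    raise ValueError(f"unknown mode {mode!r}")


def reference_monitor(mode: str, subject_conf: Label, subject_integ: Label,
                      obj_conf: Label, obj_integ: Label) -> bool:
    """Access is allowed only if neither model vetoes it (constructed combination)."""
    return (blp_allows(mode, subject_conf, obj_conf)
            and biba_allows(mode, subject_integ, obj_integ))


if __name__ == "__main__":
    analyst = conf("SECRET", "CRYPTO")
    samples = {"daily report": conf("CONFIDENTIAL"),
               "key schedule": conf("SECRET", "CRYPTO"),
               "war plan": conf("TOP_SECRET", "CRYPTO"),
               "sigint feed": conf("SECRET", "SIGINT")}
    for name, obj in samples.items():
        print(f"{name:13} read={blp_allows('read', analyst, obj)!s:5} "
              f"write={blp_allows('write', analyst, obj)}")
```

Note that the categories are what give the lattice its need-to-know behaviour: a SECRET subject cleared for CRYPTO cannot read a SECRET object in the SIGINT compartment even though the levels match, and it cannot "write up" to a TOP_SECRET object unless that object also carries the CRYPTO category.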

The Clark-Wilson Model says that a subject can only access an object through a program.  The subject can’t access the object directly.  Just because the subject has access doesn’t mean that it can do whatever it wants.  Each program is limited in what it can do with an object.  Some properties of the model:

  • A Constrained Data Item is an object that is protected

  • An Unconstrained Data Item is an object that is not protected yet (an input that has not been validated)

  • The Integrity Verification Procedure is a process to confirm the integrity of an item

  • A Transformation Procedure is a procedure that modifies a Constrained Data Item
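The following is an added worked example, not part of these notes, showing the four Clark-Wilson pieces together.  Account balances are the Constrained Data Items, a transfer routine is the Transformation Procedure, the only way to touch a balance is through the certified (user, TP, CDI) triples, and the Integrity Verification Procedure checks that every TP leaves the balances consistent.  The bank scenario, the account names, and the conservation-of-money invariant are constructed for illustration.

```python
from typing import Callable, Dict, Tuple


class ClarkWilson:
    """CDIs are reachable only through certified TPs; the IVP runs after every TP.
    Constructed example, not code from the notes."""

    def __init__(self, cdis: Dict[str, int]):
        self._cdis = dict(cdis)                    # CDIs: account -> balance in cents
        self._expected_total = sum(cdis.values())  # invariant the IVP enforces
        self._tps: Dict[str, Callable] = {}
        self._certified = set()                    # access triples (user, tp, cdi)
        self.audit_log = []

    # Certification is done by a security officer, never by the users themselves.
    def register_tp(self, name: str, fn: Callable) -> None:
        self._tps[name] = fn

    def certify(self, user: str, tp: str, cdi: str) -> None:
        self._certified.add((user, tp, cdi))

    def ivp(self) -> bool:
        """Integrity verification procedure: no negative balance, money conserved."""
        values = list(self._cdis.values())
        return all(v >= 0 for v in values) and sum(values) == self._expected_total

    def run(self, user: str, tp: str, cdis: Tuple[str, ...], *args) -> Dict[str, int]:
        """The only path from a subject to a CDI."""
        for cdi in cdis:
            if (user, tp, cdi) not in self._certified:
                raise PermissionError(f"{user} is not certified to run {tp} on {cdi}")
        snapshot = dict(self._cdis)
        try:
            self._tps[tp](self._cdis, *cdis, *args)
            if not self.ivp():
                raise ValueError(f"{tp} violated the integrity constraint")
        except Exception:
            self._cdis = snapshot          # a failed TP leaves the CDIs untouched
            raise
        self.audit_log.append((user, tp, cdis, args))
        return dict(self._cdis)

    def balances(self) -> Dict[str, int]:
        return dict(self._cdis)


def transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> None:
    """A well-formed TP: moves money between two CDIs and conserves the total."""
    if amount <= 0 or cdis[src] < amount:
        raise ValueError("invalid transfer")
    cdis[src] -= amount
    cdis[dst] += amount


def parse_amount(udi: str) -> int:
    """Turn an unconstrained data item (raw user input) into a validated value."""
    text = udi.strip()
    if not text.isdigit():
        raise ValueError(f"rejected UDI {udi!r}")
    return int(text)


def build_demo() -> ClarkWilson:
    """Constructed setup: alice is certified to transfer, bob is not."""
    cw = ClarkWilson({"checking": 10_000, "savings": 5_000})
    cw.register_tp("transfer", transfer)
    for cdi in ("checking", "savings"):
        cw.certify("alice", "transfer", cdi)
    return cw


if __name__ == "__main__":
    cw = build_demo()
    print(cw.run("alice", "transfer", ("checking", "savings"), parse_amount(" 2500 ")))
    try:
        cw.run("bob", "transfer", ("savings", "checking"), 100)
    except PermissionError as e:
        print("blocked:", e)
```

The point the notes make, that having access to the system is not the same as being able to do anything to the data, is visible in `run`: even a certified user can only invoke the registered TP, and a TP that breaks the invariant (say one that creates money) is rolled back by the IVP check.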

The Brewer and Nash Model

  • Permits access controls to change based on the previous activity of a user

  • It is also known as the Chinese Wall Model

  • It prevents a subject from accessing multiple conflicting objects.  This is used to prevent conflicts of interest.  For example, a rule might say that a user with access to object A should not also be able to access object B.  A user might start with access to both object A and object B.  As soon as the user accesses object A, they will be blocked from accessing object B.

  • The access can be limited temporarily or permanently depending on the requirements
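The following is an added worked example, not part of these notes: a Brewer and Nash (Chinese Wall) check in which access decisions depend on what the user has already read.  Company datasets are grouped into conflict-of-interest classes; once a user reads one company's data, every other company in the same class is walled off.  The class and dataset names are constructed, and the write rule shown is the model's usual one (a subject may write only where it can read and has not read any other company's data), kept here without the sanitized-data exception.

```python
from typing import Dict, Set


class ChineseWall:
    """History-based access control; constructed example, not the notes' code."""

    def __init__(self, coi_classes: Dict[str, Set[str]]):
        # dataset -> conflict-of-interest class it belongs to
        self._class_of = {ds: cls for cls, members in coi_classes.items() for ds in members}
        self._history: Dict[str, Set[str]] = {}   # user -> datasets read so far

    def can_read(self, user: str, dataset: str) -> bool:
        """Simple rule: allowed unless the user has read a competitor in the same class."""
        cls = self._class_of[dataset]
        seen = self._history.get(user, set())
        return all(prev == dataset or self._class_of[prev] != cls for prev in seen)

    def read(self, user: str, dataset: str) -> bool:
        """A successful read is recorded, which changes every later decision."""
        if not self.can_read(user, dataset):
            return False
        self._history.setdefault(user, set()).add(dataset)
        return True

    def can_write(self, user: str, dataset: str) -> bool:
        """*-rule: write only where the user can read and has read nothing else,
        otherwise data read behind one wall could be copied across another."""
        seen = self._history.get(user, set())
        return self.can_read(user, dataset) and all(prev == dataset for prev in seen)

    def history(self, user: str) -> Set[str]:
        return set(self._history.get(user, set()))


# Constructed conflict-of-interest classes: two banks compete, two oil firms compete.
COI = {"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}}


if __name__ == "__main__":
    wall = ChineseWall(COI)
    for ds in ("BankA", "BankB", "OilX", "BankA"):
        print(f"alice reads {ds}: {wall.read('alice', ds)}")
    print("alice may write to BankA:", wall.can_write("alice", "BankA"))
```

Because the wall is built from the user's own history rather than from a static label, two users with identical clearances can end up with different rights, which is exactly the "permits access controls to change based on the previous activity of a user" behaviour in the notes.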

The Take-Grant Model consists of four parts

  • Take – allows a subject to take the rights of another object

  • Grant – allows a subject to give rights to another object

  • Create – allows a subject to create a new object

  • Remove – allows a subject to revoke the rights of an object

The Goguen-Meseguer Model

  • It is an integrity model (prevents data from being modified by unauthorized subjects)

  • It is also known as the noninterference model

  • We predetermine the objects that each subject can access

  • A subject can perform specific actions against specific objects

The Sutherland Model

  • We define system states, initial states, and transition states

  • The system can use these states and transitions and no others

The Graham-Denning Model

  • This model allows us to securely create and delete objects

  • We create a set of rules:

    • Securely create an object

    • Securely create a subject

    • Securely delete an object

    • Securely delete a subject

    • Securely provide read access

    • Securely provide grant access

    • Securely provide delete access

    • Securely provide transfer access

  • We might record the subjects, objects, and rights that these rules operate on in an access control matrix
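The following is an added worked example, not part of these notes.  It serves both the Access Control Matrix description earlier on the page (columns as ACLs, rows as capability lists, and the cost of revoking access to one object) and the Graham-Denning rules above: each of the eight rules is a method that checks ownership or control before editing the matrix.  The right names "owner" and "control", the "*" copy flag used for transfer, and the subject and object names are constructed assumptions.

```python
from typing import Dict, Set, Tuple


class AccessMatrix:
    """Subjects are rows; objects (and subjects) are columns; each cell is a set
    of rights. A column is the object's ACL, a row is the subject's capability
    list. The methods are the eight Graham-Denning rules. Constructed example."""

    def __init__(self, root: str):
        self.subjects: Set[str] = {root}
        self.objects: Set[str] = set()
        self._cells: Dict[Tuple[str, str], Set[str]] = {(root, root): {"control"}}

    def rights(self, subj: str, target: str) -> Set[str]:
        return self._cells.setdefault((subj, target), set())

    def _owns(self, subj: str, target: str) -> bool:
        return "owner" in self.rights(subj, target)

    def _controls(self, subj: str, other: str) -> bool:
        return "control" in self.rights(subj, other)

    def _require(self, ok: bool, why: str) -> None:
        if not ok:
            raise PermissionError(why)

    # 1. create object: the creator becomes its owner
    def create_object(self, creator: str, name: str) -> None:
        self._require(creator in self.subjects, f"{creator} is not a subject")
        self.objects.add(name)
        self.rights(creator, name).add("owner")

    # 2. create subject: the creator owns it, and every subject controls itself
    def create_subject(self, creator: str, name: str) -> None:
        self._require(creator in self.subjects, f"{creator} is not a subject")
        self.subjects.add(name)
        self.rights(creator, name).add("owner")
        self.rights(name, name).add("control")

    def _drop(self, name: str, row: bool) -> None:
        for key in [k for k in self._cells if k[1] == name or (row and k[0] == name)]:
            del self._cells[key]

    # 3. / 4. delete object or subject: only its owner may
    def delete_object(self, subj: str, name: str) -> None:
        self._require(self._owns(subj, name), f"{subj} does not own {name}")
        self.objects.discard(name)
        self._drop(name, row=False)

    def delete_subject(self, subj: str, name: str) -> None:
        self._require(self._owns(subj, name), f"{subj} does not own {name}")
        self.subjects.discard(name)
        self._drop(name, row=True)

    # 5. read access right: learn what `other` may do to `target`
    def read_rights(self, subj: str, other: str, target: str) -> Set[str]:
        self._require(self._owns(subj, target) or self._controls(subj, other),
                      f"{subj} may not inspect {other}'s rights on {target}")
        return set(self.rights(other, target))

    # 6. grant access right: the owner of `target` hands a right to `to`
    def grant(self, owner: str, right: str, to: str, target: str) -> None:
        self._require(self._owns(owner, target), f"{owner} does not own {target}")
        self.rights(to, target).add(right)

    # 7. delete access right: the owner of `target` or a controller of `holder`
    def delete_right(self, subj: str, right: str, holder: str, target: str) -> None:
        self._require(self._owns(subj, target) or self._controls(subj, holder),
                      f"{subj} may not revoke {right} from {holder}")
        self.rights(holder, target).discard(right)

    # 8. transfer access right: needs the right with the copy flag, e.g. 'read*'
    def transfer(self, subj: str, right: str, to: str, target: str) -> None:
        self._require(right + "*" in self.rights(subj, target),
                      f"{subj} holds no transferable {right} on {target}")
        self.rights(to, target).add(right)

    # Column view (ACL): who can do what to this object
    def acl(self, target: str) -> Dict[str, Set[str]]:
        return {s: set(r) for (s, t), r in self._cells.items() if t == target and r}

    # Row view (capability list): what this subject can do to everything
    def capabilities(self, subj: str) -> Dict[str, Set[str]]:
        return {t: set(r) for (s, t), r in self._cells.items() if s == subj and r}

    # Stopping all access to an object means visiting every subject's row,
    # which is the revocation cost of capability lists; returns rows touched.
    def revoke_all(self, owner: str, target: str) -> int:
        self._require(self._owns(owner, target), f"{owner} does not own {target}")
        touched = 0
        for (s, t), r in self._cells.items():
            if t == target and s != owner and r:
                r.clear()
                touched += 1
        return touched
```

Reading the same matrix by column gives the ACL that the notes attach to the object; reading it by row gives the capability list attached to the subject.  `revoke_all` makes the trade-off concrete: it has to sweep every row to stop access to one object, whereas an ACL implementation would only edit one column.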