Security Architecture and Design/Security Models
- A security policy is a document that expresses clearly and concisely what the protection mechanisms are to achieve. It is a statement of the security we expect the system to enforce.
- A security model is a specification of a security policy:
- it describes the entities governed by the policy,
- it states the rules that constitute the policy.
- There are various types of security models:
- Models can capture policies for confidentiality (Bell-LaPadula) or for integrity (Biba, Clark-Wilson).
- Some models apply to environments with static policies (Bell-LaPadula), others consider dynamic changes of access rights (Chinese Wall).
- Security models can be informal (Clark-Wilson), semi-formal, or formal (Bell-LaPadula, Harrison-Ruzzo-Ullman).
- Model vs Policy
- A security model maps the abstract goals of the policy to information system terms by specifying the explicit data structures and techniques necessary to enforce the security policy. A security model is usually expressed in mathematical and analytical terms, which are then mapped to system specifications and finally implemented by programmers in code.
- For example, if a security policy states that subjects need to be authorized to access objects, the security model would provide the mathematical relationships and formulas explaining how x can access y only through the outlined specific methods.
- A security policy outlines goals without regard to how they will be accomplished. A model is a framework that gives the policy form and solves security access problems for particular situations.
Lattice Models
- A lattice is a mathematical construct that is built upon the notion of a group.
- A lattice is a mathematical construction with:
- a set of elements
- a partial ordering relation
- the property that any two elements must have a unique least upper bound and a unique greatest lower bound
- A security lattice model combines multilevel and multilateral security.
- Lattice elements are security labels that consist of a security level and a set of categories.
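The label lattice described above, as an added example that is not part of the original page: a label is a level plus a category set, dominance is the partial order, and the bounds are computed from both parts. The level names, category names and the `label` helper are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed hierarchy for illustration; real systems define their own levels.
LEVELS = ("unclassified", "confidential", "secret", "top secret")

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    @property
    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: "Label") -> bool:
        """Partial order: level at least as high AND a superset of categories."""
        return self.rank >= other.rank and self.categories >= other.categories

def label(level: str, *categories: str) -> Label:
    """Hypothetical convenience constructor."""
    return Label(level, frozenset(categories))

def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the higher level with the union of categories."""
    return Label(LEVELS[max(a.rank, b.rank)], a.categories | b.categories)

def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the lower level with the shared categories."""
    return Label(LEVELS[min(a.rank, b.rank)], a.categories & b.categories)

if __name__ == "__main__":
    a = label("secret", "crypto")
    b = label("confidential", "nuclear")
    # Neither label dominates the other, so the ordering is only partial.
    print(a.dominates(b), b.dominates(a))
    # Lowest label able to hold data derived from both a and b.
    print(lub(a, b))
    # Highest label that both a and b dominate.
    print(glb(a, b))
```

The least upper bound is the label a system would assign to data combined from both sources; the greatest lower bound is the highest clearance that is safe to assume when only one of the two labels is guaranteed.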
State Machine Models
- In a state machine model, the state of a machine is captured in order to verify the security of a system.
- A given state consists of all current permissions and all current instances of subjects accessing objects. If subjects can access objects only by means that are consistent with the security policy, the system is secure.
- The model is used to describe the behavior of a system in response to different inputs. It provides mathematical constructs that represent sets (subjects, objects) and sequences. When an object accepts an input, this modifies a state variable, thus transitioning to a different state.
- Implementation tips
- The developer must define what and where the state variables are.
- The developer must define a secure state for each state variable.
- Define and identify the allowable state transition functions.
- The state transition functions should be tested to verify that the overall machine state will not be compromised and that the integrity of the system is maintained.
Noninterference Models
- The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level.
- It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level.
- The model also addresses the inference attack that occurs when someone has access to some type of information and can infer (guess) something that he does not have the clearance level or authority to know.
Bell—LaPadula Confidentiality Model
- It was the first mathematical model of a multilevel security policy. It is used to define the concept of a secure state machine and modes of access, and it outlines rules of access.
- It is a state machine model that enforces the confidentiality aspects of access control.
- The model focuses on ensuring that subjects with different clearances (top secret, secret, confidential) are properly authenticated, by having the necessary security clearance, need to know, and formal access approval, before accessing objects that are under different classification levels (top secret, secret, confidential).
- The rules of the Bell-LaPadula model
- Simple security rule (no read up rule): a subject at a given security level cannot read data that resides at a higher security level.
- Star property rule (no write down rule): a subject at a given security level cannot write information to a lower security level.
- Strong star property rule: a subject that has read and write capabilities can only perform those functions at the same security level, nothing higher and nothing lower.
- Tranquility principle: subjects and objects cannot change their security levels once they have been instantiated (created).
- All MAC systems are based on the Bell-LaPadula model because of its multilevel security.
- It was designed for the US government and is mostly adopted by government agencies.
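The state machine implementation tips and the Bell-LaPadula rules above, combined in an added example that is not part of the original page: the state is the set of current accesses, the secure-state test applies the simple security and star property rules, and an exhaustive search confirms that no sequence of inputs leaves the secure states. Subjects, objects and their levels are constructed, and they stay fixed, which is the tranquility principle.

```python
from itertools import product

# Constructed levels, subjects and objects (not from the page).
LEVEL = {"confidential": 1, "secret": 2, "top secret": 3}
CLEARANCE = {"alice": "secret", "bob": "confidential"}
CLASSIFICATION = {"plan": "top secret", "report": "secret", "memo": "confidential"}

def allowed(subj, obj, mode):
    s, o = LEVEL[CLEARANCE[subj]], LEVEL[CLASSIFICATION[obj]]
    if mode == "read":        # simple security rule: no read up
        return s >= o
    if mode == "write":       # star property rule: no write down
        return s <= o
    return False

def is_secure(state):
    """A state is the set of current (subject, object, mode) accesses."""
    return all(allowed(*access) for access in state)

def request(state, subj, obj, mode):
    """Transition function: grant only if the next state is still secure."""
    nxt = state | {(subj, obj, mode)}
    return nxt if is_secure(nxt) else state

def release(state, subj, obj, mode):
    """Transition function: dropping an access can never break security."""
    return state - {(subj, obj, mode)}

def reachable_states(transition):
    """Explore every state reachable from the empty (secure) initial state."""
    inputs = list(product(CLEARANCE, CLASSIFICATION, ("read", "write")))
    seen, todo = {frozenset()}, [frozenset()]
    while todo:
        state = todo.pop()
        for inp in inputs:
            for nxt in (transition(state, *inp), release(state, *inp)):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen

if __name__ == "__main__":
    states = reachable_states(request)
    print(len(states), "reachable states, all secure:",
          all(is_secure(s) for s in states))
```

Passing a transition function that grants every request to `reachable_states` makes the same search find insecure states, which is the test the implementation tips ask for.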
Biba Integrity Model
- It was developed after the Bell-LaPadula model.
- It addresses integrity of data, unlike Bell-LaPadula, which addresses confidentiality.
- It uses a lattice of integrity levels, unlike Bell-LaPadula, which uses a lattice of security levels.
- It is also an information flow model, like Bell-LaPadula, because both are most concerned with data flowing from one level to another.
- The rules of the Biba model
- Simple integrity rule (no read down): a subject cannot read data from a lower integrity level.
- Star integrity rule (no write up): a subject cannot write data to an object at a higher integrity level.
- Invocation property: a subject cannot invoke (call upon) a subject at a higher integrity level.
Clark—Wilson Integrity Model
- It was developed after Biba and addresses the integrity of information.
- This model separates data into one subset that needs to be highly protected, referred to as constrained data items (CDIs), and another subset that does not require a high level of protection, referred to as unconstrained data items (UDIs).
- Subjects (users): are active agents.
- Transformation procedures (TPs): the software procedures, such as read, write, and modify, that perform the required operation on behalf of the subject (user).
- Constrained data items (CDI): data that can be modified only by TPs.
- Unconstrained data items (UDI): data that can be manipulated by subjects via primitive read/write operations.
- Integrity verification procedure (IVP): programs that run periodically to check the consistency of CDIs with external reality. These integrity rules are usually defined by vendors.
- Integrity goals of the Clark-Wilson model
- Prevent unauthorized users from making modifications (addressed by the Biba model).
- Separation of duties prevents authorized users from making improper modifications.
- Well-formed transactions: maintain internal and external consistency, i.e. a well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to another.
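The Clark-Wilson elements above, put together in an added example that is not part of the original page: account balances are the CDIs, the raw transfer request is the UDI, two TPs are the only code that touches the balances, a second user must approve each transfer, and an IVP checks the result. The `Ledger` class, its method names and the list of certified (user, TP) pairs are constructed for illustration.

```python
class IntegrityError(Exception):
    """Raised when a TP rejects its input or the IVP finds inconsistent CDIs."""

class Ledger:
    def __init__(self, balances, certified):
        self._cdi = dict(balances)             # CDIs: changed only inside TPs
        self._expected_total = sum(self._cdi.values())
        self._certified = set(certified)       # (user, TP name) pairs allowed
        self._pending = {}                     # proposals awaiting a second user
        self._next_id = 0

    def _check_user(self, user, tp_name):
        if (user, tp_name) not in self._certified:
            raise PermissionError(f"{user} is not certified for {tp_name}")

    def propose_transfer(self, user, src, dst, amount):
        """TP: validate the UDI (raw request) before it can touch any CDI."""
        self._check_user(user, "propose_transfer")
        if (not isinstance(amount, int) or amount <= 0
                or src not in self._cdi or dst not in self._cdi):
            raise IntegrityError("malformed transfer request")
        self._next_id += 1
        self._pending[self._next_id] = (user, src, dst, amount)
        return self._next_id

    def approve_transfer(self, user, transfer_id):
        """TP: a different user commits the change as one well-formed step."""
        self._check_user(user, "approve_transfer")
        proposer, src, dst, amount = self._pending[transfer_id]
        if user == proposer:
            raise PermissionError("separation of duties: approver is proposer")
        if self._cdi[src] < amount:
            raise IntegrityError("insufficient funds")
        del self._pending[transfer_id]
        self._cdi[src] -= amount               # both updates happen or neither
        self._cdi[dst] += amount
        self.verify()

    def verify(self):
        """IVP: money is neither created nor destroyed, no negative balance."""
        ok = (sum(self._cdi.values()) == self._expected_total
              and all(v >= 0 for v in self._cdi.values()))
        if not ok:
            raise IntegrityError("CDIs are inconsistent")
        return True

    def balance(self, account):
        return self._cdi[account]
```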
Access Control Matrix
- This model is addressed in access control.
- It is commonly used in operating systems and applications.
Information Flow Models
- In this model, data is thought of as being held in individual discrete compartments.
- Information is compartmentalized based on two factors.
- Classification and
- Need to know
- The subject's clearance has to dominate the object's classification, and the subject's security profile must contain one of the categories listed in the object label, which enforces need to know.
- For example:
- Bell-LaPadula, which prevents information from flowing from a higher security level to a lower security level.
- Biba, which prevents information from flowing from a lower integrity level to a higher integrity level.
- A covert channel is a way for an entity to receive information in an unauthorized manner.
- It is an information flow that is not controlled by a security mechanism.
- It is an unauthorized communication path that is not protected by the system because it was not covered when the system was developed.
- Types of covert channels
- Covert timing: in this channel, one process relays information to another by modulating its use of system resources.
- Covert storage: in this channel, one process writes data to a storage location and another process reads it, directly or indirectly.
Graham—Denning Model
- This model defines a set of basic rights in terms of commands that a specific subject can execute on an object.
- It proposes eight primitive protection rights, or rules of how these types of functionalities should take place securely.
- How to securely create an object.
- How to securely create a subject.
- How to securely delete an object.
- How to securely delete a subject.
- How to provide read access rights.
- How to provide grant access rights.
- How to provide delete access rights.
- How to provide transfer access rights.
Harrison—Ruzzo—Ullman Model
- The HRU security model (Harrison, Ruzzo, Ullman model) is an operating system level computer security model which deals with the integrity of access rights in the system. The system is based around the idea of a finite set of procedures being available to edit the access rights of a subject s on an object o.
- The model also discusses the possibilities and limitations of proving the safety of a system using an algorithm.
Brewer—Nash (Chinese Wall)
- This model provides access controls that can change dynamically depending upon a user's previous actions.
- The main goal of this model is to protect against conflicts of interest arising from users' access attempts.
- It is based on the information flow model, where no information can flow between subjects and objects in a way that would result in a conflict of interest.
- The model states that a subject can write to an object if, and only if, the subject cannot read another object that is in a different data set.
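How access rights change with a user's history under Brewer-Nash, as an added example that is not part of the original page. It goes slightly beyond the text by including the model's read rule and conflict-of-interest classes, and it assumes that "can read" in the write rule means "has already read"; the data set names and classes are constructed.

```python
# Constructed data sets and their conflict-of-interest classes.
COI_CLASS = {"BankA": "banks", "BankB": "banks", "OilX": "oil"}

class ChineseWall:
    def __init__(self):
        self.history = {}    # subject -> data sets the subject has read

    def can_read(self, subj, dataset):
        """Allowed if already inside this wall, or no competitor was read."""
        seen = self.history.get(subj, set())
        if dataset in seen:
            return True
        return all(COI_CLASS[d] != COI_CLASS[dataset] for d in seen)

    def read(self, subj, dataset):
        """Grant the read if permitted and record it in the history."""
        if not self.can_read(subj, dataset):
            return False
        self.history.setdefault(subj, set()).add(dataset)
        return True

    def can_write(self, subj, dataset):
        """Write rule: the subject has read nothing from a different data set."""
        seen = self.history.get(subj, set())
        return self.can_read(subj, dataset) and seen <= {dataset}

if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.read("alice", "BankA"))       # first access: free choice
    print(wall.read("alice", "BankB"))       # competitor of BankA: refused
    print(wall.read("alice", "OilX"))        # different class: allowed
    # Alice has now read BankA and OilX. If she could write to OilX, a
    # subject who reads BankB and OilX would learn BankA data indirectly.
    print(wall.can_write("alice", "OilX"))
```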