3 - Fundamental Concepts of Security Models (Coggle diagram)
Methods to describe the necessary security attributes
Security token
Separate object that is associated with a resource and describes its security attributes.
Can communicate security information about an object prior to requesting access to the actual object
Capabilities list
Maintains a row of security attributes for each controlled object
Not as flexible as the token object, but quicker lookups when a subject requests access to an object
Security label
Generally a permanent part of the object to which it's attached
Once set, it generally cannot be altered
Trusted computing base
Security perimeter
Imaginary boundary that separates the TCB from the rest of the system
It ensures that no insecure communications or interactions occur between the TCB and the remaining elements of the computer system
For the TCB to communicate with the rest of the system, it must create trusted paths/secure channels
Scope: Includes all security-critical components: the OS kernel, access control mechanisms, trusted processes, and hardware enforcing protection (e.g., CPU ring levels, memory protection).
Reference monitor
Validates access to every resource prior to granting access requests
Concept or theory that is put into practice via the implementation of a security kernel in software and hardware
Enforces access control or authorization based on the desired security model, whether discretionary, mandatory, role-based, or some other form of access control
State machine model
A system that is always secure no matter what state it is in
If each possible state transition results in another secure state, the system can be called a secure state machine
Information flow model
Focuses on controlling the flow of information, building on the state machine model.
Designed to prevent unauthorized, insecure, or restricted information flow, often between different levels of security
Noninterference model
Loosely based on the information flow model.
Instead of being concerned about the flow of information, the noninterference model is concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level
Actions of subject A (high) should not affect or interfere with the actions of subject B (low) or even be noticed by subject B
Take-grant model
Employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object
4 rules
Take rule: allows a subject to take rights over an object
Grant rule: allows a subject to grant rights to an object
Create rule: Allows a subject to create new rights
Remove rule: Allows a subject to remove rights it has
Access control matrix
Table of subjects and objects that indicates the actions or functions that each subject can perform on each object.
A capabilities table can be created by pivoting an access control matrix
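An added example (not part of the original diagram) showing the two pivots of an access control matrix described above: grouping cells by subject yields a capabilities list, grouping by object yields an access control list, and a default-deny check looks up one cell. Subject, object and right names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample matrix: one (subject, object, right) triple per filled cell.
MATRIX_CELLS = [
    ("alice", "payroll.db", "read"), ("alice", "payroll.db", "write"),
    ("alice", "report.doc", "read"),
    ("bob", "report.doc", "read"), ("bob", "report.doc", "write"),
]


def capabilities_list(cells):
    """Pivot by subject: each row lists what that subject may do to each object."""
    caps = defaultdict(lambda: defaultdict(set))
    for subj, obj, right in cells:
        caps[subj][obj].add(right)
    return {s: dict(o) for s, o in caps.items()}


def access_control_lists(cells):
    """Pivot by object: each column lists which subjects may do what to that object."""
    acl = defaultdict(lambda: defaultdict(set))
    for subj, obj, right in cells:
        acl[obj][subj].add(right)
    return {o: dict(s) for o, s in acl.items()}


def is_authorized(cells, subject, obj, right):
    """Reference-monitor style lookup: deny unless a matching cell exists."""
    return (subject, obj, right) in set(cells)
```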
Bell-LaPadula model
Three basic properties of this state machine
Simple Security Property (ss-property)
A subject may not read information at a higher sensitivity level (no read-up)
*-Property (star-property)
A subject may not write information to an object at a lower sensitivity level (no write-down)
Similar to pasting a top-secret memo into an unclassified document file
Discretionary Security Property
The system uses an access matrix to enforce discretionary access control
Model built on...
state machine concept
information flow model
Mandatory Access Control (MAC)
lattice-based access control concept
Subjects can access only those objects that fall into the range between the least upper bound (LUB) and the greatest lower bound (GLB) of the labels or classifications for their lattice position
The lattice tiers are the classification levels defined by the organization's security policy
Objective: protect data confidentiality
Biba model
Objective: protect data integrity
Model built on...
state machine concept
information flow model
Mandatory Access Control (MAC)
lattice-based access control concept
The lattice tiers are the classification levels defined by the organization's security policy
Subjects can access only those objects that fall into the range between the least upper bound (LUB) and the greatest lower bound (GLB) of the labels or classifications for their lattice position
Three basic properties of this state machine
*-Property (star-property)
A subject cannot modify an object at a higher integrity level (no write-up)
Invocation Property
A subject cannot invoke (request service from) a subject at a higher integrity level; it may invoke only subjects at an equal or lower level
Simple Integrity Property (si-property)
A subject cannot read an object at a lower integrity level (no read-down)
When integrity is important, you don't want invalidated data read into validated documents.
Drawbacks
Dependent on data classification
Addresses only integrity, not confidentiality or availability
Focuses on protecting objects from external threats; assumes that internal threats are handled programmatically
Does not address access control management and does not provide a way to change an object or subject classification
Does not prevent covert channels
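An added example (not part of the original diagram) covering both the Bell-LaPadula and Biba sections above: labels are (level, categories) points in a lattice, LUB/GLB are computed on them, and the two models' properties are evaluated as dominance checks. Level names and categories are constructed sample data.

```python
LEVELS = ["unclassified", "confidential", "secret", "top-secret"]  # constructed tiers


class Label:
    """A lattice position: a classification level plus a set of categories."""

    def __init__(self, level, categories=()):
        self.level = LEVELS.index(level) if isinstance(level, str) else level
        self.categories = frozenset(categories)

    def dominates(self, other):
        # a >= b in the lattice: higher-or-equal level AND a superset of categories
        return self.level >= other.level and self.categories >= other.categories

    def __eq__(self, other):
        return (self.level, self.categories) == (other.level, other.categories)


def lub(a, b):
    """Least upper bound: the highest level and the union of categories."""
    return Label(max(a.level, b.level), a.categories | b.categories)


def glb(a, b):
    """Greatest lower bound: the lowest level and the intersection of categories."""
    return Label(min(a.level, b.level), a.categories & b.categories)


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): no read-up, no write-down."""
    if op == "read":    # ss-property: subject must dominate the object
        return subject.dominates(obj)
    if op == "write":   # *-property: object must dominate the subject
        return obj.dominates(subject)
    raise ValueError(op)


def biba_allows(subject, obj, op):
    """Biba (integrity): no read-down, no write-up, no invoke-up."""
    if op == "read":                # si-property: object must dominate the subject
        return obj.dominates(subject)
    if op in ("write", "invoke"):   # *-property and invocation property
        return subject.dominates(obj)
    raise ValueError(op)
```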
Clark-Wilson model
Goal: enforcing data integrity
Use of a three-part relationship of subject/program/object known as a triple or an access control triplet.
Two principles
Well-formed transactions
A subject is able to access objects only by using a program, interface, or access portal
Separation of duties
Each program has specific limitations on what it can and cannot do to an object (such as a database or other resource)
Items and procedures
Constrained Data Item (CDI)
Any data item whose integrity is protected by the security model
Unconstrained Data Item (UDI)
Any data item that is not controlled by the security model.
Integrity Verification Procedure (IVP)
A procedure that scans data items and confirms their integrity
Transformation Procedures (TPs)
The only procedures that are allowed to modify a CDI. The limited access to CDIs through TPs forms the backbone of the Clark-Wilson integrity model
Uses security labels to grant access to objects, but only through transformation procedures and a restricted interface model that applies classification-based restrictions to offer only the information and functions authorized for that subject.
Brewer and Nash model
Goal: permit access controls to change dynamically based on a user's previous activity
Defines which security domains are potentially in conflict and prevents any subject with access to one domain in a given conflict class from accessing any other domain in the same conflict class.
Known as the "ethical wall" or "cone of silence"
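An added example (not part of the original diagram) of the dynamic Brewer and Nash check: a user's access history is recorded, and a request is refused when the user has already touched a different dataset in the same conflict class. Conflict classes and dataset names are constructed sample data.

```python
# Constructed conflict classes: datasets in one set compete with each other.
CONFLICT_CLASSES = [
    {"bank_a", "bank_b"},           # two competing banks
    {"oil_x", "oil_y", "oil_z"},    # three competing oil companies
]


class EthicalWall:
    """Brewer and Nash enforcement: decisions depend on what the user did before."""

    def __init__(self, conflict_classes):
        self.conflict_classes = [frozenset(c) for c in conflict_classes]
        self.history = {}   # user -> set of datasets already accessed

    def conflict_class_of(self, dataset):
        for cls in self.conflict_classes:
            if dataset in cls:
                return cls
        return frozenset()  # not in any conflict class: never conflicts

    def may_access(self, user, dataset):
        """Allowed unless the user already accessed another member of the same class."""
        cls = self.conflict_class_of(dataset)
        for seen in self.history.get(user, set()):
            if seen != dataset and seen in cls:
                return False
        return True

    def access(self, user, dataset):
        """Check the request and, if granted, record it so later checks see it."""
        if not self.may_access(user, dataset):
            return False
        self.history.setdefault(user, set()).add(dataset)
        return True
```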
Composition theories
Explain how outputs from one system relate to inputs to another system
Cascading: input for one system comes from the output of another system
Feedback: One system provides input to another system, which reciprocates by reversing those roles (so that system A first provides input to system B and then system B provides input to system A)
Hookup: one system sends input to another system but also sends input to external entities