
Security Models and Techniques

Overview

• Basic concepts
• The Models
– Bell-LaPadula (BLP)
– Biba
– Clark-Wilson
– Chinese Wall
• Systems Evaluation

Basic Concepts

Terminology

• Trusted Computing Base (TCB) – combination of protection mechanisms within a computer system
• Subjects / Objects
– Subjects are active (e.g., users / programs)
– Objects are passive (e.g., files)
• Reference Monitor – abstract machine that
mediates subject access to objects
• Security Kernel – core element of TCB that
enforces the reference monitor’s security policy

Access Control Models

• Frameworks that dictate how subjects access objects
• Three Main Types
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)

Discretionary Access Control

• Allows the owner of the resource to specify which subjects can access which resources
• Access control is at the discretion of the owner
• DAC defines an access control policy
– That restricts access to files and other system resources based on identity
• DAC can be implemented through Access Control Lists (ACLs)

Access Control Matrix

• Access Control Lists (ACLs)
– Specifies the list of subjects that are authorized to access a specific object
• Capability Lists
– Specifies the access rights a certain subject possesses pertaining to specific objects

Access Control Matrix
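The two views of the same matrix, as an added example in Python (not code from the slides). The subjects, objects and rights are constructed for illustration: an ACL is one column of the matrix, a capability list is one row, and the DAC rule is that only the cell holding "own" may extend rights on that object.

```python
from typing import Dict, Set, Tuple

# Constructed sample data for this example; the subjects, objects and
# rights below are illustrative and not taken from the slides.
Matrix = Dict[Tuple[str, str], Set[str]]

def sample_matrix() -> Matrix:
    """Access control matrix stored sparsely: (subject, object) -> set of rights.
    'own' marks the resource owner, which is whom DAC delegates decisions to."""
    return {
        ("alice", "payroll.xlsx"): {"read", "write", "own"},
        ("bob",   "payroll.xlsx"): {"read"},
        ("bob",   "notes.txt"):    {"read", "write", "own"},
        ("carol", "notes.txt"):    {"read"},
    }

def acl(matrix: Matrix, obj: str) -> Dict[str, list]:
    """Column view of the matrix: the ACL of one object, i.e. which subjects
    are authorized to access it and with which rights."""
    return {s: sorted(r) for (s, o), r in matrix.items() if o == obj}

def capability_list(matrix: Matrix, subject: str) -> Dict[str, list]:
    """Row view of the matrix: the capability list of one subject, i.e. the
    access rights it holds on each object."""
    return {o: sorted(r) for (s, o), r in matrix.items() if s == subject}

def check(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor style decision: is `right` in the (subject, object) cell?"""
    return right in matrix.get((subject, obj), set())

def dac_grant(matrix: Matrix, granter: str, grantee: str, obj: str, right: str) -> None:
    """Discretionary grant: only the owner of `obj` may extend rights on it.
    Anyone else attempting to do so is refused and the matrix is left unchanged."""
    if not check(matrix, granter, obj, "own"):
        raise PermissionError(f"{granter} does not own {obj} and cannot grant {right}")
    matrix.setdefault((grantee, obj), set()).add(right)
```

Because both views are derived from one matrix, a grant made through `dac_grant` shows up in the object's ACL and in the grantee's capability list at the same time; a real system that stores ACLs and capabilities separately has to keep the two consistent itself.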
Mandatory Access Control

• Based on security label system
• Users given security clearance and data is classified
• Used where confidentiality is of utmost importance
• MAC is considered a policy based control
• Every object and subject is given a sensitivity label
– Classification level
• Secret, Top secret, Confidential, etc.
– Category
• Information warfare, Treasury, UN, etc.

Mandatory Access Control

Subject            Classification level   Category
Umair              Secret                 Finance
Tayyeb             Secret                 HR

Object             Classification level   Category
Finance records    Secret                 Finance
Employee records   Secret                 HR

Role Based Access Control

• Uses centrally administered set of controls to determine how subjects and objects interact
• Decisions based on the functions that a user is allowed to perform within an organization
• An advantage of role based access controls is the ease of administration
• Capability tables are sometimes seen in conjunction with role-based access controls
• Best for high-turnover organizations

Information Flow Models

• Pour cement over a PC and you have a secure system
• In reality, there are state transitions
• Key is to ensure transitions are secure
• Models provide rules for how information flows from state to
state.
• Information flow models do not address covert channels
– Trojan horses
– Requesting system resources to learn about other users

Models

• Bell-LaPadula
• Biba
• Clark-Wilson
• Chinese Wall

Good brief summary on Harris p.247

Bell-LaPadula (BLP) Model

• BLP is a formal (mathematical) description of mandatory access control
• Three properties:
– ds-property (discretionary security)
– ss-property (simple security – no “read up”)
– *-property (star property – no “write down”)
• A secure system satisfies all of these properties
• BLP includes mathematical proof that if a system is secure
and a transition satisfies all of the properties, then the system
will remain secure.
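The three BLP properties evaluated over the MAC label table from the earlier slide, as an added example in Python (not code from the slides). Labels are (classification level, set of categories); the subjects "Auditor" and "Intern", the discretionary matrix and the `state_secure` check are constructed additions used to exercise the no-read-up and no-write-down cases that the two slide subjects alone do not reach.

```python
from typing import Dict, Set, Tuple

# Added example, not code from the slides. Labels are (classification level,
# set of categories); Umair/Tayyeb and the two objects come from the slide's
# MAC table, "Auditor" and "Intern" are constructed for this example.
Label = Tuple[str, Set[str]]

LEVELS = {"Confidential": 1, "Secret": 2, "Top secret": 3}

SUBJECTS: Dict[str, Label] = {
    "Umair":   ("Secret", {"Finance"}),
    "Tayyeb":  ("Secret", {"HR"}),
    "Auditor": ("Top secret", {"Finance", "HR"}),   # constructed
    "Intern":  ("Confidential", set()),              # constructed
}
OBJECTS: Dict[str, Label] = {
    "Finance records":  ("Secret", {"Finance"}),
    "Employee records": ("Secret", {"HR"}),
}

def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a holds every category
    of b. This is the ordering both MAC properties are stated over."""
    (level_a, cats_a), (level_b, cats_b) = a, b
    return LEVELS[level_a] >= LEVELS[level_b] and cats_b <= cats_a

def ss_property(subject: str, obj: str) -> bool:
    """Simple security: read only objects the subject's label dominates (no read up)."""
    return dominates(SUBJECTS[subject], OBJECTS[obj])

def star_property(subject: str, obj: str) -> bool:
    """*-property: write only objects whose label dominates the subject's (no write down)."""
    return dominates(OBJECTS[obj], SUBJECTS[subject])

# ds-property: the discretionary matrix must also permit the access.
# Constructed: Tayyeb is cleared for HR but has only been granted read.
DS_MATRIX: Dict[Tuple[str, str], Set[str]] = {
    ("Umair", "Finance records"):    {"read", "write"},
    ("Tayyeb", "Employee records"):  {"read"},
    ("Intern", "Finance records"):   {"write"},
    ("Auditor", "Finance records"):  {"read"},
    ("Auditor", "Employee records"): {"read"},
}

def ds_property(subject: str, obj: str, mode: str) -> bool:
    return mode in DS_MATRIX.get((subject, obj), set())

def allowed(subject: str, obj: str, mode: str) -> bool:
    """One access is permitted only if the MAC property for its mode and the
    discretionary property both hold."""
    mac_ok = ss_property(subject, obj) if mode == "read" else star_property(subject, obj)
    return mac_ok and ds_property(subject, obj, mode)

def state_secure(current_accesses: Set[Tuple[str, str, str]]) -> bool:
    """A state is secure when every access in progress satisfies all properties.
    BLP's theorem is that a secure initial state plus transitions that each pass
    `allowed` can never reach an insecure state; this checks one state of it."""
    return all(allowed(s, o, m) for s, o, m in current_accesses)
```

Note that the Intern, cleared only to Confidential, may write into the Secret Finance records (writing up is not forbidden by either property) yet may not read them back; that asymmetry is what makes the *-property a confidentiality rule rather than an integrity one, which is the point the Biba slides pick up.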

Bell-LaPadula Model (Continued)

• Honeywell Multics kernel was only true implementation of BLP, but it never took hold
• DOD information security requirements currently
achieved via discretionary access control and
segregation of systems rather than BLP-compliant
computers

Biba Model

• Similar to BLP but focus is on integrity, not confidentiality
• Result is to turn the BLP model upside down
– High integrity subjects cannot read lower integrity objects (no “read down”)
– Subjects cannot move low integrity data to high-integrity environment (no “write up”)
• McLean notes that ability to flip models essentially
renders their assurance properties useless
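The two Biba rules on a small constructed system, as an added example in Python (not code from the slides). The integrity levels, subjects and objects are assumptions chosen to show the inversion: `information_flows` enumerates every object-to-object path a subject could create by reading one object and writing another, and `never_flows_up` checks that none of them carries data from lower to higher integrity.

```python
from itertools import product
from typing import Dict, Set, Tuple

# Added example, not from the slides. Integrity levels and the subjects and
# objects below are constructed to illustrate the "upside down" rules.
INTEGRITY = {"low": 0, "medium": 1, "high": 2}

SUBJECTS: Dict[str, str] = {"system_updater": "high", "browser": "low"}
OBJECTS: Dict[str, str] = {
    "kernel_image": "high",
    "user_doc": "medium",
    "downloaded_file": "low",
}

def biba_can_read(subject: str, obj: str) -> bool:
    """No read down: a subject may read only objects at or above its own
    integrity, so high-integrity code is never fed low-integrity input."""
    return INTEGRITY[OBJECTS[obj]] >= INTEGRITY[SUBJECTS[subject]]

def biba_can_write(subject: str, obj: str) -> bool:
    """No write up: a subject may write only objects at or below its own
    integrity, so low-integrity data never lands in a high-integrity object."""
    return INTEGRITY[SUBJECTS[subject]] >= INTEGRITY[OBJECTS[obj]]

def information_flows() -> Set[Tuple[str, str]]:
    """Every (source object, destination object) pair through which some subject
    could move data by reading the source and then writing the destination."""
    flows = set()
    for subject in SUBJECTS:
        readable = [o for o in OBJECTS if biba_can_read(subject, o)]
        writable = [o for o in OBJECTS if biba_can_write(subject, o)]
        flows.update(product(readable, writable))
    return flows

def never_flows_up() -> bool:
    """The model's invariant on this system: information only ever moves from
    an object of higher (or equal) integrity to one of lower integrity."""
    return all(INTEGRITY[OBJECTS[src]] >= INTEGRITY[OBJECTS[dst]]
               for src, dst in information_flows())
```

Swapping the two comparison directions turns these functions into the BLP read and write checks from the previous slides, which is exactly the flip the slide refers to: the lattice and the checks are the same, only the meaning attached to the direction of flow changes.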

Clark-Wilson Model

• Reviews distinction between military and commercial policy
– Military policy focuses on confidentiality
– Commercial policy focuses on integrity
• Mandatory commercial controls typically involve
who gets to do what type of transaction rather than
who sees what (Example: cut a check above a
certain dollar amount)

Clark-Wilson Model (Continued)

• Two types of objects:
– Constrained Data Items (CDIs)
– Unconstrained Data Items (UDIs)
• Two types of transactions on CDIs in model
– Integrity Verification Procedures (IVPs)
– Transformation Procedures (TPs)
• IVPs certify that TPs on CDIs result in valid state
• All TPs must be certified to result in valid transformation

Clark-Wilson Model (Continued)

• System maintains list of valid relations of the form: {UserID, TP, CDI/UDI}
• Only permitted manipulation of CDI is via an authorized TP
• If a TP takes a UDI as an input, then it must result in a proper
CDI or the TP will be rejected
• Additional requirements
– Auditing: TPs must write to an append-only CDI (log)
– Separation of duties
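The Clark-Wilson pieces from the last three slides put together in Python, as an added example (not code from the slides). The ledger, the certified relation triples, the transfer limit and the user names are constructed assumptions: the ledger and its log are the CDIs, `run_tp` is the only path to them, `ivp` replays the append-only log to verify the state, `tp_parse_amount` turns a UDI into a valid value or rejects it, and a transfer at or above `LARGE_TRANSFER` needs a second, distinct certified user as the separation-of-duties rule.

```python
import copy
from typing import Any, Callable, Dict, List, Optional

# Added example; all data below is constructed, not from the deck.
INITIAL_BALANCES = {"ops": 1000, "payroll": 500}
LARGE_TRANSFER = 600   # at or above this a second, distinct approver is required

class Ledger:
    """The CDI. `log` is a second CDI that is only ever appended to by run_tp."""
    def __init__(self) -> None:
        self.balances: Dict[str, int] = dict(INITIAL_BALANCES)
        self.log: List[Dict[str, Any]] = []

# Certified relations of the form {UserID, TP, CDI}.
RELATIONS = {
    ("teller", "transfer", "ledger"),
    ("supervisor", "transfer", "ledger"),
    ("clerk", "parse_amount", "ledger"),
}

def ivp(ledger: Ledger) -> bool:
    """Integrity Verification Procedure: no negative balance, and the balances
    equal what replaying the append-only log from the initial state produces."""
    replay = dict(INITIAL_BALANCES)
    for entry in ledger.log:
        if entry["tp"] == "transfer":
            replay[entry["src"]] -= entry["amount"]
            replay[entry["dst"]] += entry["amount"]
    return replay == ledger.balances and all(v >= 0 for v in ledger.balances.values())

def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> int:
    """TP on the CDI. It does not check balances itself; the IVP run afterwards does."""
    if src not in ledger.balances or dst not in ledger.balances:
        raise ValueError("unknown account")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount
    return amount

def tp_parse_amount(ledger: Ledger, raw: str) -> int:
    """TP that takes a UDI (an untrusted string) and either yields a well-formed
    amount or rejects the input, as the model requires for UDI inputs."""
    if not raw.isdigit() or int(raw) == 0:
        raise ValueError(f"rejected UDI {raw!r}")
    return int(raw)

TPS: Dict[str, Callable[..., int]] = {"transfer": tp_transfer, "parse_amount": tp_parse_amount}

def run_tp(user: str, tp: str, ledger: Ledger, approver: Optional[str] = None, **args: Any) -> int:
    """The only path to the CDI: check the certified relation, enforce separation
    of duties, run the TP on a copy, verify with the IVP, then commit and log."""
    if (user, tp, "ledger") not in RELATIONS:
        raise PermissionError(f"{user} is not certified to run {tp} on the ledger")
    if tp == "transfer" and args["amount"] >= LARGE_TRANSFER:
        if approver in (None, user) or (approver, tp, "ledger") not in RELATIONS:
            raise PermissionError("large transfer needs a distinct certified approver")
    trial = copy.deepcopy(ledger)
    result = TPS[tp](trial, **args)
    trial.log.append({"tp": tp, "user": user, "approver": approver, **args})
    if not ivp(trial):
        raise ValueError(f"{tp} would leave the CDI in an invalid state; rejected")
    ledger.balances, ledger.log = trial.balances, trial.log   # commit atomically
    return result

def rejects(exc: type, fn: Callable, *a: Any, **kw: Any) -> bool:
    """True if fn(*a, **kw) raises exc; used to confirm that bad requests are refused."""
    try:
        fn(*a, **kw)
    except exc:
        return True
    return False
```

Running the TP on a copy and committing only after the IVP passes is what keeps a rejected transformation from leaving a half-applied change in the CDI; the replayed log also means that any edit made to the balances outside `run_tp` is caught the next time the IVP runs.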

Clark-Wilson versus Biba

• In Biba’s model, UDI to CDI conversion is performed by a trusted subject only (e.g., a security officer), but this is problematic for the data entry function.
• In Clark-Wilson, TPs are specified for particular users and functions. Biba’s model does not offer this level of granularity.

Chinese Wall

Focus is on conflicts of interest.
• Principle: Users should not access the confidential
information of both a client organization and one or more of
its competitors.
• How it works
– Users have no “wall” initially.
– Once any given file is accessed, files with competitor
information become inaccessible.
– Unlike other models, access control rules change with
user behavior
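The history-dependent rule, as an added example in Python (not code from the slides). The conflict-of-interest classes and the user names are constructed assumptions: each user starts with no wall, the first access to a company's data is recorded, and from then on every other company in the same class is closed to that user, so `wall` returns a different answer after each access.

```python
from collections import defaultdict
from typing import Dict, Set

# Added example, not from the slides. Conflict-of-interest classes and users
# are constructed; each class groups the competitors of one market.
COI_CLASSES: Dict[str, Set[str]] = {
    "banks": {"BankA", "BankB"},
    "oil":   {"OilX", "OilY"},
}

def coi_class(company: str) -> str:
    """Name of the conflict-of-interest class a company belongs to."""
    for name, members in COI_CLASSES.items():
        if company in members:
            return name
    raise KeyError(f"{company} is not in any conflict-of-interest class")

class ChineseWall:
    """Access decisions depend on the user's own history, not on a fixed label."""
    def __init__(self) -> None:
        self.history: Dict[str, Set[str]] = defaultdict(set)

    def can_access(self, user: str, company: str) -> bool:
        """Allowed if the user already works on this company, or has touched
        no competitor (no other member of the same class)."""
        seen = self.history[user]
        if company in seen:
            return True
        cls = coi_class(company)
        return not any(coi_class(c) == cls for c in seen)

    def access(self, user: str, company: str) -> None:
        """Mediate the access and record it; this is the step that raises the wall."""
        if not self.can_access(user, company):
            raise PermissionError(f"{user} already holds a competitor of {company}")
        self.history[user].add(company)

    def wall(self, user: str) -> Set[str]:
        """Companies now closed to the user because of earlier accesses."""
        return {c for members in COI_CLASSES.values() for c in members
                if not self.can_access(user, c)}
```

Since the decision is a function of the history, the history itself has to be protected as carefully as the data: a user who could clear their own record would be able to walk through the wall.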
