The main security models are: lattice, state machine, research, Bell-LaPadula (BLP), Biba, Clark-Wilson, access control matrix, information flow models, Graham-Denning, Harrison-Ruzzo-Ullman and Brewer-Nash (Chinese Wall).
* Lattice
- one-way information flow
- confidentiality and integrity
- security labels on all objects
- this model is used by Bell-LaPadula, Biba and Chinese Wall
* State machine
- The policy defines the points at which the secure state can change.
- Checks whether the current state is a secure state.
- Checks the state of the automated information system (AIS).
- Goes from one secure state to another secure state.
* Non-interference models
- a research model
- the inputs (high-level actions) don't determine what the outputs (low-level actions) can see.
- Restricted flows between inputs and outputs.
- Activities are separated into security levels to reduce leaks.
- A higher security level cannot interfere with a lower level.
- A lower level cannot get any information from a higher level.
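The purge test is the usual way to make the non-interference bullets above concrete: a machine is non-interfering if the low-level view of any input sequence is the same as the low-level view of that sequence with every high-level action removed. The following is an added example, not from the original notes: two constructed toy state machines with the same command alphabet, one of which lets a high-level secret influence a low-level counter, and an exhaustive checker over short traces that finds the leak.

```python
from itertools import product

HIGH, LOW = "high", "low"

# Constructed command alphabet: (security level of the action, command name).
COMMANDS = [(HIGH, "h_set"), (HIGH, "h_clear"), (LOW, "l_inc"), (LOW, "l_read")]


def run_leaky(trace):
    """Toy machine where the LOW-observable counter depends on a HIGH secret."""
    secret, counter, low_view = 0, 0, []
    for _level, cmd in trace:
        if cmd == "h_set":
            secret = 1
        elif cmd == "h_clear":
            secret = 0
        elif cmd == "l_inc":
            counter += 1 + secret  # deliberate flaw: high state leaks into low state
        elif cmd == "l_read":
            low_view.append(counter)
    return tuple(low_view)


def run_clean(trace):
    """Same interface, but the LOW part of the state never reads HIGH state."""
    secret, counter, low_view = 0, 0, []
    for _level, cmd in trace:
        if cmd == "h_set":
            secret = 1
        elif cmd == "h_clear":
            secret = 0
        elif cmd == "l_inc":
            counter += 1
        elif cmd == "l_read":
            low_view.append(counter)
    return tuple(low_view)


def purge(trace, level=HIGH):
    """Remove every command issued at the given level from the trace."""
    return [step for step in trace if step[0] != level]


def is_noninterfering(run, max_len=4):
    """Exhaustive check: for every trace up to max_len, the LOW view of the
    full trace must equal the LOW view of the trace with HIGH commands purged.
    Returns (True, None) or (False, counterexample_trace)."""
    for n in range(max_len + 1):
        for trace in product(COMMANDS, repeat=n):
            trace = list(trace)
            if run(trace) != run(purge(trace)):
                return False, trace
    return True, None


if __name__ == "__main__":
    print("clean:", is_noninterfering(run_clean))
    print("leaky:", is_noninterfering(run_leaky))
```

The checker is brute force and only works for tiny machines, but it shows the property as a testable statement rather than a slogan: the counterexample it returns for `run_leaky` is a trace where a high-level `h_set` changes what a low-level `l_read` observes.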
* Information flow models
- research model
- labeled with security classes
- information can flow upward or at the same level if allowed.
- similar to BLP
* Bell-LaPadula model (BLP)
- Confidentiality model
- Described in the Orange Book (TCSEC)
- Is a state machine
- Mandatory access control
- The MAC is based on labeling both objects (with classifications) and subjects (with their clearances).
- The system (reference monitor) only allows access if the clearance is equal to or higher than the classification.
- Uses a lattice and a matrix.
- simple security property -> read down (no read up) -> a subject of lower clearance cannot read an object of higher classification.
- * (star) property -> write/append up (no write down) -> a high-level subject cannot send messages to a lower-level object.
* Biba
- Integrity model
- complement to BLP
- simple integrity -> a subject has read access to an object only if subject level <= object level (no read down)
(absurd but true)
- the integrity * property -> a subject has write access to an object only if subject level >= object level (no write up)
- no information from a subject can be passed on to an object at a higher security level.
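The lattice, state machine, BLP and Biba sections above all reduce to one comparison on labels, so the following added example (not from the original notes) puts them together: a label is a level plus a category set, which forms a lattice under "dominates"; `blp_allows` and `biba_allows` are the four read/write rules written as that comparison; and `BlpState` is the state-machine view, where a reference monitor only admits transitions that keep every current access secure. Level numbers, names and the sample subjects and documents are constructed.

```python
from dataclasses import dataclass, field

# Constructed classification / integrity scale: a higher number dominates a lower one.
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3


@dataclass(frozen=True)
class Label:
    """Lattice element: a level plus a set of categories (need-to-know)."""
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: level at least as high and categories a superset."""
        return self.level >= other.level and self.categories >= other.categories


def blp_allows(clearance, classification, mode):
    """Bell-LaPadula: simple security = no read up; *-property = no write down."""
    if mode == "read":
        return clearance.dominates(classification)
    if mode == "write":
        return classification.dominates(clearance)
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject_integrity, object_integrity, mode):
    """Biba: simple integrity = no read down; integrity *-property = no write up."""
    if mode == "read":
        return object_integrity.dominates(subject_integrity)
    if mode == "write":
        return subject_integrity.dominates(object_integrity)
    raise ValueError(f"unknown mode {mode!r}")


@dataclass
class BlpState:
    """State-machine view of BLP: subjects' clearances, objects' classifications
    and the set of currently granted (subject, object, mode) accesses."""
    clearances: dict
    classifications: dict
    accesses: set = field(default_factory=set)

    def is_secure(self):
        """A state is secure when every current access satisfies both properties."""
        return all(blp_allows(self.clearances[s], self.classifications[o], m)
                   for s, o, m in self.accesses)

    def request(self, subject, obj, mode):
        """Reference monitor: grant only transitions that keep the state secure."""
        if not blp_allows(self.clearances[subject], self.classifications[obj], mode):
            return False
        self.accesses.add((subject, obj, mode))
        return self.is_secure()


def demo():
    """Constructed scenario exercising read up, write up and write down."""
    state = BlpState(
        clearances={"analyst": Label(SECRET, frozenset({"crypto"})),
                    "clerk": Label(CONFIDENTIAL)},
        classifications={"key_report": Label(TOP_SECRET, frozenset({"crypto"})),
                         "memo": Label(CONFIDENTIAL),
                         "bulletin": Label(UNCLASSIFIED)},
    )
    results = {
        "analyst reads key_report": state.request("analyst", "key_report", "read"),    # no read up
        "analyst writes key_report": state.request("analyst", "key_report", "write"),  # write up is fine
        "analyst writes bulletin": state.request("analyst", "bulletin", "write"),      # no write down
        "clerk reads memo": state.request("clerk", "memo", "read"),                    # equal labels
    }
    return state, results
```

Reading `biba_allows` next to `blp_allows` makes the "complement" bullet literal: the two models apply the same dominance test with the direction swapped, which is also why the Biba read rule looks backwards at first sight.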
* Clark-Wilson
- Integrity by controlling changes
- Suitable for transaction systems
- CORBA is based on Clark-Wilson; it creates relations between objects.
- no changes by unauthorized subjects, no unauthorized changes by authorized subjects.
- subject-program-object binding.
- subject authentication and identification
- only a set of programs can access objects
- users can run only a set of programs
- External consistency -> the system does what it is expected to do.
- Internal consistency -> the data is consistent and matches the real world.
- CDI -> constrained data item -> integrity protected.
- UDI -> unconstrained data item -> data not controlled by Clark-Wilson.
- IVP -> integrity verification procedure -> a procedure that scans data and confirms its integrity.
- Transformation procedures (TPs) -> the only procedures allowed to change a constrained data item.
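The Clark-Wilson bullets above name four pieces (CDI, UDI, IVP, TP) plus the subject-program-object binding; the following added example (not from the original notes) shows how they fit together in a constructed ledger. Balances are the CDIs, a raw deposit string is a UDI that only a certified TP may turn into a CDI change, the IVP is the invariant checked after every TP, and the access triples decide which subject may run which TP on which CDI. Class and function names are my own.

```python
from copy import deepcopy


class IntegrityError(Exception):
    """Raised when a request would violate the Clark-Wilson rules."""


class ClarkWilsonLedger:
    def __init__(self, initial_cdis):
        self.cdis = dict(initial_cdis)  # constrained data items: name -> balance
        self.tps = {}                   # certified transformation procedures
        self.triples = set()            # (subject, tp_name, cdi_name) access bindings
        self.log = []                   # audit trail of every TP invocation
        if not self.ivp():
            raise IntegrityError("initial state fails the IVP")

    def ivp(self):
        """Integrity verification procedure: every CDI is a non-negative integer."""
        return all(isinstance(v, int) and v >= 0 for v in self.cdis.values())

    def certify_tp(self, name, fn):
        """Only certified TPs may ever touch a CDI."""
        self.tps[name] = fn

    def authorize(self, subject, tp_name, cdi_name):
        """Subject-program-object binding: who may run which TP on which CDI."""
        self.triples.add((subject, tp_name, cdi_name))

    def run_tp(self, subject, tp_name, cdi_names, *args):
        """Enforcement: check the triples, run the TP, re-verify, roll back on failure."""
        if tp_name not in self.tps:
            raise IntegrityError(f"{tp_name} is not a certified TP")
        for cdi in cdi_names:
            if (subject, tp_name, cdi) not in self.triples:
                raise IntegrityError(f"{subject} may not run {tp_name} on {cdi}")
        snapshot = deepcopy(self.cdis)
        try:
            self.tps[tp_name](self.cdis, *cdi_names, *args)
            if not self.ivp():
                raise IntegrityError("IVP failed after TP")
        except Exception:
            self.cdis = snapshot  # TPs are atomic: return to the last valid state
            self.log.append((subject, tp_name, tuple(cdi_names), "rolled back"))
            raise
        self.log.append((subject, tp_name, tuple(cdi_names), "ok"))


def transfer(cdis, src, dst, amount):
    """Certified TP: move amount between two CDIs, conserving the total."""
    if not isinstance(amount, int) or amount <= 0 or cdis[src] < amount:
        raise IntegrityError("invalid transfer")
    cdis[src] -= amount
    cdis[dst] += amount


def deposit_from_udi(cdis, dst, raw_input):
    """Certified TP that validates a UDI (untrusted string) before it touches a CDI."""
    if not isinstance(raw_input, str) or not raw_input.isdigit():
        raise IntegrityError("UDI rejected")
    cdis[dst] += int(raw_input)


def demo():
    ledger = ClarkWilsonLedger({"alice": 100, "bob": 50})   # constructed balances
    ledger.certify_tp("transfer", transfer)
    ledger.certify_tp("deposit", deposit_from_udi)
    for cdi in ("alice", "bob"):
        ledger.authorize("teller", "transfer", cdi)
    ledger.authorize("teller", "deposit", "bob")
    ledger.run_tp("teller", "transfer", ["alice", "bob"], 30)
    ledger.run_tp("teller", "deposit", ["bob"], "25")
    return ledger
```

Note where the two goals land in the code: "no changes by unauthorized subjects" is the triple check before the TP runs, and "no unauthorized changes by authorized subjects" is the certification of the TP itself plus the IVP and rollback after it.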
* Access control matrix
- Users, groups and roles down the left-hand side.
- All the resources and functions across the top.
- Subjects are listed in rows.
- Objects are listed in columns.
- set of objects, set of subjects, set of rights.
* Graham-Denning
- subjects have a process and a domain
- Eight primitive protection rights:
1. Create object
2. Create subject
3. Delete object
4. Delete subject
5. Read access right
6. Grant access right
7. Delete access right
8. Transfer access right
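The access control matrix and the eight Graham-Denning primitives above are one data structure and the eight operations defined on it, so the following added example (not from the original notes) implements both: rows are subjects, columns are objects, a cell is a set of rights, every subject is also an object so that the "owner" and "control" rights over subjects live in the same matrix, and a right with a trailing `*` is the copyable form that the transfer primitive requires. The rule for each primitive (who must hold owner or control) follows the usual textbook statement of Graham-Denning; the root subject and the payroll scenario are constructed.

```python
class GDError(Exception):
    """Raised when a primitive is attempted without the required right."""


class AccessMatrix:
    """Subjects are rows, objects are columns, each cell holds a set of rights.
    Every subject is also an object so that rights over subjects (owner,
    control) can be stored in the same matrix."""

    def __init__(self, root):
        self.subjects, self.objects, self.cells = {root}, {root}, {}
        self._add(root, root, "control")

    def rights(self, s, o):
        return self.cells.get((s, o), set())

    def _add(self, s, o, r):
        self.cells.setdefault((s, o), set()).add(r)

    def _require(self, s, o, r):
        if r not in self.rights(s, o):
            raise GDError(f"{s} lacks {r} on {o}")

    # 1. create object: the creator becomes its owner
    def create_object(self, s, o):
        if o in self.objects:
            raise GDError(f"{o} already exists")
        self.objects.add(o)
        self._add(s, o, "owner")

    # 2. create subject: creator owns it, and the new subject controls itself
    def create_subject(self, s, new):
        self.create_object(s, new)
        self.subjects.add(new)
        self._add(new, new, "control")

    # 3./4. delete object / delete subject: only the owner may do it
    def delete_object(self, s, o):
        self._require(s, o, "owner")
        self.objects.discard(o)
        self.subjects.discard(o)
        self.cells = {k: v for k, v in self.cells.items() if o not in k}

    def delete_subject(self, s, victim):
        self.delete_object(s, victim)

    # 5. read access right: owner of the object or controller of the subject
    def read_access_right(self, s, subj, o):
        if "owner" in self.rights(s, o) or "control" in self.rights(s, subj):
            return set(self.rights(subj, o))
        raise GDError(f"{s} may not inspect {subj}'s rights on {o}")

    # 6. grant access right: only the owner of the object
    def grant(self, s, r, subj, o):
        self._require(s, o, "owner")
        self._add(subj, o, r)

    # 7. delete access right: owner of the object or controller of the subject
    def delete_right(self, s, r, subj, o):
        if "owner" not in self.rights(s, o) and "control" not in self.rights(s, subj):
            raise GDError(f"{s} may not revoke {r} from {subj} on {o}")
        self.rights(subj, o).discard(r)

    # 8. transfer access right: s must hold the copyable form r* on o
    def transfer(self, s, r, subj, o, copyable=False):
        self._require(s, o, r + "*")
        self._add(subj, o, r + "*" if copyable else r)


def demo():
    m = AccessMatrix("root")                        # constructed scenario
    m.create_subject("root", "alice")
    m.create_subject("root", "bob")
    m.create_object("root", "payroll")
    m.grant("root", "read*", "alice", "payroll")    # alice may read and pass read on
    m.transfer("alice", "read", "bob", "payroll")   # bob gets plain read, no copy flag
    return m
```

The difference between grant and transfer is the point of the last two primitives: grant needs ownership of the object, while transfer only needs the copyable right, so a non-owner can delegate exactly what it was given and nothing more.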
* Brewer-Nash (Chinese Wall)
- Prevents conflicts of interest.
- Access control rules change dynamically with user behavior.
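The Brewer-Nash bullets above say the rules depend on behavior; the following added example (not from the original notes) shows what that means in code. Objects belong to company datasets, datasets belong to conflict-of-interest classes, and each subject carries a history of what it has read: a read is allowed only if the dataset is sanitized, already in the history, or in a class the subject has never touched, and a write is allowed only if the write cannot carry information across the wall. The company names, classes and access trace are constructed.

```python
from collections import defaultdict


class ChineseWall:
    """Brewer-Nash: objects belong to company datasets, datasets belong to
    conflict-of-interest (COI) classes. What a subject may touch depends on
    what it has touched before."""

    def __init__(self, coi_of, sanitized=()):
        self.coi_of = dict(coi_of)           # company dataset -> COI class
        self.sanitized = set(sanitized)      # public datasets, exempt from the wall
        self.history = defaultdict(set)      # subject -> datasets already read

    def can_read(self, subject, company):
        """Simple security: allowed if the dataset is sanitized, already in the
        subject's history, or in a COI class the subject has never touched."""
        if company in self.sanitized:
            return True
        return all(seen == company or self.coi_of[seen] != self.coi_of[company]
                   for seen in self.history[subject])

    def read(self, subject, company):
        """Granting a read extends the history, which shrinks future choices."""
        if not self.can_read(subject, company):
            return False
        self.history[subject].add(company)
        return True

    def can_write(self, subject, company):
        """*-property: write only if readable and every unsanitized dataset the
        subject has read is this dataset, so nothing crosses the wall via the write."""
        if not self.can_read(subject, company):
            return False
        return all(seen == company or seen in self.sanitized
                   for seen in self.history[subject])


def demo():
    # Constructed catalogue: two banks in one COI class, two oil firms in another.
    wall = ChineseWall({"BankA": "banking", "BankB": "banking",
                        "OilX": "oil", "OilY": "oil", "Public": "none"},
                       sanitized={"Public"})
    trace = [
        ("alice", "BankA", wall.read("alice", "BankA")),    # first touch: allowed
        ("alice", "BankB", wall.read("alice", "BankB")),    # conflicts with BankA: denied
        ("alice", "OilX", wall.read("alice", "OilX")),      # different COI class: allowed
        ("alice", "Public", wall.read("alice", "Public")),  # sanitized: always allowed
        ("bob", "BankB", wall.read("bob", "BankB")),        # bob has no history: allowed
    ]
    return wall, trace
```

The same request gets different answers for alice and bob, which is the "rules change with user behavior" bullet in action; the write rule is the reason a consultant who has read two unrelated datasets can write to neither.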