
Fundamental concepts of security models

Objectives:

At the end of this episode, I will be able to:

Understand what the fundamental concepts of security models are and apply the
recommended guidance pertinent to them in your daily practice as an
information security professional.

External Resources:

Understand the fundamental concepts of security models (e.g., Biba, Star
Model, Bell-LaPadula)

================================================================================

Security Model - provides a way for the designer(s) of a system to correlate
abstract statements into a security policy that will define an explicit set of
rules allowing a computer to implement the fundamental concepts of the policy.

Types of Security Models - security models focus on defining allowed interactions
between subjects (users) and objects (assets/data) at a particular moment in time.

State Machine Model - based on the computer science definition of a Finite State
Machine (FSM), which describes the behavior of a system as it moves between one
state and another.

Its purpose is to define which actions will be permitted at any point in time to
ensure that a secure state (a point in time when things are secure) is preserved.
The role of time in a state machine model is very important. According to its
rule set, which is determined by a security policy, a model system’s secure state
can only change at distinct points in time, such as when an event occurs or a
clock triggers it. Thus, upon its initial startup, the system checks to determine
if it is in a secure state. Once the system is determined to be in a secure
state, the state machine model will ensure that every time the system is accessed,
it will be accessed only in accordance with the security policy rules. This
process will guarantee that the system will transition only from one secure
state to another secure state.
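The paragraph above describes the loop a state machine model runs: check that the initial state is secure, then refuse any transition whose target state would violate the policy. The following is an added example (not from these notes) that implements that loop in Python. The policy itself, the ALLOWED_HANDLES set and the "open"/"close" events are constructed assumptions; the secure-state predicate is whatever the security policy says it is, and here it is simply "every open handle is one the policy permits".

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed policy (assumption): the only (subject, object) handles a secure
# state may contain. In a real system this is derived from the security policy.
ALLOWED_HANDLES = {
    ("alice", "payroll.db"),
    ("alice", "public.txt"),
    ("bob", "public.txt"),
}

Event = Tuple[str, str, str]  # (kind, subject, object); kind is "open" or "close"


@dataclass(frozen=True)
class State:
    """Snapshot of the system at one instant: the set of (subject, object) handles open."""
    handles: frozenset = frozenset()


def is_secure(state: State) -> bool:
    """Secure-state predicate: every open handle is one the policy permits."""
    return all(handle in ALLOWED_HANDLES for handle in state.handles)


def transition(state: State, event: Event) -> State:
    """Pure transition function: returns the state the event would move the system to."""
    kind, subject, obj = event
    if kind == "open":
        return State(state.handles | {(subject, obj)})
    if kind == "close":
        return State(state.handles - {(subject, obj)})
    raise ValueError(f"unknown event kind {kind!r}")


def run(events: Iterable[Event], initial: State = State()) -> Tuple[State, List[Tuple[Event, str]]]:
    """Drive the machine: check the initial state, then apply events one at a time.

    A transition whose target state would be insecure is refused (the state does
    not change), so every state the machine can reach is secure by construction.
    """
    if not is_secure(initial):
        raise RuntimeError("system did not start in a secure state")
    state = initial
    log: List[Tuple[Event, str]] = []
    for event in events:
        candidate = transition(state, event)
        if is_secure(candidate):
            state = candidate
            log.append((event, "allowed"))
        else:
            log.append((event, "denied"))
    return state, log


if __name__ == "__main__":
    final_state, trace = run([
        ("open", "alice", "payroll.db"),
        ("open", "bob", "payroll.db"),   # not in the policy: refused, state unchanged
        ("close", "alice", "payroll.db"),
    ])
    for event, verdict in trace:
        print(verdict, event)
    print("final handles:", set(final_state.handles))
```

The important design point is that `transition` never mutates the current state; it produces a candidate that is only adopted after `is_secure` passes, which is exactly the "secure state to secure state" guarantee the model promises.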

Information Flow Models - focus on how information is allowed or not allowed
between individual objects. Information flow models are used to determine if
information is being properly protected throughout a given process. They may be
used to identify potential covert channels.

Matrix-based Models - An access control matrix is a two-dimensional table that
indicates the actions that subjects can perform on objects. Columns are Access
Control Lists (ACLs) tied to objects. Rows are Capability Lists tied to subjects.

Subjects    File           Scanner
Mike        Read           No Access
Wes         Read, Write    Scan
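As an added example (not part of the notes), the table above written out as a matrix in Python, with the two projections the text names: a column gives an object's ACL, a row gives a subject's capability list. Both views are derived from the same cells, which is the point of the model; the `MATRIX` values are copied from the Mike/Wes table and nothing else is assumed.

```python
from typing import Dict, Set, Tuple

Matrix = Dict[Tuple[str, str], Set[str]]  # (subject, object) -> rights in that cell

# The notes' own table written out as a matrix ("No Access" is an empty cell).
MATRIX: Matrix = {
    ("Mike", "File"): {"Read"},
    ("Mike", "Scanner"): set(),
    ("Wes", "File"): {"Read", "Write"},
    ("Wes", "Scanner"): {"Scan"},
}


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """Column view: the ACL attached to one object, subject -> rights (empty cells omitted)."""
    return {s: set(r) for (s, o), r in matrix.items() if o == obj and r}


def capability_list(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Row view: the capability list carried by one subject, object -> rights."""
    return {o: set(r) for (s, o), r in matrix.items() if s == subject and r}


def is_allowed(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check: an action is allowed only if the cell names that right.
    A missing cell (unknown subject or object) is treated as no access."""
    return right in matrix.get((subject, obj), set())


def render(matrix: Matrix) -> str:
    """Lay the matrix out in the same shape as the table in the notes."""
    subjects = sorted({s for s, _ in matrix})
    objects = sorted({o for _, o in matrix})
    width = 14
    lines = ["Subjects".ljust(width) + "".join(o.ljust(width) for o in objects)]
    for s in subjects:
        cells = []
        for o in objects:
            rights = matrix.get((s, o), set())
            cells.append((", ".join(sorted(rights)) if rights else "No Access").ljust(width))
        lines.append(s.ljust(width) + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(MATRIX))
    print("ACL for File:", acl(MATRIX, "File"))
    print("Capabilities of Mike:", capability_list(MATRIX, "Mike"))
    print("Mike may scan:", is_allowed(MATRIX, "Mike", "Scanner", "Scan"))
```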

Take-Grant Model - uses a set of rules to enforce how rights can be passed from
one subject to another or from a subject to an object.

Take rule allows a subject to take rights

Grant rule allows a subject to grant rights

Create rule allows a subject to create new rights

Remove rule allows a subject to remove rights
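The four rules above are usually drawn on a directed graph whose edges carry rights, with "t" (take) and "g" (grant) as the two special rights the take and grant rules key on. The following added example (not from the notes) implements that graph in Python and walks through all four rules. The protection state in `demo()` (alice owns a report, holds grant over bob; carol holds take over bob) is constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple


class TakeGrantGraph:
    """Directed graph: rights[(x, y)] is the set of rights node x holds over node y.
    "t" and "g" are the take and grant rights; "r" and "w" are ordinary rights."""

    def __init__(self) -> None:
        self.rights: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def holds(self, x: str, y: str, right: str) -> bool:
        return right in self.rights[(x, y)]

    def create(self, creator: str, new_node: str, rights: Set[str]) -> None:
        """Create rule: creator adds a new node and holds the given rights over it."""
        if any(new_node in edge and held for edge, held in self.rights.items()):
            raise ValueError(f"{new_node} already exists")
        self.rights[(creator, new_node)] |= set(rights)

    def take(self, x: str, y: str, z: str, right: str) -> None:
        """Take rule: x holds 't' over y and y holds `right` over z, so x takes `right` over z."""
        if not self.holds(x, y, "t"):
            raise PermissionError(f"{x} holds no take right over {y}")
        if not self.holds(y, z, right):
            raise PermissionError(f"{y} holds no {right!r} over {z}")
        self.rights[(x, z)].add(right)

    def grant(self, x: str, y: str, z: str, right: str) -> None:
        """Grant rule: x holds 'g' over y and x holds `right` over z, so x grants `right` over z to y."""
        if not self.holds(x, y, "g"):
            raise PermissionError(f"{x} holds no grant right over {y}")
        if not self.holds(x, z, right):
            raise PermissionError(f"{x} holds no {right!r} over {z}")
        self.rights[(y, z)].add(right)

    def remove(self, x: str, y: str, right: str) -> None:
        """Remove rule: x drops a right it holds over y."""
        self.rights[(x, y)].discard(right)


def demo() -> dict:
    """Constructed protection state, then one application of each rule."""
    g = TakeGrantGraph()
    g.create("alice", "report", {"r", "w"})   # create: alice owns a new report
    g.rights[("alice", "bob")].add("g")        # initial edges, assumed as given
    g.rights[("carol", "bob")].add("t")
    results = {}
    g.grant("alice", "bob", "report", "r")     # grant: alice passes read on report to bob
    results["bob_reads"] = g.holds("bob", "report", "r")
    g.take("carol", "bob", "report", "r")      # take: carol pulls bob's read right
    results["carol_reads"] = g.holds("carol", "report", "r")
    try:
        g.take("bob", "alice", "report", "w")  # bob holds no 't' over alice: refused
        results["bob_writes"] = True
    except PermissionError:
        results["bob_writes"] = g.holds("bob", "report", "w")
    g.remove("alice", "report", "w")           # remove: alice drops her own write right
    results["alice_writes"] = g.holds("alice", "report", "w")
    return results


if __name__ == "__main__":
    print(demo())
```

Note that carol never interacts with alice, yet ends up able to read the report: rights flow along take/grant paths, which is why analysis of this model is about which nodes are connected, not about who was originally given what.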

Multilevel Lattice Models - describes strict layers of subjects and objects and
defines clear rules that allow or disallow interactions between them based on
the layers they are in. Subjects are assigned security clearances that define
what layer they are assigned to and objects are classified into similar layers.
Related security labels are attached to all subjects and objects. According to
this type of model, the clearance of the subject is compared with the
classification of the data to determine access. They will also look at what the
subject is trying to do to determine whether access should be allowed.

Noninterference Models - a type of multilevel model with a high degree of
strictness. These models not only address obvious and intentional interactions
between subjects and objects, but they also deal with the effects of covert
channels that may leak information inappropriately. The goal of a noninterference
model is to help ensure that high-level actions (inputs) do not determine what
low-level users can see (outputs).

Specific Models:

1. Bell-LaPadula - CONFIDENTIALITY OF DATA !!! (only). Also, the first
mathematical model of a multilevel security policy. Built on a state machine
concept & the information flow model as well as employing Mandatory Access
Controls & a lattice. The lattice tiers form the classification levels. Three
properties of the state machine:

a. Simple Security Property - subject may not read information at a higher
sensitivity level ... NO READ UP

b. * (star) Security Property (confinement property) - subject may not write
information to an object at a lower sensitivity level ... NO WRITE DOWN

c. Discretionary Security Property - system uses an access matrix to enforce
discretionary access control

There is an exception in Bell-LaPadula that a "trusted subject" will not be
constrained by the * Security Property. A trusted subject is one that WILL NOT
cause or allow a security breaching transfer, even if it is possible. This allows
the trusted subject to violate the * property, performing a write down operation,
which they must do in order to declassify or reclassify an object.

2. Biba - INTEGRITY !!! (only). Like Bell-LaPadula, requires that all
subjects & objects have a classification label. Designed to address ONLY the
first of the three integrity issues:

Prevent modifications of objects by unauthorized subjects

Prevent unauthorized modifications of objects by authorized subjects

Protect internal and external object consistency

Properties:
a. Simple Integrity Property - subject cannot read an object at a lower
integrity level ... NO READ DOWN

b. * (star) Integrity Property - subject cannot modify an object at a higher
integrity level ... NO WRITE UP
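The Bell-LaPadula properties (simple security, * property with the trusted-subject exception, and the discretionary property) and the two Biba properties above are easiest to see side by side, because Biba is Bell-LaPadula turned upside down. The following is an added example (not from the notes) that codes both sets of rules over one lattice and then ANDs the BLP mandatory check with a DAC matrix for the discretionary property. The level names are the usual ones; their numeric ordering, the subject alice, the three objects and the DAC_MATRIX entries are constructed assumptions.

```python
from typing import Dict, Set, Tuple

# Lattice of levels: a higher number means higher sensitivity (Bell-LaPadula)
# or higher integrity (Biba). The ordering is the assumption behind everything else.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dominates(a: str, b: str) -> bool:
    """True when level a is at least as high as level b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


# --- Bell-LaPadula: confidentiality ----------------------------------------
def blp_read(subject_clearance: str, object_classification: str) -> bool:
    """Simple security property: NO READ UP (clearance must dominate the classification)."""
    return dominates(subject_clearance, object_classification)


def blp_write(subject_clearance: str, object_classification: str, trusted_subject: bool = False) -> bool:
    """* (star) property: NO WRITE DOWN (object must dominate the subject), unless trusted."""
    return trusted_subject or dominates(object_classification, subject_clearance)


# --- Biba: integrity --------------------------------------------------------
def biba_read(subject_integrity: str, object_integrity: str) -> bool:
    """Simple integrity property: NO READ DOWN (object's integrity must dominate the subject's)."""
    return dominates(object_integrity, subject_integrity)


def biba_write(subject_integrity: str, object_integrity: str) -> bool:
    """* (star) integrity property: NO WRITE UP (subject's integrity must dominate the object's)."""
    return dominates(subject_integrity, object_integrity)


# --- Discretionary security property: a DAC matrix ANDed with the lattice ---
CLEARANCE: Dict[str, str] = {"alice": "secret"}                        # constructed
CLASSIFICATION: Dict[str, str] = {                                     # constructed
    "plans.doc": "secret", "bulletin.txt": "unclassified", "nuclear.doc": "top_secret",
}
DAC_MATRIX: Dict[Tuple[str, str], Set[str]] = {                        # constructed
    ("alice", "plans.doc"): {"read", "write"},
    ("alice", "bulletin.txt"): {"read", "write"},
    ("alice", "nuclear.doc"): {"read"},
}


def blp_access(subject: str, obj: str, op: str, trusted_subject: bool = False) -> bool:
    """Full Bell-LaPadula decision: the mandatory (lattice) check AND the discretionary (matrix) check."""
    sc, oc = CLEARANCE[subject], CLASSIFICATION[obj]
    mandatory = blp_read(sc, oc) if op == "read" else blp_write(sc, oc, trusted_subject)
    discretionary = op in DAC_MATRIX.get((subject, obj), set())
    return mandatory and discretionary


def decision_table() -> Dict[Tuple[str, str], Dict[str, bool]]:
    """Every (subject level, object level) pair under both models, to show they mirror each other."""
    return {
        (s, o): {
            "blp_read": blp_read(s, o), "blp_write": blp_write(s, o),
            "biba_read": biba_read(s, o), "biba_write": biba_write(s, o),
        }
        for s in LEVELS for o in LEVELS
    }


if __name__ == "__main__":
    for (s, o), verdicts in decision_table().items():
        print(f"subject={s:13} object={o:13}", verdicts)
    print("alice writes bulletin:", blp_access("alice", "bulletin.txt", "write"))
    print("alice (trusted) writes bulletin:", blp_access("alice", "bulletin.txt", "write", trusted_subject=True))
```

Two things the table makes visible: BLP's read rule is Biba's write rule and vice versa, and the trusted-subject flag bypasses only the * property, never the discretionary matrix, so a trusted subject still needs a matrix entry to write.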

3. Clark-Wilson - INTEGRITY !!! (only). Takes a different approach than Biba,
ditching the formal state machine in favor of defining each data item and
allowing modification ONLY through a small set of programs. Uses a three part
relationship (subject | program | object) called a triple or an access control
triple. NO DIRECT ACCESS BY SUBJECTS TO OBJECTS !!! (access only allowed
through authorized programs).

Principles:

a. well-formed transactions
b. separation of duties

Items & Procedures:

a. constrained data item (CDI) - any data item protected by the model

b. unconstrained data item (UDI) - any data item not protected by the model

c. integrity verification procedure (IVP) - scanning items to ensure integrity

d. transformation procedures (TPs) - ONLY procedures allowed to modify a CDI

Improves on Biba by focusing on integrity at the transaction level and addressing
three major goals of integrity in a commercial environment:
1. Preventing unauthorized users from making modifications to data or programs.

2. Preventing authorized users from making improper or unauthorized modifications.

3. Maintaining internal and external consistency of data and programs.
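The Clark-Wilson material above (access control triples, CDIs and UDIs, IVPs and TPs, well-formed transactions, separation of duties) fits together as one small system, so the following added example (not from the notes) builds it in Python. The bank ledger, its control total, the TPs `tp_transfer` and `tp_deposit`, the subjects teller/cashier/sec_officer and the two certified triples are all constructed for illustration; the structure is what the model prescribes.

```python
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple


@dataclass
class Ledger:
    """Constrained Data Item (CDI): account balances plus a control total the IVP checks."""
    balances: Dict[str, int] = field(default_factory=dict)
    control_total: int = 0


def ivp_ledger(ledger: Ledger) -> bool:
    """Integrity Verification Procedure: no negative balance, and balances sum to the control total."""
    return all(b >= 0 for b in ledger.balances.values()) and \
        sum(ledger.balances.values()) == ledger.control_total


def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    """Transformation Procedure: a well-formed transfer, one debit with a matching credit."""
    if amount <= 0 or ledger.balances.get(src, 0) < amount:
        raise ValueError("ill-formed transfer")
    ledger.balances[src] -= amount
    ledger.balances[dst] = ledger.balances.get(dst, 0) + amount


def tp_deposit(ledger: Ledger, raw: str) -> None:
    """TP that validates an Unconstrained Data Item (raw text 'account:amount') before it reaches the CDI."""
    account, _, amount_text = raw.partition(":")
    if not account.isalnum() or not amount_text.isdigit():
        raise ValueError(f"UDI rejected: {raw!r}")
    amount = int(amount_text)
    ledger.balances[account] = ledger.balances.get(account, 0) + amount
    ledger.control_total += amount


class ClarkWilsonSystem:
    """Holds the CDIs, the certified TPs and IVPs, and the access control triples."""

    def __init__(self, cdis: Dict[str, Ledger], tps: Dict[str, Callable[..., None]],
                 ivps: Dict[str, Callable[[Ledger], bool]]) -> None:
        self.cdis, self.tps, self.ivps = cdis, tps, ivps
        self.triples: Set[Tuple[str, str, str]] = set()   # (subject, TP, CDI)
        for name, cdi in cdis.items():                     # every CDI must be valid at startup
            if not ivps[name](cdi):
                raise RuntimeError(f"CDI {name} failed its IVP at startup")

    def certify(self, officer: str, subject: str, tp_name: str, cdi_name: str) -> None:
        """Separation of duties: whoever certifies a triple may not be the subject of that triple."""
        if officer == subject:
            raise PermissionError("separation of duties: cannot certify your own access")
        self.triples.add((subject, tp_name, cdi_name))

    def execute(self, subject: str, tp_name: str, cdi_name: str, *args) -> Ledger:
        """Enforcement point: subjects never touch a CDI directly. The triple must be certified,
        the TP does the work, the IVP is rerun afterwards, and any failure rolls the CDI back."""
        if (subject, tp_name, cdi_name) not in self.triples:
            raise PermissionError(f"no certified triple for ({subject}, {tp_name}, {cdi_name})")
        cdi = self.cdis[cdi_name]
        snapshot = copy.deepcopy(cdi)
        try:
            self.tps[tp_name](cdi, *args)
            if not self.ivps[cdi_name](cdi):
                raise RuntimeError("IVP failed after TP; rolling back")
        except Exception:
            self.cdis[cdi_name] = snapshot
            raise
        return cdi


def build_demo_system() -> ClarkWilsonSystem:
    """Constructed bank: two accounts, control total 1000, two certified triples."""
    system = ClarkWilsonSystem(
        cdis={"ledger": Ledger({"alice": 600, "bob": 400}, 1000)},
        tps={"transfer": tp_transfer, "deposit": tp_deposit},
        ivps={"ledger": ivp_ledger},
    )
    system.certify("sec_officer", "teller", "transfer", "ledger")
    system.certify("sec_officer", "cashier", "deposit", "ledger")
    return system


if __name__ == "__main__":
    bank = build_demo_system()
    print(bank.execute("teller", "transfer", "ledger", "alice", "bob", 100).balances)
    print(bank.execute("cashier", "deposit", "ledger", "carol:50").balances)
```

The three integrity goals listed above map onto the code directly: the triple check stops unauthorized users, the TP-only path plus the IVP rerun stops authorized users from making improper changes, and the control total is the internal/external consistency the IVP verifies.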

4. Brewer-Nash (Chinese Wall) - focuses on conflict of interest

5. Goguen-Meseguer - INTEGRITY !!! (just not as well known as Biba). Credited
with defining the concepts of noninterference. Based on predetermining a list
of objects that a subject can access.

6. Sutherland - INTEGRITY !!! focuses on preventing interference to support
integrity. Based on state machine and information flow. Only allows for the
use of a set of predetermined secure states to maintain integrity and prevent
interference. Is often used to prevent covert channels from influencing outcomes.

7. Graham-Denning - secure creation & deletion of subjects & objects specified
via a collection of rules & detailed in an Access Control Matrix. 8 primary
rules:

a. securely create an object
b. securely create a subject
c. securely delete an object
d. securely delete a subject
e. securely provide the read access right
f. securely provide the grant access right
g. securely provide the delete access right
h. securely provide the transfer access right

8. Harrison-Ruzzo-Ullman - very similar to Graham-Denning. Composed of a set of
generic rights and a finite set of commands. It is also concerned with
situations in which a subject should be restricted from gaining particular
privileges.

What about the STAR Model?

CSA Security Trust, Assurance and Risk (STAR) is a program for security assurance
in the cloud. STAR encompasses key principles of transparency, rigorous auditing,
and harmonization of standards. The STAR program provides multiple benefits,
including indications of best practices and validation of security posture of
cloud offerings.

STAR is based on the following foundation tools:

• The CSA Cloud Controls Matrix (CCM)
• The Consensus Assessments Initiative Questionnaire (CAIQ)
• The CSA Code of Conduct for GDPR Compliance

The CCM is a meta-framework of cloud-specific security controls, mapped to
leading standards, best practices and regulations.

The CAIQ is based upon the CCM and provides a set of Yes/No questions a cloud
consumer and cloud auditor may wish to ask of a cloud provider to ascertain their
compliance to the Cloud Controls Matrix.

The CSA Code of Conduct for GDPR Compliance includes all the necessary requirements
a Cloud Service Provider has to satisfy in order to comply with the EU GDPR.

One of the most essential features of the STAR program is its registry, which documents
the security and privacy controls provided by popular cloud computing offerings.

This publicly accessible registry is designed for users of cloud services to
assess their cloud providers, security providers and advisory and assessment
services firms in order to make the best procurement decisions.

Level One: Self-Assessment - There are different options for completing each
level of assurance. For level one organizations can choose to complete one or
both of the security and privacy self-assessments.

Level Two: Third-Party Certification - Organizations looking for a third-party
certification can choose from one or more of the options available. In some
cases an organization may choose to pursue all of the certifications at this
level, in other cases one will suffice. An organization’s location, along with
the regulations and standards it is subject to will have the greatest factor
in determining which ones are appropriate to pursue.

Level 3: Continuous Monitoring - CSA STAR Continuous Monitoring enables
automation of the current security practices of cloud providers. Providers
publish their security practices according to CSA formatting and specifications,
and customers and tool vendors can retrieve and present this information in a
variety of contexts.

All Levels: Continuous Auditing - Each level of STAR also has a continuous
auditing option that allows you to increase your transparency.
