Domain 3 - Security Engineering - Security Models

Question 1

Security Model - what is it?

Answer 1

provides ‘rules of the road’ for securely operating systems. Can be used in determining policy.

provides a way for designers to map abstract statements into a security policy that prescribes the algorithms and data structures necessary to build hardware and software.

Question 2

Read down, Write up

Answer 2

Applies to Mandatory Access Control models.

Read down = user reads an object at a lower sensitivity leve.

Write up = user writes to an object then labels it at a higher sensitivity level than the clearence they themselves possess.

Question 3

State Machine Model

Answer 3

Based on concept of FSM (Finite State Machine) Mathematical Model that groups all possible system occurrences (called states). Every possible state is evaluated as secure.

Each input results in a transition to a new state that must be evaluated for secureness.

Basis of many other sec. models.

Question 4

Bell-Lapadula Model

Answer 4

Based on State-Machine and information flow models. Origin in DOD. Main focus is on confidentiality of objects.

Simple Security Property

*Security Property

Question 5

Bell Lapadula

• What is Simple Security Property?

What is the star property AKA Security Property?

Answer 5

No Read Up (SSP)

No Write Down (SP)

Question 6

Bell Lapadula

• What is Strong Tranquility Property

Answer 6

labels will not change while a system is operating

Question 7

Bell Lapadula

• What is Weak Tranquility Property

Answer 7

Labels can’t change in a way that conflicts with defined security properties

Question 8

Lattice-based Controls

Answer 8

o Security for complex environments
o For every relationshiop between a subject and object – there are defined upper and lower access limits
o Subject have Least UpperBound and Greatest Lower Bound
o Multi level and multi lateral

Question 9

Integrity Models

Answer 9

Focus on integrity moreso than confidentiality.

Question 10

Biba Model

Answer 10

Integrity based model. Based on State Machine and Information flow. Two primary rules
Simple integrity axioim – no read down
*Integrity Axiom – no write up

Question 11

Biba Model - what is Simple integrity axiom?

Answer 11

no read down. Prevents subjects from accessin info at lower integrity level - protects integrity by preventing bad info from reaching higher levels.

Question 12

Biba Model - what is star property AKA integrity axiom?

Answer 12

no write up.

Question 13

Clark-Wilson

Answer 13

Integrity model
Real world model
o Requires subjects to access objects via programs
o Two primary concepts
Well formed transactions
Separation of duties

Question 14

Clark-Wilson - what are Well formed transactions?

Answer 14

Abiltity to enforce control over apps.

Comprised of: User, Transformation procedure, and Constrained Data Item.

Question 15

Clark - Wilson - certification, enforcement, and separation of duties

Answer 15

All TP (Transformation procedures) must record enough information to reconstruct the data transaction.

Question 16

Clark - wilson separation of duties

Answer 16

ensure authorized users don’t change data in an inappropriate way.

Question 17

Information Flow Model

Answer 17

Based on State-machine model. Focused on controlling information flow and type of information. Designed to prevent unauthorized, insecure, or restricted info flow. Excludes all un-defined flow pathways.

Question 18

Chinese Wall Model (Brewer Nash)

Answer 18

AKA Brewer-Nash. Designed to avoid conflicts of interest. Specifically addresses consultants/contractors in financial institutions.

o Subject can write to an object only if the subject cannot read another object in a diff data set

Question 19

Non-interference Model

Answer 19

Loosely based on Information Flow model. Instead of information flow, is concerned with how Actions at a higher security level affects states at lower level

Not concerned with the flow of data but more so with what a subject knows

Addresses the inference attack that occurs when someone has access to some type of info and can guess something they don’t have clearance to.

Question 20

Take-Grant Model

Answer 20

Dictates how rights can be passed from subject to subject, or from subject to object.

Has four rules
Take rule, grant rule, create rule, and remove rule.

Question 21

Access Control Matrix

Answer 21

Commonly used in OS and applications
Table that defines access permissions between subjects and objects

Question 22

Graham-denning Model

Answer 22

Focuses on the secure creation and deletion of both subjects and objects.

Has 8 primary protection rules.

Question 23

Zachmann Framework for enterprise architecture

Answer 23

Six frameworks for providing information sec.

Question 24

Harrison-ruzzo-ullman model

Answer 24

Matrix based, variation of graham-denning model.

Six primitive operations.

Question 25

Trusted Computing Base

Answer 25

Subset of a complete information system. Combination of hardware, software, and controls working together to form the trusted base or ‘core’ to enforce your security policies. Should be as small as possible.

Question 26

Security perimeter

Answer 26

Imaginary Boundary that separates TCB from the rest of system.

Question 27

Goguen-Meseguer Model

Answer 27

Integrity Model. Predetermining the set or domain of objects a subject can access.

Question 28

Sutherland Model

Answer 28

Integrity Model. Focuses on preventing interference in support of integrity. Sets of States.

Question 29

Star Security Property AKA Confinement Property

Answer 29

Subject may not write information to an object at a lower sensitivity level. No write down.

Question 30

Reference Monitor

Answer 30

Part of the TCB that validates access to every resource prior to granting access. Stands between every subject and object.

Question 31

Biba vs Bell Lapadula

Answer 31