Flashcards in Domain 3: Security Engineering; Security Models Deck (34):
Is Bell-LaPadula mandatory or discretionary?
What is reading down?
When a subject reads an object at a lower security level.
What is writing up?
When a subject passes information to an object which has higher sensitivity than the subject has permission to access.
What is the State Machine Model?
A state machine model is a mathematical model that groups all possible system occurences, called states. Every possible state of a system is evaluated, showing all possible interactions between subjects and objects. If every state is proven to be secure, the system is proven to be secure.
What is the focus of the Bell-LaPadula Model?
Maintaining the confidentiality of objects. This means not allowing users at a lower security level to access objects at a higher level.
What are the two rules Bell-LaPadula observes?
The Simple Security Property and the * Security Property.
What is the Simple Security Property?
"no read up". A subject at a specific classification level cannot read an object at a higher level.
What is the * Security Property? (Star Security Property)
"no write down". A subject at a higher classification level cannot write down to an object at a lower level.
Within the Bell-Lapadula access control model, what are the two properties that dictate how the system will issue security labels for objects?
The Strong Tranquility Property states that security labels will not change while the system is operating. The Weak Tranquility Property states that security labels will not change in a way that conflicts with defined security properties.
What is Lattice-based access control?
Lattice-based access control allows security controls for complex environments. For every relationship between a subject and object, there are defined upper and lower access limits implemented by the system. The subject can be allowed access to higher or lower classification depending on their needs. Subjects have a Least Upper Bound (LUB) and Greatest Lower Bound (GLB) depending on their position in the latice.
What is the Biba-Model?
Focuses on Integrity of data. "no write up;no read down". This prevents bad data from being written to higher classification levels, and bad data being read from lower classification levels.
Within the Biba-Model, the rule for "no read down" is called?
The Simple Integrity Axiom.
Within the Biba-Model, the rule for "no write up" is called?
The * Integrity Axiom.
What is the Clark-Wilson model?
Clark-Wilson is a real-world integrity model that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations to what they can and cannot do, this model effectively limits the capabilities of the subject.
What are the two primary concepts Clark-Wilson uses to ensure the security policy is enforced?
Well-formed transactions and Separation of Duties.
Within Clark-Wilson, what does Well-formed transactions describe?
It describes Clark-Wilson's ability to enforce control over applications. This process is comprised of the "access control triple:" user, transformation procedure, and constrained data item.
Within Clark-Wilson, describe the "access control triple".
A transformation procedure (TP) is a well-formed transaction.
A constrained data item (CDI) is data that requires integrity.
An unconstrained data item (UDI) are data that do not require integrity.
Within Clark-Wilson, what is IVP?
Integrity Verification Procedures, ensures that the data are kept in a valid state.
Within Clark-Wilson, for each TP...
... an audit record is made and entered into the access control system. This provides both detective and recovery controls in case integrity is lost.
Within Clark-Wilson, what is the purpose of separation of duties?
To ensure authorized users do not change data in an inappropriate way.
What is the Chinese Wall Model?
It's designed to avoid conflict of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest (CoIs) categories. The Chinese Wall model requires that CoIs be identified so that once a consultant gains access to one CoI, they cannot read or write to an opposing CoI.
What is the Noninterference model?
It prevents covert channel communication from occuring by ensuring data at different security domains remain separate from one another. This separation prevents information from crossing security boundaries.
What is a covert channel?
A cover channel is policy-violating communication that is hidden from the owner or users of a data system.
What is the Take-Grant Protection Model?
The Take-Grant Protection Model contains rules that govern the interactions between subjects and objects, and permissions subjects can grant to other subjects. Rules include: take, grant, create, and remove.
What is the Access Control Matrix?
An access control matrix is a table that defines access permissions between specific subjects and objects. A matrix is a data structure that acts as a table lookup for the operating system.
Within the Access Control Matrix, what are the functions of the rows and columns?
The rows show the capabilities of each subject. Each row is called a capability list. The columns show the ACL for each object or application.
What are the six frameworks and rules of the Zachman Framework for Enterprise Architecture?
The frameworks are what, how, where, who, when, and why. The rules are planner, owner, designer, builder, programmer, and user.
What are the three parts of the Graham-Denning model and what are the eight rules?
The three parts are: subject, object, and rules. The rules are:
R1: Transfer Access
R2: Grant Access
R3: Delete Access
R4: Read Object
R5: Create Object
R6: Destroy Object
R7: Create Subject
R8: Destroy Subject.
How is the Harrison-Ruzzo-Ullman model different from the Graham-Denning model?
It treats the subjects to be also objects. There are only six primitive rules:
Enter right into access matrix
Destroy right from access matrix
What are the four Modes of Operation?
Dedicated, System High, Compartmented, Multilevel.
What is the Dedicated mode of operation?
The system contains objects of one classification label. All subjects must possess a clearance level equal or greater than the label of the object.
What is System High mode of operation?
The system contains objects of mixed labels. All subjects must have a clearance level equal to the system's highest object.
What is Compartmented mode of operation?
Objects on the system are placed into compartments that require additional approval before a subject has access to it, even if the subject has the appropriate clearance to access the system.