Integrity policies Flashcards

1
Q

What are the five integrity model requirements defined by Lipner?

A
  1. Users will not write their own programs, but use production software.
  2. Programmers will develop and test software on non-production systems.
  3. A special process must be followed to install a program from dev to prod.
  4. This special process must be controlled and audited.
  5. Managers and auditors must have access to the system state and logs.
2
Q

What are the goals of Lipner’s five integrity model requirements?

A

These five integrity model requirements are designed to collectively achieve:

  1. Separation of duty - multi-step critical functions require the involvement of multiple entities. For instance, installation of developed software is not handled by the developers but by someone else, e.g., a system admin.
  2. Separation of function - No one entity can possess complementary roles in a process. For instance, a developer cannot retrieve production data to be used in the development process. If this is needed, someone else must collect the data on behalf of the developer.
  3. Auditing - This allows for potential recovery of systems and accountability for all actions undertaken on systems.
3
Q

What is information transfer?

A

Given two objects o1 and o2, information transfer is the phenomenon in which information contained in o1 is transferred to o2.

This can occur in a system if a subject s reads the information i from o1 and writes i to o2.

4
Q

What is an information transfer path?

A

An information transfer path is a sequence of objects o1,…,on and subjects s1,…,sm where s1 first reads from o1 and then writes that information to o2. Then, s2 reads from o2 and writes to o3. This continues until sm reads from o(n-1) and writes to on.

5
Q

How does the Low-Water-Mark policy restrict information transfer paths in a system?

A

The main idea of the Low-Water-Mark Policy is to change the level of the subject s reading from the object o to protect information flow.

This policy imposes the following restrictions:

s can only write to o if I(s) >= I(o)*
s reads o, then I(s) = min(I(s), I(o))**
s1 can execute s2 if I(s1) >= I(s2)

By changing the integrity level of s when reading o, the policy ensures that the information read can never be written to an object with a higher integrity level. Thus, less reliable information cannot be written to another object and appear more reliable on the back of the higher integrity of the object written to.

*I(x) denotes the integrity level of x, i.e., how much do we trust the information in x if x is an object, or how much do we trust x if x is a subject.

** The integrity level of s is set to the lowest of its own integrity level and that of the object o.

6
Q

What are the pros and cons of the Low-Water-Mark Policy?

A

The main advantages are:
  1. It prevents contamination of objects*:
     1. It prevents direct modifications that would lower integrity labels.
     2. It prevents indirect modification.**

The main downside of the policy is the fact that many subjects can end up with the lowest integrity level merely by reading from “unreliable” objects. This can make the subjects incapable of doing their designated tasks.

* Contamination in the sense that unreliable information has been written to the object.

** Indirect modification can occur when s1 reads from o1 and writes to o2, followed by s2 reading from o2 and writing to o3. In this scenario, s1 is indirectly modifying o3 by writing information from o1 to o2.

7
Q

What is the Ring Policy and how is it different from the Low-Water-Mark Policy?

A

The Ring Policy only differs from the Low-Water-Mark policy by not lowering the integrity of subjects reading objects.

This policy will also prevent contamination as it restricts subjects from writing to objects with a higher integrity level.

8
Q

What is the Biba Model?

A

The Biba Model is considered a strict integrity policy. It imposes the same requirements as the Ring and Low-Water-Mark policies on writing and execution. However, it only allows a subject s to read from the object o if the integrity level of s is higher than or equal to that of o (I(s) >= I(o)).

The Biba model is therefore similar to the Bell-LaPadula model for confidentiality.
