Lecture 10: 11th October 2019 Flashcards

Security Models

1
Q

What are Security Policies?

A

A set of rules and practices governing how a system manages and protects its resources, with particular regard to sensitive data and code. Some organisations write a Security Policy document that defines the required security (and safety) properties of the system; it can be treated as a legal document if the organisation suffers an intrusion.

2
Q

What are Reference Monitors?

A

The Reference Monitor is the abstract mechanism that mediates every access by a subject to an object and applies the system's access control policy. An implementation of it should be tamper-proof, always invoked (impossible to bypass) and small enough to be verified.

3
Q

What are Security Models?

A

A Security Model is the high-level description of the rules which security policies should implement. It is usually an overarching guide including the flow of information between subjects and resources, explicitly describing what entities are covered by the model. Some models may even include data structures or cryptographic specifications.

A model should outline the threats considered, the data access rules and who counts as a valid user. Some models enforce confidentiality (e.g. Bell-LaPadula), others integrity (e.g. Clark & Wilson) and others conflict-of-interest constraints on access (e.g. the Chinese Wall).

4
Q

What is the Military Model?

A

The most basic security model, in which there is a hierarchy or linear ordering of degrees of sensitivities

5
Q

What are subjects?

A

People or processes who wish to access resources (objects)

6
Q

What are relationships?

A

The rules defining what access subjects at a given level have to objects at each level (both grouped into classifications). In the military model a subject may read objects at its own level or lower and write to objects at its own level or higher, so information can only flow upwards.

7
Q

What are partially ordered sets?

A

A set together with a binary relation (written ≤) that is reflexive, antisymmetric and transitive. Not every pair of elements need be comparable: two elements may be neither ≤ nor ≥ each other.

8
Q

What are partially ordered sets aka?

A

posets

9
Q

What are reflexive comparisons?

A

Every element is comparable to itself: a ≤ a holds for all a.

10
Q

What are transitive comparisons?

A

Relations chain: if a ≤ b and b ≤ c then a ≤ c.

11
Q

What are anti-symmetric comparisons?

A

No two distinct elements may precede each other, i.e. be related in both directions:

if a ≤ b and b ≤ a then a = b

Equivalently, if R(a, b) holds and a ≠ b, then R(b, a) does not hold.

12
Q

How can lattices be formed from posets?

A

Take the classification levels (top secret, secret, etc.) and the categories they apply to, e.g. science (weapons development) and military (weapons deployment), and make each combination a node. Order the nodes from most to least access and draw the dominance relation as a graph (a Hasse diagram): top secret in both science and military at the top, then top secret in one and secret in the other, and so on down. Two nodes are compared by comparing both their science and their military components; a node that is higher in one and lower in the other is incomparable with the other. The result is a lattice because any two nodes have a unique least upper bound and greatest lower bound.

13
Q

How does the PM, their top military general, and top scientific advisor illustrate partial order-based systems?

A

PM has top secret science and military clearance. General has top secret military but lower science clearance, and scientist has top secret science clearance but no military clearance.

14
Q

What is domination?

A

A level dominates another when it is greater than or equal to it in the partial order; a subject dominates an object when the subject's clearance dominates the object's classification. Domination gives the direction of permitted information flow: from the dominated level to the dominating one, i.e. upwards. Levels nearer the top of the lattice dominate those below them.

15
Q

Given two objects at different levels, what is the minimum security level a subject must be at to read both objects?

A

The least upper bound of the two levels: if they are comparable, simply the higher of the two; if they are incomparable, the lowest level that dominates both.

16
Q

Given two subjects at different levels, what is the maximum security level an object can be at and be read by both?

A

The greatest lower bound of the two levels: if they are comparable, simply the lower of the two; if they are incomparable, the highest level dominated by both.

17
Q

What is the Hierarchical Model?

A

Another name for the military model. The military model is the most basic security model, in which there is a hierarchy or linear ordering of degrees of sensitivities

18
Q

What is the System Low?

A

the level dominated by all others, i.e. the bottom of the lattice (the greatest lower bound of every level)

19
Q

What is the System High?

A

the level that dominates all others, i.e. the top of the lattice (the least upper bound of every level)

20
Q

When does one user’s privileges dominate another’s?

A

When they can perform access operations on every object the other user can

21
Q

What does it mean when two users have the same privileges?

A

They are at the same access level

22
Q

What is the hierarchical model aka?

A

the military model

23
Q

How can classifications work in conjunction with codewords?

A

To compartmentalise within an access level, combine the level with a set of codewords, for instance military operational codenames. A label is then (level, set of codewords), and one label dominates another only if its level is at least as high and its codeword set is a superset of the other's. Compartments can cross security levels: the same codeword may appear on objects at secret and at top secret.

24
Q

What is ss-property?

A

The simple security property states that no subject can read data at a higher access level than its own. This is known as no read up (NRU).

25
Q

What is NRU?

A

no read up: no subject can read data at a higher access level.

26
Q

What is *-property?

A

The star property: no subject can write data to a lower level than its own, i.e. no write down (NWD).

27
Q

What is NWD?

A

no write down: no process can write data to a lower level.

28
Q

When may a subject read an object?

A

If the security class of the subject is greater than or equal to that of the object

29
Q

When may a subject s with read access to an object, o, write to another object, p?

A

If the security class of the object p is greater than or equal to that of o (apparently but I think it makes sense to just compare s to both directly).

30
Q

What is the BLP Secure flow of information?

A

The set of rules restricting how information propagates so that it cannot leak to a lower level. A subject may read objects at its own level or below (no read up) and write to objects at its own level or above (no write down); at its own level it may both read and write. Information can therefore only flow upwards through the lattice.
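The lattice of cards 12 to 19 and the BLP read/write rules of cards 24 to 30, worked as an added example (not code from the lecture). Labels are (level, codewords) pairs as in card 23; the level names, the codewords "science" and "military", and the three cleared users of card 13 are assumptions for illustration. The last function checks card 29's rule exhaustively over the whole small lattice.

```python
from itertools import chain, combinations

# Constructed example for this deck (not the lecture's code). Level names and
# codewords are assumptions; any linear ordering plus any set of codewords works.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
CODEWORDS = ("science", "military")


class Label:
    """A point in the lattice: linear sensitivity level plus a set of compartments (codewords)."""

    def __init__(self, level, compartments=()):
        self.level = LEVELS[level] if isinstance(level, str) else level
        self.comps = frozenset(compartments)

    def dominates(self, other):
        # self >= other: at least as high a level AND every codeword that other has
        return self.level >= other.level and self.comps >= other.comps

    def __eq__(self, other):
        return (self.level, self.comps) == (other.level, other.comps)

    def __hash__(self):
        return hash((self.level, self.comps))

    def __repr__(self):
        return f"Label({self.level}, {sorted(self.comps)})"


def lub(a, b):
    """Least upper bound: the lowest label dominating both.
    Card 15: the minimum clearance a subject needs to read objects labelled a and b."""
    return Label(max(a.level, b.level), a.comps | b.comps)


def glb(a, b):
    """Greatest lower bound: the highest label dominated by both.
    Card 16: the highest label an object can carry and still be readable by subjects a and b."""
    return Label(min(a.level, b.level), a.comps & b.comps)


def can_read(subject, obj):
    """ss-property, no read up: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property, no write down: the object's label must dominate the subject's clearance."""
    return obj.dominates(subject)


def all_labels():
    """Every (level, codeword-set) pair: the whole lattice for this small example."""
    subsets = list(chain.from_iterable(combinations(CODEWORDS, n) for n in range(len(CODEWORDS) + 1)))
    return [Label(lvl, s) for lvl in LEVELS.values() for s in subsets]


def no_leak_possible():
    """Card 29 checked exhaustively: whenever a subject may read o and write p, p dominates o,
    so information can only move up the lattice."""
    labels = all_labels()
    return all(p.dominates(o)
               for s in labels for o in labels for p in labels
               if can_read(s, o) and can_write(s, p))


# Card 13: PM, general and scientific advisor, all top secret but with different codewords.
pm = Label("top secret", CODEWORDS)
general = Label("top secret", {"military"})
scientist = Label("top secret", {"science"})

if __name__ == "__main__":
    print(pm.dominates(general), general.dominates(scientist))   # True False: incomparable peers
    print(lub(general, scientist) == pm)                          # True: PM is their least upper bound
    print(can_read(general, Label("secret", {"military"})))      # True: read down within compartment
    print(can_write(general, Label("secret", {"military"})))     # False: that would be a write down
    print(no_leak_possible())                                     # True
```

The general and the scientist are incomparable: neither dominates the other, so neither can read the other's material, while the PM, their least upper bound, reads both. The exhaustive check is what the Basic Security Theorem relies on at the level of a single transition: every permitted read/write pair moves information to a dominating label.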

31
Q

What is a ds-property?

A

ds-property, the discretionary security property: in addition to the mandatory ss- and *-properties, an access must also be permitted by the discretionary access matrix (ordinary DAC). This is the part of the model administered by hand, and it is where exceptions are handled, such as temporarily granting a subject a higher clearance or downgrading (declassifying) an object so that a high-level subject can pass information about it to lower levels.

32
Q

When is a state considered secure in BLP?

A

if the ss-property, the *-property and the ds-property all hold

33
Q

What are some security disadvantages of the Bell-LaPadula system?

A

No command and control: a subject cannot easily pass information downwards, e.g. to brief subordinates at a lower level than the object that is the source of the information. The workaround, using the ds-property (trusted subjects, declassification) to grant others access, punches holes in the mandatory rules and is where vulnerabilities creep in. The model also addresses confidentiality only; it says nothing about integrity, so a low-level subject may write to, and corrupt, high-level objects.

34
Q

How does the Bell-LaPadula system work?

A

The BLP model effectively describes valid states and state transitions. If the initial state is secure and every state transition is secure, then every subsequent state will also be secure, whatever the inputs are.

Draw the subjects and objects as nodes with edges for the read and write rights between them, placed on a vertical scale of security level, higher levels higher up the graph.

35
Q

What is the Basic Security Theorem?

A

That the BLP model effectively describes valid states and state transitions: if the initial state is secure and every state transition in the system is secure, then every subsequent state will also be secure, whatever the inputs are.

36
Q

What is the Chinese Wall?

A

A security model (Brewer and Nash) for protecting commercial information: the data of competing companies is grouped into conflict-of-interest classes, and a subject who has accessed one company's data in a class may never access a competitor's data in the same class, preventing insider information from crossing between competitors.

37
Q

What does the Chinese Wall consist of?

A

Objects: files, i.e. low-level information pertaining to one company.

Groups (company datasets): all objects pertaining to one company are grouped together.

Conflict classes: the groups of objects belonging to competing companies are clustered together.

38
Q

With the Chinese Wall, how do you define a subject, two companies, a security label of an object, sanitisied info, and subjects who have viewed data?

A

For an accessing subject s and an object o, B(o) is the company that owns o and C(o) is the set of companies in conflict with B(o), i.e. its competitors.

The security label of an object o is the pair (B(o), C(o)), i.e. its company and its conflict class.

Sanitised information has C(o) = ∅: it conflicts with nobody and can be made public.

Subjects who have viewed data are recorded in a matrix N, where N(s, o) is true if access has at some time been granted to s for o.

Think of it as Business(obj) and Competitor(obj): if Competitor(obj) is empty, the object can be made open.

39
Q

What is the ss-property with the Chinese Wall?

A

If s has had access to an object o' belonging to company B(o'), s is forbidden from accessing objects belonging to any of the competitor companies in C(o'). On its own this rule does not stop information being passed between competitors indirectly, via the objects of a third company in a different conflict class; that is what the *-property is for.

40
Q

What is the *-property with the Chinese Wall?

A

The *-property: A subject S is granted write access to an object o if S has no read access to an object o’ with B(o) != B(o’) and C(o’) != ∅.

i.e. write access to an object is only grant
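The Chinese Wall rules of cards 36 to 40 as an added example (not the lecture's code). The companies, conflict classes and object names are made up, and "has read access" in the *-property is approximated by the access history N(s, o), so a subject is judged on what it has actually been granted rather than on everything it could still ask for.

```python
# Constructed example for this deck (not the lecture's code): Brewer-Nash Chinese Wall.
# Company names, conflict classes and objects are made up for illustration.


class ChineseWall:
    def __init__(self, conflict_classes):
        # C(company): the competitors of each company, derived from the conflict-of-interest classes
        self.competitors = {}
        for members in conflict_classes.values():
            for company in members:
                self.competitors[company] = frozenset(members - {company})
        self.objects = {}        # object name -> (B(o), C(o))
        self.history = set()     # N(s, o): present once s has been granted access to o

    def add_object(self, name, company=None):
        """Objects owned by no company are sanitised: B(o) = None, C(o) = ∅."""
        if company is None:
            self.objects[name] = (None, frozenset())
        else:
            self.objects[name] = (company, self.competitors.get(company, frozenset()))

    def _accessed(self, subject):
        return [o for (s, o) in self.history if s == subject]

    def can_read(self, subject, obj):
        """ss-property: s may read o unless s has already accessed an object of a company in C(o).
        Sanitised objects have C(o) = ∅ and are therefore always readable."""
        _, conflict = self.objects[obj]
        return not any(self.objects[o][0] in conflict for o in self._accessed(subject))

    def read(self, subject, obj):
        """Grant or refuse read access and record a grant in N."""
        if not self.can_read(subject, obj):
            return False
        self.history.add((subject, obj))
        return True

    def can_write(self, subject, obj):
        """*-property: s may write o only if s has accessed no unsanitised object o'
        (C(o') != ∅) of another company (B(o') != B(o)). Without this a subject could copy
        BankA data into a third company's file that a BankB analyst is still allowed to read."""
        company, _ = self.objects[obj]
        return not any(self.objects[o][0] != company and self.objects[o][1]
                       for o in self._accessed(subject))


def build_demo():
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})
    wall.add_object("BankA_report", "BankA")
    wall.add_object("BankB_report", "BankB")
    wall.add_object("OilX_memo", "OilX")
    wall.add_object("market_summary")           # sanitised: C(o) = ∅
    return wall


if __name__ == "__main__":
    wall = build_demo()
    print(wall.read("alice", "BankA_report"))    # allowed: nothing in alice's history yet
    print(wall.read("alice", "BankB_report"))    # refused: BankB is in C(BankA_report)
    print(wall.read("alice", "OilX_memo"))       # allowed: different conflict class
    print(wall.can_write("alice", "OilX_memo"))  # refused: would launder BankA data via OilX
```

The write check is the strict part of the model: once alice has read unsanitised BankA material she can write nothing that belongs to another company, not even a sanitised summary, because anything she writes might carry BankA information to a reader who is allowed to see BankB's.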

41
Q

What is the Clark & Wilson well-formed transaction policy?

A

A model for ensuring integrity in commercial systems (it is not a confidentiality model). A well-formed transaction is a series of operations that takes the system from one consistent state to another consistent state.

42
Q

How does the Clark & Wilson transaction policy work?

A

Users may only change data by executing certified transactions (transformation procedures); the system's integrity policies are enforced by restricting which users may run which transaction on which data.

43
Q

What are the properties of the Clark & Wilson transaction policy?

A
  • Data is manipulated only by a specific set of certified programs, i.e. mediated access.
  • Users have to collaborate to manipulate data, so they would have to collude to breach security, i.e. separation of duties.
  • Users are restricted in what they can execute, and there is an audit trail of transactions.
  • There is a certification procedure for the programs and the access rules.
44
Q

What are Access Triples?

A

Access triple = a three-part relationship of subject/program/object (where the program is interchangeable with the transaction).

Aka an access control triple.

45
Q

What do Access Triples consist of?

A

Subject, transaction/program, and ≥ 1 object

46
Q

How do Access Triples control the actions of users?

A

If a user is not listed in a triple for a given transaction/program and object, they cannot run that transaction/program on that object.
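The Clark & Wilson machinery of cards 41 to 46 as an added example (not the lecture's code): accounts as constrained data items, two transformation procedures, access triples, an integrity verification procedure and an audit trail. The users, accounts and procedure names are invented. Separation of duties is expressed purely through the triples: the user certified to request a transfer is never certified to approve one.

```python
# Constructed example for this deck (not the lecture's code): Clark-Wilson enforcement.
# Users, account names and TP names are made up for illustration.


class ClarkWilson:
    def __init__(self, balances):
        self.cdis = dict(balances)            # CDIs: account name -> balance
        self.total = sum(balances.values())   # invariant: money is neither created nor destroyed
        self.tps = {}                         # certified transformation procedures by name
        self.triples = set()                  # access control triples (user, tp, cdi)
        self.pending = {}                     # transfers requested but not yet approved
        self.log = []                         # audit trail of every attempt

    def certify(self, name, fn):
        """Certification procedure: only TPs registered here may ever touch a CDI."""
        self.tps[name] = fn

    def allow(self, user, tp, cdi):
        self.triples.add((user, tp, cdi))

    def ivp(self):
        """Integrity verification procedure: no overdrafts and the total is conserved."""
        return all(b >= 0 for b in self.cdis.values()) and sum(self.cdis.values()) == self.total

    def run(self, user, tp, cdis, **args):
        """Run TP `tp` for `user` on the named CDIs, enforcing the triples and then the IVP."""
        if tp not in self.tps or any((user, tp, c) not in self.triples for c in cdis):
            self.log.append((user, tp, tuple(cdis), "DENIED"))
            return False
        snapshot = (dict(self.cdis), dict(self.pending))
        self.tps[tp](self, *cdis, **args)
        if not self.ivp():
            # A well-formed transaction must end in a consistent state; undo it otherwise.
            self.cdis, self.pending = snapshot
            self.log.append((user, tp, tuple(cdis), "ROLLED BACK"))
            return False
        self.log.append((user, tp, tuple(cdis), "OK"))
        return True


# Two TPs so that separation of duties falls out of the triples alone.
def request_transfer(bank, src, dst, amount, rid):
    bank.pending[rid] = (src, dst, amount)


def approve_transfer(bank, src, dst, rid):
    psrc, pdst, amount = bank.pending.pop(rid)
    assert (psrc, pdst) == (src, dst), "approval must name the requested accounts"
    bank.cdis[psrc] -= amount
    bank.cdis[pdst] += amount


def demo_bank():
    bank = ClarkWilson({"acct1": 100, "acct2": 50})
    bank.certify("request", request_transfer)
    bank.certify("approve", approve_transfer)
    for acct in ("acct1", "acct2"):
        bank.allow("clerk", "request", acct)      # clerks may request ...
        bank.allow("manager", "approve", acct)    # ... only managers may approve
    return bank


if __name__ == "__main__":
    bank = demo_bank()
    bank.run("clerk", "request", ["acct1", "acct2"], amount=30, rid="t1")
    bank.run("clerk", "approve", ["acct1", "acct2"], rid="t1")      # denied: no triple for clerk
    bank.run("manager", "approve", ["acct1", "acct2"], rid="t1")    # OK: balances 70 / 80
    bank.run("clerk", "request", ["acct2", "acct1"], amount=500, rid="t2")
    bank.run("manager", "approve", ["acct2", "acct1"], rid="t2")    # IVP fails, rolled back
    for entry in bank.log:
        print(entry)
```

The overdraft in the last step shows why the IVP runs after every TP: the approval is a certified procedure run by an authorised user, yet it would leave a CDI inconsistent, so the state is rolled back and the attempt stays in the audit log.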

47
Q

What is a security kernel?

A

The Security Kernel is the part of the trusted computing base (hardware, firmware and software) that implements the reference monitor; it supervises the low-level system activities that access protected resources such as registers, memory and files.

48
Q

What is BLP model?

A

BLP model = Bell-LaPadula, a confidentiality model developed for the US Air Force. It forbids downward information flow in general and identifies the narrow, explicitly controlled cases in which a downward flow (declassification by a trusted subject) may be allowed.

49
Q

What is the lattice model?

A

A set of security levels (the nodes of a graph) with a partial ordering, dominance, such that every pair of levels has a least upper bound and a greatest lower bound. Subjects and objects are labelled with levels, and information may only flow from a level to one that dominates it.