To Support Digital India, We are trying to enforce the security on the web and digital Information. This Slides provide you basic as well as advance knowledge of security model. Model covered in this slides are Chinese Wall, Clark-Wilson, Biba, Harrison-Ruzzo-Ullman Model, Bell-LaPadula Model etc. Types of Access Control.

1. Security Models
Copyright by Aakash Panchal
All Right reversed by LJ Projects

2. 2
Basic Concepts

3. Terminology
3
Trusted Computing Base (TCB) – combination of protection
mechanisms within a computer system
Subjects / Objects
Subjects are active (e.g., users / programs)
Objects are passive (e.g., files)
Reference Monitor – abstract machine that mediates subject
access to objects
Security Kernel – core element of TCB that enforces the
reference monitor’s security policy

4. Types of Access Control
4
Discretionary Access Control (DAC) – data owners can
create and modify matrix of subject / object relationships
(e.g., ACLs)
Mandatory Access Control (MAC) – “insecure”
transactions prohibited regardless of DAC
Cannot enforce MAC rules with DAC security kernel
Someone with read access to a file can copy it and build a new
“insecure” DAC matrix because he will be an owner of the new
file.

5. Information Flow Models
5
In reality, there are state transitions
Key is to ensure transitions are secure
Models provide rules for how information flows from state to state.
Information flow models do not address covert channels
Trojan horses
Requesting system resources to learn about other users

6. State Machine Model
State is a snapshot of the system at one moment in time.
State transition is the change to the next state.
If all the state transitions in a system are secure and if the
initial state of the system is secure, then every subsequent
state will also be secure, no matter what input occurs.

7. 7
Access Control Models

8. Bell-LaPadula (BLP) Model
8
BLP is formal (mathematical) description of mandatory access control
First model that was created to control access to data.
Three properties:
ds-property (discretionary security)
ss-property (simple security – no “read up”)
*-property (star property – no “write down”)
A secure system satisfies all of these properties
BLP includes mathematical proof that if a system is secure and a
transition satisfies all of the properties, then the system will remain
secure.

9. Bell-LaPadula Model (Continued)
9
Honeywell Multics kernel was only true implementation of
BLP, but it never took hold
DOD information security requirements currently achieved
via discretionary access control and segregation of systems
rather than BLP-compliant computers
The problem with this model is that it does not deal with
integrity of the data.

10. Bell-LaPadula Model (Continued)
10
The star property makes it possible for a lower level subject
to write to a higher classified object.
A covert channel is an information flow that is not controlled
by a security mechanism.
A low level subject may see high level object name but are
denied access to the contents of the object.

11. Harrison-Ruzzo-Ullman Model
BLP model does not state policies for changing access rights
or for the creation or deletion of subjects and objects.
This model defines authorization system that address these
issues.
It operates on access matrices and verifies if there is any
sequence of instructions that cause an access right to leak
information.

12. Three Main Goals of Integrity
Preventing unauthorized users from making modifications to
data or programs.
Preventing authorized users from making improper or
unauthorized modifications.
Maintaining internal and external consistency of data and
programs.

13. Biba Model
13
Similar to BLP but focus is on integrity, not confidentiality
Implements the first goal of integrity.
Result is to turn the BLP model upside down
High integrity subjects cannot read lower integrity objects (no “read
down”)
Subjects cannot move low integrity data to high-integrity environment
(no “write up”)

14. Intuition Behind Models
Control of confidential information is important both in
military and commercial environment.
However in commercial environment the integrity of data is
also equally important to prevent errors and frauds.
The higher the level, the more confidence one has that a
program will execute correctly.
Data at higher level is more accurate, reliable and
trustworthy than data at the lower level.

15. Clark-Wilson Model
15
Reviews distinction between military and commercial policy
Military policy focus on confidentiality
Commercial policy focus on integrity
Mandatory commercial controls typically involve who gets to
do what type of transaction rather than who sees what
(Example: Handle a check above a certain amount)

16. Clark-Wilson Model (Continued)
16
Two types of objects:
Constrained Data Items (CDIs)
Unconstrained Data Items (UDIs)
Two types of transactions on CDIs in model
Integrity Verification Procedures (IVPs)
Transformation Procedures (TPs)
IVPs certify that TPs on CDIs result in valid state
All TPs must be certified to result in valid
transformation

17. Clark-Wilson Model (Continued)
17
System maintains list of valid relations of the form:
{UserID, TP, CDI/UDI}
Only permitted manipulation of CDI is via an authorized TP
If a TP takes a UDI as an input, then it must result in a
proper CDI or the TP will be rejected
Additional requirements
Auditing: TPs must write to an append-only CDI (log)
Separation of duties

18. Clark-Wilson Model (Continued)
18
Subjects have to identified and authenticated.
Objects can be manipulated only by a restricted set of
programs.
Subjects can execute only a restricted set of programs
A proper audit log has to be maintained.

19. Clark-Wilson versus Biba
19
In Biba’s model, UDI to CDI conversion is performed by
trusted subject only (e.g., a security officer), but this is
problematic for data entry function.
In Clark-Wilson, TPs are specified for particular users and
functions. Biba’s model does not offer this level of
granularity.

20. Chinese Wall
20
Focus is on conflicts of interest.
Principle: Users should not access the confidential
information of both a client organization and one or more of
its competitors.
How it works
Users have no “wall” initially.
Once any given file is accessed, files with competitor
information become inaccessible.
Unlike other models, access control rules change with
user behavior

21. Chinese Wall
21
Separation of Duty.
A given user may perform transaction A or Transaction B but
not both.
A simple security property
A subject has access to an object if and only if, all the objects that
subject can read are from non competing groups.
The *- Property
A subject can write to client only if the subject can not read any
object from a competing group.

22. +91-82381-35844
Aakashpanchal100@
gmail.com
Follow us