Models of Security
Security models are used to
• Test a particular policy for completeness and consistency
• Document a policy
• Help conceptualize and design an
• Check whether an implementation meets its requirements
Multilevel Security
Want to build a model to represent a range of sensitivities and to reflect the need to separate subjects from objects to which they should not have access.
Use the lattice model of security
• Military security model, where <= in the model is the relation operator in the lattice (transitive, antisymmetric)
• Commercial security model (public, proprietary, internal)
Bell-La Padula Confidentiality Model
Formal description of allowable paths of information flow in a secure system
• Simple Security Property. A subject s may have read access to an object o only if C(o) <= C(s)
• *-Property. A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p)
The *-property is used to prevent write-down (a subject with access to high-level data transfers that data by writing it to a low-level object).
Biba Integrity Model
• Simple Integrity Property. Subject s can modify (have write access to) object o only if I(s) >= I(o)
• Integrity *-Property. If subject s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) >=
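The Bell-LaPadula and Biba rules on the two slides above can be mechanized as a small reference monitor over a lattice of labels. This is an added example, not part of the original slides; the level ordering, the compartment names and the Label/blp_*/biba_* functions are constructed for illustration.

```python
# Added example: reference-monitor checks for the Bell-LaPadula
# confidentiality rules and the Biba integrity rules on a small lattice.
# The level ordering, compartments, subjects and objects are constructed.
from dataclasses import dataclass

# Linear ordering of levels (constructed); for BLP these are read as
# confidentiality levels C(.), for Biba as integrity levels I(.).
LEVELS = {"public": 0, "internal": 1, "proprietary": 2}


@dataclass(frozen=True)
class Label:
    """A lattice element: a level plus a set of compartments (categories)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level AND superset of compartments.
        Compartments make this a partial order (a lattice), not a chain."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: s may read o only if C(o) <= C(s)."""
    return subject.dominates(obj)


def blp_can_write(read_objects, target: Label) -> bool:
    """*-property: a subject that has read objects o may write p only if
    C(o) <= C(p) for every such o. This is what blocks write-down."""
    return all(target.dominates(o) for o in read_objects)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Simple integrity property: s may modify o only if I(s) >= I(o)."""
    return subject.dominates(obj)


def biba_star_can_write(read_objects, target: Label) -> bool:
    """Integrity *-property: having read objects o, s may write p only if
    I(o) >= I(p) for every such o (low-integrity data cannot flow up)."""
    return all(o.dominates(target) for o in read_objects)


if __name__ == "__main__":
    # Write-down attempt from the BLP slide: read proprietary, write public.
    high, low = Label("proprietary", frozenset({"hr"})), Label("public")
    print("write-down allowed:", blp_can_write([high], low))  # False
```

Note that the same `dominates` relation serves both models; BLP and Biba differ only in which direction each of read and write must follow it.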
Models Proving Theoretical Limitations of Security Systems
Graham-Denning Model – introduced the concept of a formal system of protection rules; constructs a model having generic protection properties
Harrison-Ruzzo-Ullman Model – uses commands involving conditions and primitive operations, where a protection system is a set of subjects, objects, rights, and commands
Take-Grant Systems
Four operations performed by subjects on objects with rights
• Create(o,r) subject creates an object with certain rights
• Revoke(o,r) subject removes rights from
• Grant(o,p,r) subject grants to o access rights on p
• Take(o,p,r) subject removes from o access rights on p
Trusted System Design Elements
• Least privilege
• Economy of mechanism
• Open design
• Complete mediation
• Permission based
• Separation of privilege
• Least common mechanism
• Ease of use
Security Features of Ordinary Operating Systems
Authentication of users
Protection of memory
File and I/O device access control
Allocation and access control to general
Enforcement of sharing
Guarantee of fair service
Interprocess communications and
Protection of operating system protection
Security Features of Trusted Operating Systems
Trusted systems incorporate technology to address both features and assurance
Objects are accompanied (surrounded) by an access control mechanism
Memory is separated by user, and data and program libraries have controlled sharing and separation
Security Features of Trusted Operating Systems
Identification and Authentication
• Require secure identification of individuals; each individual must be uniquely identified
Mandatory and Discretionary Access
• MAC – access control policy decisions are made beyond the control of the individual owner of the object
• DAC – leaves access control to the discretion of the object’s owner
• MAC has precedence over DAC
Security Features of Trusted Operating Systems
Object Reuse Protection
• Prevent object reuse leakage
• OS clears (overwrites) all space to be
• Problem of magnetic remanence
Complete Mediation
• All accesses must be controlled
Trusted Path
• For critical operations (setting a password, etc.), users want unmistakable communications
Security Features of Trusted Operating Systems
Accountability and Audit
• Maintain a log of security-relevant events
• Audit log must be protected from outsiders
Audit Log Reduction
• Audit only open and close of files/objects
Intrusion detection
• Build patterns of normal system usage, triggering an alarm any time usage seems
• Intrusion prevention
Kernelized Design
Kernel – part of the OS that performs the lowest-level functions
• Synchronization, interprocess communications, message passing, interrupt handling
• Security kernel – responsible for enforcing the security mechanism for the entire OS; provides the interface among the hardware, OS, and other parts of the computer system