Models of Security

Security models are used to
• Test a particular policy for completeness
and consistency
• Document a policy
• Help conceptualize and design an
implementation
• Check whether an implementation
meets its requirements
Multilevel Security


Want to build a model to represent a
range of sensitivities and to reflect need to
separate subjects from objects to which
they should not have access.
Use the lattice model of security
• military security model where <= in the model
is the relation operator in the lattice
(transitive, antisymmetric)
• Commercial security model (public,
proprietary, internal)
Bell-La Padula Confidentiality Model

Formal description of allowable paths of
information flow in a secure system
• Simple Security Property. A subject s may
have read access to an object o only if C(o)
<= C(s)
• *-Property – A subject s who has read access
to an object o may have write access to an
object p only if C(o) <= C(p)

The *-property is used to prevent write-down
(subject with access to high-level data transfers that
data by writing it to a low-level object.
Bibb Integrity Model
Simple Integrity Property. Subject
s can modify (have write access to)
object o only if I(s) >= I(o)
 Integrity *-Property. If subject s
has read access to object o with
integrity level I(o), s can have write
access to object p only if I(o) >=
I(p)

Models Proving Theoretical
Limitations of Security Systems


Graham-Denning Model – introduced
concept of a formal system of protection
rules; constructs a model having generic
protection properties
Harrison-Ruzzo-Ullman Model – uses
commands involving conditions and
primitive operations where a protection
system is a set of subjects, objects,
rights, and commands
Take-Grant Systems

Four operations performed by
subjects on objects with rights
• Create(o,r) subject creates an object
with certain rights
• Revoke(o,r) subject removes rights from
object
• Grant(o,p,r) subject grants to o access
rights on p
• Take (o,p,r) subject removes from o
access rights on p
Trusted System Design Elements
Least privilege
 Economy of mechanism
 Open design
 Complete mediation
 Permission based
 Separation of privilege
 Least common mechanism
 Ease of use

Security Features of Ordinary
Operating Systems








Authentication of users
Protection of memory
File and I/O device access control
Allocation and access control to general
objects
Enforcement of sharing
Guarantee of fair service
Interprocess communications and
synchronization
Protection of operating system protection
data
Security Features of Trusted
Operating Systems



Trusted systems incorporate technology to
address both features and assurance
Objects are accompanied (surrounded) by
an access control mechanism
Memory is separated by user, and data
and program libraries have controlled
sharing and separation
Security Features of Trusted
Operating Systems

Identification and Authentication
• Require secure id of individuals, each
individual must be uniquely identified

Mandatory and Discretionary Access
Control
• MAC – access control policy decisions are
made beyond the control of the individual
owner of the object
• DAC – leaves access control to the discretion
of the object’s owner
• MAC has precedence over DAC
Security Features of Trusted
Operating Systems

Object Reuse Protection
• Prevent object reuse leakage
• OS clears (overwrites) all space to be
reassigned
• Problem of magnetic remanence

Complete Mediation
• All accesses must be controled

Trusted Path
• For critical operations (setting password, etc.),
users want unmistakable communications
Security Features of Trusted
Operating Systems

Accountability and Audit
• Maintain a log of security relevant events
• Audit log must be protected from outsiders

Audit Log Reduction
• Audit only open and close of files/objects

Intrusion detection
• Build patterns of normal system usage,
triggering an alarm any time usage seems
abnormal
• Intrusion prevention
Kernelized Design

Kernel – part of OS that performs
lowest-level functions
• Synchronization, interprocess
communications, message passing,
interrupt handling
• Security kernel – responsible for
enforcing security mechanism for entire
OS; provides interface among the
hardware, OS, and other parts of
computer system