October 10th, 2003, 05:18 PM
CISSP Notes: Security Models: Access Control Models
As part of my intent on finally going after my CISSP, I thought I'd occasionally post these notes up as tutorials for those interested (occasionally basically means I have no idea how often I'll do this based on time and schedule). Today, I decided to take a look at some of the security models that are used in the industry to create security policies and to develop new security products and appliances. Many of these security models are theoretical and tend to deal with access controls.
Access controls provide the necessary rules and structure that detail how and if subjects will be allowed to utilize resources. Sometimes this can also detail any interactions between users and resources and the necessary protocols to follow. Basically, an access control model (or security model) allows us to detail how resources will be accessed, that the method of accessing the resources is a safe and secure method, and to help the overall security of the system. (Remember that there is no such thing as 100% security, but we can mitigate it as much as possible and make it more difficult for those who challenge the secure environment we create.)
While the security model shows us how to implement our security procedures and rules, the state machine model looks at the system's present state and continually ensures that the system is in a secure state. The secure state is achieved through compliance to the security model. The security models that I will look at are:
- Bell-LaPadula (BLP)
- Biba
- Clark-Wilson
- Noninterference (sometimes referred to as Goguen and Meseguer)
- Access Control Matrix
- Chinese Wall (sometimes referred to as Brewer and Nash)
Keep in mind that not all models will work with all situations. Many of these models were developed with military needs in mind.
Bell-LaPadula Model (BLP)
Developed in the 1970s for the US military, it deals with sensitive information being accessed by those who shouldn't have access. This model specifically deals with the complexity of subjects having multiple levels of clearance for different information types and different classifications. Simply put: confidentiality.
Basically, the system looks at the subject's clearance level for a particular object. If they have an equal level or higher clearance, they can look at the object. If not, they are denied access. The model looks at factors such as the subject itself, the object (resource), type of access (read-write, read only, write only) and designated security levels for both subjects and objects.
To help with control of the confidentiality of information, there are two main rules to the BLP:
1. No read up: a subject cannot read information at a higher security level. (simple confidentiality)
2. No write down: a subject cannot alter information at a lower security level. (prevents declassification of material)
While developed for the military this model may have some benefits for commercial enterprises since recent security surveys indicate that theft of proprietary information is the number 1 attack in computer and network security breaches.
Biba Model
One of the models that deals with integrity, this model was based on the BLP but was targeted more at commercial endeavours than military. Military organizations are big on confidentiality and security; commercial enterprises, however, are often more concerned with integrity and ensuring that information hasn't been altered when going from one point to another.
While fundamentally covering many of the same areas, the rules are "reversed":
1. No write up: a subject cannot alter information at a higher security level (integrity)
2. No read down: a subject cannot read information at a lower security level (integrity: prevents resources at higher levels from being altered based on information at lower levels)
Again, while this was developed with commercial enterprises in mind, this might benefit some aspects of the military.
Clark-Wilson Model
Like the Biba Model, this is an integrity-based type of security model. How this model achieves its security is slightly different: it uses what is referred to as a lattice (basically, a matrix with boundaries for upper and lower levels). In order for subjects to be able to access and/or alter resources (objects), they will have to do this through a program. It strikes me as similar to a *nix operating system, where the kernel is separated from the various applications (commands) and the user can only alter something through the use of those commands rather than direct access to the object (kernel).
While Biba only deals with integrity and specifically, unauthorized modification of information, Clark-Wilson goes further with authorized subjects making "bad" modifications of information and maintaining consistency.
This would work well for many accounting-type firms (perhaps something that Arthur Andersen should look into...).
Noninterference Model
This model is also sometimes referred to as the Goguen and Meseguer model, named after the creators of the model. It is often used where there are multiple levels of security; this ensures that what a subject does at one security level will not have an impact on subjects at other security levels.
Access Control Matrix Model
A favourite of mine, we actually see this one easily in a variety of environments. This one uses a simple two-dimensional matrix to determine necessary access for subjects. Subjects are placed in the rows while the access is listed in the columns.
I've used this method to develop necessary controls in Windows NT and 2000. Sometimes old-fashioned pencil and paper (or a Word document) can help develop a necessary and yet simple security model.
Subject   File 1         File 2
Joe       Read, Write    No Access
Sally     Write          Full Control
Bobby     Full Control   Read
Chinese Wall (aka Brewer and Nash Model)
This model is an interesting one in that it monitors subjects' actions and, based on those actions (and previous activity), dynamically assigns access controls. This is to avoid issues of conflict of interest. Evidently this particular model works best in political environments, where politicians lose access to private sector positions for that exact reason.
This is a start for now. I will add more CISSP notes as time permits and if there is interest. If you have questions or comments, do not hesitate to ask or PM me.
Security Models and Architecture
Security Models -- PDF
Security Architecture and Models -- PDF
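As an added example (not part of the original post), here is a small Python reference monitor that applies the BLP and Biba rules from the notes above to a constructed clearance lattice, plus a minimal Chinese Wall check that grants access dynamically from a subject's history. The level names, conflict classes and datasets are all constructed for the example; the Chinese Wall part models only the read side described in the post.

```python
from dataclasses import dataclass, field

# Constructed lattice: ordered clearance levels. Label A dominates label B
# when A's level is at least B's level.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}

def dominates(a: str, b: str) -> bool:
    return LEVELS[a] >= LEVELS[b]

def blp_allows(subject: str, obj: str, mode: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if mode == "read":    # simple security property: subject must dominate object
        return dominates(subject, obj)
    if mode == "write":   # *-property: object must be at or above the subject
        return dominates(obj, subject)
    raise ValueError(mode)

def biba_allows(subject: str, obj: str, mode: str) -> bool:
    """Biba (integrity): the BLP rules 'reversed': no read down, no write up."""
    if mode == "read":    # object must be at or above the subject's integrity level
        return dominates(obj, subject)
    if mode == "write":   # subject must be at or above the object's integrity level
        return dominates(subject, obj)
    raise ValueError(mode)

# Chinese Wall: datasets belong to conflict-of-interest classes; whether a
# subject may touch a dataset depends on what that subject has already seen.
@dataclass
class ChineseWall:
    conflict_class: dict                          # dataset -> class name (constructed)
    history: dict = field(default_factory=dict)   # subject -> set of datasets accessed

    def allows(self, subject: str, dataset: str) -> bool:
        seen = self.history.get(subject, set())
        if dataset in seen:          # re-reading something already seen is fine
            return True
        cls = self.conflict_class[dataset]
        # Denied once the subject has seen a different dataset in the same class.
        return not any(self.conflict_class[d] == cls for d in seen)

    def access(self, subject: str, dataset: str) -> bool:
        """Grant the access if allowed and record it, since future decisions depend on it."""
        if not self.allows(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True
```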
October 10th, 2003, 10:22 PM
Well, interesting stuff.
More theoretical than the plethora of tutorials which are posted here each week, but it is a good thing. We need sometimes to consider global plans, and not only "this little point of detail about this new buffer overflow in Bugdos v188.8.131.52b which will change entirely your administration job".
I'm already waiting for the following.
Life is boring. Play NetHack... --more--
October 11th, 2003, 12:45 AM
MsMittens, you are incredible!
Now that I've sufficiently stroked your ego, I want to request that you continue. I'm also studying for the CISSP. I don't know if I will be ready by the time the tests and classes roll around here next year.
October 11th, 2003, 02:30 AM
Excellent, I think it is important to expose more users to these models, even ones like the Chinese Wall which is typically used in the selection of outsource providers. All that said... I feel the Bell-LaPadula model as written here is incomplete.
The Bell-LaPadula model (BL76) features, as you pointed out:
- Subjects cannot read objects from a higher security level (Simple Security Property)
- Subjects cannot write to objects of a lower security level (*-Property)
However, this is not all BL76 states; other stipulations include:
- Security labels cannot be altered while the object is being accessed by the system or any subjects (Strong Tranquility Property)
- Security labels may be changed if the change does not violate the security policy (Weak Tranquility Property)
- An access matrix is also indicated by BL76 to determine more finely grained access within levels.
- Lastly, BL76 calls for the use of Trusted Subjects, which are subjects which may violate the security model; these are important as they help deal with the system's spiral toward entropy.
It is important to note that BL76 is the founding model beneath multi-level secure finite state machines (systems with 100% secure software/design), though BL76 does have issues which need to be resolved with other models.
I've attached the original Bell-LaPadula document for those interested.
hmm the attachment (pdf) isn't being liked so I've supplied a link:
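As an added example (not from this post or from the BL76 paper), here is a small Python monitor that demonstrates the two tranquility properties and the trusted-subject exemption described above: under strong tranquility an object in use cannot be relabeled at all, under weak tranquility it can be relabeled only if no in-progress access would end up violating the BLP rules, and a trusted subject is exempt from those rules. The clearance levels, subject names and object names are constructed.

```python
from dataclasses import dataclass, field

# Constructed linear clearance order used for the dominance check.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}

def dominates(a: str, b: str) -> bool:
    return LEVELS[a] >= LEVELS[b]

class PolicyViolation(Exception):
    pass

def blp_ok(subject_label: str, object_label: str, mode: str) -> bool:
    """No read up (simple security) and no write down (*-property)."""
    return dominates(subject_label, object_label) if mode == "read" \
        else dominates(object_label, subject_label)

@dataclass
class Monitor:
    subjects: dict                                      # subject -> clearance
    objects: dict                                       # object -> classification
    trusted: set = field(default_factory=set)           # trusted subjects bypass BLP
    open_handles: dict = field(default_factory=dict)    # object -> {(subject, mode)}

    def open(self, subject: str, obj: str, mode: str) -> None:
        if subject not in self.trusted and not blp_ok(self.subjects[subject], self.objects[obj], mode):
            raise PolicyViolation(f"{subject} may not {mode} {obj}")
        self.open_handles.setdefault(obj, set()).add((subject, mode))

    def close(self, subject: str, obj: str, mode: str) -> None:
        self.open_handles.get(obj, set()).discard((subject, mode))

    def relabel(self, obj: str, new_label: str, strong: bool = True) -> None:
        active = self.open_handles.get(obj, set())
        if strong and active:   # strong tranquility: no label change while in use
            raise PolicyViolation(f"{obj} is in use; strong tranquility forbids relabeling")
        for subject, mode in active:   # weak tranquility: no in-progress access may become a violation
            if subject not in self.trusted and not blp_ok(self.subjects[subject], new_label, mode):
                raise PolicyViolation(f"relabeling {obj} to {new_label} would violate {subject}'s {mode}")
        self.objects[obj] = new_label

def attempt(fn, *args, **kwargs) -> bool:
    """Run a monitor call and report whether the policy allowed it."""
    try:
        fn(*args, **kwargs)
        return True
    except PolicyViolation:
        return False
```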