
Principles of Computer Design

Security Protection Mechanisms Security Models

Ronel N. Dadula
Reporter

Security Protection Mechanisms

Technical Mechanisms Policy Mechanisms

Technical Mechanisms
Layering, Abstraction, Data Hiding, Process Isolation, Hardware Segmentation


Layering
By layering processes, you implement a structure similar to the ring model used for operating modes and apply it to each operating system process. It puts the most sensitive functions of a process at the core, surrounded by a series of increasingly larger concentric circles with correspondingly lower sensitivity levels.


Abstraction
Abstraction is one of the fundamental principles behind the field known as object-oriented programming. It is the black box doctrine that says that users of an object (or operating system component) don't necessarily need to know the details of how the object works; they just need to know the proper syntax for using the object and the type of data that will be returned as a result.


Data Hiding
Data hiding is an important characteristic in multilevel secure systems. It ensures that data existing at one level of security is not visible to processes running at different security levels. The key concept behind data hiding is a desire to make sure those who have no need to know the details involved in accessing and processing data at one level have no way to learn or observe those details covertly or illicitly.


Process Isolation
Process isolation requires that the operating system provide separate memory spaces for each process's instructions and data. It also requires that the operating system enforce those boundaries, preventing one process from reading or writing data that belongs to another process.


There are two major advantages to using this technique:
1. It prevents unauthorized data access.
2. It protects the integrity of processes.


Hardware Segmentation
Hardware segmentation is similar to process isolation in purpose: it prevents access to information that belongs to a different process or security level. The main difference is that hardware segmentation enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an operating system.

Policy Mechanisms
Principle of Least Privilege, Separation of Privilege, Accountability

Principle of Least Privilege

When designing operating system processes, you should always ensure that they run in user mode whenever possible. The greater the number of processes that execute in privileged mode, the higher the number of potential vulnerabilities that a malicious individual could exploit to gain supervisory access to the system.

Separation of Privilege

The principle of separation of privilege builds upon the principle of least privilege. It requires the use of granular access permissions; that is, different permissions for each type of privileged operation. This allows designers to assign some processes rights to perform certain supervisory functions without granting them unrestricted access to the system.

Accountability

Accountability is an essential component in any security design. Many high-security systems contain physical devices (such as pen registers and non-modifiable audit trails) that enforce individual accountability for privileged functionality.

Security Models
In information security, models provide a way to formalize security policies. Such models can be abstract or intuitive, but all are intended to provide an explicit set of rules that a computer can follow to implement the fundamental security concepts, processes, and procedures that make up a security policy. These models offer a way to deepen your understanding of how a computer operating system should be designed and developed to support a specific security policy.

Security Models
State machine model, Information flow model, Noninterference model, Take-Grant model, Access control matrix, Bell-LaPadula, Biba, Clark-Wilson, Brewer and Nash model


State Machine Model


The state machine model describes a system that is always secure no matter what state it is in. It's based on the computer science definition of a finite state machine (FSM). Many security models are based on the secure state concept. According to the state machine model, a state is a snapshot of a system at a specific moment in time. If all aspects of a state meet the requirements of the security policy, that state is considered secure.


Information Flow Model


The information flow model focuses on the flow of information. Information flow models are based on a state machine model. Information flow models are designed to prevent unauthorized, insecure, or restricted information flow.



Noninterference Model
The noninterference model is loosely based on the information flow model. However, instead of being concerned about the flow of information, the noninterference model is concerned with how the actions of a subject at a higher security level affect the system state or actions of a subject at a lower security level.
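The following is an added example, not part of the original slides, showing the noninterference idea as a checkable property in the Goguen-Meseguer style: purge every HIGH-level action from a trace, run the system again, and compare what the LOW-level observer sees. Two transition functions are constructed here; in step_leaky a HIGH write bumps a LOW-visible counter, so HIGH actions interfere with LOW, while step_safe confines HIGH actions to HIGH-level state. All names, actions and state fields are assumptions made for the illustration.

```python
"""Noninterference check (added example). A system is noninterfering for LOW
if LOW's view of the final state is the same whether or not HIGH's actions were
performed, i.e. purging HIGH actions from the trace leaves LOW's view unchanged."""

from dataclasses import dataclass, field
from itertools import product

HIGH, LOW = "HIGH", "LOW"


@dataclass
class State:
    secret: int = 0                              # HIGH-level data
    public: int = 0                              # the value LOW can observe
    log: list = field(default_factory=list)      # HIGH-level audit log


def step_leaky(state, level, action):
    """Constructed transition function with interference: a HIGH write also
    changes a LOW-observable counter, so LOW can tell that HIGH acted."""
    if level == HIGH and action == "write_secret":
        state.secret += 1
        state.public += 1                        # the interference
    elif level == LOW and action == "write_public":
        state.public += 10
    return state


def step_safe(state, level, action):
    """Constructed transition function where HIGH actions touch only HIGH state."""
    if level == HIGH and action == "write_secret":
        state.secret += 1
        state.log.append("secret-updated")
    elif level == LOW and action == "write_public":
        state.public += 10
    return state


def run(step, trace):
    """Run a trace of (level, action) pairs from the initial state."""
    state = State()
    for level, action in trace:
        step(state, level, action)
    return state


def low_view(state):
    """Everything LOW is able to observe about a state."""
    return state.public


def purge(trace, level):
    """Remove every action performed by subjects at the given level."""
    return [(lvl, act) for lvl, act in trace if lvl != level]


def is_noninterfering(step, traces):
    """HIGH does not interfere with LOW if, for every trace, LOW's view is the
    same with and without the HIGH actions."""
    for trace in traces:
        if low_view(run(step, trace)) != low_view(run(step, purge(trace, HIGH))):
            return False
    return True


# Constructed input: every trace of length 1..3 over two actions.
ACTIONS = [(HIGH, "write_secret"), (LOW, "write_public")]
TRACES = [list(t) for n in range(1, 4) for t in product(ACTIONS, repeat=n)]

if __name__ == "__main__":
    print("step_safe noninterfering:", is_noninterfering(step_safe, TRACES))
    print("step_leaky noninterfering:", is_noninterfering(step_leaky, TRACES))
```

Exhaustively enumerating short traces is enough to expose the leak here; for a real system the same purge-and-compare shape is what a model checker or an information-flow type system automates.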


Take-Grant Model
The Take-Grant model employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object. Simply put, a subject with the grant right can grant another subject or another object any other right they possess. Likewise, a subject with the take right can take a right from another subject.
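An added example (not from the slides) of the Take-Grant protection graph as a small Python class: edges carry sets of rights, and the take and grant operations are allowed only when the preconditions the slide describes hold. The subject names, the file name and the right letters (t, g, r) are assumptions made for the illustration.

```python
"""Take-Grant protection graph (added example). A directed edge x -> y carries
the set of rights x holds over y. Two rules:
  take:  if x has 't' over y and y holds r over z, x may acquire r over z
  grant: if x has 'g' over y and x holds r over z, x may give y r over z
Only subjects may initiate either rule."""

from collections import defaultdict


class TakeGrantGraph:
    def __init__(self):
        self.rights = defaultdict(set)     # (src, dst) -> set of rights
        self.subjects = set()

    def add_subject(self, name):
        self.subjects.add(name)

    def add_edge(self, src, dst, *rs):
        self.rights[(src, dst)].update(rs)

    def has(self, src, dst, r):
        return r in self.rights[(src, dst)]

    def take(self, x, y, z, r):
        """x takes the right r over z that y holds."""
        if x not in self.subjects:
            raise PermissionError(f"{x} is not a subject")
        if not self.has(x, y, "t"):
            raise PermissionError(f"{x} lacks the take right over {y}")
        if not self.has(y, z, r):
            raise PermissionError(f"{y} does not hold {r!r} over {z}")
        self.rights[(x, z)].add(r)

    def grant(self, x, y, z, r):
        """x gives y the right r over z that x holds."""
        if x not in self.subjects:
            raise PermissionError(f"{x} is not a subject")
        if not self.has(x, y, "g"):
            raise PermissionError(f"{x} lacks the grant right over {y}")
        if not self.has(x, z, r):
            raise PermissionError(f"{x} does not hold {r!r} over {z}")
        self.rights[(y, z)].add(r)


def demo():
    """Constructed scenario: alice can take from bob, bob can read a report
    and can grant to carol. Returns alice's and carol's rights over the report
    and whether alice managed to pass the right on without a grant edge."""
    g = TakeGrantGraph()
    for s in ("alice", "bob", "carol"):
        g.add_subject(s)
    g.add_edge("alice", "bob", "t")
    g.add_edge("bob", "report.txt", "r")
    g.add_edge("bob", "carol", "g")
    g.take("alice", "bob", "report.txt", "r")    # alice now reads report.txt
    g.grant("bob", "carol", "report.txt", "r")   # bob passes read to carol
    try:
        g.grant("alice", "carol", "report.txt", "r")   # alice has no 'g' over carol
        leaked = True
    except PermissionError:
        leaked = False
    return (sorted(g.rights[("alice", "report.txt")]),
            sorted(g.rights[("carol", "report.txt")]),
            leaked)


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the reachable graphs are analysable: because the rules are so restrictive, one can decide whether a given subject could ever obtain a given right, which is what the take and grant preconditions enforce above.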



Access Control Matrix


An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on each object. Implementing an access control matrix model usually involves constructing an environment that can create and manage lists of subjects and objects and a function that can return the type associated with whatever object is supplied to that function as input.


TABLE 1. An Access Control Matrix
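An added example (not the slides' own table) implementing the access control matrix: subjects as rows, objects as columns, cells holding the permitted operations, plus the object type function the text mentions. It also shows the two usual ways to slice the matrix, by column into an access control list and by row into a capability list. The subjects, objects and operations are constructed sample values.

```python
"""Access control matrix (added example). check() is the reference-monitor
decision with default deny; acl() and capabilities() are the column and row
views of the same matrix."""


class AccessControlMatrix:
    def __init__(self):
        self.subjects = set()
        self.objects = {}                 # object -> type
        self.cells = {}                   # (subject, object) -> set of operations

    def add_subject(self, s):
        self.subjects.add(s)

    def add_object(self, o, obj_type):
        self.objects[o] = obj_type

    def object_type(self, o):
        """The type function from the slide: object name -> its type."""
        return self.objects[o]

    def allow(self, s, o, *ops):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"unknown subject or object: {s}, {o}")
        self.cells.setdefault((s, o), set()).update(ops)

    def revoke(self, s, o, op):
        self.cells.get((s, o), set()).discard(op)

    def check(self, s, o, op):
        """Default deny: an empty or missing cell permits nothing."""
        return op in self.cells.get((s, o), set())

    def acl(self, o):
        """Column view: which subjects may do what to this object."""
        return {s: sorted(ops) for (s, obj), ops in self.cells.items()
                if obj == o and ops}

    def capabilities(self, s):
        """Row view: what this subject may do to each object."""
        return {o: sorted(ops) for (subj, o), ops in self.cells.items()
                if subj == s and ops}

    def render(self):
        """Render the matrix as a text table, one row per subject."""
        objs = sorted(self.objects)
        width = 14
        lines = ["subject".ljust(10) + "".join(o.ljust(width) for o in objs)]
        for s in sorted(self.subjects):
            cells = [",".join(sorted(self.cells.get((s, o), set()))) or "-"
                     for o in objs]
            lines.append(s.ljust(10) + "".join(c.ljust(width) for c in cells))
        return "\n".join(lines)


def build_example():
    """Constructed sample matrix: two users and a backup service."""
    m = AccessControlMatrix()
    for s in ("alice", "bob", "backup"):
        m.add_subject(s)
    m.add_object("payroll.db", "database")
    m.add_object("notes.txt", "file")
    m.add_object("printer1", "device")
    m.allow("alice", "payroll.db", "read", "write")
    m.allow("bob", "payroll.db", "read")
    m.allow("bob", "notes.txt", "read", "write")
    m.allow("backup", "payroll.db", "read")
    m.allow("backup", "notes.txt", "read")
    m.allow("alice", "printer1", "print")
    return m


if __name__ == "__main__":
    print(build_example().render())
```

Real systems rarely store the full matrix because it is sparse; they keep either the ACLs (per object, as most file systems do) or the capability lists (per subject), and both are derivable from the matrix as shown.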


Bell-LaPadula Model
The Bell-LaPadula model was developed out of the U.S. Department of Defense (DoD) multilevel security policy. The DoD's policy includes four levels of classification, from most sensitive to least: top secret, secret, confidential, and unclassified. The Bell-LaPadula model is focused on maintaining the confidentiality of objects. Bell-LaPadula does not address the aspects of integrity or availability for objects.


By design, the Bell-LaPadula model prevents the leaking or transfer of classified information to less-secure clearance levels. This is accomplished by blocking lower-classified subjects from accessing higher-classified objects.


Bell-LaPadula efficiently manages confidentiality, but it fails to address or manage numerous other important issues:
It does not address integrity or availability.
It does not address access control management, nor does it provide a way to assign or change an object's or subject's classification level.
It does not prevent covert channels.
It does not address file sharing (a common feature on networked systems).



Biba Model
The Biba Model, or Biba Integrity Model, is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. In general, the model was developed to circumvent a weakness in the Bell-LaPadula model, which only addresses data confidentiality.


Biba was designed to address three integrity issues:
1. Prevent modification of objects by unauthorized subjects.
2. Prevent unauthorized modification of objects by authorized subjects.
3. Protect internal and external object consistency.
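An added example, not from the slides, that ties together the state machine model, Bell-LaPadula and Biba sections above. The state is the set of accesses currently held; a request is a transition to a successor state, and the machine applies it only if the successor is still secure under the chosen policy, so the system never leaves a secure state. Bell-LaPadula supplies the confidentiality rules (no read up, no write down) and Biba the mirror-image integrity rules (no read down, no write up). The four DoD classification levels come from the text; the subject and object names are assumptions, and for the Biba run the same ranks are simply read as integrity levels.

```python
"""Secure state machine with pluggable policy (added example). Bell-LaPadula
and Biba differ only in the direction of the read and write comparisons."""

# The four DoD classifications named on the slide, ranked low to high.
DOD = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def blp_allows(subj_level, obj_level, mode):
    """Bell-LaPadula: simple security property and *-property."""
    if mode == "read":
        return subj_level >= obj_level      # no read up
    if mode == "write":
        return subj_level <= obj_level      # no write down
    raise ValueError(f"unknown access mode {mode!r}")


def biba_allows(subj_level, obj_level, mode):
    """Biba: simple integrity property and integrity *-property (dual of BLP)."""
    if mode == "read":
        return subj_level <= obj_level      # no read down
    if mode == "write":
        return subj_level >= obj_level      # no write up
    raise ValueError(f"unknown access mode {mode!r}")


class SecureStateMachine:
    def __init__(self, policy, levels):
        self.policy = policy
        self.levels = levels                # level name -> rank
        self.subjects = {}                  # subject -> rank
        self.objects = {}                   # object -> rank
        self.state = set()                  # current accesses (subject, object, mode)
        self.history = []                   # audit trail of (request, decision)

    def add_subject(self, s, level):
        self.subjects[s] = self.levels[level]

    def add_object(self, o, level):
        self.objects[o] = self.levels[level]

    def is_secure(self, state):
        """A state is secure if every access it contains satisfies the policy."""
        return all(self.policy(self.subjects[s], self.objects[o], m)
                   for s, o, m in state)

    def request(self, s, o, mode):
        """Transition: build the successor state, commit it only if secure."""
        candidate = self.state | {(s, o, mode)}
        ok = self.is_secure(candidate)
        if ok:
            self.state = candidate
        self.history.append(((s, o, mode), "granted" if ok else "denied"))
        return ok

    def release(self, s, o, mode):
        self.state.discard((s, o, mode))


def demo(policy):
    """Constructed scenario: a 'secret' analyst against a 'top secret' briefing
    and an 'unclassified' bulletin. Returns each decision and whether the
    final state is secure."""
    m = SecureStateMachine(policy, DOD)
    m.add_subject("analyst", "secret")
    m.add_object("briefing", "top secret")
    m.add_object("bulletin", "unclassified")
    return {
        "read_up": m.request("analyst", "briefing", "read"),
        "write_up": m.request("analyst", "briefing", "write"),
        "read_down": m.request("analyst", "bulletin", "read"),
        "write_down": m.request("analyst", "bulletin", "write"),
        "secure": m.is_secure(m.state),
    }


if __name__ == "__main__":
    print("Bell-LaPadula:", demo(blp_allows))
    print("Biba:         ", demo(biba_allows))
```

Running both policies over the same requests makes the duality concrete: what Bell-LaPadula permits (write up, read down) is exactly what Biba refuses, which is why the slide describes Biba as covering the integrity gap Bell-LaPadula leaves open.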



Clark-Wilson Model
The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent.


An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.
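An added example, not from the slides, of the Clark-Wilson enforcement side: constrained data items (CDIs) can be changed only by transformation procedures (TPs) certified for them, each user may run a TP on a CDI only if an access triple permits it, an integrity verification procedure (IVP) confirms the CDIs are valid before and after every TP, and every run is appended to a log. The bank-ledger scenario, the rule of "balances never negative and accounts sum to the ledger total", and all names are assumptions made for the illustration.

```python
"""Clark-Wilson enforcement (added example). The certified (TP, CDI) relation
and the (user, TP, CDI) access triples are both checked before a TP runs; the
IVP is re-run afterwards and a TP that leaves the CDIs invalid is rolled back."""


class IntegrityViolation(Exception):
    pass


class ClarkWilsonSystem:
    def __init__(self, ivp):
        self.ivp = ivp                    # function(cdis) -> bool
        self.cdis = {}                    # CDI name -> value
        self.tps = {}                     # TP name -> callable(cdis, *cdi_names, **args)
        self.certified = set()            # (tp, cdi): TP is certified for this CDI
        self.allowed = set()              # (user, tp, cdi): access triple
        self.log = []                     # append-only record of every TP run

    def add_cdi(self, name, value):
        self.cdis[name] = value

    def register_tp(self, name, fn):
        self.tps[name] = fn

    def certify(self, tp, cdi):
        self.certified.add((tp, cdi))

    def permit(self, user, tp, cdi):
        self.allowed.add((user, tp, cdi))

    def run(self, user, tp, cdi_names, **args):
        """Run TP `tp` for `user` over the named CDIs under the enforcement rules."""
        for cdi in cdi_names:
            if (tp, cdi) not in self.certified:
                raise IntegrityViolation(f"{tp} is not certified for {cdi}")
            if (user, tp, cdi) not in self.allowed:
                raise IntegrityViolation(f"{user} may not run {tp} on {cdi}")
        if not self.ivp(self.cdis):
            raise IntegrityViolation("CDIs invalid before TP")
        before = dict(self.cdis)
        self.tps[tp](self.cdis, *cdi_names, **args)
        if not self.ivp(self.cdis):
            self.cdis = before            # TP broke the invariant: roll back
            self.log.append((user, tp, tuple(cdi_names), "rolled back"))
            raise IntegrityViolation("TP left CDIs invalid; rolled back")
        self.log.append((user, tp, tuple(cdi_names), "ok"))
        return True


def ivp_books_balance(cdis):
    """Constructed integrity rule: no negative balances, and the accounts
    must sum to the recorded ledger total."""
    accounts = {k: v for k, v in cdis.items() if k.startswith("acct:")}
    return (all(v >= 0 for v in accounts.values())
            and sum(accounts.values()) == cdis["ledger_total"])


def tp_transfer(cdis, src, dst, amount):
    """Constructed TP: move money between two accounts."""
    cdis[src] -= amount
    cdis[dst] += amount


def build():
    """Constructed system: two accounts, one certified TP, one permitted user."""
    system = ClarkWilsonSystem(ivp_books_balance)
    system.add_cdi("acct:alice", 100)
    system.add_cdi("acct:bob", 50)
    system.add_cdi("ledger_total", 150)
    system.register_tp("transfer", tp_transfer)
    for cdi in ("acct:alice", "acct:bob"):
        system.certify("transfer", cdi)
        system.permit("teller", "transfer", cdi)
    return system


if __name__ == "__main__":
    s = build()
    s.run("teller", "transfer", ("acct:alice", "acct:bob"), amount=30)
    print(s.cdis, s.log)
```

Note that the user never touches a CDI directly: the only path to the data is through a certified TP, which is the well-formed transaction idea at the heart of the model, and the access triples are where separation of duty is expressed.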



Brewer and Nash Model (a.k.a. Chinese Wall)


This model was created to permit access controls to change dynamically based on a user's previous activity (making it a kind of state machine model as well). This model applies to a single integrated database; it seeks to create security domains that are sensitive to the notion of conflict of interest.
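An added example, not from the slides, of the Brewer and Nash read rule. Objects belong to company datasets, and datasets are grouped into conflict of interest classes. A subject's first access to a class is free; after that the subject may read only objects in the same dataset or in an unrelated class, so the decision depends on the subject's own history, which is the dynamic, state machine flavour the text points out. The company names, classes and document names are constructed for the illustration.

```python
"""Brewer and Nash (Chinese Wall) read rule (added example). A subject may read
an object only if every dataset it has accessed before is either the object's
own dataset or lies in a different conflict of interest class."""

from collections import defaultdict


class ChineseWall:
    def __init__(self):
        self.dataset_of = {}              # object -> company dataset
        self.coi_of = {}                  # company dataset -> conflict of interest class
        self.history = defaultdict(set)   # subject -> datasets accessed so far

    def add_object(self, obj, dataset, coi_class):
        self.dataset_of[obj] = dataset
        self.coi_of[dataset] = coi_class

    def can_read(self, subject, obj):
        """Simple security rule: no prior access to a competing dataset."""
        ds = self.dataset_of[obj]
        for seen in self.history[subject]:
            if seen != ds and self.coi_of[seen] == self.coi_of[ds]:
                return False              # the wall: a competitor was already read
        return True

    def read(self, subject, obj):
        """Grant or refuse the read; a grant extends the subject's history,
        which is what makes later decisions depend on earlier activity."""
        if not self.can_read(subject, obj):
            return False
        self.history[subject].add(self.dataset_of[obj])
        return True


def build_wall():
    """Constructed database: two banks in one conflict class, two oil
    companies in another."""
    w = ChineseWall()
    w.add_object("bankA-report", "BankA", "banking")
    w.add_object("bankA-forecast", "BankA", "banking")
    w.add_object("bankB-report", "BankB", "banking")
    w.add_object("oilX-report", "OilX", "petroleum")
    w.add_object("oilY-report", "OilY", "petroleum")
    return w


if __name__ == "__main__":
    w = build_wall()
    for obj in ("bankA-report", "oilX-report", "bankB-report", "bankA-forecast"):
        print(f"consultant reads {obj}: {w.read('consultant', obj)}")
```

Because the wall is built per subject, two consultants can end up on opposite sides of the same conflict class, and a subject with no history can still read anything; this is the "dynamic" behaviour that distinguishes the model from a static matrix.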


The End