Question

Some of the well-known and best studied security models are listed below. Select a security model, research and submit a detailed post.

1. Bell-LaPadula Confidentiality Model

2. Biba Integrity Model

3. Clark-Wison (well-formed transaction) Integrity Model

4. Brewer-Nash (Chinese Wall)

Answer 1

The Bell-Lapadula Model of protection systems deals with the control of information flow. It is a linear non-discretionary model. This model of protection consists of the following components:

• A set of subjects, a set of objects, and an access control matrix.
• Several ordered security levels. Each subject has a clearance and each object has a classification which attaches it to a security level. Each subject also has a current clearance level which does not exceed its clearance level. Thus a subject can only change to a clearance level below its assigned clearance level.

The set of access rights given to a subject are the following:

• Read-Only: The subject can only read the object.
• Append : The subject can only write to the object but it cannot read.
• Execute : The subject can execute the object but can neither read nor write.
• Read-Write: The subject has both read and write permissions to the object.

Control Attribute: This is an attribute given to the subject that creates an object. Due to this, the creator of an object can pass any of the above four access rights of that object to any subject. However, it cannot pass the control attribute itself. The creator of an object is also known as the controller of that object.

Restrictions imposed by the Bell-Lapadula Model:

The following restrictions are imposed by the model:

• reading down: A subject has only read access to objects whose security level is below the subject's current clearance level. This prevents a subject from getting access to information available in security levels higher than its current clearance level.
• writing up: A subject has append access to objects whose security level is higher than its current clearance level. This prevents a subject from passing information to levels lower than its current level.

The Bell-Lapadula model supplements the access matrix with the above restrictions to provide access control and information flow. For instance, if a subject has read access to an object in the access matrix, it may still not be able to exercise this right if the object is at a security level higher than its clearance level.

Bell and Lapadula modeled the behavior of a protection system as a finite state machine and defined a set of state transitions that would not violate the security of the system. The following operations gaurantee a secure system:

• get access: Used by a subject to initiate access to an object (read, append, execute etc )
• release access: Used by a subject to giveup an initiated access.
• give access: Controller of an object can give a particular access (to that object) to a subject.
• rescind access: Controller of an object can revoke a designated access ( to that object) from a subject.
• create object: Allows a subject to activate an inactive object.
• delete object: Allows a subject to deactivate an active object.
• change security level:Allows a subject to change its clearance level ( below an initial assigned value)

However certain conditions have to be satisfied before the above operations can be performed. For instance, a subject can exercise give and rescind rights to an object only if it has control attributes to that object.

Bell-Lapadula is a simple linear model that exercises access and information flow control through the above restrictive properties and operations. However, it has a disadvantage of security levels of objects being static. The properties of this model might become too restrictive in cases when certain operations are outside the context of protection system.