Overview of Security Models and Concepts

I-8 Security Models-merged

Uploaded by Will Aldea

Security Models

Security Models
• Security models provide the rules for implementing security in applications and operating systems
• How will it be implemented?
• What subjects can access the system?
• What objects will they have access to?
• Typically implemented by enforcing integrity, confidentiality, and other controls
• Guidelines only; they are non-specific!
• Developers decide how these will be used and integrated into specific designs
State Machine Model

A state machine model monitors the status of the system to prevent it from slipping into an insecure state.

Systems that support the state machine model must have all their possible states examined to verify that all processes are controlled.

The state machine concept serves as the basis of many security models.

The model is valued because it tells you what state the system will be in. As an example, if the system boots up in a secure state, and every transition that occurs is secure, it must always be in a secure state and cannot fail open.
State Machine Model
• Based on a finite state machine used to model complex systems; deals with acceptors, recognizers, state variables, and transition functions.
• The state machine defines the behaviour of a finite number of states, the transitions between those states, and the actions that can occur.
Information Flow Model

An extension of the state machine concept; serves as the basis for other models.

Consists of objects, state transitions, and lattice (flow policy) states.

The real goal of the information flow model is to prevent unauthorized, insecure information flow in any direction.

This model and others can make use of guards. Guards allow the exchange of data between various systems.
Non-interference Model
• Defined by Goguen and Meseguer
• Ensures that objects and subjects at different levels do not interfere with the objects and subjects of other levels
• It uses inputs and outputs of either low or high sensitivity
• Each data access attempt is independent of all others
• Data cannot cross security boundaries

Lattice-Based Access Controls

• Lattice-based access control allows security controls for complex environments.
• For every relationship between a subject and an object, there are defined upper and lower access limits implemented by the system. This lattice, which allows reaching higher and lower data classifications, depends on the need of the subject, the label of the object, and the role the subject has been assigned.
• Subjects have a least upper bound (LUB) and greatest lower bound (GLB) of access to the objects based on their lattice position.
Security Models for Confidentiality
The preceding models serve as a basis for many security models that were developed later. One major concern is confidentiality. Government entities such as the U.S. DoD are concerned about the confidentiality of information. The DoD divides information into categories to ease the burden of managing who has access to what levels of information. DoD information classifications are Sensitive but Unclassified (SBU), Confidential, Secret, and Top Secret.
Bell-LaPadula
• The Bell-LaPadula state machine model enforces confidentiality.
• The Bell-LaPadula model uses mandatory access control to enforce the DoD multilevel security policy.
• For a subject to access information, the subject must have a clear need to know and a clearance that meets or exceeds the information’s classification level.
• Did not address security issues such as ‘covert channels’
• Designed in the era of mainframes
• Designed for multilevel security and takes only confidentiality into account
Bell-LaPadula Properties
• Simple security property (ss property)—This property states that a subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality. This is sometimes referred to as “no read up” (NRU).
• Star (*) security property—This property states that a subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality. This is also known as “no write down” (NWD).
• Strong star (*) property—This property states that a subject may read and write only objects at its own level of sensitivity; it cannot read or write objects of higher or lower sensitivity.
Security Models for Integrity
Although governmental entities are typically very concerned with confidentiality, other organizations might be more focused on the integrity of information. In general, integrity has four goals:
1. Prevent data modification by unauthorized parties
2. Prevent unauthorized data modification by authorized parties
3. Must reflect the real world
4. Must maintain internal and external consistency
Biba

• First model to address the issue of integrity
• Originally published in 1977
• Focused on external threats, assuming that internal threats are protected against by good coding practices
Biba Properties
• Simple integrity property—This property states that a subject at one level of integrity is not permitted to read an object of lower integrity (“no read down”).
• Star (*) integrity property—This property states that a subject at one level of integrity is not permitted to write to an object of higher integrity (“no write up”).
• Invocation property—This property prohibits a subject at one level of integrity from invoking a subject at a higher level of integrity.
Tibetan Monks (Biba Thought Aid)

• After a long journey on your search for Shangri-La and true security awareness, you arrive at a Tibetan monastery. You discover the monks are huge fans of the Biba model and as such, have defined certain rules that you, the commoner, must abide by.
• A Tibetan monk may write a prayer book that can be read by commoners, but not one to be read by a high priest.
• A Tibetan monk may read a book written by the high priest, but may not read down to a pamphlet written by a commoner.
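The Bell-LaPadula and Biba rules above as executable checks over a totally ordered lattice, with the monastery rules replayed as the integrity case. This is an added example, not code from the slides; the level names and their ordering are assumptions.

```python
# Added example, not from the slides: Bell-LaPadula and Biba checks over a
# totally ordered lattice. Level names and their ordering are assumptions.

# Lower index = lower level. Constructed orderings for the two lattices.
CONF_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEG_LEVELS = ["Commoner", "Monk", "High Priest"]   # monk thought aid


def blp_allows(subject, obj, op, strong_star=False):
    """Bell-LaPadula (confidentiality).
    ss-property: no read up; *-property: no write down.
    strong_star=True: read and write only at the subject's own level."""
    s, o = CONF_LEVELS.index(subject), CONF_LEVELS.index(obj)
    if strong_star:
        return s == o
    if op == "read":
        return o <= s        # object must be at or below the clearance
    if op == "write":
        return o >= s        # object must be at or above the clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject, obj, op):
    """Biba (integrity).
    simple integrity: no read down; *-integrity: no write up;
    invocation: may not invoke a subject of higher integrity."""
    s, o = INTEG_LEVELS.index(subject), INTEG_LEVELS.index(obj)
    if op == "read":
        return o >= s        # may only read at or above own integrity
    if op in ("write", "invoke"):
        return o <= s        # may only write to / invoke at or below own level
    raise ValueError(f"unknown operation {op!r}")


def monk_rules():
    """The monastery rules from the thought aid, evaluated by biba_allows."""
    return {
        "monk writes book for commoners": biba_allows("Monk", "Commoner", "write"),
        "monk writes book for high priest": biba_allows("Monk", "High Priest", "write"),
        "monk reads high priest's book": biba_allows("Monk", "High Priest", "read"),
        "monk reads commoner's pamphlet": biba_allows("Monk", "Commoner", "read"),
    }
```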
Clark-Wilson
• Created in 1987
• Intended for use in the commercial space
• Addresses all the goals of integrity
• Dictates that separation of duties must be enforced, subjects must access data through an application, and auditing is required
• Some terms associated with Clark-Wilson include:
• User
• Transformation procedure (TP)
• Unconstrained data item (UDI)
• Constrained data item (CDI)
• Integrity verification procedure (IVP)
Clark-Wilson
• Entities
• SUBJECT: Any user who is requesting access to data items.
• CONSTRAINED DATA ITEMS (CDIs): Cannot be accessed directly by the subject. These must be accessed via the Clark-Wilson security model, i.e. through a transformation procedure.
• UNCONSTRAINED DATA ITEMS (UDIs): Can be accessed directly by the subject.
• Components
• TRANSFORMATION PROCEDURE (TP): The subject’s request to access constrained data items is handled by the transformation procedure, which converts it into permissions and forwards it to the integrity verification procedure.
• INTEGRITY VERIFICATION PROCEDURE (IVP): The integrity verification procedure performs authentication and authorization. If that is successful, the subject is given access to the constrained data items.
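A minimal ledger built along Clark-Wilson lines, to show how the entities and components above fit together in code: balances are CDIs, a raw transfer request is a UDI, the transfer TP is the only path that changes CDIs, the IVP checks the integrity constraint, separation of duties limits who may run the TP, and every decision is audited. This is an added example, not code from the slides; the users, roles and amounts are assumptions.

```python
# Added example, not from the slides: a minimal Clark-Wilson style ledger.
# Balances are CDIs, a raw transfer request is a UDI, transfer() is the TP
# (the only path that changes CDIs), ivp() checks the integrity constraint,
# and every decision is audited. Users, roles and values are assumptions.
AUDIT_LOG = []


class Ledger:
    def __init__(self, balances):
        self.cdis = dict(balances)              # constrained data items
        self.total = sum(balances.values())     # invariant: money is conserved
        # separation of duties: which users are certified for which TP
        self.certified = {"transfer": {"teller"}}

    def ivp(self):
        """Integrity verification procedure: are all CDIs in a valid state?"""
        return (all(b >= 0 for b in self.cdis.values())
                and sum(self.cdis.values()) == self.total)

    def validate_udi(self, udi):
        """Check an unconstrained request; return a tuple or None if bad."""
        try:
            src, dst, amount = udi["from"], udi["to"], int(udi["amount"])
        except (KeyError, TypeError, ValueError):
            return None
        if amount <= 0 or src == dst or src not in self.cdis or dst not in self.cdis:
            return None
        return src, dst, amount

    def transfer(self, user, udi):
        """Transformation procedure: a well-formed transaction on CDIs."""
        if user not in self.certified["transfer"]:
            AUDIT_LOG.append(("deny", user, "not certified for transfer"))
            return False
        req = self.validate_udi(udi)
        if req is None:
            AUDIT_LOG.append(("deny", user, "malformed UDI"))
            return False
        src, dst, amount = req
        if self.cdis[src] < amount:
            AUDIT_LOG.append(("deny", user, "insufficient funds"))
            return False
        self.cdis[src] -= amount
        self.cdis[dst] += amount
        AUDIT_LOG.append(("ok", user, src, dst, amount))
        return self.ivp()    # a well-formed TP must leave the CDIs valid
```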
Take-Grant
Has the following rules:
• TAKE
• GRANT
• CREATE
• REMOVE

Can evolve into a complex graph of relationships.

Take-Grant example:
• Alice can create and remove privileges to secrets
• Alice can grant privileges to Carol
• Bob can take Alice’s privileges
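The four Take-Grant rules as operations on a protection graph, replaying the Alice/Bob/Carol example above to show how a read right on the secrets spreads through grant and take edges. This is an added example, not code from the slides; the right letters (t, g, r, w) and the initial edges are assumptions.

```python
# Added example, not from the slides: a Take-Grant protection graph with the
# four rules (take, grant, create, remove), replaying the Alice/Bob/Carol
# scenario. Right letters are the usual abbreviations: t=take, g=grant,
# r=read, w=write. The initial edges are constructed for illustration.
from collections import defaultdict


class TakeGrantGraph:
    def __init__(self):
        self.edges = defaultdict(set)   # (source, target) -> set of rights

    def rights(self, x, y):
        return self.edges[(x, y)]

    def create(self, x, new, rights):
        """CREATE: x creates node `new` and holds `rights` over it."""
        self.edges[(x, new)] |= set(rights)

    def remove(self, x, y, right):
        """REMOVE: x drops a right it holds over y."""
        self.edges[(x, y)].discard(right)

    def take(self, x, y, z, right):
        """TAKE: if x has 't' over y and y has `right` over z, x gains it."""
        if "t" in self.rights(x, y) and right in self.rights(y, z):
            self.edges[(x, z)].add(right)
            return True
        return False

    def grant(self, x, y, z, right):
        """GRANT: if x has 'g' over y and x has `right` over z, y gains it."""
        if "g" in self.rights(x, y) and right in self.rights(x, z):
            self.edges[(y, z)].add(right)
            return True
        return False


def scenario():
    """Alice owns secrets and may grant to Carol; Bob may take from Alice.
    Returns the set of subjects that end up able to read the secrets."""
    g = TakeGrantGraph()
    g.create("Alice", "secrets", "rw")          # Alice creates the secrets
    g.edges[("Alice", "Carol")].add("g")        # constructed: Alice may grant to Carol
    g.edges[("Bob", "Alice")].add("t")          # constructed: Bob may take from Alice
    g.grant("Alice", "Carol", "secrets", "r")   # Carol can now read secrets
    g.take("Bob", "Alice", "secrets", "r")      # Bob takes Alice's read right
    g.remove("Alice", "secrets", "w")           # Alice drops her write right
    return {s for s in ("Alice", "Bob", "Carol") if "r" in g.rights(s, "secrets")}
```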
Access Matrix
Other Models
• Chinese Wall (Brewer and Nash): used for employing consultants in banks; avoids conflict of interest by prohibiting one person access to multiple conflict-of-interest categories (COIs)
• Graham-Denning: uses subjects, objects, and 8 rules: Transfer Access, Grant Access, Delete Access, Read Object, Create Object, Destroy Object, Create Subject, Destroy Subject
• Harrison-Ruzzo-Ullman (HRU): like Graham-Denning but only has 6 rules, as subjects and objects are treated the same: Create Object, Create Subject, Destroy Subject, Destroy Object, Enter right into Access Matrix, Delete right from Access Matrix.
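The six HRU primitives above on an access matrix, plus two HRU-style commands (a condition followed by primitives) so that an ownership check guards who can hand out a right. This is an added example, not code from the slides; the subject, object and right names are assumptions.

```python
# Added example, not from the slides: an HRU-style access matrix with the six
# primitive operations listed above, plus two HRU "commands" (a condition
# followed by primitives). Subject, object and right names are assumptions.
class AccessMatrix:
    """Rows are subjects, columns are objects, cells are sets of rights."""

    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.cell = {}   # (subject, object) -> set of rights

    # --- the six HRU primitives ---
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)            # every subject is also an object

    def create_object(self, o):
        self.objects.add(o)

    def destroy_object(self, o):
        self.objects.discard(o)
        self.cell = {k: v for k, v in self.cell.items() if k[1] != o}

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)         # clear its column
        self.cell = {k: v for k, v in self.cell.items() if k[0] != s}

    def enter_right(self, r, s, o):
        if s in self.subjects and o in self.objects:
            self.cell.setdefault((s, o), set()).add(r)

    def delete_right(self, r, s, o):
        self.cell.get((s, o), set()).discard(r)

    def has(self, r, s, o):
        return r in self.cell.get((s, o), set())

    # --- commands built from the primitives (HRU style) ---
    def cmd_create_file(self, s, f):
        """Subject s creates file f and becomes its owner."""
        self.create_object(f)
        self.enter_right("own", s, f)

    def cmd_confer_read(self, owner, friend, f):
        """Conditional command: only a real owner can confer read on f."""
        if not (self.has("own", owner, f) and friend in self.subjects):
            return False
        self.enter_right("read", friend, f)
        return True
```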
THANK YOU!

ALBERT P. DELA CRUZ <albertdc@[Link]>

[Link] [Link]/phcert [Link]/phcert


Memory and Remanence
What is Data Remanence?
• The residual representation of data that has been in some way nominally erased or removed
• Data that PERSISTS even when deleted by “non-invasive” means
• Usually referenced as residual data that stays on magnetic media (but no longer only magnetic media)
• Discussed usually in digital forensics and data destruction
Data Remanence in Disk Drives

HARD DISKS
• Data is recorded magnetically on platters
• Mechanical – the read/write heads move and the platter rotates
• Magnetic data is not erased, only the indexes
• New data may be saved over deleted data

SOLID STATE DRIVES
• Uses flash memory (chips) to store data
• Data accessed directly (no mechanically moving parts)
• New data is typically written to a new location
• Destruction: incineration/shredding is best for chips
• Hybrid drives are not cleared by degaussing
Data Remanence Countermeasures
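A toy block device that makes the hard-disk points above concrete: an ordinary delete only removes the index entry and leaves the bytes in place, a later write may overwrite only part of them, and an overwrite-before-unlink countermeasure removes the residue. This is an added example, not code from the slides; the disk size, file names and contents are constructed.

```python
# Added example, not from the slides: a toy block device that shows why an
# ordinary delete leaves the bytes behind (only the index entry goes), how a
# later write may overwrite only part of them, and what an overwrite-based
# countermeasure changes. Disk size, file names and contents are constructed.
class ToyDisk:
    def __init__(self, size=64):
        self.blocks = bytearray(size)   # stands in for the platters/cells
        self.index = {}                 # file name -> (offset, length)
        self.next_free = 0              # simple bump allocator

    def write_file(self, name, data):
        """Write a new file at the next free offset and index it."""
        off = self.next_free
        if off + len(data) > len(self.blocks):
            raise ValueError("disk full")
        self.blocks[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free = off + len(data)

    def delete(self, name):
        """Ordinary delete: drop the index entry and free the space.
        The bytes themselves are untouched."""
        off, _ = self.index.pop(name)
        self.next_free = min(self.next_free, off)

    def secure_delete(self, name, fill=b"\x00"):
        """Countermeasure: overwrite the file's extent before unlinking it."""
        off, length = self.index[name]
        self.blocks[off:off + length] = fill * length
        self.delete(name)

    def residue(self, marker):
        """Forensic-style check: does the marker survive anywhere on disk?"""
        return self.blocks.find(marker) != -1
```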
Memory
Fundamentally a series of ‘on’ and ‘off’ switches used to represent the binary digits (0 and 1)

Real (Primary) Memory

• RAM is real or ‘primary’ memory
• Directly accessible by the CPU
• Holds instructions and data for currently executing processes
• ‘Scratch pad’ memory
Cache Memory
• Fastest system memory
• Keeps up with the CPU as it fetches and executes instructions
• Data most frequently used by the CPU is stored here
• The fastest portion of the CPU cache is the register file, which contains multiple registers. Registers are small storage locations used by the CPU to store instructions and data.
• The next fastest form of cache memory is Level 1 cache, located on the CPU itself. Finally, Level 2 cache is connected to (but outside of) the CPU.
• Static random-access memory (SRAM) is used for cache memory.
Cache Memory (diagram: CPU, cache, primary memory, secondary memory)
RAM vs ROM
VOLATILITY
  RAM: Volatile, data is lost when the computer is powered down
  ROM: Non-volatile, data is retained even when power is turned off
ACCESSIBILITY
  RAM: Can be directly accessed by the CPU
  ROM: Cannot be directly accessed by the CPU; has to be transferred to RAM
STORAGE
  RAM: Used to store temporary information for a finite time
  ROM: Stores permanent information (e.g., BIOS)
HARDWARE STRUCTURE
  RAM: A form of chip (integrated circuit)
  ROM: Can be a chip, magnetic media, optical disks
COST
  RAM: More expensive than ROM
  ROM: Less expensive than RAM
SIZE
  RAM: Larger than ROM
  ROM: Smaller than RAM
WRITING SPEED
  RAM: Fast data write speeds
  ROM: Slow write process (burn-in)
STORAGE LIMIT
  RAM: 16, 32, 64GB or more
  ROM: MB
EXAMPLES
  RAM: Static and dynamic RAM
  ROM: PROM, EPROM, EEPROM (flash memory, USB)
DRAM vs SRAM
SSD (Solid State Devices)
• Combination of flash memory (EEPROM) and DRAM
• Unlike an HDD, where data is mapped to specific locations on the disk, SSDs are logical: they write to unused portions and mark previous ones as unallocated