Security Protection Mechanisms
Security Models
Principles of Computer Design
Ronel N. Dadula, Reporter
Security Protection Mechanisms
• Technical Mechanisms
• Policy Mechanisms
Technical Mechanisms
• Layering
• Abstraction
• Data Hiding
• Process Isolation
• Hardware Segmentation
Layering
By layering processes, you implement a structure similar to the ring model used for operating modes and apply it to each operating system process. It puts the most sensitive functions of a process at the core, surrounded by a series of increasingly larger concentric circles with correspondingly lower sensitivity levels.
Abstraction
Abstraction is one of the fundamental principles behind the field known as object-oriented programming.
It is the “black box” doctrine that says that users of an object (or operating system component) don’t necessarily need to know the details of how the object works; they just need to know the proper syntax for using the object and the type of data that will be returned as a result.
Data Hiding
Data hiding is an important characteristic in multilevel secure systems. It ensures that data existing at one level of security is not visible to processes running at different security levels.
The key concept behind data hiding is a desire to make sure those who have no need to know the details involved in accessing and processing data at one level have no way to learn or observe those details covertly or illicitly.
Process Isolation
Process isolation requires that the operating system provide separate memory spaces for each process’s instructions and data. It also requires that the operating system enforce those boundaries, preventing one process from reading or writing data that belongs to another process.
There are two major advantages to using this technique:
1. It prevents unauthorized data access.
2. It protects the integrity of processes.
Hardware Segmentation
Hardware segmentation is similar to process isolation in purpose—it prevents the access of information that belongs to a different process/security level. The main difference is that hardware segmentation enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an operating system.
Policy Mechanisms
• Principle of Least Privilege
• Separation of Privilege
• Accountability
Principle of Least Privilege
When designing operating system processes, you should always ensure that they run in user mode whenever possible. The greater the number of processes that execute in privileged mode, the higher the number of potential vulnerabilities that a malicious individual could exploit to gain supervisory access to the system.
Separation of Privilege
The principle of separation of privilege builds upon the principle of least privilege. It requires the use of granular access permissions; that is, different permissions for each type of privileged operation. This allows designers to assign some processes rights to perform certain supervisory functions without granting them unrestricted access to the system.
Accountability
Accountability is an essential component in any security design. Many high-security systems contain physical devices (such as pen registers and non-modifiable audit trails) that enforce individual accountability for privileged functionality.
Security Models
In information security, models provide a way to formalize security policies. Such models can be abstract or intuitive, but all are intended to provide an explicit set of rules that a computer can follow to implement the fundamental security concepts, processes, and procedures that make up a security policy.
These models offer a way to deepen your understanding of how a computer operating system should be designed and developed to support a specific security policy.
• State machine model
• Information flow model
• Noninterference model
• Take-Grant model
• Access control matrix
• Bell-LaPadula
• Biba
• Clark-Wilson
• Brewer and Nash model
State Machine Model
The state machine model describes a system that is always secure no matter what state it is in. It’s based on the computer science definition of a finite state machine (FSM).
Many security models are based on the secure state concept. According to the state machine model, a state is a snapshot of a system at a specific moment in time. If all aspects of a state meet the requirements of the security policy, that state is considered secure.
Information Flow Model
The information flow model focuses on the flow of information. Information flow models are based on the state machine model and are designed to prevent unauthorized, insecure, or restricted information flows.
Noninterference Model
The noninterference model is loosely based on the information flow model. However, instead of being concerned about the flow of information, the noninterference model is concerned with how the actions of a subject at a higher security level affect the system state or actions of a subject at a lower security level.
Take-Grant Model
The Take-Grant model employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object.
Simply put, a subject with the grant right can grant another subject or another object any other right they possess. Likewise, a subject with the take right can take a right from another subject.
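The two rules stated above, worked through on a small protection graph. This is an added example, not material from the slides; the subject names, the object "file" and the right names are constructed for illustration.

```python
# Added example (not from the slides): a tiny Take-Grant protection graph.
# Nodes are subjects or objects; a directed edge src -> dst carries the set
# of rights src holds over dst. Only the take and grant rules are modelled.
from dataclasses import dataclass, field

@dataclass
class TakeGrantGraph:
    subjects: set = field(default_factory=set)
    rights: dict = field(default_factory=dict)  # (src, dst) -> set of rights

    def add_edge(self, src, dst, rs):
        self.rights.setdefault((src, dst), set()).update(rs)

    def has(self, src, dst, right):
        return right in self.rights.get((src, dst), set())

    def grant(self, s, target, x, right):
        """Grant rule: s holds 'grant' over target and 'right' over x, so s may
        pass that right to target (edge target -> x gains right)."""
        if s not in self.subjects:
            raise PermissionError(f"{s} is not a subject")
        if not (self.has(s, target, "grant") and self.has(s, x, right)):
            raise PermissionError(f"{s} cannot grant {right} on {x} to {target}")
        self.add_edge(target, x, {right})

    def take(self, s, source, x, right):
        """Take rule: s holds 'take' over source and source holds 'right' over
        x, so s may copy that right for itself (edge s -> x gains right)."""
        if s not in self.subjects:
            raise PermissionError(f"{s} is not a subject")
        if not (self.has(s, source, "take") and self.has(source, x, right)):
            raise PermissionError(f"{s} cannot take {right} on {x} from {source}")
        self.add_edge(s, x, {right})

def demo():
    """Constructed scenario: alice owns read/write on file, holds grant over
    bob, and bob holds take over alice. Both rules are then exercised."""
    g = TakeGrantGraph(subjects={"alice", "bob"})
    g.add_edge("alice", "file", {"read", "write"})
    g.add_edge("alice", "bob", {"grant"})
    g.add_edge("bob", "alice", {"take"})
    g.grant("alice", "bob", "file", "read")   # alice gives bob read on file
    g.take("bob", "alice", "file", "write")   # bob takes write on file via alice
    return g
```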
Access Control Matrix
An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on each object.
Implementing an access control matrix model usually involves constructing an environment that can create and manage lists of subjects and objects and a function that can return the type associated with whatever object is supplied to that function as input.
TABLE 1. An Access Control Matrix
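A matrix of the kind Table 1 depicts, together with the object-type lookup function the slide describes and the two usual projections of the matrix (a row is a subject's capability list, a column is an object's access control list). This is an added example, not the slides' own table; the subjects, objects and rights are constructed sample data.

```python
# Added example (not from the slides): an access control matrix as a dict of
# dicts, a default-deny check, and the row/column views of the matrix.
# Subjects, objects, types and rights below are constructed sample data.

MATRIX = {
    # subject : { object : set of permitted actions }
    "alice": {"payroll.db": {"read", "write"}, "report.doc": {"read"}},
    "bob":   {"report.doc": {"read", "write"}},
    "audit": {"payroll.db": {"read"}, "report.doc": {"read"}},
}
OBJECT_TYPES = {"payroll.db": "database", "report.doc": "document"}

def object_type(obj):
    """The type-lookup function the slide mentions; unknown objects are rejected
    rather than silently treated as a new, empty column."""
    if obj not in OBJECT_TYPES:
        raise KeyError(f"unknown object: {obj}")
    return OBJECT_TYPES[obj]

def is_allowed(matrix, subject, obj, action):
    """Default deny: an empty cell or an unknown subject grants nothing."""
    object_type(obj)  # validates that the object is managed by the environment
    return action in matrix.get(subject, {}).get(obj, set())

def capability_list(matrix, subject):
    """One row of the matrix: everything a single subject may do."""
    return {o: sorted(a) for o, a in matrix.get(subject, {}).items()}

def access_control_list(matrix, obj):
    """One column of the matrix: who may do what to a single object."""
    return {s: sorted(row[obj]) for s, row in matrix.items() if obj in row}
```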
Bell-LaPadula Model
The Bell-LaPadula model was developed out of the U.S. Department of Defense (DoD) multilevel security policy. The DoD’s policy includes four levels of classification, from most sensitive to least: top secret, secret, confidential, and unclassified.
The Bell-LaPadula model is focused on maintaining the confidentiality of objects. Bell-LaPadula does not address the aspects of integrity or availability for objects.
By design, the Bell-LaPadula model prevents the leaking or transfer of classified information to less-secure clearance levels. This is accomplished by blocking lower-classified subjects from accessing higher-classified objects.
Bell-LaPadula efficiently manages confidentiality, but it fails to address or manage numerous other important issues:
• It does not address integrity or availability.
• It does not address access control management, nor does it provide a way to assign or change an object’s or subject’s classification level.
• It does not prevent covert channels.
• It does not address file sharing (a common feature on networked systems).
Biba Model
The Biba Model, or Biba Integrity Model, is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
In general, the model was developed to circumvent a weakness in the Bell–LaPadula model, which only addresses data confidentiality.
Biba was designed to address three integrity issues:
1. Prevent modification of objects by unauthorized subjects.
2. Prevent unauthorized modification of objects by authorized subjects.
3. Protect internal and external object consistency.
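An added example covering both the Bell-LaPadula slides and the Biba slide above: the read and write rules of each model coded over the four DoD classification levels the Bell-LaPadula slide names, so that the two models can be compared as duals. The Bell-LaPadula rule names (simple security property, *-property), the Biba rules (no read down, no write up) and the integrity level names are not stated on the slides and are supplied here from the standard formulations.

```python
# Added example (not from the slides): Bell-LaPadula confidentiality rules and
# Biba integrity rules side by side. Classification levels are the four DoD
# levels from the slide; the integrity lattice is constructed for illustration.

CLASSIFICATION = ["unclassified", "confidential", "secret", "top secret"]  # low -> high
INTEGRITY = ["untrusted", "user", "system"]                                # low -> high

def rank(levels, name):
    """Position of a label in an ordered lattice; unknown labels are rejected."""
    if name not in levels:
        raise ValueError(f"unknown level {name!r}")
    return levels.index(name)

def blp_allows(subject_clearance, object_classification, action):
    """Bell-LaPadula: simple security property (no read up) and the
    *-property (no write down). It says nothing about integrity."""
    s = rank(CLASSIFICATION, subject_clearance)
    o = rank(CLASSIFICATION, object_classification)
    if action == "read":
        return s >= o   # read only objects at or below own clearance
    if action == "write":
        return s <= o   # write only objects at or above own clearance
    raise ValueError(f"unknown action {action!r}")

def biba_allows(subject_integrity, object_integrity, action):
    """Biba strict integrity: no read down, no write up. The dual of BLP:
    lower-integrity data must never flow into higher-integrity objects."""
    s = rank(INTEGRITY, subject_integrity)
    o = rank(INTEGRITY, object_integrity)
    if action == "read":
        return s <= o   # read only from equal or higher integrity
    if action == "write":
        return s >= o   # write only to equal or lower integrity
    raise ValueError(f"unknown action {action!r}")

def leaks_to_lower_level(subject_clearance, source_obj, target_obj):
    """True if BLP would let one subject read source_obj and then write what it
    learned into target_obj at a lower classification, i.e. a direct leak.
    Under the two rules above this should never be True."""
    return (blp_allows(subject_clearance, source_obj, "read")
            and blp_allows(subject_clearance, target_obj, "write")
            and rank(CLASSIFICATION, target_obj) < rank(CLASSIFICATION, source_obj))
```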
Clark-Wilson Model
The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent.
An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.
Brewer and Nash Model (a.k.a. Chinese Wall)
This model was created to permit access controls to change dynamically based on a user’s previous activity (making it a kind of state machine model as well). This model applies to a single integrated database; it seeks to create security domains that are sensitive to the notion of conflict of interest.
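The history-dependent access decision described above, worked through in code. This is an added example, not material from the slides; the company names, conflict-of-interest classes and file names are constructed, and the read and write rules follow the standard Chinese Wall formulation (the sanitized-data exception of the original model is left out).

```python
# Added example (not from the slides): Brewer and Nash (Chinese Wall) access
# control, where each decision depends on what the subject has already read.
# Companies, conflict-of-interest classes and objects are constructed data.
from collections import defaultdict

COMPANY_CLASS = {"BankA": "banks", "BankB": "banks", "OilX": "oil"}  # company -> COI class
OBJECTS = {                                                         # object -> company dataset
    "bankA/q3.xlsx": "BankA",
    "bankB/q3.xlsx": "BankB",
    "oilX/wells.csv": "OilX",
}

class ChineseWall:
    def __init__(self):
        # The state that makes this a state machine: companies each subject has read.
        self.history = defaultdict(set)

    def can_read(self, subject, obj):
        """Simple security rule: allowed if the object belongs to a company the
        subject already accessed, or to a conflict-of-interest class in which
        the subject has accessed no company yet."""
        company = OBJECTS[obj]
        seen = self.history[subject]
        if company in seen:
            return True
        return all(COMPANY_CLASS[c] != COMPANY_CLASS[company] for c in seen)

    def read(self, subject, obj):
        """Perform a read and record it; later decisions for this subject change."""
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject}: conflict of interest reading {obj}")
        self.history[subject].add(OBJECTS[obj])

    def can_write(self, subject, obj):
        """*-property: a write to company X is allowed only if the read rule
        permits it and the subject has read nothing from any other company,
        so information cannot be carried across the wall via a write."""
        company = OBJECTS[obj]
        return self.can_read(subject, obj) and self.history[subject] <= {company}
```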
The End