Tuesday, June 4, 2019
Security models
EXECUTIVE SUMMARY

One of the most essential parts of securing networks, information, and computer systems is having a security policy. A computer security policy consists of a clearly defined and precise set of rules for determining authorization, used as the basis for making access control decisions. A security policy captures the security requirements of an organization, or describes the steps that have to be taken to reach the desired level of security. A security policy is typically stated in terms of subjects and objects: given a subject and an object, there must be a set of rules that the system uses to determine whether that subject may be given access to that object. A security model is a formal or an informal way of capturing such policies.

Security models are an important concept in the design of a system; the implementation of the system is then based on the chosen security model. In particular, security models are used to:
- test a particular policy for completeness and consistency,
- document a policy,
- help conceptualize and design an implementation, and
- check whether an implementation meets its requirements.

We assume that some access control policy dictates whether a given user can access a particular object, and that this policy is established outside any model. That is, a policy decision determines whether a specific user should have access to a specific object; the model is the mechanism that enforces that policy. We therefore begin studying models by considering simple ways to control access by one user.

In this paper we briefly explain two well-known security models that are used in securing a system: Biba and Bell La-Padula.
Basically, these two well-known models have been used widely, and it is essential for us as security technology students to understand them and apply them in future systems. We sincerely hope that this paper helps students understand the security policies implemented by the Biba and Bell La-Padula models.

CATEGORY OF SECURITY MODELS

Biba Model

The Biba integrity model was published in 1977 at the Mitre Corporation, one year after the Bell La-Padula model (Cohen). As stated before, the Bell La-Padula model guarantees the confidentiality of data but not its integrity. As a result, Biba created a model whose focus is enforcing integrity in a computer system. Biba proposed a collection of integrity policies that can be used, so the Biba model is actually a family of different integrity policies, each using different conditions to ensure information integrity (Castano). The Biba model uses both discretionary and nondiscretionary policies. It uses labels to assign integrity levels to subjects and objects: data marked with a high integrity level is taken to be more accurate and reliable than data labeled with a low integrity level, and the integrity level is used to prohibit improper modification of data.

Access Modes

The Biba model defines a set of access modes. They are similar to those used in other models, although the terms differ. The access modes the Biba model supports are:
- Modify: allows a subject to write to an object. This mode is similar to the write mode in other models.
- Observe: allows a subject to read an object. This is synonymous with the read mode of other models.
- Invoke: allows a subject to communicate with another subject.
- Execute: allows a subject to execute an object, essentially running a program that is the object.

Policies Supported by the Biba Model

The Biba model can be divided into two types of policies, mandatory and discretionary.

Mandatory policies:
- Strict Integrity Policy
- Low-Water-Mark Policy for Subjects
- Low-Water-Mark Policy for Objects
- Low-Water-Mark Integrity Audit Policy
- Ring Policy

Discretionary policies:
- Access Control Lists
- Object Hierarchy
- Ring

Mandatory Biba Policies

The Strict Integrity Policy is the first part of the Biba model. The policy states:
- Simple Integrity Condition: s ∈ S can observe o ∈ O if and only if i(s) ≤ i(o).
- Integrity Star Property: s ∈ S can modify o ∈ O if and only if i(o) ≤ i(s).
- Invocation Property: s ∈ S can invoke s' ∈ S if and only if i(s') ≤ i(s).

The first part of the policy is known as the simple integrity property. It states that a subject may observe an object only if the integrity level of the subject is less than or equal to the integrity level of the object. The second rule is the integrity star property: a subject can modify an object only if the object's integrity level is less than or equal to the subject's level. This rule prevents a subject from writing to a more trusted object. The last rule is the invocation property, which states that a subject s can invoke another subject s' only if the integrity level of s' is no higher than that of s.

The strict integrity policy therefore enforces "no write-up" and "no read-down": a subject is only allowed to modify data at its own level or a lower level, and to observe data at its own level or a higher level. No write-up is essential since it limits the damage that can be done by malicious subjects in the system; no read-down prevents a trusted subject from being contaminated by a less trusted object. Restricting the reading of lower-level objects may, however, be too restrictive in some cases.
To address this, Biba devised a number of dynamic integrity policies that allow trusted subjects access to untrusted objects or subjects. Biba implemented these as several low-water-mark policies.

The low-water-mark policy for subjects is the second part of the Biba model. The policy states:
- Integrity Star Property: s ∈ S can modify o ∈ O if and only if i(o) ≤ i(s).
- If s ∈ S observes o ∈ O, then i'(s) = min(i(s), i(o)), where i'(s) is the subject's integrity level after the read.
- Invocation Property: s ∈ S can invoke s' ∈ S if and only if i(s') ≤ i(s).

The low-water-mark policy for subjects is a dynamic policy because it lowers the integrity level of a subject based on the objects it observes. This policy is not without problems. If a subject observes a lower-integrity object, its own integrity level drops; if the subject then needs to legitimately modify an object at its former level, it can no longer do so, because its integrity level has been lowered. Depending on the order of the subject's read requests, a denial of service can develop.

The low-water-mark policy for objects is the third part of the Biba model and is similar to the policy for subjects. The policy states:
- s ∈ S can modify any o ∈ O, regardless of integrity level.
- If s ∈ S modifies o ∈ O, then i'(o) = min(i(s), i(o)), where i'(o) is the object's integrity level after it is modified.

This policy allows any subject to modify any object; the object's integrity level is then lowered if the subject's integrity level is less than the object's. The policy is dynamic because object integrity levels change depending on which subjects modify them. It does nothing to prevent an untrusted subject from modifying a trusted object, so it provides no real protection, but it does lower the trust placed in the modified objects. If a malicious program were inserted into the system, it could modify any object, and the result would be to lower the integrity level of each object it touched. Over time there may be no trusted objects left in the system, because their integrity levels have all been lowered by the subjects modifying them.

The low-water-mark integrity audit policy is the fourth mandatory policy under the Biba model. It states:
- s ∈ S can modify any o ∈ O, regardless of integrity levels.
- If a subject modifies a higher-level object, the transaction is recorded in an audit log.

This policy simply records that an improper modification has taken place; the audit log must then be examined to determine its cause. The drawback is that it does nothing to prevent the improper modification from occurring.

The Ring Policy is the last mandatory policy in the Biba model. It is not dynamic like the previous three: the integrity labels are fixed, as in the strict integrity policy. The Ring Policy states:
- Any subject can observe any object, regardless of integrity levels.
- Integrity Star Property: s ∈ S can modify o ∈ O if and only if i(o) ≤ i(s).
- Invocation Property: s ∈ S can invoke s' ∈ S if and only if i(s') ≤ i(s).

The ring policy is not perfect: it allows improper modifications to take place, since a subject can observe a low-level object and then write the data it observed into an object at its own integrity level (Castano).

Advantages and Disadvantages

Advantages:
- Easy to implement: the strict integrity policy is no harder to implement than the confidentiality rules it mirrors.
- Provides a number of different policies: if the strict integrity policy is too restrictive, one of the dynamic policies can be used in its place.

Disadvantages:
- The model does nothing to enforce confidentiality.
- The Biba model does not support the granting and revocation of authorization.
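The five mandatory Biba policies above differ only in which access is refused and which label moves. The following is an added example written for this post (not code from the paper or from Biba's original report) that implements all five as one class, with integer integrity levels where higher means more trusted. The subject and object names, their levels, and the policy names "strict", "lwm_subject", "lwm_object", "lwm_audit" and "ring" are constructed for the example. The demo functions reproduce the three failure modes discussed in the text: the denial of service under the subject low-water-mark, the erosion of every object under the object low-water-mark, and the improper read-then-write flow that the ring policy permits.

```python
"""Biba integrity policies: added example, not code from the original page.

Integrity levels are integers; higher = more trusted. Policy names and all
sample subjects/objects below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class BibaSystem:
    policy: str                 # "strict" | "lwm_subject" | "lwm_object" | "lwm_audit" | "ring"
    subjects: dict              # subject name -> integrity level i(s)
    objects: dict               # object name  -> integrity level i(o)
    audit_log: list = field(default_factory=list)

    def observe(self, s, o):
        """Subject s reads object o. Returns True if the read is permitted."""
        i_s, i_o = self.subjects[s], self.objects[o]
        if self.policy == "strict":
            return i_s <= i_o                 # simple integrity condition: no read-down
        if self.policy == "lwm_subject":
            self.subjects[s] = min(i_s, i_o)  # read allowed, subject sinks to object's level
            return True
        return True                           # lwm_object, lwm_audit, ring: any read allowed

    def modify(self, s, o):
        """Subject s writes object o. Returns True if the write is permitted."""
        i_s, i_o = self.subjects[s], self.objects[o]
        if self.policy in ("strict", "lwm_subject", "ring"):
            return i_o <= i_s                 # integrity star property: no write-up
        if self.policy == "lwm_object":
            self.objects[o] = min(i_s, i_o)   # write allowed, object sinks to subject's level
            return True
        if self.policy == "lwm_audit":
            if i_o > i_s:                     # improper modification is logged, not stopped
                self.audit_log.append((s, o, i_s, i_o))
            return True
        raise ValueError(f"unknown policy {self.policy!r}")

    def invoke(self, s1, s2):
        """Invocation property, identical in every policy that states it: i(s2) <= i(s1)."""
        return self.subjects[s2] <= self.subjects[s1]


def strict_demo():
    """Strict integrity: read-down and write-up refused, read-up and invoke-down allowed."""
    sys_ = BibaSystem("strict", {"auditor": 3, "webapp": 1}, {"config": 3, "upload": 1})
    return (sys_.observe("auditor", "upload"),   # read-down  -> False
            sys_.modify("webapp", "config"),     # write-up   -> False
            sys_.observe("webapp", "config"),    # read-up    -> True
            sys_.invoke("auditor", "webapp"))    # invoke lower subject -> True


def lwm_subject_denial_of_service():
    """Order of requests matters: after one low read the subject can no longer
    modify the high object it was legitimately allowed to modify before."""
    sys_ = BibaSystem("lwm_subject", {"auditor": 3}, {"config": 3, "upload": 1})
    before = sys_.modify("auditor", "config")    # True: i(config)=3 <= i(auditor)=3
    sys_.observe("auditor", "upload")            # auditor drops to min(3, 1) = 1
    after = sys_.modify("auditor", "config")     # False: 3 <= 1 fails
    return before, after, sys_.subjects["auditor"]


def lwm_object_erosion():
    """A level-0 subject that touches every object drags the whole system to level 0."""
    sys_ = BibaSystem("lwm_object", {"malware": 0}, {"config": 3, "binary": 2})
    for o in list(sys_.objects):
        sys_.modify("malware", o)
    return dict(sys_.objects)


def audit_demo():
    """Audit policy: the write-up succeeds and only leaves a log entry behind."""
    sys_ = BibaSystem("lwm_audit", {"webapp": 1}, {"config": 3})
    return sys_.modify("webapp", "config"), list(sys_.audit_log)


def ring_improper_flow():
    """Ring policy: a high subject may read low data and then write it at its own level."""
    sys_ = BibaSystem("ring", {"auditor": 3}, {"upload": 1, "config": 3})
    return sys_.observe("auditor", "upload"), sys_.modify("auditor", "config")
```

The check functions return the access decision rather than raising, so the same class can be driven from a test harness or used to compare how a given sequence of reads and writes fares under each policy; the level of trust a practitioner should place in the result is exactly what each policy promises and no more, as the text notes for the object low-water-mark and audit variants.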
A further drawback is that selecting the right policy to implement is difficult.

Bell La-Padula Model

The Bell La-Padula model is a classical model used to define access control. It is based on a military-style classification system (Bishop); in the military setting, the sole goal is to prevent information from being leaked to those who are not cleared to access it. Bell La-Padula was developed at the Mitre Corporation, a government-funded organization, in the 1970s (Cohen). It is an information flow security model because it prevents information from flowing from a higher security level to a lower one. The model is based around two main rules, the simple security property and the star property. The simple security property states that a subject can read an object only if the object's classification is less than or equal to the subject's clearance level; this prevents subjects from reading more privileged data. The star property states that a subject can write to an object only if the subject's clearance level is less than or equal to the object's classification level; this prevents the effective lowering of the classification of information by copying it into a less classified object. The two properties are commonly referred to as "no read up" and "no write down", respectively.

The Bell La-Padula model is not flawless. In particular, it does not deal with the integrity of data: it is possible for a lower-level subject to write to a higher-classified object. Because of this shortcoming the Biba model was created, and the Biba model is in turn deeply rooted in Bell La-Padula.

To state the model precisely we take a slightly embellished Mealy-type automaton as our model for computer systems.
That is, a system (or machine) M is composed of a set S of states, with an initial state s0 ∈ S, a set U of users (or subjects, in security parlance), a set C of commands (or operations), and a set O of outputs, together with the functions next and out:
    next : S × U × C → S
    out : S × U × C → O
Pairs of the form (u, c) ∈ U × C are called actions. We derive a function next*,
    next* : S × (U × C)* → S
(the natural extension of next to sequences of actions) by the equations
    next*(s, Λ) = s, and
    next*(s, α·(u, c)) = next(next*(s, α), u, c),
where Λ denotes the empty string and · denotes string concatenation.

Access to an object is built from two primitive kinds of access, observation and alteration. From these, four more elaborate access types are constructed, known as w, r, a and e access respectively:
- w (write) access permits both observation and alteration,
- r (read) access permits observation but not alteration,
- a (append) access permits alteration but not observation, and
- e (execute) access permits neither observation nor alteration.

To model this internal structure of the system state formally, we introduce a set N of object names, a set V of object values, the set A = {w, r, a, e} of access types, and the functions contents and current-access-set:
    contents : S × N → V
    current-access-set : S → P(U × N × A)
(where P denotes power set), with the interpretation that contents(s, n) returns the value of object n in state s, while current-access-set(s) returns the set of all triples (u, n, x) such that subject u has access type x to object n in state s.

Observe that contents captures the idea of the value state, while current-access-set embodies the protection state of the system. We also introduce the functions observe and alter,
    observe : S → P(U × N)
    alter : S → P(U × N)
with the definitions
    observe(s) = { (u, n) | (u, n, w) ∈ current-access-set(s) or (u, n, r) ∈ current-access-set(s) }, and
    alter(s) = { (u, n) | (u, n, w) ∈ current-access-set(s) or (u, n, a) ∈ current-access-set(s) }.
That is, observe(s) returns the set of all subject-object pairs (u, n) for which subject u has observation rights to object n in state s, while alter(s) returns the set of all pairs for which subject u has alteration rights to object n in state s.

Definitions of Bell La-Padula

Definition 1 (Simple Security Property). A state s ∈ S satisfies the simple security property if, for all u ∈ U and n ∈ N,
    (u, n) ∈ observe(s) ⇒ clearance(u) ≥ classification(s, n).
A rule r is ss-property-preserving if next(s, u, r) satisfies the ss-property whenever s does.

Definition 2 (*-Property). Let T ⊆ U denote the set of trusted subjects. A state s ∈ S satisfies the *-property if, for all untrusted subjects u ∈ U \ T (we use \ to denote set difference) and objects n ∈ N,
    (u, n) ∈ alter(s) ⇒ classification(s, n) ≥ current-level(s, u), and
    (u, n) ∈ observe(s) ⇒ current-level(s, u) ≥ classification(s, n).
A rule r is *-property-preserving if next(s, u, r) satisfies the *-property whenever s does.

Note that it follows from these definitions that, for an untrusted subject u,
    (u, n, a) ∈ current-access-set(s) ⇒ classification(s, n) ≥ current-level(s, u),
    (u, n, r) ∈ current-access-set(s) ⇒ current-level(s, u) ≥ classification(s, n), and
    (u, n, w) ∈ current-access-set(s) ⇒ classification(s, n) = current-level(s, u).
Also, as a simple consequence of the transitivity of ≥, if a state s satisfies the *-property and u is an untrusted subject with alteration rights to object n1 and observation rights to object n2 (in state s), then classification(s, n1) ≥ classification(s, n2). The original formulation of the *-property was somewhat different from that given above, in that it did not employ the notion of a subject's current-level.
The formulation of the *-property given in [1], Volume II is: for all u ∈ U \ T and m, n ∈ N,
    (u, m) ∈ observe(s) and (u, n) ∈ alter(s) ⇒ classification(s, n) ≥ classification(s, m).

Definition 3 (Security). A state is secure if it satisfies both the simple security property and the *-property. A rule r is security-preserving if next(s, u, r) is secure whenever s is.

We say that a state s is reachable if s = next*(s0, α) for some action sequence α ∈ (U × C)*. A system satisfies the simple security property if every reachable state satisfies the simple security property; it satisfies the *-property if every reachable state satisfies the *-property; and it is secure if every reachable state is secure.

Applications of Bell La-Padula

Bell and La Padula demonstrated the application of their security model by using the results of the previous section to establish the security of a representative class of 11 rules, chosen to model those found in the Multics system.

1. Get-Read (rule 1 of [2])
A subject u may call the rule get-read(n) in order to acquire read access to the object n. The rule checks that the following conditions are satisfied:
- clearance(u) ≥ classification(s, n);
- if u is not a trusted subject (i.e., u ∈ U \ T), then current-level(s, u) ≥ classification(s, n).
If both conditions are satisfied, the rule modifies the protection state by setting
    current-access-set(s') = current-access-set(s) ∪ {(u, n, r)},
where s' denotes the new system state following execution of the rule. Otherwise, the system state is not modified. The security of get-read follows directly from Corollary 9.

2. Get-Append, Get-Execute, Get-Write (rules 2 to 4 of [2])
These are analogous to get-read.

3. Release-Read (rule 5 of [2])
A subject u may call the rule release-read(n) in order to release its read access right to the object n. No checks are made by the rule, which simply modifies the protection state by setting
    current-access-set(s') = current-access-set(s) \ {(u, n, r)},
where s' denotes the new system state following execution of the rule. The security of release-read follows directly from Theorem 10.

4. Release-Execute, Release-Append, Release-Write (rule 5 of [2])
These are analogous to release-read.

5. Change-Subject-Current-Security-Level (rule 10 of [2])
A subject u may call change-subject-current-security-level(l) in order to request that its current-level be changed to l. The rule checks that the following conditions are satisfied:
- clearance(u) ≥ l (i.e., a subject's current-level may not exceed its clearance);
- if u is an untrusted subject (i.e., u ∈ U \ T), then assigning l as the current level of u must not cause the resulting state to violate the *-property, i.e., for all n ∈ N,
    (u, n) ∈ alter(s) ⇒ classification(s, n) ≥ l, and
    (u, n) ∈ observe(s) ⇒ l ≥ classification(s, n).
If both conditions are satisfied, the rule modifies the system state by setting current-level(s', u) = l, where s' denotes the new system state following execution of the rule. Otherwise, the system state is not modified.

6. Change-Object-Security-Level (rule 11 of [2])
A subject u may call change-object-security-level(n, l) in order to request that the classification of object n be changed to l. The rule checks that the following conditions are satisfied:
- current-level(s, u) ≥ classification(s, n) (i.e., no subject may change the classification of an object which is currently classified above its own level);
- if u is an untrusted subject (i.e., u ∈ U \ T), then current-level(s, u) ≥ l and l ≥ classification(s, n) (i.e., untrusted subjects may not lower the classification of an object, nor raise it above their own current level);
- for all v ∈ U, (v, n) ∈ observe(s) ⇒ current-level(s, v) ≥ l (i.e., if any subject has observation rights to the object n, then the current level of that subject must dominate the new classification of n);
- assigning l as the classification of n must not cause the resulting state to violate the *-property.
If these conditions are satisfied, the rule modifies the system state by setting classification(s', n) = l, where s' denotes the new system state following execution of the rule. Otherwise, the system state is not modified.

Limitations of Bell La-Padula

There are several limitations of BLP:
- It is restricted to confidentiality.
- It has no policies for changing access rights; a general and complete downgrade counts as secure under the definitions above. BLP is intended for systems with static security levels.
- BLP contains covert channels: a low subject can detect the existence of high objects when it is denied access to them. Sometimes it is not sufficient to hide only the contents of objects; their existence may have to be hidden as well.
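The definitions and rules above can be executed directly. What follows is an added example written for this post (not code from the Bell and La Padula reports, from Multics, or from the cited authors): a small state machine with the functions observe, alter, the ss-property, the *-property, and the rules get-*, release-*, change-subject-current-security-level and change-object-security-level, plus a next*-style driver that replays a sequence of actions and confirms that every reachable state is secure. Levels are integers (higher dominates lower); the subjects alice and bob, the objects secret.txt and public.txt, their clearances and classifications, and the empty trusted set are all constructed for the example. One design choice to note: where the text gives each rule's explicit conditions, get_access and the level-change rules here check the ss- and *-property on a tentative successor state instead, which is equivalent for the single triple or level being changed and keeps the rules short. The last function, probe, reproduces the covert channel from the limitations list.

```python
"""Bell La-Padula state machine: added example, not code from the original page.

Security levels are integers (higher dominates lower). A state carries each
object's classification, each subject's current-level and the current-access-set
of (subject, object, access) triples with access in {w, r, a, e}. Clearances,
the trusted set and the sample subjects/objects are constructed for the example.
"""
from copy import deepcopy

CLEARANCE = {"alice": 3, "bob": 1}   # fixed per subject
TRUSTED = set()                      # no trusted subjects: the *-property binds everyone


def initial_state():
    return {"classification": {"secret.txt": 3, "public.txt": 1},
            "current_level": {"alice": 3, "bob": 1},
            "access": set()}          # current-access-set, initially empty


def observe(state):
    return {(u, n) for (u, n, x) in state["access"] if x in ("w", "r")}


def alter(state):
    return {(u, n) for (u, n, x) in state["access"] if x in ("w", "a")}


def ss_property(state):
    return all(CLEARANCE[u] >= state["classification"][n] for (u, n) in observe(state))


def star_property(state):
    cls, lvl = state["classification"], state["current_level"]
    return (all(cls[n] >= lvl[u] for (u, n) in alter(state) if u not in TRUSTED) and
            all(lvl[u] >= cls[n] for (u, n) in observe(state) if u not in TRUSTED))


def secure(state):
    return ss_property(state) and star_property(state)


# Rules: each returns the successor state, or the very same state object if a check
# fails (so "did the state change" is an identity test on the return value).
def get_access(state, u, n, x):
    """get-read / get-append / get-write / get-execute for access type x."""
    new = deepcopy(state)
    new["access"].add((u, n, x))
    return new if secure(new) else state


def release_access(state, u, n, x):
    """release-*: no checks; dropping an access never breaks either property."""
    new = deepcopy(state)
    new["access"].discard((u, n, x))
    return new


def change_subject_level(state, u, l):
    """change-subject-current-security-level(l) requested by subject u."""
    if CLEARANCE[u] < l:                         # current-level may not exceed clearance
        return state
    new = deepcopy(state)
    new["current_level"][u] = l
    return new if (u in TRUSTED or star_property(new)) else state


def change_object_level(state, u, n, l):
    """change-object-security-level(n, l) requested by subject u."""
    cls, lvl = state["classification"], state["current_level"]
    if lvl[u] < cls[n]:                          # object classified above the caller
        return state
    if u not in TRUSTED and not (lvl[u] >= l >= cls[n]):   # untrusted: no downgrade
        return state
    if any(lvl[v] < l for (v, m) in observe(state) if m == n):  # observers dominate l
        return state
    new = deepcopy(state)
    new["classification"][n] = l
    return new if star_property(new) else state


def run(actions, state=None):
    """next* over a sequence of (rule, args) actions from the initial state. Returns
    which actions changed the state, whether every reachable state was secure, and
    the final state."""
    state = initial_state() if state is None else state
    changed, all_secure = [], secure(state)
    for rule, args in actions:
        new = rule(state, *args)
        changed.append(new is not state)
        all_secure = all_secure and secure(new)
        state = new
    return changed, all_secure, state


def probe(state, u, n):
    """Covert channel from the limitations list: a low subject can tell 'no such
    object' apart from 'denied', so the existence of a high object leaks."""
    if n not in state["classification"]:
        return "no such object"
    return "granted" if get_access(state, u, n, "r") is not state else "denied"


def demo():
    return run([
        (get_access, ("bob", "secret.txt", "r")),          # read-up: denied (ss-property)
        (get_access, ("bob", "secret.txt", "a")),          # blind append-up: allowed
        (get_access, ("alice", "public.txt", "r")),        # read-down: allowed
        (get_access, ("alice", "public.txt", "w")),        # write-down: denied (*-property)
        (change_object_level, ("alice", "public.txt", 2)), # raise to 2 by its reader: allowed
        (change_subject_level, ("alice", 1)),              # denied: alice still observes level 2
        (release_access, ("alice", "public.txt", "r")),    # release: always allowed
        (change_subject_level, ("alice", 2)),              # allowed once the read is released
        (get_access, ("alice", "public.txt", "w")),        # write at own current level: allowed
        (change_object_level, ("bob", "secret.txt", 1)),   # bob is below secret.txt: denied
    ])
```

The replay in demo shows the practical consequence of the *-property using current-level: a high subject does not get to write a low object by holding its clearance, it must first release its observation rights on anything above the target level and lower its current level to match, which is exactly the ordering constraint rules 5 and 6 enforce.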