Security Models

Trusted Computing Base (TCB) – Orange Book (TCSEC) term – the hardware, firmware, software, and controls that together enforce the security policy – the security perimeter is the boundary between the TCB and the rest of the system, and is crossed only through trusted paths – the Reference Monitor is the TCB concept that mediates every access a subject makes to an object; the security kernel implements it and must be tamperproof, always invoked, and small enough to verify

State Machine – based on a finite state machine – a system is secure if it starts in a secure state and every permitted transition leads to another secure state, so it is secure no matter what state it is in – a system with this property is a Secure State Machine

Information Flow – based on the state machine model – controls the direction in which information may move between security levels (and between objects at the same level) so that unauthorized flows cannot occur – Bell-LaPadula and Biba are both information flow models

Noninterference Model – actions taken at a higher level of classification must not affect the system state observed at a lower level – prevents information leakage, including leakage through covert channels and inference

Take-Grant Model – rights represented as a directed graph of subjects and objects – four rules: take (a subject takes the rights another node holds), grant (a subject passes its own rights to another node), create (add a new node and rights to it), remove (a subject drops rights it holds) – rights are passed subject -> subject or subject -> object

Access Control Matrix – table with subjects as rows and objects as columns, each cell holding that subject's rights over that object – a column read on its own is the object's access control list (ACL), a row read on its own is the subject's capabilities list

Bell-LaPadula – confidentiality – lattice-based state machine / information flow model – DoD / government (multilevel security) – does not address integrity or covert channels

  • Simple security property – no read-up (a subject may read only objects at or below its clearance)
  • * (star) security property – no write-down, also called the confinement property (a subject may write only to objects at or above its level, so classified data cannot be copied to a lower level)
  • Discretionary security property – an access control matrix applies on top of the mandatory rules; both must allow the access

Biba – integrity – information flow – commercial – the mirror image of Bell-LaPadula: protects high-integrity data from being corrupted by lower-integrity subjects or data

  • Simple integrity property – no read-down (a subject may not read lower-integrity data)
  • * (star) integrity property – no write-up (a subject may not write to higher-integrity objects)
  • Invocation property – a subject may not invoke (call on) a subject at a higher integrity level
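The two label-based models above are easiest to compare side by side. The following is an added example, not code from the original notes: a minimal lattice-based reference monitor that applies the Bell-LaPadula rules (no read-up, no write-down, plus the discretionary check) and the Biba rules (no read-down, no write-up) to the same labels. Level names, categories, and document names are hypothetical.

```python
# Added example, not part of the original notes: a minimal lattice-based
# reference monitor applying the Bell-LaPadula rules (no read up, no write
# down, plus a discretionary check) and the Biba rules (no read down, no
# write up). Level names and categories are hypothetical.
from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest to highest (assumed names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical level plus a set of need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when its level is at least as high and it carries every
        # category B carries; labels with disjoint categories dominate neither way.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, mode: str, dac_grant: bool = True) -> bool:
    """Bell-LaPadula (confidentiality): labels are clearance / classification."""
    if not dac_grant:
        # Discretionary security property: the access matrix must also permit it.
        return False
    if mode == "read":
        # Simple security property: no read up.
        return subject.dominates(obj)
    if mode == "write":
        # * property (confinement): no write down.
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Biba (integrity): labels are integrity levels; the mirror image of BLP."""
    if mode == "read":
        # Simple integrity property: no read down (don't ingest lower-integrity data).
        return obj.dominates(subject)
    if mode == "write":
        # * integrity property: no write up (don't contaminate higher-integrity data).
        return subject.dominates(obj)
    raise ValueError(f"unknown access mode {mode!r}")


def access_table(subject: Label, objects: dict) -> dict:
    """Decision table for one subject against several labelled objects."""
    return {
        name: {
            "blp_read": blp_allows(subject, lbl, "read"),
            "blp_write": blp_allows(subject, lbl, "write"),
            "biba_read": biba_allows(subject, lbl, "read"),
            "biba_write": biba_allows(subject, lbl, "write"),
        }
        for name, lbl in objects.items()
    }


if __name__ == "__main__":
    # Constructed sample: a SECRET/CRYPTO analyst against three documents.
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    docs = {
        "memo": Label("CONFIDENTIAL"),
        "plan": Label("TOP SECRET", frozenset({"CRYPTO"})),
        "nuc_report": Label("SECRET", frozenset({"NUC"})),
    }
    for name, decisions in access_table(analyst, docs).items():
        print(name, decisions)
```

Note the nuc_report case: the analyst and the document are at the same hierarchical level, but neither label dominates the other because the categories differ, so both models deny both read and write. That is the lattice doing work that a simple level comparison would miss.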

Clark-Wilson – integrity – “access control triple” of subject / program / object (user / transformation procedure (TP) / constrained data item (CDI)) – a CDI can be modified by a subject only through a certified well-formed transaction (TP), never directly – integrity verification procedures (IVPs) confirm that CDIs are in a valid state – restricted interface model, separation of duties, auditing of every TP – commercial applications
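The mechanics of the triple, the well-formed transaction, the IVP, and separation of duties are easier to see in code. The following is an added example and not code from the original notes: a miniature Clark-Wilson enforcement layer over a two-account ledger. The account names, amounts, the "control total" invariant, and the user names are hypothetical.

```python
# Added example, not part of the original notes: a miniature Clark-Wilson
# enforcement layer. Constrained data items (CDIs) can only be changed through
# certified transformation procedures (TPs), users are authorised by
# (user, TP, CDI) triples, an integrity verification procedure (IVP) checks the
# invariant after every TP (rolling back on failure), every successful TP is
# logged, and separation of duties stops the certifier of a TP from running it.
# Account names, amounts and the invariant are hypothetical.

class IntegrityViolation(Exception):
    pass


class ClarkWilson:
    def __init__(self, ivp):
        self.cdis = {}        # constrained data items: name -> value
        self.tps = {}         # TP name -> (function, certifying user)
        self.triples = set()  # permitted (user, tp, cdi) access control triples
        self.ivp = ivp        # integrity verification procedure over all CDIs
        self.log = []         # audit trail required by the model

    def add_cdi(self, name, value):
        self.cdis[name] = value

    def certify_tp(self, name, fn, certifier):
        # Certification is itself a privileged act; record who did it so that
        # separation of duties can be enforced at execution time.
        self.tps[name] = (fn, certifier)

    def authorize(self, user, tp, cdi):
        self.triples.add((user, tp, cdi))

    def run(self, user, tp, cdi, *args):
        if (user, tp, cdi) not in self.triples:
            raise PermissionError(f"{user} may not run {tp} on {cdi}")
        fn, certifier = self.tps[tp]
        if certifier == user:
            raise PermissionError(f"separation of duties: {user} certified {tp}")
        snapshot = dict(self.cdis)
        fn(self.cdis, cdi, *args)
        if not self.ivp(self.cdis):
            self.cdis = snapshot  # a TP that breaks the invariant is not well-formed
            raise IntegrityViolation(f"{tp} left the CDIs in an invalid state")
        self.log.append((user, tp, cdi, args))
        return self.cdis[cdi]


def ledger_ivp(cdis):
    # Invariant: no negative balance, and the accounts sum to the control total.
    accounts = {k: v for k, v in cdis.items() if k.startswith("acct_")}
    return (all(v >= 0 for v in accounts.values())
            and sum(accounts.values()) == cdis["control_total"])


def transfer(cdis, src, dst, amount):
    # Well-formed: moves value between accounts and preserves the total.
    cdis[src] -= amount
    cdis[dst] += amount


def mint(cdis, acct, amount):
    # Not well-formed: creates value from nothing; the IVP will reject it.
    cdis[acct] += amount


def denied(fn, *args):
    """True if the enforcement layer refuses the call."""
    try:
        fn(*args)
    except (PermissionError, IntegrityViolation):
        return True
    return False


def build_ledger():
    # Constructed sample system: two accounts, one auditor, one clerk.
    cw = ClarkWilson(ledger_ivp)
    cw.add_cdi("control_total", 1000)
    cw.add_cdi("acct_a", 600)
    cw.add_cdi("acct_b", 400)
    cw.certify_tp("transfer", transfer, certifier="auditor")
    cw.certify_tp("mint", mint, certifier="auditor")
    cw.authorize("clerk", "transfer", "acct_a")
    cw.authorize("auditor", "transfer", "acct_a")
    cw.authorize("clerk", "mint", "acct_a")
    return cw
```

The clerk can move money out of acct_a because a triple permits it, the auditor cannot run the TP it certified, and a TP that is not well-formed (mint, or a transfer that overdraws) is rolled back by the IVP check rather than committed.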

Lipner – combines Bell-LaPadula confidentiality with Biba integrity for a commercial setting – integrity levels avoid unauthorized modification of programs (production code changes only through a controlled process), integrity categories separate domains based on functional areas (e.g. development vs. production)

Brewer-Nash / Chinese Wall – objects grouped into company datasets, datasets grouped into conflict-of-interest classes – a user who has accessed one company's confidential information is barred from the information of any competing client organization in the same class – access decisions change dynamically with the user's own access history, unlike the static labels of Bell-LaPadula
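The dynamic part is what distinguishes this model, so here is an added example (not code from the original notes) of a Brewer-Nash monitor whose read decisions depend on what the subject has read before, plus the model's write rule. Company names, conflict classes, and subject names are hypothetical; the model's treatment of sanitised public data is left out.

```python
# Added example, not part of the original notes: a Brewer-Nash (Chinese Wall)
# monitor. Company datasets sit in conflict-of-interest classes; a subject may
# read a company's data unless it has already read a competitor's data in the
# same class, and may write to a company only if everything it has read belongs
# to that company (so nothing can be carried across the wall). Company and class
# names are hypothetical; sanitised public data is left out.

class ChineseWall:
    def __init__(self, conflict_classes):
        # conflict_classes: class name -> set of company datasets in that class
        self.class_of = {company: cls
                         for cls, companies in conflict_classes.items()
                         for company in companies}
        self.history = {}  # subject -> set of companies whose data it has read

    def can_read(self, subject, company):
        seen = self.history.get(subject, set())
        if company in seen:
            return True  # already inside this company's wall
        cls = self.class_of[company]
        # Denied if any company already read competes in the same class.
        return all(self.class_of[c] != cls for c in seen)

    def read(self, subject, company):
        # The decision depends on history, so a successful read changes what
        # this subject will be allowed to do next.
        if not self.can_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True

    def can_write(self, subject, company):
        # Write rule: the target must be readable, and the subject must not
        # have read any other company's data, or it could leak it by writing.
        seen = self.history.get(subject, set())
        return self.can_read(subject, company) and seen <= {company}


# Constructed sample: two conflict classes with two competitors each.
CLASSES = {"banks": {"BankA", "BankB"}, "oil": {"OilCo", "PetroInc"}}

if __name__ == "__main__":
    wall = ChineseWall(CLASSES)
    for company in ("BankA", "OilCo", "BankB"):
        print("alice reads", company, "->", wall.read("alice", company))
    print("alice may write BankA ->", wall.can_write("alice", "BankA"))
```

Reading BankA and then OilCo is fine (different classes), BankB is then refused (same class as BankA), and alice may no longer write to BankA either, because she has also seen OilCo data. A different subject with an empty history is unaffected.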

Graham-Denning – 3 parts: objects, subjects, and rights – rights govern how subjects may manipulate subjects and objects, with two special rights, owner (of an object) and control (of a subject), gating the rest – 8 primitive protection rights (create object, create subject, delete object, delete subject, read access right, grant access right, delete access right, transfer access right)
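Graham-Denning's primitives are operations on an access control matrix, so one example serves both the Access Control Matrix entry above and this one. The following is an added example and not code from the original notes: a matrix that is mutated only through the eight primitives and can be read out either as per-object ACLs (columns) or per-subject capability lists (rows). The "owner"/"control" special rights and the "*" copy flag on transferable rights follow the Graham-Denning paper's conventions; which rights a creator receives on creation is a simplifying assumption here, as are all subject, object, and right names.

```python
# Added example, not part of the original notes: an access control matrix whose
# columns read as per-object ACLs and rows as per-subject capability lists,
# mutated only through Graham-Denning's eight primitive protection rights.
# Following the Graham-Denning paper, "owner" (of an object) and "control" (of a
# subject) are the special rights that gate the other operations, and a right
# suffixed with "*" carries the copy flag that allows it to be transferred.
# Giving the creator owner/control on creation is a simplification; subject,
# object and right names are hypothetical.

class Denied(PermissionError):
    pass


class AccessMatrix:
    def __init__(self, root):
        self.subjects = {root}
        self.objects = set()
        self.cells = {}  # (subject, target) -> set of rights

    def rights(self, s, target):
        return self.cells.get((s, target), set())

    def _require(self, s, target, right):
        if right not in self.rights(s, target):
            raise Denied(f"{s} lacks {right} on {target}")

    # --- the eight Graham-Denning primitives ---------------------------------
    def create_object(self, s, o):
        self.objects.add(o)
        self.cells[(s, o)] = {"owner"}                 # creator owns what it creates

    def create_subject(self, s, new):
        self.subjects.add(new)
        self.cells[(s, new)] = {"owner", "control"}    # creator controls new subject

    def delete_object(self, s, o):
        self._require(s, o, "owner")
        self.objects.discard(o)
        self.cells = {k: v for k, v in self.cells.items() if k[1] != o}

    def delete_subject(self, s, victim):
        self._require(s, victim, "owner")
        self.subjects.discard(victim)
        self.cells = {k: v for k, v in self.cells.items() if victim not in k}

    def read_access_right(self, s, x, target):
        # s may inspect x's rights over target if s owns target or controls x.
        if "owner" not in self.rights(s, target) and "control" not in self.rights(s, x):
            raise Denied(f"{s} may not read {x}'s rights on {target}")
        return set(self.rights(x, target))

    def grant_access_right(self, s, right, x, target):
        self._require(s, target, "owner")              # only the owner grants
        self.cells.setdefault((x, target), set()).add(right)

    def delete_access_right(self, s, right, x, target):
        if "owner" not in self.rights(s, target) and "control" not in self.rights(s, x):
            raise Denied(f"{s} may not revoke {right} from {x} on {target}")
        self.rights(x, target).discard(right)

    def transfer_access_right(self, s, right, x, target):
        # s may pass on a right it holds with the copy flag; the recipient gets
        # the copy flag too only if the transferred right itself ends in "*".
        base = right.rstrip("*")
        self._require(s, target, base + "*")
        self.cells.setdefault((x, target), set()).add(right)

    # --- two views of the same matrix ----------------------------------------
    def acl(self, target):
        """Column: who holds what on this object (access control list)."""
        return {s: set(r) for (s, t), r in self.cells.items() if t == target and r}

    def capabilities(self, s):
        """Row: what this subject holds on each target (capabilities list)."""
        return {t: set(r) for (sub, t), r in self.cells.items() if sub == s and r}


def denied(fn, *args):
    """True if the matrix refuses the operation."""
    try:
        fn(*args)
    except Denied:
        return True
    return False
```

Walking through it: admin creates payroll and two subjects, grants alice "read*", alice can transfer plain "read" to bob, but bob, holding no copy flag, cannot pass it further, and alice, not being owner, cannot grant. The same cells answer "who can touch payroll?" (ACL) and "what can bob touch?" (capabilities).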

Harrison-Ruzzo-Ullman – extends Graham-Denning – access control matrix plus a finite set of generic rights and commands, each command a sequence of primitive operations guarded by conditions on the matrix – subjects are prevented from accessing programs or subroutines that can execute a particular command – showed that the safety question (can a given subject ever acquire a given right?) is undecidable in the general case

Goguen-Meseguer – integrity – foundation of the noninterference models – subjects are allowed only to perform pre-determined actions against pre-determined objects, so the actions of one group of subjects cannot be observed by, or interfere with, another group's view of the system

Sutherland – integrity – state machine / information flow – defines a set of secure system states, initial states, and state transitions; the system is secure if every reachable state is secure – prohibits interference, so it is used to reason about covert channels