Models are used to express access control requirements in a theoretical or mathematical framework that precisely describes or quantifies its function. Common access control models include Bell-LaPadula, Access Matrix, Take-Grant, Biba, Clark-Wilson, Information Flow, and Non-interference.
Published in 1973, the Bell-LaPadula model was the first formal confidentiality model of a mandatory access control system. (We discuss mandatory and discretionary access controls in Chapter 4.) It was developed for the U.S. Department of Defense (DoD) to formalize the DoD multilevel security policy. As we discuss in Chapter 6, the DoD classifies information based on sensitivity at three basic levels: Confidential, Secret, and Top Secret. In order to access classified information (and systems), an individual must have access (clearance level equal to or exceeding the classification of the information or system) and need-to-know (necessary to perform a required job function). The Bell-LaPadula model implements the access component of this security policy.
Bell-LaPadula is a state machine model that addresses only the confidentiality of information. (A secure state is defined and maintained during transitions between secure states.) The basic premise of Bell-LaPadula is that information can’t flow downward. Bell-LaPadula defines the following two properties:
Simple security property (ss property): A subject can’t read information from an object with a higher sensitivity label (also known as no read up, or NRU).
*-property (star property): A subject can’t write information to an object with a lower sensitivity label (also known as no write down, or NWD).
Bell-LaPadula also defines two additional properties that give it the flexibility of a discretionary access control model:
Discretionary security property: This property determines access based on an access matrix.
Trusted subject: A trusted subject is an entity that can violate the *-property but not its intent.
An Access Matrix model, in general, provides object access rights (read/write/execute, or R/W/X) to subjects in a discretionary access control (DAC) system. An Access Matrix consists of access control lists (columns) and capability lists (rows). See Table 9-1 for an example.

| Subject/Object | Directory: H/R | File: Personnel | Process: LPD |
|---|---|---|---|
| Thomas | Read | Read/Write | Execute |
| Richard | Read | Read | Execute |
| Harold | None | None | None |
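The following Python example is added here to show the four Bell-LaPadula properties and the Access Matrix working together; it is not code from the book. It uses Table 9-1 as the access matrix (rows are capability lists, columns are access control lists) and layers the mandatory checks on top of it. The clearances, classifications, the "Unclassified" level, the encoding of need-to-know as a set of categories, and the choice of Thomas as a trusted subject are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Hierarchical sensitivity levels, ordered from least to most sensitive.
# "Unclassified" is an assumed level below the three DoD levels the text names.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a set of need-to-know categories.
    Encoding need-to-know as categories (compartments) is an assumption of this example."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # A label dominates another when its level is at least as high
        # and it carries every category of the other label.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


# Table 9-1 as an access matrix: each row is a subject's capability list,
# each column is an object's access control list.
MATRIX = {
    "Thomas":  {"Directory: H/R": {"read"}, "File: Personnel": {"read", "write"}, "Process: LPD": {"execute"}},
    "Richard": {"Directory: H/R": {"read"}, "File: Personnel": {"read"},          "Process: LPD": {"execute"}},
    "Harold":  {"Directory: H/R": set(),    "File: Personnel": set(),             "Process: LPD": set()},
}


def capability_list(subject):
    """The matrix row: everything one subject may do."""
    return {obj: rights for obj, rights in MATRIX[subject].items() if rights}


def access_control_list(obj):
    """The matrix column: every subject that may do something to one object."""
    return {s: row[obj] for s, row in MATRIX.items() if row[obj]}


# Clearances, classifications and the trusted-subject set are constructed sample values.
CLEARANCE = {
    "Thomas":  Label("Top Secret", frozenset({"HR"})),
    "Richard": Label("Confidential"),
    "Harold":  Label("Top Secret", frozenset({"HR"})),
}
CLASSIFICATION = {
    "Directory: H/R":  Label("Confidential", frozenset({"HR"})),
    "File: Personnel": Label("Secret", frozenset({"HR"})),
    "Process: LPD":    Label("Unclassified"),
}
TRUSTED_SUBJECTS = {"Thomas"}  # may violate the *-property (e.g. a declassifier) but not its intent


def blp_decide(subject, obj, mode):
    """Reference-monitor decision: returns (allowed, reason) for mode 'read', 'write' or 'execute'."""
    s, o = CLEARANCE[subject], CLASSIFICATION[obj]
    # Discretionary security property: the access matrix must grant the right.
    if mode not in MATRIX[subject][obj]:
        return False, "ds-property: no matrix entry"
    # Simple security property (no read up): the subject must dominate the object.
    if mode == "read" and not s.dominates(o):
        return False, "ss-property: no read up"
    # *-property (no write down): the object must dominate the subject,
    # unless the subject is trusted.
    if mode == "write" and not o.dominates(s):
        if subject in TRUSTED_SUBJECTS:
            return True, "*-property waived for trusted subject"
        return False, "*-property: no write down"
    # In Bell-LaPadula, execute neither observes nor alters, so only the matrix is consulted.
    return True, "allowed"


if __name__ == "__main__":
    for s, o, m in [("Thomas", "File: Personnel", "write"),
                    ("Richard", "File: Personnel", "read"),
                    ("Richard", "Directory: H/R", "read"),
                    ("Harold", "File: Personnel", "read")]:
        print(s, m, o, "->", blp_decide(s, o, m))
```

Two of the denials are worth noticing. Richard is cleared for Confidential and the H/R directory is Confidential, yet his read is refused because he lacks the HR need-to-know category: clearance level alone is not access. Harold holds a Top Secret clearance but the matrix row for him is empty, so the discretionary property denies him before the mandatory checks are even reached.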
Take-Grant systems specify the rights that a subject can transfer to or from another subject or object. These rights are defined through four basic operations: create, revoke, take, and grant.
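As an added illustration (not from the book) of how the four Take-Grant operations move rights around a protection graph, the Python below implements the standard Take-Grant rules: a subject holding the take right (t) over a node may copy that node's rights to itself, and a subject holding the grant right (g) over a node may copy its own rights to that node. The people, the file name and the starting edges in the scenario are constructed for the example.

```python
class TakeGrantGraph:
    """Protection graph: nodes are subjects (active) or objects (passive); a directed edge
    carries the rights its source holds over its destination. 't' and 'g' are the take and
    grant rights; other rights such as 'r' and 'w' are ordinary access rights."""

    def __init__(self, subjects):
        self.subjects = set(subjects)
        self.edges = {}  # (source, destination) -> set of rights

    def rights(self, src, dst):
        return set(self.edges.get((src, dst), set()))

    def _require_subject(self, node):
        if node not in self.subjects:
            raise PermissionError(f"{node} is not a subject and cannot act")

    def create(self, subject, new_node, rights, as_subject=False):
        """create: a subject adds a new node and holds the chosen rights over it."""
        self._require_subject(subject)
        if new_node in self.subjects or any(new_node in edge for edge in self.edges):
            raise ValueError(f"{new_node} already exists")
        if as_subject:
            self.subjects.add(new_node)
        self.edges[(subject, new_node)] = set(rights)

    def remove(self, subject, target, rights):
        """remove (revoke): a subject gives up rights it holds over a target."""
        self._require_subject(subject)
        self.edges.get((subject, target), set()).difference_update(rights)

    def take(self, subject, via, target, rights):
        """take: if subject has 't' over via and via holds rights over target,
        subject copies those rights over target."""
        self._require_subject(subject)
        if "t" not in self.rights(subject, via):
            raise PermissionError(f"{subject} has no take right over {via}")
        missing = set(rights) - self.rights(via, target)
        if missing:
            raise PermissionError(f"{via} does not hold {missing} over {target}")
        self.edges.setdefault((subject, target), set()).update(rights)

    def grant(self, subject, recipient, target, rights):
        """grant: if subject has 'g' over recipient and holds rights over target,
        recipient receives those rights over target."""
        self._require_subject(subject)
        if "g" not in self.rights(subject, recipient):
            raise PermissionError(f"{subject} has no grant right over {recipient}")
        missing = set(rights) - self.rights(subject, target)
        if missing:
            raise PermissionError(f"{subject} does not hold {missing} over {target}")
        self.edges.setdefault((recipient, target), set()).update(rights)


def demo():
    """Constructed scenario: Alice owns a file, shares it with Bob, and Carol pulls the
    right from Bob. Returns the final rights of each party over the file."""
    g = TakeGrantGraph(subjects={"Alice", "Bob", "Carol"})
    g.create("Alice", "payroll.csv", {"r", "w"})   # Alice creates the object
    g.edges[("Alice", "Bob")] = {"g"}               # starting edge: Alice may grant to Bob
    g.edges[("Carol", "Bob")] = {"t"}               # starting edge: Carol may take from Bob
    g.grant("Alice", "Bob", "payroll.csv", {"r"})   # Bob can now read the file
    g.take("Carol", "Bob", "payroll.csv", {"r"})    # Carol copies Bob's read right
    g.remove("Alice", "Bob", {"g"})                 # Alice stops sharing through Bob
    return {who: g.rights(who, "payroll.csv") for who in ("Alice", "Bob", "Carol")}


if __name__ == "__main__":
    print(demo())
```

Note that Alice's revoke only removes her own grant edge; Carol keeps the read right she already took, which is exactly the kind of transitive leakage the model is designed to reason about. The practical value of Take-Grant is that the question "can this subject ever obtain this right over that object?" is decidable by inspecting the graph, rather than by enumerating every possible sequence of operations.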
Instant Answer: Bell-LaPadula, Access Matrix, and Take-Grant models address confidentiality.
Published in 1977, the Biba integrity model (sometimes referred to as Bell-LaPadula upside down) was the first formal integrity model. Biba is a lattice-based model that addresses the first goal of integrity: ensuring that modifications to data aren’t made by unauthorized users or processes. (Cross-Reference: See Chapter 6 for a complete discussion of the three goals of integrity.) Biba defines the following two properties:
Simple integrity property: A subject can’t read information from an object with a lower integrity level (also known as no read down).
*-integrity property (star integrity property): A subject can’t write information to an object with a higher integrity level (also known as no write up).
Published in 1987, the Clark-Wilson integrity model establishes a security framework for use in commercial activities, such as the banking industry. Clark-Wilson addresses all three goals of integrity and identifies special requirements for inputting data based on the following items and procedures. (Cross-Reference: See Chapter 6 for more on the three goals of integrity.)
Unconstrained data item (UDI): Data outside the control area, such as input data.
Constrained data item (CDI): Data inside the control area. (Integrity must be preserved.)
Integrity verification procedures (IVP): Check the validity of CDIs.
Transformation procedures (TP): Maintain the integrity of CDIs.
The Clark-Wilson integrity model is based upon the concept of a well-formed transaction, in which a transaction is sufficiently ordered and controlled in order to maintain internal and external consistency.
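The Python below is an added example (not from the book) of the Clark-Wilson pieces in a small banking ledger: account balances are the CDIs, a raw transfer request is a UDI, the transfer routine is a certified TP that implements a well-formed transaction, and an IVP checks that the ledger is consistent. The accounts, the subject names and the access triples that say who may run which TP are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """A constrained data item (CDI): its integrity must be preserved."""
    name: str
    balance: int  # in cents


class Ledger:
    """The control area. CDIs are changed only by certified transformation procedures (TPs),
    each subject is certified for particular TPs (access triples), and an integrity
    verification procedure (IVP) confirms the CDIs are in a valid state."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.total = sum(a.balance for a in self.accounts.values())  # invariant: money moves, it is never created
        self.log = []  # audit trail: every TP run is recorded
        self.certified = {("teller", "transfer"), ("auditor", "ivp")}  # constructed access triples

    def _authorize(self, subject, tp):
        if (subject, tp) not in self.certified:
            raise PermissionError(f"{subject} is not certified to run {tp}")

    def _consistent(self):
        # External consistency: no negative balances. Internal consistency: total unchanged.
        return (all(a.balance >= 0 for a in self.accounts.values())
                and sum(a.balance for a in self.accounts.values()) == self.total)

    def ivp(self, subject):
        """IVP, run on demand by a certified subject such as an auditor."""
        self._authorize(subject, "ivp")
        return self._consistent()

    def validate_request(self, udi):
        """Turn an unconstrained data item (raw request text) into checked values;
        anything malformed is rejected before it can touch a CDI."""
        parts = [p.strip() for p in udi.split(",")]
        if len(parts) != 3:
            raise ValueError("request must be 'source,destination,cents'")
        src, dst, amount = parts
        if src not in self.accounts or dst not in self.accounts or src == dst:
            raise ValueError("unknown or identical accounts")
        if not amount.isdigit() or int(amount) == 0:
            raise ValueError("amount must be a positive integer number of cents")
        return src, dst, int(amount)

    def transfer(self, subject, udi):
        """TP implementing a well-formed transaction: validated input, all-or-nothing update,
        consistency re-check, and a log entry either way. Returns True on commit, False on rollback."""
        self._authorize(subject, "transfer")
        src, dst, cents = self.validate_request(udi)
        snapshot = {n: a.balance for n, a in self.accounts.items()}
        self.accounts[src].balance -= cents
        self.accounts[dst].balance += cents
        if not self._consistent():
            for name, balance in snapshot.items():
                self.accounts[name].balance = balance  # undo the partial change
            self.log.append(("rollback", subject, udi))
            return False
        self.log.append(("commit", subject, udi))
        return True


if __name__ == "__main__":
    ledger = Ledger([Account("alice", 10000), Account("bob", 500)])
    print(ledger.transfer("teller", "alice,bob,2500"))   # commit
    print(ledger.transfer("teller", "bob,alice,99999"))  # rollback: would overdraw bob
    print(ledger.ivp("auditor"), ledger.log)
```

The separation of duty is in the access triples: the teller can move money but cannot run the IVP, and the auditor can verify but cannot move money. Nothing outside a TP ever writes a balance, which is what lets the IVP's result be trusted.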
Instant Answer: Biba and Clark-Wilson address integrity.
An Information Flow model is a type of access control model based on controlling the flow of information rather than individual access operations. Objects are assigned a security class and value, and the direction in which information may flow between them is governed by a security policy. This model type is useful for analyzing covert channels.
A Non-interference model ensures that the actions of subjects and objects at one security level are neither visible to nor able to influence subjects and objects at another level on the same system.
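The following Python is an added example (not from the book) of checking non-interference on two tiny state machines, and it shows why the information flow view is the one that catches covert channels. The check is the classic purge test: the outputs seen at the low level must be identical whether or not the high-level inputs are present. The two machines, the input alphabet and the search bound are constructed for the example.

```python
from itertools import product


class Isolated:
    """Each level has its own counter; nothing the high side does reaches the low side."""

    def initial(self):
        return {"high": 0, "low": 0}

    def step(self, state, level, cmd):
        state = dict(state)
        if cmd == "inc":
            state[level] += 1
            return state, None
        if cmd == "read":
            return state, state[level]
        raise ValueError(cmd)


class SharedCounter:
    """One counter shared by both levels. Access control is intact (each side only uses the
    commands it is allowed), yet high increments are visible in low reads: a covert storage
    channel that an access-control check alone would never flag."""

    def initial(self):
        return {"count": 0}

    def step(self, state, level, cmd):
        state = dict(state)
        if cmd == "inc":
            state["count"] += 1
            return state, None
        if cmd == "read":
            return state, state["count"]
        raise ValueError(cmd)


def low_view(system, inputs):
    """Run the system and return only what the low level observes (outputs of low steps)."""
    state = system.initial()
    observed = []
    for level, cmd in inputs:
        state, out = system.step(state, level, cmd)
        if level == "low":
            observed.append(out)
    return observed


def purge(inputs, level="high"):
    """Remove every input from the given level."""
    return [i for i in inputs if i[0] != level]


# Constructed input alphabet: the high side only increments, the low side increments and reads.
ALPHABET = [("high", "inc"), ("low", "inc"), ("low", "read")]


def find_interference(system, alphabet=ALPHABET, max_len=3):
    """Brute-force the non-interference condition over all input sequences up to max_len.
    Returns the first (shortest) sequence whose low view changes when high inputs are purged,
    or None if none is found within the bound."""
    for n in range(1, max_len + 1):
        for seq in product(alphabet, repeat=n):
            seq = list(seq)
            if low_view(system, seq) != low_view(system, purge(seq)):
                return seq
    return None


if __name__ == "__main__":
    print("Isolated:", find_interference(Isolated()))
    print("SharedCounter:", find_interference(SharedCounter()))
```

The witness the search returns for the shared counter is the minimal covert channel: one high increment followed by one low read changes what the low side sees. Because the search is bounded, a None result only means no interference was found up to max_len; for a real system the property is proved over the model rather than enumerated.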