Information security models are methods used to formalize security policies: they provide a precise set of rules that a computer can follow to implement the fundamental security concepts, processes, and procedures contained in a security policy. These models can be abstract or intuitive.
State Machine Model
The state machine model refers to a system that is always in secure mode regardless of the operational state it is in. According to the state machine model, a state is a snapshot of a system at a specific moment in time. The state machine model derives from the computer science definition of a finite state machine (FSM), integrating an external input with an internal machine state to model all types of systems, including parsers, decoders, and interpreters.
Given an input and a state, an FSM transitions to another state and may create an output. A transition takes place when accepting input or producing output and results in a state, which may be a new state or the same one. All state transitions must be examined; if all components of the resulting state meet the requirements of the security policy, then that state is considered secure. When every transition from a secure state leads to another secure state, the system is a secure state machine. Many other security models are influenced by the secure state concept.
The Bell-LaPadula Model
The Bell-LaPadula Model was developed to formalize the U.S. Department of Defense (DoD) multi-level security policy. The DoD classifies resources into four different levels. In ascending order from least sensitive to most sensitive they are: Unclassified, Confidential, Secret, and Top Secret. Under the Bell-LaPadula model, a subject with a given clearance can read resources at or below its clearance level. However, need-to-know further restricts this: only those resources that a person actually requires are made available. For example, an individual cleared for Secret may read Secret, Confidential, and Unclassified documents, but only the Secret documents that the individual's duties require. With these restrictions, the Bell-LaPadula model preserves the confidentiality of objects. It does not address integrity or availability of objects.
The Bell-LaPadula model is based on the state machine model. It also implements mandatory access controls and the lattice model. The lattice tiers are the classification levels used by the security policy of the organization. In this model, secure states are defined by two rules called properties:
- The Simple Security Property (SS Property) states that a subject at a specific classification level cannot read data with a higher classification level (no read up).
- The Star Security Property (*-property) states that a subject at a specific classification level cannot write data to a lower classification level (no write down). Writing to the same or a higher level is permitted, even if the subject cannot read what it writes to.
Subjects: A subject is an active entity that is seeking rights to a resource or object. A subject can be a person, a program, or a process.
Objects: An object is a passive entity, such as a file or a storage resource. In some cases, an item can be a subject in one context and an object in another. The Bell-LaPadula model does not address integrity or availability, access control management, or file sharing. It also does not impede covert channels, mechanisms that allow data to be communicated outside of normal, expected, or detectable methods.
The Biba Integrity Model
The Biba model was developed as a direct analogue to the Bell-LaPadula model and is also a state machine model based on a classification lattice with mandatory access controls. It was developed to address three integrity issues:
- The prevention of object modification by unauthorized subjects.
- The prevention of unauthorized object modification by authorized subjects.
- The protection of internal and external object consistency.
In this model there are three axioms:
- The Simple Integrity Axiom (SI Axiom), which states that a subject at a specific integrity level cannot read data with a lower integrity level (no read down).
- The Star Integrity Axiom (*-axiom), which states that a subject at a specific integrity level cannot write data to a higher integrity level (no write up).
- The Invocation Property, which states that a subject at one level of integrity cannot invoke a subject at a higher level of integrity.
The Biba model only addresses integrity, not confidentiality or availability. Its main focus is safeguarding objects from outside threats; it assumes internal threats are handled by appropriate programs. Access control management is not addressed by the Biba model, and there is no function that allows modification of an object's or subject's integrity level. In addition, it does not prevent covert channels.
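The state machine model, Bell-LaPadula, and Biba share one mechanism: a state is a snapshot of labels plus current accesses, and a transition is accepted only if the resulting state still satisfies every rule. The Python below is an added illustration, not code from the page or from any published implementation. The subjects, objects, and the two level lattices are constructed for the example; the "Low/Medium/High" integrity levels in particular are an assumption, since the page names only the confidentiality levels.

```python
"""Secure state machine whose transitions are checked against the
Bell-LaPadula (confidentiality) and Biba (integrity) rules.
Added example; subjects, objects and labels are constructed."""
from dataclasses import dataclass, field

# Two lattices, ordered lowest to highest (list index = rank).
CONF_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEG_LEVELS = ["Low", "Medium", "High"]          # assumed integrity lattice
CONF = {name: i for i, name in enumerate(CONF_LEVELS)}
INTEG = {name: i for i, name in enumerate(INTEG_LEVELS)}


@dataclass(frozen=True)
class Label:
    conf: str    # Bell-LaPadula classification / clearance
    integ: str   # Biba integrity level


@dataclass
class State:
    """Snapshot of the system: all labels plus the set of current accesses."""
    subjects: dict
    objects: dict
    accesses: set = field(default_factory=set)   # {(subject, object, mode)}


def access_allowed(s: Label, o: Label, mode: str) -> bool:
    """Check a single access against all four mandatory rules."""
    if mode == "read":
        return (CONF[s.conf] >= CONF[o.conf]             # BLP simple security: no read up
                and INTEG[s.integ] <= INTEG[o.integ])    # Biba simple integrity: no read down
    if mode == "write":
        return (CONF[s.conf] <= CONF[o.conf]             # BLP *-property: no write down
                and INTEG[s.integ] >= INTEG[o.integ])    # Biba *-axiom: no write up
    return False


def is_secure(state: State) -> bool:
    """A state is secure iff every access it holds satisfies the policy."""
    return all(access_allowed(state.subjects[s], state.objects[o], m)
               for s, o, m in state.accesses)


def transition(state: State, subj: str, obj: str, mode: str) -> bool:
    """An access request is the input. The machine moves to the new state
    only if that state is secure; otherwise the request is refused and the
    state is unchanged, so a machine that starts secure stays secure."""
    candidate = State(state.subjects, state.objects,
                      state.accesses | {(subj, obj, mode)})
    if not is_secure(candidate):
        return False
    state.accesses = candidate.accesses
    return True


def can_invoke(state: State, caller: str, callee: str) -> bool:
    """Biba invocation property: no invoking a subject of higher integrity."""
    return INTEG[state.subjects[caller].integ] >= INTEG[state.subjects[callee].integ]


def demo() -> dict:
    state = State(
        subjects={"alice": Label("Secret", "Medium"),
                  "installer": Label("Secret", "High"),
                  "logger": Label("Unclassified", "Low")},
        objects={"plan": Label("Secret", "Medium"),
                 "ts_report": Label("Top Secret", "Medium"),
                 "web_cache": Label("Unclassified", "Low"),
                 "signed_config": Label("Secret", "High")},
    )
    results = {
        "read plan": transition(state, "alice", "plan", "read"),
        "write plan": transition(state, "alice", "plan", "write"),
        "read ts_report": transition(state, "alice", "ts_report", "read"),      # no read up
        "write ts_report": transition(state, "alice", "ts_report", "write"),    # blind write up is allowed
        "read web_cache": transition(state, "alice", "web_cache", "read"),      # Biba: no read down
        "write web_cache": transition(state, "alice", "web_cache", "write"),    # BLP: no write down
        "read signed_config": transition(state, "alice", "signed_config", "read"),
        "write signed_config": transition(state, "alice", "signed_config", "write"),  # Biba: no write up
        "alice invokes installer": can_invoke(state, "alice", "installer"),
        "alice invokes logger": can_invoke(state, "alice", "logger"),
        "accesses held": len(state.accesses),
        "state secure": is_secure(state),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the refused requests never enter the state, which is what makes the final `is_secure` check pass: the policy is enforced at the transition, not audited afterwards.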
Clark-Wilson Integrity Model
The Clark-Wilson model is an integrity model that was developed after the Biba model. It addresses integrity protection from a different perspective. Instead of using a lattice structure, it implements a subject-program-object relationship, often called the access triple. Subjects access objects exclusively through programs; there is no direct access.
The Clark-Wilson model offers integrity through two principles: well-formed transactions and separation of duties. Well-formed transactions take the form of programs (transformation procedures, or TPs, in the model's terminology), the only method by which subjects are able to access protected objects (constrained data items, or CDIs). Each program has restrictions in terms of what it can or cannot do to an object, effectively limiting the subject's capabilities. If the programs are properly designed and certified, then the triple relationship protects the integrity of the object.
Separation of duties is the method of dividing critical functions into two or more parts. Each part is required to be handled by a different subject. This prevents authorized subjects from making unauthorized modifications to objects, further protecting the integrity of the object. The Clark-Wilson model requires auditing along with the above-mentioned principles. Auditing tracks changes to objects as well as inputs from outside the system.
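The following Python is an added example of the access-triple mechanism just described; it is not code from the page or from any Clark-Wilson implementation. The ledger, the user names, and the transaction procedures are constructed: a user may run a TP only if an access triple permits it, a TP sees only the CDIs it is certified for, an integrity verification procedure (IVP) re-checks the CDIs after every TP and rolls back on failure, the approval TP enforces separation of duties, and every attempt is audited.

```python
"""Clark-Wilson style enforcement: users reach constrained data items
(CDIs) only through certified transformation procedures (TPs).
Added example; ledger, users and TP names are constructed."""
import copy


class ClarkWilson:
    def __init__(self, cdis, ivp):
        self.cdis = cdis          # CDI name -> value; never handed to users directly
        self.ivp = ivp            # IVP: callable(cdis) -> bool, the consistency check
        self.tps = {}             # TP name -> (callable, CDI names it is certified for)
        self.triples = set()      # access triples (user, tp): who may run what
        self.audit = []           # append-only log of every attempt

    def certify_tp(self, name, fn, cdi_names):
        self.tps[name] = (fn, set(cdi_names))

    def allow(self, user, tp):
        self.triples.add((user, tp))

    def run(self, user, tp, *args):
        """The only way to change a CDI. Denied, failing or IVP-violating
        runs leave the CDIs untouched and are still recorded in the audit."""
        if (user, tp) not in self.triples:
            self.audit.append((user, tp, args, "denied: no access triple"))
            return False
        fn, cdi_names = self.tps[tp]
        snapshot = copy.deepcopy(self.cdis)
        view = {n: self.cdis[n] for n in cdi_names}   # TP sees only its certified CDIs
        try:
            fn(view, user, *args)
            if not self.ivp(self.cdis):
                raise ValueError("IVP failed")
        except Exception as exc:                      # roll back to the last valid state
            self.cdis.clear()
            self.cdis.update(snapshot)
            self.audit.append((user, tp, args, f"rolled back: {exc}"))
            return False
        self.audit.append((user, tp, args, "ok"))
        return True


# --- constructed TPs and IVP for a toy two-account ledger -------------------
def submit_transfer(view, user, src, dst, amount):
    view["pending"].append({"src": src, "dst": dst, "amount": amount, "by": user})


def approve_transfer(view, user, index):
    entry = view["pending"].pop(index)
    if entry["by"] == user:                      # separation of duties
        raise PermissionError("submitter may not approve own transfer")
    view["accounts"][entry["src"]] -= entry["amount"]
    view["accounts"][entry["dst"]] += entry["amount"]


def bump_balance(view, user, account, amount):   # a TP certified by mistake
    view["accounts"][account] += amount


def ledger_consistent(cdis):
    """IVP: no negative balances and the books still sum to the known total."""
    return (all(v >= 0 for v in cdis["accounts"].values())
            and sum(cdis["accounts"].values()) == cdis["total"])


def demo() -> dict:
    cw = ClarkWilson({"accounts": {"A": 100, "B": 50}, "pending": [], "total": 150},
                     ledger_consistent)
    cw.certify_tp("submit", submit_transfer, ["pending"])
    cw.certify_tp("approve", approve_transfer, ["pending", "accounts"])
    cw.certify_tp("bump", bump_balance, ["accounts"])
    for user, tp in [("alice", "submit"), ("alice", "approve"),
                     ("bob", "approve"), ("bob", "bump")]:
        cw.allow(user, tp)
    return {
        "alice submits": cw.run("alice", "submit", "A", "B", 30),
        "alice approves own": cw.run("alice", "approve", 0),      # SoD violation, rolled back
        "bob approves": cw.run("bob", "approve", 0),
        "mallory submits": cw.run("mallory", "submit", "A", "B", 1),  # no access triple
        "bob bumps": cw.run("bob", "bump", "B", 10),              # IVP catches it, rolled back
        "accounts": dict(cw.cdis["accounts"]),
        "pending": len(cw.cdis["pending"]),
        "audit entries": len(cw.audit),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The rollback in `run` is what makes the IVP useful: a mis-certified TP such as `bump_balance` can still be invoked, but the inconsistent state it produces never becomes the system state.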
The Brewer and Nash Model
The Brewer and Nash model has similarities with the Bell-LaPadula model and is also referred to as the Chinese Wall model. This model allows access controls to change dynamically based on a user's past activity. It applies to a single integrated database and seeks to create security domains that are sensitive to the notion of conflict of interest (COI).
Data is labeled with the security domain it belongs to and with the conflict class that domain falls in. The model then blocks any subject that has accessed one domain in a conflict class from accessing any other domain in the same conflict class. This structure isolates the data within each conflict class to shield users from potential conflict of interest scenarios.
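The history-dependent rule above, as an added Python example (not code from the page or from Brewer and Nash's paper). The company datasets, conflict classes, and analysts are constructed. Besides the read rule the block also applies the model's write rule in its simplest form, which is an assumption beyond the page's text: a subject may write to a dataset only if it can read it and has read no other dataset, so that information from one company cannot be copied into another's files.

```python
"""Brewer and Nash (Chinese Wall): what a subject may touch depends on
what it has already touched.  Added example; datasets, conflict classes
and analysts are constructed."""
from collections import defaultdict


class ChineseWall:
    def __init__(self, conflict_class):
        self.conflict_class = conflict_class   # dataset -> conflict-of-interest class
        self.history = defaultdict(set)        # subject -> datasets it has already read

    def can_read(self, subject, dataset):
        """Allowed unless the subject has read a *different* dataset in the
        same conflict class: the wall goes up after the first read."""
        cls = self.conflict_class[dataset]
        return all(self.conflict_class[d] != cls or d == dataset
                   for d in self.history[subject])

    def read(self, subject, dataset):
        if not self.can_read(subject, dataset):
            return False
        self.history[subject].add(dataset)     # this read changes future rights
        return True

    def can_write(self, subject, dataset):
        """Assumed simple write rule: readable target, and nothing else ever
        read by this subject, otherwise data could leak across datasets."""
        return (self.can_read(subject, dataset)
                and self.history[subject] <= {dataset})


def demo() -> dict:
    wall = ChineseWall({"BankA": "banks", "BankB": "banks",
                        "OilX": "oil", "OilY": "oil"})
    return {
        "analyst reads BankA": wall.read("analyst", "BankA"),
        "analyst reads OilX": wall.read("analyst", "OilX"),      # different class, fine
        "analyst reads BankB": wall.read("analyst", "BankB"),    # wall: BankA already read
        "analyst rereads BankA": wall.read("analyst", "BankA"),
        "analyst writes BankA": wall.can_write("analyst", "BankA"),  # has read OilX too
        "junior reads BankA": wall.read("junior", "BankA"),
        "junior writes BankA": wall.can_write("junior", "BankA"),
        "junior writes OilX": wall.can_write("junior", "OilX"),  # readable, but BankA was read
        "analyst history": sorted(wall.history["analyst"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same request ("read BankB") gets different answers for the two analysts; nothing about the data changed, only the subjects' histories did, which is what distinguishes this model from a static lattice.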
The Take-Grant Model
The Take-Grant model is a confidentiality-based model that uses a directed graph to specify the rights that can be passed from one subject to another or from a subject to an object. Nodes are subjects and objects; a labeled edge from one node to another records the rights the first holds over the second. Two of these rights are special: a subject holding the take right over a node may take any right that node holds over a third node, and a subject holding the grant right over a node may grant that node any right the subject itself holds. Together with rules for creating new nodes and removing rights, these are the only ways rights can move through the graph, which makes it possible to decide whether a given subject can ever obtain a given right.
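The four rewriting rules as an added Python example (not code from the page or from the original Take-Grant papers). Node names and the initial rights are constructed; the single-letter right labels `t` (take) and `g` (grant) follow the model's usual notation, while `r`/`w` are ordinary rights used for illustration.

```python
"""Take-Grant protection graph: nodes are subjects and objects, labelled
edges are rights, and take/grant/create/remove are the only ways rights
move.  Added example with constructed node names."""
from collections import defaultdict


class TakeGrantGraph:
    def __init__(self):
        self.edges = defaultdict(set)   # (src, dst) -> set of rights, e.g. {"r", "w", "t", "g"}

    def rights(self, x, y):
        return self.edges[(x, y)]

    def add(self, x, y, *rights):
        self.edges[(x, y)].update(rights)

    def take(self, x, y, z, right):
        """Take rule: x holds t over y and y holds `right` over z,
        so x may take `right` over z."""
        if "t" in self.rights(x, y) and right in self.rights(y, z):
            self.add(x, z, right)
            return True
        return False

    def grant(self, x, y, z, right):
        """Grant rule: x holds g over y and x holds `right` over z,
        so x may grant `right` over z to y."""
        if "g" in self.rights(x, y) and right in self.rights(x, z):
            self.add(y, z, right)
            return True
        return False

    def create(self, x, new, *rights):
        """Create rule: x creates a new node and holds `rights` over it."""
        self.add(x, new, *rights)

    def remove(self, x, y, right):
        """Remove rule: x drops `right` over y."""
        self.rights(x, y).discard(right)


def demo() -> dict:
    g = TakeGrantGraph()
    g.add("alice", "helper", "t")      # alice can take from helper
    g.add("helper", "proc", "t")       # helper can take from proc
    g.add("proc", "secret", "r", "w")  # proc reads and writes secret
    g.add("bob", "worker", "g")        # bob can grant to worker

    results = {
        # alice cannot take from proc directly: she holds no t over proc yet
        "alice takes w via proc": g.take("alice", "proc", "secret", "w"),
        # but she can first take helper's t-right over proc ...
        "alice takes t over proc": g.take("alice", "helper", "proc", "t"),
        # ... and then take proc's rights over secret
        "alice takes w via proc again": g.take("alice", "proc", "secret", "w"),
        "alice rights on secret": sorted(g.rights("alice", "secret")),
        # bob holds nothing over secret, so he has nothing to grant
        "bob grants r on secret": g.grant("bob", "worker", "secret", "r"),
    }
    g.create("bob", "scratch", "r", "w")
    results["bob grants w on scratch"] = g.grant("bob", "worker", "scratch", "w")
    g.remove("bob", "worker", "g")
    results["bob grants r on scratch after remove"] = g.grant("bob", "worker", "scratch", "r")
    results["worker rights on scratch"] = sorted(g.rights("worker", "scratch"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two-step take in `demo` is the point of the model: the question is not whether alice holds `w` over `secret` now, but whether some sequence of rule applications lets her obtain it, and here the chain of `t` edges answers yes.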
The Information Flow Model
The information flow model is based on a state machine model, and consists of objects, state transitions, and lattice states. Information flow models are constructed to block unauthorized, insecure, or restricted information flow, either between subjects and objects at the same classification level, or between subjects and objects at different classification levels. It permits authorized information flows within the same classification level or between different classification levels, while preventing all unauthorized information flows between or among the classification levels.
The Bell-LaPadula model and the Biba model are both information flow models. Bell-LaPadula concentrates on blocking the information flow from a high security level to a low security level. Biba is focused on preventing information from flowing from a low security level to a high security level.
The Noninterference Model
The noninterference model is based on the information flow model, but addresses how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level. In this model, the actions of the higher security level subject must have no influence on what a subject at a lower security level can observe or do. Essentially, the higher security subject should go unnoticed at the lower level; if the lower-level subject can detect that the higher-level subject did something, there is a channel from high to low, whether or not any data was explicitly written.
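The "should go unnoticed" condition can be tested mechanically on a small system: run every short trace of High and Low actions, run the same trace with all High actions removed, and compare what Low sees. This is an added Python example, not code from the page; the purge-and-compare formulation follows the standard noninterference definition, and the two toy systems (a shared counter that leaks, and a partitioned one that does not) are constructed for the illustration.

```python
"""Noninterference check by purging: if removing every High action can
ever change the Low view of a trace, High interferes with Low.
Added example; the two toy systems are constructed."""
from itertools import product

# Constructed action alphabet: (security level, operation).
ACTIONS = [("H", "inc"), ("L", "inc"), ("H", "reset"), ("L", "reset")]


class SharedCounter:
    """Interfering: one counter touched by both levels and readable by Low."""
    def __init__(self):
        self.count = 0

    def step(self, level, op):
        self.count = 0 if op == "reset" else self.count + 1

    def low_view(self):
        return self.count


class PartitionedCounter:
    """Noninterfering: each level keeps its own counter; Low sees only its own."""
    def __init__(self):
        self.count = {"H": 0, "L": 0}

    def step(self, level, op):
        self.count[level] = 0 if op == "reset" else self.count[level] + 1

    def low_view(self):
        return self.count["L"]


def run(system_cls, trace):
    """Execute a trace from the initial state and return what Low observes."""
    system = system_cls()
    for level, op in trace:
        system.step(level, op)
    return system.low_view()


def purge(trace, level="H"):
    """Remove every action of the given level from the trace."""
    return tuple(a for a in trace if a[0] != level)


def find_interference(system_cls, actions=ACTIONS, max_len=3):
    """Return the shortest trace (up to max_len) whose purged version yields
    a different Low view, or None if no such trace exists within the bound.
    The search is exhaustive, so None is a proof for traces of that length."""
    for n in range(max_len + 1):
        for trace in product(actions, repeat=n):
            if run(system_cls, trace) != run(system_cls, purge(trace)):
                return trace
    return None


if __name__ == "__main__":
    print("SharedCounter:", find_interference(SharedCounter))
    print("PartitionedCounter:", find_interference(PartitionedCounter))
```

For the shared counter the witness is a single High increment: Low reads 1 where it would have read 0, so Low knows High acted even though High never "wrote" anything Low owns. The same purge-and-compare approach scales to any deterministic model whose state space you can enumerate, which is how noninterference is checked in practice before it is proved.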
The Access Control Matrix
An access control matrix is a table that states a subject’s access rights on an object. A subject’s access rights can be of the type read, write, and execute. Each column of the access control matrix is called an Access Control List (ACL) while each row is called a capability list.
An ACL is connected to the object and outlines the actions each subject can perform on that object. A capability list is connected to the subject and outlines the actions that a specific subject is allowed to perform on each object. The access matrix model follows discretionary access control because the entries in the matrix are set at the discretion of the individual who has authority over the object, typically its owner, rather than by a system-wide mandatory policy.
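Both views are projections of the same matrix, and the discretionary part is a rule about who may edit a cell. The Python below is an added example (not code from the page) that stores the matrix sparsely, derives the ACL of an object and the capability list of a subject from it, and lets only the subject holding an assumed `own` right on an object change that object's column. The subjects, objects, and right names are constructed.

```python
"""Access control matrix with its two derived views (ACL per object,
capability list per subject) and a discretionary grant rule.
Added example with constructed subjects, objects and rights."""
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        self.cells = defaultdict(set)   # (subject, object) -> set of rights

    def allowed(self, subject, obj, right):
        return right in self.cells.get((subject, obj), set())

    def acl(self, obj):
        """Column view: the ACL attached to one object."""
        return {s: set(r) for (s, o), r in self.cells.items() if o == obj and r}

    def capabilities(self, subject):
        """Row view: the capability list attached to one subject."""
        return {o: set(r) for (s, o), r in self.cells.items() if s == subject and r}

    def set_owner(self, subject, obj, *rights):
        """Bootstrap: creating an object gives its creator 'own' plus `rights`.
        ('own' as a right is an assumption of this example.)"""
        self.cells[(subject, obj)].update({"own", *rights})

    def grant(self, granter, subject, obj, right):
        """DAC: a cell in an object's column changes only at the owner's discretion."""
        if not self.allowed(granter, obj, "own"):
            return False
        self.cells[(subject, obj)].add(right)
        return True

    def revoke(self, granter, subject, obj, right):
        if not self.allowed(granter, obj, "own"):
            return False
        self.cells[(subject, obj)].discard(right)
        return True


def demo() -> dict:
    m = AccessMatrix()
    m.set_owner("alice", "report.txt", "read", "write")
    m.set_owner("bob", "notes.txt", "read", "write")
    return {
        "alice grants bob read": m.grant("alice", "bob", "report.txt", "read"),
        "alice grants bob write": m.grant("alice", "bob", "report.txt", "write"),
        "bob grants carol read": m.grant("bob", "carol", "report.txt", "read"),  # bob is not owner
        "bob shares notes": m.grant("bob", "carol", "notes.txt", "read"),
        "alice revokes bob write": m.revoke("alice", "bob", "report.txt", "write"),
        "bob can write report": m.allowed("bob", "report.txt", "write"),
        "acl report.txt": m.acl("report.txt"),
        "caps bob": m.capabilities("bob"),
        "caps carol": m.capabilities("carol"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real systems keep only one of the two projections: a file system stores ACLs with the object, a capability system hands capabilities to the subject. Deriving both from one matrix, as here, makes it obvious that they carry identical information and differ only in where the check is cheap to perform.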