All right now, let's pick up where we left off in talking about security models. Previously we talked about some concepts of secure architectural design, and really, the most essential idea behind secure architectural design is: build the product to be secure. Don't treat security as an afterthought. Don't build the product to work and then go, "Oh, it's not secure," which is what we've done traditionally with so many protocols and so many applications. Secure by design is what this entire chapter focuses on. So in this next section, what we look at are some security models on which we can base our systems.
Now, these security models are mathematical models. You don't have to know the programming, and you don't have to know the math behind them, but you do need to know what each of these models proposes and what it attempts to demonstrate and enforce. Some models are primarily focused on confidentiality, some on integrity, some on preventing conflict of interest or enforcing isolation. Whatever the need for the model, each has a specific purpose and a specific function.
It's also important to understand that often one model is built upon another, which is built upon another. So rarely do these models stand alone, and hopefully you'll see what I mean as we get through these. We've got a handful of models that you would need to know. Quite honestly, the two that are most testable are Bell-LaPadula and Biba. These always come up. For any of you who have taken the CISSP exam, they're big on CISSP; they're big on CISM. And when I say they're big, out of all the security models, how many questions? I think you'll see two, maybe three on them, so this is not something that's going to make or break you. But these are very much factual questions; they're not very subjective. So if you can memorize your security models, there will be a handful of questions that you know you're going to get right. All right. So as we move forward, let's talk about the different types of security models, and we can't move forward without talking about the state machine model.
We have to stop here because this is really the basis on which all the other models are built. You might hear this called the secure state model or the state machine model; either one is fine. This model kind of sounds like a gimme at first, but it actually is very profound and very important. What the model says is: if a system starts securely, and if it runs securely, and if it shuts down securely, even in failure, then we have a secure system. In formal terms, the system is described as a set of states and the transitions between them, with the security policy stated as a property every state must satisfy; if the initial state satisfies the policy and every transition preserves it, then every reachable state is secure. Now I know that sounds like a no-brainer, and to a degree it is. But really, it's the flip side of that that's so significant, because what it also says is: unless a system starts securely, runs securely and shuts down securely, even in failure, then it's not secure. So many times when we talk about a system, we talk about how it operates during normal function: what the operating system does, how it enforces security policy, those ideas. But if a system doesn't start securely, and I can bypass that operating system by booting you into a compromised set of configuration or startup files, then none of that security matters. So what the state machine model says is you must provide elements for security in all three phases, or all three states, of operation: you must start securely, perform all operations securely, and shut down securely, even in failure. We talked just a little bit ago about failing secure and failing safe to protect resources. But the bottom line here: unless this model is in place, none of the other models matter, because all the other models protect a system during operation. If you haven't secured that system at startup or at shutdown, that doesn't matter.

All right, so that's the state machine model. That one's usually pretty straightforward for most people. The one they love to ask about, probably more so than all the others, is the Bell-LaPadula security model. Bell-LaPadula is a confidentiality model. That's all Bell-LaPadula is designed to do. It was designed to be used by the government, specifically the U.S. Department of Defense in the early 1970s, to protect state secrets, so it doesn't care about integrity. All it tries to do is give us instructions on how to enforce confidentiality within a system. Now, many of these models are made up of rules, and Bell-LaPadula has several different rules that we'll have to look at. But again, it's based on the state machine model, and it's
designed to give us confidentiality. So there are three main rules that I would know with Bell-LaPadula: the simple security property, the star security property and the strong star property. The star property is written with an asterisk, the *-security property; that's how you'll see it on the page, but it's pronounced "star property." Now, in a couple of these models you're going to have a simple rule and a star rule. Simple will always talk about read, how you can read; star will always talk about write. So when you see a star property, you know it's going to dictate the behavior we're allowed while writing, and when you see a simple property, it's going to dictate what we can do as far as read goes. The way I remember that is the phrase "it is written in the stars": star is write, simple is read. All right. So for the simple security property, most people find Bell-LaPadula makes sense because it's kind of what we think about anyway.
For those of us who work in military or government environments, let's say I have secret clearance. Would it make sense that I can't read top secret information? I think most people would say yes, that makes sense. That's the simple security property. The simple security property says no read up. Okay, no read up makes sense: I've got secret clearance, I can't read top secret documents. Now there's another property called the star security property. If you'll remember, star means write. The star security property says no write down. So if I've got top secret clearance, I can't write documents to a folder that's labeled secret. Why? Because I might be leaking sensitive information down to lower levels. Notice that the star property bites even when the subject is trusted: it's there to stop a cleared person, or a program running on their behalf, from copying high data somewhere that low can read it.
Okay, so the star security property says no write down. Bell-LaPadula is not an all-or-nothing deal. You can apply just the simple security property, or just the star security property, or the strong star property. There are some other properties you can apply as well, so it's not all or nothing; it depends on which rule you apply. You can apply just the portion that says no read up, that's the simple property, or you can apply no write down, that's the star property. The strong star property says stay where you are: no read or write up or down. In other words, a subject reads and writes only at exactly its own level, which closes the case the plain star property leaves open, a secret subject writing up into a top secret object it can't read back.
Those are the three main properties. There's also a property called the tranquility property with Bell-LaPadula, and it's very logical. The tranquility property says security labels on subjects or objects can't be arbitrarily changed. Strong tranquility means labels never change while the system is running; weak tranquility means they can change, but never in a way that violates the policy. That makes sense. If I want top secret clearance, I don't just get to right-click on my user account and promote myself, right?
So the tranquility property says, here's how you design a system to prohibit that. Now, if Bell-LaPadula makes sense to you, excellent, because we're going to flip it on its head for Biba. Biba at first is very confusing to people, but you have to think about the context for which it's designed, and literally Bell-LaPadula is almost exactly the opposite of Biba. The reason for that is they do different things. Bell-LaPadula is concerned with confidentiality; Biba is concerned with integrity, protecting the integrity of the knowledge base. So we've got a whole different purpose for this one. Let's go ahead and look at the rules of Biba. Again, there's a simple axiom and a star axiom. Simple is read; star is write.
So what Biba says is no read down. That always seems weird, right? No read down. You mean I can read up with Biba? Yep, all day long. The reason for that is we're not trying to protect confidentiality. What we're trying to do is protect the integrity of the knowledge base, the accuracy of the knowledge base, the sanctity of the knowledge base, if you will. If you go to a less trusted source for your information, you'll pollute the knowledge base. I'll give you an example.
I'm almost ashamed to admit this, but it's part of the learning process, so I'm going to share this with you all. Some friends of mine that I used to work with were always coming in talking about this dreadful television show, Honey Boo Boo. I do not endorse this show. So finally, after they'd come in and talk about it again and again, I said, fine, I'm going to go ahead and watch it. I made it eight minutes into watching this television show, and I literally felt myself get dumber every second that I watched that TV. I polluted my knowledge base. I have a knowledge base, and I go to a less trusted source to fill up my brain, and all of a sudden I bring the knowledge base down. That's what Biba is designed to prevent.
Can I go to more trusted sources for my information? Absolutely. That's how knowledge works; that's how I get smarter. I can read up, because up has more accurate information. It's just like if you were to write a research paper and cite Wikipedia. How trusted is Wikipedia? It is not trusted at all. It's written by the masses, right, and people are able to update it and edit it as they see fit. So it's not a trusted source. You don't go to an untrusted source to improve your knowledge; you go to a more trusted one.
So Biba says no read down. That's the simple integrity axiom: no read down. Along those same lines, Biba's star integrity axiom says no write up. Why? Because you might pollute a knowledge base. If I'm not a doctor or physician and I write up medical advice, and someone chooses to use that medical advice, that could be very dangerous, right? I'm polluting the knowledge base. So what Biba says is, let's protect the sanctity and the accuracy and the integrity of knowledge. Don't read down, because that's less trusted. Don't write up, because you're less trusted. And then there's also an invocation property, which says a subject cannot invoke, that is, call on or request service from, a subject at a higher integrity level. It's a little bit like Bell-LaPadula's strong star property in that it stops you reaching above your level, but where Bell-LaPadula's strong star property says no read or write up or down, the invocation property only says no invoking up; the two axioms already cover read and write.
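To make the two rule sets concrete, here is a small Python example, added for this text and not taken from the lecture or from any real system, that evaluates Bell-LaPadula's simple, star and strong star properties and Biba's simple, star and invocation properties over the same kind of ordered label set, and refuses relabelling in the spirit of the tranquility property. The level names, the lattice order and the scenarios at the bottom are assumptions chosen to match the lecture's examples. The thing to notice is that every Biba check is a Bell-LaPadula check with the direction of the comparison flipped.

```python
"""Bell-LaPadula and Biba rule checks over a simple linear lattice.

Added example for this text; not code from the lecture or any real
system. The level names and the scenarios below are assumptions.
"""

# Linear lattices, lowest first. Bell-LaPadula orders by sensitivity,
# Biba by trustworthiness; the rule logic is the same "dominates" test.
CLASSIFICATION = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
INTEGRITY = ["UNTRUSTED", "USER", "SYSTEM"]


def dominates(lattice, a, b):
    """True when label a is at or above label b in the given ordering."""
    return lattice.index(a) >= lattice.index(b)


def blp_allowed(subject, obj, op, strong_star=False):
    """Bell-LaPadula (confidentiality).

    simple security property: no read up
    *-property:               no write down
    strong *-property:        read and write only at the subject's own level
    """
    if strong_star:
        return subject == obj  # stay where you are, for both read and write
    if op == "read":
        return dominates(CLASSIFICATION, subject, obj)
    if op == "write":
        return dominates(CLASSIFICATION, obj, subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allowed(subject, obj, op):
    """Biba (integrity): the mirror image of Bell-LaPadula.

    simple integrity axiom: no read down
    *-integrity axiom:      no write up
    invocation property:    no invoking a subject of higher integrity
    """
    if op == "read":
        return dominates(INTEGRITY, obj, subject)
    if op in ("write", "invoke"):
        return dominates(INTEGRITY, subject, obj)
    raise ValueError(f"unknown operation {op!r}")


class TranquilLabels:
    """Strong tranquility: labels cannot change once the system is running."""

    def __init__(self, labels):
        self._labels = dict(labels)

    def label_of(self, name):
        return self._labels[name]

    def relabel(self, name, new_label):
        # "Right-clicking your account and promoting yourself" is exactly
        # what this refuses; the new label is never applied.
        raise PermissionError(f"tranquility: {name!r} keeps label {self._labels[name]!r}")


def lecture_scenarios():
    """The lecture's own examples, evaluated by the rules above."""
    return {
        # Bell-LaPadula: SECRET clearance versus TOP SECRET and CONFIDENTIAL data
        "blp secret reads top secret": blp_allowed("SECRET", "TOP SECRET", "read"),
        "blp secret reads confidential": blp_allowed("SECRET", "CONFIDENTIAL", "read"),
        "blp top secret writes to secret folder": blp_allowed("TOP SECRET", "SECRET", "write"),
        "blp secret writes to top secret": blp_allowed("SECRET", "TOP SECRET", "write"),
        "blp strong star secret reads secret": blp_allowed("SECRET", "SECRET", "read", strong_star=True),
        "blp strong star secret reads confidential": blp_allowed("SECRET", "CONFIDENTIAL", "read", strong_star=True),
        # Biba: a SYSTEM-integrity knowledge base and an UNTRUSTED source (Wikipedia)
        "biba system reads untrusted source": biba_allowed("SYSTEM", "UNTRUSTED", "read"),
        "biba user reads system docs": biba_allowed("USER", "SYSTEM", "read"),
        "biba untrusted writes medical advice up": biba_allowed("UNTRUSTED", "SYSTEM", "write"),
        "biba system writes down": biba_allowed("SYSTEM", "USER", "write"),
        "biba user invokes system service": biba_allowed("USER", "SYSTEM", "invoke"),
    }


if __name__ == "__main__":
    for scenario, allowed in lecture_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {scenario}")
    labels = TranquilLabels({"alice": "SECRET"})
    try:
        labels.relabel("alice", "TOP SECRET")
    except PermissionError as e:
        print("DENY ", e)
```

Run it and read the DENY lines against the rules: the only Bell-LaPadula denials are read up and write down, and the only Biba denials are read down, write up and invoke up.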
Okay, now one thing. I want to pause here and caution you. These are models; these are theoretical concepts. Don't try to go out there and research and find a Bell-LaPadula system or a Biba system. Don't try to real-world this too much; this is very much academic in nature.
Quite honestly, I don't think I've ever heard a human being speak the words Bell-LaPadula
outside of the academic world, outside of CISSP or CISM or whatever. So this may not necessarily be something you go rushing back to work with, but the concepts are very important. Protect the knowledge base: when you've got information you want to keep accurate, think about keeping people from writing to it if they're at a lower level of trust. And the rules do show up in real systems even when the names don't: SELinux's MLS policy enforces Bell-LaPadula's no read up and no write down between sensitivity levels, and Windows Mandatory Integrity Control enforces Biba's no write up, which is why a low-integrity browser process can't write to a medium-integrity user's files. Right, so that's Bell... I'm sorry, that's Biba, and it really is the mirror image of Bell-LaPadula: Bell-LaPadula for confidentiality, Biba for integrity.
All right, now the next model. Those two came out of government and academic work, whether for research or for protecting classified information. Now we have the first commercial model, which is the Clark-Wilson security model, and this model is brilliant and accurate, and it is all over the place. You'll see Clark-Wilson everywhere you go once we talk about it. Now, I'm going to give you a simple explanation of what the Clark-Wilson model says, and then I'll say it more eloquently. The simple explanation: Clark-Wilson says keep users out of your stuff, or they'll break it. Ponder that for a second. Keep users out of your stuff, or they'll break it.
Think about when I go to make a purchase on Amazon. If I want to buy a book, do I get the password to Amazon's database table, go in, decrement the quantity of that book by one and ring myself out, so to speak? Of course not. Why? Because I'll break their database. They know that, so they don't let me have access to their table. They give me access to a front-end application, and that front-end application is locked down very tightly. For instance, when they ask for my address, and I'm originally from North Carolina, they don't give me 50 characters so I can type out "North Carolina." Why? Because I'll mess that up. I'll misspell it, I'll abbreviate it wrong, I'll do something crazy. So they give me two characters. I can still mess that up, but it's a lot harder. And if they're really smart, they don't even give me two characters. What do they give me so that I can choose my state? A drop-down list, right? It's very hard for me to mess up a drop-down list. So they use the front-end interface to control what I can do. As a user, I ultimately will wind up modifying their database, because I'm making a purchase, but they're not going to let me do that directly. They give me permission to a front-end application, and the application has access to the back-end database. That's Clark-Wilson. One caveat a practitioner should keep in mind: the drop-down in the browser is only a convenience. Anyone can edit the request before it's sent, so the real control is the check the application makes on the server before it touches the database.
So let's say that a little bit more eloquently. Clark-Wilson enforces well-formed transactions through the use of the access triple. I kind of like the way I said it the first time a little better, but let's say it again: Clark-Wilson enforces well-formed transactions through the use of the access triple, and that access triple is the user, the interface and the back-end trusted resource. Now, Clark-Wilson has slightly different terms for them. The model still calls the user the user; that's part one of the access triple. The second piece, the interface, Clark-Wilson refers to as a TP, a transformation procedure. So the user invokes the transformation procedure, and the transformation procedure modifies the CDI, the constrained data item. Two more terms round it out: data that hasn't been through a TP yet, like raw user input, is a UDI, an unconstrained data item, and the only way it becomes a CDI is by passing through a TP; and an IVP, an integrity verification procedure, checks that the CDIs are in a valid state. Now, that's probably more depth than you need for this particular exam, but just understand the concept of keeping untrusted away from trusted. These are my resources, this is my database, and I'm going to keep users out of it. And even if users need to modify it, I'm going to force them through an interface to make sure they do so in a secure manner.
Clark-Wilson also gives us the idea of separation of duties. A bank teller takes a $10,000 deposit. I've used this example earlier: I don't get keys to the vault, right? I hand the money being deposited to the bank teller. He's my interface, my trusted interface, the middleman. In the model, separation of duties is built into the triples: the person who certifies a TP as correct is not one of the users allowed to run it, and no single user holds every triple needed to complete a sensitive transaction alone. So any time you see untrusted going through an interface to access trusted, that's Clark-Wilson. If you've ever hidden columns in an Excel spreadsheet, you've manipulated the interface to control what untrusted users or entities see, although bear in mind that hiding a column is only interface shaping, not a security control: anyone with the file can unhide it. If you go to an ATM, swipe your card and punch in your PIN, think about what you see on the screen. Where is the option to enter maintenance mode? Ideally, there isn't one on the screen. Why? Because I'd give it a shot; I might get lucky, right? So what do they do? They constrain that interface, because they know that if they give me so much as an option, I'll try to abuse it. So Clark-Wilson constrains the interface to limit what the user can do. It's all about that interface. Okay, so Clark-Wilson is very important.
Ultimately, what Clark-Wilson is going to do is keep unauthorized users from making changes. Sure, that's an important rule of integrity, but it also keeps authorized users from making unauthorized changes. I'm authorized, I'm legitimate, but it keeps me from doing something I shouldn't be able to do. And then, ultimately, it maintains internal and external consistency. That means when I look at my inventory system and it says I should have three widgets on the shelf, I should be able to go to the shelf and count three widgets. What's outside should match what's inside. That's all Clark-Wilson is about: protecting the integrity of the information through the use of the access triple. Clark-Wilson is an important, important security model.
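Here is the access triple as working code, an example added for this text rather than the lecture's own or any retailer's: an inventory CDI that only two certified TPs can change, a triple table that gives the customer one TP and the warehouse another, a UDI check that rejects a typed-out state name before the CDI is touched, and an IVP plus a shelf reconciliation for internal and external consistency. The users, TP names, opening stock and the list of valid states are assumptions. Python's attributes are not a real boundary, so in this toy the "keep users out of the table" property rests on callers going through run(); in a real deployment it rests on the customer never holding database credentials at all.

```python
"""Clark-Wilson in code: access triples, transformation procedures (TPs),
constrained data items (CDIs), a UDI check and an integrity verification
procedure (IVP). Added example for this text, not the lecture's or any
retailer's code; the users, TP names, stock and valid states are assumed."""

VALID_STATES = {"NC", "NY", "CA", "TX"}  # assumed drop-down values


class Inventory:
    """The CDI. Lives behind the ClarkWilson gate; nothing else should touch it."""

    def __init__(self, opening_stock):
        self.opening = dict(opening_stock)
        self.stock = dict(opening_stock)
        self.ledger = []  # (item, delta, reason), append-only


class ClarkWilson:
    """The gate: a (user, TP, CDI) triple must exist before a TP may run."""

    def __init__(self, cdi):
        self.cdi = cdi
        self.tps = {"place_order": self._tp_place_order, "restock": self._tp_restock}
        # Separation of duties: customers order, the warehouse restocks, and no
        # triple grants anyone raw "edit_stock" access to the table.
        self.triples = {("customer", "place_order", "inventory"),
                        ("warehouse", "restock", "inventory")}

    def run(self, user, tp_name, **udi):
        """Only entry point. Checks the triple, runs the TP, then runs the IVP."""
        if tp_name not in self.tps:
            raise PermissionError(f"{tp_name!r} is not a certified TP")
        if (user, tp_name, "inventory") not in self.triples:
            # Authorized user, but not authorized for this particular change.
            raise PermissionError(f"no access triple ({user}, {tp_name}, inventory)")
        result = self.tps[tp_name](**udi)
        if not self.ivp():
            raise RuntimeError("IVP failed: CDI left in an invalid state")
        return result

    # Transformation procedures: the only code that changes the CDI.

    def _tp_place_order(self, item, qty, ship_state):
        """Well-formed transaction: validate the UDI (user input) first, then
        change the CDI all-or-nothing. The web page's drop-down is not the
        control; this server-side check is, since the page can be bypassed."""
        if ship_state not in VALID_STATES:
            raise ValueError(f"invalid state {ship_state!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError("quantity must be a positive integer")
        on_hand = self.cdi.stock.get(item, 0)
        if on_hand < qty:
            raise ValueError(f"only {on_hand} {item}(s) in stock")
        self.cdi.stock[item] = on_hand - qty
        self.cdi.ledger.append((item, -qty, f"order shipped to {ship_state}"))
        return self.cdi.stock[item]

    def _tp_restock(self, item, qty):
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError("quantity must be a positive integer")
        self.cdi.stock[item] = self.cdi.stock.get(item, 0) + qty
        self.cdi.ledger.append((item, qty, "restock"))
        return self.cdi.stock[item]

    # Integrity verification procedures.

    def ivp(self):
        """Internal consistency: opening stock plus the ledger equals current
        stock, and no count is negative."""
        expected = dict(self.cdi.opening)
        for item, delta, _ in self.cdi.ledger:
            expected[item] = expected.get(item, 0) + delta
        return expected == self.cdi.stock and all(n >= 0 for n in self.cdi.stock.values())

    def reconcile(self, physical_count):
        """External consistency: the system's count matches what is on the shelf."""
        return physical_count == self.cdi.stock


def lecture_scenarios():
    """The lecture's examples pushed through the gate; returns what each did."""
    cw = ClarkWilson(Inventory({"widget": 3}))  # three widgets on the shelf
    out = {}

    def attempt(name, user, tp, **udi):
        try:
            out[name] = ("ok", cw.run(user, tp, **udi))
        except (PermissionError, ValueError) as e:
            out[name] = ("denied", type(e).__name__)

    attempt("customer buys one widget", "customer", "place_order", item="widget", qty=1, ship_state="NC")
    attempt("customer types state", "customer", "place_order", item="widget", qty=1, ship_state="North Carolina")
    attempt("customer edits table directly", "customer", "edit_stock", item="widget", qty=-3)
    attempt("customer tries to restock", "customer", "restock", item="widget", qty=100)
    attempt("customer buys more than stock", "customer", "place_order", item="widget", qty=5, ship_state="NY")
    attempt("warehouse restocks", "warehouse", "restock", item="widget", qty=2)
    out["internal consistency"] = cw.ivp()
    out["shelf count matches"] = cw.reconcile({"widget": 4})
    return out


if __name__ == "__main__":
    for scenario, result in lecture_scenarios().items():
        print(f"{scenario:32} {result}")
```

The two PermissionError cases are the two halves of the model's goal: "edit_stock" is the maintenance-mode option that isn't on the screen, and the customer running "restock" is an authorized user attempting an unauthorized change. The ValueError cases are UDIs that never reach the CDI.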
You'll see Clark-Wilson everywhere you go. Another model developed for commercial industry is the Brewer-Nash security model, sometimes referred to as the Chinese Wall, although I think people are moving toward just calling it Brewer-Nash. This is only for use in a very particular environment; this isn't for everybody's database. Many people may never even see Brewer-Nash, but it's designed as a database control for organizations that collect information about a lot of different businesses, including competitors within the same industry. Think about a stock exchange like the New York Stock Exchange, or a consultancy, and all the companies they hold financial information on. The idea is to prevent conflict of interest, to keep one of my employees from going out and collecting information about competitors. Maybe I've decided to do a little insider trading, so I want to find out the financials on various credit card companies: Visa, MasterCard, American Express, Discover, and so on. So what Brewer-Nash says is, if you have a database that houses sensitive information about competitors, to keep somebody from aggregating that information, you can implement a control that says you can only access one competitor. And it doesn't matter which one. I could access Visa or MasterCard or American Express or Discover; it's not based on the client, it's based on the fact that once I access one credit card company's information, I can't access any other credit card company's information. That's why they call it the Chinese Wall: it comes up and walls me into Visa, for instance, or if I'd accessed MasterCard first, it would wall me into MasterCard. So it's about keeping somebody from pulling together information about competitors, maybe using their insider privileges fraudulently. That's Brewer-Nash.
Again, you're probably not going to see that in most databases. What it's based on is metadata tagging, what the model calls conflict-of-interest classes, because think about how many credit card companies there are. We know the common ones, Discover, MasterCard, Visa, but there are other credit card companies as well. The decision is not made on the title; it's made on the metadata. And metadata is information. If you look it up in the dictionary, you'll get the definition "data about data," and even though that's true, that helps absolutely no one. Metadata is what gives data its meaning. So we have Visa, that's fine, that's the name of the company; the metadata says this is a credit card company. MasterCard is a credit card company, Discover is a credit card company. So once you access one credit card company, boom, the wall comes down, and you can only access that company. Two things make Brewer-Nash different from the models before it: the decision is dynamic, because what you may access now depends on what you accessed earlier, and the wall is per class, so an analyst walled into Visa can still read a company in an unrelated industry, say an oil company, as long as it's the first one they touch in that class. I hope that makes sense, because Brewer-Nash is an important one. But again, it's very specialized.
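The wall as a decision function, added here as an example and not taken from the lecture or any product: company datasets tagged with a conflict-of-interest class (the metadata), a per-subject access history, and the read rule the lecture describes. It also includes the write rule from Brewer and Nash's 1989 paper, simplified to the subject's own access history, which the lecture does not cover: a subject who has read two different companies' data may not write into either, or they could carry one company's information across the wall. Company names, classes and the analysts' histories are assumptions.

```python
"""Brewer-Nash (Chinese Wall) access decisions. Added example for this text,
not the lecture's code or any product's; the companies, their conflict-of-
interest classes and the analysts' histories are assumptions."""

# The metadata: each company dataset is tagged with its conflict-of-interest
# (COI) class. The decision never looks at the company name by itself.
COI_CLASS = {
    "Visa": "credit cards", "MasterCard": "credit cards",
    "American Express": "credit cards", "Discover": "credit cards",
    "Exxon": "oil", "Shell": "oil",
}


class ChineseWall:
    """What each subject has already touched is the policy; it grows over time."""

    def __init__(self, coi_class):
        self.coi_class = coi_class
        self.history = {}  # subject -> set of company datasets accessed so far

    def can_read(self, subject, company):
        """Simple security rule: allowed if the subject already accessed this
        company, or has accessed nothing in this company's COI class."""
        seen = self.history.get(subject, set())
        if company in seen:
            return True
        cls = self.coi_class[company]
        return not any(self.coi_class[c] == cls for c in seen)

    def can_write(self, subject, company):
        """*-property (simplified to the subject's own history): write only if
        the subject can read the company and has read no other company at all,
        so nothing read elsewhere can be carried across the wall."""
        if not self.can_read(subject, company):
            return False
        return all(c == company for c in self.history.get(subject, set()))

    def read(self, subject, company):
        """Perform a read; this is the moment the wall comes down."""
        if not self.can_read(subject, company):
            raise PermissionError(
                f"{subject} is walled out of {company} ({self.coi_class[company]})")
        self.history.setdefault(subject, set()).add(company)


def lecture_scenarios():
    """The lecture's credit-card example, plus a second class and the write rule."""
    wall = ChineseWall(COI_CLASS)
    out = {}
    out["fresh analyst reads Visa"] = wall.can_read("analyst", "Visa")
    wall.read("analyst", "Visa")  # the wall comes down around Visa
    out["then reads MasterCard"] = wall.can_read("analyst", "MasterCard")
    out["then reads Discover"] = wall.can_read("analyst", "Discover")
    out["Visa again"] = wall.can_read("analyst", "Visa")
    out["Exxon, a different COI class"] = wall.can_read("analyst", "Exxon")
    out["write to Visa before reading Exxon"] = wall.can_write("analyst", "Visa")
    wall.read("analyst", "Exxon")
    out["write to Visa after reading Exxon"] = wall.can_write("analyst", "Visa")
    # A colleague who started with MasterCard is walled into MasterCard instead.
    wall.read("colleague", "MasterCard")
    out["colleague reads Visa"] = wall.can_read("colleague", "Visa")
    out["colleague reads MasterCard"] = wall.can_read("colleague", "MasterCard")
    return out


if __name__ == "__main__":
    for scenario, allowed in lecture_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {scenario}")
```

Because the history only grows, a Brewer-Nash subject's rights only shrink over a session; in a real deployment you decide deliberately when, if ever, a history is reset.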
Now, those are the models I think you're most likely going to see. Certainly Bell-LaPadula and Brewer-Nash, probably the state machine model as well, Biba, Clark-Wilson: those are fair game. Now, there are numerous other security models. There are just a handful of others I put on the slides, just in case.
There's a model called the information flow model. Now, when we talked about Bell-LaPadula, we talked about what you could do up or down, right? I have secret clearance; above me is top secret, below me is confidential. That idea of layering, with upper and lower levels, I'm going to jump over here real quick: that's a lattice model, upper and lower boundaries. Secret is bounded at this level, and crossing over the boundary would lead you into top secret. Formally, a lattice is a partial ordering of labels in which every pair of labels has a least upper bound and a greatest lower bound, which is what lets the system decide, for any two labels, the lowest label that can receive data from both. Okay, so that's lattice. Now, back to the information flow model, which I skipped. The information flow model says sometimes information has to flow across boundaries. Somebody with top secret clearance may have to access secret data, and the information flow model makes sure that happens securely: every permitted flow goes from a lower label to an equal or higher one, never the other way. The noninterference model says what happens at top secret shouldn't affect what happens at secret: noninterference. This is kind of the "what happens in Vegas stays in Vegas" model. It's the model that says anything that happens up here doesn't affect anything lower, so that you have true boundary enforcement; in practice it's the model you reach for when you worry about covert channels, where a high-level process signals a low-level one through timing or resource usage rather than through a file. And then the lattice model. All right, so those are your security models. Definitely know those. They're worth a handful of questions, and they're pretty straightforward as long as you don't try to go back and apply them to your work environment. Remember, this is very academic information: Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, state machine model. And then just review the information flow, noninterference and lattice models from a familiarity standpoint.