CISSP Domain 3 Security Engineering – Part 1 – Security Architecture Cheat Sheet

Security Engineering - Security Architecture

Security Models

Reading down and Writing Up

Reading Down – Occurs when a subject reads an object at a lower sensitivity level. ie A top secret subject reading a secret object.
Writing Up – At the expense of integrity, when a subject has information and passes that information up to an object, which has higher sensitivity than the subject has permission to access.

State machine model

Every possible state of a system is evaluated, showing all possible interactions between subjects and objects. If every state is proven to be secure, the system is proven to be secure. State machines are used to model real-world software.

Bell-Lapadula Model

Originally developed for the US DoD. Focused on maintaining confidentiality of objects.

  • Simple Security Property – There is no “Read up” ie subjects with secret clearance cannot access top secret objects
  • * Security Property – “no write down” – A subject at a higher classification level cannot write to a lower classification level – subjects who are logged into a top secret system cannot send emails to a secret system
  • Strong tranquility property – Security labels will not change while the system is operating.
  • Weak tranquility property – Security labels will not change in a away that conflicts with defined security properties

Lattice-Based Access controls

At the highest level of access is the box labeled “Alpha, Beta, Gamma”. A subject at this level has access to all objects in the lattice. At the second tier of the lattice, we see each object has a distinct upper and lower allowable limit. Eg. A subject that has “Alpha, Gamma” access the only viewable objects would be “Alpha and Gamma” objects. Both represent the greatest lower boundary (GLB). The subject would not be able to view object Beta.

Integrity Models

Bell-LaPadula focuses on confidentiality at the expense of integrity. What if the secret subject writes erroneous information to a top secret object?

Biba Model (reverse of Bell-LaPudula)

Businesses desire to ensure integrity of information protected at the highest level. Kenneth J Biba came up with two primary rules:

  • Simple Integrity Axiom – “no read down” – prevents subjects from accessing information at lower integrity level. It protects integrity by preventing bad information from moving up from lower integrity levels
  • * Integrity Axiom – “no write up” – a subject at a specific classification level cannot write to data at a higher classification. Prevents bad information from moving up to ta higher integrity level.


A real world integrity model that protects integrity by requiring subjects to access objects via programs.

  • Well formed transactions – The process comprises of the “access control triple” – User, transformation procedure, constrained data item.
    • Transformation procedure (TP) – Well formed transaction
    • Constrained data item (CDI) – Data that requires integrity
    • Unconstrained data item (UDI) – Data that do not require integrity
    • Integrity Verification procedures (IVPs) – ensures that data are kept in a valid state
    • For each TP an audit record is made and entered into a the access control system. This provides both detective and recovery controls in case integrity is lost

  • Certification, Enforcement and Separation of Duties – Certification monitors integrity, and enforcement preserves integrity. All relations must meet the requirements imposed by the separation of duty. All TPs must record enough information to reconstruct the data transaction to ensure integrity.

    Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.

    Example – School Bursar Office
    On dept collects money and another dept issues payments. Both are not authorized to issue purchase orders. By keeping all three roles separate the school is assured no one person can fraudulently collect, order or spend the school’s money.

    Clark-Wilson enforces the concept of separation of duties and transformation procedures within the system.

    • Related Posts with Thumbnails

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV