Reading down and Writing Up
Reading Down – Occurs when a subject reads an object at a lower sensitivity level. ie A top secret subject reading a secret object.
Writing Up – At the expense of integrity, when a subject has information and passes that information up to an object, which has higher sensitivity than the subject has permission to access.
State machine model
Every possible state of a system is evaluated, showing all possible interactions between subjects and objects. If every state is proven to be secure, the system is proven to be secure. State machines are used to model real-world software.
Originally developed for the US DoD. Focused on maintaining confidentiality of objects.
- Simple Security Property – There is no “Read up” ie subjects with secret clearance cannot access top secret objects
- * Security Property – “no write down” – A subject at a higher classification level cannot write to a lower classification level – subjects who are logged into a top secret system cannot send emails to a secret system
- Strong tranquility property – Security labels will not change while the system is operating.
- Weak tranquility property – Security labels will not change in a away that conflicts with defined security properties
Lattice-Based Access controls
At the highest level of access is the box labeled “Alpha, Beta, Gamma”. A subject at this level has access to all objects in the lattice. At the second tier of the lattice, we see each object has a distinct upper and lower allowable limit. Eg. A subject that has “Alpha, Gamma” access the only viewable objects would be “Alpha and Gamma” objects. Both represent the greatest lower boundary (GLB). The subject would not be able to view object Beta.
Bell-LaPadula focuses on confidentiality at the expense of integrity. What if the secret subject writes erroneous information to a top secret object?
Biba Model (reverse of Bell-LaPudula)
Businesses desire to ensure integrity of information protected at the highest level. Kenneth J Biba came up with two primary rules:
- Simple Integrity Axiom – “no read down” – prevents subjects from accessing information at lower integrity level. It protects integrity by preventing bad information from moving up from lower integrity levels
- * Integrity Axiom – “no write up” – a subject at a specific classification level cannot write to data at a higher classification. Prevents bad information from moving up to ta higher integrity level.
A real world integrity model that protects integrity by requiring subjects to access objects via programs.
- Well formed transactions – The process comprises of the “access control triple” – User, transformation procedure, constrained data item.
- Transformation procedure (TP) – Well formed transaction
- Constrained data item (CDI) – Data that requires integrity
- Unconstrained data item (UDI) – Data that do not require integrity
- Integrity Verification procedures (IVPs) – ensures that data are kept in a valid state
For each TP an audit record is made and entered into a the access control system. This provides both detective and recovery controls in case integrity is lost
- Certification, Enforcement and Separation of Duties – Certification monitors integrity, and enforcement preserves integrity. All relations must meet the requirements imposed by the separation of duty. All TPs must record enough information to reconstruct the data transaction to ensure integrity.
Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.
Example – School Bursar Office
On dept collects money and another dept issues payments. Both are not authorized to issue purchase orders. By keeping all three roles separate the school is assured no one person can fraudulently collect, order or spend the school’s money.
Clark-Wilson enforces the concept of separation of duties and transformation procedures within the system.