Question

Topic Name: Computer Security Policy

Q1. Between inclusive and exclusive policies, which one is more adaptable to new technologies? In your answer, provide a HIGH-LEVEL policy example and a modern technology that proves your point.

HINT: Different security policy models, including the Bell-LaPadula (BLP) Model, Biba Integrity Model, Lipner's Model and Clark-Wilson Integrity Model

Answer #1

The Bell–LaPadula Model (BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret"), down to the least sensitive (e.g., "Unclassified" or "Public").

  • The Bell–LaPadula model is an example of a model where there is no clear distinction between protection and security.
  • The Bell–LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity.
  • Limitations:
      • Only addresses confidentiality, control of writing (one form of integrity), *-property and discretionary access control
      • Covert channels are mentioned but are not addressed comprehensively
      • The tranquility principle limits its applicability to systems where security levels do not change dynamically. It allows controlled copying from high to low via trusted subjects.

The Biba model addresses the issue of integrity, i.e. whether information can become corrupted. A new label is used to gauge integrity. If a high security object comes into contact with low-level information, or is handled by a low-level program, the integrity level can be downgraded. For instance, if one used an insecure program to view a secure document, the program might covertly copy it to another part of the system.

Integrity is usually characterized by the three following goals:

  1. The data are protected from any modification by unauthorized users
  2. The data are protected from unauthorized modification by authorized users (which raises the question -- what is unauthorized modification; for example for logs this is deletion or altering of records, while adding records is permitted)
  3. The data are internally and externally consistent.

Lipner devised his Integrity Matrix Model to handle those concerns via a combination of BLP and Biba Integrity. There are two confidentiality levels:

  • Audit Manager (AM): system audit and management.
  • System Low (SL): all other processes.

In addition there are three confidentiality categories:

  • Production (SP): production code and data.
  • Development (SD): programs under development.
  • System Development (SSD): system programs in development.

The Clark–Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.

The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model uses security labels to grant access to objects via transformation procedures and a restricted interface model.
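Added example, not part of the answer above: a minimal reference-monitor check for the Bell–LaPadula rules (no read up, no write down) and Biba's strict-integrity dual (no read down, no write up) over labels made of a level plus categories. The intermediate levels, the `ops` category, the sample subjects and objects, and the `both_allow` helper are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0   # intermediate levels are constructed for this example
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Label:
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of categories.
        return self.level >= other.level and self.categories >= other.categories

def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality labels)."""
    if op == "read":     # simple security property: no read up
        return subject.dominates(obj)
    if op == "write":    # *-property: no write down
        return obj.dominates(subject)
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba strict integrity (integrity labels): the dual of BLP."""
    if op == "read":     # no read down
        return obj.dominates(subject)
    if op == "write":    # no write up
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op}")

def both_allow(s_conf, s_integ, o_conf, o_integ, op) -> bool:
    """Hypothetical combined monitor: each model checks its own label set."""
    return blp_allows(s_conf, o_conf, op) and biba_allows(s_integ, o_integ, op)

# Constructed sample subject and objects.
analyst = Label(Level.SECRET, frozenset({"ops"}))
report = Label(Level.SECRET, frozenset({"ops"}))
plan = Label(Level.TOP_SECRET, frozenset({"ops"}))
public_wiki = Label(Level.UNCLASSIFIED)

if __name__ == "__main__":
    for name, obj in [("report", report), ("plan", plan), ("wiki", public_wiki)]:
        for op in ("read", "write"):
            print(f"BLP  analyst {op:5} {name:6} -> {blp_allows(analyst, obj, op)}")
```

The write-down denial is the case the answer describes with an untrusted viewer: a process that has read the Secret report cannot copy it to the Unclassified object.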
