Access Control and Information Flow Models
Questions and Answers

Which of the following is NOT a characteristic of a covert channel?

  • It requires cooperation between a sender and a receiver
  • It is an unauthorized communications channel within a system
  • It is used to transfer information without exceeding authorized access
  • It utilizes legitimate communication pathways within the system (correct)

What is the main reason why MAC cannot protect against covert channels?

  • Covert channels exploit vulnerabilities in the system's operating system
  • MAC policies are not designed to address covert channels
  • The encryption methods used in MAC are easily circumvented by covert channels
  • MAC focuses on controlling access to information through authorized channels (correct)

Which of these represents a covert channel type?

  • Utilizing a system's timer to convey information
  • Modifying data in a file to signal information (correct)
  • Accessing a restricted file using a valid password
  • Using a shared network drive to transfer information

In the context of lattice-based access control (LBAC), what does a lattice define?

Security levels associated with subjects and objects (C)

What is one of the main limitations of mandatory access control (MAC) policies?

They cannot protect against data leakage through covert channels (C)

What does the term 'cooperating entities' imply in the context of covert channels?

Two parties involved in transferring information through covert channels (A)

Which of these is NOT a recommended reading material for further study on MAC, according to the provided text?

Information Security: Principles and Practice by William Stallings (2017) (A)

According to the provided text, which of the following statements accurately describes the relationship between MAC and covert channels?

MAC focuses on controlling access through authorized channels, not covert channels (C)

What is a security label that a user cannot have according to the labeling rules?

⊤ (C)

If Alice's security label is Bank1, what principals does she have associated?

Alice.Public Info and Alice.Bank1 (C)

What is the principal's associated fixed security label in the given labeling rules?

The same label as the user’s security label (D)

Which of the following was an early implementation of Mandatory Access Control (MAC)?

Boeing Multi-level Secure LAN (C)

In the context of SELinux, what does the 'subject security level' represent?

Domain (C)

What does the type of an object refer to in SELinux?

Class (A)

What aspect of SELinux is primarily focused on enhancing security?

Access control security policies (A)

Which organization was involved in earlier projects related to SELinux?

United States National Security Agency (NSA) (C)

What is a fundamental characteristic of Mandatory Access Control (MAC)?

It enforces access control based on central authority regulations. (D)

Which MAC model is primarily concerned with maintaining confidentiality?

Bell-LaPadula model (A)

In the context of MAC, what is the definition of a 'subject'?

An entity that executes code and may not be trusted. (A)

What aspect does the Biba model focus on within MAC policies?

Integrity of information. (D)

Which model is associated with the concept of separation of duty?

Chinese Wall model (B)

What does the Chinese Wall model primarily aim to prevent?

Conflicts of interest between users. (C)

What is the purpose of assigning a security class in information flow models?

To define the flow of information between security levels. (B)

What is NOT a characteristic of Mandatory Access Control?

It involves a concept of ownership for access control. (D)

What does the ∗-property primarily prevent?

Information transfer to lower security classes (C)

Which statement is true regarding the strong ∗-property?

It necessitates that subjects can only write to objects of the same label. (C)

In the Bell-LaPadula model, what does write access often imply?

Both reading and writing privileges (B)

How does the Bell-LaPadula model couple mandatory and discretionary controls?

If discretionary control denies an operation, mandatory controls are irrelevant. (D)

What is the significance of users being able to log in with any label dominated by their security clearance?

It simplifies the access control processes. (C)

Which aspect of the ∗-property includes provisions against unauthorized data destruction?

Strong ∗-property ensures matching labels for writing. (C)

What does the Bell-LaPadula model generally illustrate?

Read and write operations for securing information (A)

Which of the following describes how users connect to the system with regard to their security classes?

They are not restricted to classes lower than their clearance. (C)

According to the Chinese Wall model, what does the "*-property" imply for a subject's access to data?

A subject is either restricted to reading and writing within a single company dataset or prevented from writing entirely. (F)

Which of the following is NOT a rule of the Chinese Wall model?

A subject can only write to an object if they have been granted access to the same company dataset and to all other datasets within the same company dataset. (B)

What does the "Simple Security Rule" of the Chinese Wall model allow a subject to do?

To read an object in the same company dataset as objects already accessed or an object from a completely different conflict of interest class. (B)

What is the purpose of the "Chinese Wall" in the model?

To restrict subjects from gaining access to information that could compromise the confidentiality of multiple companies. (D)

What is a conflict of interest class (CIC) in the context of the Chinese Wall model?

A group of company datasets that are considered confidential and require special access control. (D)

What is the primary aim of integrity-based mandatory policies such as the Biba model?

To ensure subjects cannot modify information they are not authorized to write. (C)

In the Biba model, what does the integrity level of an object reflect?

The potential damage from unauthorized modifications. (C)

What does the No Read Down rule in the Biba model imply?

A subject can read an object only if their integrity level is less than or equal to that of the object. (C)

Which property allows a subject to write to an object in the Biba model?

The subject's integrity level must be greater than or equal to the object's level. (B)

How do the BLP and Biba models differ in terms of information flow direction?

BLP flows upward, and Biba flows downward. (A)

What is the significance of the integrity level assigned to a subject in the Biba model?

It reflects the subject's trustworthiness to modify information. (B)

In the context of mandatory access control, what is a common feature of the Biba model?

It uses integrity classes to regulate access. (B)

What does the term 'lattice of security classes' refer to in relation to BLP and Biba models?

The structure that defines how information flows between classes. (D)

Study Notes

Access Control

• Mandatory Access Control (MAC) enforces access control based on rules set by a central authority.
• MAC doesn't rely on ownership concepts.
• MAC distinguishes between users and subjects: users are trusted, subjects are not.
• Users are trusted not to disclose sensitive information outside the system.
• Subjects aren't trusted – they may contain malicious code.
• Subjects and objects are assigned security levels (security classes).
• The security level of an object reflects the sensitivity of the information it holds.
• The security level of a subject reflects the trustworthiness of the user on whose behalf it runs.
• Requests to access objects are regulated by the subjects' security classes.

Information Flow Models

• Information flow (IF) models by Denning (1976) focus on information flow between security classes.
• An object is viewed as a container of information, e.g., a file or a database relation.
• Information flow is controlled by assigning a security class (label) to each object.

Definition 1: Information Flow Model

• A triple (SC, →, ⊕) defines an IF model, where:
  • SC is a set of security classes (also called access classes or security labels);
  • → (may-flow) is a binary relation on security classes: A → B means information in class A may flow into class B;
  • ⊕ (class combiner operator) combines two security classes into the class of information derived from both.

Information Flow Models: Denning's Axioms

• Axiom 1: SC is finite.
• Axiom 2: The may-flow relation (→) is a partial order.
• Axiom 3: SC has a least element with respect to →.
• Axiom 4: ⊕ is a least upper bound operator.
• Together these axioms make (SC, →, ⊕) a finite lattice, which is why policies built on such a model are called lattice-based access control (LBAC).

Dominance

• A ≥ B (A dominates B) if B → A. A strictly dominates B (A > B) if A ≥ B and A ≠ B.

Confidentiality-based Policies: Bell-LaPadula

• Aim: prevent information leaks to unauthorized subjects.
• Subjects and objects are assigned security levels.
• The security level of an object reflects its sensitivity.
• The security level of a subject reflects the user's trustworthiness.
• Access requests are regulated by security classes.
• A subject (user) can connect to the system at any security class dominated by its own security class (its clearance).

The Bell-LaPadula Model

• Key idea: augment discretionary access control (DAC) with MAC to enforce information flow policies.
• A two-step approach is used:
  1. Establish a discretionary access control matrix D.
  2. Authorize operations through mandatory access controls.
• Initially defined for read and write operations (R, W).

The Bell-LaPadula Rules (No Read Up, No Write Down)

• Simple Security property (ss-property): subject s can read object o only if s's level is at least as high as o's level (s ≥ o), i.e. no read up.
• *-property (star property): subject s can write to object o only if s's level is at most o's level (s ≤ o), i.e. no write down.

Integrity-based Policies: Biba

• Aim: prevent unauthorized modification of information.
• Subjects and objects are assigned integrity levels.
• An object's integrity level reflects how much it is trusted and the potential damage from unauthorized modification.
• A subject's integrity level reflects its trustworthiness for inserting, modifying or deleting information.
• Requests are regulated by integrity classes.

The Biba Model

• The rules are the opposite of Bell-LaPadula's ("No read down, no write up"), with w denoting the integrity function:
  • Simple integrity property: s can read o only if the subject's integrity level is ≤ the object's integrity level (w(s) ≤ w(o)).
  • Integrity *-property: s can write to o only if the subject's integrity level is > the object's integrity level (w(s) > w(o)).
• The Biba and Bell-LaPadula rules are the "duals" of each other.
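The following is an added example (not code from the lecture notes) that puts Definition 1, Denning's axioms, the dominance relation and both sets of rules into one runnable model. It assumes a concrete lattice: a totally ordered sensitivity level combined with a set of compartments, so that two classes can be incomparable; the level names and compartments are constructed for illustration. Both Bell-LaPadula and Biba are evaluated on the same lattice type, which makes the "dual" relationship visible as swapped arguments to `dominates`.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed lattice for the example: a totally ordered sensitivity level
# plus a set of compartments ("need-to-know" categories). Level names and
# compartments are assumptions for illustration only.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class SecurityClass:
    """One element of SC: (level, categories)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "SecurityClass") -> bool:
        """self ≥ other, equivalently other → self (information may flow from
        `other` into `self`). Needs a higher-or-equal level AND a superset of
        categories, so classes with disjoint categories are incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)

    def strictly_dominates(self, other: "SecurityClass") -> bool:
        return self.dominates(other) and self != other

    def join(self, other: "SecurityClass") -> "SecurityClass":
        """⊕: least upper bound. The class of information derived from both
        inputs is the lowest class that both inputs may flow into."""
        level = max(self.level, other.level, key=LEVELS.__getitem__)
        return SecurityClass(level, self.categories | other.categories)


def may_flow(src: SecurityClass, dst: SecurityClass) -> bool:
    """The may-flow relation →: src → dst iff dst dominates src."""
    return dst.dominates(src)


# Axiom 3: the least element of SC with respect to →.
BOTTOM = SecurityClass("UNCLASSIFIED", frozenset())


# Bell-LaPadula (confidentiality): the classes are sensitivity labels.
def blp_can_read(subject: SecurityClass, obj: SecurityClass) -> bool:
    """Simple security property: no read up (s ≥ o)."""
    return subject.dominates(obj)


def blp_can_write(subject: SecurityClass, obj: SecurityClass) -> bool:
    """*-property: no write down (s ≤ o)."""
    return obj.dominates(subject)


# Biba (integrity): same lattice structure, but the classes are integrity
# labels and the rules are the duals of BLP's. The notes state the write rule
# strictly (w(s) > w(o)); the quiz answer and the usual formulation, used
# here, also allow equal levels (w(s) ≥ w(o)).
def biba_can_read(subject: SecurityClass, obj: SecurityClass) -> bool:
    """Simple integrity property: no read down (w(s) ≤ w(o))."""
    return obj.dominates(subject)


def biba_can_write(subject: SecurityClass, obj: SecurityClass) -> bool:
    """Integrity *-property: no write up (w(s) ≥ w(o))."""
    return subject.dominates(obj)


def login(clearance: SecurityClass, requested: SecurityClass) -> SecurityClass:
    """A user may open a session at any class dominated by their clearance."""
    if not clearance.dominates(requested):
        raise PermissionError("requested level exceeds clearance")
    return requested


if __name__ == "__main__":
    secret_a = SecurityClass("SECRET", frozenset({"A"}))
    conf = SecurityClass("CONFIDENTIAL")
    conf_b = SecurityClass("CONFIDENTIAL", frozenset({"B"}))
    print(may_flow(conf, secret_a))        # CONFIDENTIAL{} → SECRET{A}: allowed
    print(may_flow(conf_b, secret_a))      # B is not a category of SECRET{A}: denied
    print(secret_a.join(conf_b))           # ⊕ gives SECRET{A, B}
    print(blp_can_write(secret_a, conf))   # write down under BLP: denied
    print(biba_can_write(secret_a, conf))  # same direction under Biba: allowed
```

Because `dominates` checks both the level order and category containment, a SECRET subject with compartment A and a CONFIDENTIAL object with compartment B are incomparable: under BLP it may neither read nor write the object, which is exactly the situation Axiom 4's ⊕ resolves when information from both must be combined.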

Combining BLP and Biba

• Both models can use the same lattice of security classes, although information flows in opposite directions.

Case 1: Single Label

• Uses a single label for both confidentiality and integrity.
• Subjects can read/write an object only if subject and object have the same security class.

Case 2: Independent Labels, Same Directions

• Uses independent labels for confidentiality and integrity (based on two separate lattices).
• A subject can read an object only if its confidentiality level is greater than or equal to the object's and its integrity level is less than or equal to the object's.

Case 3: Independent Labels, Opposite Directions

• Uses independent labels for confidentiality and integrity (and separate lattices).
• The highest confidentiality level has the lowest integrity and vice versa.

Separation of Duty: Chinese Wall

• Aims to prevent conflicts of interest and inadvertent disclosure in advisory systems (e.g., law firms, consultants).
• Datasets of competing companies are kept separate.
• When an object/dataset is accessed, a "wall" is built around it, preventing the same subject from accessing a different dataset in the same conflict of interest class.

Chinese Wall Model

• A subject can access an object if it is in the same company dataset as an object the subject has already accessed, or if it belongs to a different conflict of interest class.
• Write access is restricted to the datasets the subject has read access to, and to no other datasets.
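An added example (not code from the notes) of a Chinese Wall reference monitor. Unlike BLP and Biba, the decision depends on the subject's access history, so the monitor records what each subject has read. The simple security rule follows the bullet above; for the write rule the example uses the Brewer–Nash *-property, which generalises the bullet's statement: a write to object o is allowed only if o is readable and every unsanitized object the subject has read lies in o's own company dataset. The company datasets, conflict of interest classes and the `sanitized` flag are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Obj:
    """An object in a company dataset; each dataset belongs to one conflict of
    interest class (CIC). `sanitized` marks information that no longer
    identifies a company and therefore carries no conflict (assumption)."""
    name: str
    company: str      # company dataset
    cic: str          # conflict of interest class
    sanitized: bool = False


class ChineseWall:
    """History-based reference monitor for the Chinese Wall policy."""

    def __init__(self) -> None:
        self.history: Dict[str, Set[Obj]] = {}   # subject -> objects read

    def can_read(self, subject: str, obj: Obj) -> bool:
        """Simple security rule: allowed if obj is in the same company dataset
        as something already read, or in a different CIC from everything
        already read. Equivalently, denied only when the subject has already
        read a competitor (same CIC, different company)."""
        if obj.sanitized:
            return True
        for prior in self.history.get(subject, set()):
            if prior.sanitized or prior.company == obj.company:
                continue
            if prior.cic == obj.cic:
                return False          # the wall: a competitor was already read
        return True

    def read(self, subject: str, obj: Obj) -> None:
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject} may not read {obj.name}: conflict of interest")
        self.history.setdefault(subject, set()).add(obj)

    def can_write(self, subject: str, obj: Obj) -> bool:
        """*-property: allowed only if obj is readable AND every unsanitized
        object the subject has read is in obj's company dataset. This blocks
        the indirect flow CompanyA -> subject -> CompanyB that the read rule
        alone would permit once the subject has read two non-conflicting
        datasets."""
        if not self.can_read(subject, obj):
            return False
        return all(prior.sanitized or prior.company == obj.company
                   for prior in self.history.get(subject, set()))


# Constructed sample datasets: two competing banks and an unrelated oil company.
BANK_A_LEDGER = Obj("bankA/ledger", company="BankA", cic="banks")
BANK_A_PLAN = Obj("bankA/plan", company="BankA", cic="banks")
BANK_B_LEDGER = Obj("bankB/ledger", company="BankB", cic="banks")
OIL_X_REPORT = Obj("oilX/report", company="OilX", cic="oil")
MARKET_SUMMARY = Obj("public/market", company="BankB", cic="banks", sanitized=True)


def demo() -> dict:
    """Walk one analyst through the rules and return every decision."""
    wall = ChineseWall()
    wall.read("alice", BANK_A_LEDGER)
    wall.read("alice", OIL_X_REPORT)        # different CIC: allowed
    return {
        "reads_bankA_plan": wall.can_read("alice", BANK_A_PLAN),     # same dataset
        "reads_bankB": wall.can_read("alice", BANK_B_LEDGER),        # competitor of BankA
        "reads_sanitized": wall.can_read("alice", MARKET_SUMMARY),   # no conflict
        "writes_bankA": wall.can_write("alice", BANK_A_PLAN),        # has read OilX
        "writes_oilX": wall.can_write("alice", OIL_X_REPORT),        # has read BankA
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
```

The result illustrates the criticism below: once Alice has read both BankA and OilX she can still read both, but can write to neither, because any write could carry the other company's information across the wall. An analyst who has only ever read one dataset keeps write access to it.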

Criticisms: Chinese Wall

• The rules limit operational flexibility, since a user may not read information from, or write it to, more than one company.

MAC Implementations

• Early implementations (e.g., Honeywell SCOMP, US Air Force SACDIN, Boeing MLS LAN) were military-oriented.

MAC Implementations: SELinux

• SELinux adds a MAC layer to Linux. It uses domains (subject levels), types (object levels) and classes for objects, and is configured through access rules and labeling rules.

MAC Implementations: AppArmor

• AppArmor is a MAC system for Linux that extends the Unix DAC model.
• AppArmor policies are described in terms of file paths and capabilities (privileges).

MAC Implementations: MIC

• Windows Mandatory Integrity Control (MIC) enforces integrity rules: a subject's integrity level must be greater than or equal to an object's for the subject to write to it.

MAC and Covert Channels

• Covert channels are unauthorized intra-system communication channels that circumvent the security policy even though each subject stays within its authorized access permissions.
• Covert channels can be based on timing, storage or network access.

Concluding Remarks on MAC

• MAC is based on regulations dictated by a central authority.
• MAC differentiates between trusted users and untrusted subjects.
• Lattice-based access controls (LBAC) define security levels for objects and subjects.
• MAC policies typically safeguard information flow over overt (legitimate) channels, but not over covert channels.
