Access Control and Information Flow Models

Questions and Answers

Which of the following is NOT a characteristic of a covert channel?

  • It requires cooperation between a sender and a receiver
  • It is an unauthorized communications channel within a system
  • It is used to transfer information without exceeding authorized access
  • It utilizes legitimate communication pathways within the system (correct)

What is the main reason why MAC cannot protect against covert channels?

  • Covert channels exploit vulnerabilities in the system's operating system
  • MAC policies are not designed to address covert channels
  • The encryption methods used in MAC are easily circumvented by covert channels
  • MAC focuses on controlling access to information through authorized channels (correct)

Which of these represents a covert channel type?

  • Utilizing a system's timer to convey information
  • Modifying data in a file to signal information (correct)
  • Accessing a restricted file using a valid password
  • Using a shared network drive to transfer information

In the context of lattice-based access control (LBAC), what does a lattice define?

Answer: Security levels associated with subjects and objects (C)

What is one of the main limitations of mandatory access control (MAC) policies?

Answer: They cannot protect against data leakage through covert channels (C)

What does the term 'cooperating entities' imply in the context of covert channels?

Answer: Two parties involved in transferring information through covert channels (A)

Which of these is NOT a recommended reading material for further study on MAC, according to the provided text?

Answer: Information Security: Principles and Practice by William Stallings (2017) (A)

According to the provided text, which of the following statements accurately describes the relationship between MAC and covert channels?

Answer: MAC focuses on controlling access through authorized channels, not covert channels (C)

What is a security label that a user cannot have according to the labeling rules?

Answer: ⊤ (C)

If Alice's security label is Bank1, what principals does she have associated?

Answer: Alice.Public Info and Alice.Bank1 (C)

What is the principal's associated fixed security label in the given labeling rules?

Answer: The same label as the user's security label (D)

Which of the following was an early implementation of Mandatory Access Control (MAC)?

Answer: Boeing Multi-level Secure LAN (C)

In the context of SELinux, what does the 'subject security level' represent?

Answer: Domain (C)

What does the type of an object refer to in SELinux?

Answer: Class (A)

What aspect of SELinux is primarily focused on enhancing security?

Answer: Access control security policies (A)

Which organization was involved in earlier projects related to SELinux?

Answer: United States National Security Agency (NSA) (C)

What is a fundamental characteristic of Mandatory Access Control (MAC)?

Answer: It enforces access control based on central authority regulations. (D)

Which MAC model is primarily concerned with maintaining confidentiality?

Answer: Bell-LaPadula model (A)

In the context of MAC, what is the definition of a 'subject'?

Answer: An entity that executes code and may not be trusted. (A)

What aspect does the Biba model focus on within MAC policies?

Answer: Integrity of information. (D)

Which model is associated with the concept of separation of duty?

Answer: Chinese Wall model (B)

What does the Chinese Wall model primarily aim to prevent?

Answer: Conflicts of interest between users. (C)

What is the purpose of assigning a security class in information flow models?

Answer: To define the flow of information between security levels. (B)

What is NOT a characteristic of Mandatory Access Control?

Answer: It involves a concept of ownership for access control. (D)

What does the ∗-property primarily prevent?

Answer: Information transfer to lower security classes (C)

Which statement is true regarding the strong ∗-property?

Answer: It necessitates that subjects can only write to objects of the same label. (C)

In the Bell-LaPadula model, what does write access often imply?

Answer: Both reading and writing privileges (B)

How does the Bell-LaPadula model couple mandatory and discretionary controls?

Answer: If discretionary control denies an operation, mandatory controls are irrelevant. (D)

What is the significance of users being able to login with any label dominated by their security clearance?

Answer: It simplifies the access control processes. (C)

Which aspect of the ∗-property includes provisions against unauthorized data destruction?

Answer: Strong ∗-property ensures matching labels for writing. (C)

What does the Bell-LaPadula model generally illustrate?

Answer: Read and write operations for securing information (A)

Which of the following describes how users connect to the system with regards to their security classes?

Answer: They are not restricted to classes lower than their clearance. (C)

According to the Chinese Wall model, what does the "*-property" imply for a subject's access to data?

Answer: A subject is either restricted to reading and writing within a single company dataset or prevented from writing entirely. (F)

Which of the following is NOT a rule of the Chinese Wall model?

Answer: A subject can only write to an object if they have been granted access to the same company dataset and to all other datasets within the same company dataset. (B)

What does the "Simple Security Rule" of the Chinese Wall model allow a subject to do?

Answer: To read an object in the same company dataset as objects already accessed or an object from a completely different conflict of interest class. (B)

What is the purpose of the "Chinese Wall" in the model?

Answer: To restrict subjects from gaining access to information that could compromise the confidentiality of multiple companies. (D)

What is a conflict of interest class (CIC) in the context of the Chinese Wall model?

Answer: A group of company datasets that are considered confidential and require special access control. (D)

What is the primary aim of integrity-based mandatory policies such as the Biba model?

Answer: To ensure subjects cannot modify information they are not authorized to write. (C)

In the Biba model, what does the integrity level of an object reflect?

Answer: The potential damage from unauthorized modifications. (C)

What does the No Read Down rule in the Biba model imply?

Answer: A subject can read an object only if their integrity level is less than or equal to that of the object. (C)

Which property allows a subject to write to an object in the Biba model?

Answer: The subject's integrity level must be greater than or equal to the object's level. (B)

How do the BLP and Biba models differ in terms of information flow direction?

Answer: BLP flows upward, and Biba flows downward. (A)

What is the significance of the integrity level assigned to a subject in the Biba model?

Answer: It reflects the subject's trustworthiness to modify information. (B)

In the context of mandatory access control, what is a common feature of the Biba model?

Answer: It uses integrity classes to regulate access. (B)

What does the term 'lattice of security classes' refer to in relation to BLP and Biba models?

Answer: The structure that defines how information flows between classes. (D)

Flashcards

Chinese Wall Model

A security model that ensures subjects (users) cannot access data that creates a conflict of interest. It separates data into different 'company datasets' and 'conflict of interest classes' to prevent unauthorized access.

Simple Security Rule

A subject can only read data from either the same company datasets they've already accessed (within the wall) or from completely different conflict of interest classes.

*-Property

A subject can only write to data if they can already read it according to the Simple Security Rule, and the data is within the same company dataset.

Company Dataset

A collection of data belonging to a specific company or organization. Data within a company dataset should be considered sensitive and protected from unauthorized access.

Conflict of Interest Class

A group of different company datasets that have potential conflicts of interest with each other.

Mandatory Access Control (MAC)

A security control method where access restrictions are enforced based on predetermined rules set by a central authority, rather than individual ownership.

Untrusted Subjects in MAC

A fundamental principle of MAC where subjects (processes or users) are not trusted to avoid unauthorized access. They are assumed to potentially be compromised.

Bell-LaPadula Model

A type of MAC model that prioritizes confidentiality and prevents information from flowing from a higher security level to a lower one.

Biba Model

A type of MAC model that focuses on data integrity, ensuring that information is not modified by unauthorized entities.

Separation of Duty

A security principle that aims to prevent conflicts of interest by separating individuals from accessing sensitive information related to multiple, potentially competing, areas.

Covert Channel

A method of transmitting information in a covert manner, often bypassing security controls implemented by MAC.

Information Flow (IF) Models

The study of how information flows through a system, examining the movement of data from source to destination.

Types of Covert Channels

Covert channels can be categorized as either storage channels or timing channels.

Storage Channel

A covert channel that involves modifying storage locations to transmit information.

Timing Channel

A covert channel that uses delays in packet transmission over a network to convey information.

Lattice-Based Access Control (LBAC)

A type of MAC where a lattice (a mathematical structure) defines security levels for subjects and objects.

MAC Limitations

MAC models focus on controlling information flow through legitimate channels but cannot prevent data leaks through covert channels.

MAC Terminology

MAC, LBAC, rule-based access control, and multilevel access control are all terms used to describe the same concept.

Labeling Rules in Access Control

A security model where users are assigned security labels (e.g., Bank1, OilC1) that define their access rights to resources.

Top Security Label (⊤)

A type of security label that represents the highest level of access and is not assigned to users.

Dominated Security Labels

A user can access resources with a security label equal to or lower than their assigned label.

Principals in MAC

A concept in MAC where users create 'principals' with specific permissions.

MAC with Principal-Based Access Control

This model uses security labels to control access and prevents conflicts of interest, akin to the Bell-LaPadula model, a foundational security model.

SELinux (Security-Enhanced Linux)

An operating system security module providing MAC capabilities and other security features.

Subjects, Objects, Domains, and Types in SELinux

In SELinux, subjects (processes) are assigned 'domains' and objects (resources) are assigned 'types' (classes) to control access.

What is the Biba model?

The Biba model is an access control model that focuses on maintaining the integrity of data. It aims to prevent unauthorized modifications to data. It assigns integrity levels to users (subjects) and data (objects).

What is the 'No Read Down' rule in Biba?

In the Biba model, a subject is allowed to read an object only if the subject's integrity level is less than or equal to the object's integrity level. This prevents higher-integrity subjects from reading lower-integrity data, ensuring the data's purity.

What is the 'No Write Up' rule in Biba?

In the Biba model, a subject is allowed to write to an object only if the subject's integrity level is greater than or equal to the object's integrity level. This ensures that only authorized users with higher integrity can modify data, preventing manipulation.

How do Biba and Bell-LaPadula (BLP) models relate?

Both the Bell-LaPadula (BLP) and Biba models manage information flow in a system. BLP focuses on confidentiality and prevents information from flowing upwards. Biba focuses on integrity and prevents information from flowing downwards.

How do Biba's rules compare to BLP's?

The Biba model's rules are designed to prevent unauthorized modifications to data. These rules are the opposite of the BLP model's rules, which aim to protect confidentiality.

Can a single label be used for both confidentiality and integrity?

In a system, the same label can be used to represent both confidentiality and integrity levels.

Why is the Biba model important?

The Biba model is a core element of information security that is crucial for preventing malicious actions that disrupt the accuracy of information. It plays a vital role in securing critical systems and data and is widely implemented in various technologies.

What is the ∗-property in MAC?

The ∗-property prevents subjects from writing information to security classes with lower sensitivity than their security clearance. This helps to block Trojan horse attacks, where malicious code might try to move data to a less secure area.

How does the ∗-property protect data?

The ∗-property helps ensure that subjects can only write information to security classes with the same or higher sensitivity than their security clearance. This is essential for maintaining information security in a system.

What is the meaning of 'write access' in BLP?

In the context of the Bell-LaPadula model, write access typically means both reading and writing the contents of an object. Append access is another option, allowing you to write only, but not read.

What operations are typically focused on in BLP?

The Bell-LaPadula model is primarily explained through the read and write operations. Other operations such as creating or deleting objects might be included under the ∗-property, as they modify the state of the object.

How do mandatory and discretionary access controls work together in BLP?

Mandatory access control restrictions in the Bell-LaPadula model work in conjunction with discretionary access control. If the access control matrix doesn't authorize an operation, the mandatory controls won't be needed, since the operation is rejected anyway.

Can users login with a label less sensitive than their clearance in BLP?

In the Bell-LaPadula model, users can log in using a security label that's less sensitive than their clearance. This is a common feature that doesn't contradict the model's core principles.

What is the strong ∗-property?

The strong ∗-property is a stricter version of the ∗-property, where subjects are only allowed to write to objects if their security clearance matches the object's sensitivity level precisely. This helps prevent data destruction by subjects with lower security levels.

How does the strong ∗-property mitigate data destruction?

The ∗-property, in its strong form, helps alleviate the concern about unclassified subjects destroying or damaging classified data. It prevents subjects from writing to objects with different sensitivity levels, which is crucial for data integrity.

Study Notes

Access Control

  • Mandatory Access Control (MAC) enforces access control based on rules set by a central authority.
  • MAC doesn't rely on ownership concepts.
  • MAC distinguishes between users and subjects. Users are trusted, subjects are not.
  • Users are trusted not to disclose sensitive information outside the system.
  • Subjects aren't trusted – they may contain malicious code.
  • Subjects and objects are assigned security levels (security classes).
  • Security level of objects reflects the information's sensitivity.
  • Security level of subjects reflects user trustworthiness.
  • Requests to access objects are regulated by the subjects' security classes.

Information Flow Models

  • Information flow (IF) models by Denning (1976) focus on information flow between security classes.
  • An object is viewed as a container of information, e.g., files or database relations.
  • Information flow is controlled by assigning a security class or label to each object.

Definition 1: Information Flow Model

  • A triple (SC, →, ⊕) defines an IF model, where:
    • SC is a set of security classes (access classes or security labels)
    • → (may-flow) is a binary relation between security classes.
    • ⊕ (class combiner operator) combines two security classes.

Information Flow Models: Denning's Axioms

  • Axiom 1: SC is finite.
  • Axiom 2: The may-flow relation (→) is a partial order.
  • Axiom 3: SC has a least element (w.r.t. →).
  • Axiom 4: ⊕ is a least upper bound operator.

Dominance

  • A ≥ B (A dominates B) if B → A. A strictly dominates B (A > B) if A ≥ B and A ≠ B.

Confidentiality-based Policies: Bell-LaPadula

  • Aim: prevents information leaks to unauthorized subjects.
  • Subjects and objects are assigned security levels.
  • The security level of the object reflects its sensitivity
  • The security level of the subject reflects the user's trustworthiness
  • Access requests are regulated by security classes.
  • A subject (user) can connect to the system at a security class dominated by its security class.

The Bell-LaPadula Model

  • Key idea: augment discretionary access control (DAC) with MAC to enforce information flow policies.
  • Two-step approach is used:
    1. Establish a discretionary access control matrix D.
    2. Authorize operations through mandatory access controls.
  • Initially defined for read and write operations (R,W)

The Bell-LaPadula: Rules (No Read Up - No Write Down)

  • Simple Security property (ss-property): subject s can read object o if s's level is at least as high as o's level (s ≥ o).
  • *-Property (star-property): subject s can write to object o if s's level is no higher than o's level (s ≤ o).

Integrity-based Policies: Biba

  • Aim: prevents unauthorized modification of information.
  • Subjects and objects are assigned integrity levels.
  • Object's integrity level reflects trust and potential damage.
  • Subject's integrity level reflects trustworthiness of inserting/modifying/deleting information.
  • Requests are regulated by integrity classes.

The Biba Model

  • Rules are the opposite ("No read down, no write up")
    • Simple integrity property: s can read o only if the subject's integrity level is ≤ the object's integrity level (w(s) ≤ w(o)).
    • Integrity *-property: s can write to o only if the subject's integrity level is > the object's integrity level (w(s) > w(o)); w denotes the integrity function.
  • The Biba and Bell-LaPadula rules are the "duals" of each other.

Combining BLP and Biba

  • Models can use the same lattice of security classes (although information flows in different directions).

Case 1: Single Label

  • Uses a single label for confidentiality and integrity.
  • Subjects can read/write only if both subject and object have the same security class.

Case 2: Independent Labels, Same Directions

  • Uses independent labels for confidentiality and integrity (based on two separate lattices).
  • Subject can read if its confidentiality level is greater than or equal to the object's and its integrity level is less than or equal to the object's.

Case 3: Independent Labels, Opposite Directions

  • Uses independent labels for confidentiality and integrity (and separate lattices).
  • The highest confidentiality level has the lowest integrity and vice versa.
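The lattice of Definition 1, Denning's axioms, the BLP and Biba rules and the combined cases above can all be exercised against one concrete lattice. The following is an added example written for this page, not code from the lecture or its sources; the label structure (a level scale crossed with category sets), the level names and the function names are assumptions made here. The Biba write check uses the ≥ form given in the quiz and flashcards above.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Iterable

# Constructed lattice (assumed for this example): a security class is a
# (level, category set) pair; levels are totally ordered, category sets
# are ordered by inclusion, so the product is a lattice.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def rank(self) -> int:
        return LEVELS.index(self.level)


def may_flow(a: Label, b: Label) -> bool:
    """May-flow relation a -> b: information in class a may move to class b."""
    return a.rank() <= b.rank() and a.categories <= b.categories


def dominates(a: Label, b: Label) -> bool:
    """A >= B (A dominates B) iff B -> A."""
    return may_flow(b, a)


def strictly_dominates(a: Label, b: Label) -> bool:
    return dominates(a, b) and a != b


def combine(a: Label, b: Label) -> Label:
    """Class combiner (+): the least upper bound of a and b (Axiom 4)."""
    return Label(LEVELS[max(a.rank(), b.rank())], a.categories | b.categories)


BOTTOM = Label(LEVELS[0], frozenset())  # least element of SC (Axiom 3)


def lub_axiom_holds(classes: Iterable[Label]) -> bool:
    """Check Axiom 4 on a finite set: combine(a, b) is an upper bound of a and
    b, and every other upper bound c in the set dominates combine(a, b)."""
    classes = list(classes)
    for a, b in product(classes, repeat=2):
        lub = combine(a, b)
        if not (dominates(lub, a) and dominates(lub, b)):
            return False
        for c in classes:
            if dominates(c, a) and dominates(c, b) and not dominates(c, lub):
                return False
    return True


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: level(s) >= level(o)."""
    return dominates(subject, obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: level(s) <= level(o)."""
    return dominates(obj, subject)


def blp_can_write_strong(subject: Label, obj: Label) -> bool:
    """Strong *-property: the two labels must match exactly."""
    return subject == obj


# Biba (integrity) on the same lattice: no read down, no write up.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: w(s) <= w(o)."""
    return dominates(obj, subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property: w(s) >= w(o)."""
    return dominates(subject, obj)


# Case 1: one label is both confidentiality and integrity class, so an access
# must satisfy both models; reads and writes survive only when s == o.
def single_label_can_read(subject: Label, obj: Label) -> bool:
    return blp_can_read(subject, obj) and biba_can_read(subject, obj)


def single_label_can_write(subject: Label, obj: Label) -> bool:
    return blp_can_write(subject, obj) and biba_can_write(subject, obj)


# Case 2: independent confidentiality and integrity labels, checked separately.
def case2_can_read(s_conf: Label, s_int: Label, o_conf: Label, o_int: Label) -> bool:
    return blp_can_read(s_conf, o_conf) and biba_can_read(s_int, o_int)


def case2_can_write(s_conf: Label, s_int: Label, o_conf: Label, o_int: Label) -> bool:
    return blp_can_write(s_conf, o_conf) and biba_can_write(s_int, o_int)
```

Two labels with the same level but incomparable category sets are neither readable nor writable for each other under BLP, which is the point of a lattice rather than a simple ordering: dominance, not rank, is what the reference monitor compares.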

Separation of Duty: Chinese Wall

  • Aims to prevent conflicts of interest and inadvertent disclosure in advisory systems (e.g., law firms, consultants).
  • Separate datasets from competitors
  • When an object/dataset is accessed, create a "wall" around it, preventing access to a different dataset by the same subject.

Chinese Wall Model

  • A subject can access an object if it's in the same dataset or belongs to a different conflict of interest class.
  • Write access is restricted to the datasets the subject has read access, and no other datasets.

Criticisms: Chinese Wall

  • The rules limit operational flexibility, since a user may not read information from, or write it to, more than one company dataset.
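The Chinese Wall rules are stateful: whether a read or write is allowed depends on what the subject has already read. The following is an added example, not code from the lecture or from any of its sources, that implements the simple security rule and the *-property as a small reference monitor; the company names, the conflict-of-interest classes and the class and method names are constructed for this illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed example data (not from the lecture): company datasets mapped to
# their conflict-of-interest class (CIC).
DATASET_CIC: Dict[str, str] = {
    "BankA": "banks",
    "BankB": "banks",
    "OilX": "oil",
    "OilY": "oil",
}


class ChineseWall:
    """Reference monitor whose only state is each subject's history of company
    datasets already read; that history is the 'wall'."""

    def __init__(self, dataset_cic: Dict[str, str]):
        self.dataset_cic = dict(dataset_cic)
        self.history: Dict[str, Set[str]] = defaultdict(set)

    def can_read(self, subject: str, dataset: str) -> bool:
        """Simple security rule: the object is in a dataset the subject has
        already accessed, or in a CIC the subject has not touched at all."""
        cic = self.dataset_cic[dataset]
        touched = {d for d in self.history[subject] if self.dataset_cic[d] == cic}
        return not touched or dataset in touched

    def read(self, subject: str, dataset: str) -> bool:
        """Grant the read and record it; from now on a competitor's dataset in
        the same CIC is refused to this subject."""
        if not self.can_read(subject, dataset):
            return False
        self.history[subject].add(dataset)
        return True

    def can_write(self, subject: str, dataset: str) -> bool:
        """*-property: write only if the simple security rule permits reading
        the target and everything the subject has read is that same dataset,
        so nothing read from another company can be copied into it."""
        if not self.can_read(subject, dataset):
            return False
        return all(d == dataset for d in self.history[subject])


def demo() -> List[bool]:
    """Walk one analyst through the rules and return the decisions in order."""
    wall = ChineseWall(DATASET_CIC)
    return [
        wall.read("alice", "BankA"),       # first bank: allowed, wall goes up
        wall.can_read("alice", "BankB"),   # competitor in the same CIC: refused
        wall.can_read("alice", "OilX"),    # different CIC: allowed
        wall.can_write("alice", "BankA"),  # only BankA read so far: allowed
        wall.read("alice", "OilX"),        # allowed by the simple security rule
        wall.can_write("alice", "BankA"),  # OilX now in history: write refused
    ]
```

The last two decisions show the criticism stated above: once the analyst has read a second company's data, even from an unrelated conflict-of-interest class, the *-property stops her from writing to the first company's dataset, so in practice she can read from several companies but write to at most one.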

MAC Implementations

  • Early implementations (e.g., Honeywell SCOMP, US Air Force SACDIN, Boeing MLS LAN) were military-oriented.

MAC Implementations: SELinux

  • SELinux adds a MAC layer for Linux. It uses domains (subject levels), types (object levels) and classes for objects. It uses access and labeling rules.

MAC Implementations: AppArmor

  • AppArmor is a MAC system for Linux that extends the Unix DAC model.
  • AppArmor is described using file paths and capabilities (privileges).

MAC Implementations: MIC

  • Windows Mandatory Integrity Control (MIC) enforces integrity rules, ensuring that a subject's integrity level is greater than or equal to an object's before it may write to it.

MAC and Covert Channels

  • Covert channels are unauthorized intra-system channels that circumvent security policies even though no subject exceeds its access permissions.
  • Covert channels can be based on timing, storage and network access.

Concluding Remarks on MAC

  • MAC is based on regulations dictated by a central authority.
  • MAC differentiates between trusted users and untrusted subjects.
  • Lattice-based access controls (LBAC) define security levels for objects and subjects.
  • MAC policies typically safeguard information flow over overt (legitimate) channels, but not over covert channels.
