# Security Models

Tom Kelliher, CS 325

Oct. 31, 2011

### Announcements

Status reports due.

### From Last Time

Trust and security policies.

### Outline

1. Modeling multiple levels of security.

2. Modeling theoretical limitations of security systems.

### Coming Up

Trusted operating system design.

# Modeling Multiple Levels of Security

That is, the military model.

## Lattice

A lattice defines a partial order on a set using a user-defined operator. The operator must satisfy two properties over the set:

1. Transitive: If and then .

2. Antisymmetric: If and then .

A bounded lattice has a top and bottom:

1. is the top if for all in .

2. is the bottom if for all in .

Examples:

1. The power set of under the operation "is a subset of."

Is it bounded?

2. The natural numbers under the mathematical operation .

Is it bounded? Isn't it a total order?

1. The goal is to describe the secure (acceptable) information flows between subjects and objects.

3. denotes the classification of .

Similarly, denotes the clearance of .

Suppose:

• .

• .

• .

• .

1. What objects can be allowed to read? ?

Necessary properties for ensuring confidentiality:

1. Simple security property: may read only if .

Information should only flow from less secure objects to more secure objects.

Biba's integrity model is similar -- non-trusted information should not influence trusted information.

# Modeling Theoretical Limitations of Security Systems

1. Is security configuration X attainable?

2. Given security configuration Y, can subject S gain access to object O?

3. Trivial example.

Suppose has a transferable read right on .

## Graham-Denning Model

Model consists of subjects, objects, an access control matrix (all subjects are also treated as objects, to implement the "control" right), and a set of rights.

Two special rights: own (on objects) and control (on subjects).

Operations:

1. Create object; create subject. The creating subject owns the new object or controls the new subject, respectively.

2. Delete object; delete subject. The deleting subject must own the object or control the subject, respectively.

3. Read access right R of S on O. The invoking subject must control S or own O.

4. Grant right R to S on O. The invoking subject must own O.

5. Delete right R of S on O. The invoking subject must own O or control S.

6. Transfer right R to S on O. The invoking subject must have R* (the transferable version of R) on O.

Graham-Denning is a general access control model.
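As an added example, not part of the lecture notes: a small Python model of the six Graham-Denning operations above, enforcing each precondition against the access control matrix. The spelling of the transferable form of a right R as the name R followed by "*", and the initial root subject, are assumptions of this example.

```python
from collections import defaultdict


class GrahamDenning:
    """Access control matrix m[subject][object] -> set of rights.
    'own' (on objects) and 'control' (on subjects) are the special rights;
    a right named R + '*' stands for R*, the transferable form of R (assumed
    naming). Subjects are also objects, so both special rights share one
    matrix. PermissionError: invoking subject s lacks the precondition."""

    def __init__(self, root):
        self.subjects = {root}
        self.m = defaultdict(lambda: defaultdict(set))

    def _require(self, cond, msg):
        if not cond:
            raise PermissionError(msg)

    def create_object(self, s, o):
        self._require(s in self.subjects, f"{s} is not a subject")
        self.m[s][o].add("own")           # creator owns the new object
    def create_subject(self, s, new):
        self._require(s in self.subjects, f"{s} is not a subject")
        self.subjects.add(new)
        self.m[s][new].add("control")     # creator controls the new subject

    def _drop(self, x):                   # remove x's column and, if any, row
        self.subjects.discard(x)
        self.m.pop(x, None)
        for subj in self.m:
            self.m[subj].pop(x, None)
    def delete_object(self, s, o):
        self._require("own" in self.m[s][o], f"{s} does not own {o}")
        self._drop(o)
    def delete_subject(self, s, t):
        self._require("control" in self.m[s][t], f"{s} does not control {t}")
        self._drop(t)

    def read_rights(self, s, t, o):       # rights of t on o: s controls t or owns o
        self._require("control" in self.m[s][t] or "own" in self.m[s][o], "denied")
        return frozenset(self.m[t][o])
    def grant(self, s, r, t, o):          # only the owner of o may grant
        self._require("own" in self.m[s][o], f"{s} does not own {o}")
        self.m[t][o].add(r)
    def delete_right(self, s, r, t, o):   # owner of o or controller of t
        self._require("own" in self.m[s][o] or "control" in self.m[s][t], "denied")
        self.m[t][o].discard(r)
    def transfer(self, s, r, t, o):       # s must hold transferable R* on o
        self._require(r.rstrip("*") + "*" in self.m[s][o], f"{s}: no R* on {o}")
        self.m[t][o].add(r)
```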

Harrison-Ruzzo-Ullman generalizes Graham-Denning to ask if certain situations are obtainable.

Take-Grant Systems are yet another model.

Thomas P. Kelliher 2011-10-30