Information Security Models for Confidentiality and Integrity

by Jago Maniscalchi  //  May 17, 2010  //  Risk Management  //  1 Comment

Information Security Models bridge the gap between security policy statements (which explain which users should have access to data) and the operating system implementation (which allows an administrator to configure access control). The models help map abstract goals onto mathematical relationships that underpin whichever implementation is eventually chosen (Windows, Unix, MacOS etc).

The Bell-LaPadula Model

This model was developed in the 1970s for the US Military by David Bell and Leonard LaPadula of Mitre Corporation. It was developed in response to a single problem – information leakage. The military were using time-sharing mainframe systems and were concerned that highly classified information could leak from those users who were cleared to see it, down to those users who were not – i.e. data of many classifications resided on the system, and users with many levels of clearance potentially had access to it.

BLP is a Hierarchical State Machine Model: it has many layers (a lattice) and maintains a secure state – each rule is security preserving, and transactions proceed only if the system moves from its existing secure state to another secure state.

Three access rules are utilised in BLP:

  • Dominance Relation: the clearance level of a user (subject) maps to the classification of files (object). Users with a particular clearance will only be able to access files of a particular classification and below.
  • Discretionary Security: specific users are granted specific modes of access.
  • Data flows upwards: BLP enforces the confidentiality aspect of access control in that data can only move up the lattice from lower levels of classification to higher.

Given its concentration on protecting information from flowing in the wrong direction, BLP is also categorised as an Information-Flow Model.

BLP was the first model to define three fundamental modes of access (read, write and read/write), though users cannot be assigned to more than one access mode:

  • The Simple Security Property – users can read data of a lower classification
  • The Star Security Property – users can write data to an area of higher classification
  • The Strong Star (Tranquility) Property – users can read and write to own level only.

Biba Model

The major drawback of the BLP model was that it only considered the confidentiality of data. There was no consideration given to the ‘need-to-know’ principle – users were free to read all data at their own and lower levels of classification. Therefore, shortly after the development of BLP, Ken Biba developed a model that considered data integrity. Focussed on the commercial sector where, at the time, the integrity of data had more importance than its confidentiality, the Biba model is concerned with preventing data from low integrity environments polluting high integrity data.

Like BLP, Biba has three properties:

  • The Simple Integrity Property – Data can be read from a higher integrity level
  • The Star Integrity Property – Data can be written to a lower integrity level
  • The Invocation Property – User cannot request service (invoke) from a higher integrity level

Biba is the opposite of BLP: whereas BLP is a WURD model (Write Up, Read Down), Biba is RUWD (Read Up, Write Down).
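The BLP properties and the Biba properties above, written as one reference monitor so the WURD/RUWD duality is visible side by side. This is an added example, not code from the original post; the level names, subjects and objects are constructed sample data and the lattices are assumed to be linear.

```python
# Added example, not from the original post: the BLP and Biba rules as a
# reference monitor over linear lattices. Level names, subjects and objects
# are constructed sample data; each list runs from lowest to highest level.
CONFIDENTIALITY = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
INTEGRITY = ["UNTRUSTED", "USER", "SYSTEM"]


def dominates(lattice: list, a: str, b: str) -> bool:
    """Dominance relation: level a is at or above level b in the lattice."""
    return lattice.index(a) >= lattice.index(b)


def blp_allows(subject_clearance: str, object_class: str, mode: str) -> bool:
    """Bell-LaPadula (WURD): simple security = read down, star = write up,
    strong star = read/write only at the subject's own level."""
    d = lambda a, b: dominates(CONFIDENTIALITY, a, b)
    if mode == "read":
        return d(subject_clearance, object_class)    # never read up
    if mode == "write":
        return d(object_class, subject_clearance)    # never write down
    if mode == "readwrite":
        return subject_clearance == object_class     # tranquility
    raise ValueError(f"unknown BLP mode {mode!r}")


def biba_allows(subject_level: str, object_level: str, mode: str) -> bool:
    """Biba (RUWD): simple integrity = read up, star integrity = write down,
    invocation = a subject may only invoke its own or a lower level."""
    d = lambda a, b: dominates(INTEGRITY, a, b)
    if mode == "read":
        return d(object_level, subject_level)        # never read down
    if mode == "write":
        return d(subject_level, object_level)        # never write up
    if mode == "invoke":
        return d(subject_level, object_level)        # never invoke up
    raise ValueError(f"unknown Biba mode {mode!r}")


def audit(model, requests: list) -> list:
    """Evaluate (subject_level, object_level, mode) requests; return the denied ones."""
    return [r for r in requests if not model(*r)]


if __name__ == "__main__":
    # Constructed requests: a SECRET-cleared analyst and a USER-integrity process.
    print(audit(blp_allows, [("SECRET", "CONFIDENTIAL", "read"),
                             ("SECRET", "TOP SECRET", "read"),
                             ("SECRET", "TOP SECRET", "write")]))
    print(audit(biba_allows, [("USER", "SYSTEM", "read"),
                              ("USER", "SYSTEM", "write"),
                              ("USER", "SYSTEM", "invoke")]))
```

Swapping the lattice and the direction of the comparison is the whole difference between the two models, which is why the same `dominates` helper serves both.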

Clark-Wilson Integrity Model

The Clark-Wilson model, published in 1987 by David Clark and David Wilson, builds on BLP and Biba, introducing the concept of a program arbitrating a subject's access to an object in an access triple (a relationship of subject, program and object). It addresses all three integrity goals:

  • Preventing unauthorised users from making any modifications
  • Preventing authorised users from making unauthorised modifications
  • Maintaining internal and external consistency

A well-formed transaction, as defined by Clark-Wilson, is one that only permits modification of data if that modification meets the three integrity goals listed above.
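A toy enforcement layer for the access triple and the three integrity goals just listed, added here as an example and not taken from the original post. The ledger (the constrained data items), the single `transfer` transformation procedure, the access triples and the consistency rule are all constructed for illustration.

```python
# Added example, not from the original post: a toy Clark-Wilson enforcement layer.
# The ledger (constrained data items), the single transformation procedure, the
# access triples and the consistency rule are all constructed for illustration.
from typing import Callable

TOTAL = 100  # external consistency: the ledger always holds exactly 100 units


def consistent(state: dict) -> bool:
    """Integrity verification: balances are non-negative and sum to TOTAL."""
    return sum(state.values()) == TOTAL and all(v >= 0 for v in state.values())


def transfer(state: dict, src: str, dst: str, amount: int) -> dict:
    """Transformation procedure (TP): works on a copy, never on the live CDIs."""
    new = dict(state)
    new[src] -= amount
    new[dst] += amount
    return new


# Certified TPs, and the access triples (subject, program, object)
TPS: dict[str, Callable] = {"transfer": transfer}
TRIPLES = {("alice", "transfer", "acct_a"), ("alice", "transfer", "acct_b"),
           ("bob", "transfer", "acct_b")}


def run_tp(user: str, tp_name: str, state: dict, *args) -> tuple:
    """Reference monitor: the only path by which a CDI may change.
    Returns (new_state, None) on success or (unchanged state, reason) on denial."""
    tp = TPS.get(tp_name)
    if tp is None:                                    # goal 1: uncertified program
        return state, f"{tp_name!r} is not a certified TP"
    candidate = tp(state, *args)
    changed = {k for k in set(state) | set(candidate) if state.get(k) != candidate.get(k)}
    for obj in sorted(changed):                       # goal 2: unauthorised modification
        if (user, tp_name, obj) not in TRIPLES:
            return state, f"no access triple for ({user}, {tp_name}, {obj})"
    if not consistent(candidate):                     # goal 3: consistency
        return state, "transaction would leave the CDIs inconsistent"
    return candidate, None


if __name__ == "__main__":
    ledger = {"acct_a": 60, "acct_b": 40}             # constructed CDIs
    ledger, err = run_tp("alice", "transfer", ledger, "acct_a", "acct_b", 10)
    print(ledger, err)
    print(run_tp("bob", "transfer", ledger, "acct_a", "acct_b", 5)[1])
    print(run_tp("alice", "transfer", ledger, "acct_a", "acct_b", 70)[1])
```

Because the TP runs on a copy and the monitor diffs the result against the live state, a transaction that fails any of the three goals leaves the CDIs untouched.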

Brewer-Nash Model

The Brewer-Nash model – also known as the Chinese Wall model – provides access controls that change dynamically depending on the previous actions of a user. It is typically used to protect against conflicts of interest, for example between the Mergers & Acquisitions and Stock Trading arms of an investment bank. Once a particular user has accessed a particular object in one half of a data store, their access to the other half is immediately revoked. Again, Brewer-Nash is an Information Flow Model – no information can flow between two entities that could result in a conflict of interest.
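The dynamic revocation described above, as an added example that is not part of the original post. Datasets, companies, conflict-of-interest classes and users are constructed sample data; the "two halves of a data store" in the text correspond to two companies in the same conflict class. The write rule is Brewer and Nash's star property, which the post does not spell out.

```python
# Added example, not from the original post: a Chinese Wall reference monitor.
# Datasets, companies, conflict-of-interest classes and users are constructed
# sample data; the post's "two halves of a data store" are one conflict class.
from collections import defaultdict

# Each dataset belongs to one company; each company sits in one conflict class
COMPANY_OF = {"bank1_deals": "Bank1", "bank1_prices": "Bank1",
              "bank2_deals": "Bank2", "oil1_deals": "Oil1"}
CONFLICT_CLASS = {"Bank1": "banks", "Bank2": "banks", "Oil1": "oil"}


class ChineseWall:
    def __init__(self):
        self.history = defaultdict(set)  # user -> companies already accessed

    def may_read(self, user: str, dataset: str) -> bool:
        """Read is allowed unless the user already holds data of a competitor."""
        company = COMPANY_OF[dataset]
        for seen in self.history[user]:
            if seen != company and CONFLICT_CLASS[seen] == CONFLICT_CLASS[company]:
                return False  # the wall has gone up for this class
        return True

    def may_write(self, user: str, dataset: str) -> bool:
        """Write rule (Brewer and Nash's star property, not spelled out in the
        post): a user who has read another company's data may not write,
        since that would let information cross the wall via a second user."""
        company = COMPANY_OF[dataset]
        return self.may_read(user, dataset) and self.history[user] <= {company}

    def read(self, user: str, dataset: str) -> bool:
        """Record a successful read; this history is what makes later decisions dynamic."""
        if not self.may_read(user, dataset):
            return False
        self.history[user].add(COMPANY_OF[dataset])
        return True


if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.read("alice", "bank1_deals"))        # True: first touch of the banks class
    print(wall.read("alice", "bank2_deals"))        # False: Bank2 competes with Bank1
    print(wall.read("alice", "oil1_deals"))         # True: oil is a different class
    print(wall.may_write("alice", "bank1_prices"))  # False: she also holds Oil1 data
```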

Graham-Denning Model

Graham-Denning is much less abstract than the models previously considered. Whilst those models don't define how security or integrity ratings are assigned or modified, Graham-Denning introduces several critical primitive protection rights:

  • Create Object
  • Create Subject
  • Delete Object
  • Delete Subject
  • Grant Access Right
  • Delete Access Right
  • Transfer Access Right

These models together are well worth understanding, for they are the underpinning of modern access control implementations like that by Lipner – the 1982 combination of BLP and Biba that forms the basis of the Windows NT security model.

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.
