Security Architecture - Security Models
Suraj Singh
References: As mentioned in my previous slides, Shon Harris CISSP books and official ISC2 books
Security Model categories
• State machine model
Security Models
• Bell-LaPadula confidentiality model
• Biba integrity model
• Clark-Wilson integrity model
• Brewer-Nash (Chinese wall) model
• Graham-Denning model
• Harrison-Ruzzo-Ullman model
Access components
• Subject
• Object
• Information flow
State machine model
• The condition of the system at any given point in time is the state of the system.
• This model says that when a system transitions from one state to another, it must do so into a secure state.
• It defines what actions are permitted at any point in time so that the secure state of the system is maintained.
• Time is also a focus: a model system's state can only change at distinct points in time, e.g. when an event occurs.
• Once the system is considered to be in a secure state, this model ensures that every access to the system follows the security policy, so that the secure state is maintained.
• As an example, if a server is in a secure state before a Windows update, it should be in a secure state after the Windows update.
Multilevel lattice model
• Defined as strict layers, or lattices, or discrete layers of subjects and objects with minimal or no interface between these layers.
• A hierarchical lattice of layers with higher/lower privileges.
• Subjects and objects are assigned security clearance levels and classification levels, which define what layer they are assigned to:
  subjects -> security clearance level
  objects -> classification level
• Security labels are attached to subjects and objects.
• The clearance of a subject is compared with the classification of an object to determine access; usually, if they are at the same level, access is allowed.
• Rules are defined that allow/deny access between them, based on the layers they are in.
• Similar subjects and objects are treated with similar restrictions.
Matrix based Models
• Organizing subjects and objects in the form of an access control matrix:

            object1 (John's trainings folder)   object2     object3
  Subject1  full                                write       read
  Subject2  No access                           full        write
  Subject3  Read                                No access   No access
Non-interference Models
• Ensure that high-level actions (inputs) do not determine what low-level users can see (outputs).
• A type of multilevel lattice model with a higher degree of strictness, limiting any higher-classified information from being shared with lower-privileged subjects, even when high-privileged subjects are using the system at the same time. This prevents covert channels from leaking information.
• Complete isolation between security levels: subjects at different security levels are isolated from each other so that they cannot interfere with each other's activities; hence information from a higher level cannot flow to a lower level.
• Subjects operating at one level cannot interfere with the operations of subjects at another level.
Information Flow Models
• Focus on how information is allowed/denied to flow between individual objects.
• Used to make sure information is properly protected throughout a given process.
• Used to identify potential covert channels and unintended flows of information.
Security Models: Bell-LaPadula
• Confidentiality model (to prevent disclosure).
• Subjects are the active parties, objects are the passive parties.
• The model system uses security labels: subjects -> clearance level, objects -> classification level.
• Implements a set of rules to control access between subjects and objects:
  Simple security property rule: no read up (a subject can read at the same level or a lower level).
  * (star) property rule: no write down (a subject can write information at the same level or higher, but not at a lower level, to prevent disclosure).
  Strong * property rule: read and write only at the same level.
• Used in the US DoD.
Cons of the model
• Does not address integrity and availability.
• Does not cover need to know.
• One-to-one mappings of subjects and objects; that's where other models come in.
Biba Integrity Model
• Also a lattice-based model with multiple levels.
• Modes of access are read, write and read/write, as we saw in Bell-LaPadula.
• Uses subjects and objects with clearance and classification levels, like Bell-LaPadula.
• Focused on integrity rules:
  Simple integrity rule: no read down (a subject can read information from objects at a higher level or the same level, but cannot read from a lower level).
  * (star) integrity property rule: no write up (a subject can write at the same level or lower, but cannot write at a level above), to prevent higher-accuracy data from being corrupted.
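The state machine, Bell-LaPadula and Biba slides above describe one mechanism: a set of held accesses is the state, and a request is only committed if the new state still satisfies the level rules. The following is an added example written for this page (not code from the slides or the referenced books); the four-level lattice, the subject/object labels and the mode names "read", "write" and "readwrite" are constructed assumptions.

```python
from typing import Callable, Dict, Set, Tuple

# Constructed lattice (illustrative labels): higher index = higher
# sensitivity for Bell-LaPadula, higher integrity for Biba.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def blp_allows(subject_level: str, object_level: str, mode: str) -> bool:
    """Bell-LaPadula confidentiality rules for one access."""
    s, o = RANK[subject_level], RANK[object_level]
    if mode == "read":
        return s >= o   # simple security property: no read up
    if mode == "write":
        return s <= o   # *-property: no write down
    if mode == "readwrite":
        return s == o   # strong *-property: same level only
    raise ValueError(f"unknown access mode {mode!r}")

def biba_allows(subject_level: str, object_level: str, mode: str) -> bool:
    """Biba integrity rules: the mirror image of Bell-LaPadula."""
    s, o = RANK[subject_level], RANK[object_level]
    if mode == "read":
        return s <= o   # simple integrity rule: no read down
    if mode == "write":
        return s >= o   # *-integrity rule: no write up
    if mode == "readwrite":
        return s == o   # same level only
    raise ValueError(f"unknown access mode {mode!r}")

class SecureStateMachine:
    """State = set of (subject, object, mode) accesses currently held.
    A request is a transition; it is committed only if the resulting
    state still satisfies the policy, otherwise the state is unchanged."""

    def __init__(self, policy: Callable[[str, str, str], bool],
                 subjects: Dict[str, str], objects: Dict[str, str]) -> None:
        self.policy, self.subjects, self.objects = policy, subjects, objects
        self.state: Set[Tuple[str, str, str]] = set()

    def is_secure(self, state: Set[Tuple[str, str, str]]) -> bool:
        return all(self.policy(self.subjects[s], self.objects[o], m)
                   for s, o, m in state)

    def request(self, subject: str, obj: str, mode: str) -> bool:
        candidate = self.state | {(subject, obj, mode)}
        if not self.is_secure(candidate):
            return False            # denied: machine stays in current state
        self.state = candidate      # secure transition: commit
        return True
```

Swapping `blp_allows` for `biba_allows` flips which direction of read and write is denied, which is the whole difference between the two models.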
Clark Wilson Integrity Model
• Focuses on integrity at the transaction level.
• Prevents undesirable changes by authorized subjects.
• Ensures the system continues to behave consistently.
• Mediation between subject and object to maintain integrity objectives: subject -> program (application) -> object.
• The program provides identification, authentication and authorization.
Brewer Nash (Chinese wall) Model
• Focuses on conflict of interest.
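The slide only names the goal; the way the Brewer-Nash model is usually stated, objects belong to company datasets, datasets are grouped into conflict-of-interest classes, and a subject who has touched one dataset may not read a competing dataset in the same class. The following is an added example (not from the slides) of that read rule; the datasets, classes and subject names are constructed.

```python
from typing import Dict, Set

# Constructed illustrative data: each object belongs to one company dataset,
# each dataset to one conflict-of-interest (COI) class.
DATASET_OF = {"bank_a_ledger": "bank_a", "bank_a_memo": "bank_a",
              "bank_b_ledger": "bank_b", "oil_x_report": "oil_x"}
COI_CLASS_OF = {"bank_a": "banking", "bank_b": "banking", "oil_x": "oil"}

class ChineseWall:
    """Tracks, per subject, the datasets already accessed and denies access
    to a competing dataset in the same COI class."""

    def __init__(self) -> None:
        self.history: Dict[str, Set[str]] = {}

    def may_access(self, subject: str, obj: str) -> bool:
        dataset = DATASET_OF[obj]
        coi = COI_CLASS_OF[dataset]
        for seen in self.history.get(subject, set()):
            if seen != dataset and COI_CLASS_OF[seen] == coi:
                return False   # conflict: subject already worked for a rival
        return True            # same dataset, or a different COI class

    def access(self, subject: str, obj: str) -> bool:
        """Grant and record the access, or deny it without changing history."""
        if not self.may_access(subject, obj):
            return False
        self.history.setdefault(subject, set()).add(DATASET_OF[obj])
        return True
```

Note that the wall is dynamic: which objects are denied depends on the subject's own history, not on a fixed label, which is what separates this model from the lattice models above.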
Graham Denning Model
• Object and subject creation.
• How they are assigned rights.
• How ownership of objects is managed.
• Focuses on controlling objects and subjects at a very basic level.
Harrison Ruzzo Ullman Model
• Similar to Graham-Denning.
• A set of generic rights and a finite set of commands.
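The matrix, Graham-Denning and Harrison-Ruzzo-Ullman slides fit together: the matrix holds the rights, and it may only be changed through a finite set of commands, each of which checks existing rights (such as ownership) before applying primitive operations. The following is an added example written for this page (not the slides' own code); the rights set, the "creator becomes owner" rule and the subject/object names are constructed assumptions.

```python
from collections import defaultdict
from typing import DefaultDict, Set, Tuple

RIGHTS = {"own", "read", "write"}   # finite set of generic rights (constructed)

class AccessMatrix:
    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()
        self.cells: DefaultDict[Tuple[str, str], Set[str]] = defaultdict(set)

    # --- primitive operation: only the commands below may call this ---
    def _enter(self, right: str, s: str, o: str) -> None:
        self.cells[(s, o)].add(right)

    # --- commands: a condition on existing rights, then primitive ops ---
    def create_subject(self, s: str) -> bool:
        if s in self.subjects:
            return False
        self.subjects.add(s)
        return True

    def create_object(self, creator: str, o: str) -> bool:
        """Creator gets full rights, including ownership (Graham-Denning style)."""
        if creator not in self.subjects or o in self.objects:
            return False
        self.objects.add(o)
        for right in RIGHTS:
            self._enter(right, creator, o)
        return True

    def grant(self, owner: str, right: str, s: str, o: str) -> bool:
        """Only an owner of o may enter a generic right for another subject."""
        if ("own" not in self.cells[(owner, o)] or right not in RIGHTS
                or s not in self.subjects):
            return False
        self._enter(right, s, o)
        return True

    def allowed(self, s: str, o: str, mode: str) -> bool:
        """The reference-monitor check: look up the matrix cell for (s, o)."""
        return mode in self.cells[(s, o)]
```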
Q and A
