Family name: Chaparro Gonzalez
First name: Diego
E-mail: dchaparro@acm.org

2002: Homework 2 : Security policy models
----------------------------------------------------------

1.- Biba model functionality in practice
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

a) static Biba model
====================

The mandatory Biba model has NWU (No Write Up) and NRD (No Read Down).
An example of this model could be a client-server program, for example
a Web server and an HTTP client, in which the client can read data from
the server but can't write into the server, and the server can write its
own data to the client but can't read from it.[1]

b) Subject low water mark model
===============================

An example of this model could be a machine connected to a network, with
processes running on it. These processes are at the high level, and
they can read data from the network (low integrity level). But when a
process reads data from the network, its own integrity level is lowered
to the level of the object (the data from the network) that it has read.
This happens because the processes can read malicious code from the
network.[1]

c) Object low water mark model
==============================

For example, it can be the database of a company. This database is at a
middle level of integrity, and there are two kinds of people who can
write to the database: the administrators (with a high level) and the
clients (with a low level of integrity). If a client modifies a record
in the database, this record is lowered to the same low level as the
client, because the company doesn't trust the data written by the
clients.[1]

2.- Chinese Wall
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

Because there could be situations in which it is not sufficient. For
example, there are three datasets, two of which belong to the same
conflict of interest class: Bank1 and Bank2, and a third from another
conflict of interest class: Company1. And there are two subjects. The
first subject has access to Bank1 and Company1, and the second subject
is allowed to access Bank2 and Company1. In this case the first subject
could read information from Bank1 and write it to Company1, and then
subject 2 would read information about Bank1 in Company1. This should
not happen, because it would violate the Chinese Wall.[2] For this
reason the *-property of the Chinese Wall is necessary.

3.- Lattices
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

a)
==

b)
==

The a) and d) examples are lattices. The b) example isn't a lattice
because it doesn't fulfil the principles of lattices: it doesn't have an
upper bound H. And the c) example isn't a lattice because it doesn't
have a lower bound L.[3]

4.- Models in practice
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

The Unix System V/MLS implementation of Bell-La Padula has some small
changes in comparison with the Bell-La Padula model. One of them is that
the write operation is only allowed on the same level; it is not allowed
to write to a higher level.[4] It is done this way to provide integrity
protection to the model.

5.- Feedback
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=

I spent about 10 to 12 hours doing this homework. For me, it was a bit
difficult.

REFERENCES:
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=

[1] Ross Anderson, Security Engineering: A Guide to Building Dependable
    Distributed Systems, Wiley, 2001
[2] Dr. David F.C. Brewer and Dr. Michael J. Nash, The Chinese Wall
    Security Policy, May 1989,
    URL: http://www.gammassl.co.uk/topics/chinesewall.html
[3] Dorothy E. Denning, A Lattice Model of Secure Information Flow,
    Communications of the ACM, 1976
[4] Rule Set Based Access Control (RSBAC) for Linux,
    URL: http://www.rsbac.org
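
Added example (not part of the original homework): a Python replay of the
section 2 scenario with Bank1, Bank2 and Company1, run once with only the
simple security rule and once with the *-property. The class and function
names are illustrative assumptions; all data is treated as unsanitized, and
what a subject "can read" is approximated by its access history.

```python
# Constructed scenario from section 2: dataset -> conflict-of-interest class.
COI = {"Bank1": "banks", "Bank2": "banks", "Company1": "companies"}


class ChineseWall:
    """Brewer-Nash access checks; enforce_star toggles the *-property."""

    def __init__(self, enforce_star):
        self.enforce_star = enforce_star
        self.history = {}                            # subject -> datasets accessed
        self.taint = {name: {name} for name in COI}  # dataset -> origins of its content

    def _simple_ok(self, subject, dataset):
        # Simple security rule: allowed if the dataset was already accessed, or
        # nothing in the same conflict-of-interest class has been accessed yet.
        seen = self.history.setdefault(subject, set())
        return dataset in seen or all(COI[d] != COI[dataset] for d in seen)

    def read(self, subject, dataset):
        if not self._simple_ok(subject, dataset):
            return None                              # blocked by the wall
        self.history[subject].add(dataset)
        return set(self.taint[dataset])              # origins the subject now knows

    def write(self, subject, dataset, origins):
        if not self._simple_ok(subject, dataset):
            return False
        # *-property: refuse the write if the subject has accessed any other
        # dataset (every dataset here holds unsanitized information).
        if self.enforce_star and self.history[subject] - {dataset}:
            return False
        self.history[subject].add(dataset)
        self.taint[dataset] |= origins
        return True


def bank1_reaches_subject2(enforce_star):
    """Replay the scenario; True if subject2 ends up holding Bank1 data."""
    wall = ChineseWall(enforce_star)
    wall.read("subject1", "Company1")
    learned = wall.read("subject1", "Bank1")
    wall.write("subject1", "Company1", learned)      # the indirect channel
    wall.read("subject2", "Bank2")
    return "Bank1" in wall.read("subject2", "Company1")
```
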