Handbook of Information Security Management:Access Control



The Brewer-Nash Model

The Brewer-Nash model, published in 1989, uses basic mathematical theory to implement dynamically changing access authorizations. This model can provide integrity in an integrated data base. In addition, it can provide confidentiality of information if the integrated data base is shared by competing companies; subjects can access only those objects that do not conflict with standards of fair competition.

Implementation involves grouping data sets into discrete classes, each class representing a different conflict of interest (e.g., classified information about a company is not made available to a competitor). Once a subject has accessed a data set in a given class, the subject is prevented from accessing any other data set in that class. This isolation of data sets within a class provides the capability to keep one company’s data separate from a competitor’s in an integrated data base, thus preventing authorized users from making improper modifications to data outside their purview.
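The class-based rule described above, as an added example that is not part of the handbook: a small reference monitor that records which company's data a subject has already touched in each conflict-of-interest class and refuses access to any competitor in the same class. The company names and classes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSet:
    name: str        # e.g. "acme-ledger"
    company: str     # company the data set belongs to
    coi_class: str   # conflict-of-interest class, e.g. "banks"


class BrewerNashMonitor:
    """Dynamic access decisions in the Brewer-Nash style.

    A subject may access a data set if no company in the same
    conflict-of-interest class has been accessed by that subject yet,
    or if the data set belongs to the company already chosen in that
    class.  The first access in a class therefore "locks in" one company.
    """

    def __init__(self):
        # subject -> {coi_class: company already accessed in that class}
        self.history = {}

    def can_access(self, subject, ds):
        chosen = self.history.get(subject, {}).get(ds.coi_class)
        return chosen is None or chosen == ds.company

    def access(self, subject, ds):
        """Grant or deny, recording the grant so later decisions change."""
        if not self.can_access(subject, ds):
            return False
        self.history.setdefault(subject, {})[ds.coi_class] = ds.company
        return True


def demo():
    # Constructed sample data: two competing banks and one oil company.
    acme = DataSet("acme-ledger", "Acme Bank", "banks")
    bolt = DataSet("bolt-ledger", "Bolt Bank", "banks")
    oilco = DataSet("oilco-wells", "OilCo", "oil")
    m = BrewerNashMonitor()
    return [m.access("alice", acme),   # first bank: allowed
            m.access("alice", bolt),   # competitor in same class: denied
            m.access("alice", oilco),  # different class: allowed
            m.access("alice", acme),   # same company again: allowed
            m.access("bob", bolt)]     # another subject, own history: allowed


if __name__ == "__main__":
    print(demo())
```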

Implementing Integrity Models

The integrity models may be implemented in various ways to provide the integrity protection specified in the security policy. National Computer Security Center Report 79–91 discusses several implementations, including those by Lipner, Boebert and Kain, Lee and Shockley, Karger, Jueneman, and Gong. These six implementations are discussed in the following sections.

The Lipner Implementation

The Lipner implementation, published in 1982, describes two ways of implementing integrity. One uses the Bell-LaPadula confidentiality model, and the other uses both the Bell-LaPadula model and the Biba integrity model. Both methods assign security levels and functional categories to subjects and objects. For subjects, this translates into a person’s clearance level and job function (e.g., user, operator, applications programmer, or systems programmer). For objects, the sensitivity of the data or program and its functions (e.g., test data, production data, application program, or system program) are defined.

Lipner’s first method, using only the Bell-LaPadula model, assigns subjects to one of two sensitivity levels — system manager and anyone else — and to one of four job categories. Objects (i.e., file types) are assigned specific levels and categories. Most of the subjects and objects are assigned the same level; therefore, categories become the most significant integrity (i.e., access control) mechanism. The applications programmers, systems programmers, and users are confined to their own domains according to their assigned categories, thus preventing unauthorized users from modifying data.

Lipner’s second method combines Biba’s integrity model with the Bell-LaPadula basic security implementation. This combination of models helps prevent contamination of high-integrity data by low-integrity data or programs. The assignment of levels and categories to subjects and objects remains the same as for Lipner’s first method. Integrity levels are used to avoid the unauthorized modification of system programs; integrity categories are used to separate domains that are based on functional areas (e.g., production or research and development). This method prevents unauthorized users from modifying data and prevents authorized users from making improper data modifications.

Lipner’s methods were the first to separate objects into data and programs. The importance of this concept becomes clear when viewed in terms of implementing the Clark-Wilson integrity model; because programs allow users to manipulate data, it is necessary to control which programs a user may access and which objects a program can manipulate.

The Boebert and Kain Implementations

Boebert and Kain independently proposed (in 1985 and 1988, respectively) implementations of the Goguen-Meseguer integrity model. These implementations use a subsystem that cannot be bypassed; the actions performed on this subsystem cannot be undone and must be correct. This type of subsystem is featured in the system’s logical coprocessor kernel, which checks every access attempt to ensure that the access is consistent with the security policy being invoked.

Three security attributes are related to subjects and objects in this implementation. First, subjects and objects are assigned sensitivity levels. Second, subjects are identified according to the user on whose behalf the subject is acting, and objects are identified according to the list of users who can access the object and the access rights those users can execute. Third, the domain (i.e., subsystem) that the program is a part of is defined for subjects, and the object type is defined according to the information contained within the object.

When the system must determine the kind of access a subject is allowed, all three of these security attributes are used. Sensitivity levels of subjects and objects are compared to enforce the mandatory access control policy. To enforce discretionary access control, the access control lists are checked. Finally, access rights are determined by comparing the subject domain with the object type.

By isolating the action rather than the user, the Boebert and Kain implementation ensures that unauthorized users cannot modify data. The use of domains requires that actions be performed in only one location and in only one way; a user who cannot access the domain cannot perform the action.
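The three-attribute decision described in this section, as an added example that is not part of the handbook or of Boebert's or Kain's systems: every access must pass the sensitivity-level comparison, the access control list, and the domain/type table, and the function reports which of the three checks denied it. The level ordering, the Bell-LaPadula-style read-down/write-up interpretation of the level comparison, and the domain table entries are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed total ordering of sensitivity levels (constructed for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

# Domain-definition table: rights a program domain may exercise on an object
# type.  Entries are constructed; a real system would load these from its
# security policy.
DOMAIN_TABLE = {
    ("payroll", "payroll_data"): {"read", "write"},
    ("reporting", "payroll_data"): {"read"},
}


@dataclass
class Subject:
    user: str     # user on whose behalf the subject acts
    level: str    # sensitivity level
    domain: str   # subsystem the running program belongs to


@dataclass
class Object:
    name: str
    level: str
    obj_type: str
    acl: dict     # user -> set of rights, e.g. {"alice": {"read"}}


def mac_allows(subj, obj, right):
    # Mandatory check: read requires subject level >= object level,
    # write requires subject level <= object level (no write-down).
    s, o = LEVELS[subj.level], LEVELS[obj.level]
    return s >= o if right == "read" else s <= o


def dac_allows(subj, obj, right):
    # Discretionary check: the object's access control list.
    return right in obj.acl.get(subj.user, set())


def type_allows(subj, obj, right):
    # Domain/type check: the action must be permitted to this domain.
    return right in DOMAIN_TABLE.get((subj.domain, obj.obj_type), set())


def check_access(subj, obj, right):
    """Return (allowed, failing_check); all three checks must pass."""
    for name, check in (("mac", mac_allows), ("dac", dac_allows),
                        ("type", type_allows)):
        if not check(subj, obj, right):
            return False, name
    return True, None
```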

