Handbook of Information Security Management:Access Control

ACCESS CONTROL MODELS

To permit rigorous study of access control policies, models of various policies have been developed. Early work was based on detailed definitions of policies in place in the U.S. government, but later models have addressed commercial concerns. The following sections contain the overviews of several models.

Lattice Models

In a lattice model, every resource and every user of a resource is associated with one of an ordered set of classes. The classes stemmed from the military designations top secret, secret, confidential, and unclassified. Resources associated with a particular class may be used only by those whose associated class is as high as or higher than that of the resources. This scheme’s applicability to governmentally classified data is obvious; however, its application in commercial environments may also be appropriate.

The Bell-LaPadula Model

The lattice model took no account of the threat that might be posed by a Trojan horse lurking in a program used by people associated with a particular class that, unknown to them, copies information into a resource with a lower access level. In governmental terms, the Trojan horse would be said to effect de facto downgrading of classification. Despite the fact that there is no evidence that anyone has ever suffered a significant loss as a result of such an attack, such an attack would be very unattractive and several in the field are rightly concerned about it. Bell and LaPadula devised a model that took such an attack into account.

The Bell-LaPadula model prevents users and processes from reading above their security level, as does the lattice model (i.e., it asserts that processes with a given classification cannot read data associated with a higher classification). In addition, however, it prevents processes with any given classification from writing data associated with a lower classification. Although some might feel that the ability to write below the process’s classification is a necessary function — placing data that is not sensitive, though contained in a sensitive document, into a less sensitive file so that it could be available to people who need to see it — DoD experts gave so much weight to the threat of de facto downgrading that they felt the model had to preclude it. All work sponsored by the National Computer Security Center (NCSC) has employed this model.

The term “higher”, in this context, connotes more than a higher classification — it also connotes a superset of all resource categories. In asserting the Bell-LaPadula model’s applicability to commercial data processing, Lipner omits mention of the fact that the requirement for a superset of categories may not be appropriate outside governmental circles.

Considerable nomenclature has arisen in the context of the Bell-LaPadula model. The read restriction is referred to as the simple security property. The write restriction is referred to as the star property, because the asterisk used as a place-holder until the property was given a more formal name was never replaced.

The Biba Model

In studying the two properties of the Bell-LaPadula model, Biba discovered a plausible notion of integrity, which he defined as prevention of unauthorized modification. The resulting Biba integrity model states that maintenance of integrity requires that data not flow from a receptacle of given integrity to a receptacle of higher integrity. For example, if a process can write above its security level, trustworthy data could be contaminated by the addition of less trustworthy data.
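The lattice ordering, the two Bell-LaPadula properties and the Biba dual described in the preceding sections can be written down in a few dozen lines. The following Python is an added example, not code from the handbook; the names (Label, dominates, blp_can_read, blp_can_write, biba_can_read, biba_can_write, trojan_downgrade_blocked) and the category strings are assumptions. It encodes "higher" exactly as the text defines it for Bell-LaPadula: a level at least as high plus a superset of categories. The Biba functions reuse the same ordering, read as integrity levels, and the last function replays the Trojan-horse copy to show which check stops it.

```python
"""Lattice labels with Bell-LaPadula (confidentiality) and Biba (integrity) checks.

Added example, not from the handbook.  All names are assumed.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Ordered set of classes, lowest to highest (the military designations the text cites).
LEVELS = ("unclassified", "confidential", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A lattice element: a level plus a set of categories (compartments)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown level {self.level!r}")


def dominates(a: Label, b: Label) -> bool:
    """a is 'as high as or higher than' b: level not lower AND categories a superset.
    The superset requirement is the point the text makes about Lipner's commercial use."""
    return RANK[a.level] >= RANK[b.level] and a.categories >= b.categories


# --- Bell-LaPadula --------------------------------------------------------
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """Star property: no write down (the object must dominate the subject)."""
    return dominates(obj, subject)


# --- Biba: the same ordering read as integrity, with the directions swapped ---
def biba_can_read(subject: Label, obj: Label) -> bool:
    """No read down: a subject may not take in less trustworthy data."""
    return dominates(obj, subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """No write up: data may not flow into a receptacle of higher integrity."""
    return dominates(subject, obj)


def trojan_downgrade_blocked(process: Label, src: Label, dst: Label) -> bool:
    """A process that may read src tries to copy it into dst.  The plain lattice
    model checks only that the process may use the resources; Bell-LaPadula also
    applies the star property to the write.  True when BLP stops a copy the
    lattice model alone would allow."""
    lattice_allows = dominates(process, src) and dominates(process, dst)
    blp_allows = blp_can_read(process, src) and blp_can_write(process, dst)
    return lattice_allows and not blp_allows


if __name__ == "__main__":
    secret_nuc = Label("secret", frozenset({"NUC"}))
    secret = Label("secret")
    unclass = Label("unclassified")
    print(blp_can_read(secret_nuc, secret))                   # True
    print(blp_can_read(secret, secret_nuc))                   # False: missing category
    print(trojan_downgrade_blocked(secret, secret, unclass))  # True
```

Note that `dominates` is a partial order, not a total one: two labels at the same level with disjoint category sets dominate neither each other, which is why the category check cannot be collapsed into the level rank.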

The Take-Grant Model

Although auditors must be concerned with who is authorized to make what type of access to what data, they should also be concerned about what types of access to what data might become authorized without administrative intervention. This assumes that some people who are not administrators are authorized to grant authorization to others, as is the case when there are discretionary access controls. The take-grant model provides a mathematical framework for studying the results of revoking and granting authorization. As such, it is a useful analytical tool for auditors.
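The auditor's question in the paragraph above, "what could become authorized without administrative intervention", is a reachability computation over the take-grant graph. The following Python is an added example, not the handbook's; the names (TakeGrantGraph, rights_closure, can_acquire, sample_graph) and the scenario are assumptions. It applies only the take and grant rewriting rules, so the set of possible edges is finite and the fixpoint loop terminates; the create rule, which would make the graph unbounded, is left out.

```python
"""Take-grant rights closure: which rights could be acquired with no administrator.

Added example, not from the handbook.  Names and scenario are assumed.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Set, Tuple

Pair = Tuple[str, str]  # (holder, target)


class TakeGrantGraph:
    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()
        self.rights: Dict[Pair, Set[str]] = defaultdict(set)

    def add_subject(self, name: str) -> None:
        self.subjects.add(name)

    def add_object(self, name: str) -> None:
        self.objects.add(name)

    def add_right(self, holder: str, target: str, right: str) -> None:
        """Edge holder --right--> target.  't' (take) and 'g' (grant) are rights too."""
        self.rights[(holder, target)].add(right)

    def has_right(self, holder: str, target: str, right: str) -> bool:
        return right in self.rights.get((holder, target), set())


def _apply_rules_once(graph: TakeGrantGraph, rights: Dict[Pair, Set[str]]) -> bool:
    """One pass of take and grant over a snapshot; True if any edge was added.
    Only subjects initiate a step; objects are passive."""
    added = False
    snapshot = [(pair, frozenset(rs)) for pair, rs in rights.items() if rs]
    for (holder, target), held in snapshot:
        if holder not in graph.subjects:
            continue
        for (h2, y), rs2 in snapshot:
            # take: holder has t over target, target has r over y => holder gets r over y
            if "t" in held and h2 == target:
                new = rs2 - rights[(holder, y)]
                if new:
                    rights[(holder, y)] |= new
                    added = True
            # grant: holder has g over target, holder has r over y => target gets r over y
            if "g" in held and h2 == holder:
                new = rs2 - rights[(target, y)]
                if new:
                    rights[(target, y)] |= new
                    added = True
    return added


def rights_closure(graph: TakeGrantGraph) -> Dict[Pair, FrozenSet[str]]:
    """Every right reachable by repeated take/grant steps; the input graph is not modified."""
    rights: Dict[Pair, Set[str]] = defaultdict(set)
    for pair, rs in graph.rights.items():
        rights[pair] = set(rs)
    while _apply_rules_once(graph, rights):
        pass
    return {pair: frozenset(rs) for pair, rs in rights.items() if rs}


def can_acquire(graph: TakeGrantGraph, subject: str, target: str, right: str) -> bool:
    """Could subject end up holding right over target with no administrator involved?"""
    return right in rights_closure(graph).get((subject, target), frozenset())


def sample_graph() -> TakeGrantGraph:
    """Constructed scenario: alice holds payroll and may grant to bob;
    carol may take from bob; dave is isolated."""
    g = TakeGrantGraph()
    for s in ("alice", "bob", "carol", "dave"):
        g.add_subject(s)
    g.add_object("payroll")
    g.add_right("alice", "payroll", "r")
    g.add_right("alice", "payroll", "w")
    g.add_right("alice", "bob", "g")
    g.add_right("carol", "bob", "t")
    return g


if __name__ == "__main__":
    g = sample_graph()
    for who in ("bob", "carol", "dave"):
        print(who, "now:", g.has_right(who, "payroll", "w"),
              "eventually:", can_acquire(g, who, "payroll", "w"))
```

The interesting result is carol: she holds nothing on payroll today and no administrator ever grants her anything, yet the closure shows she can reach write access through two discretionary steps. That gap between the current matrix and its closure is what an audit of discretionary controls needs to report.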

The Clark-Wilson Model

Wilson and Clark were among the many who had observed by 1987 that academic work on models for access control emphasized data’s confidentiality rather than its integrity (i.e., the work exhibited greater concern for unauthorized observation than for unauthorized modification). Accordingly, they attempted to redress what they saw as a military view that differed markedly from a commercial one. In fact, however, what they considered a military view was not pervasive in the military.

The Clark-Wilson model consists of subject/program/object triples and rules about data, application programs, and triples. The following sections discuss the triples and rules in more detail.

Triples

All formal access control models that predate the Clark-Wilson model treat an ordered subject/object pair — that is, a user and an item or collection of data, with respect to a fixed relationship (e.g., read or write) between the two. Clark and Wilson recognized that the relationship can be implemented by an arbitrary program. Accordingly, they treat an ordered subject/program/object triple. They use the term “transformational procedure” for program to make it clear that the program has integrity-relevance because it modifies or transforms data according to a rule or procedure. Data that transformational procedures modify are called constrained data items because they are constrained in the sense that only transformational procedures may modify them and that integrity verification procedures exercise constraints on them to ensure that they have certain properties, of which consistency and conformance to the real world are two of the most significant. Unconstrained data items are all other data, chiefly the keyed input to transformational procedures.

Once subjects have been constrained so that they can gain access to objects only through specified transformational procedures, the transformational procedures can be embedded with whatever logic is needed to effect limitation of privilege and separation of duties. The transformational procedures can themselves control access of subjects to objects at a level of granularity finer than that available to the system. What is more, they can exercise finer controls (e.g., reasonableness and consistency checks on unconstrained data items) for such purposes as double-entry bookkeeping, thus making sure that whatever is subtracted from one account is added to another so that assets are conserved in transactions.
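The triples, transformational procedures, constrained and unconstrained data items, and the double-entry check of the two sections above fit into one small mediator. The following Python is an added example, not the handbook's; every name (ClarkWilsonSystem, Ledger, tp_transfer, tp_unbalanced_credit, ivp_books_balance, sample_system) and the account figures are assumptions. Subjects reach the ledger only through a certified (subject, TP, CDI) triple, the TP validates its keyed input before touching anything, and the integrity verification procedure runs before and after each TP so that a modification which fails to conserve assets is rolled back.

```python
"""Clark-Wilson: subject/TP/CDI triples, UDI validation and an IVP for double-entry books.

Added example, not from the handbook.  All names and figures are assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


class AccessDenied(Exception):
    """No certified (subject, TP, CDI) triple covers the request."""


class IntegrityViolation(Exception):
    """The IVP found the CDI in an invalid state."""


@dataclass
class Ledger:
    """A constrained data item: balances in cents plus the total the books must sum to."""
    balances: Dict[str, int]
    total: int


def ivp_books_balance(ledger: Ledger) -> bool:
    """Integrity verification procedure: assets are conserved and no account is overdrawn."""
    return (sum(ledger.balances.values()) == ledger.total
            and all(v >= 0 for v in ledger.balances.values()))


def tp_transfer(ledger: Ledger, udi: dict) -> None:
    """Transformational procedure: reasonableness checks on the unconstrained
    (keyed) input, then a double-entry move so what leaves one account enters the other."""
    src, dst, amount = udi.get("from"), udi.get("to"), udi.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        raise ValueError("amount must be a positive integer number of cents")
    if src == dst or src not in ledger.balances or dst not in ledger.balances:
        raise ValueError("unknown or identical accounts")
    if ledger.balances[src] < amount:
        raise ValueError("insufficient funds")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount


def tp_unbalanced_credit(ledger: Ledger, udi: dict) -> None:
    """Constructed faulty TP (credit with no matching debit) so the IVP has something to catch."""
    ledger.balances[udi["to"]] += udi["amount"]


class ClarkWilsonSystem:
    def __init__(self, ivp: Callable[[Ledger], bool]) -> None:
        self.ivp = ivp
        self.cdis: Dict[str, Ledger] = {}
        self.tps: Dict[str, Callable[[Ledger, dict], None]] = {}
        self.triples: Set[Tuple[str, str, str]] = set()  # (subject, tp, cdi)

    def add_cdi(self, name: str, ledger: Ledger) -> None:
        self.cdis[name] = ledger

    def certify_tp(self, name: str, fn: Callable[[Ledger, dict], None]) -> None:
        self.tps[name] = fn

    def allow(self, subject: str, tp: str, cdi: str) -> None:
        """Record a triple; which subjects get which TPs is where separation of duties lives."""
        self.triples.add((subject, tp, cdi))

    def run(self, subject: str, tp: str, cdi: str, udi: dict) -> Dict[str, int]:
        """The only path by which a subject modifies a CDI."""
        if (subject, tp, cdi) not in self.triples:
            raise AccessDenied(f"{subject} may not run {tp} on {cdi}")
        ledger = self.cdis[cdi]
        if not self.ivp(ledger):
            raise IntegrityViolation(f"{cdi} inconsistent before {tp}")
        before = dict(ledger.balances)
        self.tps[tp](ledger, udi)        # a ValueError from the TP propagates; CDI untouched
        if not self.ivp(ledger):
            ledger.balances = before     # roll back the invalid modification
            raise IntegrityViolation(f"{tp} left {cdi} inconsistent; rolled back")
        return dict(ledger.balances)


def sample_system() -> ClarkWilsonSystem:
    """Constructed setup: only the teller holds triples; an auditor holds none."""
    system = ClarkWilsonSystem(ivp_books_balance)
    system.add_cdi("books", Ledger({"cash": 10_000, "receivables": 1_000}, total=11_000))
    system.certify_tp("transfer", tp_transfer)
    system.certify_tp("credit", tp_unbalanced_credit)
    system.allow("teller", "transfer", "books")
    system.allow("teller", "credit", "books")
    return system


if __name__ == "__main__":
    s = sample_system()
    print(s.run("teller", "transfer", "books",
                {"from": "cash", "to": "receivables", "amount": 500}))
```

The `run` method is the whole of the model's enforcement: the triple check is the access control the system provides, the TP's own checks are the finer-grained control the text says transformational procedures can exercise, and the IVP is what turns "assets are conserved" from a convention into a property that is verified on every transaction.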
