A security model is a specification of a security policy it describes the entities governed by the policy, it states the rules that constitute the policy.
There are various types of security models:
- Models can capture policies for confidentiality or for integrity.
- Some models apply to environments with static policies, others consider dynamic changes of access rights.
- Security models can be informal, semi-formal, or formal.
Model vs Policy
A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques that are necessary to enforce the security policy. A security model is usually represented in mathematics and analytical ideas, which are then mapped to system specifications, and then developed by programmers through programming code.
For Example, if a security policy states that subjects need to be authorized to access objects, the security model would provide the mathematical relationships and formulas explaining how x can access y only through the outlined specific methods
A security policy outlines goals without regard to how they will be accomplished. A model is a framework that gives the policy form and solves security access problems for particular situations.
Read more about secuirty policies in my next post.
Here are three classic security architecture models:
- A lattice is a mathematical construct that is built upon the notion of a group.
- A lattice is a mathematical construction with:
- a set of elements
- a partial ordering relation
- The property that any two elements must have unique least upper bound and greatest lower bound
A security lattice model combines multilevel and multilateral security Lattice elements are security labels that consist of a security level and set of categories.
State Machine Models
In state machine model, the state of a machine is captured in order to verify the security of a system. A given state consists of all current permissions and all current instances of subjects accessing the objects. If the subject can access objects only by means that are concurrent with the security policy, the system is secure.
The model is used to describe the behavior of a system to different inputs. It provides mathematical constructs that represents sets (subjects, objects) and sequences. When an object accepts an input , this modifies a state variable thus transiting to a different state.
- The developer must define what and where the state variables are.
- The developer must define a secure state for each state variable.
- Define and identify the allowable state transition functions.
- The state transition function should be tested to verify that the overall m/c state will not compromise and the integrity of the system is maintained.
The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level.
It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it can not change the state for the entity at the lower level.
The model also addresses the inference attack that occurs when some one has access to some type of information and can infer(guess) something that he does not have the clearance level or authority to know.