Bell-La Padula, Biba and Clark-Wilson Security Models

Posted May 16, 2010 at 1:08 pm in Policy

I’ve decided to begin studying for the Systems Security Certified Practitioner (SSCP) exam offered through (ISC)2 since I’ve started to drift away from the security world due to my educational pursuits. In my studies I’ve come across a few security models that I feel are worth quickly summarizing which include the Bell-La Padula, Biba, and Clark-Wilson models.

Bell-La Padula Model
The Bell-La Padula model is an access control model that is commonly used by the U.S. government and military. It is probably better known as the “no read up, no write down” model. It uses a set of access control rules that compare security labels on objects with clearances for subjects. In the U.S. scheme the classification levels are Unclassified, Confidential, Secret and Top Secret (markings such as For Official Use Only are handling caveats rather than classification levels); a full label may also carry a set of categories or compartments, so two labels are compared by a dominance relation (a level at least as high and a superset of the categories) rather than by level alone. A common criticism of the model is that it draws no clear distinction between protection and security.

The model emphasizes data confidentiality and controlled access to classified information. To decide whether a subject may access an object, the clearance of the subject is compared with the classification of the object.

Two mandatory access control rules and one discretionary access control rule are defined:

  • Simple Security Property – A subject at a given security level may not read an object at a higher security level. The subject may not “read up”. For example, a person with a Secret clearance may not read a report that is labeled Top Secret.
  • The *-property (star property) or Confinement property – A subject at a given security level may not write to any object at a lower security level. The subject may not “write down”. Note: Trusted subjects, which are trusted not to leak data when they do write down (a sanitizer or downgrader, for example), are not restricted by this property.
  • The Discretionary Security Property – An access matrix specifies the discretionary access control; a request must satisfy both the mandatory rules and the matrix.

There also exists a strong *-property, under which a subject may write only to objects at its own security level, so “write up” is not permitted either. The motivation is integrity: without it, a subject with a low clearance could overwrite or corrupt a higher-level object that it is not even allowed to read (a “blind write”).

Biba Model
The Biba security model was developed to address a weakness in the Bell-La Padula model: it addresses integrity, which the confidentiality-focused Bell-La Padula model does not cover at all. Much like the Bell-La Padula model, the Biba model uses subjects and objects. However, subjects and objects are assigned integrity levels rather than sensitivity labels. The Biba model’s catch phrase is the mirror image of Bell-La Padula’s: “no read down, no write up”.

In order to preserve integrity, subjects may write content at or below their own integrity level and read content at or above their own integrity level. Data can therefore flow only from higher-integrity sources to lower-integrity destinations, so a trusted object can never be contaminated by less trustworthy input.

In similar fashion to the Bell-La Padula model, the Biba model has two corresponding rules:

  • A subject at a given level of integrity must not read an object at a lower integrity level (no read down). This is known as the Simple Integrity Axiom.
  • A subject at a given level of integrity must not write to any object at a higher level of integrity (no write up). This is known as the * (star) Integrity Axiom.

The full model also has an Invocation Property: a subject may not invoke (request service from) a subject at a higher integrity level, which closes the loophole of getting a more trusted process to perform the write on your behalf.
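The two lattice models above, as an added worked example that is not part of the original post: a toy reference monitor in Python that implements the Bell-La Padula read/write checks (including the discretionary access matrix, trusted subjects and the strong *-property) and the Biba checks with one shared dominance relation, which makes it obvious that Biba is Bell-La Padula with the comparison turned around. It goes slightly beyond the post’s summary by giving labels a set of categories (compartments) as well as a level, which is how real Bell-La Padula labels are compared. All level names, subjects, objects and the access matrix are constructed for the example.

```python
from dataclasses import dataclass

# Two constructed lattices. Both models compare labels with one "dominates" relation;
# Bell-LaPadula and Biba differ only in which way round the comparison is made.
SENSITIVITY = ("Unclassified", "Confidential", "Secret", "Top Secret")
INTEGRITY = ("Untrusted", "User", "System")

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # compartments / need-to-know categories (beyond the post's summary)
    scale: tuple = SENSITIVITY            # the ordered set of levels this label belongs to

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND categories a superset of the other's."""
        if self.scale != other.scale:
            raise ValueError("labels from different lattices are incomparable")
        return (self.scale.index(self.level) >= self.scale.index(other.level)
                and self.categories >= other.categories)

@dataclass(frozen=True)
class Subject:
    name: str
    label: Label            # clearance (BLP) or integrity level (Biba)
    trusted: bool = False   # BLP trusted subject: exempt from the *-property

@dataclass(frozen=True)
class Obj:
    name: str
    label: Label            # classification (BLP) or integrity level (Biba)

# ---- Bell-LaPadula: confidentiality ----
def blp_read(s: Subject, o: Obj) -> bool:
    """Simple security property: no read up (clearance must dominate classification)."""
    return s.label.dominates(o.label)

def blp_write(s: Subject, o: Obj, strong: bool = False) -> bool:
    """*-property: no write down; strong=True is the strong *-property (write only at own level)."""
    if s.trusted:
        return True
    return o.label == s.label if strong else o.label.dominates(s.label)

# ---- Biba: integrity, the dual of BLP ----
def biba_read(s: Subject, o: Obj) -> bool:
    """Simple integrity axiom: no read down (object's integrity must dominate the subject's)."""
    return o.label.dominates(s.label)

def biba_write(s: Subject, o: Obj) -> bool:
    """* integrity axiom: no write up (subject's integrity must dominate the object's)."""
    return s.label.dominates(o.label)

# ---- Discretionary security property: a constructed access matrix ----
ACCESS_MATRIX = {
    ("alice", "secret_report"): {"read", "write"},
    ("alice", "ts_plan"): {"read", "write"},
    ("bob", "ts_plan"): {"read"},
}

def blp_decide(s: Subject, o: Obj, op: str, strong: bool = False) -> bool:
    """A BLP reference monitor: the mandatory rule AND the discretionary matrix must both allow `op`."""
    mac = blp_read(s, o) if op == "read" else blp_write(s, o, strong)
    dac = op in ACCESS_MATRIX.get((s.name, o.name), set())
    return mac and dac

# ---- Constructed subjects and objects ----
alice = Subject("alice", Label("Secret"))
bob = Subject("bob", Label("Top Secret"))
guard = Subject("guard", Label("Top Secret"), trusted=True)   # e.g. a vetted downgrader
secret_report = Obj("secret_report", Label("Secret"))
ts_plan = Obj("ts_plan", Label("Top Secret"))
ts_crypto = Obj("ts_crypto", Label("Top Secret", frozenset({"CRYPTO"})))
memo = Obj("memo", Label("Unclassified"))

editor = Subject("editor", Label("User", scale=INTEGRITY))
form_field = Obj("form_field", Label("Untrusted", scale=INTEGRITY))
draft = Obj("draft.txt", Label("User", scale=INTEGRITY))
passwd = Obj("/etc/passwd", Label("System", scale=INTEGRITY))

if __name__ == "__main__":
    checks = [
        ("BLP  alice reads secret_report", blp_read(alice, secret_report)),
        ("BLP  alice reads ts_plan (read up)", blp_read(alice, ts_plan)),
        ("BLP  bob reads ts_crypto (no CRYPTO category)", blp_read(bob, ts_crypto)),
        ("BLP  alice writes memo (write down)", blp_write(alice, memo)),
        ("BLP  alice writes ts_plan (write up)", blp_write(alice, ts_plan)),
        ("BLP  alice writes ts_plan, strong *-property", blp_write(alice, ts_plan, strong=True)),
        ("BLP  guard (trusted) writes memo", blp_write(guard, memo)),
        ("BLP  alice reads memo, MAC and DAC", blp_decide(alice, memo, "read")),
        ("Biba editor reads form_field (read down)", biba_read(editor, form_field)),
        ("Biba editor writes /etc/passwd (write up)", biba_write(editor, passwd)),
        ("Biba editor writes draft.txt", biba_write(editor, draft)),
    ]
    for what, ok in checks:
        print(f"{what}: {'allow' if ok else 'deny'}")
```

Two things worth noticing when you run it: bob, who holds a Top Secret clearance, is still denied `ts_crypto` because his label lacks the CRYPTO category, which is why dominance rather than a plain level comparison matters; and `blp_decide` denies alice a read of the Unclassified memo even though the mandatory rule allows it, because the discretionary matrix is a separate gate that must also pass.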

Clark-Wilson Model
The Clark-Wilson model is concerned with information integrity, using an integrity policy that defines enforcement rules (E) and certification rules (C). The basic principle of the model is the well-formed transaction: a series of operations that moves the system from one consistent state to another, instead of letting users manipulate the data directly.

The model essentially boils down to data items and the procedures that operate on them. A Constrained Data Item (CDI) is the data the model protects. An Integrity Verification Procedure (IVP) checks that all CDIs in the system are in a valid state. Transformation Procedures (TPs) are the certified transactions that enforce the integrity policy. A Transformation Procedure takes as input Constrained Data Items or Unconstrained Data Items (UDIs, such as raw user input) and produces Constrained Data Items. A Transformation Procedure must be certified to take the system from one valid state to another valid state, and users may change CDIs only through TPs.

The Clark-Wilson triple is the relationship that binds an authenticated principal (user), a set of programs (Transformation Procedures), and the data items (Constrained Data Items and Unconstrained Data Items) those programs may act on. Across the model’s two rule sets there are nine rules in total: five certification rules (C1–C5), which are satisfied outside the system by whoever certifies the IVPs and TPs, and four enforcement rules (E1–E4), which the system itself enforces at run time.

  • C1—When an IVP is executed, it must ensure the CDIs are valid.
  • C2—For some associated set of CDIs, a TP must transform those CDIs from one valid state to another.

Since we must make sure that these TPs are certified to operate on a particular CDI, we must have E1 and E2.

  • E1—System must maintain a list of certified relations and ensure only TPs certified to run on a CDI change that CDI.
  • E2—System must associate a user with each TP and set of CDIs. The TP may access the CDI on behalf of the user if it is “legal.”

This requires keeping track of triples (user, TP, CDIs) called “allowed relations.”

  • C3—Allowed relations must meet the requirements of “separation of duty.”

We need authentication to keep track of this.

  • E3—System must authenticate every user attempting a TP. Note that this is per TP request, not per login.

For security purposes, a log should be kept.

  • C4—All TPs must append to a log enough information to reconstruct the operation.

When information enters the system it need not be trusted or constrained (i.e. can be a UDI). We must deal with this appropriately.

  • C5—Any TP that takes a UDI as input may only perform valid transactions for all possible values of the UDI. The TP will either accept (convert to CDI) or reject the UDI.

Finally, to prevent people from gaining access by changing qualifications of a TP:

  • E4—Only the certifier of a TP may change the list of entities associated with that TP.
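The nine rules above, as an added worked example that is not part of the original post or of the Clark and Wilson paper: a small Python enforcement kernel for a two-account ledger. The CDIs are the account balances plus a control total; the IVP (C1) says the ledger is valid when no balance is negative and the balances sum to the control total; TPs validate their UDIs before touching a CDI (C5) and run on a copy that is committed only if the IVP still holds afterwards (C2); the kernel keeps the certified and allowed relations (E1, E2), authenticates every TP request rather than a session (E3), lets only a TP’s certifier change its relations (E4), refuses relations that would give one user a conflicting pair of TPs (C3), and logs enough to reconstruct each attempt (C4). The ledger, the user names and passwords, the “deposit/transfer” separation-of-duty policy and the TPs themselves are all constructed for the example; `tp_transfer` deliberately omits a balance check so that the C2 safety net is visible.

```python
import hashlib
import hmac

class IntegrityViolation(Exception):
    """The message names the Clark-Wilson rule (C1-C5, E1-E4) that the request broke."""

SALT = b"constructed-demo-salt"   # fixed so the example is deterministic; use a random per-user salt for real

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

def parse_amount(udi: str) -> int:
    """C5: accept a decimal money string such as '12.50' as integer cents; reject everything else."""
    whole, _, frac = str(udi).strip().partition(".")
    if not whole.isdigit() or (frac and (not frac.isdigit() or len(frac) > 2)):
        raise ValueError(f"malformed amount {udi!r}")
    cents = int(whole) * 100 + int(frac.ljust(2, "0"))
    if not 0 < cents <= 100_000_000:
        raise ValueError("amount out of range")
    return cents

def ivp_ledger(cdis: dict) -> bool:
    """C1: the ledger is valid iff no balance is negative and the balances sum to the control total."""
    balances = [v for k, v in cdis.items() if k != "control_total"]
    return min(balances) >= 0 and sum(balances) == cdis["control_total"]

# Constructed TPs. Each sees only the CDIs named in the allowed relation it runs under.
def tp_deposit(cdis: dict, account: str, amount_udi: str) -> None:
    cents = parse_amount(amount_udi)
    cdis[account] += cents
    cdis["control_total"] += cents

def tp_transfer(cdis: dict, src: str, dst: str, amount_udi: str) -> None:
    cents = parse_amount(amount_udi)   # note the missing balance check: C2 (the IVP) is the safety net
    cdis[src] -= cents
    cdis[dst] += cents

class Kernel:
    def __init__(self, cdis: dict, ivp, sod_conflicts=()):
        self.cdis, self.ivp = dict(cdis), ivp
        self.sod_conflicts = [frozenset(c) for c in sod_conflicts]   # C3 policy: TP sets one user may not hold
        self.tps = {}                                             # E1: name -> (fn, certifier, certified CDIs)
        self.allowed, self.creds, self.log = set(), {}, []        # E2 triples, E3 password hashes, C4 log

    def certify_tp(self, certifier: str, name: str, fn, cdis) -> None:
        """Record that `certifier` vouches for `fn` (C2) and for the CDIs it may change (E1)."""
        self.tps[name] = (fn, certifier, frozenset(cdis))

    def allow(self, actor: str, user: str, tp: str, cdis) -> None:
        """Add an allowed relation: only the TP's certifier may (E4), only within its certified CDIs (E1),
        and never so that `user` ends up holding a conflicting set of TPs (C3)."""
        _, certifier, certified = self.tps[tp]
        if actor != certifier:
            raise IntegrityViolation(f"E4: {actor} did not certify {tp}")
        cdis = frozenset(cdis)
        if not cdis <= certified:
            raise IntegrityViolation(f"E1: {tp} is not certified for {sorted(cdis - certified)}")
        held = {t for u, t, _ in self.allowed if u == user} | {tp}
        if any(conflict <= held for conflict in self.sod_conflicts):
            raise IntegrityViolation(f"C3: {user} would hold conflicting TPs {sorted(held)}")
        self.allowed.add((user, tp, cdis))

    def run_tp(self, user: str, password: str, tp: str, cdis, *udis) -> dict:
        """E3 and E2 gate the request; the TP runs on a copy and C5/C2 decide whether it commits; C4 logs either way."""
        cdis = frozenset(cdis)
        stored = self.creds.get(user)
        if stored is None or not hmac.compare_digest(stored, _hash(password)):   # E3: every request, not just login
            raise IntegrityViolation(f"E3: authentication failed for {user}")
        if (user, tp, cdis) not in self.allowed:                                  # E2
            raise IntegrityViolation(f"E2: ({user}, {tp}, {sorted(cdis)}) is not an allowed relation")
        before = {n: self.cdis[n] for n in cdis}
        work, verdict = dict(before), "ok"                # the TP edits a copy; nothing commits on failure
        try:
            self.tps[tp][0](work, *udis)
        except (ValueError, KeyError) as e:               # C5: input rejected (bad UDI, or a CDI outside the triple)
            verdict = f"C5: {e}"
        else:
            if not self.ivp({**self.cdis, **work}):       # C2: the result must be a valid state
                verdict = f"C2: {tp} would leave the CDIs invalid"
        self.log.append({"user": user, "tp": tp, "cdis": sorted(cdis), "udis": udis, "before": before,
                         "attempted": work, "verdict": verdict})                   # C4: enough to reconstruct it
        if verdict != "ok":
            raise IntegrityViolation(verdict)
        self.cdis.update(work)
        return work

def outcome(action, *args) -> str:
    """Call a Kernel method and report 'ok' or the rule that denied it (e.g. 'E2')."""
    try:
        action(*args)
        return "ok"
    except IntegrityViolation as e:
        return str(e).split(":", 1)[0]

def build_demo_kernel() -> Kernel:
    """Constructed setup: a two-account ledger, two operators, and an auditor who certifies the TPs."""
    k = Kernel({"checking": 10_000, "savings": 5_000, "control_total": 15_000}, ivp_ledger,
               sod_conflicts=[{"deposit", "transfer"}])   # whoever books cash in may not also move it out
    k.creds = {u: _hash(pw) for u, pw in [("teller", "t3ller-pw"), ("clerk", "cl3rk-pw")]}
    k.certify_tp("auditor", "deposit", tp_deposit, {"checking", "savings", "control_total"})
    k.certify_tp("auditor", "transfer", tp_transfer, {"checking", "savings"})
    k.allow("auditor", "teller", "deposit", {"checking", "control_total"})
    k.allow("auditor", "clerk", "transfer", {"checking", "savings"})
    return k
```

Usage: `k = build_demo_kernel()` and then `outcome(k.run_tp, "clerk", "cl3rk-pw", "transfer", {"checking", "savings"}, "checking", "savings", "50.00")` returns `"ok"`, while an overdraft returns `"C2"` and leaves the balances untouched, a malformed amount returns `"C5"`, a wrong password `"E3"`, and asking the auditor to grant the teller the transfer TP returns `"C3"`. The point to take from the design is that the TP never gets a handle to the live CDIs: it edits a copy, and the IVP is run on the merged result before anything is committed, so a buggy or mis-certified TP cannot leave the system in an invalid state.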




Commentary

  1. daya sharma
    July 10, 2010 at 4:58 am  

    Need to know the shortcomings of Clark and Wilson security policy. Can anyone help?
