2/1/2026
BITS Pilani, Pilani Campus
SS ZG681 / SE ZG681 Cyber Security (Merged - SEZG681/SSZG681)
Vishal Gupta
Department of Computer Science and Information Systems
BITS Pilani, Birla Institute of Technology and Science, Pilani Campus
Cyber Security – CS-3
1
Outline
• Overview
  – Mandatory versus discretionary controls
  – What is a confidentiality model
• Bell-LaPadula Model
  – General idea
  – Description of rules
  – Tranquility

Overview
What is a Security Policy?
• Definition: A security policy is a statement that defines what is allowed and what is forbidden in a computer system.
• It defines what security means for that system — without it, you can’t tell if something is “secure” or “insecure”.
Two parts:
• Security Goals – what you are trying to achieve (e.g., confidentiality, integrity, availability).
• Rules – specific restrictions or permissions to achieve those goals.
Example
• Policy: “Only HR staff can access employee salary records.”
• Mechanism: Password-protected HR portal and access control lists.
• If a finance intern accesses salary data without permission → policy violation.
Security Policy
• Policy partitions system states into:
  – Authorized (secure)
    • These are states the system can enter
  – Unauthorized (nonsecure)
    • If the system enters any of these states, it’s a security violation
• Secure system
  – Starts in authorized state
  – Never enters unauthorized state

Types of Security Policies
• Military (governmental) security policy
  – Policy primarily protecting confidentiality
• Commercial security policy
  – Policy primarily protecting integrity
• Confidentiality policy
  – Policy protecting only confidentiality
• Integrity policy
  – Policy protecting only integrity
What is Mandatory Access Control (MAC)?
- Access decisions based on fixed policies
- Controlled by system administrator/security policy, and not by individual users.
- Characteristics: Centralized, rigid, very secure
- Uses security labels (Top Secret, Secret, Confidential)
- Enforced through formal models like Bell-LaPadula
How it works:
• Every subject (user/process) and object (file/resource) is assigned a security label (e.g., Top Secret, Secret, Confidential, Unclassified).
• Access rules are based on these labels, using models like Bell-LaPadula (confidentiality) or Biba (integrity).

Example of MAC
- Military environment:
  • 'Secret' file → only users with 'Secret' or higher clearance
  • 'Top Secret' officer → cannot post info into a 'Confidential' file
What is Discretionary Access Control (DAC)?
- Access decisions made by owner of the resource
- Uses Access Control Lists (ACLs) or capability tables
- Example: UNIX/Linux file permissions (rwx)
- Flexible, user-friendly, less secure

Example of DAC
- Company environment:
  • Alice creates a document → grants Bob read/write access
  • Alice denies access to Charlie
- Similar to Google Docs sharing options
Key Differences

Aspect        MAC                                DAC
Control       Central authority/policy           Owner of data
Flexibility   Rigid                              Flexible
Security      High                               Lower
Common Use    Military, govt systems             Businesses, personal
Example Rule  'Secret' cannot read 'Top Secret'  File owner grants access

Summary
- MAC: Security-first, rigid, system decides
- DAC: User-friendly, flexible, owner decides
- Real-world systems often use a hybrid of both

Confidentiality Policy
• Goal: prevent the unauthorized disclosure of information
  – Deals with information flow
  – Unauthorized alteration of information is secondary
• Multi-level security models are best-known examples
  – Bell-LaPadula Model basis for many, or most, of these
Bell-LaPadula Model, Step 1
• Security levels arranged in linear ordering
  – Top Secret: highest
  – Secret
  – Confidential
  – Unclassified: lowest
• Levels consist of security clearance L(s)
  – Objects have security classification L(o)

Example

Security level   Subject   Object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     Bob       Telephone Lists

• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Bob can only read Telephone Lists
Reading Information
• Information flows up, not down
  – “Reads up” disallowed, “reads down” allowed
• Simple Security Condition (Step 1)
  – Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no reads up” rule

Writing Information
• Information flows up, not down
  – “Writes up” allowed, “writes down” disallowed
• *-Property (Step 1)
  – Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no writes down” rule
Basic Security Theorem, Step 1
• If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 1), and the *-property (step 1), then every state of the system is secure

Example Scenarios
Military Context
A soldier with “Secret” clearance:
• Can read: “Secret” or “Confidential” documents.
• Cannot read: “Top Secret” documents (No Read Up).
• Cannot write: to “Confidential” or “Unclassified” systems (No Write Down).
Corporate Context
In a company, suppose levels are: Executives (High), Managers (Medium), Interns (Low).
• Executives cannot send a confidential merger plan to interns (No Write Down).
• Interns cannot access board meeting minutes (No Read Up).
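The Step 1 reading and writing rules, the Basic Security Theorem and the scenarios above, worked through as an added Python example (not code from the lecture): the level table is the one on the Step 1 example slide; the discretionary ACL and the sequence of requests are constructed assumptions, since the slides only say “s has permission to read/write o”.

```python
# Linear ordering of security levels, lowest to highest.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
# L(s): clearance of each subject; L(o): classification of each object.
CLEARANCE = {"Tamara": "Top Secret", "Samuel": "Secret",
             "Claire": "Confidential", "Bob": "Unclassified"}
CLASSIFICATION = {"Personnel Files": "Top Secret", "E-Mail Files": "Secret",
                  "Activity Logs": "Confidential", "Telephone Lists": "Unclassified"}
# Constructed discretionary part: everyone holds read and write on every object,
# except that Samuel's discretionary read on Activity Logs has been revoked, to
# show that the mandatory and the discretionary check must both pass.
ACL = {o: {"read": set(CLEARANCE), "write": set(CLEARANCE)} for o in CLASSIFICATION}
ACL["Activity Logs"]["read"].discard("Samuel")

def dominates(a, b):
    """True when level a is at or above level b in the linear ordering."""
    return RANK[a] >= RANK[b]

def can_read(s, o):
    """Simple security condition: L(o) <= L(s) and s has permission to read o."""
    return dominates(CLEARANCE[s], CLASSIFICATION[o]) and s in ACL[o]["read"]

def can_write(s, o):
    """*-property: L(s) <= L(o) and s has permission to write o."""
    return dominates(CLASSIFICATION[o], CLEARANCE[s]) and s in ACL[o]["write"]

def is_secure(state):
    """A state is a set of current (subject, object, mode) accesses; it is
    secure when every access in it satisfies the rule for its mode."""
    return all((can_read if m == "read" else can_write)(s, o) for s, o, m in state)

def request(state, s, o, mode):
    """One state transition: grant the access only if the rules allow it.
    Basic Security Theorem, Step 1: from a secure state, the result is secure."""
    allowed = can_read(s, o) if mode == "read" else can_write(s, o)
    return state | {(s, o, mode)} if allowed else state

if __name__ == "__main__":
    state = frozenset()                                      # initially secure
    for s, o, m in [("Tamara", "Telephone Lists", "read"),   # read down: ok
                    ("Bob", "Personnel Files", "read"),      # read up: denied
                    ("Bob", "Personnel Files", "write"),     # write up: ok
                    ("Tamara", "Telephone Lists", "write")]: # write down: denied
        state = request(state, s, o, m)
        print(f"{s:7} {m:5} {o:16} secure={is_secure(state)} accesses={len(state)}")
```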
Strengths and Weaknesses
Strengths
• Strong protection of confidentiality.
• Well-suited for environments where secrecy is critical (military, government).
• Simple and mathematically provable.
Limitations
• Does not protect integrity (data correctness) or availability.
• For example, a user could still corrupt data as long as rules are not broken.
• Too rigid for real-world businesses, where information sharing across levels is necessary.
• “No Write Down” can block legitimate workflows (e.g., analysts wanting to share summarized reports with the public).

Integrity Policies
• Goal: Protect data from unauthorized modification.
• Focus: Who can change the data and how it can be changed.
Formal Models:
• Biba Model – “No Write Up, No Read Down”
  • Prevents low-integrity subjects from corrupting high-integrity data.
  • Prevents contamination by reading untrusted data.
• Clark-Wilson Model – More business-oriented
  • Uses “well-formed transactions” and “separation of duties”.
Example:
• Banking system:
  • Only authorized transactions can change account balances.
  • Clerks enter data, but managers approve transactions.
Introduction to the Biba Model
• The Biba Integrity Model (developed by Kenneth Biba in 1977) is a formal state-transition model that focuses on data integrity rather than confidentiality (unlike Bell-LaPadula).
• Goal: Prevent corruption of sensitive or important data by unauthorized or lower-integrity sources.
• Principle: Ensure that information is trustworthy, accurate, and reliable.

Core Principles
Biba uses integrity levels (similar to security clearance levels in Bell-LaPadula).
Two main rules define it:
Simple Integrity Property (No Read Down)
A subject at a higher integrity level cannot read data at a lower integrity level.
Reason: Prevents contamination of high-trust processes with untrusted/dirty data.
*-Integrity Property (No Write Up)
A subject at a lower integrity level cannot write to data at a higher integrity level.
Reason: Prevents untrusted users/programs from corrupting high-integrity data.
Intuition with an Analogy
Think of a hospital system:
Doctors’ records (high integrity)
Nurses’ reports (medium integrity)
Patient’s self-entered notes (low integrity)
Using Biba:
Doctors (high integrity) cannot read patient’s self-entered notes (low integrity) → avoids medical decisions based on unreliable info.
Patients (low integrity) cannot overwrite doctors’ records (high integrity).

Examples
Example 1: Financial Transactions
High integrity: Bank’s core transaction database.
Medium integrity: Customer service staff inputs.
Low integrity: Customer’s online forms.
Application:
A customer (low) cannot directly update the core database (high).
A bank officer (high) cannot rely on customer-submitted forms (low) without validation.
Examples
Software Development
High integrity: Source code repository (production branch).
Medium integrity: Developer’s tested code.
Low integrity: User feedback or bug reports.
Application:
A junior intern (low) cannot directly commit to the production branch (high).
A senior developer (high) should not base fixes solely on unverified bug reports (low).

Military System
High integrity: Strategic command data.
Medium integrity: Field officer reports.
Low integrity: Open-source intelligence (social media, rumors).
Application:
Commanders (high) cannot make decisions directly based on Twitter reports (low).
Field soldiers (low/medium) cannot alter top-secret strategic documents (high).
Examples
Operating Systems
High integrity: Kernel files.
Medium integrity: System applications.
Low integrity: User applications.
Application:
A user program (low) cannot modify kernel files (high).
Kernel (high) cannot use outputs from untrusted user programs (low) without sanitization.

Advantages and Limitations
Advantages
Protects data reliability and correctness.
Prevents malicious or accidental corruption of important resources.
Useful in financial systems, healthcare, and defense where integrity matters most.
Limitations
Can be too strict → makes practical work harder (e.g., sometimes high-level users do need to read low-level data).
Often implemented with trusted intermediaries (e.g., validation, sanitization, filters) to bridge the gap.
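The two Biba rules and the trusted-intermediary remedy from the limitations above, as an added Python example (not code from the lecture): the roles and levels follow the hospital analogy; the validated_vitals object, the body-temperature range check and the sample notes are constructed assumptions.

```python
LEVELS = ["low", "medium", "high"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
SUBJECTS = {"doctor": "high", "nurse": "medium", "patient": "low"}
# Objects carry an integrity level and their entries. validated_vitals is the
# constructed high-integrity object that only the trusted intermediary fills.
OBJECTS = {"doctor_records": ["high", []], "nurse_reports": ["medium", []],
           "patient_notes": ["low", []], "validated_vitals": ["high", []]}

def can_read(subject, obj):
    """Simple integrity property (no read down): I(s) <= I(o)."""
    return RANK[SUBJECTS[subject]] <= RANK[OBJECTS[obj][0]]

def can_write(subject, obj):
    """*-integrity property (no write up): I(o) <= I(s)."""
    return RANK[OBJECTS[obj][0]] <= RANK[SUBJECTS[subject]]

def write(subject, obj, entry):
    if not can_write(subject, obj):
        raise PermissionError(f"{subject} may not write up to {obj}")
    OBJECTS[obj][1].append(entry)

def read(subject, obj):
    if not can_read(subject, obj):
        raise PermissionError(f"{subject} may not read down from {obj}")
    return list(OBJECTS[obj][1])

def plausible_vitals(entry):
    """Constructed validation rule: a dict whose body temperature lies in a
    physiologically possible range; free text and typos are rejected."""
    return isinstance(entry, dict) and 30.0 <= entry.get("temp_c", -1.0) <= 45.0

def trusted_validate(src, dst, check):
    """Trusted intermediary: the only code allowed to move data to a higher
    integrity level, and only the entries that pass `check`. Returns how many."""
    accepted = [e for e in OBJECTS[src][1] if check(e)]
    OBJECTS[dst][1].extend(accepted)
    return len(accepted)

if __name__ == "__main__":
    write("patient", "patient_notes", {"temp_c": 37.2})      # ok: same level
    write("patient", "patient_notes", {"temp_c": 412})       # typo: implausible
    write("patient", "patient_notes", "feeling fine today")  # free text
    print("doctor reads raw notes:", can_read("doctor", "patient_notes"))  # False
    trusted_validate("patient_notes", "validated_vitals", plausible_vitals)
    print("doctor reads validated:", read("doctor", "validated_vitals"))
```

The doctor never sees the raw low-integrity notes; only the entries the intermediary has vetted reach the high-integrity object, which is the bridge the limitations slide refers to.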
Clark-Wilson Model
• Proposed by David Clark and David Wilson in 1987.
• Unlike Biba (which was mathematical and abstract), the Clark-Wilson model is practical and focuses on commercial systems such as banks, accounting, and business processes.
• Goal: Ensure that data in a system remains consistent, correct, and valid according to business rules.
• It defines integrity as the prevention of unauthorized users making changes and authorized users making improper changes.

Key Ideas
Well-Formed Transactions (WFTs)
• Users cannot directly manipulate data.
• Instead, they must use programs (applications) that enforce rules.
• Example: In a bank, you cannot directly edit an account balance. You must perform a withdrawal or deposit transaction.
Separation of Duties (SoD)
• No single user should have full control over a critical process.
• Example: In accounting, one person writes checks, another approves them.
Certification & Enforcement Rules
• Certain rules govern how the system operates:
  • Certification Rules (C-Rules): Ensure that programs correctly implement business rules.
  • Enforcement Rules (E-Rules): Ensure that only authorized users use certified programs.
Core Components
The model introduces three main entities:
• CDIs (Constrained Data Items): Data that must always remain valid (e.g., account balances).
• UDIs (Unconstrained Data Items): External inputs that are not yet validated (e.g., customer input forms).
• TPs (Transformation Procedures): Trusted programs that manipulate CDIs in a controlled manner (e.g., deposit or withdrawal functions).

Certification and Enforcement Rules
Certification Rules (C-Rules)
1. C1: All TPs must be certified to ensure they transform CDIs from one valid state to another.
2. C2: For each TP, a list of authorized users must be defined.
3. C3: All UDIs must be transformed into CDIs by a TP.
4. C4: Integrity must be verifiable — system must log transactions for auditing.
Enforcement Rules (E-Rules)
1. E1: The system must enforce certification rules.
2. E2: The system must ensure only authorized users can run TPs on specific CDIs.
• This enforces separation of duties.
Examples
Example 1: Banking System
• CDI: Customer’s account balance.
• UDI: Customer’s deposit slip.
• TP: “Deposit Money” program.
• Rule Application:
  • Customer cannot directly change balance (no free edit).
  • Deposit slip (UDI) is verified, then TP updates balance (CDI).
  • Logs record the transaction (audit trail).
Example 2: Inventory Management
• CDI: Stock levels in warehouse database.
• UDI: Supplier delivery form.
• TP: “Update Stock” function.
• SoD:
  • One employee enters delivery info.
  • Another employee approves the stock update.
This prevents fraud (e.g., someone inflating stock levels to cover theft).

Example 3: Airline Reservation System
• CDI: Seat availability database.
• UDI: Customer’s ticket booking request.
• TP: Reservation program.
• Rule: Only certified TP can update seat database. Customer cannot directly mark a seat as “booked.”
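The banking example above (UDI deposit slip, TP, CDI balance, audit trail) together with the separation of duties from the inventory example, worked through as an added Python example that is not the lecture’s or any bank’s code: the clerk and manager names, account number, amounts and the certification table are constructed assumptions, and the C/E numbers in the comments refer to the rules listed on the previous slide.

```python
CDI = {"ACC-1": 10_000}   # constrained data item: balance in cents, never negative
PENDING = {}              # validated slips waiting for a manager's approval
AUDIT = []                # C4: audit trail of every TP invocation
# C2: for each TP, the users certified to run it (constructed table).
CERTIFIED = {"enter_slip": {"clerk_ann", "mgr_raj"}, "approve_deposit": {"mgr_raj"}}

def valid_state(cdi):
    """C1 invariant: every balance is a non-negative integer number of cents."""
    return all(isinstance(v, int) and v >= 0 for v in cdi.values())

def run_tp(tp, user, *args):
    """E1/E2 gate: only certified users may run a TP, the CDI must still be
    valid afterwards, and every attempt is logged."""
    name = tp.__name__
    if user not in CERTIFIED.get(name, set()):
        AUDIT.append((name, user, "denied: not certified"))
        raise PermissionError(f"{user} may not run {name}")
    try:
        result = tp(user, *args)
    except (ValueError, PermissionError) as exc:
        AUDIT.append((name, user, f"rejected: {exc}"))
        raise
    if not valid_state(CDI): raise ValueError(f"{name} left the CDI invalid")
    AUDIT.append((name, user, "ok"))
    return result

def enter_slip(user, slip):
    """TP (C3): check a customer's deposit slip (UDI) and park it as pending."""
    acct, cents = slip.get("account"), slip.get("cents")
    if acct not in CDI or not isinstance(cents, int) or cents <= 0:
        raise ValueError("malformed deposit slip")
    PENDING[slip["id"]] = (user, acct, cents)
    return slip["id"]

def approve_deposit(user, slip_id):
    """TP: apply a pending deposit; the clerk who entered it may not approve it."""
    clerk, acct, cents = PENDING[slip_id]
    if user == clerk:
        raise PermissionError("separation of duties: same user entered the slip")
    del PENDING[slip_id]
    CDI[acct] += cents
    return CDI[acct]

def attempt(tp, user, *args):
    """Run a TP and report (ok, result or reason) instead of raising."""
    try:
        return True, run_tp(tp, user, *args)
    except (PermissionError, ValueError) as exc:
        return False, str(exc)
```

No code path writes to CDI except the certified TP run through run_tp, so a balance can only change by a logged, approved deposit; a manager who entered a slip is stopped from approving it even though the certification table lets managers do both jobs.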
Advantages and Limitations
Advantages
• Practical: Directly applicable to real-world business environments.
• Fraud Prevention: Separation of duties stops insider threats.
• Auditability: Logging ensures accountability.
• Data Consistency: Transactions enforce valid states.
Limitations
• Requires trusted software (TPs) — if these are flawed, the model fails.
• More complex than Biba or Bell-LaPadula.
• High administrative overhead (certification, enforcement, auditing).
In short:
The Clark-Wilson model ensures integrity by enforcing:
• Well-formed transactions (no free editing of data).
• Separation of duties (no one person controls everything).
• Certification + Enforcement rules (policies + mechanisms).
• It is the go-to model for business/commercial integrity protection.

Availability
• X set of entities, I resource
• I has availability property with respect to X if all x ∈ X can access I
• Types of availability:
  – traditional: x gets access or not
  – quality of service: promised a level of access (for example, a specific level of bandwidth) and that level is not met, even though some access is achieved
Availability Policies
• Goal: Ensure resources are available to authorized users when needed.
• Focus: Prevent denial of service (DoS), resource starvation.
Example:
• Web hosting policy: “System must be up 99.9% of the time. Any DoS attempts will trigger firewall blocks.”

Types of Access Control
• Discretionary Access Control (DAC, IBAC)
  – individual user sets access control mechanism to allow or deny access to an object
• Mandatory Access Control (MAC)
  – system mechanism controls access to object, and individual cannot alter that access
• Originator Controlled Access Control (ORCON)
  – originator (creator) of information controls who can access information
Question
• Policy disallows cheating
  – Includes copying homework, with or without permission
• CS class has students do homework on computer
• Anne forgets to read-protect her homework file
• Bill copies it
• Who cheated?
  – Anne, Bill, or both?

Answer Part 1
• Bill cheated
  – Policy forbids copying homework assignment
  – Bill did it
  – System entered unauthorized state (Bill having a copy of Anne’s assignment)
• If not explicit in computer security policy, certainly implicit
  – Not credible that a unit of the university allows something that the university as a whole forbids, unless the unit explicitly says so
Answer Part 2
• Anne didn’t protect her homework
  – Not required by security policy
• She didn’t breach security
• If policy said students had to read-protect homework files, then Anne did breach security
  – She didn’t do this

Thanks