Cryptography
Lecture 02: Security Models and Design Principles
Dr. Pabudi Abeyrathne, pabudi.a@[Link]
Senior Lecturer
Faculty of Computing
NSBM Green University
What is a Security Model?
• A security model is a conceptual framework that describes the security
policies and mechanisms used to protect a system or network.
• It defines the rules, procedures, and practices that govern how security
is implemented, maintained, and monitored.
• A security model typically includes a set of security requirements,
security controls, and security mechanisms that work together to
ensure the confidentiality, integrity, and availability of information and
resources.
What is a Security Model?
• The security model may be used to describe how security is
implemented at various levels, such as the operating system level, the
network level, or the application level.
• Security models are used to:
• Test a particular policy for completeness and consistency.
• Help in conceptualizing design and implementation.
• Ensure that the security controls are effective and properly implemented.
• Facilitate compliance with relevant security regulations and standards.
Security Models
• There are several classic security models:
1. Bell-LaPadula Model
2. Biba Model
3. Clark-Wilson Security Model
4. Brewer-Nash Model (Chinese Wall Model)
5. Take-Grant Model
1. Bell-LaPadula Model
• The BLP model was developed in the 1970s as a formal model for access control.
• This model relies on the access control concept.
• In the model, each subject and each object is assigned a security class.
• Here, the classification of Subjects (Users) and Objects (Files) is organized in a non-discretionary fashion, with respect to different layers of secrecy.
• In the simplest formulation, security classes form a strict hierarchy and are referred to as security levels.
• The BLP model is a formal description of the allowable paths of information flow in a secure system.
• The BLP model defines security requirements for systems that concurrently handle data at different sensitivity levels.
• The BLP model addresses confidentiality (it ensures that information does not flow to those who are not cleared for that level).
• It consists of 3 security rules:
1. Simple Security Property
2. * Security Property
3. Strong * Property
Rules of Bell-LaPadula Model
Simple Security Property – “No read up”.
A subject cannot read data from a security level higher than subject’s
security level.
* Security Property – “No write down”.
A subject cannot write data to a security level lower than the subject’s
security level.
Strong * Property – “no read/write up or down”.
A subject with read/write privilege can perform read/write functions only at the subject’s own security level.
• This figure illustrates the need for the *-property. Here, a malicious subject passes classified information along by putting it into an information container labeled at a lower security classification than the information itself. This will allow a subsequent read access to this information by a subject at the lower clearance level.
The need-to-know principle
• This principle states that a user shall only have access to the information that their job function requires, regardless of their security clearance level or other approvals.
• In other words: a User needs permissions & a Need-to-know.
• That Need-to-know is strictly bound to a real requirement for the User to fulfill their current role.
A given user Tony may have “Top Secret” Clearance, but according to his Need-to-know would only ever get to see data concerning “Alpha”.
2. Biba Model
• The Biba model has a similar structure to the BLP model, but it
addresses integrity rather than confidentiality.
• Objects and users are assigned integrity levels that form a partial
order, similar to the BLP model.
• The integrity levels in the Biba model indicate degrees of
trustworthiness, or accuracy, for objects and users, rather than levels
for determining confidentiality.
For example, a file stored on a machine in a closely monitored data center would be
assigned a higher integrity level than a file stored on a laptop.
Rules of Biba Model
Simple Integrity Axiom: “No read down”
A subject at a specific clearance level cannot read data at a lower
classification.
This prevents subjects from accessing information at a lower integrity
level.
This protects integrity by preventing bad information from moving up
from lower integrity levels.
Rules of Biba Model
Integrity Axiom: “No write up”
A subject at a specific clearance level cannot write data to a higher
classification.
This prevents subjects from passing information up to a higher integrity
level than they have clearance to change.
This protects integrity by preventing bad information from moving up to
higher integrity levels.
Invocation
The property whereby a subject at one integrity level is prohibited from
invoking or calling up a subject at a higher level of integrity.
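As an added illustration (not from the slides), the three BLP rules and the two Biba axioms stated above can be enforced side by side on labels that carry a confidentiality level, need-to-know compartments and an integrity level; the level names, the compartments and the user Tony's labels are constructed for this example.

```python
from dataclasses import dataclass

# Constructed strict hierarchy of confidentiality levels, least sensitive first (BLP).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
# Constructed integrity levels, least trustworthy first (Biba).
INTEGRITY = ["UNTRUSTED", "USER", "SYSTEM"]


@dataclass(frozen=True)
class Label:
    level: str             # BLP confidentiality level
    categories: frozenset  # need-to-know compartments, e.g. {"Alpha"}
    integrity: str         # Biba integrity level


def dominates(a: Label, b: Label) -> bool:
    """BLP dominance: a is at least as sensitive as b and holds all of b's compartments."""
    return LEVELS.index(a.level) >= LEVELS.index(b.level) and a.categories >= b.categories


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property ("no read up"): the subject must dominate the object."""
    return dominates(subject, obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-Property ("no write down"): the object must dominate the subject."""
    return dominates(obj, subject)


def blp_strong_star(subject: Label, obj: Label) -> bool:
    """Strong *-Property: read/write only at exactly the subject's own level and compartments."""
    return subject.level == obj.level and subject.categories == obj.categories


def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple Integrity Axiom ("no read down"): the object must be at least as trustworthy."""
    return INTEGRITY.index(obj.integrity) >= INTEGRITY.index(subject.integrity)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-Axiom ("no write up"): the subject must be at least as trustworthy."""
    return INTEGRITY.index(subject.integrity) >= INTEGRITY.index(obj.integrity)


def allowed(subject: Label, obj: Label, op: str) -> bool:
    """Enforce both models at once: an access passes only if BLP and Biba both permit it."""
    if op == "read":
        return blp_can_read(subject, obj) and biba_can_read(subject, obj)
    if op == "write":
        return blp_can_write(subject, obj) and biba_can_write(subject, obj)
    raise ValueError(f"unknown operation: {op}")
```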
3. Clark-Wilson Model
• The Clark-Wilson model was created in 1987.
• It differs from previous models because it was developed with the
intention to be used for commercial activities.
• This model addresses all the goals of integrity.
• Clark-Wilson dictates that separation of duties must be enforced, subjects must access data through an application, and auditing is required.
• Clark-Wilson features an access control triple.
• The access control triple is composed of the user, the transformation procedure, and the constrained data item.
• It was designed to protect integrity and prevent fraud: authorized users cannot change data in an inappropriate way.
TRANSFORMATION PROCEDURE: Here, the Subject’s request to access the Constrained Data Items is handled by the Transformation Procedure, which converts it into permissions and then forwards it to the Integrity Verification Procedure.
INTEGRITY VERIFICATION PROCEDURE: The Integrity Verification Procedure performs Authentication and Authorization. If that is successful, the Subject is given access to the Constrained Data Items.
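The access control triple and the TP/IVP flow described above, as an added example that is not part of the lecture: the account balances, the user names and the conservation-of-funds integrity constraint are constructed. Separation of duties shows up as which (user, TP, CDI) triples exist, and auditing as the log entry every TP run leaves behind.

```python
# Constructed Clark-Wilson enforcement: the CDIs are account balances, the only way to change
# them is through a certified TP, and the IVP re-checks the integrity constraint after each run.
class ClarkWilsonSystem:
    def __init__(self, cdis: dict, ivp):
        self._cdis = dict(cdis)   # constrained data items, reachable only via run()
        self._ivp = ivp           # integrity verification procedure
        self._tps = {}            # certified transformation procedures: name -> function
        self._triples = set()     # access control triples (user, tp_name, cdi)
        self.audit_log = []       # every TP invocation is recorded here

    def certify_tp(self, name: str, fn) -> None:
        self._tps[name] = fn

    def permit(self, user: str, tp: str, cdi: str) -> None:
        self._triples.add((user, tp, cdi))

    def run(self, user: str, tp: str, *cdis: str, **params) -> None:
        """Execute a TP for a user; denied unless every (user, tp, cdi) triple exists."""
        if tp not in self._tps:
            raise PermissionError(f"{tp} is not a certified TP")
        for cdi in cdis:
            if (user, tp, cdi) not in self._triples:
                self.audit_log.append((user, tp, cdis, "denied"))
                raise PermissionError(f"{user} may not run {tp} on {cdi}")
        snapshot = dict(self._cdis)
        self._tps[tp](self._cdis, *cdis, **params)
        if not self._ivp(self._cdis):
            self._cdis = snapshot   # TP left the CDIs inconsistent: roll back
            self.audit_log.append((user, tp, cdis, "rolled back"))
            raise ValueError(f"IVP failed after {tp}")
        self.audit_log.append((user, tp, cdis, "ok"))

    def balance(self, cdi: str) -> int:
        return self._cdis[cdi]


def transfer(cdis: dict, src: str, dst: str, amount: int = 0) -> None:
    """Certified TP: move funds between two accounts without creating or destroying money."""
    if amount <= 0 or cdis[src] < amount:
        raise ValueError("invalid transfer")
    cdis[src] -= amount
    cdis[dst] += amount


def conserved_total(expected_total: int):
    """IVP factory: total funds are unchanged and no account is overdrawn."""
    return lambda cdis: sum(cdis.values()) == expected_total and min(cdis.values()) >= 0
```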
4. Brewer Nash Model
• The Brewer and Nash model is similar to the Bell-LaPadula model and
is also called the Chinese Wall model.
• It was developed to prevent conflict of interest (COI) problems.
• As an example, imagine that your security firm does security work for
many large firms. If one of your employees could access information
about all the firms that your company has worked for, he might be able
to use this data in an unauthorized way.
• Therefore, the Chinese Wall model is more context oriented in that it prevents a worker consulting for one firm from accessing data belonging to another, thereby preventing any COI.
The firm is advising two competing banks
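The two-competing-banks scenario above, enforced as an added example (not from the slides): the COI classes, company names and consultant names are constructed, and the write rule is a simplified form of the Brewer-Nash rule that ignores sanitized data.

```python
from collections import defaultdict

# Constructed conflict-of-interest (COI) classes: company datasets that compete with each other.
COI_CLASSES = {
    "banks": {"BankA", "BankB"},    # the two competing banks the firm advises
    "oil": {"OilCo", "PetroInc"},
}


class ChineseWall:
    def __init__(self, coi_classes: dict):
        self.class_of = {co: cls for cls, members in coi_classes.items() for co in members}
        self.history = defaultdict(set)   # consultant -> company datasets already read

    def can_read(self, consultant: str, company: str) -> bool:
        """Simple rule: allowed if the consultant already works on this company, or has
        never read any company in the same COI class."""
        seen = self.history[consultant]
        if company in seen:
            return True
        return not any(self.class_of[other] == self.class_of[company] for other in seen)

    def read(self, consultant: str, company: str) -> None:
        if not self.can_read(consultant, company):
            raise PermissionError(f"{consultant} is walled off from {company}")
        self.history[consultant].add(company)   # the wall is built by the first access

    def can_write(self, consultant: str, company: str) -> bool:
        """Simplified *-rule: writing is allowed only if the consultant can read the company
        and has read no other company's data (otherwise data could leak across the wall)."""
        return self.can_read(consultant, company) and self.history[consultant] <= {company}
```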
5. Take Grant Model
• The Take-Grant model is a formal access control model that focuses on the
granting and taking of permissions or privileges between subjects and
objects in a system.
• It is used to analyze and define the flow of permissions and access rights
within a system.
• This model allows subjects with the take right to remove take rights from
other subjects. Subjects possessing the grant right can grant this right to
other subjects.
• The create and revoke operations work in the same manner: Someone with
the create right can give the create right to others and those with the
revoke right can remove that right from others.
Secure Design Principles
• One of the most important phases in the software development life cycle
(SDLC) is the design phase.
• During this phase, software specifications are translated into architectural
blueprints that can be coded during the implementation (or coding) phase
that follows.
• When this happens, the translation must incorporate secure design principles.
• It is also important to ensure that the requirements that assure software
security are designed into the software in the design phase.
1. Principle of Least Privilege
Example: Granting read-only access to a database for a user who only needs to retrieve information, rather than providing full administrative privileges.
• The Principle of Least Privilege means that you ensure people have only the access they need to do their job.
• For instance: if you design a system which holds sensitive customer financial information, it’s good practice to limit who can access that information.
• The main objective of least privilege is containment of the damage that can result from a security breach that occurs accidentally or intentionally.
• Some of the examples of least privilege include the military security rule
of “need-to-know” clearance level classification, modular programming,
and non-administrative accounts.
2. Principle of Separation of Duties
Example: Separating the roles of system administrators and developers to reduce the risk of unauthorized changes or malicious activities.
• The idea behind Separation of Duties is that no single role should have too much authority.
• This is different from the concept of Least Privilege.
• While that focuses on making sure that people only have the privileges they need to do their job, this is about making sure their job isn’t too big.
• When someone does a job that’s too big, we fall right back to the point where they’ll need lots of permissions to do that job.
• Also, when someone has many duties in their job, it means that they’re susceptible to making poor decisions.
3. Principle of Defense in Depth
Example: Combining firewalls, intrusion detection systems, and secure coding practices to mitigate risks at various levels within a system.
• A defense-in-depth strategy, aka a security-in-depth strategy, refers to a
cybersecurity approach that uses multiple layers of security for holistic
protection.
• A layered defense helps security organizations reduce vulnerabilities, contain
threats, and mitigate risk.
• In simple terms, with a defense-in-depth approach, if a bad actor breaches one
layer of defense, they might be contained by the next layer of defense.
• In other words, defense in depth is not putting all the eggs in one basket.
• In addition, incorporating defense in depth in software can act as a deterrent to curious and non-determined attackers when they are confronted with one defensive measure after another.
4. Principle of Failing Securely
Example: A system may be designed to shut down or enter a secure mode when a critical error occurs.
• Fail secure is the security principle that ensures that the software reliably
functions when attacked and is rapidly recoverable into a normal business
and secure state in the event of design or implementation failure.
• Fail secure is primarily an availability design consideration, although it
provides confidentiality and integrity protection as well.
• Failure should not give the user additional privileges, and it should not
show the user sensitive information like database queries or logs.
Examples
• The user is denied access by default and the account is locked out after the maximum number (clipping
level) of access attempts is tried.
• Errors and exceptions are explicitly handled, and the error messages are non-verbose in nature.
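Both examples above (deny by default, lockout at the clipping level, non-verbose error messages) in one added authenticator that is not from the lecture; the clipping level of 5, the user names and the PBKDF2 parameters are constructed values.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5                    # clipping level (constructed value)
GENERIC_FAILURE = "Login failed"    # identical message for every failure cause
_DUMMY_SALT = os.urandom(16)        # unknown users cost the same hashing time as known ones


class Authenticator:
    def __init__(self):
        self._users = {}      # name -> (salt, PBKDF2 hash)
        self._failures = {}   # name -> consecutive failed attempts
        self.audit_log = []   # detailed reasons are logged here, never returned to the caller

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, self._hash(password, salt))

    def login(self, name: str, password: str) -> tuple:
        """Return (allowed, message). Start from deny; flip to allow only on full success."""
        allowed = False
        try:
            if self._failures.get(name, 0) >= MAX_ATTEMPTS:
                self.audit_log.append((name, "account locked"))
            else:
                salt, stored = self._users.get(name, (_DUMMY_SALT, b""))
                if hmac.compare_digest(stored, self._hash(password, salt)):
                    allowed = True
                else:
                    reason = "bad password" if name in self._users else "unknown user"
                    self.audit_log.append((name, reason))
        except Exception as exc:          # anything unexpected fails closed
            self.audit_log.append((name, f"internal error: {exc!r}"))
            allowed = False
        if allowed:
            self._failures[name] = 0
            return True, "Welcome"
        self._failures[name] = self._failures.get(name, 0) + 1
        return False, GENERIC_FAILURE     # no hint about which check failed
```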
5. Principle of Open Design
• The Principle of Open Design says that your system security shouldn’t rely
on the secrecy of your implementation.
• This is a particularly important principle for security concepts like cryptographic implementations (Kerckhoffs’s principle).
• According to open design principle, the security of your software should
not be dependent on the secrecy of the design.
Examples
• For example, encryption algorithms, such as the Advanced Encryption Standard (AES) and Triple Data
Encryption Standard (3DES), are publicly vetted and have undergone elaborate security analysis, testing,
and review by the information security community.
6. Principle of Avoiding Security by Obscurity
• The inverse of the open design principle is security through obscurity.
• It is based on the idea that any information system is secure as long as security
vulnerabilities remain hidden, making it less likely that they will be exploited by a
malicious attacker.
• Obscurity means keeping the underlying system’s security loopholes a secret to all but
the most important stakeholders, such as key developers, designers, project managers
or owners.
• Typically, a hacker’s approach in exploiting a system begins with identifying its known
vulnerabilities.
• If there is no public information on those weak areas, hackers will find the system more difficult to penetrate and will eventually delay or postpone their malicious objective.
• Example: Proprietary communication protocols may be intentionally kept undocumented or hidden from public knowledge.
7. Principle of Minimizing Attack Surface Area
• Every feature and functionality of a system is a potential attack vector.
• Even security functionality can contain vulnerabilities and have a negative
security impact.
• Minimizing the exposed system services and other interfaces leaves less room for vulnerabilities and makes security assessment easier.
• Example: If the application doesn't require file uploads, disable that functionality to eliminate the potential vulnerabilities associated with file handling.
8. Principle of Psychological Acceptability
• Psychological acceptability is the security principle that states that security
mechanisms should be designed to maximize usage, adoption, and
automatic application.
• A fundamental aspect of designing software with the psychological acceptability principle is that the security protection mechanism should:
- Be easy to use.
- Not affect accessibility.
- Be transparent to the user.
• Examples: Complex password policies.
Other Design Considerations
• In addition to the core software security design considerations covered
earlier, there are other design considerations that need to be considered
when building software
Programming language
Data type, format, range, and length
Database security
Interface
Interconnectivity
Questions
Thank you!