ISRA Notes

Uploaded by sumedhagandhi123

security policies that identify the threats and define the requirements for ensuring a secure system.

Security mechanisms detect and prevent attacks and recover from those that succeed.

Confidentiality: keeping data secret. Only authorized personnel may access the data, and unauthorized access must be blocked. Access control mechanisms support confidentiality. One access control mechanism for preserving confidentiality is cryptography, which scrambles data to make it incomprehensible.

Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of
preventing improper or unauthorized change.

Integrity includes data integrity (the content of the information) and origin integrity (the source of
the data, often called authentication). EXAMPLE: A newspaper may print information obtained from
a leak at the White House but attribute it to the wrong source. The information is printed as
received (preserving data integrity), but its source is incorrect (corrupting origin integrity).

Integrity mechanisms fall into two classes: prevention mechanisms and detection mechanisms.

Prevention mechanisms seek to maintain the integrity of the data by blocking any unauthorized
attempts to change the data or any attempts to change the data in unauthorized ways.

Detection mechanisms do not try to prevent violations of integrity; they simply report that the data's
integrity is no longer trustworthy.

Availability refers to the ability to use the information or resource desired. Availability is an
important aspect of reliability as well as of system design because an unavailable system is at least
as bad as no system at all.

Confidentiality Policies:

Confidentiality policies emphasize the protection of confidentiality. A confidentiality policy is also called an information flow policy, because it prevents unauthorized disclosure of information.

Goals of Confidentiality Policies:

1. Confidentiality policies prevent unauthorized disclosure of information.

2. Preventing unauthorized modification of information (integrity) is secondary.

E.g., from the book: a "ship sunk" message in the navy has high confidentiality, whereas its integrity and availability are maintained via redundancy in the systems and procedures.

3. They control the flow of information within an organisation.

Bell-LaPadula Model

The simplest form of confidentiality classification is a set of security clearances arranged in a linear ordering.

Security clearance means sensitivity level: the higher the clearance, the more sensitive the information and the greater the need to keep it confidential.

A subject has a security clearance, and an object has a security classification, or security label.

The goal of the Bell-LaPadula model is to prevent read access to objects whose security classification is higher than the subject's clearance.

The model is based on the tranquillity principle, which means the security classifications cannot be changed once set. For example, if you have Top Secret, Secret, Confidential and Unclassified, you cannot add levels in between, like Secret A, Secret B, etc.

Let S be a subject and O an object.

Let l(S) be the security clearance of subject S and l(O) be the security classification of object O.

Simple Security Property: S can read object O if and only if l(O) <= l(S) and S has discretionary read access to O. This ensures no read up.

Define a few clearances, like Top Secret, Secret, Confidential and Unclassified, and then give an example using subjects and objects.

Star Property (*-property): S can write to object O if and only if l(S) <= l(O) and S has discretionary write access to O. This ensures no write down.

Basic Security Theorem: Let a system have initial secure state S0 and let T denote the set of state transformations. If every element of T satisfies the simple security property and the *-property, then the system is secure in every state Si, i >= 0.

Mandatory Access Control (MAC) is system-enforced access control based on subject clearance
and object labels. Subjects and objects have clearances and labels, respectively, such as
confidential, secret, and top secret. A subject may access an object only if the subject's clearance
is equal to or greater than the object's label. Subjects cannot share objects with other subjects
who lack the proper clearance, or “write down” objects to a lower classification level (such as
from top secret to secret). MAC systems are usually focused on preserving the confidentiality of
data.

This works for information shared within the organization, not across different organizations.

It helps in building a chain of command: a subject at a lower level can write up to an object at a higher level.

Discretionary access policy ensures that information flows on a "need to know" basis.

Lattice Model: helps in implementing discretionary need to know.

No subject can access object of any label, unless reading them is necessary for that subject to
perform its function.

We extend the model described above by assigning each security classification a set of categories.

So a security classification and a category set together now make a security level. Previously we only had TOP SECRET as a security level, but now suppose we add CHN, PAK and US as categories to the documents; then TOP SECRET combined with each subset of the categories becomes a different security level within TOP SECRET. Subjects have security clearances and objects have security levels.

So, if a major has the security clearance (TOP SECRET, {CHN}), he won't be able to access a document classified as, say, (TOP SECRET, {PAK}), because he does not have access to Pakistan files.

These categories are assigned on a "need to know" basis.

The set of category sets to which a person may have access is simply the power set of the set of categories. The power set of a set A is the set containing all subsets of A as its elements.

e.g.: A = {1,2,3}, then the power set = {{}, {1}, {2}, {3}, {1,2}, {1,3}, {2,3}, {1,2,3}}

Simple Security:

A subject S can read object O if S dom O and S has discretionary read access to O.

S dom O: the security level (L, C) dominates the security level (L', C') if and only if L' <= L and C' is a subset of C.

(Here (L', C') is the object's level and (L, C) is the subject's clearance, so this is the same as the previous simple security property with the added condition that C' must be a subset of C.)

e.g.: George is cleared into security level (SECRET, {NUC, EUR}), DocA is classified as (CONFIDENTIAL, {NUC}), DocB is classified as (SECRET, {EUR, US}), and DocC is classified as (SECRET, {EUR}). Then:

George dom DocA and George dom DocC, but George does not dom DocB because {EUR, US} is not a subset of {NUC, EUR}.

Star Property: A subject S has write access to object O if O dom S and S has discretionary write access to O.

O dom S means: the object's security level (L, C) dominates the subject's security clearance (L', C') if L' <= L and C' is a subset of C.

e.g.: George has (SECRET, {NUC, EUR}) and Paul has (SECRET, {NUC, EUR, US}); DocA is (CONFIDENTIAL, {NUC}).

Since CONFIDENTIAL < SECRET, DocA does not dominate George, so George cannot write to DocA.

Another e.g.: A colonel with (SECRET, {NUC, EUR}) clearance needs to send a message to a major with (SECRET, {EUR}) clearance. The colonel must write a document that has at most the (SECRET, {EUR}) classification. But this violates the *-property, because (SECRET, {NUC, EUR}) dom (SECRET, {EUR}).

The model provides a mechanism for allowing this type of communication. A subject has a maximum security level and a current security level. The maximum security level must dominate the current security level. A subject may (effectively) decrease its security level from the maximum in order to communicate with entities at lower security levels.

The colonel's maximum security level is (SECRET, {NUC, EUR}). She changes her current security level to (SECRET, {EUR}). This is valid, because the maximum security level dominates the current security level. She can then create the document at the major's clearance level and send it to him.
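The following Python is an added example, not part of the notes or of Bishop's text: it implements the dominance relation over (classification, category set) levels, the simple security property and the *-property with discretionary access, and a subject that carries both a maximum and a current level. The linear-ordering model earlier in the notes is the special case where every category set is empty. Level names, the subjects (George, the colonel) and the documents are constructed to follow the examples above.

```python
# Added example (not from the notes): Bell-LaPadula checks over security levels
# (classification, category set). Level names, subjects and documents below are
# constructed to follow the George and colonel/major examples above.
from dataclasses import dataclass, field
from typing import Optional, Set

# Linear ordering of classifications; the index is the rank.
ORDER = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Level:
    """A security level (L, C): classification L and category set C."""
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        # (L, C) dom (L', C')  iff  L' <= L  and  C' is a subset of C
        return (ORDER.index(other.classification) <= ORDER.index(self.classification)
                and other.categories <= self.categories)


def L(classification: str, *categories: str) -> Level:
    return Level(classification, frozenset(categories))


@dataclass(frozen=True)
class Obj:
    name: str
    level: Level


@dataclass
class Subject:
    name: str
    maximum: Level                                    # clearance
    current: Optional[Level] = None                   # defaults to maximum
    dac_read: Set[str] = field(default_factory=set)   # discretionary read access
    dac_write: Set[str] = field(default_factory=set)  # discretionary write access

    def __post_init__(self):
        if self.current is None:
            self.current = self.maximum

    def set_current(self, level: Level) -> bool:
        """Change the current level; allowed only if the maximum dominates it."""
        if not self.maximum.dominates(level):
            return False
        self.current = level
        return True


def can_read(s: Subject, o: Obj) -> bool:
    """Simple security property: S dom O and discretionary read (no read up)."""
    return s.current.dominates(o.level) and o.name in s.dac_read


def can_write(s: Subject, o: Obj) -> bool:
    """*-property: O dom S and discretionary write (no write down)."""
    return o.level.dominates(s.current) and o.name in s.dac_write


# Constructed data: George and the three documents from the notes.
docA = Obj("DocA", L("CONFIDENTIAL", "NUC"))
docB = Obj("DocB", L("SECRET", "EUR", "US"))
docC = Obj("DocC", L("SECRET", "EUR"))
george = Subject("George", L("SECRET", "NUC", "EUR"),
                 dac_read={"DocA", "DocB", "DocC"}, dac_write={"DocA", "DocB", "DocC"})

# The colonel/major case: the memo carries the major's clearance.
colonel = Subject("Colonel", L("SECRET", "NUC", "EUR"), dac_write={"Memo"})
memo = Obj("Memo", L("SECRET", "EUR"))


def george_reads() -> dict:
    return {o.name: can_read(george, o) for o in (docA, docB, docC)}


def colonel_writes_memo() -> tuple:
    """(allowed at her maximum level, allowed after lowering her current level)"""
    before = can_write(colonel, memo)
    lowered = colonel.set_current(L("SECRET", "EUR"))
    after = lowered and can_write(colonel, memo)
    colonel.set_current(colonel.maximum)   # restore so the function is repeatable
    return before, after


if __name__ == "__main__":
    print(george_reads())            # {'DocA': True, 'DocB': False, 'DocC': True}
    print(colonel_writes_memo())     # (False, True)
```

Note that both checks combine the mandatory rule with the discretionary list: a subject whose level dominates a document still cannot read it unless it also appears in that subject's discretionary read set, which is exactly the "and S has discretionary read access" clause in the property.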

Do I need to study the DG/UX MAC label examples?


Integrity Policies

An inventory control system like an ERP can still function if its confidential data is released, but it cannot function if its integrity is compromised.

Integrity policies emphasize the protection of integrity; they focus on integrity rather than confidentiality.

The focus is on commercial environments, not on military environments.

Operating Environment

1. Users will not write their own programs, but will use existing production programs and databases. E.g.: an ERP solution.
2. Programmers will develop and test programs on a nonproduction system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system.
3. A special process must be followed to install a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.

Operating Principles:

1. Separation of Duties: the maker-checker rule.
If a critical function has two or more steps, then it must be done by at least two individuals. E.g.: moving a piece of functionality to the production environment. If the developer is also the one who deploys it and verifies it in the production environment, there might be a situation in which a mistake made during development goes undetected, because the developer works with the same assumptions he made during the development phase. But if a different individual checks the same functionality, the chances of finding the mistake are higher.
2. Separation of Functions: Developers do not develop new programs on production systems because of the potential threat to production data. Similarly, the developers do not process production data on the development systems. Developers might have access to both but
3. Auditing: commercial systems must allow extensive auditing and thus have extensive logging (the basis for most auditing). Logging and auditing are especially important when programs move from the development system to the production system.

BIBA Integrity Model


It focuses on the integrity of a system.

It is the dual, or opposite, of the Bell-LaPadula model.

Levels of Integrity:

The descriptions may vary from organization to organization, but the typical integrity levels, ordered from low to high, would include:

1. Untrusted
2. Slightly trusted
3. Trusted
4. Highly trusted
5. Unimpeachable

Data at a higher level is more accurate and more reliable. These integrity levels are different from the security levels referred to in the Bell-LaPadula model.

Access Modes:

Modify: a subject can write to an object.

Observe: a subject can read an object.

Invoke: a subject can call another subject.

Execute: a subject can execute an object. Execute applies to files that can be executed, like scripts, exes, etc.

Simple Integrity Property: no read down. A subject S can read an object O if and only if i(S) <= i(O).

Star Property (*-property): no write up. A subject S can write to an object O if and only if i(O) <= i(S).

Invocation Property: A subject S1 can invoke another subject S2 if and only if i(S2) <= i(S1).

A process can only invoke subjects at an equal or lower level. A process from below cannot request higher access.

Explanation: Simply put, the Biba integrity model is meant to ensure that high-value assets with a high level of integrity can remain isolated from lower-grade assets, which might corrupt them in some way. To this end, any new objects created within a system are given the same level of integrity as the process that created them. This effectively prevents any process from giving data a higher integrity than it had previously. E.g.: If I'm a normal user and I can create new users, I can only give them permissions up to my level; I cannot grant them admin rights. If new users require admin privileges, a user with equivalent or higher privileges should grant that permission.

Practical Application:

In a computer system, low-level processes are only allowed to look at, but not influence, system data and files. Even an attempt to store malware in a directory from which higher-level processes normally read data would fail, as the low-level perpetrator would be denied write access to that folder.

E.g.: Mandatory Integrity Control, which defines the integrity levels System, High, Medium and Low.

Standard users receive Medium, elevated users receive High. Processes you start and objects you create receive your integrity level (Medium or High), or Low if the executable file's level is Low; system services receive System integrity. Objects that lack an integrity label are treated as Medium by the operating system; this prevents low-integrity code from modifying unlabelled objects.
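The Python below is an added example, not part of the notes: it applies the three Biba properties stated above (simple integrity, *-property, invocation) to the Mandatory Integrity Control level names, including the two behaviours the practical-application paragraph singles out: an object with no label is treated as Medium, and a process started from a Low executable runs at Low. Process and file names are constructed.

```python
# Added example (not from the notes): Biba integrity checks using the Mandatory
# Integrity Control level names given above. Process and file names are
# constructed; the rules are the simple integrity, *- and invocation properties.
from dataclasses import dataclass
from typing import Optional

LOW, MEDIUM, HIGH, SYSTEM = 1, 2, 3, 4


@dataclass(frozen=True)
class Proc:
    name: str
    integrity: int


@dataclass(frozen=True)
class Obj:
    name: str
    integrity: Optional[int] = None   # None models an object with no integrity label

    @property
    def effective(self) -> int:
        # Unlabelled objects are treated as Medium by the operating system.
        return MEDIUM if self.integrity is None else self.integrity


def can_observe(s: Proc, o: Obj) -> bool:
    """Simple integrity property (no read down): i(s) <= i(o)."""
    return s.integrity <= o.effective


def can_modify(s: Proc, o: Obj) -> bool:
    """*-property (no write up): i(o) <= i(s)."""
    return o.effective <= s.integrity


def can_invoke(s1: Proc, s2: Proc) -> bool:
    """Invocation property: i(s2) <= i(s1)."""
    return s2.integrity <= s1.integrity


def spawn(parent: Proc, executable: Obj, name: str) -> Proc:
    """A started process gets the parent's level, or Low if the executable is Low."""
    return Proc(name, min(parent.integrity, executable.effective))


def create(parent: Proc, name: str) -> Obj:
    """Objects a process creates receive that process's integrity level."""
    return Obj(name, parent.integrity)


# Constructed scenario mirroring the practical application described above.
browser = Proc("sandboxed browser", LOW)
user_shell = Proc("standard user shell", MEDIUM)
admin_shell = Proc("elevated admin shell", HIGH)
system_dir = Obj("system program directory", HIGH)   # read by high-level processes
unlabelled = Obj("notes.txt")                         # no label -> Medium


def decisions() -> dict:
    return {
        "browser writes into system dir": can_modify(browser, system_dir),
        "browser writes unlabelled file": can_modify(browser, unlabelled),
        "user writes unlabelled file": can_modify(user_shell, unlabelled),
        "admin reads browser download": can_observe(admin_shell, create(browser, "download.bin")),
        "user invokes admin shell": can_invoke(user_shell, admin_shell),
        "admin invokes user shell": can_invoke(admin_shell, user_shell),
    }


if __name__ == "__main__":
    for k, v in decisions().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

One caveat when mapping this onto Windows: the code enforces the textbook "no read down" rule, so the elevated shell is denied reading a Low-integrity download. Windows MIC by default enforces only no-write-up on most objects (plus no-read-up on process objects), so on a real system that read would be allowed; the denial here is Biba's rule, not the operating system's.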

Clark-Wilson Integrity Model

This model uses transactions or change controls as the basic operations rather than integrity levels.

E.g.: In a bank money transfer, the transaction is the transfer.

Designed for commercial environments.

Integrity Principles:

• No changes allowed by unauthorized subjects.
• No unauthorized changes by authorized subjects.
• Maintaining internal and external consistency.

Data that is subject to integrity control is called a Constrained Data Item (CDI).

Data that is not subject to integrity control is called an Unconstrained Data Item (UDI).

For e.g.: transactional data in a bank is a CDI, whereas the gift selected by the account holder on opening an account is a UDI. The functioning of the bank depends on the CDIs and not on the UDIs.

The set of CDIs plus the set of UDIs represents all the data present in the system.

The integrity state (also called the consistency state or valid state) is defined as below.

The data is said to be in a consistent state if:

D + YB - W = TB

where
• D → money deposited in a day
• W → money withdrawn in a day
• YB → the amount of money in all accounts at the end of yesterday
• TB → the amount of money in all accounts so far today

Before and after each action the consistency condition must hold. For example, if a depositor
transfers money from one account to another, the transaction is the transfer; two operations, the
deduction from the first account and the addition to the second account, make up this transaction.
Each operation may leave the data in an inconsistent state, but the well-formed transaction must
preserve consistency.

Another feature of the commercial environment is the integrity of the transactions themselves. Someone must certify that the transactions are performed correctly.

The model also defines two sets of procedures.

Integrity verification procedures, or IVPs, test that the CDIs conform to the integrity constraints at
the time the IVPs are run. In this case, the system is said to be in a valid state.

E.g.: The balances in the accounts are CDIs; checking that the accounts are balanced, as described above, is an IVP.

Transformation procedures, or TPs, change the state of the data in the system from one valid state to another; TPs implement well-formed transactions.

E.g.: Depositing money, withdrawing money, and transferring money between accounts are TPs.

The model establishes a subject-program-object relationship:

-- the subject has no direct access to the object;

-- the subject is required to access an object using a well-formed transaction.

Two sets of rules are defined, CR and ER.

CR, i.e. Certification Rules, define how the system should behave.

ER, i.e. Enforcement Rules, enforce that the system behaves the way we want.

The first two certification rules:

Certification Rule 1 (CR1): When any IVP is run, it must ensure that all CDIs are in a valid state.

Certification Rule 2 (CR2): TPs must transform a set of CDIs from one valid state to another. Because we must make sure that a TP is actually certified to operate on a CDI, we have ER1 and ER2.

ER1: The system must maintain a list of certified relations and ensure that a TP certified to run on a CDI changes only that CDI.

ER2: The system must associate a user with each TP and set of CDIs. The TP may access the CDI on behalf of the user if it is "legal." This requires keeping track of triples (user, TP, {CDIs}) called "allowed relations". Users must access CDIs only by means of TPs for which they are authorized.

CR3: The assignment of TPs to users, i.e. the allowed relations, must satisfy separation of duties, i.e. different users must be assigned different roles and allocated different functions. To confirm this we have ER3.

ER3: The system must authenticate every user per TP. E.g. the UPI PIN when you try to make a payment.

CR4: The operations of TPs must append to a log with enough information to reconstruct the operation.

CR5: TPs operating on UDIs must result in valid CDIs.
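The following Python is an added example, not part of the notes: a toy bank in which the account balances are the CDIs, deposit/withdraw/transfer are the TPs, and the IVP is the consistency condition D + YB - W = TB from above. Every TP call passes through one wrapper that checks the allowed relation (ER2), authenticates the user per TP (ER3), checks the certified relation (ER1), re-runs the IVP and rolls back if the TP left the CDIs invalid (CR2), treats the amount argument as a UDI that must validate before it touches a CDI (CR5), and appends a reconstructable log entry (CR4). Users, PINs and amounts are constructed; the class and method names are this example's own.

```python
# Added example (not from the notes): a toy bank enforcing the Clark-Wilson rules
# listed above. Balances are CDIs, deposit/withdraw/transfer are TPs, and the IVP
# checks D + YB - W = TB. Users, PINs and amounts are constructed.
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, frozenset]     # an allowed relation (user, TP, {CDIs})


class ClarkWilsonBank:
    def __init__(self, opening_balances: Dict[str, int]):
        self.cdi: Dict[str, int] = dict(opening_balances)   # constrained data items
        self.yb = sum(opening_balances.values())             # YB: yesterday's total
        self.d = 0                                           # D: deposits today
        self.w = 0                                           # W: withdrawals today
        self.certified: Dict[str, Set[str]] = {}   # ER1: TP -> CDIs it may change
        self.allowed: Set[Triple] = set()          # ER2: allowed relations
        self.pins: Dict[str, str] = {}             # ER3: per-user authenticator
        self.log: List[dict] = []                  # CR4: reconstructable log

    # Certification is done by a security officer, outside the TPs.
    def certify_tp(self, tp: str, cdis: Set[str]) -> None:
        self.certified[tp] = set(cdis)

    def allow(self, user: str, tp: str, cdis: Set[str], pin: str) -> None:
        self.allowed.add((user, tp, frozenset(cdis)))
        self.pins[user] = pin

    def ivp(self) -> bool:
        """CR1: the consistency condition D + YB - W = TB holds over all CDIs."""
        return self.d + self.yb - self.w == sum(self.cdi.values())

    def run(self, user: str, tp: str, cdis: Set[str], pin: str, **args) -> bool:
        """Every CDI access goes through here; subjects never touch CDIs directly."""
        if (user, tp, frozenset(cdis)) not in self.allowed:        # ER2
            return self._log(user, tp, cdis, "denied: no allowed relation")
        if self.pins.get(user) != pin:                              # ER3
            return self._log(user, tp, cdis, "denied: authentication failed")
        if not set(cdis) <= self.certified.get(tp, set()):          # ER1
            return self._log(user, tp, cdis, "denied: TP not certified for these CDIs")
        snapshot = (dict(self.cdi), self.d, self.w)
        try:
            getattr(self, "_tp_" + tp)(**args)
        except ValueError as err:                 # CR5: a bad UDI never becomes a CDI
            self.cdi, self.d, self.w = snapshot
            return self._log(user, tp, cdis, f"rejected: {err}")
        if not self.ivp():                        # CR2: the TP must end in a valid state
            self.cdi, self.d, self.w = snapshot
            return self._log(user, tp, cdis, "rolled back: IVP failed")
        return self._log(user, tp, cdis, "ok", **args)

    def _log(self, user, tp, cdis, result, **args) -> bool:
        self.log.append({"user": user, "tp": tp, "cdis": sorted(cdis), "result": result, **args})
        return result == "ok"

    # TPs: well-formed transactions. `amount` arrives as a UDI (untrusted input).
    @staticmethod
    def _amount(raw) -> int:
        value = int(raw)                       # raises ValueError on garbage input
        if value <= 0:
            raise ValueError("amount must be positive")
        return value

    def _tp_deposit(self, account: str, amount) -> None:
        amount = self._amount(amount)
        self.cdi[account] += amount
        self.d += amount

    def _tp_withdraw(self, account: str, amount) -> None:
        amount = self._amount(amount)
        if self.cdi[account] < amount:
            raise ValueError("insufficient funds")
        self.cdi[account] -= amount
        self.w += amount

    def _tp_transfer(self, src: str, dst: str, amount) -> None:
        amount = self._amount(amount)
        if self.cdi[src] < amount:
            raise ValueError("insufficient funds")
        self.cdi[src] -= amount       # between these two operations the data is inconsistent,
        self.cdi[dst] += amount       # but the whole TP preserves D + YB - W = TB


def demo() -> dict:
    bank = ClarkWilsonBank({"alice": 100, "bob": 50})
    bank.certify_tp("transfer", {"alice", "bob"})
    bank.certify_tp("deposit", {"alice", "bob"})
    bank.allow("teller", "transfer", {"alice", "bob"}, pin="1234")
    bank.allow("teller", "deposit", {"alice"}, pin="1234")
    return {
        "transfer": bank.run("teller", "transfer", {"alice", "bob"}, "1234", src="alice", dst="bob", amount=30),
        "bad_pin": bank.run("teller", "transfer", {"alice", "bob"}, "0000", src="alice", dst="bob", amount=30),
        "no_relation": bank.run("teller", "deposit", {"bob"}, "1234", account="bob", amount=10),
        "bad_udi": bank.run("teller", "deposit", {"alice"}, "1234", account="alice", amount="ten"),
        "balances": dict(bank.cdi),
        "ivp": bank.ivp(),
        "log_entries": len(bank.log),
    }
```

The separation-of-duties requirement of CR3 is not checked in code: it is a property of how the allowed relations are assigned (the teller who runs transfers should not also be the one who certifies them), which the security officer verifies when populating `allowed`, not something the wrapper can decide per request.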

Access Control Systems

Introduction
Definition 1: Access controls are security features that control how users and systems communicate and interact with other systems and resources.

Definition 2: Access controls are a set of policies and techniques used for restricting access to information, tools and locations.

Own Definition 3: Controlling access to information, tools or locations.

Definition 4: A process by which use of system resources is regulated (controlled) as per a security policy, and is (the use of the system resource) permitted only by authorized entities (users, programs, processes or others) according to the policy.

Access → the flow of information between a subject (the user) and the resource (the system).

Subject → an entity that requests access to a resource or to data within a resource. E.g. a user, process, program, etc.

Resource/Object → the entity that contains the data/information, i.e. the entity to which access is controlled. E.g.: a computer database, a file, a program, a printer, etc.

Access Right → describes the way in which the subject may access the object. E.g.: read, write, execute, delete, create, search.

Access controls help organisations to control, restrict and protect a resource's CIA.

In a broad sense, all of computer security is concerned with access control.

An access control mechanism mediates between a user (or a process executing on behalf of a user)
and system resources, such as applications, operating systems, firewalls, routers, files, and
databases. The system must first authenticate an entity seeking access. Typically, the authentication
function determines whether the user is permitted to access the system at all. Then the access
control function determines if the specific requested access by this user is permitted. A security
administrator maintains an authorization database that specifies what type of access to which
resources is allowed for this user. The access control function consults this database to determine
whether to grant access. An auditing function monitors and keeps a record of user accesses to
system resources.

The three functions mentioned above, together with identification (which falls under authentication), are the elements of an access control system:

1. Identification 2. Authentication 3. Authorization 4. Auditing


Access Control Principles

1. Principle of Least Privilege: Every process and every user of the system should operate using the least set of privileges necessary to perform the task. If nothing is specifically configured for a user, or for a group that the user belongs to, then by default the user should not have access to the system resource, i.e. default no access. There is also a temporal aspect to least privilege. E.g., when you install something, you approve it using admin rights; after that, for ordinary tasks, you are just a normal user.
2. Separation of Duties: requiring more than one person to complete a task. Carefully separate duties or conflicting areas of responsibility so that the people involved in checking for inappropriate use are not also capable of making such inappropriate use. This reduces opportunities for unauthorized or unintentional modification or misuse of assets or information.
3. Need to Know: based on the concept that individuals should be given access only to the information that they absolutely require in order to perform their job duties.

Access Control Attributes


Attributes are characteristics that define specific aspects of subjects, objects and environmental conditions, and that help in defining access control.

Subject Attributes: the subject's identifier, name, organization, department, job title and so on.

Object Attributes: the metadata of the object. E.g. for a file, the metadata would be the title of the file, date created, date modified, location and owner.

Environmental or Contextual Attributes: describe the operational, technical and even situational environment or context in which the information access occurs. For example, attributes such as the current date and time, the current virus/hacker activity, and the network's security level (e.g., Internet vs. intranet) are associated with neither a particular subject nor a resource, but may nonetheless be relevant in applying an access control policy. E.g.: if you work from home, then a few things won't be accessible.

Action Attributes or Access Rights: the action being performed on the object: read, write, modify, execute, approve, etc.

Access control criteria can be based on role, group, location, time, transaction type, etc.

E.g., if you hold the CEO role, then you will be able to access everything allowed for that role. If the CEO changes, we just change the mapping of the person to the CEO role, which will change the permissions.

Access Control Matrix


Access Control Matrix: A table with subjects as rows and objects as columns; a particular element of the matrix determines what access rights the subject has to the object, i.e. what actions the subject can take on the object.

The access rights assigned to an individual subject are called its capability list.

An Access Control List lists, for each object, the users and their respective access rights.

e.g.:

  Subjects/Objects     File 1             File 2             File 3
  Subject 1: Alice     Own, read, write   -                  Own, read, write
  Subject 2: Bob       Read               Own, read, write   Write
  Subject 3: Charlie   Read, write        Read               -

The above table is an access control matrix: it lists subjects and objects and shows what actions individual subjects can take on individual objects.

If we break the table up row-wise, each row makes up a capability list.

e.g. (Alice: File 1 - Own, read, write; File 2 - None; File 3 - Own, read, write)

(Charlie: File 1 - Read, write; File 2 - Read; File 3 - None) etc.

If we break the table up column-wise, each column makes up an ACL.

e.g. (File 1: Alice - Own, read, write; Bob - Read; Charlie - Read, write)

(File 2: Alice - None; Bob - Own, read, write; Charlie - Read)

An access matrix with domain switching is one where a user can change from one domain (user) to another.

e.g.: In Ubuntu, you log in with your user ID and password and then switch to root.

Therefore, in the figure referred to above, user D0 can switch to D1. So by default D0 does not have write or execute permissions on F0, but when he switches to D1 he gets all the permissions.
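The following Python is an added example, not part of the notes: it stores the Alice/Bob/Charlie matrix from the table above, derives the capability lists (row-wise) and the ACLs (column-wise) from it, and models domain switching by letting a domain appear as a column that holds a "switch" right. The domain table (D0, D1, F0) is constructed to match the description, since the figure itself is not reproduced in the notes.

```python
# Added example (not from the notes): derive capability lists and ACLs from the
# access control matrix above, and model domain switching (the D0 -> D1 case)
# as a "switch" right. The matrix values are the ones in the table; the
# domain table is constructed, since the figure is not reproduced here.
from typing import Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]   # subject -> object -> rights

ACM: Matrix = {
    "Alice":   {"File 1": {"own", "read", "write"}, "File 2": set(), "File 3": {"own", "read", "write"}},
    "Bob":     {"File 1": {"read"}, "File 2": {"own", "read", "write"}, "File 3": {"write"}},
    "Charlie": {"File 1": {"read", "write"}, "File 2": {"read"}, "File 3": set()},
}


def capability_lists(acm: Matrix) -> Dict[str, Dict[str, Set[str]]]:
    """Row-wise: for each subject, the objects it can reach and its rights on them."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in acm.items()}


def access_control_lists(acm: Matrix) -> Dict[str, Dict[str, Set[str]]]:
    """Column-wise: for each object, the subjects holding rights on it."""
    acls: Dict[str, Dict[str, Set[str]]] = {}
    for s, row in acm.items():
        for o, rights in row.items():
            if rights:
                acls.setdefault(o, {})[s] = set(rights)
    return acls


def check(acm: Matrix, subject: str, obj: str, right: str) -> bool:
    """Plain matrix lookup; a missing subject or object means no access."""
    return right in acm.get(subject, {}).get(obj, set())


# Domains as subjects: a domain can be a column too, holding a "switch" right
# that lets another domain enter it (like a user switching to root).
DOMAINS: Matrix = {
    "D0": {"F0": {"read"}, "D1": {"switch"}},
    "D1": {"F0": {"read", "write", "execute"}},
}


def check_with_switch(acm: Matrix, subject: str, obj: str, right: str) -> bool:
    """Grant if the subject holds the right directly, or via one domain switch."""
    if check(acm, subject, obj, right):
        return True
    return any(check(acm, target, obj, right)
               for target, rights in acm.get(subject, {}).items() if "switch" in rights)


if __name__ == "__main__":
    print(capability_lists(ACM)["Charlie"])      # {'File 1': {'read', 'write'}, 'File 2': {'read'}}
    print(access_control_lists(ACM)["File 2"])   # {'Bob': {'own', 'read', 'write'}, 'Charlie': {'read'}}
    print(check(DOMAINS, "D0", "F0", "write"), check_with_switch(DOMAINS, "D0", "F0", "write"))  # False True
```

The two derived views carry the same information as the matrix, which is why a system can store either one: capability lists are cheap to consult when a subject runs (its row travels with it), while ACLs are cheap to revoke from (one column edit removes a user from an object). The `switch` right shows why domain switching matters for review: D0's own row says "read only", but the rights D0 can actually reach include everything in D1's row.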

Access Control Models/Policies

In the access control model of security, an access control matrix associates rights for operations on objects with subjects. The objects may, for example, be files and devices; the subjects may, for example, be users; the operations may be reading and writing.

Access control policies are embodied in the authorization database, as per the figure above. They state what kind of access is permitted, under what circumstances, and to whom.

Different types of access control models:

1. Discretionary Access Control, or Identity-Based Access Control:
A means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control). E.g. Unix: when you log in to Unix using a user ID and password, there is a configuration saved for your user ID saying what permissions you have, and the permissions change with every user.
2. Attribute-Based/Policy-Based Access Control: controlling access to objects based on a particular policy which combines attributes together.
Policies are statements that take attributes and say what is allowed and what isn't.
e.g.: in our office, deny access after 8 pm; you cannot attach specific types of files, like exe or dll, in mail. This takes object attributes into consideration.
3. History-Based Access Control: Access is granted or declined based on the real-time evaluation of a history of activities of the inquiring party, e.g., behaviour, time between requests, content of requests. For example, access to a certain service or data source can be granted or declined on the basis of personal behaviour, e.g., the request interval exceeds one query per second. E.g. LinkedIn profile viewing: if it exceeds a certain value, then LinkedIn blocks additional viewing of profiles and asks for premium.
4. Mandatory Access Control: Mandatory Access Control (MAC) is system-enforced access control based on subject clearance and object labels. Subjects and objects have clearances and labels, respectively, such as confidential, secret, and top secret. A subject may access an object only if the subject's clearance is equal to or greater than the object's label. Subjects cannot share objects with other subjects who lack the proper clearance, or "write down" objects to a lower classification level (such as from top secret to secret). MAC systems are usually focused on preserving the confidentiality of data.
E.g., a major will have top secret clearance, and a particular soldier, based on his work, might also have top secret clearance, so both will be able to access top secret data irrespective of their roles; SELinux.
5. Role-Based Access Control: Role-based access control (RBAC) restricts access based on a person's role within an organization and has become one of the main methods for advanced access control. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that doesn't pertain to them. An employee's role in an organization determines the permissions that individual is granted and ensures that lower-level employees can't access sensitive information or perform high-level tasks.
e.g.: your POS had manager, cashier, salesperson, etc.; based on each role, a particular functionality was made available or not available to the user.
6. Responsibility-Based Access Control:
Access control based on responsibilities.
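The Python below is an added example, not part of the notes: a small attribute-based (policy-based) evaluator that ties together the attribute section above (subject, object, environmental and action attributes) and the attribute-based model just described. Each policy rule is a predicate over the request; any matching deny wins, otherwise a matching permit is required, so the default is "no access" as the least-privilege principle demands. The rules (deny after 8 pm, no exe/dll attachments, finance documents only from the intranet, role-based reads and approvals) and the sample requests are constructed.

```python
# Added example (not from the notes): a small attribute-based (policy-based)
# access control evaluator. A request carries subject, object, action and
# environment attributes; each rule is a predicate over the request. Attribute
# names, rules and the sample requests are all constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    subject: Dict[str, object]   # e.g. identifier, role, department
    obj: Dict[str, object]       # object metadata, e.g. owner, department, file type
    action: str                  # read, write, approve, attach, ...
    env: Dict[str, object]       # contextual attributes: time, network, location


# A rule is (name, effect, condition). Any matching deny wins; otherwise at least
# one matching permit is needed, so the default is "no access".
Rule = Tuple[str, str, Callable[[Request], bool]]

POLICY: List[Rule] = [
    ("no access after 8 pm", "deny",
     lambda r: r.env["time"].hour >= 20),
    ("no executable attachments in mail", "deny",
     lambda r: r.action == "attach" and r.obj.get("extension") in {"exe", "dll"}),
    ("finance documents only from the intranet", "deny",
     lambda r: r.obj.get("dept") == "finance" and r.env.get("network") != "intranet"),
    ("staff read their own department's documents", "permit",
     lambda r: r.action == "read" and r.subject.get("dept") == r.obj.get("dept")),
    ("the CEO role reads everything", "permit",
     lambda r: r.action == "read" and r.subject.get("role") == "ceo"),
    ("managers approve purchase orders", "permit",
     lambda r: r.action == "approve" and r.subject.get("role") == "manager"
               and r.obj.get("type") == "purchase_order"),
]


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """Return (decision, name of the deciding rule)."""
    first_permit = None
    for name, effect, cond in policy:
        if cond(req):
            if effect == "deny":
                return "deny", name
            first_permit = first_permit or name
    return ("permit", first_permit) if first_permit else ("deny", "default: no matching permit")


def scenarios() -> Dict[str, str]:
    """Constructed requests exercising each kind of attribute."""
    office = {"time": datetime(2024, 3, 4, 10, 30), "network": "intranet"}
    home = {"time": datetime(2024, 3, 4, 10, 30), "network": "internet"}
    late = {"time": datetime(2024, 3, 4, 21, 0), "network": "intranet"}
    analyst = {"id": "u17", "role": "analyst", "dept": "finance"}
    ceo = {"id": "u1", "role": "ceo", "dept": "exec"}
    manager = {"id": "u5", "role": "manager", "dept": "sales"}
    ledger = {"dept": "finance", "type": "document"}
    po = {"dept": "sales", "type": "purchase_order"}
    cases = {
        "analyst reads ledger at office": Request(analyst, ledger, "read", office),
        "analyst reads ledger from home": Request(analyst, ledger, "read", home),
        "ceo reads ledger late": Request(ceo, ledger, "read", late),
        "manager attaches tool.exe": Request(manager, {"extension": "exe"}, "attach", office),
        "manager approves PO": Request(manager, po, "approve", office),
        "analyst approves PO": Request(analyst, po, "approve", office),
    }
    return {k: evaluate(POLICY, r)[0] for k, r in cases.items()}


if __name__ == "__main__":
    for case, decision in scenarios().items():
        print(f"{case}: {decision}")
```

Because permissions hang off attributes rather than identities, replacing the CEO is the one-line change the notes describe (a different subject carries `role: ceo`), and the environmental rules (time of day, intranet versus Internet) apply to every subject without being repeated per user, which is the difference between this and a plain identity-based ACL.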

Access Control Techniques

Access Control Techniques are used to implement the access control models mentioned above. It's not one to one; you have to use a combination of these to achieve an access control model.

The different types of access control techniques are:

1. Rule-Based Access Controls; e.g.: firewall rule settings
2. Constrained User Interfaces; e.g.: the RoleTailored Client in NAV
3. Access Control Matrix
4. Access Control Lists
5. Content-Dependent Access Controls
6. Context-Dependent Access Controls

1. Rule-Based Access Controls:
Rule-based access control uses specific rules that indicate what can or cannot happen between a subject and an object.
Attribute-based access control is an advanced implementation of rule-based access control. While rule-based control applies to all users, attribute-based control provides more comparative control and can be more specific.
The subject must meet a set of rules before it can access the object.
It is not necessarily identity-based, i.e. it can be applicable to all users irrespective of their identity.
Example: firewall settings, blocked websites on our company network.
How it's done, by example: an enterprise creates an ACL and adds rules as needed. Then
• Connect the ACL to a resource object based on the rules.
• When someone tries to access a resource object, the rules in the ACL are checked.
• If the person meets the rules, the person is allowed to access the resource. For example, if one can log in only once a week, then it checks whether the user is logging in for the first time or has logged in before as well.
• This is how the rule-based access control model works. These are the basic principles followed to implement the access control model.
2. Constrained User Interface:
Restricts user access by not allowing users to see certain data or certain functionality.
Example: views, which allow access to only certain data.
Role-based dashboards in the RTC client of MS NAV, MS CRM, etc.
Menus, and shells with limited commands, e.g. the Cisco command line.
Physically constrained user interface → e.g., showing only a few buttons on the keypad of an ATM.
3. Content-Dependent Access Control:
Access decisions are based on an attribute of an object, e.g., a file with a sensitivity tag of private, confidential, public, etc.
Content-dependent access control is a method for controlling users' access to resources based on the content of the resource. CDAC is primarily used to protect databases containing potentially sensitive data. A good example would be a patient record management system that allows different people to access records depending on what they contain. A nurse may have access to blood tests, for example, unless the blood test is an HIV test (the system has to check which test it is in order to determine whether the access is allowed). Only certain people can access such a record. One can argue that anti-virus software is a content-based access control system, as it allows access only to files that do not contain viruses.
4. ACM: refer above.
5. ACL: refer above.
6. Context-Dependent Access Control:
Access control decisions are made based on contextual or environmental attributes like location, rather than the sensitivity of the data.
e.g.: A doctor can edit/read/write a patient document while in the hospital, but when outside, he only has read-only permission.
e.g.: A firewall makes context-based access control decisions when it collects state information about the packet before allowing it into the network.
