294 Chapter 8 ■ Principles of Security Models, Design, and Capabilities
Goguen-Meseguer Model
The Goguen-Meseguer model is an integrity model, although not as well known as Biba and the others. In fact, this model is said to be the foundation of noninterference conceptual theories. Often when someone refers to a noninterference model, they are actually referring to the Goguen-Meseguer model.
The Goguen-Meseguer model is based on predetermining the set or domain—a list of objects that a subject can access. This model is based on automaton theory and domain separation. This means subjects are allowed only to perform predetermined actions against predetermined objects. When similar users are grouped into their own domain (that is, collective), the members of one subject domain cannot interfere with the members of another subject domain. Thus, subjects are unable to interfere with each other’s activities.
Sutherland Model
The Sutherland model is an integrity model. It focuses on preventing interference in support of integrity. It is formally based on the state machine model and the information flow model. However, it does not directly indicate specific mechanisms for protection of integrity. Instead, the model is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of only these predetermined secure states, integrity is maintained and interference is prohibited.
A common example of the Sutherland model is its use to prevent a covert channel from being used to influence the outcome of a process or activity. (For a discussion of covert channels, see Chapter 9.)
Graham-Denning Model
The Graham-Denning model is focused on the secure creation and deletion of both subjects and objects. Graham-Denning is a collection of eight primary protection rules or actions that define the boundaries of certain secure actions:
■ Securely create an object.
■ Securely create a subject.
■ Securely delete an object.
■ Securely delete a subject.
■ Securely provide the read access right.
■ Securely provide the grant access right.
■ Securely provide the delete access right.
■ Securely provide the transfer access right.
Usually the specific abilities or permissions of a subject over a set of objects are defined in an access matrix (aka access control matrix).
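As an added illustration (not from the book), the following toy access control matrix implements the eight Graham-Denning rules listed above. The ownership semantics are an assumption for the example: the creator of an object holds an "owner" right over it, only an owner may grant or revoke rights, and a right granted with a "*" suffix is transferable by its holder; "read access right" is interpreted as reading the matrix cell.

```python
# Toy access control matrix driven by the eight Graham-Denning rules (example only).
class AccessMatrix:
    def __init__(self, root):
        self.subjects = {root}   # bootstrap subject; owns nothing yet
        self.objects = set()
        self.matrix = {}         # (subject, object) -> set of rights
    def _require(self, subject, obj, right):
        if right not in self.matrix.get((subject, obj), set()):
            raise PermissionError(f"{subject} lacks {right} on {obj}")
    def _cell(self, subject, obj):
        if subject not in self.subjects or obj not in self.objects:
            raise ValueError(f"unknown subject/object: {subject}, {obj}")
        return self.matrix.setdefault((subject, obj), set())
    def create_object(self, creator, obj):
        # Rule 1: create object; the creator becomes owner (assumed semantics)
        if creator not in self.subjects or obj in self.objects:
            raise ValueError(f"{creator} cannot create {obj}")
        self.objects.add(obj)
        self.matrix[(creator, obj)] = {"owner"}
    def create_subject(self, creator, new_subject):
        # Rule 2: create subject; a subject is also an object, so it is owned
        self.create_object(creator, new_subject)
        self.subjects.add(new_subject)
    def delete_object(self, subject, obj):
        # Rule 3: delete object; owner only, and every cell for obj is wiped
        self._require(subject, obj, "owner")
        self.objects.discard(obj)
        self.matrix = {k: v for k, v in self.matrix.items() if k[1] != obj}
    def delete_subject(self, subject, victim):
        # Rule 4: delete subject; remove it as an object, then its own row
        self.delete_object(subject, victim)
        self.subjects.discard(victim)
        self.matrix = {k: v for k, v in self.matrix.items() if k[0] != victim}
    def read_rights(self, subject, obj):
        # Rule 5: read the access rights a subject holds on an object
        return frozenset(self.matrix.get((subject, obj), set()))
    def grant_right(self, owner, grantee, obj, right):
        # Rule 6: grant; owner only, a "*" suffix marks the right transferable
        self._require(owner, obj, "owner")
        self._cell(grantee, obj).add(right)
    def delete_right(self, owner, grantee, obj, right):
        # Rule 7: delete right; owner only
        self._require(owner, obj, "owner")
        self.matrix.get((grantee, obj), set()).discard(right)
    def transfer_right(self, subject, grantee, obj, right):
        # Rule 8: transfer; a non-owner passes on only a transferable copy
        self._require(subject, obj, right + "*")
        self._cell(grantee, obj).add(right)
```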
Select Controls Based On Systems Security Requirements
Those who purchase information systems for certain kinds of applications—think, for example, about national security agencies where sensitive information may be extremely valuable (or dangerous in the wrong hands) or central banks or securities traders where certain data may be worth billions of dollars—often want to understand their security strengths and weaknesses. Such buyers are often willing to consider only systems that have been subjected to formal evaluation processes in advance and have received some kind of security rating. Buyers want to know what they’re buying and, usually, what steps they must take to keep such systems as secure as possible.
When formal evaluations are undertaken, systems are usually subjected to a two-step process:
1. The system is tested and a technical evaluation is performed to make sure that the system’s security capabilities meet criteria laid out for its intended use.
2. The system is subjected to a formal comparison of its design and security criteria and its actual capabilities and performance, and individuals responsible for the security and veracity of such systems must decide whether to adopt them, reject them, or make some changes to their criteria and try again.
Often trusted third parties are hired to perform such evaluations; the most important result from such testing is their “seal of approval” that the system meets all essential criteria.
You should be aware that TCSEC was repealed and replaced by the Common Criteria (as well as many other DoD directives). It is still included here as a historical reference and as an example of static-based assessment criteria to offset the benefits of dynamic (although subjective) assessment criteria. Keep in mind that the CISSP exam focuses on the “why” of security more than the “how”—in other words, it focuses on the concepts and theories more than the technologies and implementations. Thus, some of this historical information could be present in questions on the exam.
Regardless of whether the evaluations are conducted inside an organization or out of house, the adopting organization must decide to accept or reject the proposed systems. An organization’s management must take formal responsibility if and when a system is adopted and be willing to accept any risks associated with its deployment and use.
The three main product evaluation models or classification criteria models addressed here are TCSEC, Information Technology Security Evaluation Criteria (ITSEC), and Common Criteria.