Write a paper on the following: Describe each formal model of security (pictures are attached) and what the differences are between them. Describe these models' limitations. Which one would you recommend to the project company?


Confidentiality Models

Discretionary access models

An access control list (ACL) is a mechanism that implements access control for a resource (e.g. a file, device, or area of memory) on the computer by enumerating the users or agents who are permitted to access the resource and stating, either implicitly or explicitly, the permissions granted to each user or agent (1). Figure 6.3 diagrams an ACL for file protection. As an operational convenience, users are often enumerated by establishing groups, but this does not change the formal semantics of the ACL. Formally, this forms an algebra of tuples coupling users with privileges related to the object. The operations on this algebra identify allowed actions, similar to the preceding access group discussion (12). Generally, ACLs are tightly associated with the objects they protect, which means that analysis of all of the rights that an agent has requires polling of all of the objects on the computer. This level of indirection limits the generality of the properties that can be proved from ACLs.

An access matrix is a rectangular array of cells, with one row per subject and one column per object. The entry in a cell, that is, the entry for a particular subject-object pair, indicates the access mode that the subject is permitted to exercise on the object (1). This extends the semantics of ACLs by allowing semantics across objects and across agents. One formal model expressed in terms of access control matrices is the Graham-Denning security model (13). This model defines eight explicit rules for secure manipulation of the access control matrix. Developers may apply these rules as a formal means of verifying the security of the access control mechanisms, and then use these mechanisms for discretionary protection of information.

Figure 6.4 illustrates the relationships in models for discretionary access control. Taken together, these models offer defenders several options to control the access rights to files, devices, and other objects on defended computers. Many implementations of these access controls exist for a variety of operating systems. However, due to the nature of discretionary protection (users may or may not follow policy), it is insufficient for verifying the protection of information that needs mandatory access control.
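The ACL and access-matrix passages above describe the same rights in two shapes: a column of the matrix is one object's ACL, a row is everything one subject may do. The following Python is an added example (not code from the book or from any project it cites) that builds a small access matrix, derives per-object ACLs from it, and then stores those ACLs object-by-object the way a filesystem does, to show concretely why "what may this agent do anywhere?" requires polling every object's ACL while the matrix answers it from one row. The subjects, objects, group and rights are constructed sample data.

```python
from enum import Flag, auto


class Right(Flag):
    """Access modes a subject may hold on an object (sample set, not the book's)."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    OWN = auto()


class AccessMatrix:
    """Rectangular array of cells: one row per subject, one column per object.
    Each cell holds the access modes that subject may exercise on that object."""

    def __init__(self, subjects, objects):
        self.subjects = list(subjects)
        self.objects = list(objects)
        self.cells = {(s, o): Right.NONE for s in self.subjects for o in self.objects}

    def grant(self, subject, obj, rights):
        self.cells[(subject, obj)] |= rights

    def grant_group(self, members, obj, rights):
        """Groups are only an enumeration convenience: each member gets its own
        cell entry, so the formal semantics of the matrix are unchanged."""
        for s in members:
            self.grant(s, obj, rights)

    def revoke(self, subject, obj, rights):
        self.cells[(subject, obj)] &= ~rights

    def permitted(self, subject, obj, right):
        return right in self.cells[(subject, obj)]

    def acl(self, obj):
        """Column view: the object's ACL as (subject, rights) tuples."""
        return [(s, self.cells[(s, obj)]) for s in self.subjects if self.cells[(s, obj)]]

    def capabilities(self, subject):
        """Row view: every right one subject holds, across all objects, in one lookup."""
        return [(o, self.cells[(subject, o)]) for o in self.objects if self.cells[(subject, o)]]


class AclStore:
    """Object-centric storage: each object carries only its own ACL, nothing global."""

    def __init__(self):
        self.acls = {}  # object -> {subject: Right}

    @classmethod
    def from_matrix(cls, matrix):
        store = cls()
        for obj in matrix.objects:
            store.acls[obj] = {s: r for s, r in matrix.acl(obj)}
        return store

    def check(self, subject, obj, right):
        """A per-object decision is direct: one ACL, one entry."""
        return right in self.acls.get(obj, {}).get(subject, Right.NONE)

    def rights_of(self, subject):
        """Answering 'what may this agent do anywhere?' must poll every object's ACL.
        Returns the rights found and how many objects had to be examined."""
        found, polled = {}, 0
        for obj, entries in self.acls.items():
            polled += 1
            if entries.get(subject, Right.NONE):
                found[obj] = entries[subject]
        return found, polled


def build_example():
    """Constructed sample matrix (hypothetical subjects, objects and group)."""
    m = AccessMatrix(["alice", "bob", "carol"], ["payroll.xlsx", "/dev/tty1", "config.yml"])
    groups = {"staff": {"alice", "bob"}}
    m.grant("alice", "payroll.xlsx", Right.READ | Right.WRITE | Right.OWN)
    m.grant_group(groups["staff"], "payroll.xlsx", Right.READ)
    m.grant("bob", "/dev/tty1", Right.READ | Right.WRITE)
    m.grant("alice", "config.yml", Right.READ | Right.WRITE | Right.OWN)
    m.grant("carol", "config.yml", Right.READ)
    return m


if __name__ == "__main__":
    matrix = build_example()
    print("ACL of payroll.xlsx:", matrix.acl("payroll.xlsx"))
    print("capabilities of carol:", matrix.capabilities("carol"))
    found, polled = AclStore.from_matrix(matrix).rights_of("carol")
    print(f"ACL store: carol holds {found} after polling {polled} objects")
```

The `rights_of` counter is the point of the example: with object-attached ACLs the number of objects examined grows with the system, not with the subject's rights, which is the indirection the text says limits what can be proved from ACLs alone. The matrix row (`capabilities`) answers the same question without that scan, which is why the Graham-Denning rules are stated over the matrix rather than over ACLs.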


Confidentiality, as described in Chapter 1, is one of the core properties on which security is based. If an organization cannot prevent unauthorized disclosure of information, then it is difficult for that organization to retain control over the use of that information. When the information is critical enough, a clear and unambiguous structure for the analysis of confidentiality becomes useful. This section describes two such structures: Bell-LaPadula and Chinese Wall.

The Bell-LaPadula model (2) has both mandatory and discretionary components for expressing confidentiality properties in computer systems. Each object in the system has a label expressing its degree of confidentiality, and this label may not be changed or removed from the object (the "tranquility principle"). Each subject has both a clearance level and a current confidentiality level, which may not exceed the clearance level, and is no lower than the maximum confidentiality of the information that has been read. Bell and LaPadula express algebraic semantics in a state-machine form, then define it.
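The Bell-LaPadula paragraph above fixes three things: object labels are immutable (tranquility), a subject's current level never exceeds its clearance, and the current level rises to the highest label the subject has read. The following Python is an added example (not the book's code, and not the authors' state-machine formalization) that encodes those three constraints and walks one subject through a few reads and writes. It goes one step beyond the excerpt by also checking the standard Bell-LaPadula *-property, that a subject may not write to an object labeled below its current level, which is what stops information read at a high level from being copied down. Level names, object names and the "analyst" subject are constructed sample data.

```python
from dataclasses import dataclass, FrozenInstanceError

# Constructed linear ordering of labels (higher number = more confidential).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class LabeledObject:
    """An object whose label is fixed for its lifetime (tranquility principle)."""
    name: str
    label: int


class Subject:
    """A subject with a fixed clearance and a current level that floats up as it reads."""

    def __init__(self, name, clearance, current_level=LEVELS["UNCLASSIFIED"]):
        if current_level > clearance:
            raise ValueError("current level may not exceed clearance")
        self.name = name
        self.clearance = clearance
        self.current_level = current_level
        self.read_log = []

    def read(self, obj):
        """Reading raises the current level to at least obj.label; because the current
        level may never exceed clearance, an object labeled above clearance is refused."""
        if obj.label > self.clearance:
            return False
        self.current_level = max(self.current_level, obj.label)
        self.read_log.append(obj.name)
        return True

    def write(self, obj):
        """*-property (standard Bell-LaPadula, not stated in the excerpt): no write to an
        object labeled below the subject's current level, so nothing read flows downward."""
        return obj.label >= self.current_level


def relabel(obj, new_label):
    """Attempt to change an object's label; returns False because tranquility forbids it."""
    try:
        obj.label = new_label
    except FrozenInstanceError:
        return False
    return True


def scenario():
    """One subject cleared SECRET, exercised against three constructed objects.
    Returns the list of (action, permitted) pairs and the subject's final current level."""
    public_wiki = LabeledObject("wiki", LEVELS["UNCLASSIFIED"])
    secret_memo = LabeledObject("memo", LEVELS["SECRET"])
    ts_plan = LabeledObject("plan", LEVELS["TOP_SECRET"])
    analyst = Subject("analyst", clearance=LEVELS["SECRET"])

    trace = []
    # Before reading anything the analyst sits at UNCLASSIFIED and may write the wiki.
    trace.append(("write wiki before any read", analyst.write(public_wiki)))
    # Reading the SECRET memo is within clearance and lifts the current level to SECRET.
    trace.append(("read SECRET memo", analyst.read(secret_memo)))
    # Now a write to the UNCLASSIFIED wiki is refused: it could carry the memo's contents.
    trace.append(("write wiki after reading SECRET", analyst.write(public_wiki)))
    # TOP_SECRET is above clearance, so the read is refused.
    trace.append(("read TOP_SECRET plan", analyst.read(ts_plan)))
    # Tranquility: the memo's label cannot be lowered to make it readable elsewhere.
    trace.append(("relabel memo to UNCLASSIFIED", relabel(secret_memo, LEVELS["UNCLASSIFIED"])))
    return trace, analyst.current_level


if __name__ == "__main__":
    for action, ok in scenario()[0]:
        print(f"{action:40s} -> {'permitted' if ok else 'refused'}")
```

The third step is the one to notice: the same write that was permitted before the read is refused after it, because the subject's current level, not its clearance, governs what it may write. That is what makes the model mandatory rather than discretionary: the subject cannot opt out of the level it has acquired by reading.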