Write a paper on the following: Describe each formal model of security (Pictures are attached) and what the differences are between them. Describe these models’ limitations. Which one would you recommend to the project company?
Confidentiality Models 113
Discretionary access models
terms of access control matrices is the Graham-Denning security model (13).
This model defines eight explicit rules for secure manipulation of the access
control matrix. Developers may apply these rules as a formal means of verify-
ing the security of the access control mechanisms, and then use these mecha-
nisms for discretionary protection of information,
Figure 6.4 illustrates the relationships in models for discretionary access con-
trol. Taken together, these models offer defenders several options to control
the access rights to files, devices, and other objects on defended computers.
Many implementations of these access controls exist for a variety of operating
systems. However, due to the nature of discretionary protection (users may or
may not follow policy), it is insufficient to verify protections to information,
which need mandatory access control.
An access control lise (ACL) is a mechanism that implements access control
for a rescate (eg. a ble device or area of memory) on the computer by ems
mitating the use or agents who are permitted to access the resource and
stating, either implicitly or aplicitly, the permissions granted to each user or
agent (1) Figure 63 diagrams an ACL for file protection. As an operational
convenience users are often enumerated by establishing groups, but this does
not change the formal semantics of the ACL Formally, this forms an alge
bra of turpis coupling users with privileges related to the object. The opera
tions on this algebra identify allowed actions similar to the preceding access
group discussion (12] Cenerally, ACLs are tightly associated with the objects
requires polling of all of the objects on the computer. This level of indirection
de protect, which means that analysis of all of the rights that an agent has
limits the generality of the properties that can be proved from ACLS.
An acress matrix is a rectangular array of cells, with one row per subject and
ope column pes object. The entry in a cell-that is, the entry for a particular
subject-object pair-indicates the access mode that the subject is permitted
to sercise on the objed (1l. This extends the semantics of ACL by allowing
semantics across objects and across agents. One formal model expressed in
Confidentiality, as described in Chapter 1, is one of the core properties on
which security is based. If an organization cannot prevent unauthorized
disclosure of information, then it is difficult for that organization to retain
control over the use of that information. When the information is critical
enough, a clear and unambiguous structure for the analysis of confidential-
ity becomes useful. This section describes two such structures: Bell-LaPadula,
and Chinese Wall.
The Bell-La Padula model (2) has both mandatory and discretionary com-
ponents for expressing confidentiality properties in computer systems. Each
object in the system has a label expressing its degree of confidentiality, and
this label may not be changed or removed from the object (the “tranquility
principle”). Each subject has both a clearance level and a current confiden-
tiality level, which may not exceed the clearance level, and is no lower than
the maximum confidentiality of the information that has been read. Bell and
LaPadula express algebraic semantics in a state-machine form, then define it.