3.a)
Explain briefly about Mandatory Access Control and Discretionary
Access Control.
Ans:
Mandatory Access Control allows new access control modules to be
loaded, implementing new security policies. Some provide protections
of a narrow subset of the system, hardening a particular service.

Discretionary access control means that each object has an owner and
the owner of the object gets to choose its access control policy.
There are loads of objects in Windows that use this security model,
including printers, services, and file shares. All secure kernel
objects also use this model, including processes, threads, memory
sections, synchronization objects such as mutexes and events, and
named pipes.
b)
Describe briefly the Bell-LaPadula model and its limitations. [6]
Ans: The Bell-LaPadula model is designed to facilitate information
sharing in a secure manner across information domains. Within the
model a hierarchy of levels is used to determine appropriate access
rights. For example, using conventional DND document labeling
standards, SECRET is treated above CONFIDENTIAL. The Bell-LaPadula
model uses axioms of “read-down” and “write-up”. Therefore, assuming
appropriate need-to-know, an individual in a SECRET domain is
authorized to “read-down” into the CONFIDENTIAL domain since
personnel with sufficient clearance for SECRET are also cleared for
CONFIDENTIAL. However, the user in the SECRET domain may never be
authorized to “write-down”. This occurs because the clearance in
the CONFIDENTIAL domain is not sufficient to handle the SECRET
information.

Similarly, an individual in a SECRET domain is not authorized to
“read-up” from a TOP SECRET domain. This happens because the SECRET
domain does not include a sufficient clearance. However, an
individual in the SECRET domain may be authorized to “write-up” to
the TOP SECRET domain. This happens as a result of the inherent
ability for all personnel in the TOP SECRET domain to have sufficient
clearance to read the lower domain information.
Limitations
• Restricted to Confidentiality.
• No policies for changing access rights; a complete general
downgrade is secure; intended for systems with static security
levels.
• Contains covert channels: a low subject can detect the existence of
high objects when it is denied access.
• Sometimes, it is not sufficient to hide only the contents of
objects. Their existence may have to be hidden, as well.
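
The read-down / write-up rules and the existence-leak limitation above, as an added example that is not part of the original answer. It assumes a purely linear hierarchy (need-to-know categories are left out), and the names Monitor, learned_names, build and the sample objects are hypothetical.

```python
from enum import IntEnum

class Level(IntEnum):
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class Monitor:
    """Toy Bell-LaPadula reference monitor over a linear hierarchy."""
    def __init__(self, hide_existence=False):
        self.objects = {}                  # object name -> Level
        self.hide_existence = hide_existence

    def create(self, name, level):
        self.objects[name] = level

    def read(self, subject, name):
        obj = self.objects.get(name)
        if obj is None:
            return "not-found"
        if subject >= obj:                 # read-down (or same level) is allowed
            return "granted"
        # Read-up is refused. Answering "denied" tells a low subject the
        # object exists; answering "not-found" hides its existence as well.
        return "not-found" if self.hide_existence else "denied"

    def write(self, subject, name):
        obj = self.objects.get(name)
        if obj is None:
            return "not-found"
        # Write-up (or same level) is allowed; write-down is refused.
        # A granted write-up also confirms the name exists; this sketch
        # only covers the read path named in the limitation above.
        return "granted" if subject <= obj else "denied"

def learned_names(monitor, subject, candidates):
    """Names whose existence a subject can confirm from read() answers."""
    return {n for n in candidates if monitor.read(subject, n) != "not-found"}

def build(hide_existence=False):
    """Constructed sample data: one low object and one high object."""
    m = Monitor(hide_existence)
    m.create("memo", Level.CONFIDENTIAL)
    m.create("ops-plan", Level.TOP_SECRET)
    return m

if __name__ == "__main__":
    names = ["memo", "ops-plan", "no-such-object"]
    print(learned_names(build(False), Level.CONFIDENTIAL, names))
    print(learned_names(build(True), Level.CONFIDENTIAL, names))
```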