You are implementing a security kernel that aligns with the reference monitor concept to enforce the access control policy prohibiting unauthorized information disclosure. Which of the following is correct about your implementation?
A. Information as constrained data items is well-formed to prevent conflict of interest.
B. Lipner’s model is a formal model that can support your design and enforce the policy.
C. A subject with a confidential clearance cannot write to a file classified as top secret.
D. All information flows from a high to a low security level are blocked with no exceptions per the Bell-LaPadula model.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Lipner’s model is a formal model that can support your design and enforce the policy.
The access control policy in question prohibits unauthorized information disclosure; that is, it enforces confidentiality. Lipner’s model can enforce this policy because it combines elements of both the BLP and Biba models to provide confidentiality and integrity.
Even though Lipner’s model is essentially an integrity model, “integrity concerns are orthogonal to confidentiality concerns and should be treated either separately or in a mixed policy. In a system with both confidentiality and integrity constraints, only accesses that pass both tests may be allowed.” (Dr. Bill Young) This leads to the conclusion that Lipner’s model “combines the elements of BLP and Biba model to provide confidentiality and integrity.” (Karthikeyan Dhayalan)
The Clark-Wilson and Chinese Wall Model
The statement that information, as constrained data items, is well-formed points to the Clark-Wilson model, which enforces integrity through well-formed transactions and separation of duty, while the Brewer and Nash model (aka Chinese Wall) enforces confidentiality by preventing conflicts of interest.
Write-up As Integrity Concern
The write-up operation is a concern of integrity, not confidentiality; e.g., a subject with a confidential clearance cannot write to a file classified as top secret.
Trusted Subjects As Exception
Trusted subjects at a higher security level are not restricted by the Star-property and can write to an object at a lower level, as introduced in CISSP PRACTICE QUESTIONS – 20210128.
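The rule quoted above, that only accesses passing both the confidentiality test and the integrity test are allowed, together with the trusted-subject exception, as an added example (not code from the original post). The level names, the `Label` and `Subject` types and the `mediate` function are assumptions, and the sketch uses plain linear levels rather than Lipner's full set of levels and categories.

```python
from dataclasses import dataclass

# Constructed level orderings for illustration (higher number = higher level).
CONF = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEG = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Label:
    conf: str    # confidentiality level, checked by the BLP rules
    integ: str   # integrity level, checked by the Biba rules

@dataclass(frozen=True)
class Subject:
    name: str
    label: Label
    trusted: bool = False  # trusted subjects are exempt from the *-property

def blp_allows(s: Subject, obj: Label, op: str) -> bool:
    sc, oc = CONF[s.label.conf], CONF[obj.conf]
    if op == "read":
        return sc >= oc               # simple security property: no read up
    if op == "write":
        return s.trusted or sc <= oc  # *-property: no write down
    raise ValueError(f"unknown operation: {op}")

def biba_allows(s: Subject, obj: Label, op: str) -> bool:
    si, oi = INTEG[s.label.integ], INTEG[obj.integ]
    if op == "read":
        return si <= oi               # no read down
    if op == "write":
        return si >= oi               # no write up
    raise ValueError(f"unknown operation: {op}")

def mediate(s: Subject, obj: Label, op: str) -> bool:
    """Reference-monitor decision: the access must pass both tests."""
    return blp_allows(s, obj, op) and biba_allows(s, obj, op)

if __name__ == "__main__":
    # Constructed subjects and objects.
    analyst = Subject("analyst", Label("confidential", "medium"))
    downgrader = Subject("downgrader", Label("confidential", "medium"), trusted=True)
    ts_file = Label("top secret", "high")
    public_file = Label("unclassified", "medium")
    for subj, obj, op in [(analyst, ts_file, "read"), (analyst, ts_file, "write"),
                          (analyst, public_file, "write"), (downgrader, public_file, "write")]:
        print(subj.name, op, obj.conf, "->", "allow" if mediate(subj, obj, op) else "deny")
```

In this sketch the write from the confidential subject to the top secret file passes the BLP test and is denied only by the Biba test, which is the sense in which write-up is an integrity concern.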