Information flow models are critical for understanding how data flows within a system and ensuring it adheres to security policies. In this article, we explore information flow concepts, including partial ordering, and review four key access control models: Bell-LaPadula, Biba, Chinese Wall, and Clark-Wilson.
Information Flow Policies
At its core, information flow represents the movement of data between entities. Examples include:
- Read access: Information flows from an object to a subject.
- Write access: Information flows from a subject to an object.
To formalize information flow, we use partial ordering, which establishes a hierarchy among security levels. Partial ordering has three essential properties:
- Reflexivity: Each entity is at least as secure as itself, enabling self-access.
- Transitivity: If Entity A can send information to Entity B, and B to C, then A can send information to C.
- Antisymmetry: If A can send information to B and vice versa, they must have the same security level.
Key Access Control Models
1. Bell-LaPadula Model (BLP)
The Bell-LaPadula Model focuses on ensuring data confidentiality by restricting information flow.
- Subjects: Active entities like users or processes.
- Objects: Passive entities like files or databases.
- Security Labels: Objects are classified (e.g., Top Secret, Secret, Unclassified), and subjects require corresponding clearances.
Core Security Properties:
- Simple Security Property (No Read Up): Prevents subjects from reading data at a higher security level.
- Star (*) Property (No Write Down): Prevents subjects from writing data to a lower security level, avoiding data leaks.
- Strong Star Property: Subjects can only read/write at their own security level.
- Discretionary Access Control: Uses an access control matrix to enforce permissions.
Limitation: BLP only addresses confidentiality and assumes no insider threats or covert channels, making it impractical in dynamic systems.
2. Biba Model
The Biba Model complements Bell-LaPadula by ensuring data integrity instead of confidentiality.
- Integrity Levels: Represent the trustworthiness of entities. High levels are “clean,” and low levels are “dirty.”
Core Rules:
- Simple Integrity Property (No Write Up): Prevents subjects from corrupting higher integrity data.
- Star Integrity Property (No Read Down): Subjects cannot be corrupted by data from lower integrity levels.
Limitation: Like BLP, it assumes static security requirements and lacks real-world adaptability.
3. Chinese Wall Model
The Chinese Wall Model enforces conflict-of-interest (CoI) policies, ensuring that users cannot access conflicting data sets. This model dynamically adapts based on user activity.
Key Features:
- Dynamic Rules: Users can only access data that does not conflict with previously accessed data.
- Separation of Duties: Prevents fraudulent modifications by ensuring that no user has conflicting permissions.
Example:
A financial analyst working on Client A’s accounts cannot access data for Client B if they are competitors.
Use Case: Frequently applied in industries like finance and consulting, where data conflicts are common.
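The analyst example above, written as a history-based access check. This is an added example, not code from the original article; the client names, the conflict-of-interest classes, and the `ChineseWall` class are constructed for illustration, and only read access is modeled.

```python
from collections import defaultdict

# Constructed sample data: each client dataset belongs to one
# conflict-of-interest (CoI) class; clients in the same class are competitors.
COI_CLASS = {
    "Client A": "banking",
    "Client B": "banking",   # competitor of Client A
    "Client C": "energy",
}


class ChineseWall:
    """History-based access decisions for the Chinese Wall policy."""

    def __init__(self, coi_class):
        self.coi_class = coi_class
        # user -> {CoI class -> the one client that user has accessed in it}
        self.history = defaultdict(dict)

    def can_access(self, user, client):
        """Allowed unless the user already accessed a competitor of `client`."""
        if client not in self.coi_class:
            return False  # unknown dataset: deny by default
        chosen = self.history[user].get(self.coi_class[client])
        return chosen is None or chosen == client

    def access(self, user, client):
        """Check the request and, if granted, record it in the user's history."""
        if not self.can_access(user, client):
            return False
        self.history[user][self.coi_class[client]] = client
        return True


def demo():
    wall = ChineseWall(COI_CLASS)
    return [
        wall.access("analyst", "Client A"),  # first access in "banking"
        wall.access("analyst", "Client B"),  # competitor of A: denied
        wall.access("analyst", "Client C"),  # different CoI class: allowed
        wall.access("analyst", "Client A"),  # same client again: allowed
        wall.access("auditor", "Client B"),  # other user, own history
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, True, True, True]
```

The decision depends on each user's recorded history rather than on a fixed label, which is what distinguishes this model from the static level comparisons in Bell-LaPadula and Biba.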
4. Clark-Wilson Model
The Clark-Wilson Model focuses on data integrity in commercial applications by implementing well-formed transactions and separation of duties.
Integrity Goals:
- Prevent Unauthorized Modifications: Enforce strict authentication.
- Prevent Improper Modifications: Ensure controls restrict authorized users from making invalid changes.
- Ensure Consistency: Maintain both internal and external consistency with well-formed transactions.
Core Mechanisms:
- Subjects interact with objects only through restricted programs that enforce security policies.
- Separation of duties ensures no single user can compromise the system.
Example: A bank system restricts account updates to predefined functions, such as deposits and withdrawals, reducing the risk of errors or fraud.
Comparing the Models
| Feature | BLP Model | Biba Model | Chinese Wall Model | Clark-Wilson Model |
|---|---|---|---|---|
| Focus | Confidentiality | Integrity | Conflict-of-Interest Policies | Integrity in Commercial Systems |
| Key Rule | No Read Up, No Write Down | No Write Up, No Read Down | Dynamic Access Based on Activity | Well-Formed Transactions |
| Real-World Adaptability | Limited | Limited | High | High |
| Use Case | Military Systems | High Integrity Systems | Financial & Consulting Firms | Banking, Enterprise Systems |
Conclusion
Information flow models like Bell-LaPadula, Biba, Chinese Wall, and Clark-Wilson offer distinct methods for managing data security, integrity, and conflict of interest. While BLP and Biba provide theoretical frameworks for static systems, the Chinese Wall and Clark-Wilson models are better suited for dynamic, real-world environments.