Noninterference Security Model

C.

The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see.This is in contrast to other security models that control information flows between differing levels of users,By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.

The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level.

It is not concerned with the flow of data, but rather with what a subject knows about the state of the system.

So if an entity at a higher security level performs an action, it can not change the state for the entity at the lower level.

The model also addresses the inference attack that occurs when some one has access to some type of information and can infer(guess) something that he does not have the clearance level or authority to know.

The following are incorrect answers: The Bell-LaPadula model is incorrect.The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classfication of objects and the clearences of subjects.

The information flow model is incorrect.The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes.Information will be allowed to flow only in accordance with the security policy.

The Clark-Wilson model is incorrect.The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well-formed transactions and usage of an access triple (subjet - interface - object)

References: CBK, pp 325 - 326 - AIO3, pp.

290 - 291 - AIOv4 Security Architecture and Design (page 345) AIOv5 Security Architecture and Design (pages 347 - 348) https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterference_Models.

The security model that ensures that actions that take place at a higher security level do not affect actions that take place at a lower level is the Bell-LaPadula model.

The Bell-LaPadula model is a multilevel security model used for enforcing confidentiality policies. It was designed to address the confidentiality of data in computer systems. This model defines a set of rules that determine how information can be accessed and manipulated based on its sensitivity level.

The Bell-LaPadula model is based on the concept of a "security clearance" which is assigned to each user of the system. The security clearance determines the level of information that the user is allowed to access. The Bell-LaPadula model defines two basic security principles: the "no-read-up" principle and the "no-write-down" principle.

The "no-read-up" principle states that a user with a lower security clearance is not allowed to read information at a higher security level. This principle ensures that users with lower clearance cannot access sensitive information that they are not authorized to see.

The "no-write-down" principle states that a user with a higher security clearance is not allowed to write information to a lower security level. This principle ensures that users with higher clearance cannot modify or corrupt less sensitive information.

The Bell-LaPadula model is a strict model that is designed to prevent unauthorized access to sensitive information. It does not address issues related to integrity or availability of data. Other security models such as the Clark-Wilson model address these concerns.

In summary, the Bell-LaPadula model is a security model that enforces confidentiality policies by ensuring that actions that take place at a higher security level do not affect actions that take place at a lower level.