Systems Security Certified Practitioner – SSCP – Question0134

Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level?

A. The Bell-LaPadula model
B. The information flow model
C. The noninterference model
D. The Clark-Wilson model

Correct Answer: C

Explanation:

The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users. By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.
The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level.
It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level.
The model also addresses the inference attack that occurs when someone has access to some type of information and can infer (guess) something that he does not have the clearance level or authority to know.
The following are incorrect answers:
The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classification of objects and the clearances of subjects.
The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with the security policy.
The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by means of well-formed transactions and usage of an access triple (subject-interface-object).