Notes for February 7, 1997 1. Hello a. Homework grades will be mailed back assoon as weºre done ... programs are the bottleneck. Sorry! 2. Puzzle of the day a. Key point: pornographic pictures or pirated software can be left behind in a Ñ.æ directory that the remove wonºt delete. 3. Bell-LaPadula Model a. Simple Security Property: no reads up b. Star Property: no writes down c. Discretionary Security Property: if mandatory controls say itºs okay, check discre- tionary controls. d. Then add categories: SSP is S cannot read O if L(S) < L(O) or if C(O) ø C(S); *P is S cannot write O if L(O) < L(S) or if C(S) ø C(O) e. Basic Security Theorem: A system is secure if its initial state is secure and no action violates the above rules. 4. ORCON (Originator Controlled; Graubert) a. Document/information can be passed on with approval of originator; real world justification is that originator of document trusts recipients not to release docu- ments which they should not. b. Untrusted subject x marks object O ORCON on behalf of organization X and indi- cates it is releasable to subjects acting on behalf of organization Y. not releasable to subjects acting on behalf of other organizations without Xºs per- mission any copies made have the same restriction c. DAC: canºt do this as the restriction would not copy over (y reads O into C, puts its own ACL on C) d. MAC: separate category withO, x, y. y wants to read O, copy to C; MAC means C has same category as O, x, y, so canºt give z access to C. Say a new organization w wants to provide data in B to y but not to be shared with x or z. Canºt use Oºs category. Hence you get explosion of categories. Real world parallel: individuals are Ñbriefedæ into a category and those represent a formal Ñneed to knowæ policy that is standard across the entity; ORCON has no central clearinghouse to categorize data; originator makes rules. 5. Solution? a. owner of object canºt change ACLºs relationship with object (MAC characteristic) b. on copy, ACL is copied as well (MAC characteristic) c. access control restrictions can be tailored on a per-subject/object basis (DAC characteristic)