Notes for February 6, 1998
[ ended here ]
- Greetings and felicitations!
- Reading: Pfleeger, pp. 277-280
- Anyone can drop anything in there - and they usually do!
- Lock and Key
- Associate with each object a lock; associate with each process that has
access to object a key (it's a cross between ACLs and C-Lists)
- Example: use crypto (Gifford). X object enciphered with key K.
Associate an opener R with X. Then:
OR-Access: K can be
recovered with any Di in a list of n deciphering transformations,
so R = (E1(K), E2(K), ...,
En(K)) and any process with access to any of
the Di's can
access the file
AND-Access: need all n deciphering functions to get
K: R = E1(E2(...En(K)...))
- Mandatory vs. Discretionary;
- security levels
- Bell-LaPadula Model
- Simple Security Property: no reads up
- Star Property: no writes down
- Discretionary Security Property: if mandatory controls say it's okay, check
- Basic Security Theorem: A system is secure if its initial state is secure
and no action violates the above rules.
- ORCON (Originator Controlled; Graubert)
- Document/information can be passed on with approval of originator; real
world justification is that originator of document trusts recipients not to
release documents which they should not.
- Untrusted subject x marks object O ORCON on behalf of
organization X and indicates it is releasable to subjects acting on
behalf of organization Y.
not releasable to subjects acting on
behalf of other organizations without X's permission
made have the same restriction
c. DAC: can't do this as the restriction would not copy over (y
reads O into C, puts its own ACL on C)
- MAC: separate category withO, x, y. y wants to
read O, copy to C; MAC means C has same category as
O, x, y, so can't give z access to C.
a new organization w wants to provide data in B to y but
not to be shared with x or z. Can't use O's category.
Hence you get explosion of categories.
Real world parallel: individuals are
"briefed" into a category and those represent a formal "need to know" policy
that is standard across the entity; ORCON has no central clearinghouse to
categorize data; originator makes rules.
- owner of object can't change ACL's relationship with object (MAC
- on copy, ACL is copied as well (MAC characteristic)
- access control restrictions can be tailored on a subject/object basis (DAC
You can also see this document
in its native format,
in ASCII text.
Send email to
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 2/14/98