Notes for November 24, 1999
ECS 153, Fall 1999
Version of November 25, 1999 10:52 pm

Greetings and Felicitations!

Puzzle of the Day

Clark-Wilson

  Theme: military model does not provide enough controls for commercial fraud, etc. because it does not cover the right aspects of integrity

  Data items: Constrained Data Items (CDIs) to which the model applies, Unconstrained Data Items (UDIs) to which no integrity checks are applied, Integrity Verification Procedures (IVPs) that verify conformance to the integrity spec when the IVP is run, Transaction Procedures (TPs) that take the system from one well-formed state to another

  Certification and enforcement rules:

    C1. All IVPs must ensure that all CDIs are in a valid state when the IVP is run.
    C2. All TPs must be certified to be valid, and each TP is associated with a set of CDIs it is authorized to manipulate.
    E1. The system must maintain these lists and must ensure only those TPs manipulate those CDIs.
    E2. The system must maintain a list of User IDs, TP, and CDIs that that TP can manipulate on behalf of that user, and must ensure only those executions are performed.
    C3. The list of relations in E2 must be certified to meet the separation of duty requirement.
    E3. The system must authenticate the identity of each user attempting to execute a TP.
    C4. All TPs must be certified to write to an append-only CDI (the log) all information necessary to reconstruct the operation.
    C5. Any TP taking a UDI as an input must be certified to perform only valid transformations, else no transformations, for any possible value of the UDI. The transformation should take the input from a UDI to a CDI, or the UDI is rejected (typically, for edits as the keyboard is a UDI).
    E4. Only the agent permitted to certify entities may change the list of such entities associated with a TP. An agent that can certify an entity may not have any execute rights with respect to that entity.

ORCON (Originator Controlled; Graubert)

  Document/information can be passed on with approval of originator; real world justification is that originator of document trusts recipients not to release documents which they should not.

  Untrusted subject x marks object O ORCON on behalf of organization X and indicates it is releasable to subjects acting on behalf of organization Y.

    not releasable to subjects acting on behalf of other organizations without X's permission
    any copies made have the same restriction

  DAC: can't do this as the restriction would not copy over (y reads O into C, puts its own ACL on C)

  MAC: separate category with O, x, y. y wants to read O, copy to C; MAC means C has same category as O, x, y, so can't give z access to C. Say a new organization w wants to provide data in B to y but not to be shared with x or z. Can't use O's category. Hence you get explosion of categories.

  Real world parallel: individuals are briefed into a category and those represent a formal "need to know" policy that is standard across the entity; ORCON has no central clearinghouse to categorize data; originator makes rules.

  Solution?

    owner of object can't change ACL's relationship with object (MAC characteristic)
    on copy, ACL is copied as well (MAC characteristic)
    access control restrictions can be tailored on a subject/object basis (DAC characteristic)

Malicious logic

  Quickly review Trojan horses, viruses, bacteria; include animal and Thompson's compiler trick

  Logic Bombs, Worms (Schoch and Hupp)
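The ORCON argument above (under DAC the restriction is lost when y copies O into C; the proposed solution copies the ACL and takes ACL changes away from the owner), as an added Python example that is not part of the original notes. The `Obj` model and the function names are assumptions made for illustration; x, y, z, X, O and C follow the notes.

```python
from dataclasses import dataclass, field

class Denied(Exception):
    pass

@dataclass
class Obj:
    name: str
    owner: str                # subject holding this object or copy
    originator: str           # party whose approval governs release
    readers: set = field(default_factory=set)
    orcon: bool = False

def can_read(subject, obj):
    return subject in obj.readers

def copy(subject, src, new_name):
    if not can_read(subject, src):
        raise Denied(f"{subject} may not read {src.name}")
    if src.orcon:
        # MAC characteristic: originator and ACL travel with every copy.
        return Obj(new_name, subject, src.originator, set(src.readers), True)
    # DAC: the copier owns the copy and puts its own ACL on it.
    return Obj(new_name, subject, subject, {subject}, False)

def grant(actor, obj, subject):
    # ORCON: the owner cannot change the ACL, only the originator can.
    # DAC: the owner can. Either way the grant is per subject/object.
    authority = obj.originator if obj.orcon else obj.owner
    if actor != authority:
        raise Denied(f"{actor} cannot change the ACL of {obj.name}")
    obj.readers.add(subject)

def scenario(orcon):
    """x marks O (for X) releasable to y; y copies O into C, then tries to let z in."""
    O = Obj("O", "x", "X", {"x", "y"}, orcon)
    C = copy("y", O, "C")
    try:
        grant("y", C, "z")
        regrant = True
    except Denied:
        regrant = False
    out = {"acl_copied": C.readers == O.readers, "y_regrant": regrant,
           "z_reads_C": can_read("z", C)}
    if orcon:
        grant("X", C, "z")    # release happens only with X's approval
        out["z_reads_C_after_X_approves"] = can_read("z", C)
    return out

if __name__ == "__main__":
    print("DAC  :", scenario(False))
    print("ORCON:", scenario(True))
```
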