Outline for February 3, 2003

Discussion Problem

If we do not wish to fight, we can prevent the enemy from engaging us even though the lines of encampment be merely traced out on the ground. All we need to do is to throw something odd and unaccountable in his way.

Tu Mu relates a strategm of Chu-ko Liang, who in 149 B.C., when occupying Yang-p'ing and about to be attacked by Ssu-ma I, suddenly struck his colors, stopping the beating of the drums, and flung open the city gates, showing only a few men engaged in sweeping and sprinkling the ground. This unexpected proceeding had the intended effect; for Ssu-Ma I, suspecting an ambush, actually drew off his army and retreated.¹

What does this paragraph say to a system administrator or security officer seeking insight to defend her systems?

Outline for the Day

1. Bell-LaPadula Model
   1. Compartments
   2. BLP as lattice structure
   3. Simple Security Property
   4. *-Property
   5. Basic Security Theorem
2. DG/UX B2 UNIX System
   1. Hierarchy of levels
   2. Labels, explicit and implicit
   3. MAC tuples
3. Tranquility
   1. Strong tranquility
   2. Weak tranquility
4. Integrity models
   1. Requirements
      1. Users won't write their own programs, but will use existing programs, databases, etc.
      2. Programmers develop and test programs on non-production systems
      3. Installing a program from the development system requires a special process
      4. This process must be controlled and auditable
      5. System managers must be able to access the system state and the system logs
   2. Separation of duty
   3. Separation of function
   4. Auditing
5. Biba: mathematical dual of BLP
   1. P may read O if L(P) ≤ L(O) and C(P) ⊆ C(O)
   2. P may write O if L(O) ≤ L(P) and C(O) ⊆ C(P)
   3. Combined with BLP: continue example