%PDF-1.4
%âăÏÓ
1 0 obj
<<
/Type /Page
/Parent 8 0 R
/Resources 3 0 R
/Contents 2 0 R
>>
endobj
2 0 obj
<< /Length 6872 >>
stream
q
1 i
72 746 468 -12 re
W n
0 0 0 1 K
2 J 0 j 1 w 10 M []0 d
/GS2 gs
72 745 m
540 745 l
72 742 m
540 742 l
S
Q
q
1 i
30 33 552 728 re
W n
BT
/TT2 1 Tf
10 0 0 10 30 761 Tm
0 g
/GS2 gs
0 Tc
0 Tw
( )Tj
ET
Q
BT
/TT2 1 Tf
10 0 0 10 72 749.333 Tm
0 0 0 1 k
/GS2 gs
0 Tc
0 Tw
(O)Tj
ET
q
1 i
30 33 552 728 re
W n
BT
8 0 0 8 33 761 Tm
0 g
( )Tj
ET
Q
BT
8 0 0 8 81.219 749.333 Tm
0.25 Tc
(UTLINE)Tj
ET
q
1 i
30 33 552 728 re
W n
BT
10 0 0 10 35 761 Tm
0 g
0 Tc
( )Tj
ET
Q
BT
10 0 0 10 122.098 749.333 Tm
0 Tc
( )Tj
ET
q
1 i
30 33 552 728 re
W n
BT
8 0 0 8 37 761 Tm
0 g
( )Tj
ET
Q
BT
8 0 0 8 126.598 749.333 Tm
0.25 Tc
(FOR)Tj
ET
q
1 i
30 33 552 728 re
W n
BT
10 0 0 10 39 761 Tm
0 g
0 Tc
( )Tj
ET
Q
BT
10 0 0 10 148.16 749.333 Tm
0.2 Tc
( M)Tj
ET
q
1 i
30 33 552 728 re
W n
BT
8 0 0 8 42 761 Tm
0 g
0 Tc
( )Tj
ET
Q
BT
8 0 0 8 163.549 749.333 Tm
0.25 Tc
(AY)Tj
ET
q
1 i
30 33 552 728 re
W n
BT
10 0 0 10 44 761 Tm
0 g
0 Tc
( )Tj
ET
Q
BT
10 0 0 10 179.104 749.333 Tm
0.2 Tc
[( 4, 2004)-16749.6(ECS 235 — S)]TJ
ET
q
1 i
30 33 552 728 re
W n
BT
8 0 0 8 46 761 Tm
0 g
0 Tc
( )Tj
ET
Q
BT
8 0 0 8 473.496 749.333 Tm
0.25 Tc
(PRING)Tj
ET
q
1 i
30 33 552 728 re
W n
BT
10 0 0 10 48 761 Tm
0 g
0 Tc
( )Tj
ET
Q
BT
10 0 0 10 507.5 749.333 Tm
0.2 Tc
( 2004)Tj
-43.55 -71.3333 TD
0 Tc
[(Version of May 4, 2004 7:21 pm)-29137.2(Page 1 of 1)]TJ
ET
q
1 i
30 33 552 728 re
W n
BT
/TT4 1 Tf
18 0 0 18 51 761 Tm
0 g
( )Tj
ET
Q
BT
/TT4 1 Tf
18 0 0 18 214.486 708 Tm
[(Outline f)25.2(or May 4, 2004)]TJ
ET
q
1 i
30 33 552 728 re
W n
BT
/TT2 1 Tf
10 0 0 10 55 761 Tm
0 g
( )Tj
ET
Q
BT
/TT2 1 Tf
10 0 0 10 72 677.333 Tm
[(1.)-1050(Biba)]TJ
1.8 -1.5 TD
[(a.)-1106.2(Lo)25.1(w-w)10(ater)20(-mark polic)15.1(y)]TJ
0 -1.3 TD
[(b)40(.)-1090(Ring polic)15.1(y)]TJ
T*
[(c.)-1106.2(Strict inte)15.1(grity)]TJ
-1.8 -1.5 TD
[(2.)-1050(Clark-W)40(ilson)]TJ
1.8 -1.5 TD
[(a.)-1106.2(Theme: military model does not pro)15.1(vide enough controls for commercial fraud, etc. because it does not )]TJ
1.8 -1.2 TD
[(co)15.1(v)15.1(er the right aspects of inte)15.1(grity)]TJ
-1.8 -1.3 TD
-0.0367 Tw
[(b)40(.)-1090(Data items: “Constrained Data Items” \(CDI\) to which the model applies, “Unconstrained Data Items” \(UDIs\) )]TJ
1.8 -1.2 TD
0 Tw
[(to which no inte)15.1(grity checks are applied, “Inte)15.1(grity )50(V)111.1(eri)]TJ
/TT5 1 Tf
22.2174 0 TD
(̃)Tj
/TT2 1 Tf
0.5562 0 TD
[(cation Procedures” \(IVP\) that v)15.1(erify conformance )]TJ
-22.7735 -1.2 TD
[(to the inte)15.1(grity spec when IVP is run, “T)35.2(ransaction Procedures” \(TP\) tak)10(es system from one well-formed )]TJ
T*
(state to another)Tj
-3.6 -1.4999 TD
[(3.)-1050(Certi)]TJ
/TT5 1 Tf
3.7995 0 TD
(̃)Tj
/TT2 1 Tf
0.5562 0 TD
(cation and enforcement rules:)Tj
-2.5557 -1.2 TD
[(C1. )55.2(All IVPs must ensure that all CDIs are in a v)25.1(alid state when the IVP is run)]TJ
T*
[(C2. )55.2(All )18.1(TPs must be certi)]TJ
/TT5 1 Tf
10.0927 0 TD
(̃)Tj
/TT2 1 Tf
0.5562 0 TD
[(ed to be v)25.1(alid, and each )18.1(TP is associated with a set of CDIs it is authorized to manipu-)]TJ
-10.6489 -1.2 TD
(late)Tj
T*
[(E1. )18.1(The system must maintain these lists and must ensure only those )18.1(TPs manipulate those CDIs)]TJ
T*
-0.0207 Tw
[(E2. )18.1(The system must maintain a list of User IDs, )18.1(TP)111.1(, and CDIs that that )18.1(TP can manipulate on behalf of that user)40(, )]TJ
T*
0 Tw
[(and must ensure only those e)15.1(x)15.1(ecutions are performed.)]TJ
T*
[(C3. )18.1(The list of relations in E2 must be certi)]TJ
/TT5 1 Tf
17.2563 0 TD
(̃)Tj
/TT2 1 Tf
0.5562 0 TD
(ed to meet the separation of duty requirement.)Tj
-17.8125 -1.2 TD
[(E3. )18.1(The system must authenticate the identity of each user attempting to e)15.1(x)15.1(ecute a )18.1(TP)111.1(.)]TJ
T*
[(C4. )55.2(All )18.1(TPs must be certi)]TJ
/TT5 1 Tf
10.0927 0 TD
(̃)Tj
/TT2 1 Tf
0.5562 0 TD
(ed to write to an append-only CDI \(the log\) all information necessary to reconstruct )Tj
-10.6489 -1.2 TD
(the operation.)Tj
T*
-0.0093 Tw
[(C5. )55.2(An)15.1(y )18.1(TP taking a UDI as an input must be certi)]TJ
/TT5 1 Tf
20.0837 0 TD
0 Tw
(̃)Tj
/TT2 1 Tf
0.5562 0 TD
-0.0093 Tw
[(ed to perform only v)25.1(alid transformations, else no transforma-)]TJ
-20.6399 -1.2 TD
0 Tw
[(tions, for an)15.1(y possible v)25.1(alue of the UDI. )18.1(The transformation should tak)10(e the input from a UDI to a CDI, or the )]TJ
T*
[(UDI is rejected \(typically)65.2(, for edits as the k)10(e)15.1(yboard is a UDI\).)]TJ
T*
-0.0288 Tw
[(E4. Only the agent permitted to certify entities may change the list of such entities associated with a )18.1(TP)111.1(. )55.2(An agent )]TJ
T*
0 Tw
[(that can certify an entity may not ha)20(v)15.1(e)0( an)15.1(y e)15.1(x)15.1(ecute rights with respect to that entity)]TJ
-1.8 -1.5 TD
-0.03 Tw
[(4.)-1050(Chinese W)80.1(all )-30(Polic)15.1(y)]TJ
1.8 -1.5 TD
0 Tw
[(a.)-1106.2(Arises as le)15.1(g)5.1(al defense to insider trading on London stock e)15.1(xchange)]TJ
0 -1.3 TD
[(b)40(.)-1090(Lo)25.1(w-le)25.1(v)15.1(el entities are objects; all objects concerning the same corporation form a CD \(compan)15.1(y dataset\); )]TJ
1.8 -1.2 TD
(CDs whose corporations are in competition are grouped into COIs \(Con)Tj
/TT5 1 Tf
28.772 0 TD
(ß)Tj
/TT2 1 Tf
0.5562 0 TD
(ict of Interest classes\))Tj
-31.1281 -1.3 TD
-0.011 Tw
[(c.)-1106.2(Intuiti)25.1(v)15.1(e)0( goal: k)10(eep one subject from reading dif)25.1(ferent CDs in the same COI, or reading one CD and writing )]TJ
1.8 -1.2 TD
0 Tw
(to another in same COI)Tj
-1.8 -1.3 TD
[(d.)-1050(Simple Security Property: Read access granted if the object \(a\) is in the same CD as an object already )]TJ
1.8 -1.2 TD
[(accessed by the subject, or \(b\) is in a CD in an entirely dif)25.1(ferent COI. )55.2(Assumes correct initialization )]TJ
-1.8 -1.3 TD
-0.0007 Tw
[(e.)-1106.2(Theorems: \(1\) Once a subject has accessed an object, only other objects in that CD are a)20(v)25.1(ailable within that )]TJ
1.8 -1.2 TD
0 Tw
(COI; \(2\) subject has access to at most 1 dataset in each COI class)Tj
-1.8 -1.3 TD
[(f.)-1217.2(Exceptions: sanitized information)]TJ
T*
-0.0324 Tw
[(g.)-1050(*-Property: )30(Write access is permitted only if \(a\) read access is permitted by the simple security property; and )]TJ
1.8 -1.2 TD
0 Tw
[(\(b\) no object in a dif)25.1(ferent CD in that COI can be read, unless it contains sanitized information)]TJ
-1.8 -1.3 TD
[(h.)-1050(K)25.1(e)15.1(y result: information can only )]TJ
/TT5 1 Tf
15.062 0 TD
(ß)Tj
/TT2 1 Tf
0.5562 0 TD
[(o)25.1(w)0( within a CD or from sanitized information)]TJ
-15.6182 -1.3 TD
[(i.)-1272.2(Comparison to BLP: \(1\) ability to track history; \(2\) in CW)92(, subjects choose which objects the)15.1(y can access )]TJ
1.8 -1.2 TD
[(b)20(ut not in BLP; \(3\) CW requires both mandatory and discretionary parts, BLP is mandatory only)65.2(.)]TJ
-1.8 -1.3 TD
[(j.)-1272.2(Comparison to Clark-W)40(ilson: specialization of Clark-W)40(ilson.)]TJ
ET
endstream
endobj
3 0 obj
<<
/ProcSet [ /PDF /Text ]
/Font << /TT2 4 0 R /TT4 5 0 R /TT5 6 0 R >>
/ExtGState << /GS2 7 0 R >>
>>
endobj
4 0 obj
<<
/Type /Font
/Subtype /TrueType
/FirstChar 32
/LastChar 151
/Widths [ 250 0 0 0 0 0 0 0 333 333 500 0 250 333 250 0 500 500 500 500 500
500 0 500 0 0 278 278 0 0 0 0 0 722 667 667 722 611 556 722 0 333
0 722 611 889 722 722 556 0 667 556 611 722 722 944 0 722 0 0 0
0 0 0 0 444 500 444 500 444 333 500 500 278 278 500 278 778 500
500 500 500 333 389 278 500 500 722 500 500 444 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 444 444 0 0 1000 ]
/Encoding /WinAnsiEncoding
/BaseFont /Times-Roman
/FontDescriptor 9 0 R
>>
endobj
5 0 obj
<<
/Type /Font
/Subtype /TrueType
/FirstChar 32
/LastChar 121
/Widths [ 250 0 0 0 0 0 0 0 0 0 0 0 250 0 0 0 500 0 500 0 500 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 944 0 778 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 500 0 0 0 444 333 0 0 278 0 0 278 0 556 500 0 0 444
0 333 556 0 0 0 500 ]
/Encoding /WinAnsiEncoding
/BaseFont /Times-Bold
/FontDescriptor 10 0 R
>>
endobj
6 0 obj
<<
/Type /Font
/Subtype /TrueType
/FirstChar 222
/LastChar 223
/Widths [ 556 556 ]
/Encoding /MacRomanEncoding
/BaseFont /Times-Roman
/FontDescriptor 11 0 R
>>
endobj
7 0 obj
<<
/Type /ExtGState
/SA true
/SM 0.02
/OP false
/op false
/OPM 1
/BG2 /Default
/UCR2 /Default
/HT /Default
/TR2 /Default
>>
endobj
8 0 obj
<<
/Type /Pages
/Kids [ 1 0 R ]
/Count 1
/MediaBox [ 0 0 612 792 ]
>>
endobj
9 0 obj
<<
/Type /FontDescriptor
/Ascent 750
/CapHeight 662
/Descent -250
/Flags 34
/FontBBox [ -168 -218 1000 898 ]
/FontName /Times-Roman
/ItalicAngle 0
/StemV 84
/XHeight 450
/StemH 84
>>
endobj
10 0 obj
<<
/Type /FontDescriptor
/Ascent 750
/CapHeight 676
/Descent -250
/Flags 262178
/FontBBox [ -168 -218 1000 935 ]
/FontName /Times-Bold
/ItalicAngle 0
/StemV 133
/XHeight 461
/StemH 139
>>
endobj
11 0 obj
<<
/Type /FontDescriptor
/Ascent 750
/CapHeight 662
/Descent -250
/Flags 34
/FontBBox [ -168 -218 1000 898 ]
/FontName /Times-Roman
/ItalicAngle 0
/StemV 84
/XHeight 450
/StemH 84
>>
endobj
12 0 obj
<<
/S /D
>>
endobj
13 0 obj
<<
/Nums [ 0 12 0 R ]
>>
endobj
14 0 obj
<<
/CreationDate (D:20040504192910-07'00')
/ModDate (D:20040712142229-07'00')
/Producer (PSNormalizer.framework)
>>
endobj
15 0 obj
<<
/Type /Catalog
/Pages 8 0 R
/PageLabels 13 0 R
/Metadata 18 0 R
>>
endobj
18 0 obj
<< /Type /Metadata /Subtype /XML /Length 824 >>
stream
2004-05-04T19:29:10-07:00
2004-07-12T14:22:29-07:00
PSNormalizer.framework
2004-05-04T19:29:10-07:00
2004-07-12T14:22:29-07:00
2004-07-12T14:22:29-07:00
endstream
endobj
xref
0 19
0000000016 65535 f
0000000016 00000 n
0000000102 00000 n
0000007027 00000 n
0000007150 00000 n
0000007702 00000 n
0000008095 00000 n
0000008280 00000 n
0000008431 00000 n
0000008522 00000 n
0000008733 00000 n
0000008950 00000 n
0000009162 00000 n
0000009193 00000 n
0000009237 00000 n
0000009371 00000 n
0000000017 00002 f
0000000000 00001 f
0000009463 00000 n
trailer
<<
/Size 19
/Info 14 0 R
/Root 15 0 R
/ID[<076740473c2b70baef477561aa191dd1>]
>>
startxref
10371
%%EOF