Outline for April 12, 2005

Reading: §4.5, 5.1, 5.2-5.2.2, 5.3


"Our ancestors, and those who were considered to be wise, were accustomed to say that it was necessary to control Pistoia by means of factions and Pisa by means of fortresses; so they fostered strife in various of their subject towns, so as to control them more easily. In those days, when there was stability of a sort in Italy, this was doubtless sensible; but I do not think it makes a good rule today. I do not believe any good at all ever comes from dissension. On the contrary, on the approach of the enemy, cities which are so divided inevitably succumb at once; the weaker faction will always go over to the invader, and the other will not be able to hold out."1

What does this paragraph say to a system administrator or security officer seeking insight to defend her systems?


  1. High-Level Policy Languages
    1. Characterization
    2. Example: DTEL
  2. Low-Level Policy Languages
    1. Characterization
    2. Example: Tripwire configuration file
  3. Goals of Confidentiality Policies
  4. Bell-LaPadula Model with Levels Only
    1. Security Levels
    2. Simple Security Property
    3. *-Property
    4. Basic Security Theorem
  5. Bell-LaPadula Model
    1. Compartments
    2. BLP as lattice structure
    3. Simple Security Property
    4. *-Property
    5. Basic Security Theorem
  6. DG/UX B2 UNIX System
    1. Hierarchy of levels
    2. Labels, explicit and implicit
    3. MAC tuples
  7. Tranquility
    1. Strong tranquility
    2. Weak tranquility

1. Niccolò Machiavelli, The Prince, George Bull trans., Penguin Books, New York, NY ©1995, p. 67

Here is a PDF version of this document.