# Outline for April 27, 2004

1. BLP: formally
1. Elements of system: si subjects, oi objects,
2. State space V = B × M × F × H where:
B set of current accesses (i.e., access modes each subject has currently to each object);
M access permission matrix;
F consists of 3 functions: fs is security level associated with each subject, fo security level associated with each object, and fc current security level for each subject
H hierarchy of system objects, functions h: O->P(O) with two properties:
If oioj, then h(oi) ∩ h(oj) = Ø
There is no set { o1, ..., ok } ⊆ O such that for each i, oi+1h(oi) and oi+1 = o1.
3. Set of requests is R
4. Set of decisions is D
5. WR × D × V × V is motion from one state to another.
6. System Σ(R, D, W, z0) ⊆ X × Y × Z such that (x, y, z) ∈ Σ(R, D, W, z0) iff (xt, yt, zt, zt-1) ∈ W for each iT; latter is an action of system
7. Theorem: Σ(R, D, W, z0) satisfies the simple security property for any initial state z0 that satisfies the simple security property iff W satisfies the following conditions for each action (ri, di, (, , , ), (b, m, f, h)):
(i) each (s, o, x) ∈ - b satisfies the simple security condition relative to (i.e., x is not read, or x is read and fs(s) dominates fo(o))
(ii) if (s, o, x) ∈ b does not satisfy the simple security condition relative to , then (s, o, x) ∉
8. Theorem: Σ(R, D, W, z0) satisfies the *-property relative to S for any initial state z0 that satisfies the *-property relative to S iff W satisfies the following conditions for each action (ri, di, (, , , ), (b, m, f, h)):
(i) for each s, any (s, o, x) ∈ - b satisfies the *-property with respect to (ii) for each s, if (s, o, x) ∈ b does not satisfy the *-property with respect to , then (s, o, x) ∉
9. Theorem: Σ(R, D, W, z0) satisfies the ds-property for any initial state z0 that satisfies the ds-property iff W satisfies the following conditions for each action (ri, di, (, , , ), (b, m, f, h)):
(i) if (s, o, x) ∈ - b, then x[s, o];
(ii) if (s, o, x) ∈ b and x[s, o], then (s, o, x) ∉
10. Basic Security Theorem: A system Σ(R, D, W, z0) is secure iff z0 is a secure state and W satisfies the conditions of the above three theorems for each action.
2. BLP: formally
1. Define ssc-preserving, *-property-preserving, ds-property-preserving
2. Define relation W(ω)
3. Show conditions under which rules are ssc-preserving, *-property-preserving, ds-property-preserving
4. Show when adding a state preserves those properties
5. Example instantiation: get-read for Multics
3. Tranquility
1. Strong tranquility
2. Weak tranquility
4. System Z and the controversy
5. Goals of integrity policies