Outline for January 31, 2007

1. Greetings and Felicitations!
2. BLP: formally, continued
   1. Theorem: Σ(R, D, W, z₀) satisfies the simple security property for any initial state z₀ that satisfies the simple security property iff W satisfies the following conditions for each action (r_i, d_i, (b′, m′, f′ , h′), (b, m, f, h)):
      1. each (s, o, x) ∈ b′-b satisfies the simple security condition relative to f′ (i.e., x is not read, or x is read and f_s(s) dom f_o(o))
      2. if (s, o, x) ∈ b does not satisfy the simple security condition relative to f′, then (s, o, x) ∉ b′
   2. Theorem: Σ(R, D, W, z₀) satisfies the *-property relative to S′ ⊆ S, for any initial state z₀ that satisfies the *-property relative to S′ iff W satisfies the following conditions for each (r_i, d_i, (b′, m′, f′ , h′), (b, m, f, h)):
      1. for each s ∈ S′, any (s, o, x) ∈ b′-b satisfies the *-property with respect to f′
      2. for each s ∈ S′, if (s, o, x) ∈ b does not satisfy the *-property with respect to f′, then (s, o, x) ∉ b′
   3. Theorem: Σ(R, D, W, z₀) satisfies the ds-property iff the initial state z₀ satisfies the ds-property and W satisfies the following conditions for each action (r_i, d_i, (b′, m′, f′ , h′), (b, m, f, h)):
      1. if (s, o, x) ∈ b′-b, then x ∈ m′[s, o];
      2. if (s, o, x) ∈ b and x ∈ m′[s, o] then (s, o, x) ∉ b′
   4. Basic Security Theorem: A system Σ(R, D, W, z₀) is secure iff z₀ is a secure state and W satisfies the conditions of the above three theorems for each action.
3. Using the model
   1. Define ssc-preserving, *-property-preserving, ds-property-preserving
   2. Define relation W(ω)
   3. Show conditions under which rules are ssc-preserving, *-property-preserving, ds-property-preserving
   4. Show when adding a state preserves those properties
   5. Example instantiation: get-read for Multics
4. Tranquility
   1. Strong tranquility
   2. Weak tranquility
5. System Z and the controversy