Outline for January 27, 2012

Reading: §4.6–4.7, [LT05], 5.2.1–5.2.2

1. English policy
   1. Authorized Use Policy
   2. Electronic Mail Policy
2. Secure, precise
   1. Observability postulate
   2. Theorem: for any program p and policy c, there is a secure, precise mechanism m^* such that, for all security mechanisms m associated with p and c, m^* ≈ m
   3. Theorem: There is no effective procedure that determines a maximally precise, secure mechanism for any policy and program
3. Bell-LaPadula Model: intuitive, security classifications only
   1. Show level, categories, define clearance and classification
   2. Lattice: poset with ≤ relation reflexive, antisymmetric, transitive; greatest lower bound, least upper bound
   3. Apply lattice
      1. Set of classes SC is a partially ordered set under relation dom with glb (greatest lower bound), lub (least upper bound) operators
      2. Note: dom is reflexive, transitive, antisymmetric
      3. Example: (A, C) dom (A′, C′) iff A ≤ A′ and C ⊆ C′; lub((A, C), (A′, C′)) = (max(A, A′), C ∪ C′); glb((A, C), (A′, C′)) = (min(A, A′), C ∩ C′)
   4. Simple security condition (no reads up), *-property (no writes down), discretionary security property
   5. Basic Security Theorem: if it is secure and transformations follow these rules, it will remain secure
   6. Maximum, current security level

ECS 235B, Foundations of Computer and Information Security Winter Quarter 2012