Outline for February 17, 2012

Reading: §8.2

Deterministic noninterference
1. Model of system
2. Example
3. Relationship of output to states
4. Projections and purge functions
Alternative definition of security policy
1. Output-consistent
2. Security policy
3. Alternate projection function
4. Noninterference-secure with respect to the policy $r$
Unwinding Theorem
1. Locally respects
2. Transition-consistent
3. Unwinding theorem

Table of Notation

notation		meaning
S		set of subjects s
Σ		set of states σ
O		set of outputs o
Z		set of commands z
C		set of state transition commands (s, z), where subject s executes command z
C^*		set of possible sequences of commands c₀, ..., c_{n_i}
ν		empty sequence
c_s		sequence of commands
T(c, σ_i)		resulting state when command c is executed in state σ_i
T^(c_s*, σ_i)		resulting state when command sequence c_s is executed in state σ_i
P(c, σ_i)		output when command c is executed in state σ_i
P^(c_s*, σ_i)		output resulting state when command sequence c_s is executed in state σ_i
proj(s, c_s, σ_i)		set of outputs in P^(c_s*, σ_i) that subject s is authorized to see
π_G,A(c_s)		subsequence of c_s with all elements (s, z), s ∈ G and z ∉ A deleted
dom(c)		protection domain in which c is executed
∼^dom(c)		equivalence relation on system states
π^′_d(c_s)		analogue to π above, but with protection domain and subject included

A PDF version is available here.

UC Davis sigil

ECS 235B, Foundations of Computer and Information Security
Winter Quarter 2012