Outline for February 22, 2012

Reading: §8.2, 8.3

Unwinding Theorem
1. Locally respects
2. Transition-consistent
3. Unwinding theorem
Access Control Matrix interpretation
1. Model
2. ACM conditions
3. Policy conditions
4. Result
Policies that change over time
1. Generalization of noninterference
2. Example

Table of Notation

notation		meaning
S		set of subjects s
Σ		set of states σ
O		set of outputs o
Z		set of commands z
C		set of state transition commands (s, z), where subject s executes command z
C^*		set of possible sequences of commands c₀, ..., c_{n_i}
ν		empty sequence
c_s		sequence of commands
T(c, σ_i)		resulting state when command c is executed in state σ_i
T^(c_s*, σ_i)		resulting state when command sequence c_s is executed in state σ_i
P(c, σ_i)		output when command c is executed in state σ_i
P^(c_s*, σ_i)		output resulting state when command sequence c_s is executed in state σ_i
proj(s, c_s, σ_i)		set of outputs in P^(c_s*, σ_i) that subject s is authorized to see
π_G,A(c_s)		subsequence of c_s with all elements (s, z), s ∈ G and z ∉ A deleted
dom(c)		protection domain in which c is executed
∼^dom(c)		equivalence relation on system states
π^′_d(c_s)		analogue to π above, but with protection domain and subject included
w_n		v₁, …, v_n where v₁ ∈ C^*
w		sequence of elements of C leading up to current state
cando(w, s, z)		true if s can execute z in current state
pass(s, z)		give s right to execute z
prev(w_n)		w_n−1
last(w_n)		v_n

ECS 235B, Foundations of Computer and Information Security
Winter Quarter 2012