Reading: §5.2.3–5.2.4, 5.3, 5.4; handout Due: Homework #2, due April 26, 2013
Bell-LaPadula: formal model
Set of requests is R
Set of decisions is D
W ⊆ R × D × V × V is motion from one state to another.
System Σ(R, D, W, z0) ⊆ X × Y × Z such that (x, y, z) ∈ Σ(R, D, W, z0) iff (xt, yt, zt, zt−1) ∈ W for each t ∈ T; latter is an action of system
Theorem: Σ(R, D, W, z0) satisfies the simple security condition for any initial state z0 that satisfies the simple security condition iff W satisfies the following conditions for each action (ri, di, (b′, m′, f′, h′), (b, m, f, h)):
each (s, o, x) ∈ b′−b satisfies the simple security condition relative to f′ (i.e., x is not read, or x is read and fs(s) dom fo(o); and
if (s, o, x) ∈ b does not satisfy the simple security condition relative to f′, then (s, o, x) ≠ b′
Theorem: Σ(R, D, W, z0) satisfies the *-property relative to S′ ⊆ S for any initial state z0 that satisfies the *-property relative to S′ iff W satisfies the following conditions for each (ri, di, (b′, m′, f′, h′), (b, m, f, h)):
for each s ∈ S′, any (s, o, x) ∈ b′−b satisfies the *-property with respect to f′; and
for each s ∈ S′, if (s, o, x) ∈ b does not satisfy the *-property with respect to f′, then (s, o, x) ≠ b′
Theorem: Σ(R, D, W, z0) satisfies the ds-property iff the initial state z0 satisfies the ds-property and W satisfies the following conditions for each (ri, di, (b′, m′, f′, h′), (b, m, f, h)):
if (s, o, x) ∈ b′−b, then x ∈ m′[s, o]; and
if (s, o, x) ∈ b and x ∈ m′[s, o], then (s, o, x) ≠ b′
Basic Security Theorem: A system Σ(R, D, W, z0) is secure iff z0 is a secure state and W satisfies the conditions of the above three theorems for each action.