January 24, 2024 Outline

Reading: text, §5.2.2–5.2.3
Due: Extra Credit #B, due January 30; Homework #2, due February 2; Project selection, due January 26

Module 17 (Reading: text, §5.2.2)

1. Maximum, current security level
2. Example: Trusted Solaris

Module 18 (Reading: {text, §5.2.3)

4. Bell-LaPadula: formal model
   1. Set of requests is R
   2. Set of decisions is D
   3. W ⊆ R × D × V × V is motion from one state to another.
   4. System Σ(R, D, W, z₀) ⊆ X × Y × Z such that (x, y, z) ∈ Σ(R, D, W, z₀) iff (x_t, y_t, z_t, z_t−1) ∈ W for each i ∈ T; latter is an action of system
   5. Theorem: Σ(R, D, W, z₀) satisfies the simple security condition for any initial state z₀ that satisfies the simple security condition iff W satisfies the following conditions for each action (r_i, d_i, (b′, m′, f′, h′), (b, m, f, h)):
      1. each (s, o, x) ∈ b′ − b satisfies the simple security condition relative to f′ (i.e., x is not read, or x is read and f_s(s) dom f_o(o)); and
      2. if (s, o, x) ∈ b does not satisfy the simple security condition relative to f′, then (s, o, x) ∉ b′
   6. Theorem: Σ(R, D, W, z₀) satisfies the *-property relative to S′ ⊆ S for any initial state z₀ that satisfies the *-property relative to S′ iff W satisfies the following conditions for each (r_i, d_i, (b′, m′, f′, h′), (b, m, f, h)):
      1. for each s ∈ S′, any(s, o, x) ∈ b′ − b satisfies the *-property with respect to f′; and
      2. for each s ∈ S′, if (s, o, x) ∈ b does not satisfy the *-property with respect to f′, then (s, o, x) ∉ b

Matt Bishop Office: 2209 Watershed Sciences Phone: +1 (530) 752-8060 Email: mabishop@ucdavis.edu

ECS 235B, Foundations of Computer and Information Security Version of January 24, 2024 at 7:20PM

You can also obtain a PDF version of this.