# Outline for January 26, 1999

1. Greetings and felicitations!
1. Please get your project proposals in as soon as possible, so you can get started
1. Go through security levels, categories, compartments
2. Describe simple security property (no reads up) and *-property (no writes down)
3. State Basic Security Theorem: if it's secure and transformations follow these rules, it's still secure
4. Add in discretionary security policy
3. BLP: formally
1. Elements of system: si subjects, oi objects,
2. State space V = BxMxF where:
B set of current accesses (i.e., access modes each subject has currently to each object);
M access permission matrix;
F consists of 3 functions: fs is security level associated with each subject, fo security level associated with each object, and fc current security level for each subject
3. Set of requests is R
4. Set of decisions is D
5. W SUBSETEQ RxDxVxV is motion from one state to another.
6. System [[Sigma]](R, D, W, z0) SUBSETEQ XxYxZ such that (x, y, z) IN [[Sigma]](R, D, W, z0) iff (xt, yt, zt, zt-1) IN W for each i IN T; latter is an action of system
7. Theorem: [[Sigma]](R, D, W, z0) satisfies the simple security property for any initial state z0 that satisfies the simple security property iff W satisfies the following conditions for each action (Ri, Di, (b', M', f'), (b, M, f)):
1. each (s, o, x) IN b' - b satisfies the simple security condition relative to f' (i.e., x is not read, or x is read and fs(s) dominates fo(o)
2. if (s, o, x) IN b does not satisfy the simple security condition relative to f', then (s, o, x) NOTIN b'
3. Theorem: [[Sigma]](R, D, W, z0) satisfies the *-property relative to S' SUBSETEQ S, for any initial state z0 that satisfies the *-property relative to S' iff W satisfies the following conditions for each action (Ri, Di, (b', M', f'), (b, M, f)):
• for each s IN S', any (s, o, x) IN b' - b satisfies the *-property with respect to f'
• for each s IN S', if (s, o, x) IN b does not satisfy the *-property with respect to f', then (s, o, x) NOTIN b'
4. Theorem: [[Sigma]](R, D, W, z0) satisfies the ds-property iff the initial state z0 satisfies the ds-property and W satisfies the following conditions for each action (Ri, Di, (b', M', f'), (b, M, f)):
• if (sk, oi, x) IN b' - b, then x IN M'[k, i];
• if (sk, oi, x) IN b and x IN M'[k, i] then (sk, oi, x) IN b'
5. Basic Security Theorem: A system [[Sigma]](R, D, W, z0) is secure iff z0 is a secure state and W satisfies the conditions of the above three theorems for each action.
8. Biba
1. Integrity levels and trust 