Outline for April 20, 2000
- Greetings and felicitations!
- Office hours this week after today: W4-5, Th2-3
- Chinese Wall Policy
- Arises as legal defense to insider trading on London stock exchange
- Low-level entities are objects; all objects concerning the same
corporation form a CD (company dataset); CDs whose corporations are in
competition are grouped into COIs (Conflict of Interest classes)
- Intuitive goal: keep one subject from reading different CDs in the
same COI, or reading one CD and writing to another in same COI
- Simple Security Property: Read access granted if the object (a) is
in the same CD as an object already accessed by the subject, or (b) is
in a CD in an entirely different COI. Assumes correct initialization
- Theorems: (1) Once a subject has accessed an object, only other
objects in that CD are available within that COI; (2) subject has access
to at most 1 dataset in each COI class
- Exceptions: sanitized information
- *-Property: Write access is permitted only if (a) read access is
permitted by the simple security property; and (b) no object in a
different CD in that COI can be read, unless it contains sanitized
information
- Comparison to BLP: (1) ability to track history; (2) in CW, subjects
choose which objects they can access but not in BLP; (3) CW requires
both mandatory and discretionary parts, BLP is mandatory only.
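The Chinese Wall rules above, as an added worked example (not code from the original outline): objects carry a CD and a COI, the monitor records each subject's access history, the simple security property and the *-property are checked exactly as stated (the *-property's clause (b) is evaluated against the objects in the same COI, with sanitized objects exempt), and the two theorems are checked against the recorded history. Object names, subjects and datasets are constructed for the demonstration.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Obj:
    """An object belongs to one company dataset (CD); that CD sits in one COI class."""
    name: str
    cd: str
    coi: str
    sanitized: bool = False   # sanitized information is exempt from the *-property's clause (b)


class ChineseWall:
    def __init__(self, objects):
        self.objects = list(objects)
        # history: subject -> set of (coi, cd) pairs the subject has already accessed
        self.history = defaultdict(set)

    def can_read(self, subject, obj):
        """Simple security property: (a) same CD as something already accessed,
        or (b) a CD in a COI the subject has never touched."""
        accessed = self.history[subject]
        if (obj.coi, obj.cd) in accessed:
            return True
        return all(coi != obj.coi for coi, _ in accessed)

    def read(self, subject, obj):
        """Grant the read if permitted and record it in the subject's history."""
        if not self.can_read(subject, obj):
            return False
        self.history[subject].add((obj.coi, obj.cd))
        return True

    def can_write(self, subject, obj):
        """*-property: (a) read access permitted, and (b) no unsanitized object in a
        different CD of the same COI is readable by the subject."""
        if not self.can_read(subject, obj):
            return False
        for other in self.objects:
            if other.coi == obj.coi and other.cd != obj.cd and not other.sanitized:
                if self.can_read(subject, other):
                    return False
        return True

    def datasets_per_coi(self, subject):
        """Theorem (2): a subject holds access to at most one CD per COI."""
        cds = defaultdict(set)
        for coi, cd in self.history[subject]:
            cds[coi].add(cd)
        return {coi: len(s) for coi, s in cds.items()}


def demo():
    # Constructed objects: two competing banks in one COI, an oil company in another.
    bank_a = Obj("BankA-ledger", cd="BankA", coi="Banking")
    bank_b = Obj("BankB-ledger", cd="BankB", coi="Banking")
    bank_b_pub = Obj("BankB-annual-report", cd="BankB", coi="Banking", sanitized=True)
    oil_x = Obj("OilX-reserves", cd="OilX", coi="Oil")
    cw = ChineseWall([bank_a, bank_b, bank_b_pub, oil_x])

    r = {}
    r["alice_read_bank_a"] = cw.read("alice", bank_a)    # allowed: first CD in Banking
    r["alice_read_bank_b"] = cw.read("alice", bank_b)    # denied: other CD, same COI (theorem 1)
    r["alice_read_oil_x"] = cw.read("alice", oil_x)      # allowed: entirely different COI
    r["alice_write_bank_a"] = cw.can_write("alice", bank_a)  # allowed: BankB is now unreadable to alice
    r["bob_write_bank_a"] = cw.can_write("bob", bank_a)      # denied: bob could still read BankB-ledger
    r["alice_datasets_per_coi"] = cw.datasets_per_coi("alice")  # at most 1 per COI (theorem 2)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The write check for "bob" shows why history matters: a subject who has not yet committed to a CD in a COI could still read every competitor's data there, so the *-property refuses the write until that choice is made.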
- ORCON
- Originator controls distribution
- DAC, MAC inadequate
- Solution is combination
- Role-based Access Control (RBAC)
- Definition of role
- Partitioning as job function
- Discuss Data General model
- Secure vs. Precise
- Confidentiality only
- Assume: output of a function encodes all available information about
the inputs (such as resource usage, etc.)
- Protection mechanism: given a function p, it's a function m such that,
for a given set of inputs, either m = p or m produces an error message
- Confidentiality policy: function c which checks that the particular
inputs are in the authorized set of inputs
- Security: m is secure iff there is an m' such that, for all inputs,
m = m'(c(...)), i.e., m's values are consistent with the stated
confidentiality policy
- Precision: m1, m2 distinct protection mechanisms. m1 is as precise as
m2 if, for all inputs, m1 = p implies m2 = p. m1 is more precise if
there is an input such that m1 = p and m2 != p on that input.
- Union: m1 U m2 = m3, where m3 = p iff m1 = p and m2 = p; otherwise,
m3 = m1.
- ICBS: Let m1, m2 be secure protection mechanisms for a program p and
policy c. Then m1 U m2 is also a secure protection mechanism for p and
c. Further, m1 U m2 is more precise than either m1 or m2.
- Generalizing: for any program p and security policy c, there exists a
precise, secure mechanism m* such that, for all secure mechanisms m
associated with p and c, m* is more precise than m.
- BUT: there is no effective procedure that determines a maximally
precise, secure mechanism for a policy and program.
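A small worked version of the protection-mechanism definitions, added here and not part of the original outline: a constructed program p over a finite input domain, a policy c given as an authorized-input set, mechanisms built so that each equals p on the inputs it admits and returns an error message otherwise, and the outline's "more precise" test (an input where m1 = p and m2 != p). The security check is simplified to "m reveals p's value only on authorized inputs" rather than the m'(c(...)) formulation; the domain, p, c and the mechanism names are constructed assumptions. Because the domain is finite the maximally precise mechanism can be enumerated here; the outline's point is that no such effective procedure exists for programs in general.

```python
ERROR = "error"               # the mechanism's error-message output (constructed)
DOMAIN = range(-3, 4)         # constructed finite input domain
AUTHORIZED = {0, 1, 2, 3}     # constructed policy c: the authorized inputs


def p(x):
    """Constructed program p; its output is what the policy is protecting."""
    return x * x


def c(x):
    """Confidentiality policy: is this input in the authorized set?"""
    return x in AUTHORIZED


def make_mechanism(admitted):
    """Protection mechanism: equals p on the admitted inputs, errors elsewhere."""
    def m(x):
        return p(x) if x in admitted else ERROR
    return m


def respects_policy(m, domain=DOMAIN):
    """Simplified security check: m never yields p's value on an unauthorized input."""
    return all(m(x) == ERROR for x in domain if not c(x))


def more_precise(m1, m2, domain=DOMAIN):
    """Outline definition: m1 is more precise than m2 if some input has m1 = p and m2 != p."""
    return any(m1(x) == p(x) and m2(x) != p(x) for x in domain)


def maximally_precise(domain=DOMAIN):
    """On a finite domain, the most precise secure mechanism admits exactly the
    authorized inputs (m* in the outline)."""
    return make_mechanism({x for x in domain if c(x)})


m_star = maximally_precise()                  # errors exactly on unauthorized inputs
m_coarse = make_mechanism({0, 1})             # secure but over-restrictive
m_leaky = make_mechanism(AUTHORIZED | {-1})   # admits an unauthorized input


def summary():
    return {
        "star_secure": respects_policy(m_star),
        "coarse_secure": respects_policy(m_coarse),
        "leaky_secure": respects_policy(m_leaky),
        "star_more_precise_than_coarse": more_precise(m_star, m_coarse),
        "coarse_more_precise_than_star": more_precise(m_coarse, m_star),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k}: {v}")
```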
Send email to bishop@cs.ucdavis.edu.
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 4/29/2000