Outline for April 20, 2000
1. Greetings and felicitations!
a. Office hours this week after today: W4-5, Th2-3
2. Chinese Wall Policy
a. Arises as legal defense to insider trading on London stock exchange
b. Low-level entities are objects; all objects concerning the same corporation form a CD (company dataset);
CDs whose corporations are in competition are grouped into COIs (Conflict of Interest classes)
c. Intuitive goal: keep one subject from reading different CDs in the same COI, or reading one CD and writing
to another in same COI
d. Simple Security Property: Read access granted if the object (a) is in the same CD as an object already
accessed by the subject, or (b) is in a CD in an entirely different COI. Assumes correct initialization
e. Theorems: (1) Once a subject has accessed an object, only other objects in that CD are available within that
COI; (2) subject has access to at most 1 dataset in each COI class
f. Exceptions: sanitized information
g. * Property: Write access is permitted only if (a) read access is permitted by the simple security property;
and (b) no object in a different CD in that COI can be read, unless it contains sanitized information
h. Comparison to BLP: (1) ability to track history; (2) in CW, subjects choose which objects they can access
but not in BLP; (3) CW requires both mandatory and discretionary parts, BLP is mandatory only.
3. ORCON
a. Originator controls distribution
b. DAC, MAC inadequate
c. Solution is combination
4. Role-based Access Control (RBAC)
a. Definition of role
b. Partitioning as job function
c. Discuss Data General model
5. Secure vs. Precise
a. Confidentiality only
b. Assume: output of a function encodes all available information about inputs (such as resource usage, etc.)
c. Protection mechanism: given function p, it's a function m such that either m = p for a given set of inputs, or
m produces an error message
d. Confidentiality policy: function which checks that the particular inputs are in the authorized set of inputs
e. Security:m is secure iff there is an m' such that, for all inputs, m = m'(c(...)), i.e., m's values consistent with
stated confidentiality policy
f. Precision: m1, m2 distinct protection mechanisms. m1 as precise as m2 if, for all inputs, m1 = p implies m2 =
p. m1 is more precise if there is an input such that m1 = p and m2 ? p on that input.
g. Union: m1 ? m2 = m3, where m3 = p iff m1 = p and m2 = p; otherwise, m3 = m1.
h. ICBS: Let m1, m2 besecure protection mechanisms for a program p and policy c. Then m1 ? m2 is also a
secure protection mechanism for p and c. Further, m1 ? m2 is more precise than either m1 or m2.
i. Generalizing: for any program p and security policy c, there exists a precise, secure mechanism m* such
that, for all secure mechanisms m associated with p and c, m* is more precise than m.
j. BUT: there is no effective procedure that determines a maximally precise, secure mechanism for a policy
and program.