*Reading*:

- Greetings and felicitations!
- Lattice models
  - Poset, ≤ the relation
  - Reflexive, antisymmetric, transitive
  - Greatest lower bound, least upper bound
  - Example with complex numbers

- Bell-LaPadula Model (security levels)
  - Security clearance, categories, levels
  - Simple security condition (no reads up)
  - *-property (no writes down)
  - Discretionary security property
  - Basic Security Theorem: if it is secure and transformations follow these rules, it will remain secure

- Bell-LaPadula Model
  - Apply lattice work
    - Set of classes $\mathit{SC}$ is a partially ordered set under relation $\mathit{dom}$ with $\mathit{glb}$ (greatest lower bound), $\mathit{lub}$ (least upper bound) operators
    - Note: $\mathit{dom}$ is reflexive, transitive, antisymmetric
    - Example: $(A, C)\ \mathit{dom}\ (A', C')$ iff $A \le A'$ and $C \subseteq C'$; $\mathit{lub}((A, C), (A', C')) = (\max(A, A'), C \cup C')$, $\mathit{glb}((A, C), (A', C')) = (\min(A, A'), C \cap C')$
  - Simple security condition (no reads up)
  - *-property (no writes down)
  - Discretionary security property
  - Basic Security Theorem: if it is secure and transformations follow these rules, it will remain secure
  - Maximum, current security level
- BLP: formally
  - Elements of system: $\mathbf{s}_i$ subjects, $\mathbf{o}_i$ objects
  - State space $V = B \times M \times F \times H$ where:
    - $B$ set of current accesses (i.e., access modes each subject has currently to each object);
    - $M$ access permission matrix;
    - $F$ consists of 3 functions: $f_s$ is security level associated with each subject, $f_o$ security level associated with each object, and $f_c$ current security level for each subject
    - $H$ hierarchy of system objects, functions $h: O \to P(O)$ with two properties:
      - If $o_i \ne o_j$, then $h(o_i) \cap h(o_j) = \emptyset$
      - There is no set $\{o_1, \ldots, o_k\} \subseteq O$ such that for each $i$, $o_{i+1} \in h(o_i)$ and $o_{k+1} = o_1$.
  - Set of requests is $R$
  - Set of decisions is $D$
  - $W \subseteq R \times D \times V \times V$ is motion from one state to another.
  - System $\Sigma(R, D, W, z_0) \subseteq X \times Y \times Z$ such that $(x, y, z) \in \Sigma(R, D, W, z_0)$ iff $(x_t, y_t, z_t, z_{t-1}) \in W$ for each $t \in T$; latter is an action of system
  - Theorem: $\Sigma(R, D, W, z_0)$ satisfies the simple security property for any initial state $z_0$ that satisfies the simple security property iff $W$ satisfies the following conditions for each action $(r_i, d_i, (b', m', f', h'), (b, m, f, h))$:
    - each $(\mathbf{s}, \mathbf{o}, x) \in b' - b$ satisfies the simple security condition relative to $f'$ (i.e., $x$ is not read, or $x$ is read and $f_s(\mathbf{s})\ \mathit{dom}\ f_o(\mathbf{o})$)
    - if $(\mathbf{s}, \mathbf{o}, x) \in b$ does not satisfy the simple security condition relative to $f'$, then $(\mathbf{s}, \mathbf{o}, x) \notin b'$
  - Theorem: $\Sigma(R, D, W, z_0)$ satisfies the *-property relative to $S' \subseteq S$, for any initial state $z_0$ that satisfies the *-property relative to $S'$ iff $W$ satisfies the following conditions for each $(r_i, d_i, (b', m', f', h'), (b, m, f, h))$:
    - for each $s \in S'$, any $(\mathbf{s}, \mathbf{o}, x) \in b' - b$ satisfies the *-property with respect to $f'$
    - for each $s \in S'$, if $(\mathbf{s}, \mathbf{o}, x) \in b$ does not satisfy the *-property with respect to $f'$, then $(\mathbf{s}, \mathbf{o}, x) \notin b'$
  - Theorem: $\Sigma(R, D, W, z_0)$ satisfies the ds-property iff the initial state $z_0$ satisfies the ds-property and $W$ satisfies the following conditions for each action $(r_i, d_i, (b', m', f', h'), (b, m, f, h))$:
    - if $(\mathbf{s}, \mathbf{o}, x) \in b' - b$, then $x \in m'[\mathbf{s}, \mathbf{o}]$;
    - if $(\mathbf{s}, \mathbf{o}, x) \in b$ and $x \in m'[\mathbf{s}, \mathbf{o}]$ then $(\mathbf{s}, \mathbf{o}, x) \notin b'$

Version of April 17, 2006 at 12:25 PM
