Outline for January 26, 1999

  1. Greetings and felicitations!
    1. Please get your project proposals in as soon as possible, so you can get started
  2. Bell-LaPadula Model
    1. Go through security levels, categories, compartments
    2. Describe simple security property (no reads up) and *-property (no writes down)
    3. State Basic Security Theorem: if it's secure and transformations follow these rules, it's still secure
    4. Add in discretionary security policy
  3. BLP: formally
    1. Elements of system: $s_i$ subjects, $o_i$ objects,
    2. State space $V = B \times M \times F$ where:
      $B$ set of current accesses (i.e., access modes each subject has currently to each object);
      $M$ access permission matrix;
      $F$ consists of 3 functions: $f_s$ is security level associated with each subject, $f_o$ security level associated with each object, and $f_c$ current security level for each subject
    3. Set of requests is $R$
    4. Set of decisions is $D$
    5. $W \subseteq R \times D \times V \times V$ is motion from one state to another.
    6. System $\Sigma(R, D, W, z_0) \subseteq X \times Y \times Z$ such that $(x, y, z) \in \Sigma(R, D, W, z_0)$ iff $(x_t, y_t, z_t, z_{t-1}) \in W$ for each $t \in T$; latter is an action of system
    7. Theorem: $\Sigma(R, D, W, z_0)$ satisfies the simple security property for any initial state $z_0$ that satisfies the simple security property iff $W$ satisfies the following conditions for each action $(R_i, D_i, (b', M', f'), (b, M, f))$:
      1. each $(s, o, x) \in b' - b$ satisfies the simple security condition relative to $f'$ (i.e., $x$ is not read, or $x$ is read and $f_s(s)$ dominates $f_o(o)$)
      2. if $(s, o, x) \in b$ does not satisfy the simple security condition relative to $f'$, then $(s, o, x) \notin b'$
    8. Theorem: $\Sigma(R, D, W, z_0)$ satisfies the *-property relative to $S' \subseteq S$, for any initial state $z_0$ that satisfies the *-property relative to $S'$ iff $W$ satisfies the following conditions for each action $(R_i, D_i, (b', M', f'), (b, M, f))$:
      • for each $s \in S'$, any $(s, o, x) \in b' - b$ satisfies the *-property with respect to $f'$
      • for each $s \in S'$, if $(s, o, x) \in b$ does not satisfy the *-property with respect to $f'$, then $(s, o, x) \notin b'$
    9. Theorem: $\Sigma(R, D, W, z_0)$ satisfies the ds-property iff the initial state $z_0$ satisfies the ds-property and $W$ satisfies the following conditions for each action $(R_i, D_i, (b', M', f'), (b, M, f))$:
      • if $(s_k, o_i, x) \in b' - b$, then $x \in M'[k, i]$;
      • if $(s_k, o_i, x) \in b$ and $x \in M'[k, i]$ then $(s_k, o_i, x) \in b'$
    10. Basic Security Theorem: A system $\Sigma(R, D, W, z_0)$ is secure iff $z_0$ is a secure state and $W$ satisfies the conditions of the above three theorems for each action.
  4. Biba
    1. Integrity levels and trust
    2. No reads down
    3. No writes up
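
Added example, not part of the original outline: a Python check of the two conditions in the simple security and *-property theorems under "BLP: formally", applied to a single action. The tuple encoding of levels, the two modes "r" and "w", the form of the *-property and all sample names are assumptions; the matrix M and the ds-property are left out.

```python
# Added example: a level is (classification, categories); modes are "r" and "w".
def dominates(a, b):
    """a dominates b: classification >= and category set a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def simple_ok(access, f):
    """Simple security condition: x is not read, or f_s(s) dominates f_o(o)."""
    s, o, x = access
    return x != "r" or dominates(f["fs"][s], f["fo"][o])

def star_ok(access, f):
    """*-property, assumed form: read needs f_c(s) dom f_o(o); write needs f_o(o) dom f_c(s)."""
    s, o, x = access
    if x == "r":
        return dominates(f["fc"][s], f["fo"][o])
    return dominates(f["fo"][o], f["fc"][s])

def violations(b, b_new, f_new, cond, subjects=None):
    """Accesses that break the theorem's two conditions for one action.

    b, b_new: current-access sets before and after; f_new: level functions f'.
    subjects: the set S' the property is relative to (None means all subjects).
    """
    def in_scope(a):
        return subjects is None or a[0] in subjects
    # Condition 1: each access in b' - b must satisfy cond relative to f'.
    bad = [a for a in b_new - b if in_scope(a) and not cond(a, f_new)]
    # Condition 2: an access in b that fails cond relative to f' must not be in b'.
    bad += [a for a in b & b_new if in_scope(a) and not cond(a, f_new)]
    return sorted(bad)

# Constructed sample state (hypothetical subjects, objects and levels).
CONF, SECRET, TOP = 1, 2, 3
NUC = frozenset({"nuc"})
F = {"fs": {"alice": (SECRET, NUC), "bob": (CONF, frozenset())},
     "fc": {"alice": (SECRET, NUC), "bob": (CONF, frozenset())},
     "fo": {"plan": (SECRET, NUC), "memo": (CONF, frozenset())}}
B = {("alice", "plan", "r")}

if __name__ == "__main__":
    # bob (CONF) requests read on plan (SECRET): a read up.
    print(violations(B, B | {("bob", "plan", "r")}, F, simple_ok))
    # alice (current level SECRET) requests write on memo (CONF): a write down.
    print(violations(B, B | {("alice", "memo", "w")}, F, star_ok))
    # plan is reclassified to TOP in f' while alice's read stays in b'.
    F2 = {**F, "fo": {**F["fo"], "plan": (TOP, NUC)}}
    print(violations(B, B, F2, simple_ok))
```

The third case is the one condition 2 exists for: no new access is requested, yet the action is rejected because a changed f' leaves an existing access in b' that no longer satisfies the property.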


    Send email to cs253@csif.cs.ucdavis.edu.
    Department of Computer Science
    University of California at Davis
    Davis, CA 95616-8562


    Page last modified on 3/19/99