Outline for April 17, 2006

Reading: text, §5.2, 30

1. Greetings and felicitations!
2. Lattice models
   1. Poset, ≤ the relation
   2. Reflexive, antisymmetric, transitive
   3. Greatest lower bound, least upper bound
   4. Example with complex numbers
3. Bell-LaPadula Model (security levels)
   1. Security clearance, categories, levels
   2. Simple security condition (no reads up)
   3. *-property (no writes down)
   4. Discretionary security property
   5. Basic Security Theorem: if it is secure and transformations follow these rules, it will remain secure
4. Bell-LaPadula Model
   1. Apply lattice work
      1. Set of classes SC is a partially ordered set under relation dom with glb (greatest lower bound), lub (least upper bound) operators
      2. Note: dom is reflexive, transitive, antisymmetric
      3. Example: (A, C) dom (A′, C′) iff A ≤ A′ and C ⊆ C′; lub((A, C), (A′, C′)) = (max(A, A′), C ∪ C′), glb((A, C), (A′, C′)) = (min(A, A′), C ∩ C′)
   2. Simple security condition (no reads up)
   3. *-property (no writes down)
   4. Discretionary security property
   5. Basic Security Theorem: if it is secure and transformations follow these rules, it will remain secure
   6. Maximum, current security level
5. BLP: formally
   1. Elements of system: s_i subjects, o_i objects
   2. State space V = B×M×F×H where:
      B set of current accesses (i.e., access modes each subject has currently to each object);
      M access permission matrix; F consists of 3 functions: f_s is security level associated with each subject, f_o security level associated with each object, and f_c current security level for each subject
      H hierarchy of system objects, functions h: O→P(O) with two properties:
      1. If o_i ≠ o_j, then h(o_i) ∩ h(o_j) = ∅
      2. There is no set { o₁, ..., o_k } ⊆ O such that for each i, o_i+1 ∈ h(o_i) and o_k+1 = o₁.
   3. Set of requests is R
   4. Set of decisions is D
   5. W ⊆ R×D×V×V is motion from one state to another.
   6. System Σ(R, D, W, z₀) ⊆ X×Y×Z such that (x, y, z) ∈ Σ(R, D, W, z₀) iff (x_t, y_t, z_t, z_t-1) ∈ W for each i ∈ T; latter is an action of system
   7. Theorem: Σ(R, D, W, z₀) satisfies the simple security property for any initial state z₀ that satisfies the simple security property iff W satisfies the following conditions for each action (r_i, d_i, (b′, m′, f′, h′), (b, m, f, h)):
      1. each (s, o, x) ∈ b′ − b satisfies the simple security condition relative to f′ (i.e., x is not read, or x is read and f_s(s) dom f_o(o))
      2. if (s, o, x) ∈ b does not satisfy the simple security condition relative to f′, then (s, o, x) ∉ b′
   8. Theorem: Σ(R, D, W, z₀) satisfies the *-property relative to S′ ⊆ S, for any initial state z₀ that satisfies the *-property relative to S′ iff W satisfies the following conditions for each (r_i, d_i, (b′, m′, f′, h′), (b, m, f, h)):
      1. for each s ∈ S′, any (s, o, x) ∈ b′ − b satisfies the *-property with respect to f′
      2. for each s ∈ S′, if (s, o, x) ∈ b does not satisfy the *-property with respect to f′, then (s, o, x) ∉ b′
   9. Theorem: Σ(R, D, W, z₀) satisfies the ds-property iff the initial state z₀ satisfies the ds-property and W satisfies the following conditions for each action (r_i, d_i, (b′, m′, f′, h′), (b, m, f, h)):
      1. if (s, o, x) ∈ b′ − b, then x ∈ m′[s, o];
      2. if (s, o, x) ∈ b and x ∈ m′[s, o] then (s, o, x) ∉ b′