Definitions


Page 1: Definitions

state -- a particular collection of value assignments (i.e., to computer registers, memory, secondary stores, relevant network devices, etc.)

____ -- the set of all possible protection states (i.e., a universal set)

protection state -- a state that deals only with assignments relevant to security/protection

Pauth -- the set of all authorized protection states

safe -- state s is safe iff s ∈ Pauth

breach -- security has been breached whenever a system enters a state s for which s ∉ Pauth

security policy -- a security policy should define what constitutes Pauth

security mechanism -- a security mechanism should ensure that a system never reaches a state outside Pauth

Page 2: Definitions

If a policy is simply Pauth, why is it impractical to enumerate Pauth?

A better solution: define the policy in terms of who has access to what, i.e., in terms of a Subject (s) and an Asset (a).

Confidentiality Policy: a is confidential to s iff other subjects ____________________ a.

Integrity Policy: a has integrity to s iff s _________ a.

Availability Policy: a is available to s iff s is __________________ a.

Page 3: Definitions

Consider a policy for maintaining the confidentiality of government documents.

policy model -- a set of policies (abstractly, a set of policy properties)

Level          Numeric equivalent
Top Secret     4
Secret         3
Confidential   2
Unclassified   1

The same scale of levels is applied to assets (as classifications) and to subjects (as clearances).

Page 4: Definitions

Simple Security Property: Subject s can read asset a iff clearance(s) ≥ classification(a)

This property has been widely used for years.

However, the Simple Security Property only applies to reads. What about writes?

Page 5: Definitions

Another issue: why does the Simple Security Property not enforce a need-to-know policy?

*-Property: Subject s can write to asset a iff clearance(s) ≤ classification(a)

(a multi-level confidentiality model circa 1986)

Page 6: Definitions

It is common to include codewords in addition to classification and clearance (e.g., DesertStorm, Umbra).

In this system a security classification/clearance consists of an ordered pair: (level, set of codewords).

We can define access using a dominance relation, dom, as follows. Let clearance(s) = (sLevel, sCodewords) and classification(a) = (aLevel, aCodewords). Then

dom(s, a) means sLevel ≥ aLevel and ∀c [(c ∈ aCodewords) → (c ∈ sCodewords)]

Example:
v = (TopSecret, {Iraq, Iran, Nato, China})
w = (Secret, {Iraq})
x = (TopSecret, {Nato})
y = (Confidential, {Nato})
z = (Confidential, {Iran, Iraq, Nato})

Page 7: Definitions

A system is said to be secure (in the sense of confidentiality) given that it maintains the following two properties:

Simple Security Property: Subject s can read asset a iff (dom(s, a) and read ∈ acm[s, a])

*-Property: Subject s can write to asset a iff (dom(a, s) and write ∈ acm[s, a])

Page 8: Definitions

Following these properties, is it possible for someone to write to a document they cannot read?

Following these properties, is it possible for someone to read a document they cannot write?

How can a superior communicate with a subordinate?

Page 9: Definitions

Raising an asset's security level: this has little impact except for limiting future access.

Lowering an asset's security level: this violates the *-property.

Solution: tranquility. Two types of tranquility:

Strong tranquility: neither clearances nor classifications change throughout the system's lifetime.

Weak tranquility: clearances and classifications can only change in a way that preserves both the simple security property and the *-property.
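The dominance relation with codewords (page 6), the two properties over dom plus an access control matrix (pages 7 and 8) and the tranquility rules (page 9) are small enough to run as one piece of code. The following is an added example, not code from the slides: it encodes the slide's five labels v..z, a hypothetical reference monitor `BLPMonitor` (its name, the `acm` layout and the `blp_demo` scenario with subjects alice/bob and assets doc_y/doc_z are all constructed here), and a `reclassify` method that refuses every change under strong tranquility and, under weak tranquility, rolls back any change that would break a property for an access currently held.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Numeric equivalents of the levels, from the slide's table.
LEVELS: Dict[str, int] = {"Unclassified": 1, "Confidential": 2, "Secret": 3, "TopSecret": 4}


@dataclass(frozen=True)
class Label:
    """A classification or clearance: (level, set of codewords)."""
    level: str
    codewords: FrozenSet[str] = frozenset()


def dom(p: Label, q: Label) -> bool:
    """p dominates q iff p.level >= q.level and every codeword of q is also in p."""
    return LEVELS[p.level] >= LEVELS[q.level] and q.codewords <= p.codewords


# The five labels from the slide's example.
v = Label("TopSecret", frozenset({"Iraq", "Iran", "Nato", "China"}))
w = Label("Secret", frozenset({"Iraq"}))
x = Label("TopSecret", frozenset({"Nato"}))
y = Label("Confidential", frozenset({"Nato"}))
z = Label("Confidential", frozenset({"Iran", "Iraq", "Nato"}))


class BLPMonitor:
    """Hypothetical reference monitor enforcing the two properties over labels plus an ACM.

    acm maps (subject, asset) to the set of discretionary rights, e.g. {"read", "write"}.
    """

    def __init__(self, clearance: Dict[str, Label], classification: Dict[str, Label],
                 acm: Dict[Tuple[str, str], Set[str]]):
        self.clearance = dict(clearance)
        self.classification = dict(classification)
        self.acm = {k: set(r) for k, r in acm.items()}
        self.held: Set[Tuple[str, str, str]] = set()   # (subject, asset, op) accesses currently open

    def can_read(self, s: str, a: str) -> bool:
        # Simple Security Property: dom(s, a) and read in acm[s, a]
        return dom(self.clearance[s], self.classification[a]) and "read" in self.acm.get((s, a), set())

    def can_write(self, s: str, a: str) -> bool:
        # *-Property: dom(a, s) and write in acm[s, a]
        return dom(self.classification[a], self.clearance[s]) and "write" in self.acm.get((s, a), set())

    def open(self, s: str, a: str, op: str) -> bool:
        """Grant an access and remember it; held accesses are what weak tranquility must protect."""
        allowed = self.can_read(s, a) if op == "read" else self.can_write(s, a)
        if allowed:
            self.held.add((s, a, op))
        return allowed

    def reclassify(self, a: str, new_label: Label, tranquility: str = "weak") -> bool:
        """Change an asset's classification subject to the tranquility rule.

        strong: labels never change.  weak: the change is applied only if every access
        currently held on the asset still satisfies the property that granted it.
        """
        if tranquility == "strong":
            return False
        old = self.classification[a]
        self.classification[a] = new_label
        for (s, held_asset, op) in self.held:
            if held_asset != a:
                continue
            still_ok = self.can_read(s, a) if op == "read" else self.can_write(s, a)
            if not still_ok:
                self.classification[a] = old      # roll back: the change would break a property
                return False
        return True


def blp_demo() -> BLPMonitor:
    """Constructed scenario: alice is cleared x, bob is cleared y; doc_y is labelled y, doc_z is labelled z."""
    full = {"read", "write"}
    return BLPMonitor(
        clearance={"alice": x, "bob": y},
        classification={"doc_y": y, "doc_z": z},
        acm={(s, a): set(full) for s in ("alice", "bob") for a in ("doc_y", "doc_z")},
    )
```

In the scenario, bob can write doc_z although he cannot read it, and alice can read doc_y although she cannot write it, which answers the two questions on page 8: the properties only stop information flowing downward, not blind writes upward. Lowering doc_z to Unclassified while bob holds a write on it is rejected under weak tranquility because dom(a, s) would no longer hold for that open access.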

Page 10: Definitions

Biba integrity model (Ken Biba, 1975): the dual of the confidentiality properties, with integrity levels in place of clearances and classifications.

Simple Integrity Property: Subject s can read asset a iff integrity(s) ≤ integrity(a) ("read only up")

Integrity *-Property: Subject s can write to asset a iff integrity(s) ≥ integrity(a) ("write only down")

Execute Property: Action p1 can execute an action p2 iff integrity(p1) ≥ integrity(p2)

Related variants: the low water mark principle and the high water mark principle.
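The three Biba rules are one-line comparisons, so the interesting part to run is the low-water-mark variant named on the slide, under which a read is never refused but drags the reader's integrity down to that of what it read. The following is an added example, not the slide's code: the integrity lattice (untrusted < user < system), the `LowWaterMarkSubject` class and the build-service scenario in `build_pipeline_demo` are all constructed here to show why a high-integrity process that consumes untrusted input must not afterwards be allowed to write high-integrity state. The high water mark principle is not shown.

```python
from typing import Dict, List, Tuple

# Constructed integrity lattice: a higher number means more trustworthy.
INTEGRITY: Dict[str, int] = {"untrusted": 1, "user": 2, "system": 3}


def biba_can_read(subject_level: str, asset_level: str) -> bool:
    """Simple Integrity Property: read only up (integrity(s) <= integrity(a))."""
    return INTEGRITY[subject_level] <= INTEGRITY[asset_level]


def biba_can_write(subject_level: str, asset_level: str) -> bool:
    """Integrity *-Property: write only down (integrity(s) >= integrity(a))."""
    return INTEGRITY[subject_level] >= INTEGRITY[asset_level]


def biba_can_execute(caller_level: str, callee_level: str) -> bool:
    """Execute Property: a process may only invoke one of equal or lower integrity."""
    return INTEGRITY[caller_level] >= INTEGRITY[callee_level]


class LowWaterMarkSubject:
    """Subject under the low-water-mark variant: any read is permitted, but reading a
    less trustworthy asset lowers the subject's own integrity to that asset's level;
    the strict write rule then applies at the new, lower level."""

    def __init__(self, name: str, level: str):
        self.name = name
        self.level = level
        self.trace: List[Tuple[str, str, bool]] = []  # (op, asset level, permitted)

    def read(self, asset_level: str) -> str:
        if INTEGRITY[asset_level] < INTEGRITY[self.level]:
            self.level = asset_level          # the water mark only ever goes down
        self.trace.append(("read", asset_level, True))
        return self.level

    def write(self, asset_level: str) -> bool:
        ok = biba_can_write(self.level, asset_level)
        self.trace.append(("write", asset_level, ok))
        return ok


def build_pipeline_demo() -> Tuple[bool, bool, str]:
    """Constructed scenario: a 'system'-integrity build service writes a system config,
    then reads an untrusted contributor's script, then tries the same write again."""
    builder = LowWaterMarkSubject("build-service", "system")
    first = builder.write("system")          # permitted: still at system integrity
    builder.read("untrusted")                # water mark drops to 'untrusted'
    second = builder.write("system")         # refused: a tainted subject cannot write up
    return first, second, builder.level
```

The trace kept on the subject is the audit artefact a practitioner would want: it records the read that lowered the level, so a later refused write can be explained rather than just observed.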

Page 11: Definitions

Multi-level models versus multi-lateral models (figure): the multi-level model stacks the levels Top Secret, Secret, Confidential and Unclassified; the multi-lateral model partitions assets into Asset Group 1, Asset Group 2 and Asset Group 3, with subjects S1, S2, S3 and S4 shown against those groups.

Page 12: Definitions

This model is often used in the service industry, where knowledge of sensitive information comes from multiple different competing and non-competing companies (e.g., consulting companies, law practices, insurance companies).

A multi-lateral hybrid model: Brewer & Nash, 1989 (the Chinese Wall model).

Example: A financial consulting firm has the following clients: Oracle, Microsoft, General Motors, Ford Motor Co. and Toyota.

Consider the potential conflicts of interest.

Page 13: Definitions

Consider that assets are partitioned into conflict of interest groups (industrial competitors).

Simple Security Property: Subject s can read asset a iff ∀a' (a' readable by s) [ company(a) ∉ competitors(company(a')) OR company(a) = company(a') ]

*-Property: Subject s can write to asset a iff a satisfies the Simple Security Property for s AND ∀a' (a' readable by s) [ competitors(company(a')) = ∅ OR company(a) = company(a') ]
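Both Brewer & Nash properties quantify over the set of assets a subject has already read, so a monitor has to keep per-subject history; that is what makes the model different from the label-based ones above. The following is an added example, not the slides' code: it groups the firm's clients from page 12 into two conflict-of-interest classes (a constructed grouping), marks one asset as sanitised (company None, so it has no competitors), and implements the two properties in a hypothetical `ChineseWall` class whose `read_by` map is the "a' readable by s" set.

```python
from typing import Dict, List, Optional, Set

# Conflict-of-interest classes built from the slide's client list (constructed grouping).
COI_CLASSES: List[Set[str]] = [
    {"Oracle", "Microsoft"},
    {"General Motors", "Ford", "Toyota"},
]

# Constructed assets and the company each belongs to; None marks sanitised (public) material.
ASSETS: Dict[str, Optional[str]] = {
    "oracle-q3-forecast": "Oracle",
    "microsoft-cloud-margins": "Microsoft",
    "gm-ev-plan": "General Motors",
    "ford-ev-plan": "Ford",
    "industry-overview": None,
}


def competitors(company: Optional[str]) -> Set[str]:
    """Other members of the company's conflict-of-interest class; empty for sanitised data."""
    if company is None:
        return set()
    for cls in COI_CLASSES:
        if company in cls:
            return cls - {company}
    return set()


class ChineseWall:
    """Hypothetical monitor tracking what each subject has read (the a' readable by s set)."""

    def __init__(self, assets: Dict[str, Optional[str]]):
        self.company = dict(assets)
        self.read_by: Dict[str, Set[str]] = {}

    def can_read(self, s: str, a: str) -> bool:
        # Simple Security: for every a' already read, company(a) is not a competitor
        # of company(a'), or a and a' belong to the same company.
        ca = self.company[a]
        return all(ca not in competitors(self.company[a2]) or ca == self.company[a2]
                   for a2 in self.read_by.get(s, set()))

    def read(self, s: str, a: str) -> bool:
        """Perform the read and record it; the history is what future checks depend on."""
        if not self.can_read(s, a):
            return False
        self.read_by.setdefault(s, set()).add(a)
        return True

    def can_write(self, s: str, a: str) -> bool:
        # *-Property: readable, and every a' read so far is either sanitised (no competitors)
        # or from the same company as a, so nothing can flow through s from one company's
        # file into another's.
        ca = self.company[a]
        return self.can_read(s, a) and all(
            not competitors(self.company[a2]) or ca == self.company[a2]
            for a2 in self.read_by.get(s, set()))
```

Note the asymmetry the *-property creates: an analyst who has legitimately read both Oracle and General Motors material (different classes, so the reads are fine) can no longer write to either company's files, because a write would be a channel from the other client. Only a subject whose history is sanitised data plus one company can write for that company.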

Page 14: Definitions

Clark-Wilson, a security model of double-entry bookkeeping, 1987

Rules (numbered to match Bishop)

CR1. The system has procedures to verify the integrity of every constrained data item (CDI).

CR2. A CDI's integrity must be maintained whenever a transformation procedure (TP) is applied.

ER1. The only way to change a CDI is by applying a proper TP.

ER2. Subjects can only initiate selected TPs on selected CDIs.

CR3. The rule ER2 restrictions must enforce an appropriate separation of duty policy on subjects.

ER3. The system must authenticate subjects attempting to initiate a TP.

CR4. The application of a TP must store enough information in an append-only CDI to be able to reconstruct the transaction.

CR5. Certain special TPs can produce CDIs from unrestricted data.

ER4. Only special subjects (i.e., security officers) are permitted to alter authorization-related data.
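The rules read as a checklist, and the best way to see how they fit together is a kernel that enforces them in one `run_tp` path. The following is an added example, not the slides' code or Bishop's: `ClarkWilsonLedger`, the two TPs, the credential table and the `cw_demo` scenario are all constructed here. The integrity verification procedure (CR1) is the double-entry invariant that the ledger sums to zero; the only mutator is `run_tp` (ER1), which authenticates (ER3), checks the (user, TP, CDI) relations (ER2), runs the TP inside a snapshot so a TP that breaks the invariant is rolled back (CR2), and appends to a log (CR4); only the security officer can certify TPs or alter relations (ER4). CR3 and CR5 are not implemented.

```python
from copy import deepcopy
from typing import Callable, Dict, List, Set, Tuple


class PolicyViolation(Exception):
    pass


# Transformation procedures operate on the ledger (account -> balance).
# Double-entry bookkeeping: every posting debits one account and credits another.
def transfer(ledger: Dict[str, int], cdis: Tuple[str, ...], amount: int) -> None:
    src, dst = cdis
    ledger[src] -= amount
    ledger[dst] += amount


def buggy_refund(ledger: Dict[str, int], cdis: Tuple[str, ...], amount: int) -> None:
    """A TP with a bug (or a fraud): credits an account without a matching debit."""
    (dst,) = cdis
    ledger[dst] += amount


class ClarkWilsonLedger:
    """Hypothetical minimal Clark-Wilson kernel; comments name the rule each check enforces."""

    def __init__(self, security_officer: str, credentials: Dict[str, str], opening: Dict[str, int]):
        self.security_officer = security_officer
        self.credentials = dict(credentials)          # constructed secrets for the demo only
        self.cdis: Dict[str, int] = dict(opening)
        self.tps: Dict[str, Callable] = {}            # certified TPs only (CR2)
        self.allowed: Set[Tuple[str, str, str]] = set()  # (user, tp, cdi) relations (ER2)
        self.log: List[tuple] = []                    # append-only transaction log (CR4)
        self.sessions: Set[str] = set()
        if not self.ivp():
            raise PolicyViolation("opening ledger fails the integrity check")

    def ivp(self) -> bool:
        """CR1: integrity verification procedure; with double entry, debits equal credits."""
        return sum(self.cdis.values()) == 0

    def authenticate(self, user: str, secret: str) -> bool:
        """ER3: only authenticated subjects may initiate TPs."""
        if self.credentials.get(user) == secret:
            self.sessions.add(user)
            return True
        return False

    def certify_tp(self, actor: str, name: str, tp: Callable) -> None:
        if actor != self.security_officer:                       # ER4
            raise PolicyViolation("only the security officer certifies TPs")
        self.tps[name] = tp

    def grant(self, actor: str, user: str, tp: str, cdis: Tuple[str, ...]) -> None:
        if actor != self.security_officer:                       # ER4
            raise PolicyViolation("only the security officer alters authorization data")
        for c in cdis:
            self.allowed.add((user, tp, c))

    def run_tp(self, user: str, tp: str, cdis: Tuple[str, ...], *args) -> Dict[str, int]:
        if user not in self.sessions:                            # ER3
            raise PolicyViolation(f"{user} is not authenticated")
        if tp not in self.tps:                                   # ER1: no uncertified mutation path
            raise PolicyViolation(f"{tp} is not a certified TP")
        for c in cdis:
            if (user, tp, c) not in self.allowed:                # ER2
                raise PolicyViolation(f"{user} may not run {tp} on {c}")
        before = deepcopy(self.cdis)
        self.tps[tp](self.cdis, cdis, *args)
        if not self.ivp():                                       # CR2: the TP must preserve integrity
            self.cdis = before
            self.log.append((user, tp, cdis, args, "rolled back"))
            raise PolicyViolation(f"{tp} left the ledger inconsistent; rolled back")
        self.log.append((user, tp, cdis, args, "committed"))    # CR4: enough to reconstruct
        return dict(self.cdis)


def cw_demo() -> ClarkWilsonLedger:
    """Constructed scenario: the officer certifies two TPs and grants clerk 'ann' relations on them."""
    book = ClarkWilsonLedger("officer", {"ann": "s3cret", "officer": "hunter2"},
                             {"cash": 1000, "expenses": 0, "equity": -1000})
    book.certify_tp("officer", "transfer", transfer)
    book.certify_tp("officer", "buggy_refund", buggy_refund)
    book.grant("officer", "ann", "transfer", ("cash", "expenses"))
    book.grant("officer", "ann", "buggy_refund", ("expenses",))
    return book
```

The rollback path is the point worth noticing: certifying a TP (CR2) is a human judgement that can be wrong, so the kernel still runs the IVP after every application and refuses to commit a state that fails it, leaving the log entry as evidence that the certified TP misbehaved.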