Mandatory Flow Control Models

Similar documents
Mandatory Access Control (MAC)

On the Derivation of Lattice Structured Information Flow Policies

Semantic comparison of security policies : from access control policies to flow properties

Relations. Relations. Definition. Let A and B be sets.

Security: Foundations, Security Policies, Capabilities

The Bell-LaPadula Model

Towards information flow control. Chaire Informatique et sciences numériques Collège de France, cours du 30 mars 2011

Preliminaries. Chapter Introduction to the Course Aim Evaluation Policy

Non-interference. Christoph Sprenger and Sebastian Mödersheim. FMSEC Module 11, v.2 November 30, Department of Computer Science ETH Zurich

CSC Discrete Math I, Spring Relations

Distributed Operating Systems Security - Foundations, Covert Channels, Noninterference. Marcus Völp / Hermann Härtig 2010

An Introduction to the Theory of Lattice

Any Wizard of Oz fans? Discrete Math Basics. Outline. Sets. Set Operations. Sets. Dorothy: How does one get to the Emerald City?

Econ Lecture 2. Outline

Section Summary. Relations and Functions Properties of Relations. Combining Relations

Equivalence relations

Lecture 2. Econ August 11

2MA105 Algebraic Structures I

IBM Research Report. Automatic Composition of Secure Workflows

TWO TYPES OF ONTOLOGICAL STRUCTURE: Concepts Structures and Lattices of Elementary Situations

DG/UX System. MAC Regions

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

(a) We need to prove that is reflexive, symmetric and transitive. 2b + a = 3a + 3b (2a + b) = 3a + 3b 3k = 3(a + b k)

Formal Methods for Information Security

Mathematical Foundations of Logic and Functional Programming

Math 6802 Algebraic Topology II

cse303 ELEMENTS OF THE THEORY OF COMPUTATION Professor Anita Wasilewska

A formal model for access control with supporting spatial context

Lecture 4. Algebra, continued Section 2: Lattices and Boolean algebras

Diskrete Mathematik Solution 6

1. To be a grandfather. Objects of our consideration are people; a person a is associated with a person b if a is a grandfather of b.

CAS 745 Supervisory Control of Discrete-Event Systems. Slides 1: Algebraic Preliminaries

Generating Permutations and Combinations

Methods of AI. Practice Session 7 Kai-Uwe Kühnberger Dec. 13 th, 2002

Sequences. We know that the functions can be defined on any subsets of R. As the set of positive integers

Derivative Operations for Lattices of Boolean Functions

GENERALIZED DIFFERENCE POSETS AND ORTHOALGEBRAS. 0. Introduction

1.2 Posets and Zorn s Lemma

Earlier this week we defined Boolean atom: A Boolean atom a is a nonzero element of a Boolean algebra, such that ax = a or ax = 0 for all x.

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007

Noninterference, Transitivity, and Channel-Control Security Policies 1

Definition: A binary relation R from a set A to a set B is a subset R A B. Example:

Belief Propagation on Partially Ordered Sets Robert J. McEliece California Institute of Technology

MATH 318 Mathematical Logic Class notes

Universal Algebra for Logics

5.5 Deeper Properties of Continuous Functions

The Linearity of Quantum Mechanics at Stake: The Description of Separated Quantum Entities

Tree sets. Reinhard Diestel

A Class of Partially Ordered Sets: III

A Comment on the "Basic Security Theorem" of Bell and LaPadula*

ACLT: Algebra, Categories, Logic in Topology - Grothendieck's generalized topological spaces (toposes)

{x : P (x)} P (x) = x is a cat

Economics 204 Summer/Fall 2011 Lecture 2 Tuesday July 26, 2011 N Now, on the main diagonal, change all the 0s to 1s and vice versa:

Sequential product on effect logics

Consequences of the Completeness Property

2.2 Some Consequences of the Completeness Axiom

Boolean Algebras. Chapter 2

Strange Combinatorial Connections. Tom Trotter

Securing the Web of Things

A Logician s Toolbox

Utility Representation of Lower Separable Preferences

Topology Proceedings. COPYRIGHT c by Topology Proceedings. All rights reserved.

Projection-valued measures and spectral integrals

MEREOLOGICAL FUSION AS AN UPPER BOUND

University of Oxford, Michaelis November 16, Categorical Semantics and Topos Theory Homotopy type theor

a) Let x,y be Cauchy sequences in some metric space. Define d(x, y) = lim n d (x n, y n ). Show that this function is well-defined.

Data Cleaning and Query Answering with Matching Dependencies and Matching Functions

Universal Totally Ordered Sets

INTRODUCING MV-ALGEBRAS. Daniele Mundici

THE DIRECT SUM, UNION AND INTERSECTION OF POSET MATROIDS

Discrete Mathematics: Lectures 6 and 7 Sets, Relations, Functions and Counting Instructor: Arijit Bishnu Date: August 4 and 6, 2009

Canonical extension of coherent categories

Weighting Expert Opinions in Group Decision Making for the Influential Effects between Variables in a Bayesian Network Model

Class Notes on Poset Theory Johan G. Belinfante Revised 1995 May 21

SCHEMA NORMALIZATION. CS 564- Fall 2015

Lecture Notes The Algebraic Theory of Information

Part IA Numbers and Sets

1 Invertible Elements, Pure Monoids

Some exercises on coherent lower previsions

a + b = b + a and a b = b a. (a + b) + c = a + (b + c) and (a b) c = a (b c). a (b + c) = a b + a c and (a + b) c = a c + b c.

Properties of the Integers

Lecture 3: Decidability

Relations. Definition 1 Let A and B be sets. A binary relation R from A to B is any subset of A B.

MAT 570 REAL ANALYSIS LECTURE NOTES. Contents. 1. Sets Functions Countability Axiom of choice Equivalence relations 9

Language-based Information Security. CS252r Spring 2012

Circle-based Recommendation in Online Social Networks

COSE312: Compilers. Lecture 14 Semantic Analysis (4)

Week 4-5: Generating Permutations and Combinations

Commutative Algebra Lecture 3: Lattices and Categories (Sept. 13, 2013)

A Theory for Comparing the Expressive Power of Access Control Models

A UNIVERSAL SEQUENCE OF CONTINUOUS FUNCTIONS

Math 5801 General Topology and Knot Theory

Introduction. Normalization. Example. Redundancy. What problems are caused by redundancy? What are functional dependencies?

New Similarity Measures for Intuitionistic Fuzzy Sets

COMP 182 Algorithmic Thinking. Relations. Luay Nakhleh Computer Science Rice University

Math.3336: Discrete Mathematics. Chapter 9 Relations

REAL ANALYSIS: INTRODUCTION

COMPLETE LATTICES. James T. Smith San Francisco State University

Data representation and classification

Foundations of Mathematics

Transcription:

Mandatory Flow Control Models Kelly Westbrooks Department of Computer Science Georgia State University April 5, 2007

Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models The Bell-LaPadula Model The Biba Model

Mandatory Flow Control Models Mandatory Flow Control Models Definition The Mandatory Flow Control Models are the subset of computer security models that require access control of all subjects and objects under its control on a systemwide basis. Only trusted objects are allowed to violate access control rules in a mandatory flow control model.

Information Flow Control The major problem with the Access Control Matrix Model The Confinement Problem: How to determine whether there is any mechanism by which a subject authorized to access an object may leak information contained in that object to some other subjects not authorized to access that object. The confinement problem is undecidable due to the characteristic of discretionary transfer of access rights between subjects in the acess control matrix model. Security control should be applied to the information in addtion to the subject holding the information.

Information Flow Control Information Flow Control Definition Information Flow Control is concerned with how information is disseminated or propagated from one object to another. System entities are partitioned into security classes Every channel through which information can flow between security classes has regulation applied to it.

Lattice Model The Lattice Model Introduced by Dr. Dorothy Denning of Georgetown University The best known information flow control model. Based upon the concept of a lattice from mathematics. The security of a system based upon the lattice model is easily proven mathematically.

Lattice Model The Lattice Model (continued) Definition A relation between set A and set B is a subset of A B Definition A partial order is a relation between A and A with the following properties: reflexive a A, a a antisymmetry a, b A, a b and b a a = b transitivity a, b, c A, a b and b c a c A total order is a partial order such that a, b A, a b or b a

Lattice Model The Lattice Model (continued) Definition A poset, or partially ordered set is a set P equipped with a partial order. A linearly ordered set is a set equipped with a total order. Definition Given a poset P and a subset S P, the supremum of S is the element s P such that x {y P z S, z y}, s x. The infimum of S is the element i P such that x {y P z S, y z}, x i. Definition A lattice is a poset P such that S P, S = 2, S has both a supremum and an infimum.

Lattice Model The Lattice Model (continued) All subjects and objects are partitioned into security classes. Security classes form a poset. Information flow only occurs in the direction of the partial ordering; information can only flow from a lower class to a higher class.

Lattice Model The Lattice Model (continued) Definition A lattice model of secure information flow is the 7-tuple S, O, SC, F,,, S set of subjects O set of objects SC poset of security classes F the binding function F : S O SC The infimum operator on SC The supremum operator on SC The flow relation on pairs of security classes.

Flow Properties of a Lattice Flow Properties of a Lattice In addition to reflexitivity, antisymmetry, and transitivity, there are two other mathematical properties of a lattice that are useful for secure information flow control models: aggregation A C and B C A B C separation A B C A C and B C

Multilevel Security Multilevel Security is a special case of the lattice-based information flow model. There are two well-known multilevel security models: The Bell-LaPadula Model Focuses on confidentiality of information The Biba Model Focuses on system integrity

The Bell-LaPadula Model The Bell-LaPadula Model L is a linearly ordered set of security levels C is a lattice of security categories The security level is called the clearence if applied to subjects, and classification if applied to objects. Each security category is a set of compartments that represent natural or artificial characteristics of subjects and objects and is used to enforce the need-to-know principle. The lattice of security classes is L C. If A B SC, A dominates B if A s level is higher than B s level and B s category is a subset of A s category.

The Bell-LaPadula Model The Bell-LaPadula Model (continued) Security with respect to confidentiality in the Bell-LaPadula model is described by the following two axioms: Simple security property reading information from an object o by a subject s requires that F (s) dominates F (o) *-property Writing information to an object o by a subject s requires that F (o) dominates F (s)

The Biba Model The Biba Model L is a linearly ordered set of integrity levels C is a lattice of integrity categories Integrity categories are used to enforce the need-to-have principle. The lattice of security classes is L C.

The Biba Model The Biba Model (continued) Security with respect to integrity in the Biba model is described by the following two axioms: Simple security property Writing information to an object o by a subject s requires that F (s) dominates F (o) *-property Reading information from an object o by a subject s requires that F (o) dominates F (s)

Comparison of Two Multilevel Models Comparison of Two Multilevel Models The Bell-LaPadula Model is concerned with information confidentiality subjects reading from an object must have higher a security class than the object. objects being written to by a subject must have higher security class than the subject. The Biba model emphasizes information integrity subjects writing information to an object must have higher a security class than the object. objects being read from by a subject must have higher security class than the subject.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback