Outline for April 20, 2000
- Greetings and felicitations!
- Office hours this week after today: W4-5, Th2-3
- Chinese Wall Policy
- Arises as legal defense to insider trading on London stock exchange
- Low-level entities are objects; all objects concerning the same
corporation form a CD (company dataset); CDs whose corporations are in
competition are grouped into COIs (Conflict of Interest classes)
- Intuitive goal: keep one subject from reading different CDs in the
same COI, or reading one CD and writing to another in same COI
- Simple Security Property: Read access granted if the object (a) is
in the same CD as an object already accessed by the subject, or (b) is
in a CD in an entirely different COI. Assumes correct initialization
- Theorems: (1) Once a subject has accessed an object, only other
objects in that CD are available within that COI; (2) subject has access
to at most 1 dataset in each COI class
- Exceptions: sanitized information
- * Property: Write access is permitted only if (a) read access is
permitted by the simple security property; and (b) no object in a
different CD in that COI can be read, unless it contains sanitized
information
- Comparison to BLP: (1) ability to track history; (2) in CW, subjects
choose which objects they can access but not in BLP; (3) CW requires
both mandatory and discretionary parts, BLP is mandatory only.
- ORCON
- Originator controls distribution
- DAC, MAC inadequate
- Solution is combination
- Role-based Access Control (RBAC)
- Definition of role
- Partitioning as job function
- Discuss Data General model
- Secure vs. Precise
- Confidentiality only
- Assume: output of a function encodes all available information about
inputs (such as resource usage, etc.)
- Protection mechanism: given function p, it's a function
m such that
either m = p for a given set of inputs, or m
produces an error message
- Confidentiality policy: function which checks that the particular
inputs are in the authorized set of inputs
- Security: m is secure iff there is an m' such that,
for all inputs,
m = m'(c(...)), i.e., m's values
consistent with
stated confidentiality policy
- Precision: m1, m2 distinct
protection mechanisms. m1 as precise as
m2 if, for all inputs, m1 = p
implies m2 = p. m1 is more
precise if
there is an input such that m1 = p and
m2 != p on that input.
- Union: m1 U m2 =
m3,
where m3 = p iff m1 =
p and
m2 = p; otherwise, m3 =
m1.
- ICBS: Let m1, m2 be
secure protection mechanisms for a program p and
policy c. Then m1 U m2
is also a secure protection mechanism for p and c.
Further, m1 U m2 is more precise
than either m1 or m2.
- Generalizing: for any program p and security policy c,
there exists
a precise, secure mechanism m* such that, for all
secure mechanisms m
associated with p and c, m* is more
precise than m.
- BUT: there is no effective procedure that determines a maximally
precise, secure mechanism for a policy and program.
Send email to
[email protected].
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 4/29/2000