Foundations of Computer Security
Lecture 8: MLS Example: Part III
Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin
Lecture 8: 1 MLS Example: Part III

MLS Thought Experiment

Recall that we've assigned sensitivity labels to documents and clearances to individuals within our MLS environment. Now we're attempting to answer the following confidentiality question: How are the permissions administered and checked? According to what rules?

    Clearance                      Sensitivity
    (Secret: {Crypto})             (Confidential: {Crypto})
    (Secret: {Crypto, Nuclear})    (Top Secret: {Crypto})

A Little Vocabulary

In the type of security policy we're constructing, the following terms are often used:

Objects: the information containers protected by the system (documents, folders, files, directories, databases, etc.)
Subjects: entities (users, processes, etc.) that execute activities and request access to objects.
Actions: operations, primitive or complex, executed on behalf of subjects that may affect objects.

The subjects in our MLS example are the humans; the objects are the folders containing information.

The Dominates Relation

Given a set of security labels (L, S), comprising hierarchical levels and categories, we can define an ordering relation among labels.

Definition: (L1, S1) dominates (L2, S2) iff
  1. L1 ≥ L2 in the ordering on levels, and
  2. S2 ⊆ S1.

We usually write (L1, S1) ≥ (L2, S2).

Note that this is a partial order, not a total order. I.e., there are security labels A and B such that neither A ≥ B nor B ≥ A.

Dominates Example

In the following table, for which pairs does Label 1 dominate Label 2?

    Label 1                        Label 2                      Dominates?
    (Secret: {Crypto})             (Confidential: {Crypto})     Yes
    (Secret: {Crypto, Nuclear})    (Top Secret: {Crypto})       No
    (Secret: {Nuclear})            (Unclassified: {})           Yes

Does this suggest how you might decide whether to allow a subject to read an object?

Simple Security Property

The following rule appears to capture our intuition about when a subject can read an object.

The Simple Security Property: Subject S with clearance (LS, CS) may be granted read access to object O with classification (LO, CO) only if (LS, CS) ≥ (LO, CO).

Can you guess why it's "only if" instead of "if and only if"?

Operationally, an individual asking to see a document must show that his clearance level dominates the sensitivity level of the document.

Lessons

The dominates relation formalizes a relationship between any two labels.
The Simple Security Property shows how to use dominates to decide whether a read access should be allowed.

Next lecture: MLS Example: Part IV
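The dominates relation and the Simple Security Property, worked through in code. This is an added example, not material from the lecture. It assumes the four hierarchical levels named on the slides are ordered Unclassified < Confidential < Secret < Top Secret, and it treats dominance as a necessary condition for reading, so an optional extra policy hook (a hypothetical placeholder, not something the lecture defines) can still refuse an access that dominance alone would permit. The three rows of the slide's table are embedded as constructed input.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# Hierarchical levels from lowest to highest. The lecture names these four
# levels but does not list the ordering in one place; this order is assumed.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
LEVEL_RANK = {name: rank for rank, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label (L, S): a hierarchical level L plus a set of categories S."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVEL_RANK:
            raise ValueError(f"unknown level: {self.level!r}")


def dominates(a: Label, b: Label) -> bool:
    """(L1, S1) >= (L2, S2) iff L1 >= L2 on levels and S2 is a subset of S1."""
    level_ok = LEVEL_RANK[a.level] >= LEVEL_RANK[b.level]
    categories_ok = b.categories <= a.categories
    return level_ok and categories_ok


def comparable(a: Label, b: Label) -> bool:
    """True unless a and b are incomparable, which is what makes >= only a partial order."""
    return dominates(a, b) or dominates(b, a)


def may_read(
    clearance: Label,
    classification: Label,
    extra_policy: Optional[Callable[[Label, Label], bool]] = None,
) -> bool:
    """Simple Security Property as a necessary condition.

    Read access is refused outright unless the subject's clearance dominates
    the object's classification. Because the property is "only if", a further
    policy check (hypothetical hook, not part of the lecture) may still refuse.
    """
    if not dominates(clearance, classification):
        return False
    if extra_policy is not None:
        return extra_policy(clearance, classification)
    return True


# Constructed input: the three rows of the "Dominates Example" table.
SLIDE_ROWS: List[Tuple[Label, Label]] = [
    (Label("Secret", frozenset({"Crypto"})), Label("Confidential", frozenset({"Crypto"}))),
    (Label("Secret", frozenset({"Crypto", "Nuclear"})), Label("Top Secret", frozenset({"Crypto"}))),
    (Label("Secret", frozenset({"Nuclear"})), Label("Unclassified", frozenset())),
]


def dominates_table() -> List[bool]:
    """Evaluate 'does Label 1 dominate Label 2?' for each slide row."""
    return [dominates(l1, l2) for l1, l2 in SLIDE_ROWS]


if __name__ == "__main__":
    for (l1, l2), verdict in zip(SLIDE_ROWS, dominates_table()):
        print(f"{l1} dominates {l2}: {'Yes' if verdict else 'No'}")
    a, b = SLIDE_ROWS[1]
    print("row 2 is an incomparable pair:", not comparable(a, b))
```

Row 2 of the table is the pair that shows the partial order: neither label dominates the other because one wins on level and the other on categories. The `extra_policy` argument is only there to make the "only if" visible; dominance is checked first and nothing can override a refusal.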