Presentation is loading. Please wait.

Presentation is loading. Please wait.

An information flow model FM is defined by

Published byRatna Hermanto Modified over 6 years ago

Similar presentations

Presentation on theme: "An information flow model FM is defined by"— Presentation transcript:

1 An information flow model FM is defined by
FM= (N, P, SC, , ->) N = { a, b, ... } is a set of logical storage objects or information receptacles. P = {p, q, ... } is a set of processes. SC security classes.

2 Harrison et al. , have recently demonstrated that in general it may be undecidable whether an access right to an object will "leak" to a process in a system whose access control mechanism is modeled by an access matrix [II, 15]. .

3 We sought to find suitable and viable restrictions according to which the security of a system would not only be decidable, but simply so. -Incorrect Our results show that suitable constraints do indeed exist, and moreover within the context of a richly structured model.

4 The class-combining operator "EB" is an associative and commutative binary operator that specifies, for any pair of operand classes, the class in which the re­sult of any binary function on values from the operand classes belongs. The class of the result of any binary function on objects a and b is thus q EB 􀂁- By extension, the class of the value of an n-ary function J(ai, ... ,an) is !11 EB ... EB gn, To avoid semantic ambiguities that may arise when two different functions over the same domain have overlapping ranges, we assume that the operator "EB" is independent of the function used to combine values. No generality is lost by this assumption since the effect of a function- dependent "EB" can be simulated by an appropriate set of processes using a function-independent "EB" [4 ]. The set of security classes is closed under "EB". -INcorrect

5 A flow relation "-->" is defined on pairs of security classes
A flow relation "-->" is defined on pairs of security classes. For classes A and B, we write A ----> B if and only if information in class A is permitted to flow into class B. Information is said to flow from class A to class B whenever information associated with A affects the value of information associated with B. In this paper we shall be concerned only with flows which result from (sequences of) operations that cause in­formation to be transferred from one object to another (e.g. copying, assignment, 1/0, parameter passing, and message sending). This includes flows along "legitimate" and "storage" channels. We shall not be concerned with flows along "covert" channels (i.e. a process's effect on the system load) [16]. Weak

6 a flow model FM is secure if and only if execution of a sequence of operations cannot give rise to a flow that violates the relation "-->". If a value f(a,, ... , a.) flows to an object b that is statically bound to a se­ curity class g, then g, EB ... EB Qn---+ g must hold. If J ( a,, ... , an) flows to a dynamically bound object b, then the class of b must be updated (if necessary) so that ,;i1 EB ... EB q, --> g holds for this case also. Assuming that "---->" is transitive, it is easily ,how that the security of individual operations implies that of arbitrary sequences of operations [4]. The assumption of transitivity is justified below. The model we have outlined is a simplified form of the one in [4]. The detailed model accounts for a set of "states" of an underlying computer system and a set of "transition operators" for describing state changes and their associated mformation flows. It also accounts for such implementation requirements as tags that mark memory locations with the class of information stored in them, or the necessity of nullifying a memory cell when it is deallocated.

7 Under certain assumptions, the model components SC, "---->", and "EB" form a universally bounded lattice. These assumptions are not arbitrary, but follow from the semantics of information flow. By this we mean either that no generality is lost by them or that they are required for consistency. Consistency means that all flows implied by a permissible flow should also be permitted by the flow relation. For example, if the statement begin b : = a; c : = b end is secure, then the statement c : = a should also be secure. Without a consistent flow structure, it would be possible to mas­ querade insecure operations as secure ones. A universally bounded lattice is a structure con­sisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set [3, 21]. To show that (SC, ---+, EB) forms such a lattice, we establish that:

8 A universally bounded lattice is a structure con­sisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set [3, 21]. To show that (SC, ---+, EB) forms such a lattice, we establish that: (!) (SC,->) is a partially ordered set. (2􀀯 SC is finite. 􀀱3􀀲 SC has a lower bound L such that L ---> A for all A E SC. (4) EB is a least upper bound operator on SC.

Download ppt "An information flow model FM is defined by"

Similar presentations

Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Operating System Security

Operating System Security
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
Verifiable Security Goals

Verifiable Security Goals
Data Flow Analysis 4 15-411 Compiler Design Nov. 8, 2005.

Data Flow Analysis Compiler Design Nov. 8, 2005.
Chapter 9: Subprogram Control

Chapter 9: Subprogram Control
A Platform-based Design Flow for Kahn Process Networks Abhijit Davare Qi Zhu December 10, 2004.

A Platform-based Design Flow for Kahn Process Networks Abhijit Davare Qi Zhu December 10, 2004.
User Domain Policies.

User Domain Policies.
Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.

Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.
Time, Clocks, and the Ordering of Events in a Distributed System Leslie Lamport (1978) Presented by: Yoav Kantor.

Time, Clocks, and the Ordering of Events in a Distributed System Leslie Lamport (1978) Presented by: Yoav Kantor.
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.

CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.
WMS systems manage and coordinate several independent subtasks. The coordination problems get even more serious when the subtasks are performed on separate.

WMS systems manage and coordinate several independent subtasks. The coordination problems get even more serious when the subtasks are performed on separate.
Switch off your Mobiles Phones or Change Profile to Silent Mode.

Switch off your Mobiles Phones or Change Profile to Silent Mode.
Zvi Kohavi and Niraj K. Jha 1 Memory, Definiteness, and Information Losslessness of Finite Automata.

Zvi Kohavi and Niraj K. Jha 1 Memory, Definiteness, and Information Losslessness of Finite Automata.
CS162 Week 8 Kyle Dewey. Overview Example online going over fail03.not (from the test suite) in depth A type system for secure information flow Implementing.

CS162 Week 8 Kyle Dewey. Overview Example online going over fail03.not (from the test suite) in depth A type system for secure information flow Implementing.
SOFTWARE DESIGN (SWD) Instructor: Dr. Hany H. Ammar

SOFTWARE DESIGN (SWD) Instructor: Dr. Hany H. Ammar
An Improved Algorithm to Accelerate Regular Expression Evaluation Author: Michela Becchi, Patrick Crowley Publisher: 3rd ACM/IEEE Symposium on Architecture.

An Improved Algorithm to Accelerate Regular Expression Evaluation Author: Michela Becchi, Patrick Crowley Publisher: 3rd ACM/IEEE Symposium on Architecture.
Lattice-Based Access Control Models Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch.

Lattice-Based Access Control Models Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch.
DISTRIBUTED ALGORITHMS By Nancy.A.Lynch Chapter 18 LOGICAL TIME By Sudha Elavarti.

DISTRIBUTED ALGORITHMS By Nancy.A.Lynch Chapter 18 LOGICAL TIME By Sudha Elavarti.

Similar presentations

Ads by Google