# Computer & Info Security ECS 235A

UCD

These 59 pages of class notes were uploaded by Ashleigh Dare on Tuesday, September 8, 2015. The notes belong to ECS 235A at University of California - Davis, taught by Staff in Fall.


Date Created: 09/08/15

## Outline for April 13, 2004

ECS 235, Spring 2004. Version of April 13, 2004, 1:12 pm.

1. Expressive power
   a. HRU vs. SPM
   b. Multiparent joint creates in HRU
   c. Adding multiparent joint creates to SPM, giving ESPM
   d. Simulation of multiparent joint creates by 2-parent joint creates
   e. Monotonic ESPM, monotonic HRU equivalent
   f. Safety question in ESPM decidable if acyclic attenuating scheme
2. Comparing Expressive Power of Models
   a. Graph representation
   b. Go through 3-parent joint create as simulated by 2-parent joint create
   c. Correspondence between two schemes in terms of graph representation
   d. Formal definition of scheme A simulating scheme B
   e. Model expressive power
   f. Result: monotonic 1-parent models less expressive than monotonic multiparent models, so ESPM more expressive than SPM
3. Typed Access Matrix Model
   a. Add notion of type for entities: set of types T, set of subject types TS ⊆ T
   b. New create rules specify subject/object type
   c. In command, child type if something of that type created; otherwise a parent type
   d. Show type graph and cycles in it
   e. Safety decidable for systems with acyclic MTAM schemes
4. Policy
   a. Define security policy, secure system, breach of security formally
   b. Security models
   c. Confidentiality, integrity policies; distinguish from military, commercial policies
   d. Role of trust in modeling
   e. DAC vs. MAC vs. ORCON

## Outline for April 1, 2004

ECS 235, Spring 2004. Version of April 4, 2004, 7:56 pm.

1. Basic components
   a. Confidentiality
   b. Integrity
   c. Availability
2. Threats
   a. Snooping
   b. Modification
   c. Masquerading; contrast with delegation
   d. Repudiation of origin
   e. Denial of receipt
   f. Delay
   g. Denial of service
3. Role of policy
   a. Example of student copying files from another
   b. Emphasize: policy defines security
   c. Distinguish between policy and mechanism
4. Goals of security
   a. Prevention
   b. Detection
   c. Recovery
5. Trust
   a. Hammer this home: all security rests on trust
   b. First problem: security mechanisms correctly implement security policy; walk through example of a program that logs you in; point out what is trusted
   c. Second problem: policy does what you want; define secure, precise
6. Operational issues; change over time
   a. Cost-benefit analysis
   b. Risk analysis (comes into play in cost-benefit too)
   c. Laws and customs
7. Human Factors
   a. Organizational problems
   b. People problems (include social engineering)
8. Principles of Secure Design
   a. Refer to both designing secure systems and securing existing systems
   b. Speaks to limiting damage
9. Principle of Least Privilege
   a. Give process only those privileges it needs
   b. Discuss use of roles; examples of systems which violate this (vanilla UNIX) and which maintain this (Secure Xenix)
   c. Examples in programming (making things setuid to root unnecessarily, limiting protection domain; modularity, robust programming)
   d. Example attacks (misuse of privileges, etc.)
10. Principle of Fail-Safe Defaults
   a. Default is to deny

## Outline for April 3, 2003

ECS 235, Spring 2003. Version of April 3, 2003, 3:03 pm.

1. Principle of Complete Mediation
   a. All accesses must be checked
   b. Forces system-wide view of controls
   c. Sources of requests must be identified correctly
   d. Source of problems: caching (because it may not reflect the state of the system correctly); examples are race conditions, DNS poisoning
2. Principle of Open Design
   a. Designs are open so everyone can examine them and know the limits of the security provided
   b. Does not apply to cryptographic keys
   c. Acceptance of reality: they can get this info anyway
3. Principle of Separation of Privilege
   a. Require multiple conditions to be satisfied before granting permission/access/etc.
   b. Advantage: 2 accidents/errors/etc. must happen together to trigger failure
4. Principle of Least Common Mechanism
   a. Minimize sharing
   b. New service: in kernel or as a library routine? Latter is better, as each user gets their own copy
5. Principle of Psychological Acceptability
   a. Willingness to use the mechanisms
   b. Understanding model
   c. Matching user's goal
6. ACM and primitive operations
   a. Go over subjects, objects (includes subjects), and state (S, O, A) where A is ACM
   b. Transitions modify ACM entries; primitive operations follow
   c. enter r into A[s, o]
   d. delete r from A[s, o]
   e. create subject s (note A[s, x] = A[x, s] = ∅ for all x)
   f. create object o (note A[x, o] = ∅ for all x)
   g. destroy subject s
   h. destroy object o
7. Commands
   a. General form:

        command c(s1, ..., sk, o1, ..., ok)
          if r1 in A[s1, o1] and r2 in A[s2, o2] and ... rm in A[sm, om]
          then
            op1; op2; ...; opn;
        end

   b. Example 1: creating a file

        command create_file(p, f)
          create object f;
          enter Own into A[p, f];
          enter Read into A[p, f];
          enter Write into A[p, f];
        end

   c. Example 2: granting one process read rights to a file

        command grant_read(p, q, f)
          if Own in A[p, f]
          then
            enter Read into A[q, f];
        end

8. What is the safety question?
   a. An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
   b. Question: in a given arbitrary protection system, is safety decidable?
   c. Mono-operational protection systems: decidable
      Theorem: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
      Proof: finite number of command sequences; can eliminate delete, destroy. Ignore more than one create, as all others are conditioned on access rights in the matrix. (One exception: no subjects; then we need one create subject.) Bound: s number of subjects (possibly one more than in original), o number of objects (same), g number of generic rights; number of command sequences to inspect is at most 2^(gso).
9. General case: It is undecidable whether a given state of a given protection system is safe for a given generic right.
   a. Represent TM as ACM; reduce halting problem to it

## Outline for February 14, 2008

ECS 235B, Foundations of Computer and Information Security, Winter Quarter 2008. Version of February 13, 2008, at 7:58.

1. Policies that change over time
   a. Generalization of noninterference
   b. Example
2. Composing deterministic noninterference-secure systems
3. Nondeducibility
   a. Event system
   b. Deducibly secure
   c. Composing deducibly secure systems
4. Generalized noninterference
   a. Assumptions and nondeducibility
   b. Composing generalized noninterference systems
   c. Feedback-free systems
5. Restrictiveness
   a. State machine model
   b. Composing restrictive systems

Notation:

- C: set of commands (s, z), where s executes operation z
- C*: set of sequences of commands
- π: generalized noninterference analogue to the purge function π_{G,A}
- ν: empty string
- c_s: sequence of commands
- P(c, σ): output from command c being executed in state σ
- P*(c_s, σ_i): outputs when command sequence c_s is executed in state σ_i
- proj(s, c_s, σ_i): set of outputs in P*(c_s, σ_i) that subject s is authorized to see
- w: sequence of elements of C leading up to current state
- cando(w, s, z): true if s can execute z in current state
- pass(s, z): give s right to execute z
- w_n = v_1 ... v_n where v_i ∈ C; prev(w_n) = w_{n-1}; last(w_n) = v_n
- π_L: projection function deleting all High inputs from trace

## Outline for April 26, 2005

ECS 235, Computer and Information Security, Spring Quarter 2005. Last changed on April 24, 2005, at 6:37 pm.

1. Bell-LaPadula Model: security classifications only
   a. Go through security clearance, classification
   b. Describe simple security condition (no reads up), *-property (no writes down), discretionary security property
   c. State Basic Security Theorem: if it's secure and transformations follow these rules, it's still secure
2. Bell-LaPadula Model: security levels
   a. Go through security clearance, categories, levels
3. Lattice models
   a. Poset, ≤ the relation
   b. Reflexive, antisymmetric, transitive
   c. Greatest lower bound, least upper bound
   d. Example with complex numbers
4. Bell-LaPadula Model
   a. Apply lattice work
      i. Set of classes SC is a partially ordered set under relation ≤ with GLB (greatest lower bound), LUB (least upper bound) operators
      ii. Note: ≤ is reflexive, transitive, antisymmetric
      iii. Examples: (A, C) ≤ (A′, C′) iff A ≤ A′ and C ⊆ C′; LUB((A, C), (A′, C′)) = (max(A, A′), C ∪ C′); GLB((A, C), (A′, C′)) = (min(A, A′), C ∩ C′)
   b. Describe simple security condition (no reads up), *-property (no writes down), discretionary security property
   c. State Basic Security Theorem: if it's secure and transformations follow these rules, it's still secure
   d. Maximum, current security level
5. Example: DG/UX UNIX
   a. Labels and regions
   b. Multilevel directories
   c. File object labels
   d. MAC tuples
6. BLP, formally
   a. Elements of system: s_i subjects, o_i objects
   b. State space V = B × M × F × H where:
      - B: set of current accesses (i.e., access modes each subject has currently to each object)
      - M: access permission matrix
      - F: consists of 3 functions: f_s is security level associated with each subject, f_o security level associated with each object, and f_c current security level for each subject
      - H: hierarchy of system objects, functions h: O → P(O) with two properties:
        - If o_i ≠ o_j, then h(o_i) ∩ h(o_j) = ∅
        - There is no set {o_1, ..., o_k} ⊆ O such that for each i, o_{i+1} ∈ h(o_i) and o_{k+1} = o_1
   c. Set of requests is R
   d. Set of decisions is D
   e. W ⊆ R × D × V × V is motion from one state to another
   f. System Σ(R, D, W, z_0) ⊆ X × Y × Z such that (x, y, z) ∈ Σ(R, D, W, z_0) iff (x_i, y_i, z_i, z_{i-1}) ∈ W for each i ∈ T; latter is an action of system
   g. Theorem: Σ(R, D, W, z_0) satisfies the simple security property for any initial state z_0 that satisfies the simple security property iff W satisfies the following conditions for each action (r_i, d_i, (b′, m′, f′, h′), (b, m, f, h)):
      i. each (s, o, x) ∈ b′ − b satisfies the simple security condition relative to f′ (i.e., x is not read, or x is read and f_s(s) dominates f_o(o))

## Outline for April 14, 2005

ECS 235, Computer and Information Security, Spring Quarter 2005. Last changed on April 13, 2005, at 7:07 pm.

1. Schematic Protection Model
   a. Create operations and attenuation
2. Expressive power
   a. HRU vs. SPM
   b. Multiparent joint creates in HRU
   c. Adding multiparent joint creates to SPM, giving ESPM
   d. Simulation of multiparent joint creates by 2-parent joint creates
   e. Monotonic ESPM, monotonic HRU equivalent
   f. Safety question in ESPM decidable if acyclic attenuating scheme
3. Comparing Expressive Power of Models
   a. Graph representation
   b. Go through 3-parent joint create as simulated by 2-parent joint create
   c. Correspondence between two schemes in terms of graph representation
   d. Formal definition of scheme A simulating scheme B
   e. Model expressive power
   f. Result: monotonic 1-parent models less expressive than monotonic multiparent models, so ESPM more expressive than SPM
4. Typed Access Matrix Model
   a. Add notion of type for entities: set of types T, set of subject types TS ⊆ T
   b. New create rules specify subject/object type
   c. In command, child type if something of that type created; otherwise a parent type
   d. Show type graph and cycles in it
   e. Safety decidable for systems with acyclic MTAM schemes
expressive power Result monotonic lparent models less expressive than monotonic multiparent models so ESPM more expressive than SPll Typed Access Matrix Model 09057 Add notion of type for entitiesiset of types T set of subject types TS Q T New create rules specify subjectobject type In command child type if something of that type created otherwise a parent type Show type graph and cycles in it Safety decidable for systems with acyclic MTAM schemes Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set 
of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a 
Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level 
for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR 
APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each 
object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for 
each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels 
d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object 
and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 
pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject 
has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 
01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel 
directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security 
level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to 
another Version of April 20 2004 456 pm Page 1 of l OUTLINE FOR APRIL 20 2004 ECS 235 7 SPRING 2004 Outline for April 20 2004 1 Example DGUX UNIX a Labels and regions b Multilevel directories c File object labels d MAC tuples 2 BLP formally a Elements of system s subjects 0 objects b State space V BxMxeH Where B set of current accesses ie access modes each subject has currently to each object M access permission matrix F consists of 3 functions is security level associated with each subject f0 security level associated with each object and fc current security level for each subject H hierarchy of system objects functions h OgtPO with two properties If 0 aj then h0 h0j 0 There is no set 01 0k Q 0 such that for each 139 0H1 E h0 and ak 01 c Set of requests isR d Set of decisions is D e W E RxDx VxVis motion from one state to another Version of April 20 2004 456 pm Page 1 of l
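
As an added illustration (not part of the original lecture notes), the Python sketch below checks a candidate hierarchy function h: O → P(O) against the two properties listed under H in the BLP outline: no object is a child of two different objects, and no chain of children leads back to its starting object. The object names, the sample hierarchies and the function names `check_hierarchy` and `find_cycle` are assumptions made for this example.

```python
"""Validate a BLP object hierarchy h: O -> P(O) (added example, constructed data)."""
from typing import Dict, List, Optional, Set

Hierarchy = Dict[str, Set[str]]  # object -> set of its direct children, h(o)


def find_cycle(objects: Set[str], h: Hierarchy) -> Optional[List[str]]:
    """Return one cycle o_1, ..., o_k, o_1 with o_{i+1} in h(o_i), or None."""
    WHITE, GREY, BLACK = 0, 1, 2          # unvisited / on current path / finished
    colour = {o: WHITE for o in objects}
    for root in sorted(objects):
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        path = [root]
        pending = [iter(sorted(h.get(root, ())))]
        while path:
            child = next(pending[-1], None)
            if child is None:             # all children explored: backtrack
                colour[path.pop()] = BLACK
                pending.pop()
            elif colour.get(child) == GREY:   # child is an ancestor: cycle
                return path[path.index(child):] + [child]
            elif colour.get(child) == WHITE:
                colour[child] = GREY
                path.append(child)
                pending.append(iter(sorted(h.get(child, ()))))
    return None


def check_hierarchy(objects: Set[str], h: Hierarchy) -> List[str]:
    """Return the list of violations; an empty list means h is acceptable."""
    problems: List[str] = []

    # h must map objects to sets of objects.
    for parent in sorted(h):
        if parent not in objects:
            problems.append(f"malformed: {parent} is not in O")
        for child in sorted(h[parent] - objects):
            problems.append(f"malformed: {child} in h({parent}) is not in O")

    # Property 1: distinct objects have disjoint child sets (one parent at most).
    parent_of: Dict[str, str] = {}
    for parent in sorted(h):
        for child in sorted(h[parent]):
            if child in parent_of:
                problems.append(
                    f"property 1: {child} is in h({parent_of[child]}) and h({parent})")
            else:
                parent_of[child] = parent

    # Property 2: no chain of children returns to its starting object.
    cycle = find_cycle(objects, h)
    if cycle is not None:
        problems.append("property 2: cycle " + " -> ".join(cycle))
    return problems


# Constructed sample data: a small directory-like tree and two broken variants.
OBJECTS = {"/", "etc", "home", "alice", "bob"}
VALID = {"/": {"etc", "home"}, "home": {"alice", "bob"}}
SHARED = {"/": {"etc", "home"}, "etc": {"alice"}, "home": {"alice", "bob"}}
CYCLIC = {"/": {"home"}, "home": {"alice"}, "alice": {"/"}}

if __name__ == "__main__":
    for name, h in (("VALID", VALID), ("SHARED", SHARED), ("CYCLIC", CYCLIC)):
        print(name, check_hierarchy(OBJECTS, h) or "ok")
```

Together the two properties force the hierarchy to be a forest: every object has at most one parent and is never its own ancestor.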
