
General model on information flow control

5.3 Towards a complete model of information flow control

5.3.1 General model on information flow control

Existing models for lattice-based information flow have in common that they can be described analogously with respect to information flow between security classes (cf. Remark 5.7). This observation is used in this section to develop a general model for lattice-based information flow control, which applies to partially ordered security classes in general. The model's construction is based on the models for lattice-based information flow with respect to confidentiality and integrity described in Section 5.2.2. On the one hand, the general model is a consolidation and extension of the existing access control models developed by Bell and La Padula, Denning, and Biba. On the other hand, restrictions of the original designs were removed and replaced by more flexible elements, allowing several security properties to be modelled at the same time and novel security properties to be introduced beyond those already introduced in this thesis.

To define a general model for information flow control, the following definitions according to the model of Bell and La Padula (cf. Section 5.2.2.1) are used.

• Subject $S \in \mathcal{S}$ (cf. Def. 5.3).

• Object $O \in \mathcal{O}$ (cf. Def. 5.4).

• Access attributes $\mathcal{A} = \{r, w, e, a, c\}$ (cf. Def. 5.8).

• Access matrix $M \in \mathcal{M}$ (cf. Def. 5.9).

• Decision sequence $Y \in \mathcal{Y}$, a timely ordered sequence of decisions (cf. Def. 5.15).

• Request elements ‘get’, ‘give’, ‘release’, ‘rescind’, ‘change’, ‘create’, and ‘delete’ (cf. Def. 5.14).

Further, the following definitions according to Denning's model (cf. Def. 5.22) are used.

• Security class $SC \in \mathcal{SC}$.

• Security binding $SCB \in \mathcal{SCB} := (\mathcal{S} \cup \mathcal{O}) \times \mathcal{SC}$.

• Class-combining operator $\oplus : \mathcal{SC} \times \mathcal{SC} \to \mathcal{SC}$.

• Flow relation $\mapsto \subseteq \mathcal{SC} \times \mathcal{SC}$.

According to Denning's Axioms (cf. Theorem 5.2), $(\mathcal{SC}, \mapsto, \oplus, \otimes)$ is a lattice with upper bound $SC_H$ and lower bound $SC_L$, where the class-combining operator $\oplus$ is the least upper bound operator and $\otimes : \mathcal{SC} \times \mathcal{SC} \to \mathcal{SC}$ is the greatest lower bound operator.

Analogously to the models for confidentiality (cf. Section 5.2.2.2) and integrity (cf. Section 5.2.2.4), the following generalised definitions are made for state, state sequence, request, request sequence, and system.

Definition 5.31 (γ-state) A γ-state ${}^{\gamma}V$ is defined (analogously to a c-state; cf. Def. B.1) as a triple ${}^{\gamma}V := (b, M, SCB)$ with

• $b \subseteq \mathcal{S} \times \mathcal{O} \times \mathcal{A}$ the set of current accesses, recording which subjects $S \in \mathcal{S}$ have access to which objects $O \in \mathcal{O}$ in which access mode $A \in \mathcal{A}$;

• $M \in \mathcal{M}$ the access matrix in the state ${}^{\gamma}V$; and

• $SCB \subseteq \mathcal{SCB}$ the set of security bindings describing the binding of security classes to subjects and objects.

Then ${}^{\gamma}\mathcal{V}$ is the set of γ-states ${}^{\gamma}V_i$.

Definition 5.32 (γ-state sequence) A γ-state sequence is (analogously to a c-state sequence; cf. Def. B.2) an arbitrary number of timely ordered γ-states ${}^{\gamma}V_i \in {}^{\gamma}\mathcal{V}$. Then ${}^{\gamma}\mathcal{Z} := {}^{\gamma}\mathcal{V}^{\mathbb{N}}$ is the set of γ-state sequences ${}^{\gamma}Z_i$.

Definition 5.33 (γ-request) A γ-request is defined (analogously to a c-request; cf. Def. B.3) as a quadruple $(S_1, S_2, O, {}^{\gamma}G) \in \mathcal{S}^+ \times \mathcal{S}^+ \times \mathcal{O} \times {}^{\gamma}\mathcal{G}$ with ${}^{\gamma}\mathcal{G} := \mathcal{A} \cup \{\emptyset\} \cup \mathcal{P}(\mathcal{SCB})$. Then ${}^{\gamma}\mathcal{R} := \mathcal{S}^+ \times \mathcal{S}^+ \times \mathcal{O} \times {}^{\gamma}\mathcal{G}$ is the set of γ-requests ${}^{\gamma}R_i$.

Definition 5.34 (γ-request sequence) A γ-request sequence is (analogously to a c-request sequence; cf. Def. B.4) an arbitrary number of timely ordered γ-requests ${}^{\gamma}R_i \in {}^{\gamma}\mathcal{R}$. Then ${}^{\gamma}\mathcal{X} := {}^{\gamma}\mathcal{R}^{\mathbb{N}}$ is the set of γ-request sequences ${}^{\gamma}X_i$.

Definition 5.35 (γ-system) Let ${}^{\gamma}\mathcal{W} \subset {}^{\gamma}\mathcal{R} \times \mathcal{D} \times {}^{\gamma}\mathcal{V} \times {}^{\gamma}\mathcal{V}$. A γ-system ${}^{\gamma}\Sigma({}^{\gamma}\mathcal{R}, \mathcal{D}, {}^{\gamma}\mathcal{W}, {}^{\gamma}z_0) \subset {}^{\gamma}\mathcal{X} \times \mathcal{Y} \times {}^{\gamma}\mathcal{Z}$ is defined (analogously to a c-system; cf. Def. B.5) by $({}^{\gamma}X, Y, {}^{\gamma}Z) \in {}^{\gamma}\Sigma({}^{\gamma}\mathcal{R}, \mathcal{D}, {}^{\gamma}\mathcal{W}, {}^{\gamma}z_0)$ if and only if $({}^{\gamma}X_t, Y_t, {}^{\gamma}Z_t, {}^{\gamma}Z_{t-1}) \in {}^{\gamma}\mathcal{W}$ for each $t \in \mathbb{N}$, where ${}^{\gamma}z_0 := (\emptyset, M, SCB)$ is the initial state with $M \in \mathcal{M}$ the initial access matrix and $SCB \subseteq \mathcal{SCB}$ the initial security bindings. ${}^{\gamma}\mathcal{W}$ is the γ-state transition relation.

Further, a generalised form of the simple-security property and the ∗-property is defined analogously to the properties of the models for confidentiality (cf. Section 5.2.2.2) and integrity (cf. Section 5.2.2.4).

Definition 5.36 (General simple-security property) $(S, O, A) \in \mathcal{S} \times \mathcal{O} \times \mathcal{A}$ satisfies the general security condition relative to $SCB \subseteq \mathcal{SCB}$ if and only if

(i) $(A = e) \vee (A = a) \vee (A = c)$; or

(ii) $((A = r) \vee (A = w)) \wedge (scb(O) \mapsto scb(S))$

with $scb(S) \in SCB$ the security binding of subject $S$ and $scb(O) \in SCB$ the security binding of object $O$.

Analogously to the simple-security property (cf. Def. 5.18), secure and compromise are defined for γ-states, γ-state sequences, appearances of a γ-system and a γ-system.

Definition 5.37 (General ∗-property) Let $b(S : A_1, \ldots, A_k) := \{O \in \mathcal{O} : \exists i \in \{1, \ldots, k\} : (S, O, A_i) \in b\}$, where $k \in \mathbb{N}$, $A_1, \ldots, A_k \in \mathcal{A}$, and $b$ is the set of current accesses of the respective γ-state (cf. Def. 5.31); that is, $b(S : A_1, \ldots, A_k)$ is the set of objects that $S$ currently holds in at least one of the listed access modes.

Analogously to Def. 5.25, a γ-state ${}^{\gamma}V = (b, M, SCB) \in {}^{\gamma}\mathcal{V}$ satisfies the general ∗-property if and only if

$\forall S \in \mathcal{S} : \big(b(S : w, a) \neq \emptyset \wedge b(S : r, w) \neq \emptyset\big) \Rightarrow \forall O_1 \in b(S : r, w),\, O_2 \in b(S : w, a) : scb(O_1) \mapsto scb(O_2)$,

with $scb(O_1), scb(O_2) \in SCB \subseteq \mathcal{SCB}$ the security bindings of objects $O_1$ and $O_2$, respectively.

Analogously to the general security condition (cf. Def. 5.36), satisfaction of the general ∗-property is defined for γ-state sequences, appearances of a γ-system, and a γ-system.

Further, the rules for a secure system are defined analogously to the models for confidentiality (cf. Section 5.2.2.2) and integrity (cf. Section 5.2.2.4).

Definition 5.38 (γ-rule) A γ-rule is (analogously to a c-rule; cf. Def. B.6) a function ${}^{\gamma}\rho : {}^{\gamma}\mathcal{R} \times {}^{\gamma}\mathcal{V} \to \mathcal{D} \times {}^{\gamma}\mathcal{V}$. A γ-rule maps a γ-request and a γ-state to a decision and a γ-state.

A γ-rule ${}^{\gamma}\rho$ is security preserving if and only if

$\forall ({}^{\gamma}R, {}^{\gamma}V) \in {}^{\gamma}\mathcal{R} \times {}^{\gamma}\mathcal{V}\ \exists D \in \mathcal{D}\ \exists {}^{\gamma}V' \in {}^{\gamma}\mathcal{V} : {}^{\gamma}\rho({}^{\gamma}R, {}^{\gamma}V) = (D, {}^{\gamma}V') \wedge \big({}^{\gamma}V \text{ is a secure γ-state} \Rightarrow {}^{\gamma}V' \text{ is a secure γ-state}\big)$.

Analogously, a γ-rule ${}^{\gamma}\rho$ is ∗-property preserving if and only if, whenever the γ-state ${}^{\gamma}V$ satisfies the general ∗-property, the resulting γ-state ${}^{\gamma}V'$ satisfies the general ∗-property as well.

The handling of γ-requests by a γ-rule and the response of a γ-system are defined analogously to rules and systems (cf. Def. 5.20).

Definition 5.39 (10 γ-rules for a secure γ-system) Analogously to ${}^{c}\Omega$ and ${}^{i}\Omega$ (and therefore analogously to the rules for a secure system $\Omega$ defined by LaPadula et al. [127]), ${}^{\gamma}\Omega := \{{}^{\gamma}\rho_1, \ldots, {}^{\gamma}\rho_{10}\}$ is the set of γ-rules for a secure γ-system, where ${}^{\gamma}\rho_i := \rho_i$ for $i \in \{3, 5, 6, 7, 9, 10\}$ and ${}^{\gamma}\rho_1, {}^{\gamma}\rho_2, {}^{\gamma}\rho_4, {}^{\gamma}\rho_8$ are defined as follows, with $scb(S), scb(O), scb(O') \in SCB$ the respective security bindings of subject $S \in \mathcal{S}$ and objects $O, O' \in \mathcal{O}$:

• γ-Rule 1 (get-read) ${}^{\gamma}\rho_1$: A subject $S$ gets read access to an object $O$ if:

(i) (security preserving) the access attribute $r$ is an element of the corresponding entry of the access matrix, and $scb(O) \mapsto scb(S)$; and

(ii) (∗-property preserving) for all objects $O'$ that $S$ can write to (i.e., holds in append or write mode): $scb(O) \mapsto scb(O')$.

• γ-Rule 2 (get-append) ${}^{\gamma}\rho_2$: A subject $S$ gets append access to an object $O$ if:

(i) (security preserving) the access attribute $a$ is an element of the corresponding entry of the access matrix; and

(ii) (∗-property preserving) for all objects $O'$ that $S$ can read from (i.e., holds in read or write mode): $scb(O') \mapsto scb(O)$.

• γ-Rule 4 (get-write) ${}^{\gamma}\rho_4$: A subject $S$ gets write access to an object $O$ if:

(i) (security preserving) the access attribute $w$ is an element of the corresponding entry of the access matrix, and $scb(O) \mapsto scb(S)$;

(ii) (∗-property preserving [append]) for all objects $O'$ that $S$ holds in append mode: $scb(O) \mapsto scb(O')$;

(iii) (∗-property preserving [read]) for all objects $O'$ that $S$ holds in read mode: $scb(O') \mapsto scb(O)$; and

(iv) (∗-property preserving [write]) for all objects $O'$ that $S$ holds in write mode: $scb(O') = scb(O)$.

• γ-Rule 8 (change-SCB) ${}^{\gamma}\rho_8$: A subject $S$ can change the security bindings $SCB \subseteq \mathcal{SCB}$ if:

(i) (security preserving/∗-property preserving) $S$ changes only security bindings of objects that no subject currently has access to.

• γ-Rules 3, 5, 6, 7, 9, 10 are constructed analogously to the rules 3, 5, 6, 7, 9, 10 (respectively) of $\Omega$, since these rules describe general system behaviour, which does not change
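The following Python sketch is an added example and not part of the thesis: it implements the general simple-security condition (Def. 5.36), the general ∗-property (Def. 5.37) and γ-rules 1, 2, 4 and 8 (Def. 5.39) as a small reference monitor over an arbitrary finite partial order of security classes, so that the per-rule flow conditions can be exercised against concrete requests. The three-class chain L ↦ M ↦ H, the subject alice, the objects pub, memo and secret, and all function names are constructed for this example.

```python
"""Added example: a reference monitor for the general (γ) model. The chain
L ↦ M ↦ H, the subject and the objects below are constructed sample input."""
from dataclasses import dataclass

R, W, E, A, C = "r", "w", "e", "a", "c"   # access attributes 𝒜 = {r, w, e, a, c}
RANK = {"L": 0, "M": 1, "H": 2}           # constructed sample lattice (a chain)

def flows(sc1, sc2):
    """Flow relation sc1 ↦ sc2: information may move from class sc1 to sc2."""
    return RANK[sc1] <= RANK[sc2]

@dataclass(frozen=True)
class GammaState:
    b: frozenset   # current accesses {(S, O, A)}
    M: dict        # access matrix: (S, O) -> set of permitted attributes
    scb: dict      # security bindings: subject or object -> security class

    def b_of(self, s, *attrs):
        """b(S : A1, ..., Ak): objects S currently holds in any listed mode."""
        return {o for (subj, o, a) in self.b if subj == s and a in attrs}

    def with_access(self, s, o, a):
        return GammaState(self.b | {(s, o, a)}, self.M, self.scb)

def simple_security_ok(state, s, o, a):
    """General simple-security condition (Def. 5.36) for one access (S, O, A)."""
    if a in (E, A, C):
        return True
    return a in (R, W) and flows(state.scb[o], state.scb[s])

def secure(state):
    """A γ-state is secure iff every current access satisfies Def. 5.36."""
    return all(simple_security_ok(state, *acc) for acc in state.b)

def star_property_ok(state):
    """General ∗-property (Def. 5.37): everything a subject observes (r, w)
    must flow to everything that subject alters (w, a)."""
    for s in {s for (s, _, _) in state.b}:
        for o1 in state.b_of(s, R, W):
            for o2 in state.b_of(s, W, A):
                if not flows(state.scb[o1], state.scb[o2]):
                    return False
    return True

def get_read(st, s, o):
    """γ-Rule 1 (get-read), conditions (i) and (ii) of Def. 5.39."""
    if not (R in st.M.get((s, o), ()) and flows(st.scb[o], st.scb[s])):
        return "no", st                                               # (i)
    if not all(flows(st.scb[o], st.scb[o2]) for o2 in st.b_of(s, W, A)):
        return "no", st                                               # (ii)
    return "yes", st.with_access(s, o, R)

def get_append(st, s, o):
    """γ-Rule 2 (get-append): (i) needs no class check, append may flow upwards."""
    if A not in st.M.get((s, o), ()):
        return "no", st                                               # (i)
    if not all(flows(st.scb[o1], st.scb[o]) for o1 in st.b_of(s, R, W)):
        return "no", st                                               # (ii)
    return "yes", st.with_access(s, o, A)

def get_write(st, s, o):
    """γ-Rule 4 (get-write): write both observes and alters, hence (ii)-(iv)."""
    if not (W in st.M.get((s, o), ()) and flows(st.scb[o], st.scb[s])):
        return "no", st                                               # (i)
    if not all(flows(st.scb[o], st.scb[o2]) for o2 in st.b_of(s, A)):
        return "no", st                                               # (ii)
    if not all(flows(st.scb[o1], st.scb[o]) for o1 in st.b_of(s, R)):
        return "no", st                                               # (iii)
    if not all(st.scb[o2] == st.scb[o] for o2 in st.b_of(s, W)):
        return "no", st                                               # (iv)
    return "yes", st.with_access(s, o, W)

def change_scb(st, o, new_class):
    """γ-Rule 8 (change-SCB): only for objects no subject currently holds."""
    if any(obj == o for (_, obj, _) in st.b):
        return "no", st
    scb = dict(st.scb)
    scb[o] = new_class
    return "yes", GammaState(st.b, st.M, scb)

def run_scenario():
    """Constructed scenario: alice is bound to M and the matrix permits her
    everything, so every refusal comes from the flow conditions, not from M."""
    bindings = {"alice": "M", "pub": "L", "memo": "M", "secret": "H"}
    matrix = {("alice", o): {R, W, A} for o in ("pub", "memo", "secret")}
    st = GammaState(frozenset(), matrix, bindings)         # γz0 = (∅, M, SCB)
    decisions = []
    for rule, o in [(get_read, "secret"),     # no: H does not flow to M
                    (get_read, "pub"),        # yes: L ↦ M
                    (get_append, "secret"),   # yes: pub (L) ↦ secret (H)
                    (get_write, "pub"),       # yes: compatible with pub, secret
                    (get_read, "memo")]:      # no: memo (M) would flow into pub (L)
        d, st = rule(st, "alice", o)
        decisions.append(d)
    d, st = change_scb(st, "pub", "H")        # no: alice holds pub
    decisions.append(d)
    d, st = change_scb(st, "memo", "L")       # yes: nobody holds memo
    decisions.append(d)
    return decisions, st
```

Running run_scenario() yields the decisions no, yes, yes, yes, no, no, yes: the read of secret is refused by the simple-security condition (no read up), the read of memo is refused by rule 1 (ii) because alice already writes to pub at the lower class L, and the binding of pub cannot be changed while alice holds it. Because each rule checks the flow conditions of Def. 5.39 before granting, secure() and star_property_ok() hold for the state after every step, which is the invariant Theorem 5.5 states for a γ-system using these rules.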

Having defined the model, it is possible to formulate the General Security Theorem analogously to the Confidentiality Theorem (cf. Theorem 5.3) and the Integrity Theorem (cf. Theorem 5.4).

Theorem 5.5 (General Security Theorem) Each γ-rule in ${}^{\gamma}\Omega$ is security preserving and ∗-property preserving. Further, a γ-system ${}^{\gamma}\Sigma({}^{\gamma}\mathcal{R}, \mathcal{D}, {}^{\gamma}\mathcal{W}, {}^{\gamma}z_0)$ using ${}^{\gamma}\Omega$ is secure and satisfies the general ∗-property if ${}^{\gamma}z_0$ is a secure γ-state which satisfies the general ∗-property.

Proof The proof is analogous to part (iii) of the proof of Lemma 5.1, using the generalised definitions instead of the confidentiality definitions, and in particular using the fact that $(\mathcal{SC}, \mapsto)$ is partially ordered (which is a necessary prerequisite, cf. Remark 5.6) in conjunction with the general simple-security property (cf. Def. 5.36) and the general ∗-property (cf. Def. 5.37).

Remark 5.8 (Modelling confidentiality and integrity) Confidentiality can be modelled in the general model for information flow control by defining $\mathcal{SC} := {}^{c}\mathcal{SC}$, which implies ${}^{\gamma}\Sigma({}^{\gamma}\mathcal{R}, \mathcal{D}, {}^{\gamma}\mathcal{W}, {}^{\gamma}z_0) = {}^{c}\Sigma({}^{c}\mathcal{R}, \mathcal{D}, {}^{c}\mathcal{W}, {}^{c}z_0)$. Integrity can be modelled similarly by defining $\mathcal{SC} := {}^{i}\mathcal{SC}$, which implies ${}^{\gamma}\Sigma({}^{\gamma}\mathcal{R}, \mathcal{D}, {}^{\gamma}\mathcal{W}, {}^{\gamma}z_0) = {}^{i}\Sigma({}^{i}\mathcal{R}, \mathcal{D}, {}^{i}\mathcal{W}, {}^{i}z_0)$. Further, confidentiality and integrity can be modelled at the same time by using combined security classes defined as pairs of confidentiality and integrity classes [175]: ${}^{c,i}\mathcal{SC} := {}^{c}\mathcal{SC} \times {}^{i}\mathcal{SC}$ (the full product, so that $\oplus$ and $\otimes$ are totally defined) with ${}^{c,i}SC_i = ({}^{c}SC_i, {}^{i}SC_i) \in {}^{c,i}\mathcal{SC}$, where ${}^{c}SC_i \in {}^{c}\mathcal{SC}$ and ${}^{i}SC_i \in {}^{i}\mathcal{SC}$. Allowed information flow is defined componentwise: ${}^{c,i}SC_1 \mapsto {}^{c,i}SC_2$ if and only if ${}^{c}SC_1 \mapsto {}^{c}SC_2$ and ${}^{i}SC_1 \mapsto {}^{i}SC_2$, where ${}^{c,i}SC_1, {}^{c,i}SC_2 \in {}^{c,i}\mathcal{SC}$, ${}^{c}SC_1, {}^{c}SC_2 \in {}^{c}\mathcal{SC}$, and ${}^{i}SC_1, {}^{i}SC_2 \in {}^{i}\mathcal{SC}$. Then $({}^{c,i}\mathcal{SC}, \mapsto)$ is partially ordered and finite, because ${}^{c}\mathcal{SC}$ and ${}^{i}\mathcal{SC}$ are partially ordered and finite and the componentwise order on a product of two partial orders is again a partial order. Therefore Denning's Axioms apply (cf. Theorem 5.2) and $({}^{c,i}\mathcal{SC}, \mapsto, \oplus, \otimes)$ is a lattice with lower bound ${}^{c,i}SC_L = ({}^{c}SC_L, {}^{i}SC_L)$ and upper bound ${}^{c,i}SC_H = ({}^{c}SC_H, {}^{i}SC_H)$, whose operators act componentwise, i.e. ${}^{c,i}SC_1 \oplus {}^{c,i}SC_2 = ({}^{c}SC_1 \oplus {}^{c}SC_2,\ {}^{i}SC_1 \oplus {}^{i}SC_2)$.
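As an added example (not from the thesis), the following Python code builds the combined classes of Remark 5.8 from two constructed component lattices, a confidentiality chain public ↦ internal ↦ secret and an integrity chain in which information flows from trusted to checked to untrusted, and checks Denning's Axioms on the product. All class names and function names are this example's own.

```python
"""Added example: the combined confidentiality/integrity classes of Remark 5.8
as a product lattice. Both component lattices are constructed sample input."""
from itertools import product

# Confidentiality classes cSC: information may flow from lower to higher secrecy.
C_RANK = {"public": 0, "internal": 1, "secret": 2}
def c_flows(a, b):
    return C_RANK[a] <= C_RANK[b]

# Integrity classes iSC (Biba): information may flow from higher to lower
# integrity, so the flow relation runs against the trust ranking.
I_RANK = {"untrusted": 0, "checked": 1, "trusted": 2}
def i_flows(a, b):
    return I_RANK[a] >= I_RANK[b]

# c,iSC := cSC × iSC with the componentwise flow relation of Remark 5.8.
CI_CLASSES = list(product(C_RANK, I_RANK))
def ci_flows(sc1, sc2):
    return c_flows(sc1[0], sc2[0]) and i_flows(sc1[1], sc2[1])

def is_partial_order(classes, flows):
    """Reflexive, antisymmetric and transitive on a finite set of classes."""
    refl = all(flows(a, a) for a in classes)
    anti = all(a == b or not (flows(a, b) and flows(b, a))
               for a in classes for b in classes)
    trans = all(flows(a, c) or not (flows(a, b) and flows(b, c))
                for a in classes for b in classes for c in classes)
    return refl and anti and trans

def join(classes, flows, a, b):
    """⊕, the class-combining (least upper bound) operator; None if absent."""
    ups = [u for u in classes if flows(a, u) and flows(b, u)]
    return next((u for u in ups if all(flows(u, v) for v in ups)), None)

def meet(classes, flows, a, b):
    """⊗, the greatest lower bound operator; None if absent."""
    lows = [l for l in classes if flows(l, a) and flows(l, b)]
    return next((l for l in lows if all(flows(m, l) for m in lows)), None)

def bounds(classes, flows):
    """(SC_L, SC_H): the class that flows to every class, and the class every
    class flows to."""
    lo = next(l for l in classes if all(flows(l, x) for x in classes))
    hi = next(h for h in classes if all(flows(x, h) for x in classes))
    return lo, hi

def dennings_axioms_hold(classes, flows):
    """Prerequisites of Theorem 5.2: (SC, ↦) is a finite partial order with a
    lower bound and a totally defined least upper bound operator ⊕."""
    if not is_partial_order(classes, flows):
        return False
    has_lower_bound = any(all(flows(l, x) for x in classes) for l in classes)
    join_total = all(join(classes, flows, a, b) is not None
                     for a in classes for b in classes)
    return has_lower_bound and join_total
```

In the flow order the bounds come out as (public, trusted) for ${}^{c,i}SC_L$ and (secret, untrusted) for ${}^{c,i}SC_H$: the class everything may flow to combines the highest secrecy with the lowest integrity, so the "H" of the integrity component is the least trusted class, not the most trusted one. A flow from (public, untrusted) to (secret, trusted) is permitted by the confidentiality component alone but refused by the combined relation, which is the point of modelling both properties at once.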