Lattice

• A lattice is a mathematical structure that can be used as a framework for representing and clarifying the relationships between security labels.
• Mathematics is important to model and investigate certain aspects of computer system security
• mathematical models can reveal relationships and characteristics that are otherwise not apparent

Components of a Lattice

• A set S of discrete elements
• A partial ordering binary relation R on the elements of S
• A function called join that provides the unique least upper bound of any two elements in S
• A function called meet that provides the unique greatest lower bound of any two elements in S

Lattice Functions Join and Meet

• If a and b are in S then join(a,b) is the element c in S such that c is the unique least element for which (c R a) and (c R b)
• If a and b are in S then meet(a,b) is the element c in S such that c is the unique greatest element for which (a R c) and (b R a)

The Lattice of Security Labels

• S is the set labels
• R is the relationship dominates
• If x is an element of the lattice then: x = (labels, dominates, join, meet)
• The lattice is a four component structure or four-tuple consisting of:
• labels
• the relationship between labels, dominates
• join, the GLB, and meet, the LUB

Mathematical Security Modeling

• Does the use of mathematical structures like sets, relations, and lattices have anything to do with practical security problems?
• Two opinions prevail:
• accept that problems will always exist in computer systems, the reactive approach
• design systems with the use of mathematics that do not have security problems
• Most security people recognize the benefits of both approaches

Security Policies

• Security policies are sets of rules that must be enforced to mediate subject accesses to objects on a computer system
• expressed formally (with mathematical expressions)
• expressed informally (UNIX System V/MLS)
• Each policy must be expressed with respect to a specific security system that is described by a specification

Bell-La Padula (BLP) Confidentiality Model

• A formal description of allowable paths of information flow in a secure system
• Simple Security Property:
• A subject s may have read access to an object o only if the clearance of the subject dominates the classification of the object
• *-Property
• A subject s may have write access to an object o only if the classification of the object dominates the clearance of the subject

Biba Integrity Model

• A formal description of a model that prevents inappropriate modification of data
• Simple Integrity Property:
• A subject s may modify an object o only if the clearance of the subject dominates the classification of the object
• Integrity *-Property
• A subject s with read access to an object o can modify an object p only if the classification of o dominates the classification of p

Commercial Security Policies

• Clark-Wilson (integrity)
• a set of rules for a well formed transaction
• separation of duty (usually two signatures)
• Chinese Wall (confidentiality)
• Objects are owned by Company Groups which belong to Conflict Classes
• A conflict of interest occurs when a person can access information on competing companies