Page 80 - DCAP516_COMPUTER_SECURITY
7.4 Models of Security
It is common practice, when we want to understand a subject, to build a logical model and study
that logical model. Of course, the logical model is useful only to the extent that it corresponds to
the real system, but we can try to get better models. Models of security are used for a number of
purposes.
1. To test the policy for consistency and adequate coverage.
2. To document the policy.
3. To validate the policy; i.e. to determine that the policy meets its requirements.
There are many useful models of security, most of which focus on multi-level security. We shall
discuss some of these, despite this author’s documented skepticism that multi-level security
systems are feasible with today’s hardware running today’s operating systems.
Multi-Level Security
The idea of multi-level security is that some data are more sensitive than others. When we try to
formalize a model of multi-level security using the most obvious model, we arrive at a slight
problem. Consider the four traditional security classifications and their implied order.
Unclassified ≤ Confidential ≤ Secret ≤ Top Secret
This is an example of what mathematicians call a total ordering. A total ordering is a special case
of an ordering on a set. We first define partial ordering.
A partial order (or partial ordering) is defined for a set S as follows.
1. There is an equality operator, =, and by implication an inequality operator, ≠.
Any two elements of the set, a ∈ S and b ∈ S, can be compared:
either a = b or a ≠ b. All sets share this property.
2. There is an ordering operator ≤, and by implication the operator ≥.
If a ≤ b, then b ≥ a. Note that the operator could be indicated by another symbol.
The operator is reflexive: for any a ∈ S, a ≤ a.
3. The operator is transitive.
For any a ∈ S, b ∈ S, c ∈ S, if a ≤ b and b ≤ c, then a ≤ c.
4. The operator is antisymmetric.
For any a ∈ S, b ∈ S, if a ≤ b and b ≤ a, then a = b.
If, in addition to the above requirements for a partial ordering, it is the case that for any two
elements a ∈ S, b ∈ S, that either a ≤ b or b ≤ a, then the relation is a total ordering. We are fairly
familiar with sets that support a total ordering; consider the set of positive integers.
In models of the security world, it is often the case that two items cannot be compared by an
ordering operator. A label usually carries more than a classification level; for instance, two
items both classified Secret but restricted to different compartments are neither ≤ nor ≥ one
another, and a total ordering cannot express this. It has been found that the mathematical
object called a lattice provides a better model of security.
A lattice is a set S that supports a partial order, with the following additional requirements.
1. Every pair of elements a ∈ S, b ∈ S possesses a least upper bound (join), written a ∨ b; i.e.,
there is an element u ∈ S such that a ≤ u and b ≤ u, and u ≤ u′ for every other upper bound u′
of a and b.
2. Every pair of elements a ∈ S, b ∈ S possesses a greatest lower bound (meet), written a ∧ b; i.e.,
there is an element l ∈ S such that l ≤ a and l ≤ b, and l′ ≤ l for every other lower bound l′
of a and b.
A merely common upper bound is not enough: it is the least such bound that gives a unique, lowest
label dominating both a and b, which is what a security model needs when it assigns a label to
an object derived from two others.
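As an added illustration (not code from the original text), the following Python model builds
security labels and checks the definitions above by brute force. It assumes the standard
construction of a label as a classification level paired with a set of compartments (categories),
which this section does not define; the level names are the four listed earlier, and the compartment
names CRYPTO and NUCLEAR are constructed sample data. The code verifies reflexivity, transitivity
and antisymmetry, shows that the labels are partially but not totally ordered, computes join and
meet, and distinguishes a set that merely has common bounds from one that is a genuine lattice.

```python
"""Security labels as a lattice (added example, not from the original text).

A label is (level, categories): level indexes the ordered list LEVELS,
categories is a frozenset of compartment names (assumed construction).
Label a dominates label b (b <= a) iff a.level >= b.level and
b.categories is a subset of a.categories.
"""
from itertools import product

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


def label(level_name, *categories):
    """Build a label from a level name and zero or more compartment names."""
    return (LEVELS.index(level_name), frozenset(categories))


def dominates(a, b):
    """True iff b <= a in the label ordering."""
    return a[0] >= b[0] and b[1] <= a[1]


def comparable(a, b):
    """True iff a and b are ordered in at least one direction."""
    return dominates(a, b) or dominates(b, a)


def join(a, b):
    """Least upper bound a ∨ b: the lowest label that dominates both."""
    return (max(a[0], b[0]), a[1] | b[1])


def meet(a, b):
    """Greatest lower bound a ∧ b: the highest label both dominate."""
    return (min(a[0], b[0]), a[1] & b[1])


def is_partial_order(elements):
    """Brute-force check of reflexivity, antisymmetry and transitivity."""
    if not all(dominates(a, a) for a in elements):
        return False
    for a, b in product(elements, repeat=2):
        if dominates(a, b) and dominates(b, a) and a != b:
            return False
    for a, b, c in product(elements, repeat=3):
        if dominates(b, a) and dominates(c, b) and not dominates(c, a):
            return False
    return True


def is_total_order(elements):
    """A partial order in which every pair is comparable."""
    return is_partial_order(elements) and all(
        comparable(a, b) for a, b in product(elements, repeat=2))


def is_lattice(elements):
    """Every pair needs a join and a meet inside the set, and each must be
    least/greatest among the common bounds, not merely a common bound."""
    elems = set(elements)
    if not is_partial_order(elements):
        return False
    for a, b in product(elements, repeat=2):
        j, m = join(a, b), meet(a, b)
        if j not in elems or m not in elems:
            return False
        for u in elems:
            if dominates(u, a) and dominates(u, b) and not dominates(u, j):
                return False
            if dominates(a, u) and dominates(b, u) and not dominates(m, u):
                return False
    return True


def all_labels(categories):
    """The full lattice: every (level, subset of categories) combination."""
    cats = list(categories)
    subsets = [frozenset(c for c, keep in zip(cats, bits) if keep)
               for bits in product([0, 1], repeat=len(cats))]
    return [(lvl, s) for lvl in range(len(LEVELS)) for s in subsets]


def format_label(lab):
    """Render a label as e.g. 'Secret{CRYPTO,NUCLEAR}'."""
    lvl, cats = lab
    return LEVELS[lvl] + ("{" + ",".join(sorted(cats)) + "}" if cats else "")


if __name__ == "__main__":
    plain = [label(n) for n in LEVELS]            # levels only: a total order
    full = all_labels(["CRYPTO", "NUCLEAR"])      # constructed sample compartments
    s_crypto, s_nuclear = label("Secret", "CRYPTO"), label("Secret", "NUCLEAR")
    print("levels only: total order?", is_total_order(plain))
    print("with compartments: partial?", is_partial_order(full),
          "total?", is_total_order(full), "lattice?", is_lattice(full))
    print(format_label(s_crypto), "vs", format_label(s_nuclear),
          "comparable?", comparable(s_crypto, s_nuclear))
    print("join:", format_label(join(s_crypto, s_nuclear)),
          "meet:", format_label(meet(s_crypto, s_nuclear)))
    print("subset without the join is a lattice?",
          is_lattice([label("Unclassified"), s_crypto, s_nuclear]))
```

The last check is the one that matters for the definition: the three labels Unclassified,
Secret{CRYPTO} and Secret{NUCLEAR} form a partial order and share common upper bounds in the
full label space, but the set itself contains no least upper bound of the two Secret labels,
so it is not a lattice.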