Q: Computer Security model ( Answered 5 out of 5 stars,   1 Comment )
Question  
Subject: Computer Security model
Category: Science > Math
Asked by: zorroww-ga
List Price: $25.00
Posted: 26 Sep 2006 07:03 PDT
Expires: 26 Oct 2006 07:03 PDT
Question ID: 768520
I have some questions to solve. Problem is about computer security.

Assume basic classes
S (subjects),
O (objects) and
L (security levels), equipped with a total order. L has a minimal
element b and a maximal element t.

Every subject and object is assigned a security level, which is
expressed by cl (classification). Functions, cl: S->L and O->L.

1.    Formally express that a subject can only read objects that are
from a lower security level.

2.    Rather than expressing that a subject shall only write objects
to higher security levels, the model will be refined in the following
way. In addition to the static classification of subjects (through
cl), there is an introduction of a dynamic "write-classification" of
subject s. This is denoted by "wcl(s)" of type L, which expresses that
s is allowed to write to security levels above wcl(s). After a
read-event the write-classification may be adjusted as to assure
confidentiality of all data read until now. What should be the initial
value of wcl(s)? Formally express how, after reading object o, the new
value of wcl(s) depends on the old value of wcl(s).

3.    Lastly, the model is extended by introducing a "forget(s,o)" event.
This event expresses that object o is removed from the knowledge of
subject s. After this event, the "write-classification" must be
adjusted to the new situation. Formally express how, after forgetting
object o, the new value of wcl(s) depends on the old value of wcl(s).

Any suggestion?? Thank you for your time.

Request for Question Clarification by maniac-ga on 27 Sep 2006 17:50 PDT
Hello Zorroww,

Hmm. I can't tell from your question how you want to "formally
express" the relationships, so I'll provide an outline of the
solutions in terms of pseudo code and text. Let me know if this is
sufficient (then I'll rewrite this as an answer) or if not - what
format you need to formally express the solution.

I'll use cl(O) to refer to O's security level & cl(S) to refer to S's
security level.
I will use wcl(S) to refer to the same concept you've described as well.

[1] Reading objects below (and at??) S's security level.

  if cl(O) < cl(S) then
    SUCCESS
  else
    FAILURE
  end if

(change to <= if "at" S's security level is OK)

Why - because cl(S) represents the upper limit on data (the O's) that S can read.

[2] Writing data based on data "read" up to this point.

a. Initial value
  wcl(S) = b

Why - because that's the lowest security level.

b. After reading object O

  if cl(O) > wcl(S) then
    wcl(S) = cl(O)
  end if

Why - if O is a higher classification level than wcl(S) [and less than
cl(S)], then you need to increase wcl(S) to cl(O).

Note - for a proper answer in the third part - you must remember ALL
the objects read by S to this point - perhaps in a list associated
with S.

[3] Adding "forget"

I can't easily express this in pseudo code, but let's walk through the solution.

Note that unlike the answer to [2], wcl(S) depends on the maximum
level of ALL the objects read to the current time by S. The simple
solution I provided for [2] needs to be augmented to implement forget
by remembering the objects read to the current time. Based on that,
let's say you have a list like

  [O1, O2, ..., O10]

to remember that you've read objects O1 through O10. wcl(S) is the
maximum of cl(On) of those objects. When you "forget" an object like
O3, you need to remove O3 from the list, yielding

  [O1, O2, O4, O5, ..., O10]

and wcl(S) will now be computed as max(cl(On)) for the remaining
objects in that list.

Please indicate if this is adequate as an answer or provide the
information requested above (the format of your "formal language" to
express the solutions) so I can complete the answer.

  --Maniac

Clarification of Question by zorroww-ga on 28 Sep 2006 03:05 PDT
Hello Maniac,

Thanks for helping. From this point I can solve the question by myself. 

I ask you for one more opinion:

Maniac:
"[1] Reading objects below (and at??) S's security level."

No, it is below.
Therefore I wonder about question 2. You solve it with:

  if cl(O) > wcl(S) then
    wcl(S) = cl(O)
  end if

But now wcl(S)>=cl(O). A +1 behind wcl(S) seems to be impossible to me
because you can get out of bounds (N+1). Do I see this right??

You have given me the information to solve it, so this answer is adequate to me.
Answer  
Subject: Re: Computer Security model
Answered By: maniac-ga on 28 Sep 2006 18:02 PDT
Rated:5 out of 5 stars
 
Hello Zorroww,

I am glad to help. Let me walk through the general approach for
security between subjects and objects as well as clarifying the
answers for the specific questions.

To clarify for "usrhlp" and others reading this for the first time,
the general name for the type of classification and access control
mechanisms you are referring to is often called "Multi Level Security"
(MLS). In an MLS, the system is controlling access by programs (and
users / subjects) to the files (or objects) on the system based on some
relatively simple methods such as:
 o information at a higher level cannot be accessed at a lower level,
as a result, a subject cannot read files above their "maximum"
security level
 o information at a lower level should not be stored at a higher level
[though your example explicitly allows this]
A lot of the basic research on this was done in the late 1970's and early 1980's.
  http://csrc.nist.gov/publications/history/index.html
is a good reference for publications made during that period. There
are plenty of other references available, a search for a phrase such
as
  multi level security
  B1 computer security
  computer security model

To answer the specific questions in light of the clarification you made:

I'll use cl(O) to refer to O's security level & cl(S) to refer to S's
security level. I will use wcl(S) to refer to the same concept you've
described as well.

[1] Reading objects below S's read security level.

  if cl(O) < cl(S) then
    SUCCESS
  else
    FAILURE
  end if

Let me note that if cl(S) = b, then S cannot read ANY object on this
system (due to the inequality check). Let me also note that if cl(O) =
t, that object cannot be read by ANY subject (ditto).

Why - because cl(S) represents the upper limit on data (the O's) that S can read.

[2] Writing data based on data "read" up to this point.

a. Initial value
  wcl(S) = b

Why - because that's the lowest security level.

b. After reading object O

  if cl(O) > wcl(S) then
    wcl(S) = cl(O)
  end if

Why - if O is at or below wcl(S), we don't need to update wcl(S). If
you read a higher classification level than wcl(S) [and less than
cl(S) since you could read it], then you need to increase wcl(S) to
cl(O).

Note that since your definition of wcl(S) means that S must write to
cl's higher than wcl(S), the minimum level you can write to is "b+1"
or higher. Also note in the answer to [1] you cannot read data at
level "t" - so the highest level of object that can be read is "t-1"
which would set wcl(S) to "t-1", requiring writes to level "t" - which
is data that cannot be read (or "write only data")!

Note - for a proper answer in the third part - you must remember ALL
the objects read by S to this point - perhaps in a list associated
with S.

[3] Adding "forget"

I can't easily express this in pseudo code, but let's walk through the solution.

Note that unlike the answer to [2], wcl(S) with the presence of
"forget" depends on the maximum level of ALL the objects read to the
current time by S. The simple solution I provided for [2] needs to be
augmented to implement forget by remembering the objects read to the
current time. Based on that, let's say you have a list like

  [O1, O2, ..., O10]

to remember that you've read objects O1 through O10. wcl(S) is the
maximum of cl(On) of those objects. When you "forget" an object like
O3, you need to remove O3 from the list, yielding

  [O1, O2, O4, O5, ..., O10]

and wcl(S) will now be computed as max(cl(On)) for the remaining
objects in that list.

The same comments added to the end of [2] also apply to this solution as well.

Please make a clarification request if some part of the answer is
unclear or if you need additional information on some part of the
answer. I would be glad to help.

Good luck with your work.

  --Maniac
zorroww-ga rated this answer:5 out of 5 stars
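
The model described in the answer above, as an added example that is not part of the original answer: a small reference monitor with the strict read rule from [1], the write-classification from [2] and "forget" from [3]. Modelling levels as integers B..T and the names Monitor, demo, alice, guest and the object names are assumptions made for the illustration.

```python
# Added illustration: a tiny reference monitor for the model in the answer.
# Levels are modelled as integers B..T (an assumption; the question only
# requires a total order with a minimum b and a maximum t).
B, T = 0, 3


class Monitor:
    def __init__(self, subject_levels, object_levels):
        self.cl_s = dict(subject_levels)   # cl: S -> L
        self.cl_o = dict(object_levels)    # cl: O -> L
        # Objects each subject currently knows (read and not yet forgotten).
        self.known = {s: set() for s in self.cl_s}

    def wcl(self, s):
        # wcl(s) = max cl(o) over the known objects, or b when nothing is known.
        # Without forget this equals the incremental update in [2b].
        return max((self.cl_o[o] for o in self.known[s]), default=B)

    def read(self, s, o):
        # [1] strict read-down: allowed only if cl(o) < cl(s).
        if not self.cl_o[o] < self.cl_s[s]:
            return False
        self.known[s].add(o)               # raises wcl(s) if cl(o) is higher
        return True

    def write(self, s, o):
        # Writes go only to levels strictly above wcl(s).
        return self.cl_o[o] > self.wcl(s)

    def forget(self, s, o):
        # [3] drop o from s's knowledge; wcl(s) is recomputed from what remains.
        self.known[s].discard(o)


def demo():
    # Constructed sample data: one subject at level t, objects at each level.
    m = Monitor({"alice": T, "guest": B},
                {"memo": 0, "plan": 1, "report": 2, "vault": T})
    trace = [m.wcl("alice")]               # initial value b
    for event, obj in [(m.read, "plan"), (m.read, "report"),
                       (m.forget, "plan"), (m.forget, "report")]:
        event("alice", obj)
        trace.append(m.wcl("alice"))
    return trace
```

Forgetting "plan" leaves wcl at the level of "report", which is why the monitor has to keep the set of objects read rather than only the running maximum.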

Comments  
Subject: Re: Computer Security model
From: usrhlp-ga on 27 Sep 2006 02:32 PDT
 
I am a security expert but that makes no sense to me :D

usrhlp
