Title: CSCI283 Fall 2005 Lecture III Part 1
Slide 1: Security Policy
Slides added on to clarify definitions of precision and security
- CSCI283 Fall 2005 Lecture III Part 1
- GWU
Slide 2: Secure, Precise Mechanisms
Math. definition provided in earlier slides
- Program: a function with multiple inputs and one output
- Let p be a function
  - $p: I_1 \times \cdots \times I_n \to R$
- Then p is a program with
  - n inputs $i_k \in I_k$, $1 \le k \le n$, and
  - one output $r \in R$
Slide 3: The function
Explanation of math definition
- The function is what needs to be provided to the user
- p is what the user needs to obtain
Slide 4: Protection Mechanism
Math. definition provided in earlier slides
- $p: I_1 \times \cdots \times I_n \to R$
- A protection mechanism m for p is a function
  - $m: I_1 \times \cdots \times I_n \to R \cup E$
  - such that when $i_k \in I_k$, $1 \le k \le n$, either
    - $m(i_1, \ldots, i_n) = p(i_1, \ldots, i_n)$ or
    - $m(i_1, \ldots, i_n) \in E$.
- E is the set of error outputs; m defines what errors are allowed
Slide 5: Protection Mechanism
Explanation of math definition
- The protection mechanism m for p provides either
  - the value of p or
  - an error
- It can provide nothing else: no other function, for example
- The error may be a security-related, parameter-related (e.g. divide by zero) or reliability-related error
Slide 6: Protection mechanism
Explanation of math definition
[Diagram: inputs $i_1, i_2, \ldots, i_n$ enter m, which either computes $p(i_1, i_2, \ldots, i_n)$ or returns an error]
Slide 7: General Security Policy
- Example: reveal a value if it is smaller than 5
- Does not say anything about the function's input parameters, only about its output
Slide 8: Confidentiality Policy
Math. definition provided in earlier slides
- Confidentiality policy for program p says which inputs can be revealed
  - $c: I_1 \times \cdots \times I_n \to A$
  - where $A \subseteq I_1 \times \cdots \times I_n$ is the set of inputs available to the observer
Slide 9: Confidentiality Policy
Explanation of math definition
- Confidentiality policy for program p says which inputs can be revealed to a mechanism that determines the function, i.e. the inputs are not directly revealed to the user
[Diagram: c passes only some values of the inputs $i_1, i_2, \ldots, i_n$]
Slide 10: Security mechanism
Math. definition provided in earlier slides
- $m: I_1 \times \cdots \times I_n \to R \cup E$
- m secure iff
  - $\exists m': A \to R \cup E$
  - such that, for all $i_k \in I_k$, $1 \le k \le n$
  - $m(i_1, \ldots, i_n) = m'(c(i_1, \ldots, i_n))$
- m returns values consistent with c
Slide 11: Security mechanism
Explanation of math definition
- Is there some $m'$ which can operate only on the values allowed by the confidentiality policy c and still produce m?
Slide 12: Security mechanism
Explanation of math definition
[Diagram, top half as in slide 6: inputs $i_1, i_2, \ldots, i_n$ enter m, which computes $p(i_1, i_2, \ldots, i_n)$ or an error. Bottom half: c passes only some values of $i_1, i_2, \ldots, i_n$ to $m'$, which produces the same $p(i_1, i_2, \ldots, i_n)$ or error]
Slide 13: Precision
Math. definition provided in earlier slides
- $m_1$, $m_2$ distinct protection mechanisms for program p under policy c
- $m_1$ as precise as $m_2$ ($m_1 \approx m_2$) if,
  - for all inputs $i_1, \ldots, i_n$,
  - $m_2(i_1, \ldots, i_n) = p(i_1, \ldots, i_n) \Rightarrow m_1(i_1, \ldots, i_n) = p(i_1, \ldots, i_n)$
- $m_1$ more precise than $m_2$ ($m_1 \sim m_2$) if
  - there is an input $(i_1, \ldots, i_n)$ such that
  - $m_1(i_1, \ldots, i_n) = p(i_1, \ldots, i_n)$ and
  - $m_2(i_1, \ldots, i_n) \ne p(i_1, \ldots, i_n)$.
Slide 14: Precision
Explanation of math definition
- $m_1$ as precise as $m_2$ ($m_1 \approx m_2$)
  - means that, if $m_2$ does not give an error, $m_1$ does not. Think of $m_1$ as at least as precise as $m_2$
  - If $m_2$ does give an error, this says nothing about what $m_1$ does: it may or may not give an error
- $m_1$ more precise than $m_2$ ($m_1 \sim m_2$) means that there are some places where $m_2$ gives an error but $m_1$ does not, i.e. it says that when $m_2$ gives an error, at least one time $m_1$ does not
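Slides 4, 10 and 13 define protection mechanism, security and precision over finite input sets, so each definition can be checked by enumeration. The Python below is an added example, not from the lecture: the program p, the policy c (which hides a third input z by replacing it with 0), the error set E and the four candidate mechanisms are all constructed for illustration.

```python
from itertools import product

# Constructed example: p adds its first two inputs; the third input z is a
# secret the observer must never learn. z does not affect p, so any mechanism
# whose output varies with z is leaking for no benefit.
I1 = I2 = I3 = range(5)                 # finite input domains I_k, so we can enumerate
INPUTS = list(product(I1, I2, I3))
ERR = "error"
E = {ERR}                               # E: the set of allowed error outputs

def p(x, y, z):                         # the program p: I1 x I2 x I3 -> R
    return x + y

def c(x, y, z):                         # confidentiality policy: observer sees x and y only
    return (x, y, 0)                    # z replaced by a fixed value, so c's image A lies in the input space

# Candidate protection mechanisms m: I1 x I2 x I3 -> R u E
def m_open(x, y, z):                    # always answers
    return p(x, y, z)
def m_leak(x, y, z):                    # answers only when z > 0: the error channel reveals z
    return p(x, y, z) if z > 0 else ERR
def m_small_x(x, y, z):                 # refuses large first input
    return p(x, y, z) if x < 3 else ERR
def m_small_r(x, y, z):                 # slide 7: "reveal a value if it is smaller than 5"
    return p(x, y, z) if p(x, y, z) < 5 else ERR

def is_protection_mechanism(m):
    """Slide 4: for every input, m returns p's value or something in E."""
    return all(m(*i) == p(*i) or m(*i) in E for i in INPUTS)

def is_secure(m):
    """Slide 10: m is secure iff some m' on A satisfies m(i) = m'(c(i)) for all i.
    Such an m' exists exactly when m never distinguishes two inputs that c maps
    to the same point, so build m' as a table over A and fail on the first conflict."""
    m_prime = {}
    for i in INPUTS:
        if m_prime.setdefault(c(*i), m(*i)) != m(*i):
            return False                # c(i) equal, m(i) different: no m' can exist
    return True

def as_precise(m1, m2):
    """Slide 13, m1 ≈ m2: wherever m2 returns p's value, so does m1."""
    return all(m1(*i) == p(*i) for i in INPUTS if m2(*i) == p(*i))

def more_precise(m1, m2):
    """Slide 13, m1 ~ m2: some input where m1 returns p's value and m2 does not."""
    return any(m1(*i) == p(*i) and m2(*i) != p(*i) for i in INPUTS)
```

Running the checks shows that m_leak is a valid protection mechanism yet insecure, because its choice between value and error depends on the hidden z, while m_small_x and m_small_r are both secure but neither is as precise as the other, so "as precise as" is only a partial order.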