CSCI283 Fall 2005 Lecture III Part 1

1
Security PolicySlides added on to clarify
definitions of precision and security

• CSCI283 Fall 2005 Lecture III Part 1
• GWU

2
Secure, Precise MechanismsMath. Definition
provided in earlier slides

• Program a function with multiple inputs and one
  output
• Let p be a function
• p I1 ? ... ? In ? R
• Then p is a program with
• n inputs ik ? Ik, 1 k n, and
• one output r ? R

3
The functionExplanation of math definition

• The function is what needs to be provided to the
  user
• p is what the user needs to obtain

4
Protection Mechanism Math. Definition provided
in earlier slides

• p I1 ? ... ? In ? R
• A protection mechanism m for p is a function
• m I1 ? ... ? In ? R ? E
• such that when ik ? Ik, 1 k n, either
• m(i1, ..., in) p(i1, ..., in) or
• m(i1, ..., in) ? E.
• E is set of error outputs, m defines what errors
  are allowed

5
Protection Mechanism Explanation of math
definition

• The protection mechanism m for p provides either
  
• the value of p or
• an error
• It can provide nothing else no other function,
  for example
• The error may be a security-related,
  parameter-related (e.g. divide by zero) or a
  reliability-related error

6
Protection mechanism Explanation of math
definition
p(i1 i2 .. in)
p(i1 i2 .. in)
i1 i2 .. in
m
p
error
7
General Security Policy

• Example Reveal a value if it is smaller than 5
• Does not say anything about the functions input
  parameters, only about its output

8
Confidentiality Policy Math. Definition provided
in earlier slides

• Confidentiality policy for program p says which
  inputs can be revealed
• c I1 ? ... ? In ? A
• where A ? I1 ? ... ? In is set of inputs
  available to observer

9
Confidentiality Policy Explanation of math
definition

• Confidentiality policy for program p says which
  inputs can be revealed to a mechanism that
  determines the function, i.e. the inputs are not
  directly revealed to the user

Only some values
i1 i2 .. in
c
10
Security mechanism Math. Definition provided in
earlier slides

• m I1 ? ... ? In ? R ? E
• m secure iff
• m A ? R ? E
• such that, for all ik ? Ik, 1 k n
• m(i1, ..., in) m(c(i1, ..., in))
• m returns values consistent with c

11
Security mechanism Explanation of math definition

• Is there some m which can operate only on the
  values allowed by the confidentiality policy c
  and still produce m?

12
Security mechanism Explanation of math definition
p(i1 i2 .. in)
p(i1 i2 .. in)
i1 i2 .. in
m
p
error

p(i1 i2 .. in)
Only some values
i1 i2 .. in
c
?m
error
13
Precision Math. Definition provided in earlier
slides

• m1, m2 distinct protection mechanisms for program
  p under policy c
• m1 as precise as m2 (m1 m2) if,
• for all inputs i1, , in,
• m2(i1, , in) p(i1, , in) ? m1(i1, , in)
  p(i1, , in)
• m1 more precise than m2 (m1 m2) if
• there is an input (i1, , in) such that
• m1(i1, , in) p(i1, , in) and
• m2(i1, , in) ? p(i1, , in).

14
Precision Explanation of math definition

• m1 as precise as m2 (m1 m2)
• means that, if m2 does not give an error, m1 does
  not. Think of m1 as at least as precise as m2
• If m2 does give an error, this says nothing about
  what m1 does it may or may not give an error
• m1 more precise than m2 (m1 m2) means that
  there are some places where m2 gives an error,
  but m1 does not, i.e. it says that when m2 gives
  an error, at least one time m1 does not