Question
Prove that the two properties of the hierarchy function (see Section 5.2.3) allow only trees and single nodes as organizations of objects.
Section 5.2.3 is as follows:
Let $S$ be the set of subjects of a system and let $O$ be the set of objects. Let $P$ be the set of rights r for read, a for write, w for read/write, and e for empty. Let $M$ be a set of possible access control matrices for the system. Let $C$ be the set of classifications (or clearances), let $K$ be the set of categories, and let $L = C \times K$ be the set of security levels. Finally, let $F$ be the set of tuples $(f_s, f_o, f_c)$, where $f_s$ and $f_c$ associate with each subject maximum and current security levels, respectively, and $f_o$ associates with each object a security level. The relation dom from Definition is defined here in the obvious way.
The right called empty here is called execute in Bell and LaPadula. However, they define execute as "neither observation nor alteration" and note that it differs from the notion of execute that most systems implement. For clarity, we changed the e right's name to the more descriptive empty.
The system objects may be organized as a set of hierarchies (trees and single nodes). Let $H$ represent the set of hierarchy functions $h : O \to \mathcal{P}(O)$. These functions have two properties. Let $o_i, o_j, o_k \in O$. Then:
1. If $o_i \neq o_j$, then $h(o_i) \cap h(o_j) = \emptyset$.
2. There is no set $\{o_1, o_2, \ldots, o_k\} \subseteq O$ such that $o_{i+1} \in h(o_i)$ for each $i = 1, \ldots, k$, and $o_{k+1} = o_1$.
$\mathcal{P}(O)$ is the power set of $O$, that is, the set of all possible subsets of $O$.
See Exercise
A state $v \in V$ of a system is a tuple $(b, m, f, h)$, where $b \in \mathcal{P}(S \times O \times P)$ indicates which subjects have access to which objects, and what those access rights are; $m \in M$ is the access control matrix for the current state; $f \in F$ is the tuple indicating the current subject and object clearances and categories; and $h \in H$ is the hierarchy of objects for the current state. The difference between $b$ and $m$ is that the rights in $m$ may be unusable because of differences in security levels; $b$ contains the set of rights that may be exercised, and $m$ contains the set of discretionary rights.
$R$ denotes the set of requests for access. The form of the requests affects the instantiation, not the formal model, and is not discussed further here. Four outcomes of each request are possible: y for yes (allowed), n for no (not allowed), i for illegal request, and o for error (multiple outcomes are possible). $D$ denotes the set of outcomes. The set $W \subseteq R \times D \times V \times V$ is the set of actions of the system. This notation means that an entity issues a request in $R$ and a decision in $D$ occurs, moving the system from one state in $V$ to another (possibly different) state in $V$. Given these definitions, we can now define the history of a system as it executes.
Let $N$ be the set of positive integers. These integers represent times. Let $X = R^N$ be a set whose elements $x$ are sequences of requests, let $Y = D^N$ be a set whose elements $y$ are sequences of decisions, and let $Z = V^N$ be a set whose elements $z$ are sequences of states. The $i$th components of $x$, $y$, and $z$ are represented as $x_i$, $y_i$, and $z_i$, respectively. The interpretation is that for some $t \in N$, the system is in state $z_{t-1} \in V$; a subject makes request $x_t \in R$, the system makes a decision $y_t \in D$, and as a result the system transitions into a (possibly new) state $z_t \in V$.
A system is represented as an initial state and a sequence of requests, decisions, and states. In formal terms, $\Sigma(R, D, W, z_0) \subseteq X \times Y \times Z$ represents the system, and $z_0$ is the initial state of the system. $(x, y, z) \in \Sigma(R, D, W, z_0)$ if and only if $(x_t, y_t, z_t, z_{t-1}) \in W$ for all $t \in N$. $(x, y, z)$ is an appearance of $\Sigma(R, D, W, z_0)$.
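The two hierarchy properties can be checked mechanically. The following Python is an added example, not part of the textbook section or the original page: it tests a hierarchy function given as a dict of child sets against both properties and, separately, tests whether the same structure is a forest of trees and single nodes. The function names and sample hierarchies are constructed for illustration, and every child named in h is assumed to be a member of O.

```python
from itertools import combinations

def hierarchy_violations(objects, h):
    """Check h: O -> P(O), given as a dict of child sets, against both properties."""
    kids = {o: set(h.get(o, ())) for o in objects}
    found = []
    # Property 1: o_i != o_j implies h(o_i) and h(o_j) have no object in common.
    for a, b in combinations(sorted(objects), 2):
        shared = kids[a] & kids[b]
        if shared:
            found.append(("property 1", (a, b), sorted(shared)))
    # Property 2: no chain o_1, ..., o_k with o_{i+1} in h(o_i) that returns to o_1.
    state = {}  # missing = unvisited, 1 = on the current path, 2 = finished
    def visit(o, path):
        state[o] = 1
        for c in sorted(kids[o]):
            if state.get(c) == 1:
                found.append(("property 2", tuple(path[path.index(c):]), [c]))
            elif c not in state:
                visit(c, path + [c])
        state[o] = 2
    for o in sorted(objects):
        if o not in state:
            visit(o, [o])
    return found

def is_forest(objects, h):
    """True when each object has at most one parent and every parent chain reaches a root."""
    parent = {}
    for o in objects:
        for c in set(h.get(o, ())):
            if c in parent:              # a second parent rules out a tree
                return False
            parent[c] = o
    for o in objects:
        seen = set()
        while o in parent:               # walk up towards the root
            if o in seen:
                return False
            seen.add(o)
            o = parent[o]
    return True

# Constructed sample hierarchies (object names are made up for illustration).
FOREST = {"root": {"etc", "home"}, "home": {"alice", "bob"}, "lone": set()}
FOREST_OBJS = {"root", "etc", "home", "alice", "bob", "lone"}
SHARED = {"a": {"c"}, "b": {"c"}}             # c would have two parents
CYCLE = {"a": {"b"}, "b": {"c"}, "c": {"a"}}  # a -> b -> c -> a
ABC = {"a", "b", "c"}
```

On these samples the two checks agree: a structure with no violations is a forest, a shared child breaks the first property, and a cycle breaks the second.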