The Goguen/Meseguer Security Model
George W. Dinolt, CS4605
[email protected] August 11, 2008 1
Elements
• Let S be the set of States the system can take on
• Let s0 ∈ S be the initial state
• Let U be the set of Users of the system
• Let C be the set of Commands that can be issued by Users to cause a change of state
• Let OUT be the set of user-visible outputs of the system
• Let L be the set of security labels.
Functions
do : The state transition function
do : S × U × C → S
Constructs a new state from a state, a user and a command
out : The output visible to a user from a state
out : S × U → OUT
Sequence Notation
Sequences: We let W = (U × C)∗ be the set of all possible sequences of pairs of elements (u, c) where u ∈ U and c ∈ C. A sequence w ∈ W might be written as
w = 〈(u0, c0), (u1, c1), . . . , (un, cn)〉
Null Sequence: The sequence consisting of no elements, the empty or Null sequence, is sometimes denoted by 〈〉.
Concatenation: If w = 〈(u0, c0), (u1, c1), . . . , (un, cn)〉 then we may rewrite w as
w = 〈(u0, c0), (u1, c1), . . . , (un−1, cn−1)〉 · (un, cn)
where “·” is the sequence concatenation operator.
Operating on Inputs
Extending do to sequences: Let s ∈ S. We extend do to sequences, do : S × W → S, by recursion on the sequence, using the rewrite w = x · (u, c) with x ∈ W:
do(s, w) = s                       if w = Null,
do(s, w) = do(do(s, x), u, c)      if w = x · (u, c)      (1)
do applied to a sequence of inputs is the state that results as a consequence of applying the inputs one after another in sequence.
We will use the notation:
[[w]] = do(s0, w)
for the state reached from the initial state s0 after the sequence w.
Outputs From Sequences
If w ∈ W then we will use the notation
[[w]]u = out([[w]], u)
So [[w]]u is the output seen by the user u after the sequence of commands w has been issued.
Note that in this approach we explicitly model the “output” seen by users; it is the only thing a user can observe, so all of the security definitions below are stated in terms of [[w]]u.
Purge Users
Let G ⊆ U and w ∈ W. The purge of G from w is:
PG(w) = Null                 if w = Null
PG(w) = PG(x)                if w = x · (u, c) and u ∈ G
PG(w) = PG(x) · (u, c)       if w = x · (u, c) and u ∉ G
i.e. PG(w) is the subsequence of w obtained by removing every pair (u, c) whose user u is in G.
Note that this is a “recursive” definition that uses the “rewrite” notation w = x · (u, c) that we described above.
Purge Commands
Let A ⊆ C and w ∈ W. The purge of A from w is:
PA(w) = Null                 if w = Null
PA(w) = PA(x)                if w = x · (u, c) and c ∈ A
PA(w) = PA(x) · (u, c)       if w = x · (u, c) and c ∉ A
i.e. PA(w) is the subsequence of w obtained by removing every pair (u, c) whose command c is in A, whichever user issued it.
Purge Both
Let G ⊆ U, A ⊆ C and w ∈ W. The purge of (G, A) from w is:
PG,A(w) = Null                   if w = Null
PG,A(w) = PG,A(x)                if w = x · (u, c), u ∈ G and c ∈ A
PG,A(w) = PG,A(x) · (u, c)       if w = x · (u, c) and (u ∉ G or c ∉ A)
i.e. PG,A(w) is the subsequence of w obtained by removing every pair (u, c) in which a user in G issues a command in A. Pairs where only one of the two conditions holds are kept. Taking A = C gives PG, and taking G = U gives PA.
User Non-Interference
Suppose 〈S, U, C, OUT, do, out〉 is a system, G ⊆ U and W = (U × C)∗. Then the users in G do not interfere with the other users of the system if
∀w ∈ W, ∀u ∈ U\G, [[w]]u = [[PG(w)]]u
i.e. purging the actions of the set of users G does not change
the view of the system seen by the other users of the system.
More Non Interference Notation
Suppose G, G′ ⊆ U and A ⊆ C. G does not interfere with G′ if
∀w ∈ W, ∀u ∈ G′ : [[w]]u = [[PG(w)]]u
and the commands in A do not interfere with G′ if
∀w ∈ W, ∀u ∈ G′ : [[w]]u = [[PA(w)]]u
We will write this as G : |G′ and A : |G′. The right-hand side of “: |” is always a set of users, since only users observe outputs. Combining the two purges gives the general form: G, A : |G′ (users in G issuing commands in A do not interfere with G′) if
∀w ∈ W, ∀u ∈ G′ : [[w]]u = [[PG,A(w)]]u
MLS Security
Assume that the set of security labels, L, is totally ordered.
Let 0 ∈ L be the smallest element and 1 ∈ L be the largest.
Let level : U → L assign a label to each user. For all x ∈ L, we define:
U [−, x] = {u ∈ U : level(u) ≤ x}
and
U [x, +] = {u ∈ U : level(u) ≥ x}
The system (S, s0, U, C, L, do, out, level) is Multilevel Secure if and only if:
∀x, x′ ∈ L : x < x′ ⇒ U [x′, +] : |U [−, x]
i.e. for every pair of labels x < x′, the users at level x′ or above do not interfere with the users at level x or below: purging all of their commands from any sequence leaves the outputs seen by the lower-level users unchanged. Nothing is required in the other direction, so lower-level users may interfere with higher-level users (information may flow up, never down).
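As an added worked example (not from the slides), the following Python models the definitions above on a constructed two-user system: the fold that implements equation (1), the purges PG, PA and PG,A, the G : |G′ check, and the MLS condition. The system itself is an assumption of the example: users "hi" (label 1) and "lo" (label 0), commands "inc" and "read", and a state (hi_counter, lo_counter, shared). Two transition functions are given: do_leaky, where hi's "inc" also writes a cell that lo can observe, and do_secure, where each user only touches its own counter. Because W is infinite, the checker enumerates sequences only up to a bound; a violation it finds is a genuine counterexample, but "no violation" is evidence up to that bound, not a proof.

```python
from itertools import product

# Constructed toy system (an assumption of this example, not from the slides).
# Users "hi" (label 1) and "lo" (label 0); commands "inc" and "read".
# A state is a triple (hi_counter, lo_counter, shared).
USERS = ("hi", "lo")
COMMANDS = ("inc", "read")
LEVEL = {"hi": 1, "lo": 0}
S0 = (0, 0, 0)


def do_leaky(s, u, c):
    """Transition function with a write-down: hi's 'inc' also bumps 'shared',
    which lo can observe, so hi interferes with lo."""
    hi, lo, shared = s
    if c == "inc":
        return (hi + 1, lo, shared + 1) if u == "hi" else (hi, lo + 1, shared)
    return s  # 'read' leaves the state unchanged


def do_secure(s, u, c):
    """Transition function where each user's 'inc' touches only its own counter."""
    hi, lo, shared = s
    if c == "inc":
        return (hi + 1, lo, shared) if u == "hi" else (hi, lo + 1, shared)
    return s


def out(s, u):
    """out : S x U -> OUT. hi sees the whole state; lo sees only its own
    counter and the shared cell."""
    hi, lo, shared = s
    return s if u == "hi" else (lo, shared)


def run(do, w, s0=S0):
    """[[w]] = do(s0, w): equation (1) unrolled as a left fold over w."""
    s = s0
    for u, c in w:
        s = do(s, u, c)
    return s


def purge(w, G=None, A=None):
    """P_{G,A}(w): drop every pair (u, c) with u in G and c in A.
    G=None means all users (so purge(w, A=A) is P_A); A=None means all
    commands (so purge(w, G=G) is P_G)."""
    G = set(USERS) if G is None else set(G)
    A = set(COMMANDS) if A is None else set(A)
    return tuple((u, c) for u, c in w if not (u in G and c in A))


def noninterfering(do, G, G_prime, max_len=4):
    """Bounded check of G :| G': for every w of length <= max_len and every
    u in G', [[w]]_u == [[P_G(w)]]_u.  Returns (True, None) if no
    counterexample is found, else (False, (w, u)) for the first violation."""
    pairs = list(product(USERS, COMMANDS))
    for n in range(max_len + 1):
        for w in product(pairs, repeat=n):
            purged = purge(w, G=G)
            for u in G_prime:
                if out(run(do, w), u) != out(run(do, purged), u):
                    return False, (w, u)
    return True, None


def multilevel_secure(do, max_len=4):
    """Bounded check of the MLS condition: for all x < x', U[x',+] :| U[-,x]."""
    labels = sorted(set(LEVEL.values()))
    for x in labels:
        for x_prime in labels:
            if x < x_prime:
                high = [u for u in USERS if LEVEL[u] >= x_prime]
                low = [u for u in USERS if LEVEL[u] <= x]
                ok, witness = noninterfering(do, high, low, max_len)
                if not ok:
                    return False, witness
    return True, None


if __name__ == "__main__":
    print("secure system MLS:", multilevel_secure(do_secure))
    print("leaky system MLS: ", multilevel_secure(do_leaky))
```

For do_leaky the shortest counterexample is the single-pair sequence 〈("hi", "inc")〉 observed by "lo": lo sees shared = 1, but after purging hi's commands sees shared = 0. For do_secure no counterexample exists at any bound, while the reverse direction (lo interfering with hi) does fail, which the MLS condition permits.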