Abstract

Security policies define who may use what information in a computer system. Protection mechanisms are built into a system to enforce security policies. In most systems, however, it is quite unclear what policies a mechanism can or does enforce.This paper defines security policies and protection mechanisms precisely and bridges the gap between them with the concept of soundness: whether a protection mechanism enforces a policy. Different sound protection mechanisms for the same policy can then be compared. We also show that the “union” of mechanisms for the same program produces a more “complete” mechanism. Although a “maximal” mechanism exists, it cannot necessarily be constructed.

Highlights

  • Within computer systems we distinguish between different kinds ot information based on a variety of reasons; in addition, we wish to control how each of the different kinds of information is used

  • The basic elements of our theory are: a precise definition of a security policy of information control, simple enough so that the ramifications of the policy are clear, and a protection mechanism whose purpose is to Enforce' a given security policy

  • While the above discussion suggests that soundness is a binary relation between protection mechanisms and security policies, such Is not the case

Read more

Summary

INTRODUCTION

Within computer systems we distinguish between different kinds ot information based on a variety of reasons (for example, privacy of individuals which the information describes, laws, cost of theft); in addition, we wish to control how each of the different kinds of information is used. The basic elements of our theory are: a precise definition of a security policy of information control, simple enough so that the ramifications of the policy are clear, and a protection mechanism whose purpose is to Enforce' a given security policy. We relate these two in terms of soundness and completeness. While the above discussion suggests that soundness is a binary relation between protection mechanisms and security policies, such Is not the case It depends on just what attributes of a program's execution are observable,. Though the union of mechanisms can be used to derive increasingly powerful mechanisms, the maximal protection mechanism cannot necessarily be effectively discovered

BASIC MODEL
SURVEILLANCE PROTECTION MECHANISM
ASSIGNMENT BOX
Replace the decision box in Q FALSE
HIGH WATER MARK PROTCCTION MECHANISM
CÜMPARISÜN OF PROTECTION MECHANISMS
PROTECTION MECHANISMS EXTENSIONS
CONCLUSIONS
Full Text
Published version (Free)

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call