19-10-2012, 04:31 PM
INTEGRITY CONSIDERATIONS FOR SECURE COMPUTER SYSTEMS
INTRODUCTION
OVERVIEW
Ensuring legitimate access to privileged information has become
a major area of concern for information processing technology. The
rapidly growing use of complex resource sharing information systems
has emphasized the need to carefully identify and guarantee who has
which access to what data. Experience has indicated that the protection
issue is two-pronged: concerned both with the proper dissemination
of information and with that information's validity. Our
concern, in this paper, is an examination of how information validity
may be maintained.
Our context is the Secure General Purpose Computer Project of
the Air Force's Electronic Systems Division [1]. Its purpose is the
design, construction, and formal validation of a secure computer
utility for the military environment. The term secure computer
utility refers to an interactive, multiprogrammed, multiprocessor
computer system supporting resource sharing in a manner determined
by an information protection policy. Its effective enforcement of
the protection policy must be formally validated before it can be
certified, by the appropriate authority, for use with classified
information.
Access Modes
The above example presented a rather abstract form of access,
independent of the semantics associated with an access. In general,
access domains are partitioned on the basis of the mode (semantics)
of the access. In this paper we will be concerned with three abstract
modes of access: observation, modification, and invocation.
Access permission, for each of these modes, will be explicitly
identified.
Observation, as the name implies, relates to the viewing of information
by a subject. Central to observation is the testing of
information. We state that observation is the testing of information
that results in a choice of distinct states of the observing subject
(and possibly distinct outputs). In other words, the observing subject
can make a choice based on the observed information, and that choice
manifests itself in the resulting state of the observer.
Modification may be defined in terms of observation. A subject
modifies information if its value is changed so that an observation,
by a subject (possibly distinct from the modifier), results in a
different state than previous observations (a discernible change).
Security Policy
The protection policies investigated, to date, have addressed
the problem of information security. Security denotes the property
of protection against compromise: unauthorized dissemination of
information. The security policy defines access domains of subjects
based on considerations derived from DoD security attributes of subjects
and objects. Several axiomatic systems [2] [3] represent this
policy. We present a model defining this policy below.
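As an added illustration (not part of the paper or of this post) of the access modes defined above and of how a policy partitions a subject's access domain by mode, the following Python encodes the three modes and checks them against the Bell-LaPadula security rules cited as [2] [3] (no read up, no write down) and against their integrity dual, the strict integrity policy the full paper goes on to develop. The linear level ordering, the object labels and the treatment of invocation as an observe-plus-modify pair are assumptions of this example.

```python
from enum import Enum

class Mode(Enum):
    OBSERVE = "observe"
    MODIFY = "modify"
    INVOKE = "invoke"

# Constructed sample: a linear ordering of DoD sensitivity levels (real labels
# also carry compartments, so a lattice would replace this dict).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def dominates(a: str, b: str) -> bool:
    return LEVELS[a] >= LEVELS[b]

def security_permits(subj: str, obj: str, mode: Mode) -> bool:
    """Security (Bell-LaPadula) rules: a subject may observe only what its level
    dominates (no read up) and modify only what dominates its level (no write
    down). Invocation is treated here as an observe-plus-modify pair, an
    assumption of this example rather than a rule stated in the paper."""
    if mode is Mode.OBSERVE:
        return dominates(subj, obj)
    if mode is Mode.MODIFY:
        return dominates(obj, subj)
    return dominates(subj, obj) and dominates(obj, subj)

def integrity_permits(subj: str, obj: str, mode: Mode) -> bool:
    """Dual rules on integrity levels (the paper's strict integrity policy):
    observe only what dominates the subject (no read down), modify only what
    the subject dominates (no write up)."""
    if mode is Mode.OBSERVE:
        return dominates(obj, subj)
    if mode is Mode.MODIFY:
        return dominates(subj, obj)
    return dominates(subj, obj) and dominates(obj, subj)

def access_domain(subj: str, objects: dict, permits) -> dict:
    """Partition a subject's access domain by mode: for each mode, the names
    of the objects the given policy lets the subject access in that mode."""
    return {m: {name for name, lvl in objects.items() if permits(subj, lvl, m)}
            for m in Mode}

# Constructed objects, each labelled with a level.
OBJECTS = {"bulletin": "UNCLASSIFIED", "plan": "SECRET", "codeword": "TOP SECRET"}

if __name__ == "__main__":
    for m, names in access_domain("SECRET", OBJECTS, security_permits).items():
        print(f"security  {m.value:8} -> {sorted(names)}")
    for m, names in access_domain("SECRET", OBJECTS, integrity_permits).items():
        print(f"integrity {m.value:8} -> {sorted(names)}")
```

Running it shows the two policies partitioning the same SECRET subject's domain in mirror image: security lets it observe downward and modify upward, integrity the reverse.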