T. Taylor. Comparison paper between the Bell and La Padula model and the SRI model. In Proceedings of the Symposium on Security and Privacy, pages 195--202, IEEE Computer Society, Oakland, CA, April 1984. 6  Home/Search   Document Not in Database   Summary   Related Articles   Check

....system state or behavior are overlooked, then they may provide channels for undesired communication despite verification that the application complies with the model. Channels of this kind were present in the Multics Interpretation [3] that was intended to exemplify the utility of the approach [20]. Next, the model proved too restrictive for some aspects of the behavior of real systems, so trusted subjects were introduced and allowed to violate the restrictions of the model. The problem with this approach was that there was no overarching security specification to constrain the behavior ....

T. Taylor. Comparison paper between the Bell and La Padula model and the SRI model. In Proceedings of the Symposium on Security and Privacy, pages 195--202, IEEE Computer Society, Oakland, CA, April 1984. 6

....are meant to allay: if the model is highly detailed and its definition of security correspondingly so, then one naturally wonders whether that definition is correct. The discovery of subtle quirks and outright flaws in certain well established security models shows that these doubts are not idle [9, 15]. Thus we are confronted with a dilemma: in order to be sure that it is itself correct, a security model should be simple and highly abstract; but in order that it can be used to verify usefully detailed system specifications, a model must be detailed and concrete. In my view, the correct escape ....

....in ways that give comprehensive guidance and assurance to the developers of trusted computer systems. 4 Comparison with other Models One of the most influential of security models is the one developed by Bell and La Padula [1] Recently, some security flaws have been found in the 10 model [9, 15] some of its rules have been found to admit covert storage channels. In this section, I will show how the attempt to verify the Bell and La Padula model with respect to the HDM model provides a systematic technique for detecting such flaws. In order to verify the Bell and La Padula model, we ....

[Article contains additional citation context not shown here]

T. Taylor. Comparison paper between the Bell and La Padula model and the SRI model. In Proceedings of the Symposium on Security and Privacy, pages 195--202, Oakland, CA, April 1984. IEEE Computer Society. 16

....the policy aspects are just assertions that must be true about that model in order to achieve the desired security. The combination of these two aspects is to specify a system that achieves the high level security requirements. Some examples may clarify this. In the Bell and LaPadula model [193, 21], the high level requirements are those of the military security policy [67] the target system is modeled as a state machine, and the policy assertions include state invariants and constraints on allowable transition functions. In the SeaView MLS database model [203] the high level requirements ....

....information flow. Like BLP, it uses a finite state machine system model. However, where BLP is based on state properties and allowed transitions, the SRI model simply allows only proper transitions which do not violate information flow rules, which is a much cleaner approach, at least conceptually [193, 99]. Goguen presents a model in the early 1980 s [91, 92] which deals with controlling the interference between subjects. Under certain conditions depending on the security properties, certain operations must be noninterfering with (i.e. invisible to) certain individuals. As an oversimplified ....

Taylor, T. Comparison paper between the bell and lapadula model and the sri model. In Proc. 1984 Symposium on Security and Privacy (1984), IEEE Computer Society, pp. 195--202.

.... of read and write found in [17] and [9] 15] The claim that BLP captures security relevant causal information, however loosely, that extensions to Generalized Noninterference do not may seem odd to many since it is widely believed that BLP and Noninterference are generally equivalent [6, 18]. The sense of equivalence used here seems to be that the set of systems which one model condones is the set of systems the other condones. It is worthwhile examining this thesis here since it is related to our claim that BLP takes security relevant causal information into account that ....

T. Taylor, "Comparison Paper between the Bell and LaPadula Model and the SRI Model," Proc. 1984 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Oakland, CA., 1984.

No context found.

TAYL84 Taylor, T., "Comparison Paper Between the Bell and La Padula Model and the SRI Model," 1984 Symposium on Security and Privacy, pp. 195-202, IEEE, May 1984.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC