In this paper, we extend previous results [1] in the protection and administration of information networks under partial orderings. We summarize previous results, and extend them to cover hierarchical networks. We consider distributed hierarchical administration, show a hierarchical network, and demonstrate a provably secure communications technique in which partial orderings are used to control flow, traffic analysis is minimized, local compromise does not cause global compromise, and distributed hierarchical administration works. We show means by which trusted and untrusted computing bases may be connected to form provably secure distributed information networks under partial orderings, and a risk analysis technique which takes advantage of the POset structure to reduce the complexity of analysis for these networks. We, summarize results and propose further extensions of this work.
Protection of information in modern information networks depends primarily on the ability to control the flow of information [1,2,3,4,5,6]. The partial ordering appears to be the most general mathematical structure required to accurately model the information flow behavior of a general purpose transitive information network [1]. Due to the complexity of modern information networks, manual analysis of information flow properties by administrators is impractical. Even with automated administrative assistance, large networks with a single administrator present tremendous exposures because one individual has total control, even if only at a flow policy level. In physically distributed networks, local administrators may require control over local information flow, while the global network may have higher level flow properties that must be enforced [6]. The potential compromise of a localized portion of a trusted network also makes nondistributed administration hazardous, and leads to a desire to analyze the effects of partial compromise. This leads us to the discussion of distributed and hierarchical control of information networks.
Unless otherwise stated, we assume throughout this paper that general purpose computing systems are used, and thus that transitivity holds for information flow [2]. We assume that there is no real difference from the standpoint of an information network between subjects and objects [1], and study the effects of information flow disregarding this distinction. We call the undistinguished subject/object an "information domain", abbreviated "domain". We view the effects of a human subject having access to multiple domains as a collusion between domains, and thus keep the mathematical analysis simple and yet general. The information flow relation "f" is specified in [1] as:
Collapse each equivalence class into a single domain, and get an antisymetric transitive binary algebra.
(S,{f}):
(a f b) and (b f c) => (a f c) ;transitive
(a f b) and (b f a) => (a = b) ;antisymetric
Note that in a structure where equivalence classes collapse, information in two non identical equivalence classes A and B can not be related so that ((A f B) and (B f A)) since this would make A and B identical by antisymetry. Furthermore, there can be no structure in which information flowing from A to B can reenter A since this would mean that (A f B) and (B f A) (by transitivity), and thus that A and B (and all other elements of this ring) are equivalent.
Thus, we have a relation "<" such that A < B iff (A != B) and (A f B). If there is a domain "b" so that not(b f b), then in all cases where there is a domain "a" so that a<b and a domain "c" so that b<c, we may eliminate domain b, and use instead, a<c. Thus we systematically eliminate any such domain from the structure without changing the effective information flow behavior. We conclude that the structure of interest is a reflexive, transitive, antisymetric, binary relation, commonly called a partial ordering, and that this seems the most general structure we can use to guarantee restricted information flow. We use the term "POset" to indicate a set whose elements are related by a partial ordering.
(S,{f}): for all a,b,c in S,
[(a f a) ;reflexive
and (a f b) and (b f c) => (a f c) ;transitive
and (a f b) and (b f a) => (a = b)] ;antisymetric
The effective POset under transitivity is formed by applying transitivity to information flow, and is easily displayed in a matrix form. This answers the question of reachability immediately without undue complexity to the observer. We call the effective POset under transitivity a "Flow Control POset" (FCP). An example network and its corresponding FCP are given in figure 1. Domains can always be labeled so as to produce an upper triangular FCP matrix since, if there is no reordering of a non upper triangular matrix to an upper triangular matrix, there must be two equivalent entries under our transitivity assumption. Every upper triangular boolean matrix maps into a unique POset, but not all upper triangular matrices map into a unique FCP. Finally, we note that completely independent subsets of a system can exist within a partial ordering, and that many distinct yet equivalent FCPs can thus exist.
a b c d e f g
a f - f f - f -
b - f - f f f f
c - - f - - - -
d - - - f - f -
e - - - - f f f
f - - - - - f -
g - - - - - - f
Figure 1 - An FCP Example
The corruptive effects of domain collusion can be
easily determined by ORing rows of any set of colluding domains to find
their effective joint flow. Similarly, the information accessible to a
set of colluding domains can be derived by ORing the respective columns
of the FCP matrix.
We note that the POset in this context may be thought
of as a classification scheme, just as the Bell-LaPadula [3] and Biba
[4] models are classification schemes. We may have distinct yet
equivalent domains in an actual system, but the distinction isn't "real"
from the information flow standpoint. We must be aware of the fact that
they are equivalent from a flow standpoint in order to determine their
actual informational effects. We note that the POset model is designed
to be used to design flow controls in a given application. That is, the
application drives the need to flow information from place to place.
Once the information flows for an application are established, human
users may be allowed to effect or observe information in various domains
in the network.
In order to precisely determine the largest set of
domains which can effect a given domain in a network with time variant
flow control, we assume an initial configuration of the protection
system, and maintain a precise configuration that reflects the maximal
set of domains that could have effected each domain after each change in
the information flow (called a move). We call this configuration a
"time flow configuration" (TFC), and calculate it by remembering all
transitive flows into each domain for all moves as follows:
TFC @ move 0 = FCP
for N>0, TFC @ move N "(A f B)" =
1 for all X,Y s.t. TFC(X,Y) @ move N-1 => TFC(X,Y) @ move N
2 for all X s.t. TFC(X,A) @ move N-1 => TFC(X,B) @ move N
3 TFC(A,B) @ move N
4 for all X s.t. FCP(B,X) @ move N,
for all Y s.t. TFC(Y,B) @ move N => TFC(Y,X) @ move N
Our initial TFC is just the FCP of the initial
configuration, since this indicates all potential flows into each domain
from each other domain under transitivity. From this point forward,
every move "(A f B)", introduces the possibility that a previous
information flow to A transits to B and all objects in the transitive
closure of B's information flow. Rule 1 states that previous flows
remain after a move. Rule 2 states that all previous flows into A are
added to B. Rule 3 states that A is added to the flows to B. Rule 4
states that all resulting flows into B are added to all objects in the
transitive closure of flow from B. Rule 3 is implied by TFC(X,A) =>
TFC(X,B) if we assume (A f A).
Except for the FCP, this maintenance of the TFC takes
at most N squared time and space in the number of domains, and is linear
in the number of moves considered. The FCP computation takes at most N
squared time and space in the number of domains, and is performed only
once per TFC calculation. It is thus quite feasible to maintain the TFC
throughout the lifetime of a typical network.
By using the above mathematical basis, we may
automatically evaluate the FCP, TFC, equivalencies of domains, and the
effect of collusions under a given configuration of a protection system
with a flow relation. We may augment this basic capability with a set
of rules that determine whether a given configuration is allowable given
installation dependent parameters, to form a configuration evaluator
tailored for a given system. We may form a dynamic analysis system by
performing evaluations on configurations resulting from proposed moves,
and reporting on the effects. Finally, we may augment this capability
with a set of rules for proposing moves that are likely to be acceptable
to the protection system while fulfilling desired information flow
requests. This results in a provably correct automated administrative
assistant for maintaining policy constraints in such a network.
2 - Hierarchical Flow Control
A hierarchy is comprised of a set 'S' and a parent
relation 'p', where:
for all s in S,
1) exists s' in S s.t. (s' p s) and
2) not exists s'' in S s.t.
(s != s' != s'' != s) and (s'' p s) and
3) only one s in S s.t. (s p s)
A hierarchical flow control system is a system 'S' in
which domains correspond to elements of S, and s controls the flow of
information to and from s' iff (s p s'). Thus each domain controls flow
between all domains of which it is a parent. A hierarchy of
administrators thus exists, and discretionary controls of a "parent"
administrator are mandatory controls of a "child" administrator. The
analysis of valid moves over time for each level in the hierarchy is
used to enforce mandatory policies at that level. Information on actual
configurations may be used by parent administrators to allow more
accurate configuration control at the parent level, while localized
control allows distribution of responsibility. We may consider a
hierarchical system as being composed of a set of levels. No
communication may take place between domains at different levels without
the consent of administrators in each of the higher domain
administrators up to the SUP of the communicating domains.
Domains which are parents of other domains are not
general purpose processing domains in that there functionality is
limited to command, control, communications, and Intelligence functions
(C3I) required to administer the information flow within the network.
The hierarchical POset given in Figure 2 and its corresponding analysis
demonstrate this point.
With a hierarchical structure, we may divide the
network into subnetworks which are independent except in that
connections to external portions of the network exist through the
consent of appropriate parents. Since a parent controls all flow to and
from a child, and since the child acts as a single domain to the parent,
the child sees only generically labeled incoming and outgoing
information flows. Flows may be added or removed at the parents whim,
with the child capable of arbitrarily using these flows from the
standpoint of the parent. This independence allows each domain to be
independently administered by its parent. The hierarchical structuring
also decreases the complexity of administration and the potential damage
caused by a wrong move by any single administrator.
--- ---
|A|-------------------------------|B| (AfB)
--- ---
/ \ / \
/ \ / \
/ \ / \
------------ ---------
| X---Z--o| | R---U|
| / \ / | (WfX)+(WfY)+(XfY)+ | / | (ifR)+(ifS)+
|W---Y | (XfZ)+(YfZ)+(Zfo) |i-S---T| (RfU)+(SfT)
------------ ---------
/ \
/ \
/ \
--------------
|i1---D--- |
| \ \ | (i1fD)+(i2fE)+(EfG)+
|i2-E---F o2| (DfF)+(EfF)+(Gfo2)+(Dfo2)
| \ / |
| G--- |
--------------
Figure 2 - A Hierarchical POset Network
In figure 2, we show a hierarchical POset network and
the corresponding flow relations (ignoring identity flows). Note that
external flows are designated by generic "i" and "o" domains. The
corresponding access matrices are provided in figure 3. The final
access matrix in figure 3 is the combination of all of the hierarchical
access matrices with generic inputs and outputs replaced by the actual
flows, and is thus the access matrix of the entire network. Domains
representing branches in the hierarchy are eliminated as they are C3I
domains, and can't themselves flow information to or from other domains
(except possibly through covert channels).
\ A B \ W X Y Z o \ i R S T U
------ ---------------- ----------------
A | f f W | f f f - - i | f f f - -
B | - f X | - f f f - R | - f - - f
Y | - - f f - S | - - f f -
Z | - - - f f T | - - - f -
o | - - - - f U | - - - - f
\ i1 i2 D E F G o2 \ W X D E F G Z R S T U
----------------------- ----------------------------------
i1 | f - f - - - - W | f f - f - - - - - - -
i2 | - f - f - - - X | - f f - - - f - - - -
D | - - f - f - - D | - - f - f - f - - - -
E | - - - f f f - E | - - - f f f - - - - -
F | - - - - f - - F | - - - - f - - - - - -
G | - - - - - f f G | - - - - - f f - - - -
o2 | - - - - - - f Z | - - - - - - f f f - -
R | - - - - - - - f - - f
S | - - - - - - - - f f -
T | - - - - - - - - - f -
U | - - - - - - - - - - f
Figure 3 - Hierarchical Access Matrices
Figure 4 shows the effective POset resulting from
applying transitive closure to the network shown above. Note that no
single administrator in the network is capable of computing the
effective flow matrix of the entire network from only local knowledge.
\ W X D E F G Z R S T U
----------------------------------
W | f f f f f f f f f f f
X | - f f - f - f f f f f
D | - - f - f - f f f f f
E | - - - f f f f f f f f
F | - - - - f - - - - - -
G | - - - - - f f f f f f
Z | - - - - - - f f f f f
R | - - - - - - - f - - f
S | - - - - - - - - f f -
T | - - - - - - - - - f -
U | - - - - - - - - - - f
Figure 4 - The Effective POset from Figures 2 and 3
To further limit the arbitrary use of flows without
explicit structural knowledge provided to administrators, an expert
system of the same sort provided in [1] may be used with a set of rules
which are to be enforced on the global access matrix. The computation
of transitive closure, time transitivity, and other required factors may
be carried out within the assistant without any administrator being
aware of more than a subset of the global information. Each
administrator may independently assure themselves that the matrices
presented them meet their flow requirements, and local administrative
assistants may be used by local administrators for added assurance.
In the hierarchical case, the network wide automated
administrative assistant is augmented to maintain a set of access
matrices, rules, databases, move suggestion methods, and administrators.
If global information flows are of import, a global access matrix may be
generated for each RBS checking procedure, and global computations may
be performed. Cases may arise where perfectly reasonable flows from
each administrative perspective are turned down by the global
administrative assistant because of global information effects (e.g.
the total number of transitive flows to a given node are limited to a
global maximum so as to limit the potential for illicit dissemination).
We may be forced to automate the process of suggesting modifications to
the network so as to allow local requests to be fulfilled whenever
possible without a large number of trials being rejected by the global
administrative assistant.
--- --- --- --- --- ---
|A| |A| |A| |A| |A| |A|
--- --- --- --- --- ---
| | | ... | | |
--- --- --- --- --- ---
|I| |I| |I| |I| |I| |I|
--- --- --- --- --- ---
| | | ... | | |
----------------------------------
Dbase----| |---Rules
Dbase----| |---Rules
Global Dbase--| RBS |-------Global Rules
Dbase----| |---Rules
Dbase----| |---Rules
----------------------------------
| | | ...|... | | |
--- --- --- | --- --- ---
|M| |M| |M| | |M| |M| |M|
--- --- --- | --- --- ---
---------------
|Global Matrix|
---------------
Figure 5 - A Hierarchical Rule Based Assistant
An architecture for a global rule based administrative
assistant for hierarchical POset networks is given in figure 5. Note
the multiplicity of administrators (A), move suggestion methods (I),
rules, databases, and access matrices (M), and the presence of a global
set of rules, access matrix, and database. Alternative architectures
are plausible, and further work is needed to determine the optimal
architecture of such an administrator for a given set of applications.
The design given is simply used to demonstrate the principal, and to
illustrate the global nature of some of the information used in the
global restriction of data flow properties.
If there are no global requirements that can't be
expressed in terms of purely local requirements, we may construct a
distributed administrative assistant with completely independent
administrative domains. If we can express global requirements in terms
of the requirements of a proper subset of the network administrators, we
may construct a distributed administrative system in which multiple
administrators effect varying subsets of the network, but still avoid a
global administration system. This class of distributed administrative
systems does not require that hierarchies of administrators exist, but
the analysis is significantly complicated with the introduction of loops
in administrative dependence. The potential exists for a seemingly
rational set of local rules to produce inconsistent results in the
global network, and it is fairly clear that the problem of determining
the behavior of such a system is NP-complete in the general case.
Further work is needed in this area.
The hierarchical administration of systems suggests a
network flow control scheme that would reduce traffic analysis and
routing problems. The scheme is to flow information towards the root of
the C3I tree as far as is appropriate, and then back down the
appropriate branches to the recipient. The reduction of traffic
analysis comes from the use of multiple encryptions wherein the sender
successively encrypts (recipient,data) pairs with the public keys of the
successive recipients of the message. Each recipient can only remove
one level of encryption, and thus can only know the routing information
required to make the next routing decision. Figure 6 shows an example
hierarchy in which we wish to send a message (Mb) from B to D.
+-+
|A|
+-+
/ \
+-+ +-+
|B| |C|
+-+ +-+
|
+-+
|D|
+-+
Figure 6 - An Example Message Routing in a Hierarchical System
The encryption, decryption, and routing for this
scheme are given below. We assume that public encryption keys Ex for
each domain 'x' in the system are globally available, and the the
corresponding decryption keys Dx for each domain 'x' are private to x.
The RSA cryptosystem [8] might be used for this purpose, but any
sufficiently secure public key system would suffice. Note that at each
phase of the routing, only a single step of the routing is known to the
involved domain. In particular, the local decryption of a message only
reveals the next receiver to the holder, and missending the message
doesn't allow any further routing or decryption.
Mb - message at B
B creates Ea(C,Ec(D,(Ed(Mb))), and sends it to A
A does Da(Ea(C,Ec(D,(Ed(Mb)))), and gets C,Ec(D,(Ed(Mb)))
A now knows to send Ec(D,Ed(Mb)) to C and does so
C does Dc(Ec(D,(Ed(Mb)))), and gets D,(Ed(Mb))
C now knows to send Ea(Mb) to D and does so
D does Dd(Ed(Mb)), and gets the original message Mb!
Flow in such a network may be limited by restricting
access to public keys so that A has Ex iff (A f x), but this makes the
routing problem significantly more difficult in that each key along the
route from the root of the tree to the recipient domain must be in the
set of domains that the source of the message may flow to. Since all
messages to non children must pass through a parent, parents have flow
control over the transmission of messages.
In a trusted network such as that described above, a
network domain 'N' could reside in parallel with each domain so that
information passing through a portion of the tree need only have the
public key of N. This allows information to pass through the network
without effect on intermediate domains, and thus the public keys for
routing domains could be provided globally without requiring flow to all
of the intermediate domains. In the case of a compromise in a network
domain, only local routing information would be lost, and thus massive
collusion is necessary in order to attain complete message paths for any
significant portion of the network.
3 - Flow Between UCBs and TCBs
We now consider the problem of connecting trusted
computing bases (TCBs) and untrusted computing bases (UCBs) [5] to form
a network which enforces POset properties. Two communications
environments are considered; those with trusted paths, and those with
untrusted paths [7]. Simple design rules are given for the connectivity
of systems, and these rules are extended transitively to networks.
The implementation of a POset based TCB appears to be
straight forward. As an example, we could use a standard FCP matrix in
which we force the matrix to be upper triangular in hardware. A simple
implementation technique would be the use of ROM for the lower
triangular portion of the matrix, or a matrix access algorithm that
refuses requests to write into the lower triangular portion of the
matrix. We could augment this with a set of mappings (collusions)
between humans subjects and domains which would serve as a basis for
collusion analysis and permit automated administrative assistance.
In an untrusted computing base, we cannot trust the
system to prevent flow between domains, and therefore, from the
standpoint of systems which flow information to or from a UCB, the UCB
must be treated as a single domain. This is proven mathematically as
follows:
by assumption,
for all domains "A" and "B" within the UCB,
(A f B) and (B f A)
From antisymetry
for all "a" and "b"
[(a f b) and (b f a) => (a = b)]
thus A=B
In an environment with trusted communications paths,
two UCBs can communicate iff they are the same domain. If we have a
means for unidirectional communication, we can further permit UCBa to
communicate to UCBb iff (a f b). In such an environment, we can form a
POset TCB by using the physical properties of unidirectional
connectivity to protect information from illicit flow, and the physical
structure of the network to form the POset. Figure 7 shows these
conclusions pictorially.
UCB UCB UCB
----------------- ----- \ / -----
| --- \ / --- | | A |<-X->| B |
| |A| X |B| | ----- / \ -----
| --- / \ --- |
-----------------
UCB UCB UCB (AfB) UCB
----- ----- ----- -----
| A |<--->| A | | A |---->| B |
----- ----- ----- -----
Figure 7 - Flow Rules Between UCBs
In the case of TCBs communicating in a trusted
communications environment, we may permit any domain (A) in TCB1 to
communicate to any domain (B) in TCB2 iff (A f B). Again, this requires
unidirectional communication. If bidirectional communications are used,
we may only allow connections of the form:
(A f B) if A=B since,
by antisymetry [(a f b) and (b f a) => (a=b)].
As shown above, for any UCB (X), X must be single
domain (Xd). UCBs they can be used for passing information, so long as:
for all domains A that flow to X,
(A f Xd)
AND for all domains C that X flows to,
(Xd f C)
Figure 8 shows examples of legal connections:
TCB TCB UCB TCB
----------- ----------- --------- -----------
| --- | | --- | | | | --- |
| |A|<----------->|A|<------------>A | +------|A| |
| ---\ | | ---\ | +----/ | | | ---\ |
| --- | | --- | | | | | | --- |
| |C| | +------->|C|<---+ --------- | | |C| |
| --- | | | --- | |+-------->--- |
| ---/-------+ | ---/ | UCB || | ---/ |
| |B|------------>|B|--------+ --------- || | |B| |
| ---\ | | ---\ | | | <-----+| | ---\ |
| --- | | --- | +----->C<------+ | --- |
| |D| | | |D| | | | | |D| |
| --- | | --- | | | | --- |
----------- ----------- --------- -----------
Figure 8 - Connections Between TCBs and TCBs or UCBs
An implementation of unidirectional communications
between TCBs that is particularly appealing is one where the domain
being flown to (B) provides a public key to the domain being flown from
(A). This must be done in trust of the A's TCB (TCB1) to prevent the
key from being used to communicate information from B to A. The appeal
of this scheme is that we guarantee that flow goes only to B regardless
of violations in TCB1. This does not guarantee that a violation in TCB1
will not allow other domains to communicate to B, but assures that no
flow can occur from TCB1 to a domain in B's TCB (TCB2) that does not
exist in TCB1. Thus we protect the integrity of some of the data in
TCB2 even if TCB1 becomes untrusted.
Because the POset has the transitivity property, a
network comprised of TCBs and UCBs connected by the above rules will
maintain the flow control properties of the network's POset. In the
case of a violation of the POset policy within a TCB, the damage to the
entire network can be no worse than making all domains in that TCB equal
since:
for all domains (Dx,Dy) in the TCB,
(Dx f Dy) and (Dy f Dx) => (Dx = Dy)
Any violation in a UCB effects only that UCB's domain.
We may straight forwardly use collusion analysis to determine the
effects of flow violations and time transitivity. In fact, the use of a
computer network to implement an information network in this case is
completely transparent, and all analysis that is operative in the
information network applies directly to the computer network. Thus we
may connect computer networks without loss of assurance so long as we
follow the connection rules, again because of transitivity.
In a network with untrusted communications paths, we
may encrypt and authenticate connections of the same form as those in
the trusted communications case, and we will still have an appropriately
connected network with the transitive flow protection properties stated
above. Some care must be taken to assure that the cryptosystems offer
sufficient protection for the application at hand and that
communications protocols do not introduce covert channels. The
sufficiency of cryptosystems is application dependent, and has been
covered in previous works [5] [7] [8]. A scheme with arbitrary delay on
end to end confirmations and a constant portion of system time and space
dedicated to the network functions would tend to reduce covert channels,
but their complete elimination is unlikely.
We may also attempt to form a communications scheme in
which we pass information through domains which are not supposed flow
from or to the communicating domains. If we ignore the traffic analysis
and routing problems, have a suitable end to end encryption and
authentication technique, and use only TCBs for encryption and
decryption, we should be able to form a network with any physical
connections we desire. This places a high degree of risk in the
cryptosystem, and does not prevent denial of services attacks, etc.
This is an appropriate topic for further research.
In our method, we include a "network" domain in each
of the computer network's TCBs and use the RSA [8] for authentication
and encryption. To flow information, we forcibly encrypt it with the
recipient's public key and authenticate it with the sender's private
key. We then flow it to the network domain. This domain is limited to
network functions and must be proven correct. Normal routing operations
are then performed to communicate with other TCBs and flow information
to the appropriate recipient, who may decrypt information using the
sender's public key for authentication and the recipient's private key
for decryption. Since the encryption and decryption functions as well
as the key distribution are provided for by TCBs, domains may only
communicate to appropriate domains. Since only the recipient's TCB has
the recipient's private key, and only the sender's TCB has the sender's
private key, the previously stated network assurances are maintained.
This is analogous to the analysis of more restricted cases [7], and
similar problems, solutions, and restrictions apply in these more
general networks.
4 - Risk Assessment in Distributed Domain Networks
In a network based on distributed domains,
communication, and thus the ability to disseminate and modify
information are limited. If we assume that the system is properly
implemented and that external attackers are successfully thwarted by
common techniques, we are left with the effects of internal abuse. We
note that our discussion is based on the launching of attacks by
individuals or groups of individuals, but the method works equally well
in the analysis of accidental leaks and corruption of information.
Since individuals in such a network may access
multiple domains, it is convenient to consider individuals as collusions
of domains. We may quickly see that the maximal effect of an individual
is the combined transitive effects of all domains which that individual
can effect, and that the maximal dissemination is the combined
transitive domains effecting the individual. To consider groups of
individuals who might collude to launch an attack, we assume collusion
and treat them as a single individual.
In order to assess risk in such a system, we consider
corruptive effects and dissemination effects independently, and the add
them for the joint effect. Just as in standard risk assessment
techniques [9], we assign dollar values to resources and probabilities
to attacks, but unlike the standard analysis, we have a firm basis for
separation of resources, and thus a means for reducing the complexity of
analysis. Our technique is then quite simple:
Assign each domain a dissemination value (Vd) and a modification value (Vm) which correspond to the financial value of illicit dissemination and modification respectively.
Assign each human subject a yearly probability of illicit dissemination (Pd) and a yearly probability of illicit modification (Pm) which correspond to the likelihood of a successful attack of the type described being launched by each individual in a given year.
Determine a yearly expected loss for each subject (Ls) as the sum of Vd*Pd for each domain which can flow to the subject and Vm*Pm for each domain which the subject can flow to. This is easily done by using collusion analysis where a subject is represented as the collusion of all flows to and from that subject's domains.
Determine the system wide expected loss (Lsys) as the sum of Ls for all subjects 's'.
To reduce Lsys, we have a number of alternatives, combinations of which may lead to optimizations. The technique indicates that Lsys may be reduced by the following techniques:
reduce |s| - the number of subjects with access, without increasing the access of the remaining subjects.
reduce Vd, Vm for domains - the values of domains, perhaps by eliminating unnecessary information or making more domains with lower individual values.
reduce Ls - the expected loss per individual, perhaps by separation or reallocation of duties
reduce Pd, Pc - the likelihood of employee attack, perhaps by increased background checks or increased security awareness.
We note again that we assume that we have implemented a provably correct flow control system, and that it is operating properly. Thus, we are considering the "normal loss" expected of a system. A mathematical programming package might be well suited to the optimization of this type of system. The optimal solution of this problem appears to be quite complex, and further work in this domain might be of some interest. Finally, we note that determining the probabilities of attacks is essentially impossible without good statistics, and since this is so critical to accurate prediction, it is a limiting factor in any such technique.
We have extended previous results in structuring information networks for protection against illicit dissemination and modification to include distributed and hierarchical administration whereby the threat of even administrators may be reduced significantly. We have shown a method of routing information in these networks which prevents all preventable traffic analysis, maintains a high degree of security and integrity, and allows distributed and hierarchical administration. We have shown the connection rules for forming trusted POset computer networks with trusted and untrusted flow control computing bases. We have given a risk analysis technique which takes advantage of the mathematical structure of POsets to reduce the complexity of analysis and optimization, and shown that specific risk reduction techniques are indicated because of the mathematical results.
We conclude that the design of provable secure distributed information networks based on POsets with distributed administration is feasible, and that the use of such networks may significantly reduce the risk due to illicit uses of information networks. We further conclude that a significant research and development effort will be necessary in order to bring this type of network into fruitful application.
Further research will be required in order to design practical systems of this sort. In particular, the derivation of a method for the generation of moves for analysis by automated administrative assistants is a significant problem. The use of distributed administrative assistants without global knowledge depends on the development of policies for flow control which are adequate for the desired result while not requiring global knowledge. These policy developments are critical to the eventual use of these networks, and basic research in this area is required to establish the classes of policies that make this feasible. Approximations of globally dependent policies to localized independent policies also offers considerable hope, and is of considerable interest to other areas in distributed processing. The extension of these results to administrative POset dependence rather than hierarchical dependence are likely to coincide with the development of better understanding of policy limits.
Cryptographic protocols for operation in these networks must be detailed and proven secure. Results in this area are dependent on a cryptographic protocol theory which has yet to be fully developed. Minimization of expected loss and cost benefit analysis in the implementation of available techniques is required if the ramifications of design and policy decisions are to be well understood.
[1] F. Cohen, "Protection and administration of information networks with partial orderings." Computers and Security, V5#3, 1986
[2] F. Cohen, "Computer Viruses", Dissertation at U. of Southern California, Jan. 1986
[3] D. Bell and L. LaPadula, "Secure Computer Systems: Mathematical Foundations and Model", The Mitre Corp. 1973
[4] K. Biba, "Integrity Considerations for Secure Computer Systems", USAF Electronic Systems Division, 1977
[5] M. Klein, "Department of Defense Trusted Computer System Evaluation Criterion", 1983, Department of Defense, Ft. George G. Meade, Md.
[6] Proceedings of the Department of Defense Computer Security Center Invitational Workshop on Network Security, New Orleans, La. March 19-22, 1985.
[7] F. Cohen, "A Secure Computer Network Design", Computers and Security, V5#3, 1985
[8] R. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems", CACM V21#2 (Feb. 1978) PP120-126
[9] T. Saltmarsh, P. Browne, "Data Processing - Risk Assessment", Advances in Computer Security Management, V2, 1983.