Professional Documents
Culture Documents
Đề tài 5 PDF
Đề tài 5 PDF
12-31-2016
Omar Nouali
Research Center on Scientific and Technical Information
Mohand-Tahar Kechadi
University College Dublin School of Computer Science and Informatics
Recommended Citation
Fehis, Saad; Nouali, Omar; and Kechadi, Mohand-Tahar (2016) "A New Distributed Chinese Wall Security Policy Model," Journal of
Digital Forensics, Security and Law: Vol. 11 : No. 4 , Article 11.
DOI: https://doi.org/10.15394/jdfsl.2016.1434
Available at: http://commons.erau.edu/jdfsl/vol11/iss4/11
This Article is brought to you for free and open access by the Journals at
Scholarly Commons. It has been accepted for inclusion in Journal of Digital
Forensics, Security and Law by an authorized administrator of Scholarly
Commons. For more information, please contact commons@erau.edu.
(c)ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
ABSTRACT
The application of the Chinese wall security policy model (CWSPM ) to control the informa-
tion flows between two or more competing and/or conflicting companies in cloud computing
(Multi-tenancy) or in the social network, is a very interesting solution.
The main goal of the Chinese Wall Security Policy is to build a wall between the datasets
of competing companies, and among the system subjects. This is done by the applying to
the subjects mandatory rules, in order to control the information flow caused between them.
This problem is one of the hottest topics in the area of cloud computing (as a distributed
system) and has been attempted in the past; however the proposed solutions cannot deal
with the composite information flows problem (e.g., a malicious Trojan horses problem),
caused by the writing access rule imposed to the subject on the objects.
In this article, we propose a new CWSP model, based on the access query type of the subject
to the objects using the concepts of the CWSP. We have two types of walls placement, the
first type consists of walls that are built around the subject, and the second around the
object. We cannot find inside each once wall two competing objects’ data. We showed that
this mechanism is a good alternative to deal with some previous models’ limitations. The
model is easy to implement in a distributed system (as Cloud-Computing). It is based on the
technique of Object Oriented Programming (Can be used in Cloud computing ”Software as
a service SaaS”) or by using the capabilities as an access control in real distributed system.
Keywords: Security Policy, Chinese Wall, Information flow, Distributed system, Cloud
Computing
c 2016 ADFSL Page 149
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
two competitors using the same cloud infras- • ”The basis of the Chinese wall policy
tructure and the same provider. This may is that people are only allowed access to
cause issues of how to control the informa- information which is not held to conflict
tion flow between those competing compa- with any other information that they al-
nies and also between subjects in general. ready possess”(Brewer & Nash, 1989).
The Chinese Wall Security Policy CWSP is So, the user (subject) cannot access any
a very interesting candidate solution to the other information in conflict with the in-
above problem. The CWSP has already formation already possessed. So, each
been used in commercial applications; for subject has a Granted and a Denied set
instance, the UK’s financial sector, which of companies, where, each company in
provides consulting services, uses the CWSP Granted set has their competing com-
model. As consultants must respect the con- panies in the Denied set. The pairwise
fidentiality agreements, the CWSP is used (Granted, Denied), interpreted by the
to prevent such confidentiality from being build of the wall around the subject,
breached by avoiding the information flow named ”subject’s wall.” And we con-
that causes conflict of interest between in- clude that, ”we cannot find inside the
volved parties. same wall two competing objects’ data.”
The CWSP was defined and named by • ”Information can flow between two ob-
Brewer and Nash (BN model ). They have jects only via a subject, and informa-
developed their first model in 1989 (Brewer tion can flow between two subjects only
& Nash, 1989). The model became very via an object” (Sharifi & Tripunitara,
attractive and therefore many other mod- 2013), (malicious Trojan horse’s prob-
els based on the same idea have been pro- lem). So, from these points in our hand,
posed in subsequent years (Lin, 1989, 2000, we can apply by symmetry the build of
2002, 2003, 2007, 2015; Sharifi & Tripuni- the wall around the object as a same
tara, 2013). The model and its variant have rule to the subject (we cannot find in the
been successfully used in many applications same wall two competing objects’ data)
(Atluri, Chun, & Mazzoleni, 2004; Minsky, . So, we have the second wall around
2004; Hsiao & Hwang, 2010; Wu, Ahn, Hu, the object, named ”object’s wall.”
& Singhal, 2010; Tsai, Chen, Huang, Huang,
& Chou, 2011; Kesarwani et al., 2011; Xie, However, the object is a passive entity,
Ray, Adaikkalavan, & Gamble, 2013) in or- and is an opposite to the subject, considered
der to control the information flow between it as an ”active entity,” has an ”access right”
the competing subjects residing in the same Granted / Denied. The object is used to
system. More importantly, after an exten- store the data, so each object has a ”Stored
sive state-of-the-art on the proposed secu- right” (is not like the access right), where
rity models based on Chinese wall, we find we cannot store inside the same object, data
that the main goal of those models is to con- related to two competing companies. So,
trol the composite information flow (CIF ) the object has two sets Allied and Conflict,
between competing companies (a malicious where the Allied set has the companies (ob-
Trojan horse’s problem), caused by the ac- jects) who have a data stored inside the same
cesses in writing from the subjects on the object (so in allied ), and the Conflict set
objects. We can summarise these models by contains the companies (objects) in conflict
the following two important points: with the Allied set. The pairwise (Conflict,
Page 150
c 2016 ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
Allied) can be interpreted by the build of the binary relation, equivalence relation and
the wall around the object, named ”object’s the partitions. And finally, a list of refer-
wall.” ences used in our work.
In our approach, each subject has a
security label composed by the pairwise 2. MODELS IDEA
(Granted, Denied), each object has a secu-
rity label composed by the pairwise (Con- ANALYSIS
flict, Allied) and the rule to execute the read- In this work, we based our idea on the access
ing or writing query is ”we cannot find two query type of the subject to the objects and
competing data inside the same wall (object’s the philosophy of the Chinese wall security
or subject’s wall ).” From this idea, we can policy CWSP. Its rule is the building of the
build walls between the competing compa- walls between the competing companies. In
nies, and so the concept of the policy of Chi- our model, we have two types of walls place-
nese wall (Brewer & Nash, 1989). The model ment, the first is built around the subject,
assures an efficient control of the direct and and the second around the object. We can-
composite information flow. not find inside the same wall two data re-
At this level and to apply our model of lated to two competing objects. So, we start
the policy of CWSP in distributed system, by these analysis:
the securities labels for the subject or object, The subject firstly, is freely to choose to
can manage they, by the server that host access to any object; at this step it’s im-
the subject/object. So, each access query portant to known the nature of this access:
of any subject to any object will associate it reading or writing access, as in following:
with the security label of the subject, where
it is verify by the server that host the ob- 2.1 Reading Queries:
ject. So, our model can be viewed as a dis- If the access is a reading request, or the sub-
tributed CWSP model (D-CWSPM). And, ject reads from the object, so we can inter-
also can be implemented based on a tech- pret this by the moving of the data from the
nique of Object Oriented Programming (Can object side into the subject side (inside the
be used in Cloud computing ”Software as a subject’s wall ). Therefore, there is a related
service SaaS”) or by using the capabilities as data (information) of the object inside this
an access control in real distributed system. wall. Consequently, the access is denied of
The remainder of the paper is organized this subject to the competing objects with
as follows: In section 2, we will present our the objects inside subject’s wall. Therefore,
idea illustrated by an example. In section the subject has two security labels:
3, we will present the formal model and in-
formation flow problems. In section 4, we • The Subject Wall Granted (SW G): Is
will present the D-CWSPM vs Access Matrix a set of objects, who theirs related data
(can be used in system based on matrix as an are in the subject’s side.
access control ). In section 5, we present the • Subject Wall Denied (SW D): The set
related previous works. In section 6, we will of all objects denied to moving theirs
present the implementation of D-CWSPM data into the subject’s side.
based on OOP. Then we will provide a con-
clusion with the future research directions, The pairwise (SW G, SW D), can be inter-
then in the appendix, the two main models preted, by the building of the wall around
(BN’s and Lin’s model) and the related of the subject.
c 2016 ADFSL Page 151
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
Table 1. The Initial State of the Object’s Q4: Subject Sub1 reading access from the
Walls object Ob3 , we have inside the Sub1 ’s
wall a data related to the object Ob1
Object Object’s Wall and this object isn’t in conflict of inter-
Ob1 OWA = {Ob1 }; OWC = {Ob2 } est with the object Ob3 , so the access is
granted and also the moving of the data
Ob2 OWA = {Ob2 }; OWC = {Ob1 } from Ob3 to the subject Sub1 side, inside
Ob3 OWA = {Ob3 }; OWC = {Ob4 } of its wall. In the same time the access
Ob4 OWA = {Ob4 }; OWC = {Ob3 } denied to the object ob4 , in conflict with
Ob3 . So we update of the Sub1 ’s wall as
Ob5 OWA = {Ob5 }; OWC = {∅}
following:
Page 152
c 2016 ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
SW G1 = {Ob1 , Ob3 } and 1. The first step is the reading: After the
SW D1 = {Ob2 , Ob4 }. reading access, we have inside Sub3 ’s
wall a data related to three objects Ob1 ,
Q5: Subject Sub1 writing access to the ob- Ob3 and Ob5 . So, the updating of the
ject Ob5 , so the moving data from the subject’s wall as following:
Sub1 side into the object Ob5 . It’s clear, SW G3 = SW G3 ∪ OW A5 ,
this data related to Ob1 or Ob3 . So prob- SW D3 = SW D3 ∪ OW C5
ably, the object Ob5 contains a data re-
lated to the objects Ob1 or Ob3 , and can- So, OW C5 set contains Ob2 .
not contains a two data related to two
competing objects (Ob2 in conflict with 2. The second step is the writing: the writ-
the object Ob1 and Ob3 with the object ing access to the object Ob2 , this, is not
Ob4 ). So we need to update the Ob5 ’s permitted, because the object is in the
wall as follow: Denied set (SW D3 ) of the subject. So,
the access is denied.
OW A5 = {Ob5 , Ob1 , Ob3 }, So, as a result, our malicious subject can-
OW C5 = {Ob2 , Ob4 }. not create a CIF between competing objects.
And in end we can view in table 2 and 3,
the final state of the Subjects’ and Objects’
The Ob5 ’s wall composed by the pair-
walls.
wise (OW A5 , SW C5 ).
Table 2. The End State of the Subject’s
Q6: Subject Sub2 writing access to the ob- Walls
ject Ob5 , so moving data from its in-
side (a data related to Ob2 ) into the Subject Subject’s Walls
object Ob5 . However, the object Ob5 Sub1 SW G1 = {Ob1 , Ob3 };
contains a data related to the object
Ob1 who it is in competition with Ob2 SW D1 = {Ob2 , Ob4 }
(Ob2 ∈ OW C5 ). And, this is in contra- Sub2 SW G2 = {Ob2 }; SW D2 = {Ob1 }
diction with the Chinese wall security Sub3 SW G3 = {Ob1 , Ob3 , Ob5 };
policy, so this query is denied and not
permitted. SW D3 = {Ob2 , Ob4 }
c 2016 ADFSL Page 153
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
Table 3. The end state of the object’s walls • Intermediate level: we group all ob-
jects which concern the same corpora-
Object Object’s Walls tion together into what we call a com-
Ob1 OWA = {Ob1 }; OWC = {Ob2 } pany dataset (Brewer & Nash, 1989).
Ob2 OWA = {Ob2 }; OWC = {Ob1 } • Highest level: we associate with each
Ob3 OWA = {Ob3 }; OWC = {Ob4 } company dataset, say X, a ”Frechet
Ob4 OWA = {Ob4 }; OWC = {Ob3 } neighborhood”, denoted by CIN(X)
”Conflict of Interest Neighborhood of
Ob5 OWA = {Ob1 , Ob3 , Ob5 }; X”, where CIN(X) is the set of all com-
OWC = {Ob2 , Ob4 } pany datasets that are in conflict of in-
terest with X.
”we cannot find inside the same
wall, data related to two competing
3.2 Conflict of interest
objects” relation CIR
. Let CIR ⊆ OB × OB as a binary relation,
Formally as in the following: satisfies the following properties.
Page 154
c 2016 ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
their related data inside the object obji . • SW D(Si ) = ∅ initialized by an empty
So, if there is an object objj ∈ OW Ci , set, because the subject is free to choose
that, the object obji cannot will con- any object
tain any related information of the ob-
ject objj . Otherwise, the object obji has
a data related to another object in the The pairwise (SW Gi , SW Di ) can it inter-
conflict of interest with the object objj . pret by the building of the wall around the
subject Si , so, we cannot find inside the same
And they are initially as following: wall two data related to two distinct compet-
ing objects.
• OW A(obji ) = obji , initialized by its 3.3.3 Query(Si , objj , mode)
self,
Any query made by a subject Si to access to
• OW C(obji ) = {objj ∈ the object objj with the mode equal to:
OB|(obji , objj ) ∈ CIR} • read: to read from the object
The pairwise (OW Ai , OW Ci ) can it inter- • write: to write into the object
pret by the building of the wall around the
object obji . So, we cannot find inside the The access is authorized, if and only if,
same wall, two data related to two distinct this condition is verified:
competing objects.
SW Gi ∩ OW Cj = ∅ And
3.3.2 SU SW Di ∩ OW Aj = ∅
Denote the set of all subjects, where each And in the same time:
subject Si has or associated with two subsets If the mode is Reading Query (Writing
of the object OB: into the subject side, inside the subject’s
wall ):
• SW G(Si ) ⊆ OB, Or simply SW Gi , the
set of the objects have a related data • SW Gi = SW Gi ∪ OW Aj
inside the subject wall of Si (read by
the subject). So, if there is an object • SW Di = SW Di ∪ OW Cj
objj ∈ SW Gi , so the subject Si contains
If the mode is Writing Query (In Object
a related data of the object objj .
side, inside the wall that round the object):
• SW D(Si ) ⊆ OB, Or simply SW Di , the
• OW Aj = SW Gi ∪ OW Aj
set of the objects denied to will be read
by the subject Si . So, if there is an • OW Cj = SW Di ∪ OW Cj
object objj ∈ SW Di , that the subject
Si cannot will contain (or read ) any re- Otherwise, the access is denied.
lated data of the object objj .
4. INFORMATION
And they are initially as following:
FLOW’S AND
• SW G(Si ) = ∅; initialized by an empty
set, because the subject isn’t yet read
D-CWSPM
any object; We give the following definition:
c 2016 ADFSL Page 155
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
We will use proof by Recurrence; on the So the result of the DIF from A0 to A1 is:
number of DIFs between companies.
OW A0 ⊆ OW A1
Let n the number of DIFs between these
OW C0 ⊆ OW C1 .
two companies.
So, A0 ∈ OW A1 .
With n = 1:
First, the initial assertion: Since A = Let now our theorem is true with n − 1 DIFs
A0 → A1 = B is a DIF, or read data from and we need to verify, if is it true for n DIFs.
object A0 by any Subject Si , then write it So we have:
by the same subject to A1 = B:
A = A0 → A1 → ... → An−1
• Reading by the subject Si from the ob-
ject A0 is granted, if and only if: And we need to extend it to An = B, where
A ∈ OW CB . From the sequence of size n−1
SW Gi ∩ OW CA0 = ∅ And of the DIFs, we have:
SW Di ∩ OW AA0 = ∅
A = A0 ∈ OW A0 ⊆ OW A1 ⊆ OW A2 ⊆
And the result is: ... ⊆ OW An−1 .
Page 156
c 2016 ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
And it is the same with the set of OW C. be represented by a matrix, where we call it,
Let, there is a subject Sj need to create a the object’s wall matrix (OW M ).
DIF between An−1 and An . So, the subject The OW M , be a matrix with element
Sj needs to read from An−1 then writing to OW M (i, j) corresponding to the members
An , so we have two following steps: of OB × OB, where the value of OW M (i, j)
is:
• The first step is reading from An−1 by
the subject and the consequence is: 1: The object obji contains (or stored inside
itself ) a data related to objj ;
SW Gj = SW Gj ∪ OW An−1
0: The object obji cannot contain any data
And
related to the object objj . Or the object
SW Dj = SW Dj ∪ SW Cn−1 . obji has a data related to an object in
the conflict of interest with the object
So A ∈ SW Gj and B ∈ OW CA ⊆ objj .
SW Dj .
-1: There isn’t any data related to the ob-
• The second step is writing to An , with ject objj or to its competing objects,
the condition, that SW Gj ∩OW Cn = ∅. stored inside the object obji ;
However, in our case, we have A ∈
SW Gj and A ∈ OW Cn , so the inter- Initially,
section is different from the empty set
(∅). • OW M (i, j) = 1 if i = j,
So, the writing query is denied because • OW M (i, j) = 0 if (obji , objj ) ∈ CIR,
A0 ∈ OW Cn . And the result is that
no CIF between those competing com- • otherwise −1.
panies A and B. QED
And we can define also two subsets of OB:
We conclude, that our distributed D-
CWSPM assures that no CIF between any • OW A(obji ) = {objj ∈
two companies if they are in conflict of in- OB|OW M (i, j) = 1} the set of all
terest. objects, have their data stored inside of
the object obji ,
5. D-CWSPM VS • OW C(obji ) = {objj ∈
ACCESS MATRIX OB|OW M (i, j) = 0} the set of all
objects denied to be stored inside of
In this section, we will present how to imple- the object Oi ,
ment our distributed model using the matrix
as mechanism, and to compare it with the The second wall in our model is the sub-
previous proposed models. ject’s wall. So for any subject Si , its
wall can be represented by, the pairwise
5.1 Access matrix Model (SW Gi , SW Di ). So the set of the walls can
Firstly, in our model, any object’s wall is be represented by a binary relation between
represented by the pairwise (OW A, OW C). subject and object, and can be represented
And The set of walls can be viewed as a bi- by a matrix, where we call it, the Subject’s
nary relation between objects, therefore can wall matrix (SW M ).
c 2016 ADFSL Page 157
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
Page 158
c 2016 ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
in the next section we will present the re- disjoint conflict of interest classes (COI-
lated application works of the CWSP in the classes), such a disjoint collection is called
environment as distributed system (Cloud- a partition in mathematics. COI-classes sel-
Computing, work-flow ). dom disjoint, they do overlap, and hence BN
theory collapses. Also, the authors did not
6.1 Related works based on distinguish between human users and sub-
access matrix jects that are processes running on behalf
The CWSPM was identified and so named of users. The BN’s write rule (*-property)
by Brewer and Nash (BN’s model ), where is successful in preventing such information
they developed a mathematical model for leakage by Trojan Horse. However, it does
this policy (Brewer & Nash, 1989). Their so at an unacceptable cost.
idea is the grouped of the dataset of com- It is easy to see that the BN write rule has
panies in conflict of interest classes (COI ), the following implications (Sandhu, 1992):
so a set of partitions and applying to sub- A subject which has read objects from two
jects a mandatory ruling, where all subjects or more company datasets cannot write at
are allowed access to at most one dataset be- all. And, a subject which has read ob-
longing to each such conflict of interest class jects from exactly one company dataset can
(security rule ). Where, the access is only write to that dataset. These implications are
granted if the object requested: clearly unacceptable (if the computer sys-
tem is to be used for something more than
a) Is in the same Company Dataset as an a read-only repository of confidential infor-
object already accessed by that subject, mation)(Sandhu, 1992). Under this regime
or, a consultant can work effectively so long as
he or she is assigned to exactly one company
b) Belongs to an entirely different Conflict (however, even then the consultants is for-
of Interest Class. bidden to write public information). When
the consultant is assigned to a second com-
Access, means read or write. So, this pany, he or she will be unable to write any
to answer that no direct information flow information into the system. Consequently,
(DIF ) between competing companies. And the model proposed is very restrictive as it
also they prevents the CIF by the application allows a consultant to work for one company.
of the start-property rule to write access, Sandhu (Sandhu, 1992) improves upon
where is only permitted if, the: this model by making a clear distinction be-
tween users, principals, and subjects, de-
a) Access is permitted by the simple
fines a lattice-based security structure, and
security rule, and,
shows how the CWP complies with the Bell-
b) No object can be read which is in a dif- Lapadula model (Bell & La Padula, 1976).
ferent Company Dataset to the one for In the same year, Lin announces a modi-
which write access is requested and con- fied model, called an aggressive Chinese Wall
tains un-sanitized information. Security Policy Model (ACWSPM )(Lin,
1989) to fix the errors of BN. The error is
The proposal was a great idea. Unfor- that the conflict of interest (COI ) is a binary
tunately, BN’s model was based on incor- relation (CIR), and not, an equivalence class
rect assumption that corporate data can (partitions). The CIR is non-reflexive, sym-
be partitioned (decomposed ) into mutually metric and Anti-transitive. The Lin’s idea is
c 2016 ADFSL Page 159
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
the construction of a partition, so an equiv- of the DIF / CIF by the using of the
alence relation. Lin, extend the CIR rela- same BN’s idea (Brewer & Nash, 1989), un-
tion to an equivalence relation (partition). sanitized/sanitized information and also the
However, then the known properties of a bi- read/write access type, where: In BN the un-
nary relation do not support the elegance sanitized information is confined to its self-
and crispness of an equivalence relation, the company but in Lin to allied dataset. So,
enthusiasm was lost. the inheriting of the problem (Sandhu, 1992)
Based on the work of Pawlak (Pawlak, ”consultant to work for one company only”
1984) (Pawlak, 1997), Lin in (Lin, 2002), to ”consultant to work for one allied com-
show that the lack of crispness of the panies only”. So, no difference between the
ACWSP, since CIR cannot produce a par- problem of the DIF and the CIF inside the
tition. However, the partition, can be re- same company / allied companies (as a set
captured by the induced equivalence relation of objects in the same of a single company).
of a binary relation. The idea is ”each binary There is a recent and interested work pro-
relation induced equivalence relation” (Lin, posed by Sharifi and al. (Sharifi & Tripuni-
2002)-(Lin, 2007). The induced equivalence tara, 2013), where they proposed a Least-
relation named by IAR ”In allied with” re- Restrictive Enforcement of the CWSPM
lation used by Lin is the complement of CIR based on graph representation.Their enforce-
(Theorem: CIR is a symmetric and anti- ment mechanism mediates read attempts
reflexive and anti-transitive binary relation. only to prevent subject-violations, and write
Its complement IAR is an equivalence rela- attempts only to prevent object-violations.
tion). However, there is a strong mathematical
In the end Lin applied a rules to subjects confusion between the notion of the class,
based on CIR relation and an allied parti- partition, equivalence binary relation and
tion, all this to answer that no information the transitivity property (page 3 ). Also,
flow can will occur between the competing their graph representation is very complex
companies. for the implementation.
From these previous models, we are ob- Finally, our new model in this article is
serving, that both models BN and Lin, based easy for the implementation based access
on the partitioning of the companies in set of matrix and fixing the problems of the pre-
class (partitions). In BN’s model the com- vious proposed models.
peting companies in the same partition, how- In the first, our main objective is the ap-
ever, in Lin’s model the allied companies in plication of the CWSP in the Cloud Com-
the same partition. The partitions in BN’s puting, and the social network and not the
model can overlap (example A in conflict proposition of a new model for the CWSP.
with B, B with C and C with D). In Lin’s However, and after analyses of the pre-
model the partition based on the comple- vious proposed models (Brewer & Nash,
ment of the CIR relation (induced equiva- 1989)-(Sandhu, 1992), and theirs applica-
lence relation), can overlap if the CIR rela- tions (Atluri et al., 2004) (Hsiao & Hwang,
tion is not ”ant-transitive”, case named by 2010) (Wu et al., 2010) (Tsai et al., 2011)
Lin as a ”Bad CIR Relation” (page 10 in (Kesarwani et al., 2011) (Xie et al., 2013)
(Lin, 2003)), so a real case excluded by Lin’s (Alqahtani, Gamble, & Ray, 2013) (Minsky,
model! 2004), we are surprising by many problems.
Also, we are observing, that, Lin in For example the problem of the Conflict of
(Lin, 1989)-(Lin, 2007) fix the problems interest (COI) is a set of disjoint class or a
Page 160
c 2016 ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
In the end, there is an interesting work • Subject Class: This class is the set of
(Minsky, 2004), named by ”A Decentralized all subject in our system, where each in-
Treatment of a Highly Distributed Chinese- stance has an single identification, and
Wall”, however, they based on wrong model, can access to any object in our sys-
the Brewer and Nash model (Brewer & Nash, tem, by using the object interfaces, and
1989). CWSP rule.
c 2016 ADFSL Page 161
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
Page 162
c 2016 ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
in the past based on the wrong models. to each such group as a conflict of inter-
est class.
4. The model can be used in Inter-process
communication (IPC ), so not always
and only between subject and object.
So to extending it between processes
(subjects) as active entity in the same
system.
c 2016 ADFSL Page 163
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
• Definition l: • Theorem 3:
N , a boolean matrix with elements If for some conflict of interest class X
N (v, c) corresponding to the members there are Xv company datasets then the
of S×C which take the value true if sub- minimum number of subjects which will
ject sv has, or has had, access to object allow every object to be accessed by at
Oc or the value false if Sv has not had least one subject is Xv .
access to object O0 Once some request
9.1.3 Sanitized Information
R(u, r) by subject Su to access some
new object Or has been granted then • Definition 2:
N (u, r) must be set true to reflect the For any object Oa ,
fact that access has now been granted.
Ya = Yo implies that Oa contains sani-
Thus, without loss of generality, any re-
tized information
quest R(u, r) causes a state transition
whereby N is replaced by some new N , Ya <> Yo implies that Oa contains un-
N 0. sanitized information
• Axiom 5:
• Axiom 2:
Access to any object Or by any sub- Yo ⇐⇒ Xo
ject su is granted if and only if for all
In other words, if an object bears the
N (u, c) = true (i.e. by D1, su has had
security label Yo then it must also bear
access to Oo )
the label Xo and vice versa. theorem 2
tells us that all subjects can access this
((Xo <> Xr )or(yc = yr )). company dataset.
• Axiom 3: • Axiom 6:
N (v, c) =false, for all (v, c) represents Write access to any object Ob by any
an initially secure state. subject Su is permitted if and only if
N 0 (u, b) = true and there does not exist
• Axiom 4: any object Oa (N 0 (u, a) = true) which
can be read by Su for which:
If N (u, c) is everywhere false for some
su then any request R(u, r) is granted. Ya <> Yb and Ya <> Yo .
• Theorem 1: • Theorem 4:
Once a subject has accessed an object The flow of un-sanitized information is
the only other objects accessible by that confined to its o,wn company dataset;
subject lie within the same company sanitized information may however flow
dataset or within a different conflict of freely throughout the system.
interest class.
9.2 Lin’s Model:
• Theorem 2: In this section and before to present the Lin’s
A subject can at most have access to model we start by some by presenting some
one company dataset in each conflict of properties related to the binary relations,
interest class. then the Lin’s model.
Page 164
c 2016 ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
9.2.1 Binary Relation Property however, the expected sharpness and crisp-
Let V a set of objects (or elements), and we ness of the model, which are reflections some
recall some definitions: characteristics of equivalence relations, are
lost. With the notion of the induced equiva-
• A binary relation is a subset, B ⊆ V ×V lence relation, in this section, we will present
for each object p ∈ V , we associate a set the mains points of Lin’s model based on in-
Bp defined by: duced equivalence.
Let O be a set of objects; an object is a
Bp = {v ∈ V |pBv} or Bp = {v ∈
dataset of a company. In Lin’s model the
V |(p, v) ∈ B}.
conflict of interest is a binary relation, noted
That consists of all elements v that are by CIR. Where CIR ⊆ O × O, satisfies the
related to p by B. Bp is called a binary following properties:
neighbourhood.
If the binary relation is an equivalence CIR-1: CIR is symmetric.
relation, then Bp is the equivalence class CIR-2: CIR is anti-reflexive.
containing p.
CIR-3: CIR is anti-transitive.
• A symmetric binary relation B is a bi-
nary relation such that for every (u, v) ∈ It should be clear CIR-2 is necessary; a
B implies (v, u) ∈ B. company cannot conflict to itself. If com-
pany A is in conflicts with B, B is certainly
• A binary relation B is anti-reflexive: if in conflicts with A, so CIR-1 is valid.
B is non-empty and no pair (v, v) is in To see CIR-3, let O = {U SA, U K, U SSR}
B. That is, B ∩ ∆ = ∅, where ∆ = be a set of three countries. Let CIR be ”in
{(v, v)|v ∈ V } is called diagonal set. cold war with”. If the relation ”in cold war
• A binary relation B is anti-transitive: if with” were transitive, then the following two
B is non-empty and if (u, v) belongs to statements:
B implies that for all w either (u, w) or (1) USA is in cold war with USSR.
(w, v) belongs to B. (2) USSR is in cold war with UK.
would imply that
Let the complement, B 0 = V × V ∼ (3) USA is in cold war with UK.
B, is called the complement binary relation Obviously, this is absurd. In fact this ar-
(CBR) of B. gument is applicable to any country; In other
Proposition: if B is symmetric, anti- words, (2) and (3) cannot be both true for
reflexive and anti-transitive, then B 0 is an any country (that replaces UK ). So we have
equivalence relation (Lin, 2007). anti-transitivity for CIR.
Corollary 4: If B is symmetric, anti- Let ECIR be the induced equivalence rela-
reflexive and anti-transitive, then B 0 is the tion of CIR. In this model a new ”axiom”
induced equivalence relation EB . will be explicitly added, though it is implied
by the others (See Proposition 2 )
9.2.2 Model
In spite of their error, Brewer and Nash’s CIR-4: The granulation of CIR and parti-
intuitive idea is a fascinating one. To keep tion of ECIR are compatible, in the sense
their spirit, in (Lin, 1989) Lin reformulated that each CIR-neighbourhood is a union
the model based on a general binary relation; of ECIR -equivalence classes.
c 2016 ADFSL Page 165
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
• Theorem 1:
Once a agent Si has accessed an object
Oj , the only other objects Ok accessible
by Si is either inside the allied dataset
of Oj or outside of CIROj .
• Theorem 2:
The minimum number of agents which
allow every object to be accessed by at
least one agent is n, where n is the num-
ber of ECIR -equivalence classes.
• Theorem 3:
The flow of un-sanitized information is
confined to its allied dataset; sanitized
information may, however, flow freely
through the system.
Page 166
c 2016 ADFSL
A New Distributed Chinese Wall Security Policy Model JDFSL V11N4
c 2016 ADFSL Page 167
JDFSL V11N4 A New Distributed Chinese Wall Security Policy Model
Page 168
c 2016 ADFSL