Strong Tranquility Property

Definitions

Definition 1

A secure level of the tranquility property where security clearance levels and security classification levels are first initialized and then cannot be modified during the overall lifecycle of the system.

This tranquility level imposes more stringent constraints on the system than weak tranquility.

A system with strong tranquility is tranquil and complies with the tranquility principle.

Note

If not specified otherwise, the tranquility property refers to both security clearance levels and security classification levels. The concept may also be applied to security clearance levels only or to security classification levels only, in which case it is recommended to state this explicitly.

Related Terms

Quotes

...

The introduction of BLP caused some excitement: here was a straightforward security policy that was clear to the intuitive understanding, yet still allowed people to prove theorems. But John McLean showed that the BLP rules were not in themselves enough. He introduced System Z, defined as a BLP system with the added feature that a user can ask the system administrator to temporarily declassify any file from High to Low. In this way, Low users can read any High file without breaking the BLP assumptions.

Bell’s argument was that System Z cheats by doing something the model doesn’t allow (changing labels isn’t a valid operation on the state), and McLean’s argument was that it didn’t explicitly tell him so. The issue is dealt with by introducing a tranquility property. The strong tranquility property says that security labels never change during system operation, while the weak tranquility property says that labels never change in such a way as to violate a defined security policy.

The motivation for the weak property is that in a real system we often want to observe the principle of least privilege, and start a process at the uncleared level, even if the owner of the process were cleared to ‘Top Secret’. If she then accesses a confidential email, that session is automatically upgraded to ‘Confidential’; and in general, her process is upgraded each time it accesses data at a higher level (this is known as the high water mark principle). As subjects are usually an abstraction of the memory management subsystem and file handles, rather than processes, this means that state changes when access rights change, rather than when data actually moves.

(Anderson, 2001, p. 143)
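The System Z scenario from the quote above, replayed against a toy BLP reference monitor with and without strong tranquility. This is an added example, not taken from the cited sources; the class, method and label names (`Monitor`, `seal`, `low_user`, `plans`) are hypothetical, and the two-level lattice is a simplification.

```python
from enum import IntEnum

class Level(IntEnum):
    LOW = 0
    HIGH = 1

class TranquilityViolation(Exception):
    """Raised when a label change is attempted after initialization."""

class Monitor:
    """Toy BLP reference monitor; all names here are hypothetical."""

    def __init__(self, clearances, classifications, strong=True):
        self._clearance = dict(clearances)            # subject -> Level
        self._classification = dict(classifications)  # object -> Level
        self._strong = strong
        self._sealed = False

    def seal(self):
        """End of initialization; strong tranquility freezes labels from here."""
        self._sealed = True

    def _change(self, table, name, level):
        if self._strong and self._sealed:
            raise TranquilityViolation(f"label of {name!r} is fixed")
        table[name] = level

    def set_clearance(self, subject, level):
        self._change(self._clearance, subject, level)

    def set_classification(self, obj, level):
        self._change(self._classification, obj, level)

    def can_read(self, subject, obj):
        # BLP simple security property: no read up.
        return self._clearance[subject] >= self._classification[obj]

def system_z(strong):
    """Replay the System Z declassification; return (before, blocked, after)."""
    m = Monitor({"low_user": Level.LOW}, {"plans": Level.HIGH}, strong=strong)
    m.seal()
    before = m.can_read("low_user", "plans")
    try:
        m.set_classification("plans", Level.LOW)  # High -> Low relabel
        blocked = False
    except TranquilityViolation:
        blocked = True
    return before, blocked, m.can_read("low_user", "plans")

if __name__ == "__main__":
    print(system_z(strong=False))  # labels may change: the Low read succeeds
    print(system_z(strong=True))   # labels frozen: the relabel is rejected
```

Without tranquility every individual read still passes the no-read-up check, which is why the access rules alone cannot rule out System Z; the frozen label store is what blocks it.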

Bibliography

Anderson, 2008, p. 247
Anderson, 2001, p. 143
Bell, 1988, p. 11-ii

See Also
