Weak Tranquility Property (Dictionary Entry)


Weak Tranquility Property

Definitions

Definition 1

A secure level of the tranquility property in which security clearance levels and security classification levels are first initialized and may then be modified, but only by following a procedure that assures the legitimacy / authority of the person ordering the change and the security of the system throughout the transition to the new state.

This tranquility level imposes fewer constraints on the system than strong tranquility but more constraints than no tranquility.

A system with weak tranquility is tranquil and complies with the tranquility principle.

Note

Unless specified otherwise, the tranquility property refers to both security clearance levels and security classification levels. The concept may also be applied to security clearance levels only or to security classification levels only, in which case it is recommended to state this explicitly.

Related Terms

Quotes

The introduction of BLP caused some excitement: here was a straightforward security policy that was clear to the intuitive understanding, yet still allowed people to prove theorems. But John McLean showed that the BLP rules were not in themselves enough. He introduced System Z, defined as a BLP system with the added feature that a user can ask the system administrator to temporarily declassify any file from High to Low. In this way, Low users can read any High file without breaking the BLP assumptions.

Bell’s argument was that System Z cheats by doing something the model doesn’t allow (changing labels isn’t a valid operation on the state), and McLean’s argument was that it didn’t explicitly tell him so. The issue is dealt with by introducing a tranquility property. The strong tranquility property says that security labels never change during system operation, while the weak tranquility property says that labels never change in such a way as to violate a defined security policy.

The motivation for the weak property is that in a real system we often want to observe the principle of least privilege, and start a process at the uncleared level, even if the owner of the process were cleared to ‘Top Secret’. If she then accesses a confidential email, that session is automatically upgraded to ‘Confidential’; and in general, her process is upgraded each time it accesses data at a higher level (this is known as the high water mark principle). As subjects are usually an abstraction of the memory management subsystem and file handles, rather than processes, this means that state changes when access rights change, rather than when data actually moves.

(Anderson, 2001, p. 143)
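The following sketch is an added example, not part of the quoted text or of any cited system. It shows a toy reference monitor in which session labels rise by the high water mark principle and object labels may change only when the requester is authorized and every access already in force stays legal. The class and method names, the `officers` set standing in for the authorization procedure, and the choice of the two Bell-LaPadula rules as the "defined security policy" are assumptions.

```python
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class Monitor:
    """Toy reference monitor: BLP checks plus weakly tranquil label changes."""

    def __init__(self, officers):
        self.officers = set(officers)  # assumed: who may order a relabel
        self.clearance = {}            # subject -> maximum level
        self.current = {}              # subject -> session level
        self.label = {}                # object -> classification
        self.open = set()              # (subject, object, mode) in force

    def login(self, subject, clearance):
        self.clearance[subject] = clearance
        self.current[subject] = Level.UNCLASSIFIED  # start at the bottom

    def access(self, s, o, mode):
        lvl = self.label[o]
        if mode == "read":
            if self.clearance[s] < lvl:          # simple security: no read up
                return False
            new = max(self.current[s], lvl)      # high water mark
            self.current[s] = new
            # Writes that would now be write-down are revoked.
            self.open = {(a, b, m) for a, b, m in self.open
                         if not (a == s and m == "write" and self.label[b] < new)}
        elif lvl < self.current[s]:              # *-property: no write down
            return False
        self.open.add((s, o, mode))
        return True

    def relabel(self, requester, o, new):
        """Change a classification only if the transition stays secure."""
        if requester not in self.officers:       # authority of the requester
            return False
        for s, obj, mode in self.open:           # accesses already in force
            ok = self.current[s] >= new if mode == "read" else new >= self.current[s]
            if obj == o and not ok:
                return False
        self.label[o] = new
        return True
```

A System Z style request, in which an ordinary user asks for a High file to be relabelled Low, fails the authority check here, and an authorized downgrade is still refused while a higher-level session holds the file open for writing.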

Bibliography

See Also
