
Page 1: Chinese Wall Security Policy Models: Information Flows and

Chinese Wall Security Policy Models: Information Flows and Conflicting Trojan Horses

Tsau Young Lin
Department of Computer Science

San Jose State University
San Jose, California 95192

[email protected]

Article Outline

Glossary

I. Introduction

II. The Error in BN Theory

III. Chinese Wall Security Policies

IV. Chinese Walls, DAC Models and Trojan Horses

V. Granular Analysis and Computing

VI. The Induced Partitions

VII. The Complement of a Binary Relation

VIII. Conflict of Interests Relations (CIR)

IX. Some New Views of ACWSP

X. More Illustration and Examples

XI. Conclusion


Glossary

CIR-classes: Conflict of interest classes. Originally Brewer and Nash proposed that the CIR-classes partition the set of all corporate data into mutually disjoint subsets. Unfortunately, their theory collapsed, because CIR-classes do overlap.

CWSP: Chinese Wall Security Policy Model. The model proposed by Brewer and Nash. Intuitively, the essential idea was to build a family of impenetrable walls among the datasets of competing companies.

ACWSP: Aggressive Chinese Wall Security Policy. A modified model of the CWSP. The basic concept is that the collection of CIR-classes is not a partition, but it is a binary granulation.

Binary granulation: A collection of subsets, whose cores or centers form a partition.

DAC model: Discretionary Access Control model. We can actually confine malicious Trojan horses so that information will not flow into the enemy's hands; it will flow only among friends.

Binary Classes/Neighborhood and Granulation: Geometrically a binary class/neighborhood can be viewed as an abstract neighborhood. Binary relation, binary granulation and binary neighborhood system are equivalent.


1 Introduction

Recent events, such as eCommerce and homeland security, have prompted us to re-visit the idea of the Chinese wall security policy model. "The Chinese wall policy combines commercial discretion with legally enforceable mandatory controls..., perhaps, as significant to the financial world as Bell-LaPadula's policies are to the military." This is an assertion in the abstract of [2]; we believe it is still valid.

In 1989, Brewer and Nash (BN) proposed a very intriguing commercial security model called the Chinese Wall Security Model (CWSP) [2]. Intuitively, the essential idea was to build a family of impenetrable walls, called Chinese walls, among the datasets of competing companies. No data that are in conflict can be stored on the same side of a Chinese wall. The proposal was a great idea; unfortunately, BN's model was based on

• The incorrect assumption that corporate data can be partitioned (decomposed) into mutually disjoint conflict of interest classes (CIR-classes); such a disjoint collection is called a partition in mathematics; see e.g., [1].

• Unfortunately, CIR-classes are seldom disjoint; they do overlap, and hence the Brewer and Nash theory collapses.

In the same year, at the 1989 Aerospace Computer Security Application Conference, we reported BN's errors and presented a modified model, called the aggressive Chinese Wall Security Policy Model (ACWSP) [13]. In that paper, we did not capture the essential strength of the ACWSP model. A relatively inactive decade has passed; only a few papers, which are, however, still based on the same erroneous assumptions, have appeared; e.g., [13]. In this paper, by refining the idea of ACWSP, we have successfully captured the intuitive intention of BN theory.

This theory is based on the development of a novel computing methodology. We observed that (see Sections 5.1 and 5.2 for technical definitions)

• Though the collection of CIR-classes is not a partition, it is a binary granulation.

Intuitively a binary granulation is a collection of subsets whose "cores" or "centers" form a partition; see the main text below. In terms of binary granulation, we recapture the spirit of the Chinese wall security policy (CWSP) model. The results are more than the CWSP model. With mild assumptions on the DAC model (Discretionary Access Control), we can actually confine malicious Trojan horses so that information will not flow into the "enemy's" hands; it will flow only among "friends".

==My Conclusion==

The CWSP model is not totally correct because the CIR classes do overlap. If company A has an interest conflict with company B, and company B has an interest conflict with company C, it is not necessary that company A has an interest conflict with company C, so the transitive property is not necessarily true. Thus the CIR classes overlap.


2 The Error in BN Theory

Before we launch on the new theory, we recall some analysis from [13]: Let O be the set of all corporate data; in [2], this set is called the set of all objects, where an object is the dataset of a company. In that paper, BN assumed O could be partitioned (decomposed) into mutually disjoint CIR-classes (conflict of interest classes/neighborhoods; geometric terms are used in mathematics), namely, they formed a mathematical partition on O. Note that a partition induces an equivalence relation and vice versa; see Section 5.1. Hence BN's assumption implies CIR is an equivalence relation. In the following example, we shall show that CIR is not.

Let O = {USA, UK, USSR} and CIR be the conflict of interest binary relation among the three countries. CIR can be read as "in cold war with." If CIR were transitive, then the following two statements,

USA is in cold war with USSR, and

USSR is in cold war with UK,

would imply that

USA is in cold war with UK.

Obviously the last statement is absurd. So we conclude that CIR cannot be an equivalence relation (= a reflexive, symmetric and transitive binary relation). If CIR is not an equivalence relation, CIR-classes do not form a partition; see Section 5.1. In other words, CIR-classes do overlap. In BN's language, company data that are in conflict can be on the same side of a Chinese wall. Hence, BN's theory collapses.

Table 1 illustrates a binary relation CIR. Table 2 illustrates the grouping of CIR-classes: the first column consists of all companies under consideration, the third column is the X-class, where each X-class consists of all companies Y that are in conflict with X. Mathematically, an X-class (or X-neighborhood, if a geometric term is desirable) is defined by

CIR_X = {Y | (X,Y) ∈ CIR}.

Table 2 clearly indicates that X-classes are not disjoint.
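The argument above can be checked mechanically. The following Python code is an added example (it is not part of the paper and the paper's Tables 1 and 2 are not reproduced here): it tests the three equivalence-relation properties on the cold-war relation, and computes X-classes for a constructed company relation whose alliance blocks {A,B,C}, {D,E}, {F,G,H} are taken from the IAR-classes listed later in Section 4.3. The company data shows the point Table 2 makes: two X-classes can share members without being identical, so the X-classes cannot be a partition.

```python
from itertools import product

# Constructed data: the cold-war relation of Section 2 as a set of ordered pairs.
COUNTRIES = {"USA", "UK", "USSR"}
COLD_WAR = {("USA", "USSR"), ("USSR", "USA"), ("USSR", "UK"), ("UK", "USSR")}


def is_reflexive(rel, objs):
    return all((x, x) in rel for x in objs)


def is_symmetric(rel):
    return all((y, x) in rel for (x, y) in rel)


def is_transitive(rel):
    # (x, y) in rel and (y, z) in rel must imply (x, z) in rel
    return all((x, z) in rel for (x, y) in rel for (y2, z) in rel if y == y2)


def is_equivalence(rel, objs):
    return is_reflexive(rel, objs) and is_symmetric(rel) and is_transitive(rel)


def cir_class(rel, x):
    # CIR_X = {Y | (X, Y) in CIR}: the X-class (X-neighborhood) of Table 2
    return frozenset(y for (x2, y) in rel if x2 == x)


def cir_from_alliances(blocks):
    # Constructed company CIR: X and Y conflict iff they lie in different alliance blocks
    objs = set().union(*blocks)
    return {(x, y) for x in objs for y in objs
            if not any(x in b and y in b for b in blocks)}


# Alliance blocks reconstructed from the IAR-classes listed in Section 4.3.
ALLIANCES = [{"A", "B", "C"}, {"D", "E"}, {"F", "G", "H"}]
COMPANIES = set().union(*ALLIANCES)
COMPANY_CIR = cir_from_alliances(ALLIANCES)


def is_partition(classes, objs):
    # A family of subsets is a partition iff it covers objs and any two members
    # are either identical or disjoint.
    classes = [frozenset(c) for c in classes]
    covers = set().union(*classes) == set(objs)
    pairwise = all(a == b or not (a & b) for a, b in product(classes, repeat=2))
    return covers and pairwise


def overlapping_classes(rel, objs):
    # Pairs (X, Y) whose X-classes differ yet share a member: witnesses that the
    # CIR-classes overlap and therefore cannot form a partition.
    classes = {x: cir_class(rel, x) for x in objs}
    return sorted((x, y) for x in objs for y in objs
                  if x < y and classes[x] != classes[y] and classes[x] & classes[y])


if __name__ == "__main__":
    print("cold war is an equivalence relation:", is_equivalence(COLD_WAR, COUNTRIES))
    print("company CIR-classes form a partition:",
          is_partition([cir_class(COMPANY_CIR, x) for x in COMPANIES], COMPANIES))
    print("overlapping X-classes:", overlapping_classes(COMPANY_CIR, COMPANIES))
```

Note that the cold-war relation alone fails only transitivity (and reflexivity); its two distinct X-classes, {USSR} and {USA, UK}, happen to be disjoint. The overlap that breaks BN's partition assumption appears as soon as there are three or more alliance blocks, as in the company relation, where CIR_A and CIR_D both contain F, G and H.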

==My Example==

The following two tables (Table 3 and Table 4) also show that the CIR-classes are not disjoint.

3 Chinese Wall Security Policies

The Chinese wall security policy arises in the UK's financial sector, which provides consulting services to other companies. In this section, we will examine BN's simple security policy closely.


3.1 Simple Chinese Wall Security Policy

Continuing BN's notation: O is the set of all objects (corporate data); X, Y are objects in O.

BN-Version: "people are only allowed access to information which is not held to conflict with any other information that they already possess." See [2], Section "Simple Security", p. 207.

Remarks:

1. If (X,Y) ∉ CIR, then X and Y could be assigned to one single agent. Based on the worst-case scenario, we have to assume that the information in X and Y has been disclosed to each other (one agent knows both).

2. For convenience, we will assume each distinct client company has been assigned a unique and distinct virtual agent. Using virtual agents, the assignment of real-world agents to companies becomes the role assignment of real-world agents to the roles of virtual agents. This is closely related to the notion of role based models [10], [8]. However, we will not use their terminology, because role based models have too many details that are unessential to our discussion.

3. In BN's view, how agents are assigned to companies is an important issue. In fact, that was their basis for claiming that the Chinese wall security policy model cannot be modeled by the Bell-LaPadula model. We accept BN's analysis and apply it to the problem of assigning human agents to virtual agents. We will not elaborate further, since the issue is unrelated to our current interests.

With virtual agents, BN's simple security can be expressed as:

L-Version-1: the consultant (a virtual agent) x of company X may not grant read access to X to the consultant y of company Y if and only if there is a conflict of interests between X and Y ((X,Y) ∈ CIR).

The consultant y may make a copy, Copy of X, in Y (even in the strict DAC model, this is permissible [9]). We will summarize the above grant access procedure, including making a copy, as:

• A direct information flow (DIF) from X to Y.

In terms of DIF, the simple security policy is :

L-Version-2 : There is no DIF from X to Y, if and only if (X,Y) ∈ CIR.

L-Version-1 and L-Version-2 are an explicitly-denied-access model and a flow control model, respectively.


==My Conclusion==

Both the BN-version and the L-version say that there would be no direct information flow from X to Y if there is a conflict of interests between X and Y. This means X can only access the information of Y if there is no conflict of interests between them.

4 Chinese Walls, DAC Models and Trojan Horses

In the last section, we analyzed and reformulated the simple Chinese wall security policy. However, a policy is merely a "statement of a wish." We need to ask the fundamental question:

Are there reasonable systems that meet the requirement?

As we have pointed out earlier, BN proposed (O,E), where E is an equivalence relation that represents conflict of interests. Unfortunately, the real-world notion of conflict is not an equivalence relation. That implies

systems based on the BN model hardly exist.

In the same year, we proposed an aggressive Chinese wall security policy model (ACWSP) (O,CIR) to correct BN's error [13], where CIR represents the conflict of interests binary relation. Such models are plentiful; so the fundamental question becomes

Are the systems that meet the stated security policy really secure?

This is a hard problem. The DAC model is not secure if information flow is the security concern. The classical DAC model cannot control Trojan horses. In the present paper, we will show that

In the ACWSP model (O,CIR), with some mild assumptions on CIR, no information may flow into the "enemy's" hands; see K-2 below.

In other words, malicious Trojan horses can be confined in this new ACWSP.

4.1 Strong Chinese Wall Security Theorem

First, let us summarize few key notions:

K-1. The universe of discourse O is a classical set that represents the totality of the corporate data. Following the convention of military security, a member of O will be called an object, and its virtual agent a subject. Intuitively, an object is a company dataset.


K-2. The key notion, conflict of interests, is represented by a binary relation CIR. Our analysis concludes that CIR needs to satisfy the following axioms; see Section 8.

CIR-1: CIR is symmetric.

CIR-2: CIR is anti-reflexive.

CIR-3: CIR is anti-transitive.

We will obey the following

Convention: The symbol CIR always denotes a binary relation that satisfies the axioms.

Remarks:

K-3. We define a CIF (composite information flow) from X to Y as a sequence of DIFs (direct information flows) which starts at X and ends at Y:

X = X_0 → X_1 → ... → X_n = Y

where each "→" is a DIF.

K-4. We should stress here that the simple security policy only regulates DIFs (direct information flows). Even if we know that there is no DIF, it is possible to have CIFs (composite information flows) that send information, say from X, via Z, to Y. In other words, two DIFs, from X to Z and from Z to Y, could compose into one composite information flow from X via Z to Y.

Such CIFs have been identified as Trojan horses. Confining the malicious Trojan horses is actually the main contribution of the ACWSP model.

K-5. Strong Chinese wall security policy

There is no CIF from X to Y, if and only if (X,Y) ∈ CIR.

Definition

1. The Simple Chinese Wall Security Policy Model (SCWSP) is the pair (O,CIR) with the simple Chinese wall security policy.

2. The Aggressive Chinese Wall Security Policy Model (ACWSP) is the pair (O,CIR) with the strong Chinese wall security policy.

Chinese Wall Theorem. The Aggressive Chinese wall security policy model is equivalent to the Simple Chinese wall security policy model:


ACWSP ⇔ SCWSP

Proof: First, let us note the following FACTs; see Section ??

1. IAR and CIR are complements of each other.

2. IAR is an equivalence relation.

We need some notation. Let X be an object (a company's data) of O. Let

1. CIR_X (= {Y | (X,Y) ∈ CIR}) be the CIR-class of X, and

2. [X]_IAR (= {Y | (X,Y) ∈ IAR}), or simply [X], be the IAR-equivalence class of X.

To prove this theorem, we need to establish the following strong Chinese wall security policy for SCWSP:

There is no CIF from X to Y ⇐ (X,Y) ∈ CIR.

We will use an indirect proof, so by assuming the contrary, we have two conditions:

1. There is a sequence of DIFs (direct information flows)

X = X_0 → X_1 → ... → X_n = Y.

2. Y ∈ CIR_X.

Our task is to derive a contradiction; we will prove by mathematical induction. First, the initial assertion:

If X = X_0 → X_1 is a DIF, then CIR_X = CIR_{X_1} and [X]_IAR = [X_1]_IAR.

To prove the assertion, note that X_1, receiving information from X, cannot be in CIR_X. Hence, by FACTs 4.1,

X_1 ∈ [X]_IAR.

Since IAR is an equivalence relation (FACTs 4.1), we have

[X_1]_IAR = [X]_IAR.

By the fact that they are complements, we have

CIR_X = CIR_{X_1}.

So the initial assertion is proved. Next, we consider the general case. The arguments are essentially the same. By the induction assumption, we have

[X]_IAR = [X_j]_IAR and CIR_X = CIR_{X_j}.

Next, consider the DIF

X_j → X_{j+1}.

Since X_{j+1}, receiving information from X_j, cannot be in CIR_{X_j}, by FACTs 4.1 again,

X_{j+1} ∈ [X_j]_IAR = [X]_IAR.

By the fact that IAR is an equivalence relation (FACTs 4.1) and CIR is its complement (FACTs 4.1), we have

[X]_IAR = [X_{j+1}]_IAR,

CIR_X = CIR_{X_{j+1}}.

This completes the induction proof. In particular

X_n = Y ∈ [X]_IAR.

This is contrary to the assumption (Item 4.1). So we have proved the strong Chinese wall security policy. That is, we have proved SCWSP ⇒ ACWSP. The converse is obvious.

4.2 Flow Oriented DAC Models and Trojan Horses

In this section, we take the DAC view on the ACWSP model. If the agent x explicitly denies read access to y, then we say

No direct Information Flow (NIF) from X to Y is permitted,

or equivalently, the information flow from X to Y is denied.

If the information flows between objects are regulated by NIF, we say O is a flow oriented explicitly denied DAC model. NIF defines a binary relation (NIFR) among all objects.


Definition: A composite Information Flow (see K-4) from X to Y is called a malicious Trojan horse, if NIF from X to Y is the given requirement.

Trojan Horse Theorem. If NIFR is anti-reflexive, symmetric and anti-transitive, then the following three assertions are equivalent:

Malicious Trojan horses from X to Y may not occur

⇔ DIF from X to Y may not occur

⇔ (X,Y) ∈ NIFR.

NIFR is a DAC form of CIR, so this theorem follows immediately from the Chinese wall theorem.

4.3 Illustration

Table 6 and Table 5 illustrate a CIR binary relation that satisfies the axioms, and its CIR-classes. One can see from the tables that IAR is an equivalence relation.

1. IAR-equivalence classes (complements of CIR-classes)

1. {A,B,C},
2. {D,E},
3. {F,G,H}.

2. CIR-classes (they are not equivalence classes)

1. CIR_F (= CIR_G = CIR_H), (see Table 6 for the member list)
2. CIR_D = CIR_E,
3. CIR_A (= CIR_B = CIR_C).

The two tables illustrate the following message:

• Information in any object of an IAR-equivalence class can flow to any member of the same class; they are allies.

Table 7 and Table 8 illustrate a binary relation B_CIR (Bad "CIR" Relation) and the B_CIR-classes, where B_CIR is anti-reflexive and symmetric, but not anti-transitive. Note that B_IAR (Bad IAR), the complement of B_CIR, is not an equivalence relation in this case. In Section 10, we give more counterexamples. They are more technical; we keep them in the technical portion of this paper.

1. B_CIR-classes (see Table 8 for the member list)

1. B_CIR_H (= B_CIR_G = B_CIR_F),
2. B_CIR_E,
3. B_CIR_D,
4. B_CIR_C (= B_CIR_B = B_CIR_A),

and

2. Their complements, the B_IAR-classes

1. B_IAR_H = B_IAR_G = B_IAR_F = {A,B,C,D,E},
2. B_IAR_E = {A,B,C,D,F,G,H},
3. B_IAR_D = {A,B,C,E,F,G,H},
4. B_IAR_C = B_IAR_B = B_IAR_A = {D,E,F,G,H}.

Through the tables, let us examine how the strong Chinese wall security policy is violated (B_CIR does not satisfy the axioms). Let us start with object A.

1. Information of A may flow to any member of B_IAR_A = {D,E,F,G,H}, which consists of the "allies" of A.

2. Some B_IAR-classes do overlap, for example, B_IAR_A ∩ B_IAR_E = {D,E,F,G,H}. So information of A may flow into D, since both A and D belong to B_IAR_A.

3. Information of D may flow to any member of B_IAR_E = {A,B,D,E,F,G,H}.

4. To be specific, say information of D flows to F, which is in the B_IAR_A-class,

5. so the Chinese wall security policy is violated; in other words, the malicious Trojan horse occurs (information of A, by composition of two DIFs, A → D → F, flows to F, which should not happen since it is a member of B_CIR_A).
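The strong policy of K-5 and the illustration above can be checked by a graph search: a direct flow X → Y is permitted exactly when (X,Y) is not in CIR, so a composite flow is a path in the complement of CIR. The following Python code is an added example, not code from the paper: it tests the three axioms of K-2 (using Section 7's definition of anti-transitive), enumerates the objects reachable from A by composite flows, and lists the Trojan horses, i.e. CIR pairs that a composite flow connects anyway. The "good" relation is constructed from the IAR-classes of Section 4.3; the "bad" relation is a constructed stand-in for B_CIR (Tables 7 and 8 are not reproduced here) built to reproduce the A → D → F narrative: A, B, C conflict only with F, G, H, and D, E conflict with nobody.

```python
# Added example: composite information flows (K-3) under a conflict-of-interest
# relation, and the Trojan-horse check of the strong Chinese wall policy (K-5).


def is_symmetric(rel):
    return all((v, u) in rel for (u, v) in rel)


def is_anti_reflexive(rel):
    return bool(rel) and all(u != v for (u, v) in rel)


def is_anti_transitive(rel, objs):
    # Section 7's definition: (u, v) in B implies that for every w,
    # (u, w) in B or (w, v) in B.
    return bool(rel) and all((u, w) in rel or (w, v) in rel
                             for (u, v) in rel for w in objs)


def satisfies_cir_axioms(rel, objs):
    # CIR-1, CIR-2, CIR-3 of K-2
    return is_symmetric(rel) and is_anti_reflexive(rel) and is_anti_transitive(rel, objs)


def reachable(src, rel, objs):
    # Objects reachable from src through a composite information flow (CIF).
    # The simple policy permits a direct flow X -> Y exactly when (X, Y) is not in CIR,
    # so this is a graph search over the complement of the relation.
    seen, stack = {src}, [src]
    while stack:
        x = stack.pop()
        for y in objs:
            if y not in seen and (x, y) not in rel:
                seen.add(y)
                stack.append(y)
    return seen


def trojan_horses(rel, objs):
    # Pairs (X, Y) in CIR that some CIF nevertheless connects: each one is a
    # malicious Trojan horse, i.e. a violation of the strong policy (K-5).
    return sorted((x, y) for (x, y) in rel if y in reachable(x, rel, objs))


def cir_from_alliances(blocks):
    # Constructed CIR: X and Y conflict iff they lie in different alliance blocks
    objs = set().union(*blocks)
    return {(x, y) for x in objs for y in objs
            if not any(x in b and y in b for b in blocks)}


OBJECTS = set("ABCDEFGH")
# Constructed CIR with the IAR-classes of Section 4.3: {A,B,C}, {D,E}, {F,G,H}.
GOOD_CIR = cir_from_alliances([set("ABC"), set("DE"), set("FGH")])
# Constructed "bad" relation modelled on the A -> D -> F narrative above: A, B, C
# conflict only with F, G, H, and D, E conflict with nobody, so it is symmetric and
# anti-reflexive but not anti-transitive.
BAD_CIR = ({(x, y) for x in "ABC" for y in "FGH"}
           | {(y, x) for x in "ABC" for y in "FGH"})


if __name__ == "__main__":
    for name, rel in (("GOOD_CIR", GOOD_CIR), ("BAD_CIR", BAD_CIR)):
        print(name, "satisfies CIR-1..3:", satisfies_cir_axioms(rel, OBJECTS))
        print("  reachable from A:", sorted(reachable("A", rel, OBJECTS)))
        print("  Trojan horses:", trojan_horses(rel, OBJECTS))
```

With the good relation, information from A can reach only B and C (its IAR-class) and no Trojan horse exists, which is the content of the Chinese Wall Theorem. With the bad relation, the pair (A,F) is in the relation, yet A → D → F is a permitted composite flow, so the simple policy holds while the strong policy fails; the missing axiom is exactly anti-transitivity, which the check reports as violated.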

==My Conclusion==

The assumption in the simple Chinese wall policy is not good enough. The real world notion of conflict is not an equivalence relation. That implies systems based on the BN model hardly exist. The strong Chinese wall security theorem fixes this part and formally defines the attributes of the CIR-classes: it is symmetric, anti-reflexive, and anti-transitive. And as for the strong Chinese wall security policy, it must satisfy the fact that there is no composite information flow from X to Y if and only if (X,Y) ∈ CIR.

5 Granular Analysis and Computing

Trojan horses in the DAC model have been the weakest point of the DAC model. Implicitly, BN's CWSP is designed to handle them. Unfortunately, their idea of using a partition is a bit oversimplified. As explained in the last few sections, the idea of granulation seems to work well. In the next few sections we explain the new methodology.


5.1 Partitions and Equivalence Relations

A partition is a collection {N_j | j = 1, 2, ...} of disjoint subsets whose union is V. This geometric notion naturally defines an algebraic notion, an equivalence relation, as follows:

E = ∪_j {(p, u) | p and u are in N_j}

This equivalence relation is reflexive, symmetric and transitive. N_j is called an equivalence class in mathematics. It also has been referred to as an elementary set, a block, a granule [21], [11], [19]. Conversely, it should be clear that an equivalence relation also defines a partition; we skip the details.

Algebraically, a natural generalization of an equivalence relation is a binary relation. Geometrically, a "common" generalization of a partition is a covering. Unfortunately, a covering is not the geometric equivalent of a binary relation. The equivalent one is a more elaborate notion; we will discuss it in the next subsection.

5.2 Granulations by Binary Relations

Let R ⊆ V × U be a binary relation. We will re-express R geometrically.

For each object p ∈ V, we associate a subset (binary class) N_p ⊆ U defined by

N_p = {v ∈ U | (p, v) ∈ R}

It consists of all elements v that are related to p by the binary relation R. Geometrically, N_p can be regarded as a neighborhood of p in the following sense: the points in N_p are "near to" or "related to" p. We will use the term binary neighborhood (or binary class) to remind us that algebraically it is defined by a binary relation, and geometrically it could be viewed as points in proximity; intuitively, N_p is the nearest neighborhood of p.

Let E ⊆ V × V be an equivalence relation; note that we have assumed U = V. Then each N_p is non-empty; they are either identical or totally disjoint. The collection of distinct N_p's forms a partition.

5.3 Binary Classes/Neighborhoods and Granulation

Instead of using a binary relation, we can define the binary classes/neighborhoods (granules) directly. Geometrically a binary class/neighborhood can be viewed as an abstract neighborhood. To help visualize the situation, we will use geometric language.

A binary granulation is an assignment that assigns to each object p ∈ V a (possibly empty) subset B_p ⊆ U:

B : V → 2^U


We will refer to the collection {B_p | p ∈ V} as a binary neighborhood system and each B_p as a binary neighborhood of p ∈ V. They are called a basic neighborhood and a basic neighborhood system respectively in [14]. Though the subset B_p sounds arbitrary, it can be regarded as a binary neighborhood N_p of a binary relation, for all p. Formally, let us collect the comments into a

Proposition. Binary relation, binary granulation, and binary neighborhood system are equivalent.

In other words, given the map B (or the collection {B_p ⊆ U | p ∈ V}), there is a binary relation R ⊆ V × U such that B_p = N_p, and vice versa. So we will use binary relation, binary granulation, and binary neighborhood system interchangeably and use B to denote all of them. The proof is straightforward; we skip the details.

In applications, a binary neighborhood at p,

B_p = {v | (p, v) ∈ B},

is often assigned a descriptive name, called an elementary concept (or an attribute value by the database community). The collection C of all those elementary concepts is called the concept space (or attribute domain). Formally, we define

A granular structure consists of a 4-tuple

(V, U, B, C)

where V is called the object space, U is the data space (V and U could be the same set), B is a neighborhood system, and C is the concept space, which consists of all the names of the fundamental neighborhoods of B. If B is a binary neighborhood system (binary relation), then the 4-tuple (V, U, B, C) is called a binary granular structure.

==My Conclusion==

The idea of granulation works well for the Trojan horses problem in the DAC model. Basically, the binary relation, binary granulation, and binary neighborhood system are equivalent.

6 The Induced Partitions

In [??, ??], T. Y. Lin observed that the binary granulation relation

B : V → 2^U

naturally induces a partition: one can consider the collection

{B^{-1}(w) | w ∈ 2^U}, the inverse images of w under B.

It is easy to verify that the collection forms a partition on V. We call it the induced partition of B, denoted by E_B.

The equivalence class [p]_{E_B} = B^{-1}(B_p), or simply written as [p], is called the center or core of B_p.

Proposition 1. The center [p] consists of all those points that have the same binary neighborhood B_p ("same" in the sense of set theory).

Proposition 2. If B ⊆ V × V is a symmetric binary relation, and E_B is its induced equivalence relation, then each B-binary neighborhood is a union of E_B-equivalence classes.

Proof: Let B_p be the binary neighborhood of p. Let x ∈ B_p, and assume x and y are E_B-equivalent. By the definition of equivalence in E_B, they have the same neighborhood, B_x = B_y. By the symmetry of B, x ∈ B_p implies p ∈ B_x = B_y, and hence y ∈ B_p. In other words, both x and y are in B_p. Since y is arbitrary, this proves [x] ⊆ B_p, that is, B_p contains the equivalence class [x] of its member x. QED

This proposition is one of the main technical results; it will have a strong impact on Chinese walls; see the next section.

==My Conclusion==

The binary granulation relation B naturally induces a partition. It can be called the induced partition of B, and denoted by E_B, and the equivalence class [p]_{E_B} is called the center or core of B_p.

7 The Complement of a Binary Relation

Let us recall some definitions.

A symmetric binary relation B is a binary relation such that (u, v) ∈ B implies (v, u) ∈ B.

A binary relation B is anti-reflexive if B is non-empty and no pair (v, v) is in B. That is, B ∩ Δ = ∅, where Δ = {(v, v) | v ∈ V} is called the diagonal set.

A binary relation B is anti-transitive if B is non-empty and (u, v) ∈ B implies that for all w either (u, w) or (w, v) belongs to B.

The complement, B' = V × V \ B, is called the complement binary relation (CBR) of B.

Proposition 3. If B is symmetric, anti-reflexive and anti-transitive, then B' is an equivalence relation.

Proof: B is anti-reflexive, so the diagonal set is contained in the complement, that is, B' is reflexive. Assume (u, w) and (w, v) are in B', that is, (u, w) and (w, v) do not belong to B; then by anti-transitivity, (u, v) does not belong to B either (that is, (u, v) ∈ B'). QED

Corollary 4. If B is symmetric, anti-reflexive and anti-transitive, then B' is the induced equivalence relation E_B.

Proof: Let v ∈ V and B_v be its binary neighborhood. We want to show that any u which is B'-equivalent to v is E_B-equivalent to v, that is, B_v = B_u.

First, we will show B_v ⊆ B_u: Note that (u, v) ∈ B', by assumption. Let p be a point in v's neighborhood, that is, (v, p) ∈ B. Then, by anti-transitivity and symmetry, (u, p) belongs to B (otherwise, (u, v) ∈ B, which is absurd). That is, p is in the neighborhood of u. So we have proved that B_v ⊆ B_u.

Letting q ∈ B_u play the role of p, by a similar argument we can show that B_u ⊆ B_v. So we have proved that u and v have the same neighborhood, that is, B_u = B_v. This concludes the proof that B' ⊆ E_B.

To prove the reverse inclusion, note that (u, v) ∈ E_B implies B_u = B_v. Let p be a point in the neighborhood, that is, both (u, p) and (p, v) belong to B. By anti-transitivity and symmetry, (u, v) belongs to B'. This proves the assertion. QED

8 Conflict of Interests Relations (CIR)

In spite of their error, Brewer and Nash's intuitive idea was a fascinating one. To keep their spirit, in [14] we reformulated the model based on a general binary relation; however, the expected sharpness and crispness of the model were lost. With the notion of the induced equivalence relation, in this section we will show that some crispness can be re-captured.

8.1 Axioms of CIR

Let O be a set of objects; an object is a dataset of a company. We observed that CIR ⊆ O × O, as a binary relation, satisfies the following properties.

CIR-1: CIR is symmetric.

CIR-2: CIR is anti-reflexive.

CIR-3: CIR is anti-transitive.

It should be clear that CIR-2 is necessary; a company cannot conflict with itself. If company A is in conflict with B, B is certainly in conflict with A, so CIR-1 is valid. To see CIR-3, let us recall the analysis of Section 2, and observe that the argument is applicable to any country, not just the UK; so we have anti-transitivity for CIR.

Let E_CIR be the induced equivalence relation of CIR. In this paper a new "axiom" will be explicitly added, though it is implied by the others (see Proposition 2 in Section 6):

CIR-4: The granulation of CIR and the partition of E_CIR are compatible, in the sense that each CIR-class (neighborhood) is a union of E_CIR-equivalence classes.

In [17], we placed Chinese walls on the boundaries of CIR-classes. But note that each of these boundaries is one-sided; it is not the boundary of the other side. They are not solid boundaries. This "new axiom" implies that such boundaries are actually on some boundaries of E_CIR-equivalence classes; they are boundaries of both sides, so they are crisp boundaries.

8.2 IAR - the Complement of CIR

CIR-5 (IAR): If we interpret CIR as the "is an adversary of" relation, then the complement is the "is an ally of" relation (IAR). IAR is an equivalence relation, by Corollary 4.

Theorem. CIR is a symmetric, anti-reflexive and anti-transitive binary relation. Its complement IAR is an equivalence relation.

Let [X]_IAR be the IAR-equivalence class containing X. Then, we note that [X]_IAR = [Y]_IAR for all Y ∈ [X]_IAR. Hence their complements are equal, so we have

Corollary. CIR_X = CIR_Y for all Y ∈ [X]_IAR. In other words, the information of any object in [X]_IAR can flow freely among themselves.

9 Some New Views of ACWSP

The new observation on CIR gives a new insight into the Chinese Wall Security Policy model. In other words, the proposed aggressive model is a solid model, on which Chinese walls can be located precisely at the boundaries of E_CIR-equivalence classes.

Here are the new views of the theorems in [ ] and [2].

Theorem 1. Once an agent S_i has accessed an object O_j, the only other objects O_k accessible by S_i are inside the allied dataset of O_j, which is the outside of CIR_{O_j}.

Theorem 2. The minimum number of agents which allow every object to be accessed by at least one agent is n, where n is the number of E_CIR-equivalence classes.

Theorem 3. The flow of unsanitized information is confined to its allied dataset; sanitized information may, however, flow freely through the system.


10 More Illustration and Examples

In Section 5.2, we have shown that binary relations, binary granulations, and binary neighborhood systems are essentially equivalent notions. Here is an example. Table 1 is in the form of a binary relation, while Table 9 is in the form of a binary granulation or a binary neighborhood system. Intuitively, the latter table is a table of adversary lists.

The adversary lists naturally induce an equivalence relation E_CIR on O: two companies X and Y are equivalent if they have identical adversary lists. Mathematically, E_CIR is an equivalence relation; see Section 6. Intuitively, companies that have the same enemies most likely will ally together. This fact is proved in Corollary 4, Section 7, namely, E_CIR = IAR, where the latter can be interpreted as the "is an ally of" relation. Both theoretically and intuitively, we conclude that there is information flow among the allies. So the Chinese wall should only be built around the boundary of the E_CIR = IAR-classes. In other words, a CIR-class (binary neighborhood) should either contain or exclude an IAR-class completely, that is, CIR_X is a union of IAR-classes; see Table 10 for an illustration.

Proposition 2 (of Section 6) is the best possible. In the following, we will give "counter" examples to illustrate that the symmetry of B is needed in the proposition. A binary relation BIR, the "bad conflict of interests" relation, is defined in Table 11. In this example, the two companies D and E are not symmetrically BIR-related, and the two BIR-binary neighborhoods BIR_C and BIR_D are not E_BIR-definable; recall that a subset is definable if the set is a union of E_BIR-equivalence classes.
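The constructions of Sections 6, 7 and this section can be computed directly from an adversary-list table. The following Python code is an added example, not code from the paper: it builds the binary neighborhoods B_p from a relation, groups objects with identical neighborhoods into the induced partition E_B, forms the complement B', and checks Proposition 2 (every neighborhood is a union of E_B-classes) and Corollary 4 (B' = E_B) on the cold-war relation of Section 2. Tables 9 to 11 are not reproduced here, so the counterexample is a constructed non-symmetric relation BIR on {C, D, E} in the spirit of this section, chosen so that BIR_C fails to be E_BIR-definable.

```python
# Added example: the induced partition E_B of a binary granulation (Section 6), the
# complement relation B' and Corollary 4 (Section 7), and a non-symmetric
# counterexample of the kind Section 10 describes.


def neighborhoods(rel, objs):
    # B_p = {v | (p, v) in B}: the binary neighborhood (adversary list) of each object
    return {p: frozenset(v for v in objs if (p, v) in rel) for p in objs}


def induced_partition(rel, objs):
    # E_B groups objects that have identical neighborhoods: [p] = B^{-1}(B_p)
    groups = {}
    for p, nb in neighborhoods(rel, objs).items():
        groups.setdefault(nb, set()).add(p)
    return sorted(sorted(g) for g in groups.values())


def induced_relation(rel, objs):
    # E_B as a set of pairs
    nb = neighborhoods(rel, objs)
    return {(u, v) for u in objs for v in objs if nb[u] == nb[v]}


def complement(rel, objs):
    # B' = V x V \ B
    return {(u, v) for u in objs for v in objs if (u, v) not in rel}


def is_equivalence(rel, objs):
    reflexive = all((x, x) in rel for x in objs)
    symmetric = all((v, u) in rel for (u, v) in rel)
    transitive = all((u, w) in rel for (u, v) in rel for (v2, w) in rel if v == v2)
    return reflexive and symmetric and transitive


def is_definable(subset, partition):
    # A subset is E_B-definable iff it is a union of E_B-classes (Proposition 2, CIR-4)
    return all(set(c) <= subset or not (set(c) & subset) for c in partition)


def undefinable_neighborhoods(rel, objs):
    # Objects whose neighborhood is not a union of E_B-classes
    part = induced_partition(rel, objs)
    return sorted(p for p, nb in neighborhoods(rel, objs).items()
                  if not is_definable(set(nb), part))


# Constructed data: the cold-war CIR of Section 2, which satisfies CIR-1..3.
COUNTRIES = {"USA", "UK", "USSR"}
COLD_WAR = {("USA", "USSR"), ("USSR", "USA"), ("USSR", "UK"), ("UK", "USSR")}
# Constructed non-symmetric relation in the spirit of Section 10's BIR:
# (C, D) is in BIR but (D, C) is not.
BIR_OBJECTS = {"C", "D", "E"}
BIR = {("C", "D")}


if __name__ == "__main__":
    print("E_CIR classes:", induced_partition(COLD_WAR, COUNTRIES))
    print("B' == E_B (Corollary 4):",
          complement(COLD_WAR, COUNTRIES) == induced_relation(COLD_WAR, COUNTRIES))
    print("E_BIR classes:", induced_partition(BIR, BIR_OBJECTS))
    print("BIR neighborhoods not E_BIR-definable:",
          undefinable_neighborhoods(BIR, BIR_OBJECTS))
```

For the cold-war relation the induced classes are {UK, USA} and {USSR}, the complement is exactly that equivalence relation, and every adversary list is a union of classes, so the Chinese wall can be drawn on the class boundaries. For BIR the induced classes are {C} and {D, E}, but BIR_C = {D} cuts the class {D, E} in half: without symmetry, Proposition 2 fails and the wall has no crisp place to sit.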

11 Conclusions

The intuitive idea behind the Brewer and Nash theory is useful for commercial security. Prompted by the new requirements in eCommerce and homeland security, we re-visited the BN theory. In [17], we fuzzified the ACWSP model to make it more susceptible to uncertainty. In this paper, we refine the ACWSP model by the new development of granular computing. The results are somewhat surprising: we can confine the malicious Trojan horses.

References

[1] Richard A. Brualdi. Introductory Combinatorics. Prentice Hall, 1992.

[2] David D.C. Brewer and Michael J. Nash. The Chinese wall security policy. IEEE Symposium on Security and Privacy, pages 206–214, 1988.

[3] Edited by Aiken. Attribute based data model and polyinstantiation. Education and Society, IFIP Transactions, 12th Computer World Congress, pages 472–478, Sep. 1992.

[4] D.K. Hsiao and F. Harary. A formal system for information retrieval from files. Commun. ACM, 13:236–243, Feb. 1970.


[5] L.A. Zadeh. Some reflections on information granulation and its centrality in granular computing, computing with words, the computational theory of perceptions and precisiated natural language. In: T.Y. Lin, Y.Y. Yao, L. Zadeh (eds.), Data Mining, Rough Sets, and Granular Computing.

[6] L.A. Zadeh. Fuzzy sets and information granularity. In: M. Gupta, R. Ragade and R. Yager (eds.), Advances in Fuzzy Set Theory and Applications, North-Holland, Amsterdam, pages 3–18, 1979.

[7] S.A. Demurjian and S.A. Hsiao. The multimodel and multilingual database systems - a paradigm for the studying of database systems. IEEE Transactions on Software Engineering, 14, Aug. 1988.

[8] R.S. Sandhu, E.J. Coyne, H.L. Feinstein and C.E. Youman. Role based access control models. IEEE Computer, 29:38–47, Feb. 1996.

[9] S. Osborn, R. Sandhu and Q. Munawer. Configuring role based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and Systems Security, 3:85–106, May 2002.

[10] T.C. Ting. A user-role based data security approach. In: C. Landwehr (ed.), Database Security: Status and Prospects, 1988.

[11] T.T. Lee. Algebraic theory of relational databases. The Bell System Technical Journal, 62:3159–3204, Dec. 1983.

[12] T.Y. Lin. Neighborhood systems and relational database. Proceedings of the ACM Sixteenth Annual Computer Science Conference, page 725, Feb. 1988.

[13] T.Y. Lin. Chinese wall security policy - an aggressive model. Proceedings of the Fifth Aerospace Computer Security Application Conference, pages 286–293, Dec. 1989.

[14] T.Y. Lin. Neighborhood Systems - A Qualitative Theory for Fuzzy and Rough Sets. Duke University, North Carolina, 1997.

[15] T.Y. Lin. Granular computing on binary relations I: Data mining and neighborhood systems. In: Rough Sets in Knowledge Discovery, pages 107–121, 1998.

[16] T.Y. Lin. Granular computing on binary relations II: Rough set representations and belief functions. In: Rough Sets in Knowledge Discovery, pages 121–140, 1998.

[17] T.Y. Lin. Chinese wall security model and conflict analysis. The 24th IEEE Computer Society International Computer Software and Applications Conference (COMPSAC 2000), Taipei, Taiwan, Oct. 2000.

[18] T.Y. Lin. Feature completion. Communication of IICM (Institute of Information and Computing Machinery, Taiwan), Proceedings of the workshop "Toward the Foundation of Data Mining", 5:57–62, May 2002.


[19] T.Y. Lin. A theory of derived attributes and attribute completion. Proceedings of the IEEE International Conference on Data Mining, Dec. 2002.

[20] W. Chu and Q. Chen. Neighborhood and associative query answering. Journal of Intelligent Information Systems, 1:355–382, 1992.

[21] Z. Pawlak. Rough sets. International Journal of Information and Computer Science, 11:341–356, 1982.

[22] Z. Pawlak. On conflicts. International Journal of Man-Machine Studies, 21:127–134, 1984.

12 Appendix: About the methodology

Let us say a few words about the history of the new methodology. It is especially interesting for this conference: the very first idea came from David Hsiao, who is one of the founders of this group. I would like to take this chance to thank him for bringing me to this group and introducing the idea of partitioning (granulation) in databases.

Our approach is essentially based on a computational theory of granulation, called granular computing. It originated from four facets; let us speak in chronological order. The first one is David Hsiao. In his attribute based database model, Hsiao clusters the attribute domain into semantically related granules (equivalence classes); clustering is a very important technique in databases, storing logically related data in physical proximity [4], [7], [3]. The second one, probably the deepest, is actually buried in the design of fuzzy control systems. The explicit discussion of the concept is in the article [6]; its newest version is in [5]. The third group comes from the theory of data. Both Z. Pawlak and T.T. Lee observed independently that the attributes of a relation induce partitions on the set of entities [21], [11] and studied the data from that observation. Pawlak called it rough set theory, while Lee named it the algebraic theory of relational databases. The last one comes from approximate retrieval [12], [20]. To develop a theory of approximate retrieval in databases, we imported the notion of approximation from the continuous world to the discrete world; we have called it neighborhood systems, which can be viewed as a geometric (topological) theory of granulations [15], [16].

Having cited so many works, we should note that the notion of partitions (= equivalence relations) is a very ancient notion in mathematics; it can be dated back to Euclid's time, for example congruence, and the notion of granulation (neighborhoods) can be traced back to Cauchy. Here, however, the focus is on the computable side of the notion, so the notion has been called granular computing. The methodology has far reaching consequences; for example, there are applications to the foundations of database mining (e.g., association rules) [18], [19]. In this paper we apply it to security, more precisely to conflict analysis [22], which is an essential notion in commercial security.


COMPANY   COMPANY
A         F
B         C
C         B
C         D
D         C
D         E
E         D
F         A
F         G
G         F

Table 1: A General CIR-relation

X-COMPANY      CIR-class of X
A         →    {F}
B         →    {C}
C         →    {B,D}
D         →    {C,E}
E         →    {D}
F         →    {A,G}
G         →    {F}

Table 2: CIR-classes: they do overlap, e.g., CIR_E ∩ CIR_C = {D}

COMPANY   COMPANY
A         F
A         C
B         C
C         B
C         D
D         C
E         D
F         A
F         G

Table 3: A General CIR-relation


X-COMPANY      CIR-class of X
A         →    {F,C}
B         →    {C}
C         →    {B,D}
D         →    {C}
E         →    {D}
F         →    {A,G}

Table 4: CIR-classes: they do overlap

COMPANY  COMPANY      COMPANY  COMPANY      COMPANY  COMPANY
A        D            D        A            F        C
A        E            D        B            F        D
A        F            D        C            F        E
A        G            D        F            G        A
A        H            D        G            G        B
B        D            D        H            G        C
B        E            E        A            G        D
B        F            E        B            G        E
B        G            E        C            H        A
B        H            E        F            H        B
C        D            E        G            H        C
C        E            E        H            H        D
C        F            F        A            H        E
C        G            F        B
C        H

Table 5: CIR-relation that is anti-reflexive, symmetric and anti-transitive

X-COMPANY      CIR-class of X
A         →    {D,E,F,G,H}
B         →    {D,E,F,G,H}
C         →    {D,E,F,G,H}
D         →    {A,B,C,F,G,H}
E         →    {A,B,C,F,G,H}
F         →    {A,B,C,D,E}
G         →    {A,B,C,D,E}
H         →    {A,B,C,D,E}

Table 6: CIR-classes of an anti-reflexive, symmetric and anti-transitive CIR-relation


COMPANY  COMPANY      COMPANY  COMPANY
A        F            E        D
A        G            F        A
A        H            F        B
B        F            F        C
B        G            G        A
B        H            G        B
C        F            G        C
C        G            H        A
C        H            H        B
D        E            H        C

Table 7: B CIR-relation that does not satisfy anti-transitivity

X-COMPANY      B CIR-class of X
A         →    {F,G,H}
B         →    {F,G,H}
C         →    {F,G,H}
D         →    {E}
E         →    {D}
F         →    {A,B,C}
G         →    {A,B,C}
H         →    {A,B,C}

Table 8: B CIR-classes of a "CIR"-relation that does not satisfy anti-transitivity

COMPANY      Binary neighborhood   Center
A       →    {F}                   {A,G}
B       →    {C}                   {B}
C       →    {B,D}                 {C}
D       →    {C,E}                 {D}
E       →    {D}                   {E}
F       →    {A,G}                 {F}
G       →    {F}                   {A,G}

Table 9: Adversary List


COMPANY      Binary neighborhood   Center   Union of equiv. classes
A       →    {F}                   {A,G}    {[F]}
B       →    {C}                   {B}      {[C]}
C       →    {B,D}                 {C}      {[B],[D]}
D       →    {C,E}                 {D}      {[C],[E]}
E       →    {D}                   {E}      {[D]}
F       →    {A,G}                 {F}      {[A],[G]}
G       →    {F}                   {A,G}    {[F]}

Table 10: CIR-classes are unions of IAR-equivalence classes

COMPANY   COMPANY
A         F
B         C
C         B
C         D
D         C
D         E
E         C
F         A
F         G
G         F

Table 11: BIR-relation (D and E are not symmetric)

COMPANY      Binary neighborhood   Center
A       →    {F}                   {A,G}
B       →    {C}                   {B,E}
C       →    {B,D}                 {C}
D       →    {C,E}                 {D}
E       →    {C}                   {B,E}
F       →    {A,G}                 {F}
G       →    {F}                   {A,G}

Table 12: Binary granulation of BIR-relation


COMPANY      Binary neighborhood   Center   Lower approximation
A       →    {F}                   {A,G}    {[F]}
B       →    {C}                   {B,E}    {[C]}
C       →    {B,D}                 {C}      {[B],[D]}
D       →    {C,E}                 {D}      {[C]}
E       →    {C}                   {B,E}    {[C]}
F       →    {A,G}                 {F}      {[A],[G]}
G       →    {F}                   {A,G}    {[F]}

Table 13: The lower approximation of the granules of the BIR-relation (BIR_C is not the union of E_BIR-classes)
