dclabel-eci11-0.2: Dynamic labels to assign confidentiality and integrity levels in scenarios of mutual distrust

DCLabel.Core

Contents

Synopsis

Constructors

newtype Disj Source

A disjunction of ordered elements. The empty list '[]' corresponds to the disjunction of all principals. In other words, conceptually, [] = [P_1 / P_2 / ...]

Constructors

MkDisj 

Fields

disj :: [Principal]
 

newtype Conj Source

A conjunction of ordered elements. The empty list '[]' corresponds to the single disjunction of all principals. In other words, conceptually, [] = {[P_1 / P_2 / ...]}

Constructors

MkConj 

Fields

conj :: [Disj]
 

data Label Source

A label is a conjunction of disjunctions, where MkLabelAll is the constructor that is associated with the conjunction of all possible disjunctions.

Constructors

MkLabelAll 
MkLabel 

Fields

label :: Conj
 

Instances

Eq Label 
Read Label 
Show Label 
ToLNF Label

Reduce a label to LNF. First it applies cleanLabel to remove duplicate principals and categories. Following, it removes extraneous/redundant categories. A category is said to be extraneous if there is another category in the label that implies it.

NewPriv Label 
PrettyShow Label 
CanActFor Priv Priv 
CanActFor Priv TCBPriv 
CanActFor TCBPriv Priv 
NewDC String Label 
NewDC Principal Label 
NewDC Label String 
NewDC Label Principal 
NewDC Label Label 
ConjunctionOf String Label 
ConjunctionOf Principal Label 
ConjunctionOf Label String 
ConjunctionOf Label Principal 
ConjunctionOf Label Label 
DisjunctionOf String Label 
DisjunctionOf Principal Label 
DisjunctionOf Label String 
DisjunctionOf Label Principal 
DisjunctionOf Label Label 

DC Labels

class Eq a => Lattice a whereSource

(Bounded) Lattice definition

Methods

bottomSource

Arguments

:: a

Bottom of lattice

topSource

Arguments

:: a

Top of lattice

joinSource

Arguments

:: a 
-> a 
-> a

Join of two elements

meetSource

Arguments

:: a 
-> a 
-> a

Meet of two elements

canflowtoSource

Arguments

:: a 
-> a 
-> Bool

Partial order relation

data DCLabel Source

A DC label for secrecy and integrity.

Constructors

MkDCLabel 

Fields

secrecy :: Label
 
integrity :: Label
 

emptyLabel :: LabelSource

A label without any disjunctions or conjunctions. This label, conceptually corresponds to the label consisting of a single category containing all principals. In other words, conceptually, emptyLabel = {[P_1 \/ P_2 \/ ...]}

allLabel :: LabelSource

The dual of emptyLabel, allLabel consists of the conjunction of all possible disjunctions, i.e., it is the label that implies all other labels. In other words, conceptually, allLabel = {[P_1] /\ [P_2] /\ ...}

Principals

newtype Principal Source

Principal is a simple string.

Constructors

MkPrincipal 

Fields

name :: String
 

Instances

Eq Principal 
Ord Principal 
Read Principal 
Show Principal 
NewPriv Principal 
Singleton Principal 
PrettyShow Principal 
NewDC Principal Principal 
NewDC Principal Label 
NewDC Label Principal 
ConjunctionOf Principal Principal 
ConjunctionOf Principal Label 
ConjunctionOf Label Principal 
DisjunctionOf Principal Principal 
DisjunctionOf Principal Label 
DisjunctionOf Label Principal 

principal :: String -> PrincipalSource

Generates a principal from an string.

Priviliges

data TCBPriv Source

Privilege object is just a conjunction of disjunctions, i.e., a Label. A trusted privileged object must be introduced by trusted code, after which trusted privileged objects can be created by delegation.

Constructors

MkTCBPriv 

Fields

priv :: Label
 

type Priv = LabelSource

Untrusted privileged object, which can be converted to a TCBPriv with delegatePriv.

class Lattice a => RelaxedLattice a whereSource

Class extending Lattice, by allowing for the more relaxed label comparison canflowto_p.

Methods

canflowto_p :: TCBPriv -> a -> a -> BoolSource

Relaxed partial-order relation

noPriv :: TCBPrivSource

Privilege object corresponding to no privileges.

rootPrivTCB :: TCBPrivSource

Privilege object corresponding to the "root", or all privileges. Any other privilige may be delegated using this privilege object and it must therefore not be exported to untrusted code.

delegatePriv :: TCBPriv -> Priv -> Maybe TCBPrivSource

Given trusted privilige and a "desired" untrusted privilege, return a trusted version of the untrusted privilige, if the provided (trusted) privilige implies it.

createPrivTCB :: Priv -> TCBPrivSource

This function creates any privilege object given an untrusted privilege Priv. Note that this function should not be exported to untrusted code.

class CanActFor a b whereSource

Class used for checking if a computation can use a privilege in place of the other. This notion corresponds to the DLM "can-act-for".

Methods

canActFor :: a -> b -> BoolSource

Can use first privilige in place of second.

Label/internal operations

and_label :: Label -> Label -> LabelSource

Given two labels, take the union of the disjunctions, i.e., simply perform an "and". Note the new label is not necessarily in LNF.

or_label :: Label -> Label -> LabelSource

Given two labels, perform an "or". Note that the new label is not necessarily in LNF.

class ToLNF a whereSource

Class used to reduce labels to LNF. It is used to overload the reduce function used by the Label, SLabel, ILabel, and DCLabel.

Methods

toLNF :: a -> aSource

Instances

ToLNF DCLabel 
ToLNF Label

Reduce a label to LNF. First it applies cleanLabel to remove duplicate principals and categories. Following, it removes extraneous/redundant categories. A category is said to be extraneous if there is another category in the label that implies it.

ToLNF SLabel 
ToLNF ILabel 

cleanLabel :: Label -> LabelSource

Removes any duplicate principals from categories, and any duplicate categories from the label. To return a clean label, it sorts the label and removes empty disjunctions.

implies :: Label -> Label -> BoolSource

Determines if a label implies (in the logical sense) another label. In other words, d1 \ ... dn => d1' \ ... dn'.

Properties: 1. forall X, ALL implies X := True 2. forall X/=ALL, X implies ALL := False 3. forall X, X implies [] := True 4. forall X/=[], [] implies X := False