from chinese wall security policy models to granular computing l.
Skip this Video
Loading SlideShow in 5 Seconds..
From Chinese Wall Security Policy Models to Granular Computing PowerPoint Presentation
Download Presentation
From Chinese Wall Security Policy Models to Granular Computing

Loading in 2 Seconds...

play fullscreen
1 / 72

From Chinese Wall Security Policy Models to Granular Computing - PowerPoint PPT Presentation

  • Uploaded on

From Chinese Wall Security Policy Models to Granular Computing. Tsau Young (T.Y.) Lin Computer Science Department, San Jose State University, San Jose, CA 95192, and Berkeley Initiative in Soft Computing, UC-Berkeley, Berkeley, CA 94720.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'From Chinese Wall Security Policy Models to Granular Computing' - laraine

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
from chinese wall security policy models to granular computing
From Chinese Wall Security Policy Models to Granular Computing

Tsau Young (T.Y.) Lin

Computer Science Department, San Jose State University, San Jose, CA 95192,


Berkeley Initiative in Soft Computing, UC-Berkeley, Berkeley, CA 94720

from chinese wall security policy
From Chinese Wall Security Policy. . .
  • The goal of this talk is to illustrate how granular computing can be used to solved a long outstanding problem in computer security.

1. Overview(Main Ideas)

2. Detail Theory


Brewer and Nash Vision

Formal Theory



New Methodology: Granular Computing

Classical Problem:Trojan Horses

overview granular computing
Overview - Granular computing

Historical Notes

1. Zadeh (1979) Fuzzy sets and granularity

2. Pawlak, Tony Lee (1982):Partition Theory(RS)

3. Lin 1988/9: Neighborhood Systems(NS) and Chinese

Wall (a set of binary relations. A non-reflexive. . .)

4. Stefanowski 1989 (Fuzzified partition)

5. Qing Liu &Lin 1990 (Neighborhood system)

overview granular computing6
Overview-Granular computing

Historical Notes

6. Lin (1992):Topological and Fuzzy Rough Sets

7. Lin & Liu: Operator View of RS and NS (1993)

8. Lin & Hadjimichael : Non-classificatory hierarchy (1996)

overview problem solving paradigm
OverviewProblem Solving Paradigm

Divide and Conquer

1. Divide: Partition (= Equivalence Relation)

2. Conquer: Quotient sets (Bo ZHANG, Knowledge Level Processing)

3. Could this be generalized?

overview example

Partition: disjoint granules(Equivalence Class)

[0]4 = {. . . , 0, 4, 8, . . .}={4n},

[1]4 = {. . . , 1, 5, 9, . . .} ={4n+1},

[2]4 = {. . . , 2, 6, 10, . . .} ={4n+2},

[3]4 = {. . . , 3, 7, 11, . . .} ={4n+3}.

Quotient set = Z/4 (Z/m)

overview new challenge
Overview-New Challenge?

Granulation: overlapping granules

B0 = {. . . , 0, 4, 8, 12,. . . 5,9, }

B1 = {. . . , 1, 5, 9, . . .}

B2 = {. . . , 2, 6, 10, . . ., 7,}

B3 = {. . . , 3, 7, 11, . . ., 6, }.

Quotient ?

overview granular computing new paradigm
Overview-Granular Computing - NewParadigm ?

Classical paradigm is unavailable for general granulation

Research Direction: New Paradigm ?

overview granular computing a new problem solving paradigm
Overview- Granular Computing a New Problem Solving Paradigm

Divide and Conquer (incremental development)

1. Divide: Granulation (binary relation)

Topological Partition

2. Conquer: Topological Quotient Set

application new paradigm
Application - New Paradigm ?


Applying an incremental progress

in granulation to

Classical problem in computer security

overview trojan horses
Overview - Trojan Horses
  • Classical Problem

Trojan Horses, e.g.virus propagation

overview trojan horses14
Overview - Trojan Horses

Grader G is a conscientious student but lacking computer skills.

So a classmate C sets up a tool box that includes, e.g., editor, spread sheet, …;

overview trojan horses15
Overview - Trojan Horses

C embeds a “copy program”

into G’s tool; it sends

a copy of G’s file to C

(university system normally allows students to exchange information)

overview trojan horses16
Overview - Trojan Horses
  • As the Grader is not aware of such

Trojan Horses, he cannot stop them;

  • The system has to stop them!

Can it?

overview trojan horses17
Overview - Trojan Horses

Can it?

In general, NO

With constraints, YES

Chinese (Great) Wall Security Policy.

overview trojan horses18
Overview - Trojan Horses

Direct Information flow(DIF); CIF, a sequence of DIF’s, leaks the information legally !!!



Trojan horse(DIF)




  • End of Overview



In UK, a financial service company may consulted by competing companies. Therefore it is vital to have a lawfully enforceable security policy.


  • Brewer and Nash (BN) proposed Chinese Wall Security Policy Model (CWSP) 1989 for this purpose
  • The idea of CWSP was, and still is, fascinating;
  • Unfortunately, BN made a technical error.
  • BN’s Vision
bn intuitive wall model
BN: Intuitive Wall Model
  • Built a set of impenetrable Chinese Walls among company datasets so that
  • No corporate data that are in conflict can be stored in the same side of the Walls
  • 5
policy simple cwsp scwsp
Policy: Simple CWSP (SCWSP)

"Simple Security", BN asserted that

"people (agents) are only allowed

access to information which is not

held to conflict with any other

information that they (agents)

already possess."

could policy enforce the goal
Could Policy Enforce the Goal?
  • “YES” BN’s intent; technical flaw
  • Yes, but it relates an outstanding difficult problem in Computer Security
first analysis
First analysis


No single agent can read data X and Y

that are in CONFLICT

Is SCWSP adequate?

formal simple cwsp
Formal Simple CWSP

SCWSP says that a system is secure, if

“(X, Y)  CIR  X NDIF Y “

“(X, Y)  CIR  X DIF Y “

(need to know may apply)

CIR=Conflict of Interests Binary Relation

more analysis
More Analysis

SCWSP requires no single agent can read X and Y,

  • but do not exclude the possibility a sequence of agents may read them

Is it secure?

aggressive cwsp acwsp
Aggressive CWSP (ACWSP)

The Intuitive Wall Model implicitly requires: No sequence of agents can read X and Y:

A0 reads X=X0and X1,

A1 reads X1and X1,

. . .

An reads Xn=Y

can scwsp enforce acwsp
Can SCWSP enforce ACWSP?

Related to a Classical Problem

Trojan Horses

current states
Current States

1.BN-Theory (Rough Computing)-failed

2.Granular Computing Method

formal model
Formal Model

When an agent, who has read both X and Y, considers a decision for Y,

  • information in X may be used

consciously or unconsciously.

formal model dif
Formal Model (DIF)

So the fair assumptions are:

if the same agent can read X and Y

  • X has direct information flowed into Y, in notation, X DIF Y
  • also Y DIF X . . .
formal simple cwsp36
Formal Simple CWSP

SCWSP says that a system is secure, if

“(X, Y)  CIR  X NDIF Y “

“(X, Y)  CIR  X DIF Y “

CIR=Conflict of Interests Binary Relation

composite information flow
CompositeInformation flow

CompositeInformation flow(CIF) is

a sequence of DIFs , denoted by 

such that

X=X0X1 . . .  Xn=Y

And we write X CIF Y


formal aggressive cwsp
Formal Aggressive CWSP

Aggressive CWSP says that a system is secure, if

“(X, Y)  CIR  X NCIF Y “

“(X, Y)  CIR  X CIF Y “

the problem
The Problem

Simple CWSP  ? Aggressive CWSP

This is a malicious Trojan Horse problem

need acwsp theorem
Need ACWSP Theorem
  • Theorem If CIR is anti-reflexive, symmetric and anti-transitive, then
  • Simple CWSP  Aggressive CWSP
  • BN’s solution
  • GrC Solution
bn theory failed

BN assumed:

  • Corporate data are decomposed into

Conflict of Interest Classes


(implies CIR is an equivalence relation)

bn theory

BN assumption: CIR-classes

Class B

i, j, k

f, g, h

Class C


l, m, n

bn theory44
  • Can they be partitioned?

France, German


US, Russia


bn theory45
  • Is CIR Equivalence Relation?

NO (will prove)

some mathematics
Some Mathematics

A partition  Equivalence Relation

Class B

i, j, k

f, g, h

Class C


l, m, n

some mathematics47
Some Mathematics

Partition  Equivalence relation

  • X  Y (Equivalence Relation)

if and only if

  • both belong to the same class/granule
equivalence relation
Equivalence Relation

Generalized Identity

  • X  X (Reflexive)
  • X  Y implies Y X (Symmetric)
  • X  Y, Y Z implies X  Z (Transitive)
is cir symmetric
Is CIR Symmetric?
  • US  (conflict) USSR


  • USSR  (conflict) US ?
  • YES
is cir transitive
Is CIR Transitive?
  • US  (conflict) Russia
  • Russia  (conflict)UK
  • UK  ? US


is cir reflexive
Is CIR Reflexive?
  • Is CIR self conflicting?
  • US  (conflict) US ?
  • NO
overlapping cir classes
Overlapping CIR-classes
  • CIR is not an equivalence relation, so CIR classes do overlap


Iraq, . . .


bn theory54

BN-Theory Failed, but

BN’ intention is valid

new theory
New Theory

Formalize BN’s intuition:

O: the set of objects(company datasets)

X, Y, . . . are objects

summary on simple cwsp
Summary on Simple CWSP
  • “X and Y has no conflict then they can be read by same agent “
  •  “(X, Y)  CIR  X NDIF Y”
  • B(X) ={Y | X NDIF Y }

={Y | (X, Y )  CIR }

  • 6
granule access lists
Granule (“Access Lists”)

B(X) is a set of objects that information of X canNOT be flow into.

  • Granule / Neighborhood
  • “Access Denied Lists”
dac and grc
DAC and GrC

The association

B: O  2O ;  X  B(X)

  • DAC (Discretionary Access Control Model)
  • Basic (binary) Granulation/Neighborhood System
derived equivalence relation
Derived Equivalence Relation

The inverse images of B is a partition (an equivalence relation)

C ={Cp | Cp =B –1 (Bp) p  V}

This is the heart of this talk

the set c of the center sets of cir
The set C of the center sets of CIR

The set C of center sets Cp is a partition

US, UK, . . .

Iraq, . . .

German, . . .

c and cir classes
C and CIR classes
  • IJAR=Cp

Cp -classes


Cp -classes

c and cir classes62
C and CIR classes

Cp -classes


Cp -classes

c and cir classes63
C and CIR classes
  • CIR: Anti-reflexive, symmetric, anti-transitive

Cp -classes


Cp -classes

derived equivalence relation64
Derived Equivalence Relation
  • Cp is called the center set of Bp
  • A member of Cpis called a center.
derived equivalence relation65
Derived Equivalence Relation
  • The center set Cp consists of all the points that have the same granule
  • Center set Cp = {q | Bq= Bp}
aggressive cwsp theorem
Aggressive CWSP Theorem
  • Theorem. If CIR is anti-reflexive, symmetric, anti-transitive, then

C=IJAR(=complement of CIR).

aggressive cwsp
Aggressive CWSP
  • CIR (with three conditions) only allows information sharing within one IJAR-class
  • An IJAR-class is an equivalence class; so there is no danger the information will spill to outside.
  • Theorem If CIR is anti-reflexive, symmetric and anti-transitive, then
  • Simple CWSP  Strong CWSP

1. Classical Problem Solving Paradigm requires partitioning (equivalence relation) may be too strong

2. Classical idea is extended to granulation (binary relation)


3. A small success in apply new paradigm to computer security

4. CWSP is one of the the bigger problem, managing the Information Flow Model in DAC; this was considered impossible in the past.


5. BN’s requirements implies IJAR is an equivalence class. However, if we impose “need to know” constraint, then IJAR is not an equivalence class. Under such constraints, we have weaker form of CWSP theorem

appendix aggressive cwsp theorem
AppendixAggressive CWSP Theorem
  • If CIR is anti-transitive non-empty and if (u, v)  CIR implies that  w  V (at least one of (u, w) or (w, v) belongs to CIR ). Let (x, y) and (y, z) be in IJAR, we need to show that (x, z) be in IJAR. Assume contrarily, it is in CIR, by anti-transitive, one and only one of (x, y) or (y, z) be in CIR, that is the contradiction.