• CRR2: If $P_=(R_i, I_j)$ holds then $mod(R_i) > mod(I_j)$, i.e. the new rule wins over the installed rule only if their ranges are equal; $R_i$ is installed as $mod(R_i)$ over $rg(I_j)$.
CRR2 can be re-phrased as “fresher rule wins over the same range”. Note that for auditing purposes it is easy to reverse engineer the installed rule set state at any moment of time with the convention expressed by CRR1 and CRR2 and with logging of all newly injected rules.
Resolution of Severe Conflicts. If $P_>(R_i, I_j)$ holds then conflict resolution is not possible. As a consequence of orthogonal relations 2, 3, 4, and 5 we can state that there are always exactly two installed rules $I_j$ and, say, $I_{j+1}$ that are in overlapping relation to $R_i$ and neither of them is in inverted nesting relation to $R_i$. However, if installed rule $I_j$ is inversely nesting with $R_i$ then it is not possible to conclude in general how many more installed rules are inversely nesting or overlapping with $R_i$. Impossibility of severe conflict resolution of this type will not affect the rule-base system performance since $P_>(R_i, I_j)$ will be evaluated off-line (see section 7.2).
If $P_/(R_i, I_j)$ holds then the new rule is not a pinhole and CRR1 and CRR2 are not directly applicable. However, we can still benefit from the conflict resolution rules using the following simple overlapping conflict resolution (OCR) algorithm:
1. Define the installed target rule for $R_i$; this will be the one of the two adjacent installed rules $I_j$ and, say, $I_{j+1}$ whose modality is opposite to that of $R_i$.
2. Split the conflicting $R_i$ into two sub-rules $R^L_i$ and $R^R_i$ at the boundary with the target installed rule;
3. Apply CRR1 or CRR2 to resolve the conflict between the target installed rule and $R^L_i$ or $R^R_i$.
Effectively this algorithm expands the interval of the non-target installed rule by the sub-range of $R_i$ that overlaps the installed target rule (Fig. 2.b).
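The following is an added illustration of light-conflict and OCR handling over a contiguous installed rule set; it is not the paper's own code. It assumes SIDs are integers, rules are closed intervals with an allow/deny modality, installed rules partition the SID space with equal-modality neighbours coalesced (so the two rules adjacent to a boundary always differ in modality), and CRR1 lets a properly nested pinhole take effect over its own range; a new rule overlapping three or more installed rules, or enclosing one (inverse nesting), is rejected as a severe conflict for off-line evaluation, and accepted rules are logged so the installed state can be replayed for audit.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    lo: int      # first SID covered (closed interval; modelling assumption)
    hi: int      # last SID covered
    mod: str     # modality: 'allow' or 'deny'

class RuleBase:
    """Installed rules partition the SID space; neighbours differ in modality."""
    def __init__(self, default: Rule):
        self.installed = [default]   # R_0, the default policy
        self.log = []                # every accepted new rule, for audit replay

    def _coalesce(self):
        out = []
        for r in sorted(self.installed, key=lambda r: r.lo):
            if out and out[-1].mod == r.mod and out[-1].hi + 1 == r.lo:
                out[-1] = Rule(out[-1].lo, r.hi, r.mod)
            else:
                out.append(r)
        self.installed = out

    def _pinhole(self, new: Rule, target: Rule):
        # CRR1/CRR2: the new rule wins inside its own range; the target keeps
        # whatever lies outside that range (nothing, when the ranges are equal)
        pieces = [new]
        if target.lo < new.lo:
            pieces.append(Rule(target.lo, new.lo - 1, target.mod))
        if new.hi < target.hi:
            pieces.append(Rule(new.hi + 1, target.hi, target.mod))
        self.installed = [r for r in self.installed if r is not target] + pieces

    def inject(self, new: Rule) -> bool:
        overl = [r for r in self.installed if r.lo <= new.hi and new.lo <= r.hi]
        nested_in_new = [r for r in overl if new.lo <= r.lo and r.hi <= new.hi]
        if len(overl) == 1:
            self._pinhole(new, overl[0])              # light conflict (pinhole)
        elif len(overl) == 2 and not nested_in_new:
            # OCR: the target is the overlapped neighbour of opposite modality;
            # split R_i at its boundary and resolve only that sub-rule against it
            target = next(r for r in overl if r.mod != new.mod)
            self._pinhole(Rule(max(new.lo, target.lo),
                               min(new.hi, target.hi), new.mod), target)
        else:
            return False   # severe conflict (P_>): left for off-line evaluation
        self.log.append(new)
        self._coalesce()
        return True
```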
Statement. The OCR algorithm does not violate CRR1 and CRR2 with regard to any of the original rules.
Discussion. The statement means that despite the fact that all original rules injected into a rule base 'disappeared' in installed rules, and despite the presence of severe conflict, the algorithm works as if applied to resolve conflicts between a new rule and all successfully injected original rules. Let $P_/(R_i, I_j)$ hold, and let $I_{j+1}$ be another, non-target overlap with new rule $R_i$. The modality of the target rule is either inherited from the default policy $R_0$, or resulted from a light or from a severe conflict resolution. Let $R^L_i$ be the part of $R_i$ that has SID values in common with $I_j$; then $R^L_i$ is a pinhole left or right adjusted to the target rule boundary. If $mod(I_j)$ is inherited from $R_0$ then $R^L_i$ is a pinhole in $R_0$ and the statement is correct. If $mod(I_j)$ results from a light conflict resolution, i.e. $I_j$ originated from a properly nested pinhole, then, as follows from rules orthogonality, $rg(R^L_i) < rg(I_j)$, which also satisfies the statement. Finally, if $mod(I_j)$ results from severe conflict resolution the statement is also correct because the above considerations can be applied recursively (the initial step is in Fig. 2.b). Thus our second requirement is satisfied: there is no need to keep track of all original (and maybe obsolete) rules if CRR1, CRR2, and OCR are deployed.