Question:
Sometimes individual data are less sensitive than their aggregate. For example: The budgets of individual departments of a company may not reveal much information. But collectively, they reveal where the company is concentrating its resources, and thus telegraph its business strategy. In the 1996 movie "Mission: Impossible", the recovery of a NOC (non-official cover) list is a focus of Agent Ethan Hunt. One half of the list contains the codenames of secret agents, and the other half contains the agents' real names. Each half individually reveals sensitive information, and their combination reveals even more information.
Aggregation is particularly relevant in the context of databases. For the purpose of this problem, suppose that a database comprises a number of datasets. (A dataset might be a table or a view.) Further, suppose that each dataset is assigned a sensitivity label such as Unclassified, Secret, or Top Secret. Then it might be the case that datasets A and B are both Unclassified, but that their aggregation is Secret. To model this, let the function L(R), where R is a set of datasets---for example, R = {A, B}---denote the sensitivity of the aggregation of all the datasets in R. As healthiness conditions on L, we require that:

(i) For all A, L({A}) = sensitivity of A.
(ii) If R ⊆ R' then L(R) ≤ L(R').

Your goal in this problem is to develop a MAC model for this scenario. Suppose that an object is a document containing information derived from the database---e.g., the result of queries on datasets. A subject, as usual, is a process executing on behalf of a user. An entity is either a subject or an object.

a. Construct your own real-world example, using the database model above, of aggregate data that are more sensitive than their constituents. Your example should include at least three datasets. Identify what L(R) is for each possible subset R of your datasets.

b. Suppose that each object (and subject) is labelled with its sensitivity (or clearance). We could then attempt to employ the Bell and LaPadula security conditions ("no read up, no write down"). However, we claim that these conditions are insufficient to guarantee the following policy: P1: An object never contains information whose sensitivity is higher than the object's label. Using your example database from part 1, prove this claim by exhibiting a series of read and write operations that effect such an information flow. You may freely invent entities and their labels.

c. Instead of sensitivity, suppose that each entity is labelled with a set of datasets. Give new conditions for reading and writing. Your conditions should guarantee the following policy: P2: If X is labelled with R, then the information in datasets R should be allowed to flow to X, and information from datasets other than those in R should not be allowed to flow to X.
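As an added illustration (not part of the original question), the following Python model encodes the aggregation function L(R) over a constructed three-dataset database, checks both healthiness conditions, replays the kind of Bell-LaPadula read/write sequence part b asks about, and expresses set-valued labels in the spirit of policy P2. The datasets A, B, C and their subset labels are assumptions made up here.

```python
from itertools import combinations

# Constructed example database (not from the original post): three datasets
# that are Unclassified alone, Secret as {A,B}, Top Secret all together.
LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}
EXPLICIT = {frozenset("A"): 0, frozenset("B"): 0, frozenset("C"): 0,
            frozenset("AB"): 1, frozenset("ABC"): 2}

def L(R):
    """Sensitivity of aggregating datasets R: the highest explicit label of any
    labelled subset of R (so L is monotone by construction; L({}) = 0)."""
    R = frozenset(R)
    return max((lvl for S, lvl in EXPLICIT.items() if S <= R), default=0)

def subsets(datasets):
    return [frozenset(c) for n in range(len(datasets) + 1)
            for c in combinations(datasets, n)]

def healthy(datasets):
    """Check both healthiness conditions over every subset of `datasets`."""
    singles_ok = all(L({d}) == EXPLICIT[frozenset({d})] for d in datasets)
    mono_ok = all(L(R) <= L(R2) for R in subsets(datasets)
                  for R2 in subsets(datasets) if R <= R2)
    return singles_ok and mono_ok

def blp_aggregation_leak():
    """Part b: with scalar labels, 'no read up' and 'no write down' both pass,
    yet an Unclassified object ends up holding Secret aggregate information."""
    subj = {"clearance": 0, "knows": set()}          # Unclassified subject
    objs = {"docA": (0, {"A"}), "docB": (0, {"B"})}  # Unclassified objects
    target = {"label": 0, "contains": set()}         # Unclassified output
    for label, content in objs.values():
        if label <= subj["clearance"]:               # no read up: allowed
            subj["knows"] |= content
    if subj["clearance"] <= target["label"]:         # no write down: allowed
        target["contains"] |= subj["knows"]
    return L(target["contains"]) > target["label"]   # True means P1 violated

def can_read(subject_sets, object_sets):
    """Part c style check: X labelled R may receive only datasets in R."""
    return object_sets <= subject_sets

def can_write(subject_sets, object_sets):
    """Information a subject holds may flow only to objects labelled with it."""
    return subject_sets <= object_sets
```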