Skip to Main content Skip to Navigation

Vers une évaluation quantitative de la sécurité informatique

Marc Dacier 1
1 LAAS-TSF - Équipe Tolérance aux fautes et Sûreté de Fonctionnement informatique
LAAS - Laboratoire d'analyse et d'architecture des systèmes
Abstract : Current computing systems have to protect the data they hold and to fit easily into versatile working environnments. These objectives, sécurity and flexibility, can be antinomic. The conflict usually leads to the use of systems that offer an acceptable security level, yet not maximal. Defining such security level requires evaluation methods. This is the topic of the thesis.
the author presents the existing evaluation criteria and the so-called risk analysis methods. This introduces the need for a formal framework that can modelize any system and evaluate its effectiveness to implement well-defined protection goals.
Computer security formal models do not fit that purpose. the author schows that they use a worst case hypothesis about the behaviour of the users, incompatible with a realistic modeling.
The author offers a solution to relax the hypothesis of the "take-grant" model. Then, he defines a new model, called the privilege graph, more efficient to deal with some protections schemes. He illustrates its use in the context of unix systems.
Finally, the author proposes a computer security evaluation method by computing the time and required to an intruder for breaking into the system. He defines a mathematical framework to represent the system and to obtain such measures. To do so, the provileg graph is transformed into a stochastic Petri net ans its marking graph is derived. Based on this structure, the measures are evaluated and their mathematical properties are proofed. The author gives an illustration of the usefullness of the model by analyzing some results obtained with a prototype developped to study the operational security of a Unix system.
Complete list of metadatas
Contributor : Anne Bergez <>
Submitted on : Thursday, March 23, 2006 - 2:31:15 PM
Last modification on : Thursday, March 5, 2020 - 2:44:34 PM
Long-term archiving on: : Wednesday, September 8, 2010 - 3:39:28 PM


  • HAL Id : tel-00012022, version 1


Marc Dacier. Vers une évaluation quantitative de la sécurité informatique. Réseaux et télécommunications [cs.NI]. Institut National Polytechnique de Toulouse - INPT, 1994. Français. ⟨tel-00012022⟩



Record views


Files downloads