Inf:The site is under developmnet. The complexity of the security graph and/or available methods for it analyses may be subject of the restrictions depends on the available resources (current limit the 50 edges).

Demo content

The service has full-functional demo content which can be accessed without registration at all.
  • Info: In OMOLE's demo mode the CRUD services are blocked. The registration is not required.

The security demo graphs:

  1. LevelsGraph – ladder security hierarchy
  2. RG5.71 – а NPP I&C security architecture from REGULATORY GUIDE 5.71 NRC US The architecture is shown on Figure 1.
    RG5.71 arch
    Figure 1. Simplified cyber security defensive architecture

    The architecture is one that includes the following main characteristics:
    • assets associated with safety, important to safety and security functions, as well as support systems and equipment which, if compromised, would adversely impact safety, important to safety and security functions, are allocated to Level 4 and are protected from all lower levels.
    • Only one-way data flow is allowed from Level 4 to Level 3 and from Level 3 to Level 2.
    • Initiation of communications from digital assets at lower security levels to digital assets at higher security levels is prohibited.
    • Data only flows from one level to other levels through a device or devices that enforce security policy between each level.
Omole's methods
The service has following metods:
  • ISLANDS- Find the islands in security graph.
  • BRIDGES- Find the bridges in security graph.
  • CAN_KNOW - Find the paths of data transfer (see. can_know ).
  • CAN_SHARE - Find the paths of rights transfer (see can_share ).
  • CAN_STEAL- Find the paths of stealing the rights (see can_steal ).
  • SHARE_ZONES, INFO_ZONES - decompose security graph to zones . The zones can be selected by right (method SHARE_ZONES), or by information (data) transfer (method INFO_ZONES).
  • INFO_LEVELS-decompose system to levels (method INFO_LEVELS).
  • RISK_LEVELS-ordering subjects in the system to a risk degree .
  • ACTIVE_INFO_CUT-find an information cut of a security graph. Where cut is a set of edges in security graph whose deletion from the graph disconnects source active(vertex) from the traget(vertex). (Exp.) .

Methods should be used for system analysis (see also Table).

Security graph legend

Symbol Name Security element Comment
O Object Object General security object
Subject Subject General security subject
User Subject Any user in conetxt of the security problem
Program Subject Any software element
Gate Subject ---
Client Subject Any software element performing client functions
Server Subject Any software element performing server functions. All write input relation is treated as W_ONLY
Storage Object General data storage
Data or file Object General type for data or file
Removable media Object General type for any removable data media
Memeory buffer Object --
Data diode Object All read/write outgoing relation will be trated as R\_ONLY or W\_ONLY
Firewall Subject All read/write incoming relation will be trated as R\_ONLY or W\_ONLY

What  is Omole suit for?

Bridges Islands can_share can_know can_steal Zones Levels
System security architecture analyses 
Automatically decompose system to Zones
Decompose system to Security Degrees
Check the legality of procedures

Risk determination

Assign minimal access rights

Computational complexity



Base algorithm




K shortest !




Depth-first search (DFS)




K shortest



O(V4+E2) or   (V+E)!




O(V4+E2) or  (V+E)!

Dijkstra, K shortest , CAN_SHARE




Dijkstra, CAN_KNOW





Dijkstra's algorithm, CAN_KNOW


V - number of vertices in security graph (objects+ subjects )

Vo - number of objects

Vs– - number of subjects

General usage guidelines

  • Summarizes the system architecture and components, and its overall level of security;
  • Includes a list of threats and vulnerabilities, the system's current security controls, and its risk levels;
  • Recommends safeguards, and describes the expected level of risk that would remain if these safeguards were put in place;
  • Shows where an organization needs to concentrate its remedial work;
  • Can be used as input to the agency's business continuity plan;

Analyze and tools 

  • Find islands
  • Find bridges
  • Find paths how information and authority can be transferred between assets of the protection graph
  • Automatically find the zones in a protection graph agree with given right
  • Automatically build the hierarchy of the assets in the  system agree with given right

Examples, Paths

Access the information 1   

How the subject 1 can read information from object 4  (can_know(1,4,Read))?
Answer is Yes and shown the path. 

Access the information 2

Can s1 read q (can_know(s1,q,Read))? Answer is Yes. For the information passing is used T-bridge.

Access the rights 1

Has p right to read q (can_share(p,q,Read))? Answer is Yes. This graph is a single-path graph of the variety we have been discussing, since information flows from q to p along the (sole) path between them. This is demonstrated by the following witness to can_share(p, q, Read): (1) z takes (r to q) from s; (3) p and z use the post rule to add an implicit edge labelled r from p to z; (4) p and z use the spy rule to add an implicit edge labelled r from p to q  [Matt Bishop 1981].

Examples: Basic elements, hierarchy and security degree

Basic security elements

{X,s1} , {s2}, {s3,s4}, {s,s6,s5}- islands,

Linearly  hierarchy

Simple linearly classification scheme L1 (top secret) is top L3  (unclassified) is down

Ladder based hierarchy

Basic security ladder example. The levels are splitted to the several zones.

Tree based hierarchy

Basic tree example

Zones example

Zones extraction

What is zones? Zones are a logical and physical concept for grouping computer systems for administration, communication and application of protective measures. The zone model allows computers with the same or similar importance concerning safe and secure operation of the plant to be grouped together for administration and application of protective measures. The application of a zone model should comply with the following
—Each zone comprises systems that have the same or comparable importance for the facility’s security and safety;
—Systems belonging to one zone have similar demands for protective measures;
—Different computer systems belonging to one zone build a trusted area for internal communication within that zone;
—Zone borders require decoupling mechanisms for data flow built on zone dependent policies;
—Zones can be partitioned into subzones to improve the configuration. 

Symmetrical read/write (video)