ECS 289M Lecture 3
April 5, 2006

Overview
• Safety Question
• HRU Model
• Take-Grant Protection Model
April 5, 2006 ECS 289M, Foundations of Computer and Information Security, Slide 2
What Is “Secure”?
• Adding a generic right r where there was not one is “leaking”
• If a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r.

Safety Question
• Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r?
– Here, “safe” = “secure” for an abstract model
Mono-Operational Commands
• Answer: yes
• Sketch of proof: Consider a minimal sequence of commands c1, …, ck that leaks the right.
– Can omit delete, destroy
– Can merge all creates into one
Worst case: insert every right into every entry; with s subjects and o objects initially, and n rights, the upper bound is k ≤ n(s+1)(o+1)

General Case
• Answer: no
• Sketch of proof: Reduce the halting problem to the safety problem
Turing Machine review:
– Infinite tape in one direction
– States K, symbols M; distinguished blank b
– Transition function δ(k, m) = (k′, m′, L) means: in state k, the symbol m at the tape location is replaced by symbol m′, the head moves left one square, and the machine enters state k′
– Halting state is qf; the TM halts when it enters this state
Mapping
Tape: cell 1 = A, cell 2 = B, cell 3 = C, cell 4 = D, …; head over cell 3; current state is k
Access control matrix (tape cell i corresponds to subject si; the state right marks the head cell, end marks the rightmost cell):
        s1      s2      s3      s4
  s1    A       own
  s2            B       own
  s3                    C k     own
  s4                            D end

Mapping
After δ(k, C) = (k1, X, R), where k is the current state and k1 the next state:
Tape: cell 1 = A, cell 2 = B, cell 3 = X, cell 4 = D, …; head over cell 4
        s1      s2      s3      s4
  s1    A       own
  s2            B       own
  s3                    X       own
  s4                            D k1 end
Command Mapping
δ(k, C) = (k1, X, R) at an intermediate cell becomes the command
command c_{k,C}(s3, s4)
  if own in A[s3, s4] and k in A[s3, s3] and C in A[s3, s3]
  then
    delete k from A[s3, s3];
    delete C from A[s3, s3];
    enter X into A[s3, s3];
    enter k1 into A[s4, s4];
end

Mapping
After δ(k1, D) = (k2, Y, R), where k1 is the current state and k2 the next state:
Tape: cell 1 = A, cell 2 = B, cell 3 = X, cell 4 = Y, cell 5 = b; head over cell 5
        s1      s2      s3      s4      s5
  s1    A       own
  s2            B       own
  s3                    X       own
  s4                            Y       own
  s5                                    b k2 end
Command Mapping
δ(k1, D) = (k2, Y, R) at the end of the tape becomes the command
command crightmost_{k,C}(s4, s5)
  if end in A[s4, s4] and k1 in A[s4, s4] and D in A[s4, s4]
  then
    delete end from A[s4, s4];
    create subject s5;
    enter own into A[s4, s5];
    enter end into A[s5, s5];
    delete k1 from A[s4, s4];
    delete D from A[s4, s4];
    enter Y into A[s4, s4];
    enter k2 into A[s5, s5];
end

Rest of Proof
• Protection system exactly simulates a TM
– Exactly 1 end right in the ACM
– 1 right in the entries corresponds to the state
– Thus, at most 1 applicable command
• If the TM enters state qf, then the right has leaked
• If the safety question were decidable, then represent the TM as above and determine whether qf leaks
– Implies the halting problem is decidable
• Conclusion: the safety question is undecidable
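The command mapping above carried out in code, as an added example that is not part of the lecture: the access control matrix is a dictionary of right sets, one HRU command fires per Turing-machine step, and a leak of the halting state is detected exactly as the proof describes. The helper names (make_acm, step, leaks, run), the constructed two-transition machine, and the left-move variant (the slides show only right moves) are my own assumptions.

```python
# Added example (not from the lecture): an HRU access control matrix that
# simulates a Turing machine one command at a time. Tape cell i is subject s_i;
# A[s_i,s_i] holds the symbol, the state when the head is there, and "end" on
# the last cell; A[s_i,s_{i+1}] holds "own". Names and sample machine are mine.
def make_acm(tape, head, state):
    """Matrix A as {(row, col): set of rights} for a tape, head index, state."""
    acm = {(i, i): {sym} for i, sym in enumerate(tape)}
    for i in range(len(tape) - 1):
        acm[(i, i + 1)] = {"own"}
    acm[(head, head)].add(state)
    acm[(len(tape) - 1, len(tape) - 1)].add("end")
    return acm

def step(acm, delta, n):
    """Run the one command c_{k,C}(s_i, s_j) whose condition holds.
    Returns the new (tape length, state), or None if no command applies."""
    for i in range(n):
        for (k, c), (k2, m2, d) in delta.items():
            if not {k, c} <= acm[(i, i)]:
                continue                    # head, state or symbol differ
            if d == "R" and "end" in acm[(i, i)]:
                # c_rightmost: extend the tape by creating subject s_{i+1}
                acm[(i, i)].discard("end")
                acm[(i + 1, i + 1)] = {"b", "end"}
                acm[(i, i + 1)] = {"own"}
                n += 1
            j = i + 1 if d == "R" else i - 1      # left moves use (s_{i-1}, s_i)
            if "own" not in acm.get((min(i, j), max(i, j)), set()):
                return None                 # head would run off the left end
            acm[(i, i)] -= {k, c}           # delete k, delete C
            acm[(i, i)].add(m2)             # enter m'
            acm[(j, j)].add(k2)             # enter k' where the head now is
            return n, k2
    return None

def leaks(acm, qf):
    """True when the halting state q_f occurs in some entry: the right leaked."""
    return any(qf in rights for rights in acm.values())

def run(tape, head, state, delta, qf, limit=100):
    """Simulate up to `limit` commands; return (leaked?, final tape symbols)."""
    acm, n = make_acm(tape, head, state), len(tape)
    for _ in range(limit):
        if leaks(acm, qf) or (res := step(acm, delta, n)) is None:
            break
        n, _ = res
    non_symbols = {"own", "end", qf} | {k for k, _ in delta} | {v[0] for v in delta.values()}
    return leaks(acm, qf), ["".join(acm[(i, i)] - non_symbols) for i in range(n)]

# Constructed sample machine: overwrite A's with X, halt after the first B.
DELTA = {("q0", "A"): ("q0", "X", "R"), ("q0", "B"): ("qf", "B", "R")}
```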
Other Results
• Set of unsafe systems is recursively enumerable
• Delete the create primitive; then the safety question is complete in PSPACE
• Delete the destroy and delete primitives; then the safety question is undecidable
– Systems are monotonic
• Safety question for monoconditional, monotonic protection systems is decidable
• Safety question for monoconditional protection systems with create, enter, delete (and no destroy) is decidable.

Take-Grant Protection Model
• A specific (not generic) system
– Set of rules for state transitions
• Safety decidable, and in time linear with the size of the system
• Goal: find conditions under which rights can be transferred from one entity to another in the system
System
○ objects (files, …)
● subjects (users, processes, …)
⊗ don't care (either a subject or an object)
G ⊢x G′: apply a rewriting rule x (witness) to G to get G′
G ⊢* G′: apply a sequence of rewriting rules (witness) to G to get G′
R = { t, g, r, w, … } set of rights

Rules
take: x ● —t→ y ⊗ —α→ z ⊗   ⊢t   the same graph plus a new edge x —α→ z
  (x has t over y and y has α over z, so x takes α over z)
grant: x ● —g→ y ⊗, x —α→ z ⊗   ⊢g   the same graph plus a new edge y —α→ z
  (x has g over y and α over z, so x grants α over z to y)
More Rules
create: x ● ⊢ x ● —α→ ⊗ (a subject creates a new vertex and gets rights α over it)
remove: x ● —β→ ⊗ ⊢ x ● —(β – α)→ ⊗ (a subject removes rights α from one of its own edges)
These four rules are called the de jure rules

Symmetry
Start: x and z subjects, z —t→ x, z —α→ y. Result: G ⊢* G′ with x —α→ y, using a new vertex v with x —tg→ v and z —g→ v:
1. x creates (tg to new) v
2. z takes (g to v) from x
3. z grants (α to y) to v
4. x takes (α to y) from v
Similar result for grant
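The four de jure rules and the symmetry derivation above, as an added example that is not the lecture's own code: each rule checks its precondition before rewriting the graph, and symmetry() replays the four steps on a constructed graph. The ProtectionGraph class, the ValueError checks and the vertex names are my own assumptions.

```python
# Added example (not from the lecture): the four de jure rules as operations on
# a protection graph, then the symmetry derivation above. Names are my own.
def _require(cond, rule):
    if not cond:
        raise ValueError(f"precondition of the {rule} rule does not hold")

class ProtectionGraph:
    def __init__(self, subjects, objects=()):
        self.subjects = set(subjects)
        self.vertices = self.subjects | set(objects)
        self.edges = {}                       # (src, dst) -> set of rights

    def add(self, src, dst, rights):
        self.edges.setdefault((src, dst), set()).update(rights)

    def has(self, src, dst, right):
        return right in self.edges.get((src, dst), set())

    def take(self, x, y, z, alpha):
        """x -t-> y -alpha-> z gives x -alpha-> z; x must be a subject."""
        _require(x in self.subjects and self.has(x, y, "t") and self.has(y, z, alpha), "take")
        self.add(x, z, {alpha})

    def grant(self, x, y, z, alpha):
        """x -g-> y and x -alpha-> z gives y -alpha-> z; x must be a subject."""
        _require(x in self.subjects and self.has(x, y, "g") and self.has(x, z, alpha), "grant")
        self.add(y, z, {alpha})

    def create(self, x, v, rights, subject=False):
        """x creates a fresh vertex v (object unless subject=True) with rights over it."""
        _require(x in self.subjects and v not in self.vertices, "create")
        self.vertices.add(v)
        if subject: self.subjects.add(v)
        self.add(x, v, rights)

    def remove(self, x, y, rights):    # x drops rights from its own edge to y
        _require(x in self.subjects, "remove")
        self.edges.get((x, y), set()).difference_update(rights)

def symmetry(g, x, z, y, alpha, v="v"):
    """With z -t-> x and z -alpha-> y (x, z subjects), x obtains alpha over y."""
    g.create(x, v, {"t", "g"})                # 1. x creates (tg to new) v
    g.take(z, x, v, "g")                      # 2. z takes (g to v) from x
    g.grant(z, v, y, alpha)                   # 3. z grants (alpha to y) to v
    g.take(x, v, y, alpha)                    # 4. x takes (alpha to y) from v
    return g.has(x, y, alpha)

def demo():
    g = ProtectionGraph(subjects={"x", "z"}, objects={"y"})
    g.add("z", "x", {"t"}); g.add("z", "y", {"r"})   # constructed: z -t-> x, z -r-> y
    return symmetry(g, "x", "z", "y", "r")
```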
Islands
• tg-path: path of distinct vertices connected by edges labeled t or g
– Call them “tg-connected”
• island: maximal tg-connected subject-only subgraph
– Any right one vertex has can be shared with any other vertex

Initial, Terminal Spans
(Notation: t→ is an edge labeled t pointing from x toward y along the path, t← one pointing the other way; ν is the empty word, i.e., x = y)
• initial span from x to y
– x subject
– tg-path between x, y with word in { t→* g→ } ∪ { ν }
– Means x can give rights it has to y
• terminal span from x to y
– x subject
– tg-path between x, y with word in { t→* } ∪ { ν }
– Means x can acquire any rights y has
Bridges
• bridge: tg-path between subjects x, y, with associated word in { t→*, t←*, t→* g→ t←*, t→* g← t←* }
– rights can be transferred between the two endpoints
– not an island as intermediate vertices are objects

Example
[Figure: protection graph with vertices s, q, r, p, s', y, u, v, x, w and edges labeled g, t, t, g, g, t; the edge layout is not recoverable from the slide text]
• islands { p, u }, { w }, { y, s' }
• bridges u, v, w; w, x, y
• initial span p (associated word ν)
• terminal span s's (associated word t→)
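Islands and bridges computed over a constructed protection graph, as an added example not taken from the lecture: islands are the tg-connected components restricted to subjects, and bridges are subject pairs joined through objects by a path whose word matches one of the four bridge forms above (so t→ t← is correctly rejected). The function names, the word encoding ("t>" for t→, "t<" for t←) and the sample graph are my own assumptions.

```python
# Added example (not from the lecture): islands and bridges of a protection
# graph, the two structures the can*share theorem needs. Names are my own.
import re

# Bridge words read from the first subject: "t>" = t edge pointing toward the far subject, "t<" = pointing back.
BRIDGE = re.compile(r"(?:t>)*|(?:t<)*|(?:t>)*g>(?:t<)*|(?:t>)*g<(?:t<)*")

def tg_neighbors(edges, v):
    """Yield (next vertex, letter) for each t/g edge touching v."""
    for (a, b), rights in edges.items():
        for r in rights & {"t", "g"}:
            if a == v:
                yield b, r + ">"
            if b == v:
                yield a, r + "<"

def islands(subjects, edges):
    """Maximal tg-connected subject-only subgraphs, as a list of frozensets."""
    remaining, result = set(subjects), []
    while remaining:
        comp, stack = set(), [remaining.pop()]
        while stack:
            v = stack.pop()
            comp.add(v)
            for w, _ in tg_neighbors(edges, v):
                if w in subjects and w not in comp:
                    stack.append(w)
        remaining -= comp
        result.append(frozenset(comp))
    return result

def bridges(subjects, edges):
    """Subject pairs joined through objects only by a path with a bridge word."""
    found = set()
    def walk(x, v, path, word):
        for w, letter in tg_neighbors(edges, v):
            if w in path:
                continue
            if w not in subjects:
                walk(x, w, path + [w], word + letter)
            elif len(path) > 1 and BRIDGE.fullmatch(word + letter):
                found.add(frozenset((x, w)))
    for x in subjects:
        walk(x, x, [x], "")
    return found

# Constructed sample: {p, u} is an island; u..v..w and w..o..y are bridges;
# y..q..x (word t>t<) is not, although q is tg-connected to both.
SUBJECTS = {"p", "u", "w", "y", "x"}
EDGES = {("p", "u"): {"t"}, ("u", "v"): {"t"}, ("w", "v"): {"g"},
         ("w", "o"): {"t"}, ("o", "y"): {"t"}, ("y", "q"): {"t"}, ("x", "q"): {"t"}}
```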
can•share Predicate
Definition:
• can•share(r, x, y, G0) if, and only if, there is a sequence of protection graphs G0, …, Gn such that G0 ⊢* Gn using only de jure rules and in Gn there is an edge from x to y labeled r.

can•share Theorem
• can•share(r, x, y, G0) if, and only if, there is an edge from x to y labeled r in G0, or the following hold simultaneously:
– There is an s in G0 with an s-to-y edge labeled r
– There is a subject x′ = x or initially spans to x
– There is a subject s′ = s or terminally spans to s
– There are islands I1, …, Ik connected by bridges, and x′ in I1 and s′ in Ik
Outline of Proof
• s has r rights over y
• s′ acquires r rights over y from s
– Definition of terminal span
• x′ acquires r rights over y from s′
– Repeated application of sharing among vertices in islands, passing rights along bridges
• x′ gives r rights over y to x
– Definition of initial span

Example Interpretation
• ACM is generic
– Can be applied in any situation
• Take-Grant has specific rules, rights
– Can be applied in situations matching rules, rights
• Question: what states can evolve from a system that is modeled using the Take-Grant Model?