ECS 289M Lecture 6, April 12, 2006
ECS 289M, Foundations of Computer and Information Security (lecture slides, PDF)

Safety Result
• If the scheme is acyclic and attenuating, the safety question is decidable

Expressive Power
• How do the sets of systems that the models can describe compare?
– If HRU is equivalent to SPM, SPM provides a more specific answer to the safety question
– If HRU describes more systems, SPM applies only to the systems it can describe

HRU vs. SPM
• SPM is more abstract
– Analyses focus on the limits of the model, not on details of representation
• HRU allows revocation
– SPM has no equivalent to delete, destroy
• HRU allows multiparent creates
– SPM cannot express multiparent creates easily, and not at all if the parents are of different types, because can•create allows for only one type of creator

Multiparent Create
• Solves the mutual suspicion problem
– Create a proxy jointly; each party gives it the rights it needs
• In HRU:
  command multicreate(s0, s1, o)
    if r in a[s0, s1] and r in a[s1, s0]
    then
      create object o;
      enter r into a[s0, o];
      enter r into a[s1, o];
  end

SPM and Multiparent Create
• cc extended in the obvious way
– cc ⊆ TS × … × TS × T
• Symbols
– X_1, …, X_n parents, Y created
– R_{1,i}, R_{2,i}, R_3, R_{4,i} ⊆ R
• Rules
– cr_{P,i}(τ(X_1), …, τ(X_n)) = Y/R_{1,i} ∪ X_i/R_{2,i}
– cr_C(τ(X_1), …, τ(X_n)) = Y/R_3 ∪ X_1/R_{4,1} ∪ … ∪ X_n/R_{4,n}
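The HRU command above, run over a small access-control matrix, as an added example that is not part of the lecture; the subject names, the right name "r" and the object name "proxy" are constructed. It shows that a false condition leaves the matrix unchanged, so neither mutually suspicious party can obtain the proxy alone.

```python
# Added example (not from the lecture): the HRU command multicreate from the
# slide above, run over a small access-control matrix.  The subject names,
# the right name "r" and the object name "proxy" are constructed.
from collections import defaultdict


class HRU:
    """Access-control matrix a[s, o] plus the primitive operations the command needs."""

    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.a = defaultdict(set)  # (s, o) -> set of rights

    def add_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)  # every subject is also an object (it has a column)

    def enter(self, right, s, o):
        assert s in self.subjects and o in self.objects
        self.a[(s, o)].add(right)

    def multicreate(self, s0, s1, o):
        """command multicreate(s0, s1, o)
             if r in a[s0, s1] and r in a[s1, s0] then
               create object o; enter r into a[s0, o]; enter r into a[s1, o]
           end
        Returns True when the command fired.  A false condition leaves the
        matrix untouched, so neither party can obtain the proxy alone."""
        if o in self.objects:  # HRU 'create object' requires a fresh name
            return False
        if "r" in self.a[(s0, s1)] and "r" in self.a[(s1, s0)]:
            self.objects.add(o)
            self.enter("r", s0, o)
            self.enter("r", s1, o)
            return True
        return False


def mutual_suspicion(anna_has_r=True, bill_has_r=True):
    """Anna and Bill jointly create 'proxy' only when each holds r over the other."""
    m = HRU()
    m.add_subject("Anna")
    m.add_subject("Bill")
    if anna_has_r:
        m.enter("r", "Anna", "Bill")  # r in a[Anna, Bill]
    if bill_has_r:
        m.enter("r", "Bill", "Anna")  # r in a[Bill, Anna]
    created = m.multicreate("Anna", "Bill", "proxy")
    return created, sorted(m.a[("Anna", "proxy")]), sorted(m.a[("Bill", "proxy")])
```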

Example
• Anna, Bill must do something cooperatively
– But they don't trust each other
• Jointly create a proxy
– Each gives the proxy only the necessary rights
• In ESPM:
– Anna, Bill type a; proxy type p; right x ∈ R
– cc(a, a) = p
– cr_Anna(a, a, p) = cr_Bill(a, a, p) = ∅
– cr_proxy(a, a, p) = { Anna/x, Bill/x }

2-Parent Joint Create Suffices
• Goal: emulate 3-parent joint create with 2-parent joint create
• Definition of 3-parent joint create (subjects P_1, P_2, P_3; child C):
– cc(τ(P_1), τ(P_2), τ(P_3)) = Z ⊆ T
– cr_{P_1}(τ(P_1), τ(P_2), τ(P_3)) = C/R_{1,1} ∪ P_1/R_{2,1}
– cr_{P_2}(τ(P_1), τ(P_2), τ(P_3)) = C/R_{1,2} ∪ P_2/R_{2,2}
– cr_{P_3}(τ(P_1), τ(P_2), τ(P_3)) = C/R_{1,3} ∪ P_3/R_{2,3}

General Approach
• Define agents for parents and child
– Agents act as surrogates for parents
– If the create fails, parents have no extra rights
– If the create succeeds, parents and child have exactly the same rights as in the 3-parent create
• The only extra rights are to agents (which are never used again, so these rights are irrelevant)

Entities and Types
• Parents P_1, P_2, P_3 have types p_1, p_2, p_3
• Child C of type c
• Parent agents A_1, A_2, A_3 of types a_1, a_2, a_3
• Child agent S of type s
• Type t is parentage
– if X/t ∈ dom(Y), X is Y's parent
• Types t, a_1, a_2, a_3, s are new types

Can•Create
• Following added to can•create:
– cc(p_1) = a_1
– cc(p_2, a_1) = a_2
– cc(p_3, a_2) = a_3
• Parents create their agents; note agents have a maximum of 2 parents
– cc(a_3) = s
• Agent of all parents creates agent of child
– cc(s) = c
• Agent of child creates child

Creation Rules
• Following added to create rule:
– cr_P(p_1, a_1) = ∅
– cr_C(p_1, a_1) = p_1/Rtc
• Agent's parent set to creating parent; agent has all rights over parent
– cr_Pfirst(p_2, a_1, a_2) = ∅
– cr_Psecond(p_2, a_1, a_2) = ∅
– cr_C(p_2, a_1, a_2) = p_2/Rtc ∪ a_1/tc
• Agent's parent set to creating parent and agent; agent has all rights over parent (but not over agent)

Creation Rules
– cr_Pfirst(p_3, a_2, a_3) = ∅
– cr_Psecond(p_3, a_2, a_3) = ∅
– cr_C(p_3, a_2, a_3) = p_3/Rtc ∪ a_2/tc
• Agent's parent set to creating parent and agent; agent has all rights over parent (but not over agent)
– cr_P(a_3, s) = ∅
– cr_C(a_3, s) = a_3/tc
• Child's agent has the third agent as parent
– cr_P(s, c) = c/Rtc
– cr_C(s, c) = c/R_3 t
• Child's agent gets full rights over child; child gets R_3 rights over agent

Link Predicates
• Idea: no tickets to parents until the child is created
– Done by requiring each agent to have its own parent rights
– link_1(A_1, A_2) = A_1/t ∈ dom(A_2) ∧ A_2/t ∈ dom(A_2)
– link_1(A_2, A_3) = A_2/t ∈ dom(A_3) ∧ A_3/t ∈ dom(A_3)
– link_2(S, A_3) = A_3/t ∈ dom(S) ∧ C/t ∈ dom(C)
– link_3(A_1, C) = C/t ∈ dom(A_1)
– link_3(A_2, C) = C/t ∈ dom(A_2)
– link_3(A_3, C) = C/t ∈ dom(A_3)
– link_4(A_1, P_1) = P_1/t ∈ dom(A_1) ∧ A_1/t ∈ dom(A_1)
– link_4(A_2, P_2) = P_2/t ∈ dom(A_2) ∧ A_2/t ∈ dom(A_2)
– link_4(A_3, P_3) = P_3/t ∈ dom(A_3) ∧ A_3/t ∈ dom(A_3)

Filter Functions
• f_1(a_2, a_1) = a_1/t ∪ c/Rtc
• f_1(a_3, a_2) = a_2/t ∪ c/Rtc
• f_2(s, a_3) = a_3/t ∪ c/Rtc
• f_3(a_1, c) = p_1/R_{4,1}
• f_3(a_2, c) = p_2/R_{4,2}
• f_3(a_3, c) = p_3/R_{4,3}
• f_4(a_1, p_1) = c/R_{1,1} ∪ p_1/R_{2,1}
• f_4(a_2, p_2) = c/R_{1,2} ∪ p_2/R_{2,2}
• f_4(a_3, p_3) = c/R_{1,3} ∪ p_3/R_{2,3}

Construction
Create A_1, A_2, A_3, S, C; then
• P_1 has no relevant tickets
• P_2 has no relevant tickets
• P_3 has no relevant tickets
• A_1 has P_1/Rtc
• A_2 has P_2/Rtc ∪ A_1/tc
• A_3 has P_3/Rtc ∪ A_2/tc
• S has A_3/tc ∪ C/Rtc
• C has C/R_3

Construction
• Only link_2(S, A_3) is true ⇒ apply f_2
– A_3 has P_3/Rtc ∪ A_2/tc ∪ A_3/t ∪ C/Rtc
• Now link_1(A_3, A_2) is true ⇒ apply f_1
– A_2 has P_2/Rtc ∪ A_1/tc ∪ A_2/t ∪ C/Rtc
• Now link_1(A_2, A_1) is true ⇒ apply f_1
– A_1 has P_1/Rtc ∪ A_1/t ∪ C/Rtc
• Now all link_3s are true ⇒ apply f_3
– C has C/R_3 ∪ P_1/R_{4,1} ∪ P_2/R_{4,2} ∪ P_3/R_{4,3}

Finish Construction
• Now link_4 is true ⇒ apply f_4
– P_1 has C/R_{1,1} ∪ P_1/R_{2,1}
– P_2 has C/R_{1,2} ∪ P_2/R_{2,2}
– P_3 has C/R_{1,3} ∪ P_3/R_{2,3}
• The 3-parent joint create gives the same rights to P_1, P_2, P_3, C
• If the create of C fails, link_2 fails, so the construction fails
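The construction on the slides from Entities and Types through Finish Construction, run as a ticket-propagation simulation; this is an added example, not code from the lecture. The concrete R_{1,i}, R_{2,i}, R_3 and R_{4,i} are constructed instantiations, and because each type has exactly one entity here, the filter functions are written over entity names rather than types.

```python
# Added example (not from the lecture): the construction of slides 10-18 as a
# ticket-propagation simulation.  Tickets are (entity, right, copy-flag) triples;
# R_{1,i}, R_{2,i}, R_3, R_{4,i} are constructed instantiations, and because each
# type has exactly one entity the filters are written over entity names.
R = {"r", "w"}; RT = R | {"t"}                   # right set R, and R plus parentage t
R1 = {1: {"r"}, 2: {"w"}, 3: {"r", "w"}}          # R_{1,i}: P_i's rights over C
R2 = {1: {"r"}, 2: {"r"}, 3: {"r"}}              # R_{2,i}: P_i's rights over itself
R3 = {"r"}                                       # R_3: C's rights over itself
R4 = {1: {"w"}, 2: {"w"}, 3: {"w"}}              # R_{4,i}: C's rights over P_i
def T(x, rights, c=False): return {(x, r, c) for r in rights}   # X/R (c=True: X/Rc)
def has(dom_y, x, r): return any(tk[0] == x and tk[1] == r for tk in dom_y)  # X/r in dom(Y)
# link predicates (slide 14) as (source, destination) of a copy; link_4 has link_1's shape
def link1(d, y, z): return has(d[y], z, "t") and has(d[y], y, "t")
def link2(d, s, a3): return has(d[s], a3, "t") and has(d["C"], "C", "t")
def link3(d, a, c): return has(d[a], c, "t")
# filter functions (slide 15): which tickets may be copied along a true link
def f12(y, z): return T(z, {"t"}) | T("C", RT, True)              # z/t U c/Rtc
def f3(a, c): return T("P" + a[1], R4[int(a[1])])                 # p_i/R_{4,i}
def f4(a, p): return T("C", R1[int(a[1])]) | T(p, R2[int(a[1])])  # c/R_{1,i} U p_i/R_{2,i}
EDGES = [(link2, f12, "S", "A3"), (link1, f12, "A3", "A2"), (link1, f12, "A2", "A1")]
EDGES += [(link3, f3, a, "C") for a in ("A1", "A2", "A3")]
EDGES += [(link1, f4, a, "P" + a[1]) for a in ("A1", "A2", "A3")]  # link_4 edges

def propagate(d):
    # SPM copy rule: Y gives Z the ticket X/r (with the filter's copy flag) when
    # link(Y, Z) holds, Y holds X/r:c and the filter contains X/r; run to a fixpoint
    changed = True
    while changed:
        changed = False
        for link, filt, y, z in EDGES:
            if not link(d, y, z):
                continue
            for (x, r, c) in list(d[y]):
                for (fx, fr, fc) in filt(y, z):
                    if c and (fx, fr) == (x, r) and (x, r, fc) not in d[z]:
                        d[z].add((x, r, fc)); changed = True
    return d

def construct(child_created=True):
    # tickets right after the five creates (slide 16), then propagation
    d = {e: set() for e in ("P1", "P2", "P3", "A1", "A2", "A3", "S", "C")}
    d["A1"] |= T("P1", RT, True)                          # cr_C(p1, a1) = p1/Rtc
    d["A2"] |= T("P2", RT, True) | T("A1", {"t"}, True)  # p2/Rtc U a1/tc
    d["A3"] |= T("P3", RT, True) | T("A2", {"t"}, True)  # p3/Rtc U a2/tc
    d["S"] |= T("A3", {"t"}, True) | T("C", RT, True)    # a3/tc and c/Rtc
    if child_created:
        d["C"] |= T("C", R3 | {"t"})                      # cr_C(s, c) = c/R3t
    return propagate(d)

def rights(d, holder, target):                   # rights other than t over target
    return {r for (x, r, _) in d[holder] if x == target and r != "t"}
```

With the child created, each P_i ends with exactly C/R_{1,i} and P_i/R_{2,i} and C with C/R_3 and P_i/R_{4,i}; if the create of C fails, link_2 never holds and no parent receives a ticket.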

Theorem
• The two-parent joint creation operation can implement an n-parent joint creation operation with a fixed number of additional types and rights, and augmentations to the link predicates and filter functions.
• Proof: by construction, as above
– The difference is that the two systems need not start at the same initial state

Theorems
• Monotonic ESPM and the monotonic HRU model are equivalent.
• The safety question in ESPM is also decidable if the scheme is acyclic and attenuating
– Proof similar to that for SPM

Expressiveness
• Graph-based representation to compare models
• Graph
– Vertex: represents entity, has static type
– Edge: represents right, has static type
• Graph rewriting rules:
– Initial state operations create graph in a particular state
– Node creation operations add nodes, incoming edges
– Edge adding operations add new edges between existing vertices

Example: 3-Parent Joint Creation
• Simulate with 2-parent
– Nodes P_1, P_2, P_3 parents
– Create node C with type c with edges of type e
– Add node A_1 of type a and edge from P_1 to A_1 of type e′
[Figure: nodes P_1, P_2, P_3, A_1]

Next Step
• A_1, P_2 create A_2; A_2, P_3 create A_3
• Types of nodes, edges are a and e′
[Figure: nodes P_1, P_2, P_3, A_1, A_2, A_3]

Next Step
• A_3 creates S, of type a
• S creates C, of type c
[Figure: nodes P_1, P_2, P_3, A_1, A_2, A_3, S, C]
