Chapter 3: Foundational Results

July 1, 2004 Computer Security: Art and Science
2002-2004 Matt Bishop

Slide #3-1
Chapter 3: Foundational Results
Overview
Harrison-Ruzzo-Ullman result
Corollaries
Take-Grant Protection Model
SPM and successors
Slide #3-2
Overview
Safety Question
HRU Model
SPM, ESPM
Multiparent joint creation
Expressive power
Typed Access Matrix Model
Slide #3-3
What Is Secure?
Adding a generic right r where there was
not one is leaking
If a system S, beginning in initial state s
0
,
cannot leak right r, it is safe with respect to
the right r.
Slide #3-4
Safety Question
Does there exist an algorithm for
determining whether a protection system S
with initial state s
0
is safe with respect to a
generic right r?
Here, safe = secure for an abstract model
Slide #3-5
Mono-Operational Commands
Answer: yes
Sketch of proof:
Consider minimal sequence of commands c
1
, ,
c
k
to leak the right.
Can omit delete, destroy
Can merge all creates into one
Worst case: insert every right into every entry;
with s subjects and o objects initially, and n
rights, upper bound is k n(s+1)(o+1)
Slide #3-6
General Case
Answer: no
Sketch of proof:
Reduce halting problem to safety problem
Turing Machine review:
Infinite tape in one direction
States K, symbols M; distinguished blank b
Transition function o(k, m) = (k', m', L) means in state
k, symbol m on tape location replaced by symbol m',
head moves to left one square, and enters state k'
Halting state is q
f
; TM halts when it enters this state
Slide #3-7
Mapping
A
B C D
1 2 3 4
head
s
1
s
2
s
3
s
4

s
4

s
3

s
2

s
1
A
B
C k
D end
own
own
own
Current state is k
Slide #3-8
Mapping
A
B X D
1 2 3 4
head
s
1
s
2
s
3
s
4

s
4

s
3

s
2

s
1
A
B
X
D k
1
end
own
own
own
After o(k, C) = (k
1
, X, R)
where k is the current
state and k
1
the next state
Slide #3-9
Command Mapping
o(k, C) = (k
1
, X, R) at intermediate becomes
command c
k,C
(s
3
,s
4
)
if own in A[s
3
,s
4
] and k in A[s
3
,s
3
]
and C in A[s
3
,s
3
]
then
delete k from A[s
3
,s
3
];
delete C from A[s
3
,s
3
];
enter X into A[s
3
,s
3
];
enter k
1
into A[s
4
,s
4
];
end
Slide #3-10
Mapping
A
B X Y
1 2 3 4
head
s
1
s
2
s
3
s
4

s
4

s
3

s
2

s
1
A
B
X
Y
own
own
own
After o(k
1
, D) = (k
2
, Y, R)
where k
1
is the current
state and k
2
the next state
s
5

s
5

own
b k
2
end
5
b
Slide #3-11
Command Mapping
o(k
1
, D) = (k
2
, Y, R) at end becomes
command crightmost
k,C
(s
4
,s
5
)
if end in A[s
4
,s
4
] and k
1
in A[s
4
,s
4
]
and D in A[s
4
,s
4
]
then
delete end from A[s
4
,s
4
];
create subject s
5
;
enter own into A[s
4
,s
5
];
enter end into A[s
5
,s
5
];
delete k
1
from A[s
4
,s
4
];
delete D from A[s
4
,s
4
];
enter Y into A[s
4
,s
4
];
enter k
2
into A[s
5
,s
5
];
end
Slide #3-12
Rest of Proof
Protection system exactly simulates a TM
Exactly 1 end right in ACM
1 right in entries corresponds to state
Thus, at most 1 applicable command
If TM enters state q
f
, then right has leaked
If safety question decidable, then represent TM as
above and determine if q
f
leaks
Implies halting problem decidable
Conclusion: safety question undecidable
Slide #3-13
Other Results
Set of unsafe systems is recursively enumerable
Delete create primitive; then safety question is complete in
P-SPACE
Delete destroy, delete primitives; then safety question is
undecidable
Systems are monotonic
Safety question for monoconditional, monotonic protection
systems is decidable
Safety question for monoconditional protection systems
with create, enter, delete (and no destroy) is decidable.
Slide #3-14
A specific (not generic) system
Set of rules for state transitions
Safety decidable, and in time linear with the
size of the system
Goal: find conditions under which rights
can be transferred from one entity to
another in the system
Slide #3-15
System
objects (files, )
l subjects (users, processes, )
don't care (either a subject or an object)
G |
x
G' apply a rewriting rule x (witness) to
G to get G'
G |
*
G' apply a sequence of rewriting rules
(witness) to G to get G'
R = { t, g, r, w, } set of rights

Slide #3-16
Rules

t o t o
o
take
g o o
o
grant
l
g

l
l
l
|-
|-
Slide #3-17
More Rules
create
o
o
remove
o |
l
l
l l

|-
|-
These four rules are called the de jure rules
Slide #3-18
Symmetry
t
o
t o
o

l
l
l l
|
1. x creates (tg to new) v
2. z takes (g to v) from x
3. z grants (o to y) to v
4. x takes (o to y) from v

z
v
tg
x
g
y
o
o
Similar result for grant
Slide #3-19
Islands
tg-path: path of distinct vertices connected
by edges labeled t or g
Call them tg-connected
island: maximal tg-connected subject-only
subgraph
Any right one vertex has can be shared with
any other vertex
Slide #3-20
Initial, Terminal Spans
initial span from x to y
x subject
tg-path between x, y with word in { t*g } { v }
Means x can give rights it has to y
terminal span from x to y
x subject
tg-path between x, y with word in { t* } { v }
Means x can acquire any rights y has

Slide #3-21
Bridges
bridge: tg-path between subjects x, y, with
associated word in
{ t*, t*, t*g t*, t*g t* }
rights can be transferred between the two
endpoints
not an island as intermediate vertices are
objects

Slide #3-22
Example
l
p
l
u

v
l
w

x
l
y
l
s'

s

q
t
t t
t r
g g
g
islands { p, u } { w } { y, s' }
bridges u, v, w; w, x, y
initial span p (associated word v)
terminal span s's (associated word t)

Slide #3-23
canshare Predicate
Definition:
canshare(r, x, y, G
0
) if, and only if, there is
a sequence of protection graphs G
0
, , G
n

such that G
0
|* G
n
using only de jure rules
and in G
n
there is an edge from x to y
labeled r.
Slide #3-24
canshare Theorem
canshare(r, x, y, G
0
) if, and only if, there is
an edge from x to y labeled r in G
0
, or the
following hold simultaneously:
There is an s in G
0
with an s-to-y edge labeled r
There is a subject x' = x or initially spans to x
There is a subject s' = s or terminally spans to s
There are islands I
1
,, I
k
connected by bridges,
and x' in I
1
and s' in I
k
Slide #3-25
Outline of Proof
s has r rights over y
s' acquires r rights over y from s
Definition of terminal span
x' acquires r rights over y from s'
Repeated application of sharing among vertices
in islands, passing rights along bridges
x' gives r rights over y to x
Definition of initial span
Slide #3-26
Key Question
Characterize class of models for which
safety is decidable
Existence: Take-Grant Protection Model is a
member of such a class
Universality: In general, question undecidable,
so for some models it is not decidable
What is the dividing line?
Slide #3-27
Schematic Protection Model
Type-based model
Protection type: entity label determining how control
rights affect the entity
Set at creation and cannot be changed
Ticket: description of a single right over an entity
Entity has sets of tickets (called a domain)
Ticket is X/r, where X is entity and r right
Functions determine rights transfer
Link: are source, target connected?
Filter: is transfer of ticket authorized?
Slide #3-28
Link Predicate
Idea: link
i
(X, Y) if X can assert some
control right over Y
Conjunction of disjunction of:
X/z e dom(X)
X/z e dom(Y)
Y/z e dom(X)
Y/z e dom(Y)
true
Slide #3-29
Examples
Take-Grant:
link(X, Y) = Y/g e dom(X) v X/t e dom(Y)
Broadcast:
link(X, Y) = X/b e dom(X)
Pull:
link(X, Y) = Y/p e dom(Y)
Slide #3-30
Filter Function
Range is set of copyable tickets
Entity type, right
Domain is subject pairs
Copy a ticket X/r:c from dom(Y) to dom(Z)
X/rc e dom(Y)
link
i
(Y, Z)
t(Y)/r:c e f
i
(t(Y), t(Z))
One filter function per link function
Slide #3-31
Example
f(t(Y), t(Z)) = T R
Any ticket can be transferred (if other
conditions met)
f(t(Y), t(Z)) = T RI
Only tickets with inert rights can be transferred
(if other conditions met)
f(t(Y), t(Z)) = C
No tickets can be transferred
Slide #3-32
Example
TS = { subjects }, TO = { objects }
RC = { tc, gc }, RI = { rc, wc }
link(p, q) = p/t e dom(q) v q/t e dom(p)
f(subject, subject) = { subject, object } { tc,
gc, rc, wc }
Slide #3-33
Create Operation
Must handle type, tickets of new entity
Relation cancreate(a, b)
Subject of type a can create entity of type b
Rule of acyclic creates:
a b
c
d
a b
c
d
Slide #3-34
Types
cr(a, b): tickets introduced when subject of
type a creates entity of type b
B object: cr(a, b) _ { b/r:c e RI }
B subject: cr(a, b) has two parts
cr
P
(a, b) added to A, cr
C
(a, b) added to B
A gets B/r:c if b/r:c in cr
P
(a, b)
B gets A/r:c if a/r:c in cr
C
(a, b)
Slide #3-35
Non-Distinct Types
cr(a, a): who gets what?
self/r:c are tickets for creator
a/r:c tickets for created
cr(a, a) = { a/r:c, self/r:c | r:c e R}

Slide #3-36
Attenuating Create Rule
cr(a, b) attenuating if:
1. cr
C
(a, b) _ cr
P
(a, b) and
2. a/r:c e cr
P
(a, b) self/r:c e cr
P
(a, b)
Slide #3-37
Safety Result
If the scheme is acyclic and attenuating, the
safety question is decidable
Slide #3-38
Expressive Power
How do the sets of systems that models can
describe compare?
If HRU equivalent to SPM, SPM provides more
specific answer to safety question
If HRU describes more systems, SPM applies
only to the systems it can describe
Slide #3-39
HRU vs. SPM
SPM more abstract
Analyses focus on limits of model, not details of
representation
HRU allows revocation
SMP has no equivalent to delete, destroy
HRU allows multiparent creates
SMP cannot express multiparent creates easily, and not
at all if the parents are of different types because
cancreate allows for only one type of creator
Slide #3-40
Multiparent Create
Solves mutual suspicion problem
Create proxy jointly, each gives it needed rights
In HRU:
command multicreate(s
0
, s
1
, o)
if r in a[s
0
, s1] and r in a[s
1
, s
0
]
then
create object o;
enter r into a[s
0
, o];
enter r into a[s
1
, o];
end
Slide #3-41
SPM and Multiparent Create
cancreate extended in obvious way
cc _ TS TS T
Symbols
X
1
, , X
n
parents, Y created
R
1,i
, R
2,i
, R
3
, R
4,i
_ R
Rules
cr
P,i
(t(X
1
), , t(X
n
)) = Y/R
1,1
X
i
/R
2,i

cr
C
(t(X
1
), , t(X
n
)) = Y/R
3
X
1
/R
4,1
X
n
/R
4,n

Slide #3-42
Example
Anna, Bill must do something cooperatively
But they dont trust each other
Jointly create a proxy
Each gives proxy only necessary rights
In ESPM:
Anna, Bill type a; proxy type p; right x e R
cc(a, a) = p
cr
Anna
(a, a, p) = cr
Bill
(a, a, p) = C
cr
proxy
(a, a, p) = { Anna/x, Bill//x }
Slide #3-43
2-Parent Joint Create Suffices
Goal: emulate 3-parent joint create with 2-
parent joint create
Definition of 3-parent joint create (subjects
P
1
, P
2
, P
3
; child C):
cc(t(P
1
), t(P
2
), t(P
3
)) = Z _ T
cr
P1
(t(P
1
), t(P
2
), t(P
3
)) = C/R
1,1
P
1
/R
2,1

cr
P2
(t(P
1
), t(P
2
), t(P
3
)) = C/R
2,1
P
2
/R
2,2
cr
P3
(t(P
1
), t(P
2
), t(P
3
)) = C/R
3,1
P
3
/R
2,3
Slide #3-44
General Approach
Define agents for parents and child
Agents act as surrogates for parents
If create fails, parents have no extra rights
If create succeeds, parents, child have exactly
same rights as in 3-parent creates
Only extra rights are to agents (which are never used
again, and so these rights are irrelevant)
Slide #3-45
Entities and Types
Parents P
1
, P
2
, P
3
have types p
1
, p
2
, p
3

Child C of type c
Parent agents A
1
, A
2
, A
3
of types a
1
, a
2
, a
3

Child agent S of type s
Type t is parentage
if X/t e dom(Y), X is Ys parent
Types t, a
1
, a
2
, a
3
, s are new types
Slide #3-46
CanCreate
Following added to cancreate:
cc(p
1
) = a
1

cc(p
2
, a
1
) = a
2

cc(p
3
, a
2
) = a
3

Parents creating their agents; note agents have maximum of 2
parents
cc(a
3
) = s
Agent of all parents creates agent of child
cc(s) = c
Agent of child creates child
Slide #3-47
Creation Rules
Following added to create rule:
cr
P
(p
1
, a
1
) = C
cr
C
(p
1
, a
1
) = p
1
/Rtc
Agents parent set to creating parent; agent has all rights over
parent
cr
Pfirst
(p
2
, a
1
, a
2
) = C
cr
Psecond
(p
2
, a
1
, a
2
) = C
cr
C
(p
2
, a
1
, a
2
) = p
2
/Rtc a
1
/tc
Agents parent set to creating parent and agent; agent has all
rights over parent (but not over agent)
Slide #3-48
Creation Rules
cr
Pfirst
(p
3
, a
2
, a
3
) = C
cr
Psecond
(p
3
, a
2
, a
3
) = C
cr
C
(p
3
, a
2
, a
3
) = p
3
/Rtc a
2
/tc
Agents parent set to creating parent and agent; agent has all
rights over parent (but not over agent)
cr
P
(a
3
, s) = C
cr
C
(a
3
, s) = a
3
/tc
Childs agent has third agent as parent cr
P
(a
3
, s) = C
cr
P
(s, c) = C/Rtc
cr
C
(s, c) = c/R
3
t
Childs agent gets full rights over child; child gets R
3
rights
over agent
Slide #3-49
Link Predicates
Idea: no tickets to parents until child created
Done by requiring each agent to have its own parent
rights
link
1
(A
1
, A
2
) = A
1
/t e dom(A
2
) . A
2
/t e dom(A
2
)
link
1
(A
2
, A
3
) = A
2
/t e dom(A
3
) . A
3
/t e dom(A
3
)
link
2
(S, A
3
) = A
3
/t e dom(S) . C/t e dom(C)
link
3
(A
1
, C) = C/t e dom(A
1
)
link
3
(A
2
, C) = C/t e dom(A
2
)
link
3
(A
3
, C) = C/t e dom(A
3
)
link
4
(A
1
, P
1
) = P
1
/t e dom(A
1
) . A
1
/t e dom(A
1
)
link
4
(A
2
, P
2
) = P
2
/t e dom(A
2
) . A
2
/t e dom(A
2
)
link
4
(A
3
, P
3
) = P
3
/t e dom(A
3
) . A
3
/t e dom(A
3
)

Slide #3-50
Filter Functions
f
1
(a
2
, a
1
) = a
1
/t c/Rtc
f
1
(a
3
, a
2
) = a
2
/t c/Rtc
f
2
(s, a
3
) = a
3
/t c/Rtc
f
3
(a
1
, c) = p
1
/R
4,1

f
3
(a
2
, c) = p
2
/R
4,2

f
3
(a
3
, c) = p
3
/R
4,3
f
4
(a
1
, p
1
) = c/R
1,1
p
1
/R
2,1

f
4
(a
2
, p
2
) = c/R
1,2
p
2
/R
2,2
f
4
(a
3
, p
3
) = c/R
1,3
p
3
/R
2,3
Slide #3-51
Construction
Create A
1
, A
2
, A
3
, S, C; then
P
1
has no relevant tickets
P
2
P
3
A
1
has P
1
/Rtc
A
2
has P
2
/Rtc A
1
/tc
A
3
has P
3
/Rtc A
2
/tc
S has A
3
/tc C/Rtc
C has C/R
3

Slide #3-52
Construction
Only link
2
(S, A
3
) true apply f
2
A
3
has P
3
/Rtc A
2
/t A
3
/t C/Rtc
Now link
1
(A
3
, A
2
) true apply f
1

A
2
has P
2
/Rtc A
1
/tc A
2
/t C/Rtc
Now link
1
(A
2
, A
1
) true apply f
1

A
1
has P
2
/Rtc A
1
/tc A
1
/t C/Rtc
Now all link
3
s true apply f
3

C has C/R
3
P
1
/R
4,1
P
2
/R
4,2
P
3
/R
4,3

Slide #3-53
Finish Construction
Now link
4
s true apply f
4

P
1
has C/R
1,1
P
1
/R
2,1

P
2
has C/R
1,2
P2/R
2,2

P
3
has C/R
1,3
P3/R
2,3

3-parent joint create gives same rights to P
1
,
P
2
, P
3
, C
If create of C fails, link
2
fails, so
construction fails
Slide #3-54
Theorem
The two-parent joint creation operation can
implement an n-parent joint creation
operation with a fixed number of additional
types and rights, and augmentations to the
link predicates and filter functions.
Proof: by construction, as above
Difference is that the two systems need not start
at the same initial state
Slide #3-55
Theorems
Monotonic ESPM and the monotonic HRU
model are equivalent.
Safety question in ESPM also decidable if
acyclic attenuating scheme
Slide #3-56
Expressiveness
Graph-based representation to compare models
Graph
Vertex: represents entity, has static type
Edge: represents right, has static type
Graph rewriting rules:
Initial state operations create graph in a particular state
Node creation operations add nodes, incoming edges
Edge adding operations add new edges between
existing vertices
Slide #3-57
Example: 3-Parent Joint Creation
Simulate with 2-parent
Nodes P
1
, P
2
, P
3
parents
Create node C with type c with edges of type e
Add node A
1
of type a and edge from P
1
to A
1

of type e
P
2

P
3

P
1

A
1

Slide #3-58
Next Step
A
1
, P
2
create A
2
; A
2
, P
3
create A
3

Type of nodes, edges are a and e
P
2

P
3

P
1

A
1

A
2

A
3

Slide #3-59
Next Step
A
3
creates S, of type a
S creates C, of type c
S
C
P
2

P
3

P
1

A
1

A
2

A
3

Slide #3-60
Last Step
Edge adding operations:
P
1
A
1
A
2
A
3
SC: P
1
to C edge type e
P
2
A
2
A
3
SC: P
2
to C edge type e
P
3
A
3
SC: P
3
to C edge type e
S
C
P
2

P
3

P
1

A
1

A
2

A
3

Slide #3-61
Definitions
Scheme: graph representation as above
Model: set of schemes
Schemes A, B correspond if graph for both
is identical when all nodes with types not in
A and edges with types in A are deleted
Slide #3-62
Example
Above 2-parent joint creation simulation in
scheme TWO
Equivalent to 3-parent joint creation scheme
THREE in which P
1
, P
2
, P
3
, C are of same
type as in TWO, and edges from P
1
, P
2
, P
3

to C are of type e, and no types a and e
exist in TWO
Slide #3-63
Simulation
Scheme A simulates scheme B iff
every state B can reach has a corresponding state
in A that A can reach; and
every state that A can reach either corresponds to a
state B can reach, or has a successor state that
corresponds to a state B can reach
The last means that A can have intermediate states not
corresponding to states in B, like the intermediate ones
in TWO in the simulation of THREE
Slide #3-64
Expressive Power
If scheme in MA no scheme in MB can
simulate, MB less expressive than MA
If every scheme in MA can be simulated by
a scheme in MB, MB as expressive as MA
If MA as expressive as MB and vice versa,
MA and MB equivalent

Slide #3-65
Example
Scheme A in model M
Nodes X
1
, X
2
, X
3
2-parent joint create
1 node type, 1 edge type
No edge adding operations
Initial state: X
1
, X
2
, X
3
, no edges
Scheme B in model N
All same as A except no 2-parent joint create
1-parent create
Which is more expressive?
Slide #3-66
Can A Simulate B?
Scheme A simulates 1-parent create: have
both parents be same node
Model M as expressive as model N
Slide #3-67
Can B Simulate A?
Suppose X
1
, X
2
jointly create Y in A
Edges from X
1
, X
2
to Y, no edge from X
3
to Y
Can B simulate this?
Without loss of generality, X
1
creates Y
Must have edge adding operation to add edge
from X
2
to Y
One type of node, one type of edge, so
operation can add edge between any 2 nodes
Slide #3-68
No
All nodes in A have even number of incoming
edges
2-parent create adds 2 incoming edges
Edge adding operation in B that can edge from X
2

to C can add one from X
3
to C
A cannot enter this state
B cannot transition to a state in which Y has even
number of incoming edges
No remove rule
So B cannot simulate A; N less expressive than M
Slide #3-69
Theorem
Monotonic single-parent models are less
expressive than monotonic multiparent
models
ESPM more expressive than SPM
ESPM multiparent and monotonic
SPM monotonic but single parent
Slide #3-70
Typed Access Matrix Model
Like ACM, but with set of types T
All subjects, objects have types
Set of types for subjects TS
Protection state is (S, O, t, A)
t:OT specifies type of each object
If X subject, t(X) in TS
If X object, t(X) in T TS
Slide #3-71
Create Rules
Subject creation
create subject s of type ts
s must not exist as subject or object when operation
executed
ts e TS
Object creation
create object o of type to
o must not exist as subject or object when operation
executed
to e T TS
Slide #3-72
Create Subject
Precondition: s e S
Primitive command: create subject s of
type t
Postconditions:
S = S { s }, O = O { s }
(y e O)[t(y) = t (y)], t(s) = t
(y e O)[a[s, y] = C], (x e S)[a[x, s] = C]
(x e S)(y e O)[a[x, y] = a[x, y]]
Slide #3-73
Create Object
Precondition: o e O
Primitive command: create object o of type
t
Postconditions:
S = S, O = O { o }
(y e O)[t(y) = t (y)], t(o) = t
(x e S)[a[x, o] = C]
(x e S)(y e O)[a[x, y] = a[x, y]]
Slide #3-74
Definitions
MTAM Model: TAM model without delete,
destroy
MTAM is Monotonic TAM
o(x
1
:t
1
, ..., x
n
:t
n
) create command
t
i
child type in o if any of create subject x
i
of
type t
i
or create object x
i
of type t
i
occur in o
t
i
parent type otherwise
Slide #3-75
Cyclic Creates
command havoc(s
1
: u, s
2
: u, o
1
: v, o
2
: v, o
3
: w, o
4
:
w
)
create subject s
1
of type u;
create object o
1
of type v;
create object o
3
of type w;
enter r into a[s
2
, s
1
];
enter r into a[s
2
, o
2
];
enter r into a[s
2
, o
4
]
end
Slide #3-76
Creation Graph
u, v, w child types
u, v, w also parent
types
Graph: lines from
parent types to child
types
This one has cycles
u
v
w
Slide #3-77
Theorems
Safety decidable for systems with acyclic
MTAM schemes
Safety for acyclic ternary MATM decidable
in time polynomial in the size of initial
ACM
ternary means commands have no more than
3 parameters
Equivalent in expressive power to MTAM
Slide #3-78
Key Points
Safety problem undecidable
Limiting scope of systems can make
problem decidable
Types critical to safety problems analysis

Chapter 3: Foundational Results

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Chapter 3: Foundational Results

Transféré par

Droits d'auteur :

Formats disponibles

July 1, 2004 Computer Security: Art and Science

2002-2004 Matt Bishop

Vous aimerez peut-être aussi