
Decidability or Impossibility? 02b = a bit of boring theory

Decidability or Impossibility? 02b = a bit of boring theory. Nicolas T. Courtois - University College of London. Roadmap. Pure mathematicians' / logic take on computer security: Rice Theorem, HRU vs. Take-Grant. Matrix Paradigm – Basis of DAC. Example: S={System,Admin,Bob}.


Presentation Transcript


  1. Decidability or Impossibility? 02b = a bit of boring theory. Nicolas T. Courtois - University College of London

  2. Roadmap Pure mathematicians' / logic take on computer security: • Rice Theorem, • HRU vs. Take-Grant. Nicolas T. Courtois, January 2009

  3. Matrix Paradigm – Basis of DAC Example: S={System,Admin,Bob}. O={exe,doc}. A={read,write,exec,delete}. The matrix M (rows: Subjects, columns: Objects, cells: rights):

              exe          doc
    System    {e,r,w,d}    {r,w,d}
    Admin     {e,w,d}      {w,r,d}
    Bob       {e}          {r,w}

  4. HRU Model

  5. HRU Model [Harrison-Ruzzo-Ullman 1976] A particular formalisation of the matrix model + a particular set of commands that allows one to build a basic file system…

  6. The Commands in the HRU model Imagine a file system with the following operations (requests): • create a process/file. • confer a right on a given cell of the matrix (Bishop: enter). • revoke a right from a given cell (Bishop: destroy). These 3 commands can be combined to create instructions such as create_file, spawn_process, grant_right, chown, etc.

  7. The Safety Problem Imagine a file system implementing this model. Given a configuration, does there exist a sequence of requests that will add the right a ∈ A to a given matrix cell M[s,o] ⊆ A? Example: • given are the access rules for all UCL employees, • can I ever read the UCL payroll file?
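A small runnable model of slides 3, 6 and 7, added here as an example (it is not code from the slides): the access matrix of slide 3 with an assumed owner right "o" on doc for Admin, the three HRU primitives, three commands built from them (grant_right, revoke_right and chown are constructed names and conditions), and a breadth-first search that answers the safety question for one cell. Because this toy system has a fixed, finite set of subjects and objects and none of its searched commands creates new ones, the reachable state space is finite and the search is exhaustive; it is the unbounded creation of subjects and objects in the general HRU model that makes the safety problem undecidable (Theorem 1 on slide 8).

```python
# Added example, not from the slides: an HRU-style access matrix, its primitive
# operations, a few commands composed from them, and an exhaustive search for the
# safety question "can right r ever be added to cell M[s,o]?".
from collections import deque
from itertools import product

SUBJECTS = ("System", "Admin", "Bob")
OBJECTS = ("exe", "doc")
RIGHTS = ("e", "r", "w", "d")   # rights the commands may confer; "o" (own) only moves via chown


def initial_matrix():
    """Matrix of slide 3; the owner right "o" for Admin on doc is a constructed addition."""
    return {
        ("System", "exe"): frozenset("erwd"), ("System", "doc"): frozenset("rwd"),
        ("Admin", "exe"): frozenset("ewd"),   ("Admin", "doc"): frozenset("rwdo"),
        ("Bob", "exe"): frozenset("e"),       ("Bob", "doc"): frozenset("rw"),
    }


# --- HRU primitive operations (slide 6); every command is built from these.
# Each returns a new matrix, so configurations can be treated as immutable values.
def enter(M, s, o, r):
    """enter r into M[s,o]"""
    M = dict(M)
    M[(s, o)] = M.get((s, o), frozenset()) | {r}
    return M


def delete(M, s, o, r):
    """delete r from M[s,o]"""
    M = dict(M)
    M[(s, o)] = M.get((s, o), frozenset()) - {r}
    return M


def create_object(M, o):
    """create object o (empty cells for every subject); not used by the search,
    because creation makes the set of configurations unbounded."""
    M = dict(M)
    for s in SUBJECTS:
        M.setdefault((s, o), frozenset())
    return M


# --- Commands: a condition on the current matrix followed by primitive operations.
# A command that is not applicable returns None.
def grant_right(M, s1, s2, o, r):
    """if "o" in M[s1,o] then enter r into M[s2,o]"""
    if "o" not in M.get((s1, o), ()):
        return None
    return enter(M, s2, o, r)


def revoke_right(M, s1, s2, o, r):
    """if "o" in M[s1,o] then delete r from M[s2,o]"""
    if "o" not in M.get((s1, o), ()):
        return None
    return delete(M, s2, o, r)


def chown(M, s1, s2, o):
    """if "o" in M[s1,o] then enter "o" into M[s2,o]; delete "o" from M[s1,o]"""
    if s1 == s2 or "o" not in M.get((s1, o), ()):
        return None
    return delete(enter(M, s2, o, "o"), s1, o, "o")


def successors(M):
    """Every configuration reachable from M by one command with any parameters."""
    for s1, s2, o in product(SUBJECTS, SUBJECTS, OBJECTS):
        yield chown(M, s1, s2, o)
        for r in RIGHTS:
            yield grant_right(M, s1, s2, o, r)
            yield revoke_right(M, s1, s2, o, r)


def freeze(M):
    """Hashable form of a configuration, for the visited set."""
    return tuple(sorted((cell, tuple(sorted(rs))) for cell, rs in M.items()))


def shortest_leak(M0, s, o, r, max_steps=None):
    """Safety question of slide 7: length of the shortest command sequence that puts
    r into M[s,o] (0 if it is already there), or None if no sequence does.
    With max_steps=None the breadth-first search is exhaustive over the finite state space."""
    seen = {freeze(M0)}
    queue = deque([(M0, 0)])
    while queue:
        M, depth = queue.popleft()
        if r in M.get((s, o), ()):
            return depth
        if max_steps is not None and depth >= max_steps:
            continue
        for M2 in successors(M):
            if M2 is None:
                continue
            key = freeze(M2)
            if key not in seen:
                seen.add(key)
                queue.append((M2, depth + 1))
    return None


if __name__ == "__main__":
    M = initial_matrix()
    print("Bob can delete doc after", shortest_leak(M, "Bob", "doc", "d"), "command(s)")
    print("Bob can delete exe after", shortest_leak(M, "Bob", "exe", "d"), "command(s)")
```

In this toy, Bob can obtain delete on doc after a single grant_right by Admin, while no sequence ever gives Bob delete on exe: no subject owns exe, so no command's condition can be satisfied for that column. The search only terminates because the universe is fixed; adding a create command to `successors` would make the queue unbounded.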

  8. Theoretical Results [cf. Bishop] Theorem 1: There is no algorithm to solve the safety problem in this model.

  9. Rice Theorem

  10. Halting problem Q: Does program25.c halt? More generally, we can ask different questions. [Figure: an "expert system" (an algorithm for Q) takes program25.c as input and outputs Y/N]

  11. Other Interesting Questions Example Questions: Q1: Does program25.c always return 0? Q2: Does program25.c compute the sum of two 32-bit integers correctly? Q3: Do 2 programs do the same thing? Etc. Answer [Rice 1953]: there is no algorithm that can solve this problem. [Figure: a decision algorithm takes program25.c as input and outputs Y/N]

  12. The Anti-Virus Software Theorem [Rice]: there is no algorithm that decides whether a given program is a virus. Such programs are mathematically strictly impossible. But this does not prevent the software security industry from being worth 9.1 G$ in 2007 [Gartner]. Beware, important: it does not prevent a program from detecting all malware; 100 % security is possible, • but then it is also certain that => such a program will be "secure" (the exact notion of secure, opposite of broad, was defined in a much less general context) • it will produce false alarms: programs that are not viruses will be reported as such. This is inevitable.

  14. Back to Access Control We need a simpler model.

  15. Take-Grant Model

  16. Take-Grant Model [Jones, Lipton, Snyder 1976] Was invented to address the safety problem: here it becomes decidable. Based on graphs. [Figure: an edge from vertex x to vertex y labelled r: x can read y]

  17. Take-Grant Model • A set S of Subjects (e.g. processes) which can execute privileges in the system. • A set O of Objects (e.g. files) on which the privileges can be executed. • A directed graph G = (S∪O, E) of authorizations where E ⊆ (S∪O)×(S∪O). • Vertices of G can be either Subjects or Objects. • Edges are authorizations: they are labelled by r ∈ R (or a subset of R) which specifies the rights the source vertex has over the destination vertex. • Here R is a pre-defined set of rights, containing at least two distinguished administrative-type rights: t (take) and g (grant). • Example: R = {r,w,t,g}.

  18. Graph Rewriting Here the evolution of the permissions with time is represented as rewriting a graph (to create another graph) according to a fixed set of 4 administrative rules called "de jure" (by law) rules: • take • grant • create • remove And a safety problem will be formalised as follows: can a certain permission be granted after an (unlimited in time) amount of rewriting according to the rules?

  19. Transfer of Privileges between two subjects s, x. take allows subject s to take ANY privilege r of the subject x. grant allows s to grant ANY privilege r it possesses to subject x.

  20. Creation of Files/Processes and Creation/Destruction of Rights Here we have a subject s and an x that can be either a Subject or an Object. create allows subject s to create a new Subject/Object x with ANY chosen subset of rights A ⊆ R. remove allows s to remove ANY existing privilege r from the set of rights it holds over the Subject/Object x, and deletes edges that become empty. In both cases: voluntary limitation of rights, cf. the least privilege principle.

  21. Take-Grant Model Based on graphs. Theorem: The problem of Safety can be decided in polynomial time in the number of vertices in the initial graph. Undecidable in general (no algorithm) for the matrix model.

  22. Take-Grant Model Insufficient for many real-life applications. Several things are missing here: • Lack of selectivity: • take and grant apply to any right, including t and g. • Lack of control on propagation: • once I grant a right to a, it can be granted to the next process b, if a has the right g on the process b. • also it can be taken by all subjects c that have the right t on a.
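The four de jure rules of slides 18 to 20 and the propagation problem of slide 22, as an added example (not code from the slides): a TakeGrantGraph class (a constructed name) implements take, grant, create and remove on a labelled directed graph, and propagation_demo builds a constructed starting graph with subjects s, a, b, c and lets s create a file f holding only the read right, then replays the chain of slide 22. The rule semantics follow the slides: take needs t from s to x and copies a right x has; grant needs g from s to x and copies a right s has; t and g are ordinary labels that can themselves be taken.

```python
# Added example, not from the slides: the de jure rules of the Take-Grant model
# and the propagation chain of slide 22. All vertex names are constructed.


class TakeGrantGraph:
    """Directed graph G = (S ∪ O, E); each edge carries a set of rights from R = {r, w, t, g}."""

    def __init__(self, subjects=(), objects=()):
        self.subjects = set(subjects)
        self.objects = set(objects)
        self.edges = {}          # (source, destination) -> set of rights

    def rights(self, x, y):
        """Rights x currently holds over y (empty set if there is no edge)."""
        return self.edges.get((x, y), set())

    def authorize(self, x, y, rs):
        """Initial authorizations of the starting graph (not one of the four rules)."""
        if rs:
            self.edges.setdefault((x, y), set()).update(rs)

    # --- the four de jure rules; only a subject can apply a rule ---
    def take(self, s, x, r, y):
        """take: s has t over x and x has r over y  =>  s obtains r over y."""
        if s in self.subjects and "t" in self.rights(s, x) and r in self.rights(x, y):
            self.authorize(s, y, {r})
            return True
        return False

    def grant(self, s, x, r, y):
        """grant: s has g over x and s has r over y  =>  x obtains r over y."""
        if s in self.subjects and "g" in self.rights(s, x) and r in self.rights(s, y):
            self.authorize(x, y, {r})
            return True
        return False

    def create(self, s, x, rs, subject=False):
        """create: s creates a new vertex x and holds exactly the chosen subset rs of R over it."""
        if s not in self.subjects or x in self.subjects or x in self.objects:
            return False
        (self.subjects if subject else self.objects).add(x)
        self.authorize(s, x, rs)
        return True

    def remove(self, s, x, r):
        """remove: s drops right r over x; an edge whose label becomes empty is deleted."""
        if s not in self.subjects or r not in self.rights(s, x):
            return False
        self.edges[(s, x)].discard(r)
        if not self.edges[(s, x)]:
            del self.edges[(s, x)]
        return True


def propagation_demo():
    """Slide 22, lack of control on propagation, on a constructed graph."""
    G = TakeGrantGraph(subjects=["s", "a", "b", "c"])
    G.create("s", "f", {"r"})          # s creates file f holding only r (slide 20: chosen subset)
    G.authorize("s", "a", {"g"})       # constructed starting authorizations
    G.authorize("a", "b", {"g"})
    G.authorize("c", "a", {"t"})
    steps = [
        G.grant("s", "a", "r", "f"),   # s grants r on f to a
        G.grant("a", "b", "r", "f"),   # a passes it on: a has g over b
        G.take("c", "a", "r", "f"),    # c takes it: c has t over a
        G.take("c", "a", "g", "b"),    # t and g are ordinary rights: c takes a's g over b as well
        G.remove("s", "f", "r"),       # s drops its own r on f; the copies held by a, b, c remain
    ]
    return G, steps


if __name__ == "__main__":
    G, steps = propagation_demo()
    print("rule applications succeeded:", steps)
    print("who can read f:", sorted(v for v in G.subjects if "r" in G.rights(v, "f")))
```

After the demo runs, s no longer holds any right over the file it created, while a, b and c all read it, and c has also acquired g over b. The read right left s on the first grant and the model offers s no way to recall it, which is exactly the missing control on propagation the slide describes.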
