1 / 23

Computer Security Foundational Results

Computer Security Foundational Results. THE GENERAL QUESTION. What does secure mean? How can one determine when a computer system is secure? Which policies are secure? What does secure mean?. Reminder. In our model a computer system is represented by a family of

lenka
Download Presentation

Computer Security Foundational Results

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Computer SecurityFoundational Results

  2. THE GENERAL QUESTION • What does secure mean? • How can one determine when a computer system is secure? • Which policies are secure? What does secure mean?

  3. Reminder In our model a computer system is represented by a family of states: the set of all protection states P must be a subset of the set of authorized states Q if the system is to be secure. In the previous section we used a primitive, the ACM, to manage a protection system. Protection was in terms or rights and the ACM was the used to relatesubjects to objects (also basic primitives). We also discussed protection state transitions and commands, which correspond to (cause) a sequence of state transitions.

  4. Security If the system dynamically evolves (S,O and A change) how do we guarantee that the system will not enter a state which is not secure (unauthorized). To start with suppose that • the system does not have rights such as copy or own, and that • the principle of attenuation of principle does not apply.

  5. Security – Leaking rights Let R be the set of generic (primitive) rights of the system, r eR and let A be the ACM. Definitions • If r e R is added to an element of A not already containing r, then r is said to be leaked. • Let s0 be the initial protection state. a. If a system can never leak the right re R then the system is safe with respect to r. b. If a system can leak re R then the system is called unsafe with respect to r.

  6. Security – safe vs secure We use the term safe to refer to the (abstract) model. Secure will be used when referring to implementations. So secure implementations must be modeled on a safe system. Example: safevssecure --see textbook

  7. Foundation theorems The model we shall use is based on protecting: • states, • the ACM and • a set of commands essentially the HRU model (discussed in the previous section). Safety question Does there exist an algorithm for determining whether a given protection system (with initial state s0) is safe with respect to a generic right r ?

  8. Theorem 1 There exists an algorithm that will determine whether a given mono-operational protection system with initial protection state s0 is safe with respect to a generic right. Proof: see textbook. A mono-operational command invokes a single primitive operation This whole section is a project topic for anybody who is interested in the foundations aspect of Computer Sercurity.

  9. Theorem 2 It is undecidable whether a given state of a given protection system is safe wrt a generic right. Proof --reduction to the halting problem. The proof is by contradiction. It is shown that an arbitrary Turing Machine can be reduced to the safety problem with the final state corresponding to the leaking of a right. If the safety problem is decidable then one can determine when the Turing machine halts, showing that that the halting problem is decidable, which is false. For details see textbook.

  10. Theorem 3 The set of unsafe systems is recursively enumerable.(accepted by a TM). That is, we can generate a list of all unsafe protection systems.

  11. The Take-Grant protection model Can the safety of a protection system with specific rules be established? Answer: Yes: The Take-Grant protection model. • This model represents the system by a directed graph, called the protection graph. • Vertices are subjects “●” or objects “○”, or both “”. • Edges are labeled by a set of rights, that the source has over the destination. • R contains two distinguished rights: t (take) and g (grant).

  12. Transitions: rewriting rules • Take rule • Grant rule • Create rule • Remove rule

  13. Take rule  t  t   z y x z y x    ( a set of rules) x takes ( to y) from z

  14. Grant rule  g  g   z y x z y x    z grants ( to y) to x

  15. Create rule a  x y x x creates ( to new vertex) y

  16. Remove rule -a   y x y x    x removes ( to) y

  17. Theorem 3.11 Let G0 be a protection graph containing exactly one subject vertex and no edge and let R be a set of rights. Then G0 * G iff G is a finite directed acyclic graph with subjects and objects only, with edges labeled for non-empty subsets of R and at least one subject (a trusted entity) having no incoming edge. Proof in textbook. 

  18. Closing the Gap We can answer the safety question in specific systems, but not for generic systems What is it about the HRU system that makes the safety question undecidable? What characteristics distinguishes a model for which the safety problem is decidable from one in which it is undecidable?

  19. Closing the Gap • The Schematic Protection Model (SPM) • The Extended Schematic Protection Model (ESPM) • Typed Access Matrix Models (TAMS)

  20. The Schematic Protection Model (SPM) This model is based on the notion of a protection type: This is: a label for an entity that determines how control rights affect it. Rights are partitioned into sets of • Inert rights (RI) and • Control rights (RC) Inert rights do not alter the protection state of a system. For example reading a file does not modify which entities have access to the document: so is an RI. However in the Take-Grant model the take rule does, so is in RC.

  21. The Extended Schematic Protection Model (ESPM) Implicit in the SPM is the assumption of a single parent. ESPM allows for more parents. This problem arises distributed systems. Example Anne and Bill must cooperate to perform a certain task, but do not trust each other. Such tasks may be achieved by using proxies: each create a proxy, and grants the other’s proxy only those rights that are needed to perform the task.

  22. Typed Access Matrix models (TAMS) The safety properties of SPM and ESPM are implicitly based on protection types. ESPM and HRU are essentially equivalent, ut the safety properties of ESPM are considerably stronger. The TAM model adds the notion of type to the Access Control Matrix model.

  23. Typed Access Matrix models (TAMS) The type of an entity is fixed when the entity is created. The protection state of a system is defined as: (S, O,t, A) where, S = set of subjects , O = set of objects, A = the Access Control Matrix, T the set of types and t : O →T For details see textbook.

More Related