July 1, 2004 Computer Security: Art and Science © Matt Bishop

Slide #3-1: Chapter 3: Foundational Results
Overview
Harrison-Ruzzo-Ullman result
–Corollaries
Take-Grant Protection Model
SPM and successors

Slide #3-2: Overview
Safety Question
HRU Model
Take-Grant Protection Model
SPM, ESPM
–Multiparent joint creation
Expressive power
Typed Access Matrix Model

Slide #3-3: What Is "Secure"?
Adding a generic right r where there was not one is "leaking".
If a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r.

Slide #3-4: Safety Question
Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r?
–Here, "safe" = "secure" for an abstract model

Slide #3-5: Mono-Operational Commands
Answer: yes
Sketch of proof: consider a minimal sequence of commands c1, …, ck that leaks the right.
–Can omit delete, destroy
–Can merge all creates into one
Worst case: insert every right into every entry; with s subjects and o objects initially, and n rights, the upper bound is k ≤ n(s+1)(o+1)
Slide #3-6: General Case
Answer: no
Sketch of proof: reduce the halting problem to the safety problem.
Turing Machine review:
–Infinite tape in one direction
–States K, symbols M; distinguished blank b
–Transition function δ(k, m) = (k′, m′, L) means: in state k with symbol m under the head, replace m by symbol m′, move the head left one square, and enter state k′
–Halting state is q_f; the TM halts when it enters this state

Slide #3-7: Mapping
[Figure: tape cells 1–4 hold A, B, C, D, head on cell 3; mapped to an access control matrix over subjects s1–s4 with A[s1,s1] = {A}, A[s2,s2] = {B}, A[s3,s3] = {C, k}, A[s4,s4] = {D, end}, and own in A[s1,s2], A[s2,s3], A[s3,s4]]
Current state is k

Slide #3-8: Mapping
[Figure: after the transition, the tape holds A, B, X, D with the head on cell 4; in the matrix A[s3,s3] = {X} and A[s4,s4] = {D, k1, end}, own rights unchanged]
After δ(k, C) = (k1, X, R), where k is the current state and k1 the next state

Slide #3-9: Command Mapping
δ(k, C) = (k1, X, R) at an intermediate cell becomes the command
command c_{k,C}(s3, s4)
  if own in A[s3, s4] and k in A[s3, s3] and C in A[s3, s3]
  then
    delete k from A[s3, s3];
    delete C from A[s3, s3];
    enter X into A[s3, s3];
    enter k1 into A[s4, s4];
  end
Slide #3-11: Mapping
[Figure: after the second transition, the tape holds A, B, X, Y, b with the head on the newly created cell 5; subject s5 is created with A[s5,s5] = {b, k2, end}, own in A[s4,s5], and end removed from A[s4,s4]]
After δ(k1, D) = (k2, Y, R), where k1 is the current state and k2 the next state

Slide #3-12: Command Mapping
δ(k1, D) = (k2, Y, R) at the end of the tape becomes the command
command c^rightmost_{k1,D}(s4, s5)
  if end in A[s4, s4] and k1 in A[s4, s4] and D in A[s4, s4]
  then
    delete end from A[s4, s4];
    create subject s5;
    enter own into A[s4, s5];
    enter end into A[s5, s5];
    delete k1 from A[s4, s4];
    delete D from A[s4, s4];
    enter Y into A[s4, s4];
    enter k2 into A[s5, s5];
  end

Slide #3-13: Rest of Proof
The protection system exactly simulates a TM:
–Exactly 1 end right in the ACM
–Exactly 1 right in the entries corresponds to a state
–Thus, at most 1 applicable command
If the TM enters state q_f, then the right q_f has leaked.
If the safety question were decidable, then represent the TM as above and determine whether q_f leaks
–This would imply the halting problem is decidable
Conclusion: the safety question is undecidable
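The encoding of slides 3-6 to 3-13 can be run directly. The following is an added example, not code from the slides: it builds the access control matrix for a constructed two-state Turing machine, applies the commands above (the left-move command is assumed to mirror the right-move command, and a newly created rightmost cell is assumed to start with the blank b, as the figure on slide 3-11 shows), and reports whether the halting-state right ever appears in the matrix.

```python
from collections import defaultdict

OWN, END = "own", "end"   # the two bookkeeping rights of the encoding


class ACM:
    """Access control matrix A[(si, sj)] = set of rights si has over sj.
    Tape cell i is the diagonal entry A[si, si]; 'own' in A[si, si+1] chains
    the cells in order; 'end' marks the rightmost cell; the current state is a
    right stored in the diagonal entry of the cell under the head."""

    def __init__(self, tape, state, head=1):
        self.A = defaultdict(set)
        self.subjects = []
        for i, sym in enumerate(tape, start=1):
            self.create_subject()
            self.A[(f"s{i}", f"s{i}")].add(sym)
            if i > 1:
                self.A[(f"s{i-1}", f"s{i}")].add(OWN)
        self.A[(f"s{len(tape)}", f"s{len(tape)}")].add(END)
        self.A[(f"s{head}", f"s{head}")].add(state)

    def create_subject(self):
        self.subjects.append(f"s{len(self.subjects) + 1}")
        return self.subjects[-1]

    def tape(self, symbols):
        return [next(iter(self.A[(s, s)] & symbols)) for s in self.subjects]

    def leaks(self, right):
        return any(right in rights for rights in self.A.values())


def step(acm, delta, states, symbols, blank):
    """Apply the single applicable command; return False if none applies (TM halted)."""
    heads = [s for s in acm.subjects if acm.A[(s, s)] & states]
    assert len(heads) == 1, "exactly one state right must be present"
    si = heads[0]
    i = acm.subjects.index(si)
    cell = acm.A[(si, si)]
    k, m = next(iter(cell & states)), next(iter(cell & symbols))
    if (k, m) not in delta:
        return False                      # no transition defined: the TM has halted
    k1, m1, move = delta[(k, m)]
    if move == "L":                       # c_{k,m}(s_{i-1}, s_i): assumed mirror of the right move
        assert i > 0, "constructed TM never runs off the left end"
        sj = acm.subjects[i - 1]
        assert OWN in acm.A[(sj, si)]
    elif END not in cell:                 # c_{k,m}(s_i, s_{i+1}) at an intermediate cell
        sj = acm.subjects[i + 1]
        assert OWN in acm.A[(si, sj)]
    else:                                 # c^rightmost_{k,m}: extend the tape by one subject
        cell.discard(END)
        sj = acm.create_subject()
        acm.A[(si, sj)].add(OWN)
        acm.A[(sj, sj)].update({END, blank})   # new cell holds the blank (assumption)
    cell.discard(k)                       # delete k, delete m, enter m1 into A[si, si]
    cell.discard(m)
    cell.add(m1)
    acm.A[(sj, sj)].add(k1)               # enter the next state into the new head cell
    return True


def simulate(tape, delta, states, symbols, start, halt, blank="b", limit=1000):
    """Run the protection system; return (leaked, commands_applied, final_tape).
    leaked is True exactly when the halting-state right appears somewhere in A."""
    acm = ACM(tape, start)
    for n in range(limit):
        if acm.leaks(halt):
            return True, n, acm.tape(symbols)
        if not step(acm, delta, states, symbols, blank):
            return False, n, acm.tape(symbols)
    return False, limit, acm.tape(symbols)


# Constructed TM: rewrite 1s to 0s moving right; on the first blank, halt one cell to the left.
STATES, SYMBOLS, HALT = {"q0", "qf"}, {"0", "1", "b"}, "qf"
DELTA = {("q0", "1"): ("q0", "0", "R"), ("q0", "b"): ("qf", "b", "L")}

if __name__ == "__main__":
    print(simulate(["1", "1"], DELTA, STATES, SYMBOLS, "q0", HALT))   # (True, 3, ['0', '0', 'b'])
    print(simulate(["0"], DELTA, STATES, SYMBOLS, "q0", HALT))        # (False, 0, ['0'])
```

The first run exercises the rightmost-cell command (a new subject s3 is created) before the machine halts; the second halts without ever entering q_f, so the right never leaks.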
Slide #3-14: Other Results
The set of unsafe systems is recursively enumerable.
Delete the create primitive; then the safety question is complete in PSPACE.
Delete the destroy and delete primitives; then the safety question is still undecidable
–Such systems are monotonic
The safety question for monoconditional, monotonic protection systems is decidable.
The safety question for monoconditional protection systems with create, enter, delete (and no destroy) is decidable.

Slide #3-15: Take-Grant Protection Model
A specific (not generic) system
–Set of rules for state transitions
Safety is decidable, in time linear in the size of the system.
Goal: find the conditions under which rights can be transferred from one entity to another in the system.

Slide #3-16: System
Vertices: objects (files, …); subjects (users, processes, …); "don't care" vertices (either a subject or an object)
G ⊢x G′: apply a rewriting rule x (the witness) to G to get G′
G ⊢* G′: apply a sequence of rewriting rules (the witness) to G to get G′
R = { t, g, r, w, … } is the set of rights; t and g are special rights

Slide #3-17: System
Digraph G with:
–V = O ∪ S, where O = set of objects and S = set of subjects
–E = set of directed edges, E ⊆ V × V
–L = label function, L: E → 2^R, giving each edge a subset of rights

Slide #3-18: de jure Rules
take: subject x with take rights to node y can acquire any rights that y already has to node z.
grant: subject x with grant rights to node y can grant any rights that x already has to node z.

Slide #3-19: More de jure Rules
create: subject x can create a new node y with any rights to y.
remove: subject x can remove any rights it already has to node y.
These four rules are called the de jure rules.

Slide #3-20: Symmetry
[Figure: z has take rights to x and some right to y; after rewriting, x has that right to y]
t and g rights are symmetric for subjects, in the sense that the direction of the arc does not matter when it comes to acquiring rights!
Nota bene: endpoints must be subjects!

Slide #3-21: Symmetry of take
[Figure: z –t→ x, z –α→ y; x creates v with tg rights; after the witness, x –α→ y]
1. x creates (tg to new) v
2. z takes (g to v) from x
3. z grants (α to y) to v
4. x takes (α to y) from v
(Extra arcs are removed for the sake of clarity.)
Witness is 4 steps long.
Similar result for grant. Exercise: prove it! (yes, now!)
Slide #3-22: Islands
tg-path: a path of distinct vertices connected by edges labeled t or g
–Call them "tg-connected"
island: a maximal tg-connected subject-only subgraph
–Any right one vertex has can be shared with any other vertex

Slide #3-23: Islands
island: a maximal tg-connected subject-only subgraph
–Any right one vertex has can be shared with any other vertex
[Figure: subjects u, v, w, x, y, z joined by t and g edges forming one island]

Slide #3-24: Bridges
For a right to be transferred from the second island to the first island requires that either:
–a subject in the first island be able to take a right from a vertex in the second island, or
–a subject in the second island be able to grant a right to an intermediate object, from which a subject in the first island may take the right
The word associated with a path is the sequence of its edge labels, each with its direction (ν is the null word)
Slide #3-25: Bridges
bridge: a tg-path between subjects x, y with associated word in { t→*, t←*, t→* g→ t←*, t→* g← t←* }
–rights can be transferred between the two endpoints
–not an island, as the intermediate vertices are objects

Slide #3-26 / #3-27: Bridges
bridge: a tg-path between subjects x, y with associated word in { t→*, t←*, t→* g→ t←*, t→* g← t←* }
[Figure: a bridge from x to y through the objects u, v, z, w whose word consists only of t edges]
Because… symmetry of take for subjects. Now you try it!

Slide #3-28 / #3-29: Bridges
bridge: a tg-path between subjects x, y with associated word in { t→*, t←*, t→* g→ t←*, t→* g← t←* }
[Figure: a bridge from x to y through objects whose word contains a single g edge among the t edges; a second variant adds a vertex q reached by g]
Now you try it!
Slide #3-30: Initial, Terminal Spans
initial span from x to y
–x subject
–tg-path between x, y with word in { t→* g→ } ∪ { ν }
–Means x can give rights it has to y
terminal span from x to y
–x subject
–tg-path between x, y with word in { t→* } ∪ { ν }
–Means x can acquire any rights y has

Slide #3-31: Initial Span
[Figure: initial span from x to y through u and v with word t→ t→ g→; vertex q also shown]

Slide #3-32: Terminal Span
[Figure: terminal span from x to y through u, v, z, w with word t→ t→ t→ t→]

Slide #3-33: Example
[Figure: vertices p, u, v, w, x, y, s′, s, q with four edges labeled t, three labeled g and one labeled r; s has r to q]
islands: { p, u }, { w }, { y, s′ }
bridges: u, v, w and w, x, y
initial span: p (associated word ν)
terminal span: s′, s (associated word t)

Slide #3-34: Example
[Figure: the same graph after the r right to q has been passed over the terminal span, the islands and bridges, and the initial span]
p gets the r right to q
Slide #3-35: canshare Predicate
Definition: canshare(r, x, y, G0) if, and only if, there is a sequence of protection graphs G0, …, Gn such that G0 ⊢* Gn using only de jure rules, and in Gn there is an edge from x to y labeled r.

Slide #3-36: canshare Theorem
canshare(r, x, y, G0) if, and only if, there is an edge from x to y labeled r in G0, or the following hold simultaneously:
–There is an s in G0 with an s-to-y edge labeled r
–There is a subject x′ such that x′ = x or x′ initially spans to x
–There is a subject s′ such that s′ = s or s′ terminally spans to s
–There are islands I1, …, Ik connected by bridges, with x′ in I1 and s′ in Ik
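The theorem is also a decision procedure: every condition is a property of G0 alone. The following added example (not code from the slides) checks the four conditions directly, using the definitions of tg-path words, islands, bridges and spans from slides 3-22 to 3-32, and runs them on a reconstruction of the slide 3-33 graph. The edge directions in that graph are an assumption chosen so that the islands, bridges and spans the slide names come out as stated.

```python
import re
from collections import defaultdict
from itertools import combinations

# Letters of a tg-path word, read from x towards y: T = t->, t = t<-, G = g->, g = g<-
BRIDGE = re.compile(r"^(T*|t*|T*Gt*|T*gt*)$")   # { t->*, t<-*, t->* g-> t<-*, t->* g<- t<-* }
INITIAL = re.compile(r"^T*G$")                   # { t->* g-> }  (null word handled by x == y)
TERMINAL = re.compile(r"^T*$")                   # { t->* }


class ProtectionGraph:
    def __init__(self, subjects, objects, edges):
        self.subjects, self.objects = set(subjects), set(objects)
        self.edges = set(edges)                    # (src, dst, right)

    def tg_steps(self, v):
        """Neighbours of v over t/g edges, with the letter for the direction crossed."""
        for src, dst, r in self.edges:
            if r in ("t", "g") and src == v:
                yield dst, r.upper()
            if r in ("t", "g") and dst == v:
                yield src, r

    def tg_words(self, x, y, interior_ok):
        """Words of all tg-paths of distinct vertices from x to y whose interior vertices pass interior_ok."""
        words = set()

        def dfs(v, seen, word):
            if v == y and word:
                words.add(word)
                return
            for n, letter in self.tg_steps(v):
                if n not in seen and (n == y or interior_ok(n)):
                    dfs(n, seen | {n}, word + letter)

        dfs(x, {x}, "")
        return words

    def islands(self):
        """Maximal tg-connected subject-only subgraphs."""
        result, seen = [], set()
        for s in self.subjects:
            if s in seen:
                continue
            comp, stack = set(), [s]
            while stack:
                v = stack.pop()
                if v not in comp:
                    comp.add(v)
                    stack += [n for n, _ in self.tg_steps(v) if n in self.subjects]
            seen |= comp
            result.append(frozenset(comp))
        return result

    def is_bridge(self, x, y):
        """tg-path between subjects x, y through objects only, with a bridge word."""
        return any(BRIDGE.match(w) for w in self.tg_words(x, y, lambda v: v in self.objects))

    def _spans(self, x, y, pattern):
        return x in self.subjects and (x == y or any(pattern.match(w) for w in self.tg_words(x, y, lambda v: True)))

    def initial_span(self, x, y):    # x can give rights it has to y
        return self._spans(x, y, INITIAL)

    def terminal_span(self, x, y):   # x can acquire any rights y has
        return self._spans(x, y, TERMINAL)

    def canshare(self, r, x, y):
        """The canshare theorem's conditions, checked directly on this graph as G0."""
        if (x, y, r) in self.edges:
            return True
        isl = self.islands()
        where = {v: i for i, comp in enumerate(isl) for v in comp}
        adj = defaultdict(set)                     # islands joined by at least one bridge
        for i, j in combinations(range(len(isl)), 2):
            if any(self.is_bridge(a, b) for a in isl[i] for b in isl[j]):
                adj[i].add(j)
                adj[j].add(i)
        # islands reachable over bridges from the islands of the subjects x' with x' = x or x' initially spanning to x
        reach = {where[xp] for xp in self.subjects if self.initial_span(xp, x)}
        frontier = set(reach)
        while frontier:
            frontier = {j for i in frontier for j in adj[i]} - reach
            reach |= frontier
        # some s with s -r-> y and a subject s' (= s, or terminally spanning to s) in a reachable island
        return any(where[sp] in reach
                   for s, dst, rr in self.edges if dst == y and rr == r
                   for sp in self.subjects if self.terminal_span(sp, s))


# Constructed reconstruction of the slide 3-33 graph (subjects p, u, w, y, s'; objects v, x, s, q);
# edge directions are chosen so the islands, bridges and spans named on the slide come out as stated.
G0 = ProtectionGraph(
    subjects=["p", "u", "w", "y", "s'"], objects=["v", "x", "s", "q"],
    edges=[("u", "p", "g"), ("u", "v", "t"), ("v", "w", "t"), ("w", "x", "t"),
           ("y", "x", "g"), ("y", "s'", "g"), ("s'", "s", "t"), ("s", "q", "r")])

if __name__ == "__main__":
    print(sorted(sorted(i) for i in G0.islands()))   # [['p', 'u'], ["s'", 'y'], ['w']]
    print(G0.canshare("r", "p", "q"))                # True: p gets r to q, as on slide 3-34
    print(G0.canshare("r", "v", "q"))                # False: no subject initially spans to the object v
```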
Slide #3-37: Proof Sketch (⇒)
[Figure: x′ initially spans to x (IS); s′ terminally spans to s (TS); s –r→ y; islands I1, …, Ik joined by bridges B1, …, Bk-1 with words over t and g]
There is an s in G0 with an s-to-y edge labeled r
There is a subject s′ = s or s′ terminally spans to s
There is a subject x′ = x or x′ initially spans to x
There are islands I1, …, Ik with x′ in I1 and s′ in Ik
Each island Ij is connected to Ij+1 by bridge Bj
Can x get the r right to y?

Slide #3-38: Proof Sketch (⇒)
[Figure: the same graph with the r right to y propagated from s′ through the islands and bridges to x′, and then to x]
s′ takes (r to y) over TS
x′ gets (r to y) over the islands and bridges
x′ grants x (r to y) over IS
Can x get the r right to y? YES!

Slide #3-39: Outline of Proof (⇒)
s has r rights over y
s′ acquires r rights over y from s
–Definition of terminal span
x′ acquires r rights over y from s′
–Repeated application of sharing among vertices in islands, passing rights along bridges
x′ gives r rights over y to x
–Definition of initial span

Slide #3-40: Outline of Proof (⇐)
For x to get r to y, it must be the case that:
There is an s in G0 with an s-to-y edge labeled r
There is a subject x′ = x or x′ initially spans to x
There is a subject s′ = s or s′ terminally spans to s
There are islands I1, …, Ik connected by bridges, and x′ in I1 and s′ in Ik

Slide #3-41: Outline of Proof (⇐)
There is an s in G0 with an s-to-y edge labeled r
–If no node s has r rights to y, then there is no way for any node to get r rights to y, ever:
–Create can't do it (it can only add rights to the new node)
–x take (r to y) from z requires z to have (r to y)
–z grant (r to y) to x requires z to have (r to y)
–Remove clearly cannot add any rights
–Hence there must be such a node s in G0.

Slide #3-42: Outline of Proof (⇐)
Either s is a subject or there is a subject s′ that terminally spans to s
–The only way for a node u to acquire (r to y) from s is through the take or grant de jure rule
–Grant requires s to be a subject (we're done!)
–If not, then there must be a subject s′ that either has (t to s) or can acquire (t to s)
–If s′ is a subject that can acquire (t to s) in the fewest steps, then s′ terminally spans to s

Slide #3-43: Outline of Proof (⇐)
There is a subject x′ = x or x′ initially spans to x
–If x is not a subject, then it can only acquire (r to y) if some subject x′ that already has (r to y) uses the grant rule
–If x′ does not have (g to x), then it must either be granted (g to x) by some other subject z (hence they are in the same island, and let z be x′) or take (g to x) from some object u
–Hence there must be a subject x′ that initially spans to x if x is not a subject

Slide #3-44: Outline of Proof (⇐)
There are islands I1, …, Ik connected by bridges, and x′ in I1 and s′ in Ik
–If x′ is not s′, then s′ must be able to share (r to y) with x′
–If x′ and s′ are not in the same island, then let x′ be in I1 and s′ be in I′. I1 must be able to acquire (r to y) from some other island I2 that has or can get (r to y)
–The only way to transfer rights between islands is through bridges, so there must be a sequence of bridges and islands between I1 and I′.

Slide #3-45: cansteal Predicate
Definition: cansteal(α, x, y, G0) if, and only if, there is no edge in G0 from x to y labeled α, and there is a sequence of protection graphs G0, …, Gn such that
–there is an edge from x to y labeled α in Gn;
–G0 ⊢* Gn using only de jure rules; and
–no subject grants (α rights to y) to another node

Slide #3-46: cansteal Predicate
The first two stipulations say that x gets α rights to y properly.
The last stipulation says that owners of (α rights to y) don't give them away.
Note that a subject can grant other rights.
Note that (α rights to y) may be taken (in fact, they must be taken!)

Slide #3-47: cansteal Example
[Figure: u –g→ x, u –t→ v, v –t→ u, u –α→ y; x ends up with α to y]
1. u grants (t to v) to x
2. x takes (t to u) from v
3. x takes (α to y) from u
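Both witnesses above (the symmetry-of-take witness of slide 3-21 and the cansteal witness of slide 3-47) are sequences of de jure rule applications, and they can be replayed mechanically. The following added example (not code from the slides) implements the four de jure rules of slides 3-18/3-19 as graph rewriting with their preconditions enforced, including the requirement that only a subject can apply a rule, and replays both witnesses; the vertex names, the right "alpha" and the subject/object assignment of v are constructed.

```python
class RuleViolation(Exception):
    """A de jure rule was applied without its preconditions holding."""


class TakeGrantGraph:
    def __init__(self, subjects, objects=()):
        self.subjects, self.objects = set(subjects), set(objects)
        self.edges = set()                       # (src, dst, right)

    def add(self, src, dst, *rights):
        for r in rights:
            self.edges.add((src, dst, r))
        return self

    def has(self, src, dst, right):
        return (src, dst, right) in self.edges

    def _require(self, cond, why):
        if not cond:
            raise RuleViolation(why)

    def take(self, x, y, right, z):
        """take: x -t-> y and y -right-> z  |-  x -right-> z (x must be a subject)."""
        self._require(x in self.subjects, f"{x} is not a subject")
        self._require(self.has(x, y, "t") and self.has(y, z, right), "take preconditions fail")
        self.edges.add((x, z, right))

    def grant(self, x, y, right, z):
        """grant: x -g-> y and x -right-> z  |-  y -right-> z (x must be a subject)."""
        self._require(x in self.subjects, f"{x} is not a subject")
        self._require(self.has(x, y, "g") and self.has(x, z, right), "grant preconditions fail")
        self.edges.add((y, z, right))

    def create(self, x, new, *rights, subject=True):
        """create: subject x adds a new vertex and any rights it likes to it."""
        self._require(x in self.subjects, f"{x} is not a subject")
        self._require(new not in self.subjects | self.objects, f"{new} already exists")
        (self.subjects if subject else self.objects).add(new)
        self.add(x, new, *rights)

    def remove(self, x, y, right):
        """remove: subject x drops a right it has to y."""
        self._require(x in self.subjects, f"{x} is not a subject")
        self.edges.discard((x, y, right))


def symmetry_of_take(alpha="alpha"):
    """Slide 3-21 witness: z -t-> x and z -alpha-> y, yet x ends up with alpha to y."""
    g = TakeGrantGraph(subjects={"x", "z"}, objects={"y"})
    g.add("z", "x", "t").add("z", "y", alpha)
    g.create("x", "v", "t", "g", subject=False)  # 1. x creates (tg to new) v
    g.take("z", "x", "g", "v")                   # 2. z takes (g to v) from x
    g.grant("z", "v", alpha, "y")                # 3. z grants (alpha to y) to v
    g.take("x", "v", alpha, "y")                 # 4. x takes (alpha to y) from v
    return g.has("x", "y", alpha)


def cansteal_witness(alpha="alpha"):
    """Slide 3-47 witness: x gets alpha to y although no subject ever grants (alpha to y)."""
    g = TakeGrantGraph(subjects={"u", "x"}, objects={"v", "y"})
    g.add("u", "x", "g").add("u", "v", "t").add("v", "u", "t").add("u", "y", alpha)
    g.grant("u", "x", "t", "v")                  # 1. u grants (t to v) to x
    g.take("x", "v", "t", "u")                   # 2. x takes (t to u) from v
    g.take("x", "u", alpha, "y")                 # 3. x takes (alpha to y) from u
    return g.has("x", "y", alpha)


def object_cannot_take(alpha="alpha"):
    """Objects are passive: v -t-> u -alpha-> y does not let the object v take (alpha to y)."""
    g = TakeGrantGraph(subjects={"u"}, objects={"v", "y"})
    g.add("v", "u", "t").add("u", "y", alpha)
    try:
        g.take("v", "u", alpha, "y")
    except RuleViolation:
        return True
    return False
```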
Slide #3-48: cansteal Theorem
cansteal(α, x, y, G0) if, and only if, the following hold simultaneously:
–There is no edge from x to y labeled α in G0
–There is a subject x′ = x or x′ initially spans to x
–There is an s in G0 with an s-to-y edge labeled α for which canshare(t, x′, s, G0) holds

Slide #3-49: Key Question
Characterize the class of models for which safety is decidable
–Existence: the Take-Grant Protection Model is a member of such a class
–Universality: in general the question is undecidable, so for some models it is not decidable
What is the dividing line?

Slide #3-50: Schematic Protection Model
Type-based model
–Protection type: entity label determining how control rights affect the entity; set at creation and cannot be changed
–Ticket: description of a single right over an entity; an entity has a set of tickets (called its domain); a ticket is X/r, where X is the entity and r the right; rights have a flag set if copyable (r:c is a copyable right)
–Functions determine rights transfer: link: are source and target "connected"? filter: is the transfer of the ticket authorized?

Slide #3-51: Link Predicate
Idea: link_i(X, Y) if X can assert some control right over Y
A conjunction or disjunction of terms of the following forms, for some right z (dom(X) and dom(Y) are the tickets of X and Y):
–X/z ∈ dom(X)
–X/z ∈ dom(Y)
–Y/z ∈ dom(X)
–Y/z ∈ dom(Y)
–true
Transfer of rights is subject to the filter function!
A finite set of link predicates is called a scheme.

Slide #3-52: Examples
Take-Grant: link(X, Y) = Y/g ∈ dom(X) ∨ X/t ∈ dom(Y)
–X has (g to Y) or Y has (t to X)
Broadcast: link(X, Y) = X/b ∈ dom(X)
–X has broadcast rights (still needs the filter to OK it)
Pull: link(X, Y) = Y/p ∈ dom(Y)
–Y has pull rights (still needs the filter to OK it)

Slide #3-53: Filter Function
Range is the set of copyable ticket prototypes
–(entity type, right)
Domain is pairs of entity types
Copy a ticket X/r:c from dom(Y) to dom(Z) if and only if:
–X/r:c ∈ dom(Y) (Y can't give what it doesn't have)
–link_i(Y, Z) (predicate i specifies that the link exists)
–τ(X)/r:c ∈ f_i(τ(Y), τ(Z)) (filter i allows the copy for these types and right r)
One filter function per link predicate

Slide #3-54: Example
f(τ(Y), τ(Z)) = T × R
–Any ticket can be transferred (if the other conditions are met)
f(τ(Y), τ(Z)) = T × RI
–Only tickets with inert rights can be transferred (if the other conditions are met)
f(τ(Y), τ(Z)) = ∅
–No tickets can be transferred

Slide #3-55: Example: Take-Grant Protection Model
–TS = { subject }, TO = { object }
–RC = { tc, gc }, RI = { rc, wc }
–link(p, q) = p/t ∈ dom(q) ∨ q/g ∈ dom(p)
–f(subject, subject) = { subject, object } × { tc, gc, rc, wc }
Recall: (T3, r) ∈ f(T1, T2) means entities of type T1 are allowed to transfer (r rights to entities of type T3) to entities of type T2

Slide #3-56: Example: Take-Grant Protection Model
Are this predicate and filter sufficient?
–link(p, q) = p/t ∈ dom(q) ∨ q/g ∈ dom(p)
–f(subject, subject) = { subject, object } × { tc, gc, rc, wc }
What does this say? That any right to any entity can be copied from any subject p to another subject q as long as p has grant rights to q or q has take rights to p, and p has the right that is to be copied

Slide #3-57: Example: Take-Grant Protection Model
Are this predicate and filter sufficient?
–What about transfers of rights to objects?
–link(p, q) = q/g ∈ dom(p)
–f(subject, object) = { subject, object } × { tc, gc, rc, wc }
Any subject can give any object any copyable right to any entity, provided that the subject has grant rights to the object and the subject has the right to be copied

Slide #3-58: Example: Take-Grant Protection Model
Are this predicate and filter sufficient?
–What about transfers of rights from objects?
–link(p, q) = p/t ∈ dom(q)
–f(object, subject) = { subject, object } × { tc, gc, rc, wc }
Any subject can take from any object any copyable right to any entity, provided that the subject has take rights to the object and the object has the right to be copied

Slide #3-59: Practice
Simple Discretionary Access
–There are users and files (these will be the types)
–The owner of a file can give r/w access to that file to any other user
What are the link predicates?
–link(p, q) = TRUE
Any pair of subjects may possibly transfer rights between them, subject to the filter function

Slide #3-60: Practice
Simple Discretionary Access
–There are users and files (these will be the types)
–The owner of a file can give r/w access to that file to any other user
What is the filter?
–f(user, user) = { file } × { r:c, w:c }
Any user can give any read or write rights it has to a file to any other user
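The three conditions of slide 3-53 decide every ticket copy, so a scheme can be written as data and checked. The following added example (not code from the slides) does that for the Take-Grant scheme of slides 3-55 to 3-58 and the simple discretionary-access scheme of slides 3-59/3-60; the entity names, their types and their domains are constructed sample values, and copyable prototypes such as rc are represented as the pair (type, right) on a ticket whose c flag is set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    """X/r:c -- right r over entity X; copyable only when the c flag is set."""
    entity: str
    right: str
    copyable: bool = False


class State:
    def __init__(self, tau, dom):
        self.tau = tau                            # entity -> protection type, fixed at creation
        self.dom = {e: set(t) for e, t in dom.items()}

    def holds(self, holder, entity, right):
        """entity/right in dom(holder), copyable or not."""
        return any(t.entity == entity and t.right == right for t in self.dom[holder])


def can_copy(scheme, st, ticket, y, z):
    """Y may copy X/r:c into dom(Z) iff for some i: X/r:c in dom(Y) (Y can't give what
    it doesn't have), link_i(Y, Z) holds, and tau(X)/r:c in f_i(tau(Y), tau(Z))."""
    if not ticket.copyable or ticket not in st.dom[y]:
        return False
    proto = (st.tau[ticket.entity], ticket.right)
    return any(link(st, y, z) and proto in filt.get((st.tau[y], st.tau[z]), set())
               for link, filt in scheme)


def copy_ticket(scheme, st, ticket, y, z):
    """Perform the copy when the scheme allows it; report whether it happened."""
    ok = can_copy(scheme, st, ticket, y, z)
    if ok:
        st.dom[z].add(ticket)
    return ok


# Take-Grant as an SPM scheme (slides 3-55 to 3-58): types subject/object,
# control rights t, g and inert rights r, w; every filter allows all copyable prototypes.
TG_PROTOS = {(t, r) for t in ("subject", "object") for r in ("t", "g", "r", "w")}
TAKE_GRANT = [
    # link1(p, q) = p/t in dom(q) or q/g in dom(p); f1(subject, subject)
    (lambda st, p, q: st.holds(q, p, "t") or st.holds(p, q, "g"), {("subject", "subject"): TG_PROTOS}),
    # link2(p, q) = q/g in dom(p); f2(subject, object): a subject gives an object a right
    (lambda st, p, q: st.holds(p, q, "g"), {("subject", "object"): TG_PROTOS}),
    # link3(p, q) = p/t in dom(q); f3(object, subject): a subject takes a right from an object
    (lambda st, p, q: st.holds(q, p, "t"), {("object", "subject"): TG_PROTOS}),
]

# Simple discretionary access (slides 3-59/3-60): link(p, q) = TRUE; f(user, user) = {file} x {r:c, w:c}
DAC = [(lambda st, p, q: True, {("user", "user"): {("file", "r"), ("file", "w")}})]


def take_grant_demo():
    """Constructed state: anna has g to bob, r:c and w (not copyable) to f1, t:c to box; box holds f1/w:c."""
    st = State(tau={"anna": "subject", "bob": "subject", "f1": "object", "box": "object"},
               dom={"anna": [Ticket("bob", "g", True), Ticket("f1", "r", True), Ticket("f1", "w"),
                             Ticket("box", "t", True)],
                    "bob": [], "f1": [], "box": [Ticket("f1", "w", True)]})
    return {
        "anna -> bob f1/r:c": copy_ticket(TAKE_GRANT, st, Ticket("f1", "r", True), "anna", "bob"),
        "anna -> bob f1/w": copy_ticket(TAKE_GRANT, st, Ticket("f1", "w"), "anna", "bob"),        # not copyable
        "bob -> anna f1/r:c": copy_ticket(TAKE_GRANT, st, Ticket("f1", "r", True), "bob", "anna"),  # no link
        "anna -> box f1/r:c": copy_ticket(TAKE_GRANT, st, Ticket("f1", "r", True), "anna", "box"),  # no g to box
        "box -> anna f1/w:c": copy_ticket(TAKE_GRANT, st, Ticket("f1", "w", True), "box", "anna"),  # anna has t to box
    }


def dac_demo():
    """Constructed state: alice owns report (r:c, w:c) and also holds a copyable ticket for user bob."""
    st = State(tau={"alice": "user", "bob": "user", "report": "file"},
               dom={"alice": [Ticket("report", "r", True), Ticket("report", "w", True), Ticket("bob", "k", True)],
                    "bob": [], "report": []})
    return {
        "alice -> bob report/r:c": copy_ticket(DAC, st, Ticket("report", "r", True), "alice", "bob"),
        "alice -> bob bob/k:c": copy_ticket(DAC, st, Ticket("bob", "k", True), "alice", "bob"),  # filter: files only
    }
```

Note that the third Take-Grant case fails even though bob now holds f1/r:c: no link predicate connects bob to anna, so the filter is never consulted.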
Slide #3-61: Demand Operation
Demand function d: TS → 2^(T×R)
–Authorizes a subject of type a to demand a specific right r from any entity of type b if (b, r) ∈ d(a)
If τ(X) = b, τ(Y) = a, and Z/r ∈ dom(X), then Y can demand that X give it Z/r, provided that (b, r) ∈ d(a)
Generalizes the take rule in the Take-Grant Model
–Turns out it can be eliminated (Sandhu)

Slide #3-62: Create Operation
Must handle the type and the tickets of the new entity
Relation cancreate(a, b)
–A subject of type a can create an entity of type b
Rule of acyclic creates: [figure: an acyclic cancreate graph beside a cyclic one]
NB: a self-loop is allowed

Slide #3-63: Create-Rule
cr(a, b): specifies the tickets introduced when a subject of type a creates an entity of type b
cr(a, b): T × T → 2^(T×R)
If B is an object, τ(B) = b, then cr(a, b) ⊆ { b/r:c | r:c ∈ RI }
–i.e., only tickets with inert rights can be created
–Tickets prototyped in cr(a, b) are added to dom(A) for the entity B that A created

Slide #3-64: Create-Rule (2)
cr(a, b): specifies the tickets introduced when a subject of type a creates an entity of type b
If B is a subject, then cr(a, b) has two parts:
–Parent part cr_P(a, b) for dom(A), and
–Child part cr_C(a, b) for dom(B)
–dom(A) gets B/r:c if b/r:c ∈ cr_P(a, b)
–dom(B) gets A/r:c if a/r:c ∈ cr_C(a, b)
Write cr(a, b) = cr_P(a, b) | cr_C(a, b)

Slide #3-65: Non-Distinct Types
Write cr(a, b) = cr_P(a, b) | cr_C(a, b)
–Use the types to distinguish parent and child
What if a = b? cr(a, a): who gets what?
–Can't use the types to distinguish parent and child!
self/r:c are tickets for the creator; a/r:c are tickets for the created entity
cr(a, a) ⊆ { a/r:c, self/r:c | r:c ∈ R }

Slide #3-66: Attenuating Create Rule
cr(a, a) is attenuating if:
1. cr_C(a, a) ⊆ cr_P(a, a), and
2. a/r:c ∈ cr_P(a, a) ⇒ self/r:c ∈ cr_P(a, a)
i.e., the child has no ticket the parent doesn't have
A scheme is attenuating if, for all types a such that cc(a, a), cr(a, a) is attenuating.
If the graph for cc has no loops, then the scheme is attenuating.

Slide #3-67: Safety Result
If the scheme is acyclic and attenuating, the safety question is decidable.
Approach: define the states derivable from an initial state in the obvious way
Define the flow within a protection state for a pair of entities as the rights that can be sent
Define a relation based on flow containment
Partition the states into equivalence classes
The maximal states in one equivalence class define the possible flows
Slide #3-68: Expressive Power
How do the sets of systems that the models can describe compare?
–If HRU is equivalent to SPM, SPM provides a more specific answer to the safety question
–If HRU describes more systems, SPM applies only to the systems it can describe

Slide #3-69: HRU vs. SPM
SPM is more abstract
–Analyses focus on the limits of the model, not the details of representation
HRU allows revocation
–SPM has no equivalent to delete, destroy
–Fairer to compare SPM to monotonic HRU
HRU allows multiparent creates
–SPM cannot express multiparent creates easily, and not at all if the parents are of different types, because cancreate allows for only one type of creator

Slide #3-70: Multiparent Create
Solves the mutual suspicion problem
–Create a proxy jointly; each parent gives it the rights it needs
In HRU:
command multicreate(s0, s1, o)
  if p in A[s0, s1] and p in A[s1, s0]
  then
    create object o;
    enter r into A[s0, o];
    enter r into A[s1, o];
  end

Slide #3-71: ESPM and Multiparent Create
cancreate extended in the obvious way
–cc ⊆ TS × … × TS × T
Symbols
–X1, …, Xn parents, Y created
–R1,i, R2,i, R3, R4,i ⊆ R
Rules
–cr_P,i(τ(X1), …, τ(Xn)) = Y/R1,i ∪ Xi/R2,i
–cr_C(τ(X1), …, τ(Xn)) = Y/R3 ∪ X1/R4,1 ∪ … ∪ Xn/R4,n
So, what does R1,i represent? What about R2,i? What about R3, and why no i? What about R4,i?

Slide #3-72: Example
Anna and Bill must do something cooperatively
–But they don't trust each other
Jointly create a proxy
–Each gives the proxy only the necessary rights
In ESPM:
–Anna, Bill of type a; proxy of type p; right x ∈ R
–cc(a, a) = p
–cr_Anna(a, a, p) = cr_Bill(a, a, p) = ∅
–cr_proxy(a, a, p) = { Anna/x, Bill/x }

Slide #3-73: 2-Parent Joint Create Suffices
Goal: emulate a 3-parent joint create with a 2-parent joint create
Definition of a 3-parent joint create (subjects P1, P2, P3; child C):
–cc(τ(P1), τ(P2), τ(P3), τ(C)) = TRUE
–cr_P1(τ(P1), τ(P2), τ(P3), τ(C)) = C/R1,1 ∪ P1/R2,1
–cr_P2(τ(P1), τ(P2), τ(P3), τ(C)) = C/R1,2 ∪ P2/R2,2
–cr_P3(τ(P1), τ(P2), τ(P3), τ(C)) = C/R1,3 ∪ P3/R2,3
–cr_C(τ(P1), τ(P2), τ(P3), τ(C)) = C/R3 ∪ P1/R4,1 ∪ P2/R4,2 ∪ P3/R4,3

Slide #3-74: General 2-Parent Approach
Define agents for the parents and the child
Chain the creations through the agents
–Agents act as surrogates for the parents
–If a create fails, the parents have no extra rights
–If the create succeeds, parents and child have exactly the same rights as in the 3-parent create
The only extra rights are to the agents (which are never used again, so these rights are irrelevant)
Slide #3-75: Entities and Types
Parents P1, P2, P3 have types p1, p2, p3
Child C of type c
Parent agents A1, A2, A3 of types a1, a2, a3
Child agent S of type s
Type t is parentage
–if X/t ∈ dom(Y), X is Y's parent
Types t, a1, a2, a3, s are new types

Slide #3-76: CanCreate
The following is added to cancreate:
–cc(p1) = a1
–cc(p2, a1) = a2
–cc(p3, a2) = a3
Parents create their agents; note that agents have a maximum of 2 parents
–cc(a3) = s
The agent of all the parents creates the agent of the child
–cc(s) = c
The agent of the child creates the child
(Annotation on the slide: inconsistent use of cc; should be cc(p1, a1) = True.)

Slide #3-77: Creation Rules
The following is added to the create rule:
–cr_P(p1, a1) = ∅
–cr_C(p1, a1) = p1/Rtc
Agent's parent set to the creating parent; the agent has all rights over the parent
–cr_Pfirst(p2, a1, a2) = ∅
–cr_Psecond(p2, a1, a2) = ∅
–cr_C(p2, a1, a2) = p2/Rtc ∪ a1/tc
Agent's parent set to the creating parent and agent; the agent has all rights over the parent (but not over the agent)

Slide #3-78: Creation Rules
–cr_Pfirst(p3, a2, a3) = ∅
–cr_Psecond(p3, a2, a3) = ∅
–cr_C(p3, a2, a3) = p3/Rtc ∪ a2/tc
Agent's parent set to the creating parent and agent; the agent has all rights over the parent (but not over the agent)
–cr_P(a3, s) = ∅
–cr_C(a3, s) = a3/tc
The child's agent has the third agent as parent
–cr_P(s, c) = C/Rtc
–cr_C(s, c) = c/R3t
The child's agent gets full rights over the child; the child gets R3 rights over the agent

Slide #3-79: Link Predicates
Idea: no tickets to the parents until the child is created
–Done by requiring each agent to have its own parent rights
–link1(A1, A2) = A1/t ∈ dom(A2) ∧ A2/t ∈ dom(A2)
–link1(A2, A3) = A2/t ∈ dom(A3) ∧ A3/t ∈ dom(A3)
–link2(S, A3) = A3/t ∈ dom(S) ∧ C/t ∈ dom(C)
–link3(A1, C) = C/t ∈ dom(A1)
–link3(A2, C) = C/t ∈ dom(A2)
–link3(A3, C) = C/t ∈ dom(A3)
–link4(A1, P1) = P1/t ∈ dom(A1) ∧ A1/t ∈ dom(A1)
–link4(A2, P2) = P2/t ∈ dom(A2) ∧ A2/t ∈ dom(A2)
–link4(A3, P3) = P3/t ∈ dom(A3) ∧ A3/t ∈ dom(A3)

Slide #3-80: Filter Functions
f1(a2, a1) = a1/t ∪ c/Rtc
f1(a3, a2) = a2/t ∪ c/Rtc
f2(s, a3) = a3/t ∪ c/Rtc
f3(a1, c) = p1/R4,1
f3(a2, c) = p2/R4,2
f3(a3, c) = p3/R4,3
f4(a1, p1) = c/R1,1 ∪ p1/R2,1
f4(a2, p2) = c/R1,2 ∪ p2/R2,2
f4(a3, p3) = c/R1,3 ∪ p3/R2,3

Slide #3-81: Construction
Create A1, A2, A3, S, C; then
–P1 has no relevant tickets
–P2 has no relevant tickets
–P3 has no relevant tickets
–A1 has P1/Rtc
–A2 has P2/Rtc, A1/tc
–A3 has P3/Rtc, A2/tc
–S has A3/tc, C/Rtc
–C has C/tR3

Slide #3-82: Construction
Only link2(S, A3) is true; apply f2
–A3 has P3/Rtc, A2/t, A3/t, C/Rtc
Now link1(A3, A2) is true; apply f1
–A2 has P2/Rtc, A1/tc, A2/t, C/Rtc
Now link1(A2, A1) is true; apply f1
–A1 has P1/Rtc, A1/tc, A1/t, C/Rtc
Now all the link3s are true; apply f3
–C has C/R3, P1/R4,1, P2/R4,2, P3/R4,3

Slide #3-83: Finish Construction
Now the link4s are true; apply f4
–P1 has C/R1,1, P1/R2,1
–P2 has C/R1,2, P2/R2,2
–P3 has C/R1,3, P3/R2,3
The 3-parent joint create gives the same rights to P1, P2, P3, C
If the create of C fails, link2 fails, so the construction fails

Slide #3-84: Theorem
The two-parent joint creation operation can implement an n-parent joint creation operation with a fixed number of additional types and rights, and augmentations to the link predicates and filter functions.
Proof: by construction, as above
–The difference is that the two systems need not start at the same initial state

Slide #3-85: Theorems
Monotonic ESPM and the monotonic HRU model are equivalent.
The safety question in ESPM is also decidable if the scheme is acyclic and attenuating.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-86 Expressiveness Graph-based representation to compare models Graph –Vertex: represents entity, has static type –Edge: represents right, has static type Graph rewriting rules: –Initial state operations create graph in a particular state –Node creation operations add nodes, incoming edges –Edge adding operations add new edges between existing vertices
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-87 Example: 3-Parent Joint Creation Simulate with 2-parent –Nodes P 1, P 2, P 3 parents –To create node C with type c with edges of type e –First add node A 1 of type a and edge from P 1 to A 1 of type e´ P2P2 P3P3 P1P1 A1A1 e'
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-88 Next Step A 1, P 2 create A 2 ; A 2, P 3 create A 3 Type of nodes, edges are a and e´ P2P2 P3P3 P1P1 A1A1 A2A2 A3A3 e' a a
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-89 Next Step A 3 creates S, of type a S creates C, of type c S C P2P2 P3P3 P1P1 A1A1 A2A2 A3A3 e' a a
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-90 Last Step Edge adding operations: –P 1 A 1 A 2 A 3 S C: P 1 to C edge type e –P 2 A 2 A 3 S C: P 2 to C edge type e –P 3 A 3 S C: P 3 to C edge type e S C P2P2 P3P3 P1P1 A1A1 A2A2 A3A3 e e e
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-91 Definitions Simulation formally requires notion of scheme and correspondence between schemes Scheme: graph representation as above Model: set of schemes Schemes A, B correspond if graph for both is identical when all nodes with types not in A and edges with types not in A are deleted
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-92 Example Above 2-parent joint creation simulation in scheme TWO Equivalent to 3-parent joint creation scheme THREE in which P 1, P 2, P 3, C are of same type as in TWO, and edges from P 1, P 2, P 3 to C are of type e, and no types a and e´ exist in TWO
Slide #3-93: Example
Remove nodes and edges with types not in the original scheme:
[Figure: the TWO graph with A1, A2, A3, S and the a/e´ elements struck out, leaving P1, P2, P3 and C joined by the three edges of type e]
Slide #3-94: Simulation
Scheme A simulates scheme B iff:
–every state B can reach has a corresponding state that A can reach; and
–every state that A can reach either corresponds to a state B can reach, or has a successor state that corresponds to a state B can reach
–The last condition means that A can have intermediate states not corresponding to states in B, like the intermediate ones in TWO in the simulation of THREE
Slide #3-95: Expressive Power
If there is a scheme in MA that no scheme in MB can simulate, MB is less expressive than MA
If every scheme in MA can be simulated by a scheme in MB, MB is as expressive as MA
If MA is as expressive as MB and vice versa, MA and MB are equivalent
Slide #3-96: Example
Scheme A in model M
–Nodes X1, X2, X3
–2-parent joint create
–1 node type, 1 edge type
–No edge adding operations
–Initial state: X1, X2, X3, no edges
Scheme B in model N
–All same as A except no 2-parent joint create
–1-parent create
Which is more expressive?
Slide #3-97: Can A Simulate B?
Scheme A simulates 1-parent create: have both parents be the same node
–Model M is as expressive as model N
Slide #3-98: Can B Simulate A?
Suppose X1, X2 jointly create Y in A
–Edges from X1, X2 to Y, no edge from X3 to Y
Can B simulate this?
–Without loss of generality, X1 creates Y
–Must have an edge adding operation to add the edge from X2 to Y
–One type of node, one type of edge, so the operation can add an edge between any 2 nodes
Slide #3-99: Can B Simulate A? No
All nodes in A have an even number of incoming edges
–2-parent create adds 2 incoming edges
An edge adding operation in B that can add an edge from X2 to C can add one from X3 to C
–A cannot enter this state
–B cannot transition to a state in which Y has an even number of incoming edges
No remove rule
So B cannot simulate A; N is less expressive than M
Slide #3-100: Theorem
Monotonic single-parent models are less expressive than monotonic multiparent models
ESPM is more expressive than SPM
–ESPM is multiparent and monotonic
–SPM is monotonic but single-parent
Slide #3-101: Typed Access Matrix Model
Like ACM, but with a set of types T
–All subjects, objects have types
–Set of types for subjects: TS
Protection state is (S, O, τ, A)
–τ: O → T specifies the type of each object
–If X is a subject, τ(X) ∈ TS
–If X is an object, τ(X) ∈ T − TS
Slide #3-102: Create Rules
Subject creation
–create subject s of type ts
–s must not exist as subject or object when the operation is executed
–ts ∈ TS
Object creation
–create object o of type to
–o must not exist as subject or object when the operation is executed
–to ∈ T − TS
Slide #3-103: Create Subject
Precondition: s ∉ S
Primitive command: create subject s of type t
Postconditions:
–S´ = S ∪ { s }, O´ = O ∪ { s }
–(∀y ∈ O)[τ´(y) = τ(y)], τ´(s) = t
–(∀y ∈ O´)[a´[s, y] = ∅], (∀x ∈ S´)[a´[x, s] = ∅]
–(∀x ∈ S)(∀y ∈ O)[a´[x, y] = a[x, y]]
Slide #3-104: Create Object
Precondition: o ∉ O
Primitive command: create object o of type t
Postconditions:
–S´ = S, O´ = O ∪ { o }
–(∀y ∈ O)[τ´(y) = τ(y)], τ´(o) = t
–(∀x ∈ S´)[a´[x, o] = ∅]
–(∀x ∈ S)(∀y ∈ O)[a´[x, y] = a[x, y]]
Slide #3-105: Definitions
MTAM Model: TAM model without delete, destroy
–MTAM is Monotonic TAM
A create command with formal parameters (x1:t1, ..., xn:tn):
–ti is a child type in the command if create subject xi of type ti or create object xi of type ti occurs in its body
–ti is a parent type otherwise
Slide #3-106: Definitions
Creation Graph of an MTAM scheme
–Digraph G = (V, E) where V corresponds to the types of the scheme, and (u, v) ∈ E iff there is a creation command with u as a parent type and v as a child type
Example:
  command (x:user, f:file)
    create subject f of type file;
    enter own into a[x,f];
  end
Creation graph: user → file
Slide #3-107: Cyclic Creates
  command havoc(s1:u, s2:u, o1:v, o2:v, o3:w, o4:w)
    create subject s1 of type u;
    create object o1 of type v;
    create object o3 of type w;
    enter r into a[s2, s1];
    enter r into a[s2, o2];
    enter r into a[s2, o4]
  end
Slide #3-108: Creation Graph
u, v, w are child types
u, v, w are also parent types
Graph: lines from parent types to child types
This one has cycles
[Figure: creation graph on types u, v, w with edges from each type to each type]
Slide #3-109: Theorems
Safety is decidable for systems with acyclic MTAM schemes
Safety for acyclic ternary MTAM is decidable in time polynomial in the size of the initial ACM
–“ternary” means commands have no more than 3 parameters
–Equivalent in expressive power to MTAM
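Building the creation graph of slides 3-105 through 3-108 from a scheme's commands and testing it for cycles, which is the check that decides whether the decidability result of slide 3-109 applies. Added example, not code from the slides or the book; the command of slide 3-106 has no name on the slide, so "make_file" is a placeholder, and commands are represented as plain tuples of parameter list and body strings.

```python
# Added example: MTAM creation graph from command definitions plus a cycle test.
from typing import Dict, List, Set, Tuple

Param = Tuple[str, str]                        # (formal parameter, type)
Command = Tuple[str, List[Param], List[str]]   # (name, params, body primitives)

def split_types(cmd: Command) -> Tuple[Set[str], Set[str]]:
    """Slide 3-105: t_i is a child type if the body creates x_i as a subject or
    object of type t_i, and a parent type otherwise. Returns (parents, children)."""
    _, params, body = cmd
    created = {(x, t) for x, t in params
               if f"create subject {x} of type {t}" in body
               or f"create object {x} of type {t}" in body}
    parents = {t for x, t in params if (x, t) not in created}
    children = {t for _, t in created}
    return parents, children

def creation_graph(cmds: List[Command]) -> Dict[str, Set[str]]:
    """Slide 3-106: vertices are the scheme's types; edge u -> v iff some
    command has u as a parent type and v as a child type."""
    g: Dict[str, Set[str]] = {}
    for cmd in cmds:
        parents, children = split_types(cmd)
        for t in parents | children:
            g.setdefault(t, set())
        for u in parents:
            g[u] |= children
    return g

def has_cycle(g: Dict[str, Set[str]]) -> bool:
    """Depth-first search; reaching a type that is still on the current path
    (including a self-loop such as u -> u) means the creation graph is cyclic."""
    state: Dict[str, int] = {}      # 1 = on current path, 2 = finished
    def visit(v: str) -> bool:
        state[v] = 1
        for w in g[v]:
            if state.get(w) == 1 or (w not in state and visit(w)):
                return True
        state[v] = 2
        return False
    return any(v not in state and visit(v) for v in g)

# The two commands from the slides (name "make_file" is a placeholder).
MAKE_FILE: Command = ("make_file", [("x", "user"), ("f", "file")],
    ["create subject f of type file", "enter own into a[x,f]"])
HAVOC: Command = ("havoc",
    [("s1", "u"), ("s2", "u"), ("o1", "v"), ("o2", "v"), ("o3", "w"), ("o4", "w")],
    ["create subject s1 of type u", "create object o1 of type v",
     "create object o3 of type w", "enter r into a[s2,s1]",
     "enter r into a[s2,o2]", "enter r into a[s2,o4]"])
```

`creation_graph([MAKE_FILE])` is the acyclic graph user → file of slide 3-106, while `creation_graph([HAVOC])` puts every one of u, v, w on both sides of an edge and `has_cycle` reports the cycles slide 3-108 describes.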
Slide #3-110: Key Points
Safety problem is undecidable in general
Limiting the scope of systems can make the problem decidable
Types seem critical to the safety problem’s analysis