November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.

Slides:



Advertisements
Similar presentations
Variants of Turing machines
Advertisements

1 1 -Access Control Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.
Decidable A problem P is decidable if it can be solved by a Turing machine T that always halt. (We say that P has an effective algorithm.) Note that the.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Fall 2004COMP 3351 Undecidable problems for Recursively enumerable languages continued…
Prof. Busch - LSU1 Decidable Languages. Prof. Busch - LSU2 Recall that: A language is Turing-Acceptable if there is a Turing machine that accepts Also.
P, NP, PS, and NPS By Muhannad Harrim. Class P P is the complexity class containing decision problems which can be solved by a Deterministic Turing machine.
Reducibility A reduction is a way of converting one problem into another problem in such a way that a solution to the second problem can be used to solve.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
Fall 2004COMP 3351 Reducibility. Fall 2004COMP 3352 Problem is reduced to problem If we can solve problem then we can solve problem.
Homework #9 Solutions.
1 Decidability continued. 2 Undecidable Problems Halting Problem: Does machine halt on input ? State-entry Problem: Does machine enter state halt on input.
Courtesy Costas Busch - RPI1 Reducibility. Courtesy Costas Busch - RPI2 Problem is reduced to problem If we can solve problem then we can solve problem.
1 Reducibility. 2 Problem is reduced to problem If we can solve problem then we can solve problem.
1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.
Complexity and Computability Theory I Lecture #13 Instructor: Rina Zviel-Girshin Lea Epstein Yael Moses.
IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model.
Chapter 2: Access Control Matrix
Full FOPL is undecidable sketch of proof by reduction to Halting problem s CS3518 Buchi, J.R. (1962) “Turing machines and the Entscheidungsproblem,” Boolos,
Review Byron Gao. Overview Theory of computation: central areas: Automata, Computability, Complexity Computability: Is the problem solvable? –solvable.
Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model Protection State Transitions –Commands –Conditional Commands.
Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
Slide #2-1 Access Control Matrix and Safety Results CS461/ECE422 Computer Security I, Fall 2009 Based on slides provided by Matt Bishop for use with Computer.
BUSY BEAVER PROBLEM by Alejandro Mendoza Rigoberto Fernandez School of Computer Science 04/18/2005.
1 Turing’s Thesis. 2 Turing’s thesis: Any computation carried out by mechanical means can be performed by a Turing Machine (1930)
Fundamentals of Informatics Lecture 13 Reduction Bas Luttik.
2/1/20161 Computer Security Foundational Results.
Recursively Enumerable Languages
Lecture 17 Undecidability Topics:  TM variations  Undecidability June 25, 2015 CSCE 355 Foundations of Computation.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 4 September 18, 2012 Access Control Model Foundational Results.
Overview of the theory of computation Episode 3 0 Turing machines The traditional concepts of computability, decidability and recursive enumerability.
1 Turing Machines - Chap 8 Turing Machines Recursive and Recursively Enumerable Languages.
1 Chapter 9 Undecidability  Turing Machines Coded as Binary Strings  Universal Turing machine  Diagonalizing over Turing Machines  Problems as Languages.
April 8, 2004ECS 235Slide #1 Overview Safety Question HRU Model Take-Grant Protection Model SPM, ESPM –Multiparent joint creation Expressive power Typed.
INFSCI 2935: Introduction of Computer Security1 September 13, 2005 Introduction to Computer Security Lecture 3 Take Grant Model (Cont) HRU Schematic Protection.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.
November 1, 2004Introduction to Computer Security © 2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model Protection.
Donghyun (David) Kim Department of Mathematics and Computer Science North Carolina Central University 1 Chapter 5 Reducibility Some slides are in courtesy.
Undecidability and The Halting Problem
1 8.4 Extensions to the Basic TM Extended TM’s to be studied: Multitape Turing machine Nondeterministic Turing machine The above extensions make no increase.
September 10, 2012Introduction to Computer Security © 2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model.
Chapters 11 and 12 Decision Problems and Undecidability.
8. Introduction to Turing Machines
IS 2150 / TEL 2810 Introduction to Security
IS 2150 / TEL 2810 Introduction to Security
Reductions Costas Busch - LSU.
LIMITS OF ALGORITHMIC COMPUTATION
Introduction to Computer Security Lecture 2
Intro to Theory of Computation
IS 2150 / TEL 2810 Information Security & Privacy
Chapter 13: Design Principles
Intro to Theory of Computation
IS 2150 / TEL 2810 Introduction to Security
Decidable Languages Costas Busch - LSU.
8. Introduction to Turing Machines
Decidability Turing Machines Coded as Binary Strings
Decidability Turing Machines Coded as Binary Strings
Overview Safety Question HRU Model Take-Grant Protection Model
Computer Security Foundations
Advanced System Security
IS 2150 / TEL 2810 Information Security & Privacy
Chapter 3: Foundational Results
Chapter 2: Access Control Matrix
Decidability continued….
Variants of Turing machines
IS 2150 / TEL 2810 Introduction to Security
IS 2150 / TEL 2810 Introduction to Security
Turing Machines Everything is an Integer
IS 2150 / TEL 2810 Introduction to Security
Presentation transcript:

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-2 Overview Safety Question HRU Model

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-3 What Is “Secure”? Adding a generic right r where there was not one is “leaking” If a system S, beginning in initial state s 0, cannot leak right r, it is safe with respect to the right r.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-4 Safety Question Does there exist an algorithm for determining whether a protection system S with initial state s 0 is safe with respect to a generic right r? –Here, “safe” = “secure” for an abstract model

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-5 Mono-Operational Commands Answer: yes Sketch of proof: Consider minimal sequence of commands c 1, …, c k to leak the right. – Can omit delete, destroy – Can merge all creates into one Worst case: insert every right into every entry; with s subjects and o objects initially, and n rights, upper bound is k ≤ n(s+1)(o+1)

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-6 General Case Answer: no Sketch of proof: Reduce halting problem to safety problem Turing Machine review: –Infinite tape in one direction –States K, symbols M; distinguished blank b –Transition function  (k, m) = (k, m, L) means in state k, symbol m on tape location replaced by symbol m, head moves to left one square, and enters state k –Halting state is q f ; TM halts when it enters this state

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-7 Mapping A BCD… 1234 head s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B C k D end own Current state is k

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-8 Mapping A BXD… 1234 head s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B X D k 1 end own After  (k, C) = (k 1, X, R) where k is the current state and k 1 the next state

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-9 Command Mapping  (k, C) = (k 1, X, R) at intermediate becomes command c k,C (s 3,s 4 ) if own in A[s 3,s 4 ] and k in A[s 3,s 3 ] and C in A[s 3,s 3 ] then delete k from A[s 3,s 3 ]; delete C from A[s 3,s 3 ]; enter X into A[s 3,s 3 ]; enter k 1 into A[s 4,s 4 ]; end

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-10 Mapping A BXY 1234 head s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B X Y own After  (k 1, D) = (k 2, Y, R) where k 1 is the current state and k 2 the next state s5s5 s5s5 own b k 2 end 5 b

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-11 Command Mapping  (k 1, D) = (k 2, Y, R) at end becomes command crightmost k,C (s 4,s 5 ) if end in A[s 4,s 4 ] and k 1 in A[s 4,s 4 ] and D in A[s 4,s 4 ] then delete end from A[s 4,s 4 ]; create subject s 5 ; enter own into A[s 4,s 5 ]; enter end into A[s 5,s 5 ]; delete k 1 from A[s 4,s 4 ]; delete D from A[s 4,s 4 ]; enter Y into A[s 4,s 4 ]; enter k 2 into A[s 5,s 5 ]; end

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-12 Rest of Proof Protection system exactly simulates a TM –Exactly 1 end right in ACM –1 right in entries corresponds to state –Thus, at most 1 applicable command If TM enters state q f, then right has leaked If safety question decidable, then represent TM as above and determine if q f leaks –Implies halting problem decidable Conclusion: safety question undecidable

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-13 Other Results Set of unsafe systems is recursively enumerable Delete create primitive; then safety question is complete in P-SPACE Delete destroy, delete primitives; then safety question is undecidable –Systems are monotonic Safety question for monoconditional, monotonic protection systems is decidable Safety question for monoconditional protection systems with create, enter, delete (and no destroy) is decidable.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-14 Key Points Safety problem undecidable Limiting scope of systems can make problem decidable