Other Access Control Models

The Take-Grant Protection Model
Can safety be guaranteed for a specific system? Yes, for a specific collection of commands, called the take-grant protection model.
It is a graph model in which subjects, objects, and vertices that may be either are each drawn with their own vertex symbol. Labeled edges represent the rights of the source vertex over the destination vertex, taken from a set R with two special rights: t for take and g for grant.
Graph-rewrite rules are used to derive permissions from R.

De jure rules - i
i. X creates (a to new vertex) Y: a new vertex Y is added, with an edge from X to Y labeled a.
ii. X removes a from Y: the edge from X to Y, labeled b, is relabeled b - a; if b - a is then empty, the edge is removed.

De jure rules - ii
iii. X takes (a to Z) from Y: X has t over Y, and Y has b over Z with a ⊆ b; afterwards X also has a over Z.
iv. Z grants (a to Y) to X: Z has g over X, and Z has b over Y with a ⊆ b; afterwards X also has a over Y.

Protection State
Protection state = graph. State transition = rewriting the graph, written G0 ├* Gn.
Example (the rule preconditions require that z holds t over x and a over y):
x creates (t, g to new) v
z takes (g to v) from x
z grants (a to y) to v
x takes (a to y) from v
v is removed
Afterwards x holds a over y.

Sharing of Rights
Definition: the predicate can-share(a, x, y, G0) is true for a set of rights a and two vertices x, y iff there is a sequence of graphs G1, ..., Gn such that G0 ├* Gn, each step using one of the four de jure rules, and Gn has an a-labeled edge from x to y.
Definition: a tg-path is a sequence v0, ..., vn of distinct vertices where every vi is connected to vi+1, in either direction, by an edge labeled t or g.
Definition: vertices are tg-connected if there is a tg-path between them.

Lemma: sharing
Statement: any two subjects joined by a tg-path of length 1 can share some rights.
Proof: the take and grant rules cover two of the four cases (edge label and direction); the following lemmas cover the other two.
Lemma 3-1: if Z has t over X and Z has a over Y, then G0 ├* a graph in which X has a over Y.

Proof of Claim 3-1
Step 1: X creates (t, g to new vertex) V.
Step 2: Z takes (g to V) from X.

Proof of Claim 3-1 (continued)
Step 3: Z grants (a to Y) to V.
Step 4: X takes (a to Y) from V.
X now has a over Y.

Lemma 3-2
The corresponding case in which the length-1 tg-path between X and Z carries a g label: if X has g over Z and Z has a over Y, then G0 ├* a graph in which X has a over Y.
Observation: the take and grant rules are symmetric if the vertices on the tg-path between X and Y are subjects.

More definitions and properties - 1
Definition: an island is a maximal tg-connected subject-only subgraph.
Lemma: a right possessed by any vertex in an island can be shared with any other vertex in the island.
Transferring rights between islands: a subject in one island must be able to take the right from a subject in another island.
Notation: the four basic symbols t→, t←, g→ and g← (the arrow gives the edge's direction relative to the direction of travel along the path) are used to describe a path; a path's word is built from the basic symbols with * (repetition) and concatenation.

More definitions and properties - 2
Definition: a bridge is a tg-path between two subject endpoints, characterised by the path's word.
Observation: rights can be transferred from one endpoint of a bridge to the other.
Theorem: subject-can-share(a, x, y, G0) is true iff x and y are subjects and either there is an a-labeled edge from x to y in G0, or both of the following hold:
there is a subject s ∈ G0 with an edge from s to y labeled a;
there are islands I1, ..., In such that x ∈ I1, s ∈ In, and there is a bridge from Ij to Ij+1 for each j.
Observation: because objects cannot act, the transfer of a right may begin or end at an object.

More Definitions and Properties - 3
Observation: only subjects can act, so a transfer begins with a right possessed by an object and ends with that right given to another object.
Definition: a vertex x initially spans to y if x is a subject and there is a tg-path from x to y with a word in {t→* g→} ∪ {ν}, where ν is the empty word. This means X can grant a right it possesses to Y (taking along the t edges and granting over the final g edge).

More Definitions and Properties - 4
Definition: a vertex x terminally spans to y if x is a subject and there is a tg-path from x to y with a word in {t→*} ∪ {ν}. This means X may take any right that Y possesses: in the figure, X reaches Y along a chain of t edges, Y has a over W, and X ends up having a over W.

More Definitions and Properties - 5
Theorem: can-share(a, x, y, G0) is true iff there is an edge from x to y in G0 labeled a, or the following hold simultaneously:
(a) there is a vertex s ∈ G0 with an edge from s to y labeled a;
(b) there is a subject vertex x' such that x = x' or x' initially spans to x;
(c) there is a subject vertex s' such that s' = s or s' terminally spans to s;
(d) there are islands I1, ..., In such that x' ∈ I1, s' ∈ In, and there is a bridge from Ij to Ij+1 for each j.
See the next slide.

Explanation
Either there is an a edge from X to Y, or:
1. S has an a-labeled edge to Y;
2. S' can take a from S;
3. X' and S' are connected through a sequence of islands;
4. X' can grant a to X.

Safety in the take-grant model
Theorem: there is an algorithm of complexity O(|V| + |E|) to test the validity of can-share(a, x, y, G0).
By choosing the correct kind of rules we can answer questions like: can my computer access my files?

The One-Subject Case
Theorem: let G0 be a graph with one subject and no edges, and R a set of rights. G0 ├* G iff
1. G is a finite directed acyclic graph containing subjects and objects only, with edges labeled with non-empty subsets of R, and
2. at least one subject has no incoming edges.
Proof: (⇐) Suppose G satisfies 1 and 2. Let subjects(G) = {x1, ..., xn}, with x1 having no incoming edge. Construct G' as follows:

Proof
Let V = x1. For each i = 2, ..., n, perform V creates (a ∪ {g} to) new xi, where a is the union of all labels on edges into xi in G.
For all pairs xi, xj in G where xi has rights a over xj, perform V grants (a to xj) to xi.
Perform V removes ((a ∪ {g}) - b to) xj, where b = {r : r labels the edge xi → xj in G}.
The resulting graph is G'.

Proof Continued
(⇒) Let V be the initial subject and G0 ├* G. Then by inspection of the rules, G is finite, loop-free, directed, consists of subjects and objects only, and all its edges have non-empty labels. Furthermore, no rule deletes V, so V ∈ G, and no rule allows incoming edges to V.

Theft in the T-G Model
To share, the owner has to cooperate; the notion of sharing fails to capture an owner's unwillingness to share.
Stealing happens when the owner does not grant some right over an object to other subjects, but some subject can get the right indirectly.

Stealing in the T-G Model
Definition: let X, Y ∈ G0 and a ∈ R. can-steal(a, X, Y, G0) is true when there is no a-labeled edge from X to Y in G0 and there exists a sequence of graphs G1, ..., Gn such that:
a. there is an a-labeled edge from X to Y in Gn;
b. there is a sequence of rules r1, ..., rn where applying ri yields Gi-1 ├ Gi;
c. for all V, W ∈ Gi-1, if there is an a edge from V to Y, then ri is not of the form "V grants (a to Y) to W".
Thus condition (c) stops owners from transferring the a rights to others (but they may transfer other rights).

An Example of Stealing
can-steal(a, S, W, G0): in G0, U holds a over W and g over S, U holds t over V, and V holds t over U.
U grants (t to V) to S (the owner of a over W grants t to V, not a)
S takes (t to U) from V
S takes (a to W) from U
The owner U of the stolen right a grants other rights to another subject (t rights to V are granted to S). This is the reason for MAC.
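The four de jure rules, the derivation on the Protection State slide (which is also the witness for Lemma 3-1) and the stealing example above can be replayed mechanically. The Python below is an added example written for this page, not code from the slides or from the model's original presentation; the names TakeGrantGraph, RuleError, share_witness, steal_witness, owner_granted and precondition_enforced are this example's own, and the initial edges of each graph are the ones the rule preconditions require. Each rule checks its precondition before rewriting the graph and records what it did, so condition (c) of can-steal can be audited from the log afterwards.

```python
# Added example (not from the slides): a small take-grant rule engine.
# Names (TakeGrantGraph, RuleError, share_witness, steal_witness, owner_granted)
# are this example's own; the initial edges are the ones the rules' preconditions need.

class RuleError(Exception):
    """Raised when a de jure rule is applied without its precondition."""


class TakeGrantGraph:
    def __init__(self, subjects, objects, edges):
        self.subjects, self.objects = set(subjects), set(objects)
        self.edges = {e: set(r) for e, r in edges.items()}  # (src, dst) -> rights
        self.log = []                                          # rules applied, in order

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def _require(self, cond, msg):
        if not cond:
            raise RuleError(msg)

    def _actor(self, x):
        self._require(x in self.subjects, f"{x} is not a subject and cannot act")

    def create(self, x, rights, new, subject=False):
        """Rule (i): x creates (rights to new vertex) new."""
        self._actor(x)
        self._require(new not in (self.subjects | self.objects), f"{new} already exists")
        (self.subjects if subject else self.objects).add(new)
        self.edges[(x, new)] = set(rights)
        self.log.append(("create", x, frozenset(rights), new))

    def remove(self, x, rights, y):
        """Rule (ii): x removes (rights to) y; an emptied edge disappears."""
        self._actor(x)
        self._require((x, y) in self.edges, f"no edge {x} -> {y}")
        self.edges[(x, y)] -= set(rights)
        if not self.edges[(x, y)]:
            del self.edges[(x, y)]
        self.log.append(("remove", x, frozenset(rights), y))

    def take(self, x, rights, z, y):
        """Rule (iii): x takes (rights to z) from y; needs x -t-> y and y -rights-> z."""
        self._actor(x)
        self._require("t" in self.rights(x, y), f"{x} has no t right over {y}")
        self._require(set(rights) <= self.rights(y, z), f"{y} lacks {set(rights)} over {z}")
        self.edges.setdefault((x, z), set()).update(rights)
        self.log.append(("take", x, frozenset(rights), z, y))

    def grant(self, z, rights, y, x):
        """Rule (iv): z grants (rights to y) to x; needs z -g-> x and z -rights-> y."""
        self._actor(z)
        self._require("g" in self.rights(z, x), f"{z} has no g right over {x}")
        self._require(set(rights) <= self.rights(z, y), f"{z} lacks {set(rights)} over {y}")
        self.edges.setdefault((x, y), set()).update(rights)
        self.log.append(("grant", z, frozenset(rights), y, x))


def share_witness():
    """Protection State slide / Lemma 3-1: z holds t over x and a over y; x ends with a over y."""
    g = TakeGrantGraph(subjects={"x", "z"}, objects={"y"},
                       edges={("z", "x"): {"t"}, ("z", "y"): {"a"}})
    g.create("x", {"t", "g"}, "v")    # x creates (t, g to new) v
    g.take("z", {"g"}, "v", "x")      # z takes (g to v) from x
    g.grant("z", {"a"}, "y", "v")     # z grants (a to y) to v
    g.take("x", {"a"}, "y", "v")      # x takes (a to y) from v
    g.remove("x", {"t", "g"}, "v")    # x drops its edge to the scratch vertex v
    return g


def steal_witness():
    """Stealing slide: u owns a over w and grants s only t (to v); s still obtains a over w."""
    g = TakeGrantGraph(subjects={"u", "s", "v"}, objects={"w"},
                       edges={("u", "w"): {"a"}, ("u", "s"): {"g"},
                              ("u", "v"): {"t"}, ("v", "u"): {"t"}})
    g.grant("u", {"t"}, "v", "s")     # u grants (t to v) to s
    g.take("s", {"t"}, "u", "v")      # s takes (t to u) from v
    g.take("s", {"a"}, "w", "u")      # s takes (a to w) from u
    return g


def owner_granted(g, right, target):
    """Condition (c) of can-steal: did any holder of `right` over `target` ever grant it?
    A grant of (right to target) presupposes the grantor holds it, so scanning the log suffices."""
    return any(e[0] == "grant" and right in e[2] and e[3] == target for e in g.log)


def precondition_enforced():
    """A take without the t right is rejected, so a witness cannot skip a rule's precondition."""
    g = TakeGrantGraph(subjects={"x"}, objects={"y", "z"}, edges={("z", "y"): {"a"}})
    try:
        g.take("x", {"a"}, "y", "z")  # x holds no t right over z
    except RuleError:
        return True
    return False
```

Running share_witness() leaves x with a over y and no edge to v; running steal_witness() leaves s with a over w while owner_granted(g, "a", "w") stays False, which is exactly what makes the sequence a witness to can-steal rather than to ordinary sharing.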

Characterizing can-steal
Theorem: can-steal(a, X, Y, G0) is true iff
1. there is no a-labeled edge from X to Y in G0;
2. there is a subject vertex X' with X' = X or X' initially spanning to X;
3. there is a vertex S ∈ G0 with an a-labeled edge to Y in G0 such that can-share(t, X', S, G0) holds.
Observation: to steal, there must be a tg-path through which the thief can share (X' initially spans to the thief X, and X' can share t over S).

Proof (⇐)
If X is a subject: X needs to obtain t rights over S and then uses the take rule to obtain a, satisfying can-steal(a, X, Y, G0).
If X is an object: by the can-share theorem there is a subject vertex X' that initially tg-spans to X with can-share(t, X', S, G0) true. Assume the tg-span has length 1 and X' has t rights over S in G0. If X' does not have an a-labeled edge to Y, X' takes a rights to Y and grants them to X, satisfying the definition. If it does, X' creates a surrogate X'' and provides it with t rights over S:
a. X' creates (g to new subject) X''
b. X' grants (t to S) to X''
c. X' grants (g to X) to X''
Now X'' has t rights over S and g rights over X, so apply:
1. X'' takes (a to Y) from S
2. X'' grants (a to Y) to X

Proof (⇒)
Assume can-steal(a, X, Y, G0). Then condition 1 of the theorem holds from the definition of can-steal. Condition 2 of the can-share theorem implies condition 2 of this theorem, and condition 3 of the can-share theorem implies that S satisfies condition 3 of this theorem. It remains to prove can-share(t, X', S, G0).
Consider a minimal-length sequence of rule applications transforming G0 to Gn, with Gi-1 ├ri Gi, such that there is an edge labeled a from some vertex P to Y in Gi but not in Gi-1. Then Gi is the first graph in which an a edge to Y is added.

Proof continued - 2
So ri is neither a remove nor a create rule. By condition (c) of can-steal, all vertices with a rights over Y in Gi-1 are in G0 and may not grant them, so ri is not a grant rule. Hence ri is a take rule of the form "P takes (a to Y) from S", where P has t over S and S has a over Y in Gi-1. Hence can-share(t, P, S, G0) holds.
By condition (c) of the can-share theorem, there is a subject S' such that S' terminally spans to S or S' = S.
By condition (d) of the can-share theorem, there are islands I1, ..., In satisfying X' ∈ I1 and S' ∈ In.

Proof continued - 3
If S is an object (hence S ≠ S'), there are two cases. If S' and P are in the same island, take P as S'. If not, the derivation is not of minimal length (why?), so choose S' in the same island for a shorter proof. The conditions of the can-share theorem are met, so can-share(t, X', S, G0) holds.

Proof continued - 4
If S is a subject (i.e. S = S'), then P ∈ In; we must show P ∈ G0 for the can-share theorem to hold. If P ∉ G0, there is a subject Q in some island with can-share(t, Q, S, G0). Because S is the owner of a rights over Y in G0, we must derive a witness for this sharing in which S never grants (a to Y). If S ≠ Q, replace "S grants (a to Y) to Q" with:
P takes (a to Y) from S
P takes (g to Q) from S
P grants (a to Y) to Q
So there is a witness to can-share(t, Q, S, G0) without S granting (a to Y).

Conspiracy in the TG-Model
Many actors may be required to steal in the TG model. Any subject Y can take rights from any X that Y terminally spans to, and give rights to any X that Y initially spans to.
Definition: the access set with focus Y, A(Y) = {all nodes X that Y terminally spans to} ∪ {all nodes X that Y initially spans to}.
The entities from whom one can get rights and the entities to whom one can give rights form one's access set with focus.

The Deletion Set
Definition: the deletion set d(Y, Y') is the set of all Z satisfying Z ∈ A(Y) ∩ A(Y') and one of:
Y initially spans to Z and Y' terminally spans to Z;
Y terminally spans to Z and Y' initially spans to Z;
Z = Y;
Z = Y'.
It represents the nodes through which Y and Y' can transfer rights between them.

An Example Deletion Set
A(x) = {x, a}, A(e) = {e, d, i, j}, A(b) = {b, a}, A(y) = {y}, A(c) = {c, b, d}, A(f) = {f, y}, A(d) = {d}, A(h) = {h, f, i}.
z is not in A(e) because along the path e-z, e neither terminally nor initially spans to z.
d(x, b) = {a}, d(c, d) = {d}, d(y, f) = {y}, d(b, c) = {b}, d(d, e) = {d}, d(c, e) = {d}.

Creating Conspiracy Graphs
Procedure: the conspiracy graph H of G0 is created to satisfy the following conditions:
for each subject s ∈ G0 there is a vertex h(s) ∈ H with the same label;
if d(Y, Y') ≠ ∅ in G0, there is a line between h(Y) and h(Y') in H.
Conspiracy graphs represent paths of transfer. The lines are undirected because rights can be transferred in either direction.

An Example Conspiracy Graph
With the access sets and deletion sets of the previous slide, the conspiracy graph H has vertices h(x), h(b), h(c), h(d), h(e), h(h), h(y) and h(f), with a line between h(Y) and h(Y') wherever d(Y, Y') ≠ ∅.

Two Theorems on Conspirators
Theorem 1: can-share(a, X, Y, G0) iff there is a path from some h(p) ∈ I(X) to some h(q) ∈ T(Y), where
I(X) = {h(X)} ∪ {h(X') : X' initially spans to X}
T(X) = {h(X)} ∪ {h(X') : X' terminally spans to X}
Theorem 2: let L be the number of vertices on the shortest path between h(p) and h(q). Then L conspirators are necessary to produce a witness to can-share(a, X, Y, G0).

Back to the Example
The shortest path between h(e) and h(x) has 4 vertices: h(x), h(b), h(c), h(e). So 4 conspirators are necessary and sufficient to witness can-share(r, x, y, G0).
How does it work?
e grants (r to y) to d
c takes (r to y) from d
c grants (r to y) to b
b grants (r to y) to a
x takes (r to y) from a
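The span definitions from the "More Definitions and Properties" slides, the access sets, the deletion sets and the conspiracy graph of the last few slides can all be computed from a take-grant graph. The Python below is an added example, not code from the slides: because the slides' figure did not come through, the graph it uses is a constructed one (an assumption) chosen so that the access sets and deletion sets match the values the slides list, with e holding r over y as in the final derivation. Spans are found by walking simple tg-paths with a two-state automaton over the words t→* and t→* g→, and the conspirator count is the number of vertices on the shortest path in the conspiracy graph, as in Theorem 2.

```python
# Added example (not from the slides): spans, access sets, deletion sets and the
# conspiracy graph on a constructed take-grant graph (assumption: built to reproduce
# the A() and d() values the slides list, not the slides' own figure).
from collections import deque
from itertools import combinations

SUBJECTS = {"x", "b", "c", "d", "e", "h", "f", "y"}
OBJECTS = {"a", "i", "j", "z"}
EDGES = {                      # (source, destination) -> set of rights
    ("x", "a"): {"t"}, ("b", "a"): {"g"}, ("c", "b"): {"g"}, ("c", "d"): {"t"},
    ("e", "d"): {"g"}, ("e", "i"): {"t"}, ("e", "j"): {"t"}, ("e", "y"): {"r"},
    ("h", "f"): {"g"}, ("h", "i"): {"t"}, ("f", "y"): {"g"}, ("z", "e"): {"t"},
}

TERMINAL, INITIAL = 0, 1   # automaton states: word so far is in t->*  /  in t->* g->


def spans(x, accept):
    """Vertices that subject x spans to by a tg-path (distinct vertices) whose word,
    read along the path, is in t->* (accept=TERMINAL) or t->* g-> (accept=INITIAL).
    The empty word nu is always accepted, so x spans to itself. Objects span nothing."""
    if x not in SUBJECTS:
        return set()
    found = {x}

    def walk(v, state, on_path):
        for (src, dst), rights in EDGES.items():
            if src != v or dst in on_path:        # only outgoing edges, simple paths
                continue
            for right in rights & {"t", "g"}:
                nxt = {(TERMINAL, "t"): TERMINAL, (TERMINAL, "g"): INITIAL}.get((state, right))
                if nxt is None:                   # nothing may follow a g-> step
                    continue
                if nxt == accept:
                    found.add(dst)
                walk(dst, nxt, on_path | {dst})

    walk(x, TERMINAL, {x})
    return found


def access_set(y):
    """A(y): everything y can take from (terminal spans) or give to (initial spans)."""
    return spans(y, TERMINAL) | spans(y, INITIAL)


def deletion_set(y, y2):
    """d(y, y2): vertices in A(y) & A(y2) through which y and y2 can hand a right across."""
    term_y, init_y = spans(y, TERMINAL), spans(y, INITIAL)
    term_y2, init_y2 = spans(y2, TERMINAL), spans(y2, INITIAL)
    return {z for z in (term_y | init_y) & (term_y2 | init_y2)
            if z in (y, y2)
            or (z in init_y and z in term_y2)     # y gives to z, y2 takes from z
            or (z in term_y and z in init_y2)}    # y takes from z, y2 gives to z


def conspiracy_graph():
    """H: one vertex h(s) per subject, an undirected line wherever the deletion set is non-empty."""
    h = {s: set() for s in SUBJECTS}
    for y, y2 in combinations(sorted(SUBJECTS), 2):
        if deletion_set(y, y2):
            h[y].add(y2)
            h[y2].add(y)
    return h


def shortest_path(h, start, goal):
    """Breadth-first search in H; returns the vertex sequence or None if disconnected."""
    prev, queue = {start: None}, deque([start])
    while queue:
        v = queue.popleft()
        if v == goal:
            path = []
            while v is not None:
                path.append(v)
                v = prev[v]
            return path[::-1]
        for w in sorted(h[v]):
            if w not in prev:
                prev[w] = v
                queue.append(w)
    return None


def conspirators(holder, receiver):
    """Theorem 2: vertices on the shortest H-path = conspirators needed to move a right."""
    path = shortest_path(conspiracy_graph(), holder, receiver)
    return len(path) if path else None
```

On this graph d(e, h) is empty even though i lies in both A(e) and A(h): both subjects can only take from i, and a vertex that two subjects merely take from cannot carry a right between them. The shortest path from h(e) to h(x) runs h(e), h(c), h(b), h(x), so conspirators("e", "x") returns 4, matching the slide; f, h and y form a separate component, so no right of e's can reach y through conspirators at all.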