Presentation is loading. Please wait.

Presentation is loading. Please wait.

Toward A Mathematical Model of Computer Security Gina Duncanson Kevin Jonas Ben Lange John Loff-Peterson Ben Neigebauer.

Published byAnissa Preston Modified over 9 years ago

Similar presentations

Presentation on theme: "Toward A Mathematical Model of Computer Security Gina Duncanson Kevin Jonas Ben Lange John Loff-Peterson Ben Neigebauer."— Presentation transcript:

1 Toward A Mathematical Model of Computer Security Gina Duncanson Kevin Jonas Ben Lange John Loff-Peterson Ben Neigebauer

2 Introduction Computer security issues are a part of our daily life Model a secure computer system

3 Scope Define a secure system Use a practical example State Unwinding Theorem

4 Modeling a Computer System A system M can consist of: a set S of STATES, where s 0  is an initial state a set D of domains a set A of actions a set O of outputs

5 And Now...

6 Practical Example Today I will be talking about how one can apply the model of security that is explained in the paper we researched.

7 Defining M World Wide Web sites consists of three basic components: –Web Server –TCP/IP Connection –Web Browser Client

8 Defining S Web Servers always have a finite state. Generally a server travels through a cycle of states. s 0 is wait mode on a web server.

9 Defining D A domain is a defined section of a system. All the actions of a system occur within specified domains. This means that we can talk about actions as they relate to a client or web server’s computer.

10 Defining A An action is similar to a verb. Two example actions include: –A Client Inserting a URL –A Server Processing one Code Statement

11 Defining O Outputs are the immediate result of an action. When looking at a web site an output is: –A web server sending back a confirmation message that it exists. –The result of one code statement.

12 Putting it all together In order for all of these events to fit together, there are several dependencies between S, D, A, & O.

13 Modeling a Computer System A system M can consist of: function step: S  A  S, where step(s n, a) denotes the next state of the system after applying action a

14 Modeling a Computer System A system M can consist of: function output: S  A  O, where output(s,a) denotes the result returned by the action a Example: “write” command to file

15 Modeling a Computer System A system M can consist of: function run: S  A*  S Example: run(s,  ) = s, where  is an empty sequence of actions

16 Terminology STATES: use the letters s,t ACTIONS: use the letters a,b SEQUENCES OF ACTIONS: use Greek letters ,  DOMAIN: use the letters u,v,w

17 Communication Two domains u,v communicate if there is an information flow channel between them.

18 Definition Security Policy: A set of rules defining what domains can communicate. Specified by a reflexive relation:  on a domain D

19 Definition Security: A system is secure if the given security policy of the system completely defines all possible communication channels.

20 Security 2 ASSUMPTIONS: –set of security domains {u,v} –policy that restricts allowable flow of information among the domains above

21 And Now...

22 Noninterference The idea of noninterference is really rather simple: a security domain u is non-interfering with domain v if no action performed by u can influence subsequent outputs seen by v.

23 Intransitive Noninterference Let u not see v but u see x and x see v where u,v, and x are domains. This is an example of intransitive noninterference. In short, intransitive noninterference means there is no direct communication between u and v.

24 Intransitive Noninterference

25 And Now...

26 Definition ~ purge if dom(a) interferes with v otherwise

27 Security Security is identified by:

28 Restating the Expressions

29 Security Security is now identified by:

30 View-Partitioned Equivalence Relation Output Consistent

31 And Now...

32 Test and Do Test and do are abbreviations of frequently used expressions Then we say that a system is secure for policy

33 Output Consistency A system M is view-partitioned if, for each domain, there is an equivalence relation on S These equivalence relations are said to be output consistent if The output after executing action a is the for the states s and t, so s and t are equivalent views

34 Views For an output consistent system, security is achieved if “views" are unaffected. Let be a policy and M a view partitioned, output consistent system such that, This means that if you perform sequence it is equivalent to executing the purged version Then M is secure for

35 Views Proof: Setting u = dom(a) in the statement of the lemma gives and now substituting the u=dom(a) in for s and t, output consistency provides

36 Views But this is simply Which is the definition of security for Listed before

37 Unwinding Theorem Why is the unwinding theorem important? It provides a basis for practical methods for verifying systems that enforce noninterference policies Serves to relate noninterference policies to access control mechanisms.

38 Unwinding Theorem What is the Unwinding Theorem? It is hard to work with sequences of actions. The unwinding theorem states that if the security policy holds for each action, then it holds for the sequence.

39 Unwinding Theorem More Formally Let be a policy and M a view partitioned system that is: output consistent step consistent locally respects Then M is secure for

40 Questions Any Questions??

41 References “Noninterference, Transitivity, and Channel-Control Security Policies” by John Rushby “Problems in Computer Security” by Auerbach, Kerbel, Megraw, Osburn, Shetty with mentor John Hoffman

42 Thank You Dr. Steve Decklemen

Download ppt "Toward A Mathematical Model of Computer Security Gina Duncanson Kevin Jonas Ben Lange John Loff-Peterson Ben Neigebauer."

Similar presentations

Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Global States.

Global States.
Distributed Snapshots: Determining Global States of Distributed Systems Joshua Eberhardt Research Paper: Kanianthra Mani Chandy and Leslie Lamport.

Distributed Snapshots: Determining Global States of Distributed Systems Joshua Eberhardt Research Paper: Kanianthra Mani Chandy and Leslie Lamport.
Impossibility of Distributed Consensus with One Faulty Process

Impossibility of Distributed Consensus with One Faulty Process
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.

C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.
Copyright © Cengage Learning. All rights reserved.

Copyright © Cengage Learning. All rights reserved.
Software Connectors Software Architecture. Importance of Connectors Complex, distributed, multilingual, modern software system functionality and managing.

Software Connectors Software Architecture. Importance of Connectors Complex, distributed, multilingual, modern software system functionality and managing.
1 Introduction to Computability Theory Lecture4: Regular Expressions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture4: Regular Expressions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture11: Variants of Turing Machines Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture11: Variants of Turing Machines Prof. Amos Israeli.
1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,

1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,
Induction Sections 41. and 4.2 of Rosen Fall 2008 CSCE 235 Introduction to Discrete Structures Course web-page: cse.unl.edu/~cse235 Questions:

Induction Sections 41. and 4.2 of Rosen Fall 2008 CSCE 235 Introduction to Discrete Structures Course web-page: cse.unl.edu/~cse235 Questions:
Slides prepared by Rose Williams, Binghamton University Chapter 1 Getting Started 1.1 Introduction to Java.

Slides prepared by Rose Williams, Binghamton University Chapter 1 Getting Started 1.1 Introduction to Java.
Dynamic adaptation of parallel codes Toward self-adaptable components for the Grid Françoise André, Jérémy Buisson & Jean-Louis Pazat IRISA / INSA de Rennes.

Dynamic adaptation of parallel codes Toward self-adaptable components for the Grid Françoise André, Jérémy Buisson & Jean-Louis Pazat IRISA / INSA de Rennes.
CPSC 668Set 16: Distributed Shared Memory1 CPSC 668 Distributed Algorithms and Systems Fall 2006 Prof. Jennifer Welch.

CPSC 668Set 16: Distributed Shared Memory1 CPSC 668 Distributed Algorithms and Systems Fall 2006 Prof. Jennifer Welch.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Introduction to the Application.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Introduction to the Application.
Layer 7- Application Layer

Layer 7- Application Layer
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
Copyright © Cengage Learning. All rights reserved.

Copyright © Cengage Learning. All rights reserved.

Similar presentations

Ads by Google