ISA 562 Internet Security Theory and Practice - PowerPoint PPT Presentation

Provided by: lwa86
1
ISA 562 Internet Security Theory and Practice
  • Access Control 2: Foundational Results
  • Chapters 3.0 to 3.3.1 and 15.1, 15.2
    of Bishop's book.

2
Overview
  • Review
  • The access control matrix model
  • Undecidability
  • Turing machines and the halting problem
  • Safety Questions
  • The Harrison-Ruzzo-Ullman (HRU) result

3
Access Control Matrix
  • A model of protection systems
  • Describes who (subject) can do what (rights) to
    whom (object/subject)
  • Example
  • An instructor can assign and grade homework and
    exams
  • A TA can grade homework
  • Students can evaluate the instructor and TA

4
State Transition Commands
  • Primitive command
  • create/destroy subject s (or object o)
  • enter/delete r into/from A[s,o]
  • Command
  • If instructor can grade exam and TA can grade
    h.w.
  • Then revoke TA's rights in grading the h.w.
  • And let him grade the exam
  • Mono-conditional/mono-operational
  • Condition cannot be negative or contain "or"
  • if instructor can grade exam or TA can grade
    exam
  • if TA cannot grade h.w.

5
Undecidable Problems
  • Problems that no algorithm can solve
  • No program can give a decisive answer of yes or
    no on any legitimate input
  • A program may give correct answer for all yes
    cases but runs forever (w/o an answer) for no
    cases
  • Example
  • Problem: with any input file x, tell me if any
    given program y halts and outputs hello world
  • A software engineer claims his hello world
    checker (HWC) program can answer yes or no
    to our problem
  • Let's prove him wrong

6
ACM and Protection States
  • Subjects (processes p, q etc.)
  • Objects (files f, g etc.)
  • Access rights (operations r, w, x, a, o etc.)
  • Example matrix (rows: subjects, columns: objects)

           f      g     p      q
      p    rwo    r     rwxo   w
      q    a      ro    r      rwxo

7
Protection States
  • State: variables taking values in a domain
  • Protection domain: the space defined by the ACL
  • Mathematically
  • Variables for subjects X_s ∈ S (the set of all
    subject names)
  • Variables for objects X_o ∈ O (the set of all
    object names)
  • Constants for permission names P
  • Assignment ACL: S × O → P(P), where P(P) is the
    power set (set of all subsets) of P
  • Maps every (subject, object) pair to a subset of
    permissions.
  • Example state

           f     g     p     q
      p    ow    r     rxo   w
      q    r     o     r     wx

8
Safe States
  • Any subset that is consistent with the ACM
  • Mathematically
  • If myState: S × O → P(P), then ∀x,y myState(x,y)
    ⊆ ACL(x,y)

9
Review commands
  • Primitive commands
  • Create/delete subjects, objects
  • Enter, delete permissions in acl(s,o)
  • A command may use more than one primitive command
  • One that uses only one is called a mono-operational
    command.
  • Limitation: cannot test for a negative fact
  • Further: don't have owner and copy commands

10
Overview
  • Review
  • Access Control Matrix Model
  • Undecidable Problem
  • Turing Machine and Halting Problem
  • Safety Question
  • Harrison-Ruzzo-Ullman (HRU) result

11
What Is Secure?
  • Giving a generic right r to someone who initially
    does not possess r is leaking
  • If a system beginning in some initial state can
    never leak r, then the system is said to be safe
    with respect to r
  • Subtleties
  • Leaking is not necessarily bad, such as
    legitimate transfer of rights by owners, and
    delegation
  • However, the question we are interested in is:
    with all authorized leaking ignored, is the system
    still safe w.r.t. r?
  • An abstract system (specification) is safe but
    its implementation may not be secure

12
Safety Question
  • Does there exist an algorithm for determining
    whether any protection system with a given
    initial state is safe with respect to a generic
    right r?
  • Using terms of ACM, the question is
  • Given any ACM, is there a program that halts with
    the answer to "Does there exist a sequence of
    commands that will enter r into some a[s,o] that
    does not initially have r?"
  • Trivial cases
  • r = read, own ∈ a[s,o], command
    can-grant-read-to-owner
  • No command includes the enter primitive command
  • How about the general case?

13
The (special) Positive Result
  • Theorem There is an algorithm that determines if
    a given mono-operational protection system with
    initial state S0 is safe with respect to a
    generic right.
  • Proof: suppose the command sequence is
    c0, c1, ..., cn
  • Can identify c0, c1, ..., cn as a sequence of
    primitive operations.
  • Can assume that ∀i, ci ∉ {delete, destroy}
  • Because delete, destroy do not add rights.

14
Positive Result.. Proof continued
  • Only create adds new subjects and objects.
  • The others are conditional tests, which can be
    checked
  • Suppose a (first) new subject and an object
    (first) are created, say Snew, Onew.
  • Need to check that the given sequence of commands
    did not leak rights
  • Need to check the pre/post-condition adherence
    of n(|S0|+1)(|O0|+1) commands.
  • ∎
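As an added worked example (not from the slides or from Bishop's book), the decision procedure the theorem promises, in Python: a protection system with mono-operational commands, delete/destroy skipped as the proof allows, and at most one fresh subject and one fresh object. Because every remaining primitive only adds, the union of all reachable states is the fixpoint of firing every enabled command instance, and r leaks iff that fixpoint holds r in a cell that lacked it initially. The sample state, the command encoding and the fresh names s_new/o_new are constructed assumptions.

```python
from itertools import product

# Fresh names: by the HRU argument one new subject and one new object suffice
# (constructed names, not from the slides).
FRESH_SUBJECT, FRESH_OBJECT = "s_new", "o_new"


class ProtectionSystem:
    """Access control matrix: matrix[(s, o)] is the set of rights s has over o.
    Every subject is also an object (it has a row and a column), as in the ACM."""

    def __init__(self, subjects, objects, rights):
        self.subjects = set(subjects)
        self.objects = set(objects) | set(subjects)
        self.matrix = {cell: set(rs) for cell, rs in rights.items()}

    def cell(self, s, o):
        return self.matrix.setdefault((s, o), set())

    def copy(self):
        return ProtectionSystem(self.subjects, self.objects, self.matrix)


def bindings(cmd, state):
    """All ways to bind the command's parameters to names in the current state.
    The parameter a create op introduces ranges over the single fresh name,
    and only while that name does not exist yet."""
    kind = cmd["op"][0]
    created = cmd["op"][1] if kind.startswith("create") else None
    fresh = FRESH_SUBJECT if kind == "create_subject" else FRESH_OBJECT
    names = sorted(state.objects)
    domains = []
    for p in cmd["params"]:
        if p == created:
            domains.append([fresh] if fresh not in state.objects else [])
        else:
            domains.append(names)
    for combo in product(*domains):
        yield dict(zip(cmd["params"], combo))


def apply_op(state, op, b):
    """Apply one primitive op under binding b; True if the state changed."""
    kind = op[0]
    if kind == "enter":
        _, right, ps, po = op
        s, o = b[ps], b[po]
        if s not in state.subjects:      # only subjects have rows
            return False
        cell = state.cell(s, o)
        if right in cell:
            return False
        cell.add(right)
        return True
    if kind not in ("create_subject", "create_object"):
        raise ValueError(f"unknown primitive op {kind}")
    name = b[op[1]]
    if name in state.objects:
        return False
    if kind == "create_subject":
        state.subjects.add(name)
    state.objects.add(name)
    return True


def closure(system, commands):
    """Union of all states reachable under mono-operational commands.
    delete/destroy are skipped (they never add rights), so every applied op
    only adds and a command once enabled stays enabled: the fixpoint of firing
    every enabled instance is the union of reachable states. It terminates
    because names (two fresh at most) and rights are finite."""
    state = system.copy()
    changed = True
    while changed:
        changed = False
        for cmd in commands:
            if cmd["op"][0] in ("delete", "destroy"):
                continue
            for b in list(bindings(cmd, state)):
                if all(r in state.cell(b[ps], b[po]) for r, ps, po in cmd["conds"]):
                    changed |= apply_op(state, cmd["op"], b)
    return state


def find_leaks(system, commands, right):
    """Sorted cells (s, o) that can acquire `right` without holding it initially."""
    reach = closure(system, commands)
    return sorted(cell for cell, rs in reach.matrix.items()
                  if right in rs and right not in system.matrix.get(cell, set()))


def example():
    """Constructed sample: alice owns and reads f, bob holds nothing.
    grant_read lets an owner enter r into anyone's cell, so r leaks to bob and
    to a freshly created subject. can_grant_read_to_owner (slide 12's trivial
    case) only enters r into a cell that already holds own: safe w.r.t. r."""
    initial = ProtectionSystem(subjects={"alice", "bob"}, objects={"f"},
                               rights={("alice", "f"): {"own", "r"}})
    spawn = {"params": ["s"], "conds": [], "op": ("create_subject", "s")}
    grant_read = {"params": ["s1", "s2", "o"], "conds": [("own", "s1", "o")],
                  "op": ("enter", "r", "s2", "o")}
    read_to_owner = {"params": ["s", "o"], "conds": [("own", "s", "o")],
                     "op": ("enter", "r", "s", "o")}
    return (find_leaks(initial, [spawn, grant_read], "r"),
            find_leaks(initial, [spawn, read_to_owner], "r"))


if __name__ == "__main__":
    print(example())   # ([('bob', 'f'), ('s_new', 'f')], [])
```

The fixpoint is sound only because the commands are mono-operational and monotone after pruning; with multi-operation commands (such as the Turing-machine commands on the following slides) an enabled command can become disabled again, and this shortcut no longer decides safety.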

15
General Safety Problem is Undecidable
  • Answer: the safety problem is undecidable
  • In terms of ACM
  • Given any ACM, whether some sequence of commands
    will enter r into some a[s,o] that does not
    initially have r is undecidable

16
Overview
  • Review
  • Access Control Matrix Model
  • Undecidable Problem
  • Turing Machine and Halting Problem
  • Safety Question
  • Harrison-Ruzzo-Ullman (HRU) result

17
Halting Problem
  • With any initial tape and state (of the head),
    whether any given Turing machine will reach a
    specific state is undecidable

18
Turing Machine
  • An infinite-to-the-right tape divided into cells
  • A cell C can store any symbol in
    M = {A, B, C, D, F, Blank}
  • A read/write head
  • The head can have any state in K = {happy, unhappy}
  • The head reads, then writes and moves
  • What it writes, and whether it moves to left or
    right are both decided by a set of rules
  • M and K are both finite

19
The Proof
  • Proof: the halting problem can be reduced to the
    safety problem
  • "Reduced to" means: if an algorithm can solve the
    safety problem then it can also solve the halting
    problem
  • But the halting problem is known to be
    undecidable, so such an algorithm cannot exist
  • How does the reduction work?
  • Simulate a Turing machine where subject S_i owns
    S_{i+1}.
  • If cell i contains symbol A, then subject S_i has
    right A over itself.
  • Subject S_k, corresponding to the rightmost cell,
    has the end right over itself.

20
The Reduction at a Glance
21
Commands for left motion
(k, C) → (k1, X, L) corresponds to the command
  command c_{k,C}(s_{i-1}, s_i)
    if own ∈ A[s_{i-1}, s_i] and k ∈ A[s_i, s_i] and C ∈ A[s_i, s_i]
    then
      delete k from A[s_i, s_i]
      delete C from A[s_i, s_i]
      enter X into A[s_i, s_i]
      enter k1 into A[s_{i-1}, s_{i-1}]
  end
Note: k is the state of the head; C, X are the contents of the cell
22
Commands for right motion
(k, C) → (k1, X, R) corresponds to the command
  command c_{k,C}(s3, s4)
    if own ∈ A[s3, s4] and k ∈ A[s3, s3] and C ∈ A[s3, s3]
    then
      delete k from A[s3, s3]
      delete C from A[s3, s3]
      enter X into A[s3, s3]
      enter k1 into A[s4, s4]
  end
23
Command for the rightmost cell
(k1, D) → (k2, Y, R) corresponds to the command
  command c_rightmost_{k1,D}(s4, s5)
    if end ∈ A[s4, s4] and k1 ∈ A[s4, s4] and D ∈ A[s4, s4]
    then
      delete end from A[s4, s4]
      create subject s5
      enter own into A[s4, s5]
      enter end into A[s5, s5]
      delete k1 from A[s4, s4]
      delete D from A[s4, s4]
      enter Y into A[s4, s4]
      enter k2 into A[s5, s5]
  end
24
Rest of the proof
  • Protection system exactly simulates a TM
  • Exactly 1 end right in ACM corresponds to the end
    state
  • 1 right in the entry with current state
  • Thus, at most 1 applicable command at any time
  • If the TM enters a special state qf, then the
    right qf has leaked
  • If the safety question is decidable, then represent
    the TM as above and determine if qf leaks
  • Implies halting problem decidable
  • Conclusion: determining safety is undecidable
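An added Python example (not from the slides) that runs the reduction of slides 19 to 24: tape cells are subjects chained by own rights, the cell symbol, the head state and end are rights a subject holds over itself, and each Turing-machine rule becomes one of the three commands. One assumption beyond the slides: the rightmost-cell command also enters the blank symbol into the newly created cell, which the simulation needs so that a rule of the form (k, Blank) can later fire there; the sample machine, tape and state names are constructed.

```python
OWN, END = "own", "end"


class TMProtectionSystem:
    """Protection system simulating a Turing machine (slides 19 to 24).
    Tape cell i is subject s_i. A[s_i, s_{i+1}] = {own} chains the cells;
    A[s_i, s_i] holds the cell's symbol, the head state k while the head is on
    cell i, and `end` on the rightmost cell. Each TM rule (k, C) -> (k1, X, d)
    is one command; step() fires the single command whose conditions hold."""

    def __init__(self, tape, symbols, start_state, blank):
        self.symbols, self.blank = set(symbols), blank
        self.subjects = [f"s{i}" for i in range(1, len(tape) + 1)]
        self.A = {}
        for i, sym in enumerate(tape):
            s = self.subjects[i]
            self.A[(s, s)] = {sym}
            if i + 1 < len(tape):
                self.A[(s, self.subjects[i + 1])] = {OWN}
        self.A[(self.subjects[0], self.subjects[0])].add(start_state)
        self.A[(self.subjects[-1], self.subjects[-1])].add(END)

    def cell(self, a, b):
        return self.A.setdefault((a, b), set())

    def step(self, rules):
        """Fire the one applicable command; False if none applies (TM halted)."""
        for i, s in enumerate(self.subjects):
            here = self.cell(s, s)
            for (k, C), (k1, X, d) in rules.items():
                if not (k in here and C in here):
                    continue
                if d == "L":                        # left-motion command (slide 21)
                    if i == 0:
                        return False                # no s_{i-1} owns s_i: blocked
                    left = self.subjects[i - 1]
                    if OWN not in self.cell(left, s):
                        return False
                    here -= {k, C}
                    here.add(X)
                    self.cell(left, left).add(k1)
                elif END in here:                   # rightmost-cell command (slide 23)
                    new = f"s{len(self.subjects) + 1}"
                    self.subjects.append(new)       # create subject
                    here.discard(END)
                    self.cell(s, new).add(OWN)
                    self.cell(new, new).update({END, self.blank})  # blank: assumption
                    here -= {k, C}
                    here.add(X)
                    self.cell(new, new).add(k1)
                else:                               # right-motion command (slide 22)
                    right = self.subjects[i + 1]
                    if OWN not in self.cell(s, right):
                        return False
                    here -= {k, C}
                    here.add(X)
                    self.cell(right, right).add(k1)
                return True
        return False

    def run(self, rules, max_steps=1000):
        steps = 0
        while steps < max_steps and self.step(rules):
            steps += 1
        return steps

    def leaked(self, right):
        """Has `right` appeared anywhere in the matrix? (The safety question.)"""
        return any(right in rs for rs in self.A.values())

    def tape(self):
        return [next(iter(self.cell(s, s) & self.symbols)) for s in self.subjects]


def demo():
    """Constructed machine: turn A's into B's moving right; on Blank, step left into qf."""
    rules = {("q0", "A"): ("q0", "B", "R"),
             ("q0", "Blank"): ("qf", "Blank", "L")}
    tm = TMProtectionSystem(["A", "A"], {"A", "B", "Blank"}, "q0", "Blank")
    steps = tm.run(rules)
    return steps, tm.tape(), tm.leaked("qf")   # (3, ['B', 'B', 'Blank'], True)
```

Because exactly one subject holds a state right and exactly one holds end, at most one command applies per step, which is the "at most 1 applicable command at any time" observation of slide 24; asking whether qf ever leaks is therefore the same question as asking whether the machine halts in qf.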

25
Special Cases May Be Decidable
  • If all the commands are mono-operational, the
    safety problem is decidable
  • Each move of Turing machine corresponds to
    multiple primitive commands of ACM
  • If no command includes create, the safety problem
    is decidable (P-SPACE complete)
  • If no command includes destroy or delete and all
    commands are mono-conditional, then the safety
    problem is decidable

26
Key Points
  • In its most general form, the safety problem is
    undecidable
  • Limiting scope of systems can make problem
    decidable

27
Take-Grant Protection Model
  • Can safety be guaranteed for a specific (not
    generic) system?
  • Yes, with a specific collection of commands
  • Called the take-grant protection model
  • A graph model where
  • Subjects represented by
  • Objects represented by
  • Either represented by
  • Labeled edges represent the source's rights over
    the destination, with two operations
  • Take (t)
  • Grant (g)
  • Use graph-rewrite rules to derive permissions
    from a set R

28
Commands
(Figure: the four graph-rewrite rules; only the captions and edge labels
survive the transcript)
  • take: X takes (α to Y) from Z, where X has t to Z and
    Z has β to Y, α ⊆ β
  • grant: Z grants (α to Y) to X, where Z has g to X and
    Z has β to Y, α ⊆ β
  • create: X creates (α to new vertex) Y
  • remove: X removes α to Y
29
What Can Happen
(Figure: take-grant graph over vertices x, y, z with a t edge; the steps
below add vertex v)
  • x creates (tg to new) v
  • z takes (g to v) from x
  • z grants (α to y) to v
  • x takes (α to y) from v
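An added Python example (not from the slides) of the take-grant rules as checked graph rewrites, run over the four steps of slide 29. The starting graph is an assumption, since the figure is not in the transcript: z holds t over x and α = {a} over y, x and z are subjects and y is an object; the point it shows is that x ends with a over y although x has no t over z and z has no g over x.

```python
class TakeGrantGraph:
    """Protection graph: edges[(src, dst)] is the set of rights src holds over dst.
    Each method is one rewrite rule and fires only when the pattern on the rule's
    left-hand side is present, so the graph changes only as the model allows.
    Only subjects (active vertices) may apply rules."""

    def __init__(self, subjects, objects=()):
        self.subjects = set(subjects)
        self.objects = set(objects)
        self.edges = {}

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def add_edge(self, src, dst, labels):
        """Initial-state setup only; at run time the rules below are the only mutators."""
        self.edges.setdefault((src, dst), set()).update(labels)

    def take(self, x, y, z, alpha):
        """x takes (alpha to y) from z: needs x --t--> z and z --beta--> y, alpha ⊆ beta."""
        if x not in self.subjects or "t" not in self.rights(x, z):
            raise PermissionError(f"{x} holds no t over {z}")
        if not set(alpha) <= self.rights(z, y):
            raise PermissionError(f"{z} does not hold {set(alpha)} over {y}")
        self.add_edge(x, y, alpha)

    def grant(self, z, x, y, alpha):
        """z grants (alpha to y) to x: needs z --g--> x and z --beta--> y, alpha ⊆ beta."""
        if z not in self.subjects or "g" not in self.rights(z, x):
            raise PermissionError(f"{z} holds no g over {x}")
        if not set(alpha) <= self.rights(z, y):
            raise PermissionError(f"{z} does not hold {set(alpha)} over {y}")
        self.add_edge(x, y, alpha)

    def create(self, x, y, alpha, subject=True):
        """x creates new vertex y and receives alpha over it."""
        if x not in self.subjects or y in self.subjects | self.objects:
            raise PermissionError(f"{x} cannot create {y}")
        (self.subjects if subject else self.objects).add(y)
        self.add_edge(x, y, alpha)

    def remove(self, x, y, alpha):
        """x removes alpha from its own rights over y."""
        if x not in self.subjects:
            raise PermissionError(f"{x} is not a subject")
        self.rights(x, y).difference_update(alpha)


def rule_fires(rule, *args):
    """True if the rewrite rule applies to these arguments (mutating the graph if so)."""
    try:
        rule(*args)
        return True
    except PermissionError:
        return False


def initial_graph():
    """Assumed start for slide 29: subjects x, z and object y;
    z holds t over x and alpha = {'a'} over y."""
    g = TakeGrantGraph(subjects={"x", "z"}, objects={"y"})
    g.add_edge("z", "x", {"t"})
    g.add_edge("z", "y", {"a"})
    return g


def what_can_happen():
    """Slide 29's four steps: x ends up with a over y."""
    g = initial_graph()
    g.create("x", "v", {"t", "g"})   # x creates (tg to new) v
    g.take("z", "v", "x", {"g"})     # z takes (g to v) from x
    g.grant("z", "v", "y", {"a"})    # z grants (a to y) to v
    g.take("x", "y", "v", {"a"})     # x takes (a to y) from v
    return g
```

Run from the same starting graph, a direct `take` by x from z or a direct `grant` by z to x is refused by the rule preconditions; the rights still flow through the shared vertex v, which is the kind of path the linear-time safety algorithm of slide 30 looks for.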

30
The Safety Problem
  • The safety problem is not only decidable but with
    a linear time complexity in the size of the
    system

31
ISA 562 Information System Security
  • Access Control Mechanisms

32
Overview
  • Access control lists (ACL)
  • Capability lists (C-List)

33
What's Wrong with ACM?
  • Suppose we have 1k users and 100k files and
    one should only read/write one's own files
  • The ACM will have 101k columns and 1k rows
  • Most of the 101M elements are either empty or
    identical
  • Good for theoretical study but bad for
    implementation
  • Why bother with the empty elements?

34
Access Control Lists
  • An ACL stores (the non-empty elements of) each
    column with an object
  • Columns of access control matrix

               file1   file2   file3
      Andy     rx      r       rwo
      Betty    rwxo    r
      Charlie  rx      rwo     w

  • ACLs
  • file1: (Andy, rx) (Betty, rwxo) (Charlie, rx)
  • file2: (Andy, r) (Betty, r) (Charlie, rwo)
  • file3: (Andy, rwo) (Charlie, w)

35
Default Permission and Abbreviation
  • Subject not in ACL has no rights over the file
  • An absent subject means empty element in ACM
  • If many subjects have similar rights, may use
    groups or wildcards in ACL
  • To merge the identical columns
  • UNICOS entries are (user, group, rights)
  • If user is in group, has rights over file
  • * is wildcard for user, group
  • (holly, *, r): holly can read file regardless of
    her group
  • (*, gleep, w): anyone in group gleep can write
    file

36
Abbreviation (Contd)
  • UNIX: 3 classes of users: owner, group, world

37
ACLs Abbreviations
  • Augment abbreviated lists with ACLs
  • Intent is to shorten ACL without losing all the
    granularity
  • Example: IBM AIX
  • ACL overrides base permission
  • Denial takes precedence

38
Permissions in IBM AIX
  • attributes:
  • base permissions
  • owner(bishop): rw-
  • group(sys): r--
  • others: ---
  • extended permissions: enabled
  • specify rw- u:holly
  • permit -w- u:heidi, g:sys
  • permit rw- u:matt
  • deny -w- u:holly, g:faculty
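An added Python example (not from the slides and not AIX's own code) that evaluates the ACL of slide 38 under the two rules slide 37 states: extended entries override the base permissions, and denial takes precedence. It assumes, as a simplified model of AIX, that an extended entry applies only when every identity listed on it matches (u:holly, g:faculty means holly while in group faculty), that specify replaces the rights, permit adds to them, and all matching deny entries are subtracted last.

```python
# The ACL from slide 38 as data (constructed encoding, not AIX's file format).
AIX_ACL = {
    "base": {"owner": ("bishop", "rw-"), "group": ("sys", "r--"), "others": "---"},
    "extended": [
        ("specify", "rw-", ["u:holly"]),
        ("permit", "-w-", ["u:heidi", "g:sys"]),
        ("permit", "rw-", ["u:matt"]),
        ("deny", "-w-", ["u:holly", "g:faculty"]),
    ],
}


def to_bits(mode):
    """'rw-' -> {'r', 'w'}"""
    return {c for c in mode if c != "-"}


def to_mode(bits):
    return "".join(c if c in bits else "-" for c in "rwx")


def entry_matches(identities, user, groups):
    """An extended entry applies only when every listed identity matches
    (assumed AIX semantics): 'u:holly, g:faculty' is holly while in faculty."""
    for ident in identities:
        kind, name = ident.split(":")
        if kind == "u" and name != user:
            return False
        if kind == "g" and name not in groups:
            return False
    return True


def base_rights(acl, user, groups):
    """Classic owner / group / others selection."""
    owner, owner_mode = acl["base"]["owner"]
    group, group_mode = acl["base"]["group"]
    if user == owner:
        return to_bits(owner_mode)
    if group in groups:
        return to_bits(group_mode)
    return to_bits(acl["base"]["others"])


def effective_mode(acl, user, groups):
    """Base permissions, then the extended entries: specify overrides the base,
    permit adds, and every matching deny is applied last (denial takes precedence)."""
    rights = base_rights(acl, user, groups)
    denied = set()
    for kind, mode, identities in acl["extended"]:
        if not entry_matches(identities, user, groups):
            continue
        if kind == "specify":
            rights = to_bits(mode)
        elif kind == "permit":
            rights |= to_bits(mode)
        elif kind == "deny":
            denied |= to_bits(mode)
    return to_mode(rights - denied)
```

With this ACL holly reads and writes the file from any group except faculty, where the deny strips write but leaves read; heidi gets write only while in sys (on top of the r-- the group base grants); matt gets rw- though the others base grants nothing.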

39
ACL Modification and Privileged Users
  • Who can modify ACL?
  • Creator is given own right that allows this
  • System R provides a grant modifier (like a copy
    flag) allowing a right to be transferred, so
    ownership not needed
  • Do ACLs apply to privileged users (root)?
  • Solaris abbreviated lists do not, but full-blown
    ACL entries do

40
Revocation Question
  • How do you remove a subject's rights to a file?
  • Owner deletes rights from the subject's entry in
    the ACL, or the subject's entry if it has no
    rights left
  • What if ownership not involved?
  • Depends on system
  • System R: restore protection state to what it was
    before right was given
  • More complicated than it appears to be
  • What if Alice gives Bob a right and Bob then
    gives it to Mallory, and now Alice wants to
    revoke Bob's right?

41
Windows NT ACLs
  • Different sets of rights
  • Basic: read, write, execute, delete, change
    permission, take ownership
  • Generic: no access, read (read/execute), change
    (read/write/execute/delete), full control (all),
    special access (assign any of the basics)
  • Directory: no access, read (read/execute files in
    directory), list, add, add and read, change
    (create, add, read, execute, write files, delete
    subdirectories), full control, special access

42
Windows NT ACLs (Contd)
  • User not in file's ACL nor in any group named in
    file's ACL: deny access
  • ACL entry denies user access: deny access
  • Take union of rights of all ACL entries giving
    user access: user has this set of rights over file

43
Capability Lists
  • Rows of access control matrix

               file1   file2   file3
      Andy     rx      r       rwo
      Betty    rwxo    r
      Charlie  rx      rwo     w

  • C-Lists
  • Andy: (file1, rx) (file2, r) (file3, rwo)
  • Betty: (file1, rwxo) (file2, r)
  • Charlie: (file1, rx) (file2, rwo) (file3, w)

44
Semantics
  • Like a bus ticket
  • Mere possession indicates rights that subject has
    over object
  • Object identified by capability (as part of the
    token)
  • Name may be a reference, location, or something
    else
  • The key challenge is to prevent process/user from
    altering capabilities
  • Otherwise a subject can augment its capabilities
    at will

45
Implementation
  • Tagged architecture
  • Bits protect individual words
  • Paging/segmentation protections
  • Like tags, but put capabilities in a read-only
    segment or page
  • Cryptography
  • Associate with each capability a cryptographic
    checksum enciphered using a key known to OS
  • When process presents capability, OS validates
    checksum

46
Revocation
  • Scan all C-lists, remove relevant capabilities
  • Far too expensive! (return your tickets?)
  • Use indirection
  • Each object has entry in a global object table
  • Names in capabilities name the entry, not the
    object
  • To revoke, zap the entry in the table
  • Can have multiple entries for a single object to
    allow control of different sets of rights and/or
    groups of users for each object
  • Example: Amoeba: owner requests that the server
    change the random number in the server table
  • All capabilities for that object now invalid
  • Re-issue tickets and invalidate old tickets
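An added Python example (not from the slides or from Amoeba) combining the cryptographic implementation of slide 45 with the indirect revocation of slide 46: a capability is (object_id, rights, check), where check is an HMAC-SHA256 over the object name, the rights and a random number stored in the server's object table, under a key only the server holds. A holder can copy the ticket but any edit to its rights field fails validation, and changing the object's random number invalidates every ticket issued for it. The server class, object names and data are constructed.

```python
import hashlib
import hmac
import secrets


class CapabilityServer:
    """Object server issuing capabilities protected by a keyed checksum and
    revoking them by changing a per-object random number in its table."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # known only to the OS/server
        self.table = {}                      # object_id -> {"nonce": bytes, "data": str}

    def _checksum(self, object_id, rights):
        nonce = self.table[object_id]["nonce"]
        msg = b"\0".join([object_id.encode(), rights.encode(), nonce])
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def issue(self, object_id, rights):
        return (object_id, rights, self._checksum(object_id, rights))

    def create_object(self, object_id, data):
        self.table[object_id] = {"nonce": secrets.token_bytes(16), "data": data}
        return self.issue(object_id, "rw")

    def valid(self, cap):
        """Recompute the checksum from the table entry; constant-time compare."""
        object_id, rights, check = cap
        if object_id not in self.table:
            return False
        return hmac.compare_digest(check, self._checksum(object_id, rights))

    def read(self, cap):
        object_id, rights, _ = cap
        if not self.valid(cap) or "r" not in rights:
            raise PermissionError("capability rejected")
        return self.table[object_id]["data"]

    def revoke_all(self, object_id):
        """Owner asks the server to change the object's random number:
        every outstanding ticket for it dies, and a fresh one is issued."""
        self.table[object_id]["nonce"] = secrets.token_bytes(16)
        return self.issue(object_id, "rw")


def demo():
    """Constructed scenario: (genuine accepted, forged rejected,
    old ticket rejected after revocation, reissued ticket accepted)."""
    srv = CapabilityServer()
    cap = srv.create_object("report", "quarterly numbers")
    forged = (cap[0], "rwx", cap[2])        # holder edits the rights field
    genuine_ok = srv.read(cap) == "quarterly numbers"
    forged_rejected = not srv.valid(forged)
    new_cap = srv.revoke_all("report")
    return genuine_ok, forged_rejected, not srv.valid(cap), srv.valid(new_cap)
```

The random number is the "entry in a global object table" of slide 46: capabilities name it indirectly through the checksum, so revocation costs one table update rather than a scan of every C-list, at the price that all holders, legitimate ones included, need their tickets reissued.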

47
ACLs vs. Capabilities
  • Both theoretically equivalent; consider 2
    questions
  • Given a subject, what objects can it access, and
    how?
  • Given an object, what subjects can access it, and
    how?
  • ACLs answer the second easily; C-Lists, the first
  • Suggested that the second question, which in the
    past has been of most interest, is the reason
    ACL-based systems more common than
    capability-based systems
  • As first question becomes more important (in
    incident response, for example), this may change
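An added Python example (not from the slides) for slides 34, 35, 43 and 47: it builds ACLs (columns) and C-lists (rows) from the Andy/Betty/Charlie matrix, answers each of the two questions with a single lookup in the structure suited to it and a full scan in the other, and evaluates UNICOS-style (user, group, rights) entries with * wildcards. The matrix is the one on the slides; the wildcard entries are the slide 35 ones; the helper names are constructed.

```python
# The matrix from slides 34 and 43 (rows: subjects, columns: objects).
ACM = {
    "Andy": {"file1": "rx", "file2": "r", "file3": "rwo"},
    "Betty": {"file1": "rwxo", "file2": "r"},
    "Charlie": {"file1": "rx", "file2": "rwo", "file3": "w"},
}


def to_acls(acm):
    """Column view: one list per object, holding only the non-empty entries."""
    acls = {}
    for subject, row in acm.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = rights
    return acls


def to_clists(acm):
    """Row view: one list per subject."""
    return {subject: dict(row) for subject, row in acm.items()}


def subjects_of(acls, obj):
    """'Given an object, which subjects can access it, and how?' One lookup."""
    return dict(acls.get(obj, {}))


def objects_of(clists, subject):
    """'Given a subject, what objects can it access, and how?' One lookup."""
    return dict(clists.get(subject, {}))


def subjects_of_via_clists(clists, obj):
    """The object question answered from C-lists: every row must be scanned."""
    return {s: row[obj] for s, row in clists.items() if obj in row}


def objects_of_via_acls(acls, subject):
    """The subject question answered from ACLs: every column must be scanned."""
    return {o: col[subject] for o, col in acls.items() if subject in col}


def unicos_rights(entries, user, group):
    """UNICOS-style ACL (slide 35): entries are (user, group, rights) and '*'
    matches anything; rights of all matching entries combine, and a subject
    matching no entry has no rights (the empty ACM element)."""
    rights = set()
    for u, g, r in entries:
        if u in ("*", user) and g in ("*", group):
            rights |= set(r)
    return "".join(c for c in "rwxo" if c in rights)
```

The scan functions return the same answers as the lookups, which is the theoretical equivalence of slide 47; the cost difference between a dictionary lookup and a pass over every row or column is what makes one representation preferable for each question.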

48
Key Points
  • ACM is not practical
  • ACL and C-List store only non-empty elements of
    columns or rows of an ACM
  • ACL vs C-List

49
Locks and Keys
  • Associate lock with object and key with subject
  • Latter controls what the subject can access and
    how
  • Subject presents key; if it corresponds to any of
    the locks on the object, access granted
  • This is more flexible
  • Change either locks or keys

(Figure: ACL, C-List, Locks/Keys)
50
Cryptographic Implementation
  • Enciphering key is the lock; deciphering key is
    the key
  • Encipher object o: store E_k(o)
  • Use subject's key k' to compute D_{k'}(E_k(o))
  • Any of n can access o: store
  • o' = (E_1(o), ..., E_n(o))
  • Requires consent of all n to access o: store
  • o' = E_1(E_2(...(E_n(o))...))