Computer Security Foundations - PowerPoint PPT Presentation

Slides: 18
Provided by: MikeBur3

Transcript and Presenter's Notes

1
Computer Security Foundations
2
Security
  • How can one determine when a computer system is secure?
  • What does secure mean?

3
Reminder
  • In our model a computer system is represented by a family of states; the set of all protection states P must be a subset of the set of authorized states Q if the system is to be secure.
  • In the previous section we used a primitive, the ACM, to manage a protection system.
  • Protection was in terms of rights, and the ACM was used to relate subjects to objects (also basic primitives).
  • We also discussed protection state transitions and commands, which correspond to (cause) a sequence of state transitions.

4
Security - definitions
  • Let R be the set of (primitive) rights of the system, r ∈ R, and A be the ACM.
  • If r ∈ R is added to an element of A not already containing r, then r is said to be leaked.
  • Let s0 be the initial protection state. If a system can never leak r ∈ R then the system is safe wrt r.

5
Security: safe vs secure
  • We use the term safe to refer to the (abstract) model.
  • Secure will be used when referring to implementations.
  • So a secure implementation must be modeled on a safe system.
  • Example safe vs secure -- see textbook.

6
Foundation theorems
  • The model used is based on protection states, the ACM and a set of commands; essentially the HRU model (discussed in the previous section).

7
Theorem 1
  • There exists an algorithm that will determine whether a given mono-operational protection system with initial protection state s0 is safe wrt a generic right.
  • Proof: see textbook.
  • This whole section is a project topic for anybody who is interested in the foundations aspect of Computer Security.
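As an added worked example (not code from the slides or the textbook), the leak and safety definitions of slide 4 and the decision procedure of Theorem 1 for a small mono-operational system, in Python. The ACM is held as a set of (subject, object, right) triples; the commands confer_read and revoke_read, the subjects alice and bob, the object f and the initial state S0 are all constructed here. The universe of subjects and objects is fixed (no create command), which is a simplification that keeps the reachable state space finite, so a breadth-first search over reachable states terminates and either reports the system safe wrt a right or returns the command sequence from s0 that leaks it.

```python
from collections import deque

# Constructed example (not from the slides): a protection state is a frozenset
# of (subject, object, right) triples, so (s, o, r) in state  <=>  r in A[s, o].
# The universe of subjects and objects is fixed (no create/destroy), which keeps
# the reachable state space finite so an exhaustive search terminates.

SUBJECTS = ("alice", "bob")
OBJECTS = ("f",)
S0 = frozenset({("alice", "f", "own"), ("alice", "f", "read")})


def enter(state, s, o, r):
    """Primitive operation: enter right r into A[s, o]."""
    return state | {(s, o, r)}


def delete(state, s, o, r):
    """Primitive operation: delete right r from A[s, o]."""
    return state - {(s, o, r)}


# Mono-operational commands: one condition, one primitive operation.
# Each returns the successor state, or None when its condition fails.

def confer_read(state, owner, grantee, obj):
    """command confer_read(owner, grantee, obj):
       if own in A[owner, obj] then enter read into A[grantee, obj]"""
    if (owner, obj, "own") in state:
        return enter(state, grantee, obj, "read")
    return None


def revoke_read(state, owner, grantee, obj):
    """command revoke_read(owner, grantee, obj):
       if own in A[owner, obj] then delete read from A[grantee, obj]"""
    if (owner, obj, "own") in state:
        return delete(state, grantee, obj, "read")
    return None


COMMANDS = (confer_read, revoke_read)


def successors(state):
    """Every (command name, parameters, next state) reachable in one step."""
    for cmd in COMMANDS:
        for s1 in SUBJECTS:
            for s2 in SUBJECTS:
                for o in OBJECTS:
                    nxt = cmd(state, s1, s2, o)
                    if nxt is not None:
                        yield cmd.__name__, (s1, s2, o), nxt


def leaks(state, nxt, right):
    """Slide 4's definition: the step state -> nxt leaks `right` if it adds
    `right` to a cell of A that did not already contain it."""
    return any(r == right for (_, _, r) in nxt - state)


def is_safe(s0, right):
    """Breadth-first search over the protection states reachable from s0.
    Returns (True, None) when no reachable step leaks `right`, otherwise
    (False, witness) where witness is the command sequence from s0 that leaks."""
    parent = {s0: None}          # state -> (command name, params, previous state)
    queue = deque([s0])
    while queue:
        state = queue.popleft()
        for name, params, nxt in successors(state):
            if leaks(state, nxt, right):
                path = [(name, params)]
                cur = state
                while parent[cur] is not None:
                    pname, pparams, prev = parent[cur]
                    path.append((pname, pparams))
                    cur = prev
                return False, list(reversed(path))
            if nxt not in parent:
                parent[nxt] = (name, params, state)
                queue.append(nxt)
    return True, None


if __name__ == "__main__":
    for r in ("read", "write", "own"):
        print(r, is_safe(S0, r))
```

Run as a script it reports the system unsafe wrt read (alice, the owner, can confer read on bob, which enters read into a cell that lacked it) but safe wrt write and own, since no command ever enters those rights. Theorem 1's algorithm also copes with a create primitive by bounding the number of entities it needs to consider; this example sidesteps that by fixing the universe up front.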

8
Theorem 2
  • It is undecidable whether a given state of a given protection system is safe wrt a generic right.
  • Proof: reduction to the halting problem.
  • The proof is by contradiction. It is shown that an arbitrary Turing Machine can be reduced to the safety problem, with the final state corresponding to the leaking of a right.
  • For details see textbook.

9
Theorem 3
  • The set of unsafe systems is recursively enumerable (accepted by a TM).
  • So we can generate a list of all unsafe protection systems.

10
The Take-Grant protection model
  • Can the safety of a protection system with specific rules be established?
  • Answer: the Take-Grant protection model.
  • This model is represented by a directed graph. Vertices are subjects, objects, or either. Edges are labeled by a set of rights that the source has over the destination. R contains two distinguished rights, t (take) and g (grant).

11
Transitions rewriting rules
  • Take rule
  • Grant rule
  • Create rule
  • Remove rule
  • Details in slides.

12
Theorem 1
  • Let G0 be a protection graph containing just one subject vertex and no edge, and let R be a set of rights. Then G can be derived from G0 iff G is a finite directed acyclic graph with subjects and objects only, with edges labeled for non-empty subsets of R and at least one subject (a trusted entity) having no incoming edge.
  • Proof in textbook.
  • Discussion in class.
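The protection graph and the four rewriting rules of slides 10 to 12, as an added example in Python (not the presentation's or the textbook's code). The vertices alice, bob, carol and file, the initial edges and the scenario in demo() are constructed here. Each rule refuses to fire unless its precondition holds and only subjects may apply rules, so the graph can change only in the ways the rewriting rules allow; that is what makes the model's safety question answerable.

```python
# Constructed example (not the slides' own code) of the Take-Grant protection
# graph: vertices are subjects or objects, a directed edge carries the set of
# rights the source holds over the destination, and the four rewriting rules
# of slide 11 are the only way the graph changes after its initial set-up.

TAKE, GRANT = "t", "g"   # the two distinguished rights in R


class ProtectionGraph:
    def __init__(self):
        self.kind = {}     # vertex name -> "subject" or "object"
        self.edges = {}    # (src, dst) -> set of rights src holds over dst

    def add_vertex(self, name, kind):
        if kind not in ("subject", "object"):
            raise ValueError("kind must be 'subject' or 'object'")
        if name in self.kind:
            raise ValueError(f"vertex {name!r} already exists")
        self.kind[name] = kind

    def add_edge(self, src, dst, rights):
        """Set up an edge of the initial graph G0 (not a rule application)."""
        self.edges.setdefault((src, dst), set()).update(rights)

    def rights(self, src, dst):
        return set(self.edges.get((src, dst), set()))

    def _require(self, cond, msg):
        if not cond:
            raise ValueError(msg)

    def _subject(self, s):
        self._require(self.kind.get(s) == "subject",
                      f"{s!r} must be a subject to apply a rule")

    # take rule:  s --t--> v  and  v --r--> o   gives   s --r--> o
    def take(self, s, v, o, r):
        self._subject(s)
        self._require(TAKE in self.rights(s, v), f"{s!r} holds no take right over {v!r}")
        self._require(r in self.rights(v, o), f"{v!r} holds no {r!r} over {o!r}")
        self.add_edge(s, o, {r})

    # grant rule:  s --g--> v  and  s --r--> o   gives   v --r--> o
    def grant(self, s, v, o, r):
        self._subject(s)
        self._require(GRANT in self.rights(s, v), f"{s!r} holds no grant right over {v!r}")
        self._require(r in self.rights(s, o), f"{s!r} holds no {r!r} over {o!r}")
        self.add_edge(v, o, {r})

    # create rule: subject s creates a new vertex and holds `rights` over it
    def create(self, s, new, kind, rights):
        self._subject(s)
        self.add_vertex(new, kind)
        self.add_edge(s, new, rights)

    # remove rule: subject s discards rights it holds over o
    def remove(self, s, o, rights):
        self._subject(s)
        held = self.edges.get((s, o))
        if held is not None:
            held.difference_update(rights)
            if not held:
                del self.edges[(s, o)]


def demo():
    """Constructed scenario: alice creates a file and can grant to bob; carol
    can take from bob.  Two rule applications carry 'read' from alice to carol."""
    g = ProtectionGraph()
    for name in ("alice", "bob", "carol"):
        g.add_vertex(name, "subject")
    g.create("alice", "file", "object", {"read", "write"})
    g.add_edge("alice", "bob", {GRANT})
    g.add_edge("carol", "bob", {TAKE})
    g.grant("alice", "bob", "file", "read")    # bob --read--> file
    g.take("carol", "bob", "file", "read")     # carol --read--> file
    g.remove("alice", "file", {"write"})       # alice drops write
    return g


if __name__ == "__main__":
    g = demo()
    for (src, dst), rs in sorted(g.edges.items()):
        print(f"{src} --{','.join(sorted(rs))}--> {dst}")
```

In this scenario read reaches carol only because the edges alice --g--> bob and carol --t--> bob exist in G0; with either one absent, the same grant or take call raises instead of rewriting the graph, and carol never obtains write because bob never holds it to be taken. Every rule is guarded by a subject check, matching the slide's convention that only subjects act.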

13
Closing the Gap
  • We can answer the safety question in specific systems, but not for generic systems (e.g. the HRU system).
  • What characteristic distinguishes a model for which the safety problem is decidable from one in which it is undecidable?

14
Closing the Gap
  1. The Schematic Protection Model (SPM)
  2. The Extended Schematic Protection Model (ESPM)
  3. Typed Access Matrix Models (TAMS)

15
The Schematic Protection Model (SPM)
  • This model is based on the notion of a protection type. This is a label that determines how control rights affect an entity.
  • Rights are partitioned into sets of inert rights (RI) and control rights (RC).
  • Inert rights do not alter the protection state of a system. For example, reading a file does not modify which entities have access to the document, so it is in RI.
  • However, in the Take-Grant model the take rule does, so take is in RC.

16
The Extended Schematic Protection Model (ESPM)
  • Implicit in the SPM is the assumption of a single parent. ESPM allows for more parents. This problem arises in distributed systems.
  • Example: Anne and Bill must cooperate to perform a certain task, but do not trust each other.
  • Such tasks may be achieved by using proxies: each creates a proxy, and grants the other's proxy only those rights that are needed to perform the task.

17
Typed Access Matrix models (TAMS)
  • The safety properties of SPM and ESPM are implicitly based on types. The TAM model adds the notion of type explicitly.
  • The type of an entity is fixed when the entity is created.
  • A protection state of a system is defined as (S, O, t, A), where S is the set of subjects, O the set of objects, A the Access Control Matrix, T the set of types and t : O → T.
  • For details see textbook.