
463.2 Foundations

463.2 Foundations. UIUC CS463 Computer Security. Based on slides provided by Matt Bishop for use with Computer Security: Art and Science. Overview: access control matrices (ACMs) and state transitions on them; the Harrison-Ruzzo-Ullman (HRU) result; the take-grant protection model; ACMs and privacy.



  1. 463.2 Foundations UIUC CS463 Computer Security Based on slides provided by Matt Bishop for use with Computer Security: Art and Science

  2. Overview • Access Control Matrices (ACMs) and state transitions on them • Harrison-Ruzzo-Ullman (HRU) result • Take-grant protection model • ACMs and privacy

  3. Required • Reading • Chapter 2, as needed • Section 3.1 • Section 3.2 through the proof of Theorem 3-2 • All of Section 3.3 through the paragraph after Definition 3-6 • The example in Section 3.3 after Corollary 3-2 • Exercises: From 3.9 do 1, 4.

  4. Access Control • Controlling access is a fundamental security problem • Access control policy expresses who is authorized to do what • Read files • Modify data • Access services • Change access

  5. Access Control Matrices • Subjects S = { s1, …, sn } • Objects O = { o1, …, om } • Rights R = { r1, …, rk } • Entries A[si, oj] ⊆ R • A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj • [Figure: the matrix with subjects s1 … sn as rows and objects (entities) o1 … om, s1 … sn as columns]

  6. Example 1: File System

  7. Example 2: Siebel Center • Unlock - right to unlock a door • Log - request entry logs from a door

  8. State Transitions • Change the protection state of system • |– represents transition • Xi |–τ Xi+1: command τ moves system from state Xi to Xi+1 • Xi |–* Xi+1: a sequence of commands moves system from state Xi to Xi+1 • Commands often called transformation procedures

  9. Primitive Operations • create subject s; create object o • Creates new row and column in ACM; creates new column in ACM • destroy subject s; destroy object o • Deletes row and column from ACM; deletes column from ACM • enter r into A[s, o] • Adds right r for subject s over object o • delete r from A[s, o] • Removes right r from subject s over object o

  10. Create Subject • Precondition: s ∉ S • Primitive command: create subject s

  11. Create Object • Precondition: o ∉ O • Primitive command: create object o

  12. Add Right • Precondition: s ∈ S, o ∈ O • Primitive command: enter r into A[s, o]

  13. Delete Right • Precondition: s ∈ S, o ∈ O • Primitive command: delete r from A[s, o]

  14. Destroy Subject • Precondition: s ∈ S • Primitive command: destroy subject s

  15. Destroy Object • Precondition: o ∈ O • Primitive command: destroy object o

  16. Creating File • Process p creates file f with r and w permission command create•file(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end

  17. Own Right • Usually allows possessor to change entries in ACM column • So owner of object can add, delete rights for others • May depend on what system allows • Can’t give rights to specific (set of) users • Can’t pass copy right to specific (set of) users

  18. Mono-Operational Commands • Make process p the owner of file g command make•owner(p, g) enter own into A[p, g]; end • Mono-operational command • A command with a single primitive operation in its body

  19. Conditional Commands • Let p give q the r right over f, if p owns f command grant•read•file•1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end

  20. Multiple Conditions • Let p give q the r rights over f, if p has rights r and c over f command grant•read•file•2(p, f, q) if r in A[p, f] and c in A[p, f] then enter r into A[q, f]; end

  21. Copy Right • Allows possessor to give rights to another • Often attached to a right, so only applies to that right • r is read right that cannot be copied • rc (r with copy flag) is read right that can be copied • Is copy flag copied when giving r rights? • Depends on model, instantiation of model

  22. Attenuation of Privilege • Principle says you can’t give rights you do not possess • Restricts addition of rights within a system • Usually ignored for owner • Why? Owner gives herself rights, gives them to others, deletes her rights. • Example: let a friend have a copy of the key to your house • Non-example: let a graduate program have a copy of a letter of reference for you
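The matrix, the six primitive operations with their preconditions, and the commands of slides 16 to 22, worked as running code. This is an added example, not code from the slides or from Bishop's book: the `ACM` class, the command names and the particular copy-flag behaviour in `grant_copyable` (the flag is required to pass a right and is not itself passed on, which is one of the instantiations slide 21 leaves open) are assumptions of this example.

```python
"""Access control matrix (ACM) with the six primitive operations and a few
HRU-style commands.  Added example: not code from the slides or from Bishop;
the class, the command names and the copy-flag instantiation are choices made here."""
from collections import defaultdict


class ACM:
    """Protection state: subjects S, objects O (S ⊆ O) and entries A[s, o] ⊆ R."""

    def __init__(self, rights):
        self.R = frozenset(rights)        # generic rights the system knows
        self.S, self.O = set(), set()     # every subject is also an object
        self.A = defaultdict(set)         # A[(s, o)] -> set of rights

    # --- the six primitive operations, each guarded by its precondition ---
    def create_subject(self, s):
        assert s not in self.O, "precondition: s ∉ S (and not an existing object)"
        self.S.add(s); self.O.add(s)      # new row and new column

    def create_object(self, o):
        assert o not in self.O, "precondition: o ∉ O"
        self.O.add(o)                     # new column only

    def destroy_subject(self, s):
        assert s in self.S, "precondition: s ∈ S"
        self.S.discard(s); self.O.discard(s)
        for key in [k for k in self.A if s in k]:
            del self.A[key]               # drop the row and the column

    def destroy_object(self, o):
        assert o in self.O and o not in self.S, "precondition: o ∈ O (subjects go through destroy_subject)"
        self.O.discard(o)
        for key in [k for k in self.A if k[1] == o]:
            del self.A[key]               # drop the column

    def enter(self, r, s, o):
        assert r in self.R and s in self.S and o in self.O, "precondition: s ∈ S, o ∈ O"
        self.A[(s, o)].add(r)

    def delete(self, r, s, o):
        assert s in self.S and o in self.O, "precondition: s ∈ S, o ∈ O"
        self.A[(s, o)].discard(r)

    def has(self, r, s, o):
        return r in self.A.get((s, o), set())


# --- commands: conditions tested on the matrix, then primitive operations ---
def create_file(acm, p, f):
    """command create•file(p, f) (slide 16): p creates f with own, r and w."""
    acm.create_object(f)
    for r in ("own", "r", "w"):
        acm.enter(r, p, f)


def make_owner(acm, p, g):
    """Mono-operational command (slide 18): a single primitive in the body."""
    acm.enter("own", p, g)


def grant_read_file_1(acm, p, f, q):
    """if own in A[p, f] then enter r into A[q, f] (slide 19)."""
    if acm.has("own", p, f):
        acm.enter("r", q, f)


def grant_read_file_2(acm, p, f, q):
    """if r in A[p, f] and c in A[p, f] then enter r into A[q, f] (slide 20)."""
    if acm.has("r", p, f) and acm.has("c", p, f):
        acm.enter("r", q, f)


def grant_copyable(acm, p, f, q, right):
    """One instantiation of the copy flag (slides 21-22): p may pass `right` only
    if it holds the copyable form right+'c', and q receives the plain right, so
    the flag does not propagate.  Returns whether the transfer happened."""
    if acm.has(right + "c", p, f):
        acm.enter(right, q, f)
        return True
    return False                          # attenuation: p cannot give what it lacks


def demo():
    acm = ACM(["own", "r", "w", "c", "rc", "wc"])
    for s in ("p", "q", "z"):
        acm.create_subject(s)
    create_file(acm, "p", "f")
    grant_read_file_1(acm, "p", "f", "q")              # p owns f: q gets r
    grant_read_file_1(acm, "q", "f", "z")              # q does not own f: no effect
    acm.enter("rc", "q", "f")                          # q now holds a copyable read right
    passed = grant_copyable(acm, "q", "f", "z", "r")   # z gets r, but not rc
    blocked = grant_copyable(acm, "z", "f", "p", "w")  # z holds no wc: refused
    return acm, passed, blocked
```

Every primitive asserts its precondition, so a command whose body would violate one (entering a right for a subject that was never created, say) fails loudly instead of silently growing the matrix; the commands themselves only test conditions and never bypass the primitives.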

  23. Key Points • Access control matrix simple abstraction mechanism for representing protection state • Transitions alter protection state • 6 primitive operations alter matrix • Transitions can be expressed as commands composed of these operations and, possibly, conditions

  24. Proving Security • Want to prove system “secure” • What does that mean? • Subjects should only have “authorized” rights • E.g. no one except for me can write to my home directory • Easy to check in any given protection state • What about the dynamic protection system?

  25. Formalizing Security • Adding a generic right r to a subject or object that did not have it before is “leaking r” • If a system S, beginning in initial state s0, cannot leak right r, it is secure with respect to the right r. • General property, can simulate: • Leaking a right r on a specific object o • Leaking r to a subject outside a “trusted” set

  26. Deciding Security • Does there exist an algorithm for determining whether a protection system S with initial state s0 is secure with respect to a generic right r?

  27. General Case • Answer: no • Sketch of proof: reduce the halting problem to the security problem • Turing Machine review: • Infinite tape in one direction • States K, symbols M; distinguished blank b • Transition function δ(k, m) = (k′, m′, L) means: in state k with symbol m under the head, replace m by m′, move the head one square to the left, and enter state k′ • Halting state is qf; TM halts when it enters this state Harrison Ruzzo Ullman 76

  28. Mapping • Tape cells 1 2 3 4 … hold A B C D …; the head is on cell 3 and the current state is k • Cell i becomes subject si; the cell's symbol is a right in A[si, si]; own in A[si, si+1] links each cell to its right-hand neighbour; the current state is a right in the head cell's diagonal entry; end marks the rightmost cell
        s1      s2      s3      s4
  s1    A       own
  s2            B       own
  s3                    C k     own
  s4                            D end

  29. Mapping • After δ(k, C) = (k1, X, R), where k is the current state and k1 the next state: the tape cells now hold A B X D … and the head has moved to cell 4
        s1      s2      s3      s4
  s1    A       own
  s2            B       own
  s3                    X       own
  s4                            D k1 end

  30. Command Mapping • δ(k, C) = (k1, X, R) at an intermediate cell becomes command c_{k,C}(s3, s4) if own in A[s3, s4] and k in A[s3, s3] and C in A[s3, s3] then delete k from A[s3, s3]; delete C from A[s3, s3]; enter X into A[s3, s3]; enter k1 into A[s4, s4]; end

  31. Mapping • After δ(k1, D) = (k2, Y, R), where k1 is the current state and k2 the next state: the head moved right off the last cell, so a new cell 5 (subject s5) holding the blank b is created and end moves to it; the tape cells hold A B X Y b
        s1      s2      s3      s4      s5
  s1    A       own
  s2            B       own
  s3                    X       own
  s4                            Y       own
  s5                                    b k2 end

  32. Command Mapping • δ(k1, D) = (k2, Y, R) at the rightmost cell becomes command crightmost_{k1,D}(s4, s5) if end in A[s4, s4] and k1 in A[s4, s4] and D in A[s4, s4] then delete end from A[s4, s4]; create subject s5; enter own into A[s4, s5]; enter end into A[s5, s5]; enter b into A[s5, s5]; delete k1 from A[s4, s4]; delete D from A[s4, s4]; enter Y into A[s4, s4]; enter k2 into A[s5, s5]; end • (The new cell starts out blank, as in the previous slide, so b is entered along with end.)

  33. Rest of Proof • Protection system exactly simulates a TM • Exactly 1 end right in ACM • Exactly 1 state right in the ACM; the entry it sits in is the head position • Thus, at most 1 applicable command • If TM enters state qf, then the right qf has leaked • If security question decidable, then represent TM as above and determine if qf leaks • Implies halting problem decidable • Conclusion: security question undecidable
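The reduction of slides 27 to 33 run concretely: the matrix is built from a tape, the commands c_{k,C} and crightmost_{k,C} are implemented as condition-then-body pairs, each step first enumerates every (command, binding) whose conditions hold and checks that there is at most one, and "has qf leaked" is the halting test. This is an added example, not code from the slides or from the HRU paper; the two-rule machine `DELTA`, the tape, and the name scheme `s1, s2, …` are constructed for illustration, and the example assumes state names, tape symbols, `own` and `end` are pairwise distinct rights (a machine that moves left off cell 1 simply has no applicable command and stops).

```python
"""The HRU reduction run concretely: a Turing machine step is a command on an
access control matrix, and the halting state q_f appearing anywhere is the
"leak" (slides 27-33).  Added example, not code from the slides or from HRU 76;
the two-rule machine and the tape below are constructed for illustration."""
from collections import defaultdict

BLANK = "b"


class TMasACM:
    def __init__(self, delta, start, halt, tape):
        self.delta = delta                     # (state, symbol) -> (state', symbol', 'L' | 'R')
        self.halt = halt                       # q_f: there is no δ entry for it
        self.symbols = {c for _, c in delta} | {x for _, x, _ in delta.values()} | set(tape) | {BLANK}
        states = {k for k, _ in delta} | {k for k, _, _ in delta.values()}
        assert not self.symbols & (states | {"own", "end"}), "rights must be distinguishable"
        self.A = defaultdict(set)              # A[(s, o)]; subject s_i is tape cell i
        self.subjects = []
        for i, sym in enumerate(tape, start=1):
            self.create_subject(f"s{i}")
            self.A[(f"s{i}", f"s{i}")].add(sym)           # cell contents live on the diagonal
            if i > 1:
                self.A[(f"s{i-1}", f"s{i}")].add("own")   # own links a cell to its right neighbour
        self.A[(self.subjects[-1],) * 2].add("end")        # exactly one end right
        self.A[("s1", "s1")].add(start)                     # head on cell 1: exactly one state right

    def create_subject(self, s):
        assert s not in self.subjects
        self.subjects.append(s)

    # --- command c_{k,C}(s_from, s_to): conditions, then body (slide 30) ---
    def conds_move(self, s_from, s_to, k, C):
        _, _, d = self.delta[(k, C)]
        cell = self.A[(s_from, s_from)]
        if d == "R" and "end" in cell:
            return False                       # the rightmost cell needs c^rightmost instead
        link = (s_from, s_to) if d == "R" else (s_to, s_from)
        return "own" in self.A[link] and k in cell and C in cell

    def body_move(self, s_from, s_to, k, C):
        k2, X, _ = self.delta[(k, C)]
        cell = self.A[(s_from, s_from)]
        cell.discard(k); cell.discard(C); cell.add(X)      # delete k, delete C, enter X
        self.A[(s_to, s_to)].add(k2)                        # enter k' into the new head cell

    # --- command c^rightmost_{k,C}(s_from, s_new): extends the tape (slide 32) ---
    def conds_rightmost(self, s_from, k, C):
        _, _, d = self.delta[(k, C)]
        return d == "R" and {"end", k, C} <= self.A[(s_from, s_from)]

    def body_rightmost(self, s_from, k, C):
        k2, X, _ = self.delta[(k, C)]
        cell = self.A[(s_from, s_from)]
        s_new = f"s{len(self.subjects) + 1}"
        cell.discard("end")
        self.create_subject(s_new)
        self.A[(s_from, s_new)].add("own")
        self.A[(s_new, s_new)] |= {"end", BLANK}            # new cell is blank and now rightmost
        cell.discard(k); cell.discard(C); cell.add(X)
        self.A[(s_new, s_new)].add(k2)

    def applicable(self):
        """Every (command, binding) whose conditions hold; the encoding allows at most one."""
        found = []
        for (k, C) in self.delta:
            for s in self.subjects:
                for t in self.subjects:
                    if t != s and self.conds_move(s, t, k, C):
                        found.append(("move", (s, t, k, C)))
                if self.conds_rightmost(s, k, C):
                    found.append(("rightmost", (s, k, C)))
        return found

    def step(self):
        cmds = self.applicable()
        assert len(cmds) <= 1, "at most one command is applicable in any state"
        if not cmds:
            return False                       # no transition: the machine is stuck or halted
        name, args = cmds[0]
        (self.body_move if name == "move" else self.body_rightmost)(*args)
        return True

    def leaked(self):
        """The security question: has q_f entered some entry?"""
        return any(self.halt in rs for rs in self.A.values())

    def run(self, max_steps=10_000):
        steps = 0
        while not self.leaked() and steps < max_steps and self.step():
            steps += 1
        return self.leaked(), steps

    def tape(self):
        return "".join(next(iter(self.A[(s, s)] & self.symbols)) for s in self.subjects)


# Constructed machine: overwrite every 1 with 0 moving right; on the first blank, step left and halt.
DELTA = {("q0", "1"): ("q0", "0", "R"), ("q0", BLANK): ("qf", BLANK, "L")}


def demo(tape=("1", "1")):
    m = TMasACM(DELTA, "q0", "qf", tape)
    halted, steps = m.run()
    return m, halted, steps
```

On the tape `11` the run takes three commands: one c_{q0,1}, one crightmost_{q0,1} that creates s3, and one left move that enters qf into A[s2, s2], at which point no command is applicable and the leak check answers the halting question. `applicable()` deliberately tries every ordered pair of subjects rather than only neighbours, so the assertion in `step()` is what verifies the "at most one applicable command" claim of slide 33.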

  34. Mono-Operational Commands • Is security decidable if we restrict commands to be mono-operational? • Answer: yes • Sketch of proof: consider a minimal sequence of commands c1, …, ck that leaks the right. • Has no instances of delete, destroy • Can rewrite to have only one create • Worst case: insert every right into every entry; with |S0| subjects and |O0| objects initially and n generic rights, the matrix never grows beyond (|S0|+1) × (|O0|+1) entries, so the upper bound is k ≤ n(|S0|+1)(|O0|+1) + 1 (the +1 is the single create) • Enumerating all command sequences up to that length therefore decides the question

  35. Has no Destroy or Delete • c1 … cn−1 (if B then delete r′ from A[p, o]) leaks rights that are ⊆ those leaked by c1 … cn−1, so a trailing deletion can be dropped • Suppose ck is the rightmost deletion: c1 … ck−1 (if B then delete r′ from A[p, o]) ck+1 … cn • Rights leaked by this expression are ⊆ those leaked by c1 … ck−1 ck+1 (if B then delete r′ from A[p, o]) ck+2 … cn, because ck+1 then runs with at least the rights it saw before and conditions only test presence • So move the deletion to the right and remove it; destroy is handled the same way • Example case for the swap: ck+1 = (if B′ then create s)

  36. Consolidate Creates to One • Suppose the expression created s1 and s2 and tested rights in A[s1, o1] and A[s2, o2] • Use the same tests with s1 in place of s2, on a matrix where A[s1, o2] = A[s1, o2] ∪ A[s2, o2] (the rights of the two created subjects are merged into the one that survives)
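The decision procedure that slides 34 to 36 sketch, together with the leak definition of slide 25, as an added example (not code from the slides or from Bishop). It follows the proof directly: delete and destroy commands are ignored, enter commands only add rights and conditions only test presence, so the reachable rights without a create are a fixed point; then each create enabled after that fixed point is tried once, followed by a second fixed point. The tuple encoding of commands, the fresh name `new`, and the alice/bob/f system are constructions of this example.

```python
"""Deciding the safety question for mono-operational systems (slides 25-26 and
34-36), following the proof sketch: delete/destroy commands are never needed,
at most one create is, and the remaining enter commands only add rights, so
the reachable rights form a fixed point.  Added example, not code from the
slides or from Bishop; the command encoding and the sample system are constructed."""
from itertools import product
import copy

# A mono-operational command is (name, params, conds, op):
#   conds: list of (right, p, o) meaning "right in A[p, o]" for parameters p, o
#   op:    ("enter", right, p, o) | ("create_subject", p) | ("create_object", p)
#          | ("delete", right, p, o) | ("destroy_subject", p) | ("destroy_object", p)
NEW = "new"   # the fresh name bound to a create's parameter (assumed unused elsewhere)


def holds(A, conds, env):
    return all(r in A.get((env[p], env[o]), set()) for r, p, o in conds)


def close_enters(S, O, A, commands, trace):
    """Fire enter commands until nothing changes.  Conditions only test presence
    of rights, so firing order is irrelevant and the loop terminates."""
    enters = [c for c in commands if c[3][0] == "enter"]
    changed = True
    while changed:
        changed = False
        for name, params, conds, (_, r, p, o) in enters:
            for binding in product(sorted(S | O), repeat=len(params)):
                env = dict(zip(params, binding))
                if env[p] not in S or env[o] not in O:          # primitive's precondition
                    continue
                if holds(A, conds, env) and r not in A.get((env[p], env[o]), set()):
                    A.setdefault((env[p], env[o]), set()).add(r)
                    trace.append((name, binding))
                    changed = True


def leaks(S0, O0, A0, commands, r):
    """Can generic right r leak, i.e. be entered into an entry that lacked it?
    Returns (leaked, witness command sequence).  delete/destroy commands are ignored."""
    assert NEW not in S0 | O0

    def leaked(A):
        return any(r in rs and r not in A0.get(cell, set()) for cell, rs in A.items())

    S, O, A, trace = set(S0), set(O0), copy.deepcopy(A0), []
    close_enters(S, O, A, commands, trace)
    if leaked(A):
        return True, trace
    # Branch over each create enabled after the first closure; one create suffices.
    for name, params, conds, op in commands:
        if op[0] not in ("create_subject", "create_object"):
            continue
        others = [p for p in params if p != op[1]]
        for binding in product(sorted(S | O), repeat=len(others)):
            env = dict(zip(others, binding), **{op[1]: NEW})
            if not holds(A, conds, env):
                continue
            S2 = S | ({NEW} if op[0] == "create_subject" else set())
            O2, A2 = O | {NEW}, copy.deepcopy(A)
            t2 = trace + [(name, tuple(env[p] for p in params))]
            close_enters(S2, O2, A2, commands, t2)
            if leaked(A2):
                return True, t2
    return False, []


def bound(n_rights, S0, O0):
    """Slide 34: a minimal leaking sequence has at most n(|S0|+1)(|O0|+1)+1 commands."""
    return n_rights * (len(S0) + 1) * (len(O0) + 1) + 1


# Constructed sample: alice owns f and may write it; bob has nothing.
RIGHTS = {"own", "r", "w"}
S0, O0 = {"alice", "bob"}, {"alice", "bob", "f"}
A0 = {("alice", "f"): {"own", "w"}}
GRANT_R = ("grant•read", ("p", "f", "q"), [("own", "p", "f")], ("enter", "r", "q", "f"))
PASS_W = ("pass•write", ("p", "f", "q"), [("own", "p", "f"), ("r", "q", "f")],
          ("enter", "w", "q", "f"))


def demo():
    # With only grant•read, w never leaves alice; adding pass•write lets it reach bob.
    return leaks(S0, O0, A0, [GRANT_R], "w"), leaks(S0, O0, A0, [GRANT_R, PASS_W], "w")
```

The witness returned is the list of fired commands with their bindings, and its length is always within the slide's bound, which is what makes the procedure an algorithm rather than a search that might not terminate. Note that under the slide-25 definition even `grant•read` "leaks" r, since it enters r into an entry that lacked it; safety is always asked about a specific right.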

  37. Take-Grant Protection Model • A specific (not generic) system • Set of rules for state transitions • Safety decidable, and in time linear with the size of the system • Goal: find conditions under which rights can be transferred from one entity to another in the system Jones Lipton Snyder 76

  38. System • ○ objects (files, …) • ● subjects (users, processes, …) • ⊗ don't care (either a subject or an object) • G |–x G′: apply a rewriting rule x (witness) to G to get G′ • G |–* G′: apply a sequence of rewriting rules (witness) to G to get G′ • R = { t, g, r, w, … } set of rights

  39. Rules • take: x ●–t→ y and y –α→ z ⊢ x –α→ z (a subject x holding t over y takes any right y holds) • grant: x ●–g→ y and x –α→ z ⊢ y –α→ z (a subject x holding g over y gives y any right x holds)

  40. More Rules • create: a subject x creates a new vertex v and gets α rights over it, x –α→ v • remove: a subject x removes β ⊆ α from its edge to y, leaving x –(α − β)→ y • These four rules are called the de jure rules

  41. Example: Shared Buffer • Initially s has grant rights for processes p and q. • s sets up a shared buffer for p, q with the following steps • s creates ({r, w} to new object) b • s grants ({r, w} to b) to p • s grants ({r, w} to b) to q

  42. Symmetry • If z ●–t→● x (z can take from x) and z holds α over y, then x can obtain α over y, so a take edge can be exploited in either direction • Witness: x creates (tg to new) v; z takes (g to v) from x; z grants (α to y) to v; x takes (α to y) from v • Result: x –α→ y, with the helper vertex v holding α over y, x holding tg over v and z holding g over v • Similar result for grant

  43. Islands • tg-path: path of distinct vertices connected by edges labeled t or g • Call them “tg-connected” • island: maximal tg-connected subject-only subgraph • Any right one vertex has can be shared with any other vertex

  44. Example • [Figure: a protection graph on subjects s, s′, p, q, u, v, w, x, y with edges labeled t, g and r, illustrating islands; not reproduced in the transcript]

  45. can•share Predicate Definition: can•share(r, x, y, G0) if, and only if, there is a sequence of protection graphs G0, …, Gn such that G0 |–* Gn using only de jure rules and in Gn there is an edge from x to y labeled r.

  46. can•share Properties • If x and z are subjects in the same island and z holds right r over y, then can•share(r, x, y, G0) • Proof by induction along the tg-path using the take and grant rules and the symmetry results for edges pointing the other way • General result: can•share(r, x, y, G0) is decidable using an algorithm of complexity O(|V| + |E|) where V and E are the vertices and edges in the graph • Proof omitted. Sketch given at the end of 3.3.1.
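The take-grant machinery of slides 37 to 46 as an added example (not code from the slides or from Jones, Lipton and Snyder): the four de jure rules with their preconditions, the shared-buffer set-up of slide 41, and a constructive witness for sharing inside an island that walks a tg-path and, for each hop, applies take or grant directly or the symmetry derivation of slide 42 when the edge points the wrong way. Vertex names, the helper-vertex naming `v1, v2, …` and both demo graphs are constructions of this example; the general O(|V|+|E|) decision procedure the slide mentions is not implemented, only the island case.

```python
"""Take-Grant protection graphs: the four de jure rules, the shared-buffer set-up
(slide 41), the take-symmetry derivation (slide 42) and sharing within an island
(slides 43-46).  Added example, not code from the slides or from Jones, Lipton and
Snyder; vertex names and both demo graphs are constructed."""
from collections import defaultdict, deque


class ProtectionGraph:
    def __init__(self):
        self.subjects, self.objects = set(), set()     # ● and ○ vertices
        self.edges = defaultdict(set)                  # edges[(x, y)] -> rights x holds over y
        self.fresh = 0

    def add(self, name, subject=True):
        (self.subjects if subject else self.objects).add(name)

    def rights(self, x, y):
        return self.edges.get((x, y), set())

    # --- de jure rules: each checks its preconditions and reports whether it fired ---
    def take(self, x, y, z, alpha):
        """x ●-t→ y and y -α→ z  ⊢  x -α→ z."""
        ok = x in self.subjects and "t" in self.rights(x, y) and set(alpha) <= self.rights(y, z)
        if ok:
            self.edges[(x, z)] |= set(alpha)
        return ok

    def grant(self, x, y, z, alpha):
        """x ●-g→ y and x -α→ z  ⊢  y -α→ z."""
        ok = x in self.subjects and "g" in self.rights(x, y) and set(alpha) <= self.rights(x, z)
        if ok:
            self.edges[(y, z)] |= set(alpha)
        return ok

    def create(self, x, alpha, subject=True, name=None):
        """x ● creates a new vertex and gets α over it; returns the vertex name."""
        assert x in self.subjects
        self.fresh += 1
        new = name or f"v{self.fresh}"
        assert new not in self.subjects | self.objects
        self.add(new, subject)
        self.edges[(x, new)] |= set(alpha)
        return new

    def remove(self, x, y, beta):
        """x ● drops β ⊆ α from its edge to y; the remaining rights stay."""
        ok = x in self.subjects and set(beta) <= self.rights(x, y)
        if ok:
            self.edges[(x, y)] -= set(beta)
        return ok

    # --- islands: tg-paths through subjects only, edge direction ignored ---
    def tg_path(self, x, z):
        """Shortest tg-path of subjects from x to z; None if they are in different islands."""
        adj = defaultdict(set)
        for (a, b), rs in self.edges.items():
            if a in self.subjects and b in self.subjects and rs & {"t", "g"}:
                adj[a].add(b); adj[b].add(a)
        prev, queue = {x: None}, deque([x])
        while queue:
            v = queue.popleft()
            if v == z:
                path = []
                while v is not None:
                    path.append(v); v = prev[v]
                return path[::-1]
            for w in sorted(adj[v] - set(prev)):
                prev[w] = v; queue.append(w)
        return None

    def hop(self, x, w, y, alpha):
        """Give x the rights α its tg-neighbour w holds over y.  A t edge out of x or a g
        edge into x needs one rule; an edge pointing the other way needs the symmetry
        derivation of slide 42: x creates a helper vertex v, then take/grant through it."""
        if "t" in self.rights(x, w):
            return self.take(x, w, y, alpha)
        if "g" in self.rights(w, x):
            return self.grant(w, x, y, alpha)
        v = self.create(x, {"t", "g"})                              # x creates (tg to new) v
        if "t" in self.rights(w, x):
            ok = self.take(w, x, v, {"g"})                          # w takes (g to v) from x
        else:
            ok = self.grant(x, w, v, {"g"})                         # x grants (g to v) to w
        return ok and self.grant(w, v, y, alpha) and self.take(x, v, y, alpha)

    def share_via_island(self, x, z, y, alpha):
        """Witness for can•share(α, x, y): x and z are subjects of one island and z -α→ y."""
        path = self.tg_path(x, z)
        if path is None or not set(alpha) <= self.rights(z, y):
            return False
        return all(self.hop(path[i], path[i + 1], y, alpha) for i in range(len(path) - 2, -1, -1))


def demo():
    # Slide 41: s holds g over p and q and sets up a shared buffer b for them.
    g1 = ProtectionGraph()
    for name in ("s", "p", "q"):
        g1.add(name)
    g1.edges[("s", "p")].add("g"); g1.edges[("s", "q")].add("g")
    b = g1.create("s", {"r", "w"}, subject=False, name="b")
    buffer_ok = g1.grant("s", "p", b, {"r", "w"}) and g1.grant("s", "q", b, {"r", "w"})
    # Island x - z - u where both tg edges point the "wrong" way for x; u reads object y.
    g2 = ProtectionGraph()
    for name in ("x", "z", "u", "w"):
        g2.add(name)
    g2.add("y", subject=False)
    g2.edges[("z", "x")].add("t"); g2.edges[("z", "u")].add("g"); g2.edges[("u", "y")].add("r")
    island_ok = g2.share_via_island("x", "u", "y", {"r"})
    outsider_ok = g2.share_via_island("w", "u", "y", {"r"})      # w is in its own island
    return g1, g2, buffer_ok, island_ok, outsider_ok
```

In the second graph neither hop can use a rule directly: z ●–g→ u needs the grant symmetry and z ●–t→ x the take symmetry, so two helper vertices get created, and afterwards x holds r over y exactly as slide 43 promises for subjects of one island. A rule call that fails its precondition returns False without touching the graph, which is what makes `share_via_island` a checked witness rather than an assertion.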

  47. Graham-Denning ACM • Subject executing the commands is x • Transferable rights are denoted r* • Non-transferable rights are denoted r Graham Denning 72

  48. Privacy APIs: Formal Models May Gunter Lee 06

  49. Approach • Formalize legal texts and use model checking to evaluate their static properties. • Compare to policy in practice to find compliance. • [Figure: full text (English) → selection → command set (English) → privacy commands → model (Promela) → model checking against a reference]

  50. Privacy Fundamentals • Transfer: What is the right of a principal p to transfer an object x to a principal q where x is about a subject r? • Action: What is the right of a principal p to carry out an action that affects the privacy of a principal q? • Creation: Which principals p are allowed to create objects x whose subject is q? • Right Establishment: How are rights established for a principal p? Gunter May Stubblebine 04
