1 / 21

Chapter 3: Foundational Results

Chapter 3: Foundational Results. Overview Harrison-Ruzzo-Ullman result Corollaries. Overview. Safety Question HRU Model. The general question. How can we determine whether a system is safe? Is there a generic algorithm that will determine whether a system is safe?.

elliott-grimes
Download Presentation

Chapter 3: Foundational Results

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 3: Foundational Results • Overview • Harrison-Ruzzo-Ullman result • Corollaries

  2. Overview • Safety Question • HRU Model

  3. The general question • How can we determine whether a system is safe? • Is there a generic algorithm that will determine whether a system is safe?

  4. Reminder: safe vs secure • The term safe is used to refer to the abstract model. • The term secure is used when referring to implementations

  5. What Is “Safe”? • Adding a generic right r where there was not one is “leaking” • If a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r.

  6. Safety Question • Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r?

  7. Mono-Operational Commands • Answer: yes • Theorem There exists an algorithm that will determine whether given mono-operational protection system with initial state s0 is safe with respect to a given generic right r.

  8. Mono-Operational Commands • Sketch of proof: Consider the minimal sequence of commands c1, …, ck needed to leak the right. • Can omit delete, destroy (no commands can test for the absence of rights in an ACM) • Can merge all creates into one Worst case: insert every right into every entry; with s subjects and o objects initially, and n rights. Then (at worst) there are k ≤ n(s+1)(o+1) commands

  9. General Case • Answer: no • Theorem It is undecidable whether a given state of a general protection system with is safe for a given right r.

  10. General Case • Sketch of proof: Reduce the halting problem to safety problem

  11. Turing Machine review • Infinite tape in one direction • States K, • Symbols M (alphabet); distinguished blank b • Transition function (k, m) = (k, m, L) means in state k, symbol m on tape location replaced by symbol m, head moves to left one square, and enters state k • Halting state is qf; TM halts when it enters this state

  12. Halting problem • Determine if an arbitrary TM will enter a halting state qf • The Halting problem is known to be undecidable.

  13. Mapping • First we construct a map from the states and symbols of a Turing machine TM to the rights in the access control matrix A. • The generic rights are taken to be • the symbols in M and • a set of distinct symbols each representing a state in K. • Each cell of TM is a subject. • Define a distinguished right own and such that siownssi+1

  14. Mapping 1 2 3 4 s1 s2 s3 s4 A B C D … s1 A own head s2 B own s3 C k own Current state is k s4 D end

  15. Mapping 1 2 3 4 s1 s2 s3 s4 A B X D … s1 A own head s2 B own s3 X own After (k, C) = (k1, X, R) where k is the current state and k1 the next state s4 D k1 end

  16. Command Mapping (k, C) = (k1, X, R) at intermediate becomes command ck,C(s3,s4) ifowninA[s3,s4] andkinA[s3,s3] and C inA[s3,s3] then deletekfromA[s3,s3]; delete C fromA[s3,s3]; enter X intoA[s3,s3]; enterk1intoA[s4,s4]; end

  17. Mapping 1 2 3 4 5 s1 s2 s3 s4 s5 A B X Y b s1 A own head s2 B own s3 X own After (k1, D) = (k2, Y, R) where k1 is the current state and k2 the next state s4 Y own s5 bk2 end

  18. Command Mapping (k1, D) = (k2, Y, R) at end becomes command crightmostk,C(s4,s5) ifendinA[s4,s4] andk1inA[s4,s4] and D inA[s4,s4] then deleteendfromA[s4,s4]; create subjects5; enterown into A[s4,s5]; enterendintoA[s5,s5]; deletek1fromA[s4,s4]; delete D fromA[s4,s4]; enter Y intoA[s4,s4]; enterk2intoA[s5,s5]; end

  19. Rest of Proof • Protection system exactly simulates a TM • Exactly 1 end right in ACM • 1 right in entries corresponds to state • Thus, at most 1 applicable command • If TM enters state qf, then right has leaked • If safety question decidable, then represent TM as above and determine if qf leaks • Implies halting problem decidable • Conclusion: safety question undecidable

  20. Other Results • Set of unsafe systems is recursively enumerable (there is TM that will enumerate all systems) • Delete create primitive; then safety question is complete in P-SPACE • Delete destroy, delete primitives; then safety question is undecidable • Such systems are called monotonic: the size and complexity only increases. • Safety question for mono-conditional, monotonic protection systems is decidable • Safety question for mono-conditional protection systems with create, enter, delete (and no destroy) is decidable.

  21. Key Points • Safety problem undecidable • Limiting scope of systems can make problem decidable

More Related