Other Access Control Models: The Take-Grant Protection Model
The Take-Grant Protection Model
Can safety be guaranteed for a specific system? Yes, for a specific collection of commands, called the take-grant protection model.
A graph model: subjects, objects, and vertices that may be either are drawn with distinct vertex symbols (in Bishop's notation ● for a subject, ○ for an object, ⊗ for either).
Labeled edges give the rights of the source vertex over the destination vertex. Labels are taken from a set R that contains two special rights: t (take) and g (grant).
Four graph-rewrite rules (the de jure rules) derive new protection states, and so new permissions, from the current graph.
De jure rules - i
i. X creates (α to new vertex) Y: a new vertex Y is added, together with an edge X → Y labeled α.
ii. X removes (α to) Y: the edge X → Y labeled β is relabeled β − α; if β − α is empty, the edge is removed.
(Only a subject can apply a rule.)
De jure rules - ii
iii. X takes (α to Z) from Y: requires an edge X → Y labeled t and an edge Y → Z labeled β with α ⊆ β; adds an edge X → Z labeled α.
iv. Z grants (α to Y) to X: requires an edge Z → X labeled g and an edge Z → Y labeled β with α ⊆ β; adds an edge X → Y labeled α.
Protection state = graph; state transition = rewriting the graph.
Example: x, y, z are subjects, z holds t over x and α over y. Then G0 ⊢* a graph with an edge x → y labeled α:
  x creates (t, g to new vertex) v
  z takes (g to v) from x
  z grants (α to y) to v
  x takes (α to y) from v
v served only as an intermediary and can be discarded afterwards.
Sharing of Rights
Definition: the predicate can-share(α, x, y, G0) is true for a set of rights α and two vertices x, y iff there is a sequence of graphs G1, …, Gn with G0 ⊢* Gn, each step an application of one of the four de jure rules, such that Gn contains an edge from x to y labeled α.
Definition: a tg-path is a sequence v0, …, vn of distinct vertices in which every vi is connected to vi+1 by an edge, in either direction, labeled t or g.
Definition: two vertices are tg-connected if there is a tg-path between them.
Statement: any two subjects joined by a tg-path of length 1 can share rights: a right that one of them holds over a third vertex can be obtained by the other.
Proof: let z hold α over y and let x be the other subject. The take rule (x → z labeled t) and the grant rule (z → x labeled g) cover two of the four cases. The following two lemmas cover the remaining two (z → x labeled t, and x → z labeled g).
Lemma 3-1: let x, y, z be subjects with z → x labeled t and z → y labeled α. Then x can obtain α over y, i.e. G0 ⊢* G with an edge x → y labeled α.
Proof of Lemma 3-1
Step 1: x creates (tg to new vertex) v. Now x → v is labeled t, g.
Step 2: z takes (g to v) from x, using z → x labeled t. Now z → v is labeled g.
Step 3: z grants (α to y) to v, using z → v labeled g and z → y labeled α. Now v → y is labeled α.
Step 4: x takes (α to y) from v, using x → v labeled t. Now x → y is labeled α.
Lemma 3-2: let x, y, z be subjects with x → z labeled g and z → y labeled α. Then x can obtain α over y.
Proof: x creates (tg to new vertex) v; x grants (g to v) to z; z grants (α to y) to v; x takes (α to y) from v.
Observation: the take and grant rules are symmetric when the vertices on the tg-path between x and y are subjects: a right can be moved in either direction along the path.
More definitions and properties - 1
Definition: an island is a maximal tg-connected subject-only subgraph.
Lemma: a right possessed by any vertex in an island can be shared with any other vertex in the island.
Transferring rights between islands: a subject in one island must be able to obtain the right from a subject in another island.
Notation: the four basic symbols t→, ←t, g→, ←g describe the edges of a tg-path as seen from the first vertex of the path: t→ means the edge points forward along the path and is labeled t, ←t means it points backward and is labeled t, and likewise g→ and ←g. The word associated with a path is the concatenation of its symbols; sets of words are written with * (Kleene star) and concatenation.
More definitions and properties - 2
Definition: a bridge is a tg-path whose two endpoints are subjects and whose associated word is one of t→*, ←t*, t→* g→ ←t*, t→* ←g ←t*.
Observation: along a bridge a right can be transferred from one endpoint to the other.
Theorem: subject-can-share(α, x, y, G0) is true iff x and y are subjects and either there is an edge from x to y labeled α in G0, or the following hold:
  there is a subject s ∈ G0 with an edge s → y labeled α;
  there are islands I1, …, In with x ∈ I1 and s ∈ In, and for each j there is a bridge from Ij to Ij+1.
Observation: objects cannot act. When the holder of the right or the intended receiver is an object, a subject must take the right from the object that holds it, and a subject must grant it to the object that is to receive it.
More definitions and properties - 3
Observation: only subjects can act, so in the general case a transfer may begin with a right possessed by an object and end with that right given to another object, with subjects acting on both objects' behalf.
Definition: a vertex x initially spans to y if x is a subject and there is a tg-path from x to y with associated word in {t→* g→} ∪ {ν} (ν is the empty word). Meaning: x can grant a right it possesses to y, by taking along the t edges and granting over the final g edge.
More definitions and properties - 4
Definition: a vertex x terminally spans to y if x is a subject and there is a tg-path from x to y with associated word in {t→*} ∪ {ν}. Meaning: x may take any right that y possesses, by taking along the chain of t edges; if y holds α over w, x ends up holding α over w.
More definitions and properties - 5
Theorem: can-share(α, x, y, G0) is true iff there is an edge from x to y labeled α in G0, or the following hold simultaneously:
  there is a vertex s ∈ G0 with an edge s → y labeled α;
  there is a subject vertex x′ such that x′ = x or x′ initially spans to x;
  there is a subject vertex s′ such that s′ = s or s′ terminally spans to s;
  there are islands I1, …, In with x′ ∈ I1 and s′ ∈ In, and for each j there is a bridge from Ij to Ij+1.
See the next slide.
Explanation
Either there is an α edge from x to y, or:
1. s holds α over y
2. s′ can take α from s (s′ terminally spans to s)
3. x′ and s′ are connected through a sequence of islands joined by bridges
4. x′ can grant α to x (x′ initially spans to x)
Safety in the take-grant model
• Theorem: there is an algorithm of complexity O(|V| + |E|) that decides can-share(α, x, y, G0).
• By choosing the right kind of rules we can answer questions like "can my computer access my files?"
The One-Subject Case
Theorem: let G0 be a graph with one subject and no edges, and R a set of rights. G0 ⊢* G iff G is a finite directed acyclic graph containing subjects and objects only, with
  1. edges labeled with non-empty subsets of R, and
  2. at least one subject with no incoming edges.
Proof (⇐): suppose G satisfies 1 and 2. Let x1, …, xn be the vertices of G, with x1 a subject that has no incoming edge. Construct G′ as follows.
Proof (continued)
Let V = x1.
For 2 ≤ i ≤ n: V creates (α ∪ {g} to new vertex) xi, where α is the union of all labels on edges into xi in G, and xi is created as a subject or an object as it is in G.
For every pair xi, xj in G where xi has rights α over xj: V grants (α to xj) to xi. This is allowed because V holds g over xi and a superset of α over xj.
Finally, for each xi: V removes ((α ∪ {g}) − β to) xi, where β is the label of the edge V → xi in G (empty if G has no such edge, in which case the whole edge disappears).
The resulting graph G′ is G.
Proof (continued)
(⇒) Let V be the initial subject and G0 ⊢* G. By inspection of the rules, G is finite, loop-free and directed, consists of subjects and objects only, and all its edges have non-empty labels. Furthermore, no rule deletes a vertex, so V ∈ G, and no rule can add an incoming edge to V: take and grant only copy an edge that already points at the target, and create adds an edge only to the new vertex. Hence V is a subject with no incoming edges.
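The de jure rules, the two lemma derivations and the one-subject construction above, as an added Python example that is not code from the slides. The class PG, the helper names, and the graphs in example_3_1, example_3_2 and KIND/TARGET are all constructed here for illustration; each rule checks its preconditions before rewriting the graph, so an illegal step fails instead of silently adding an edge.

```python
"""Added example (not code from the slides): the four de jure rules as checked
graph rewrites, the derivations of Lemmas 3-1 and 3-2 replayed on constructed
graphs, and the one-subject construction from the proof above.  All vertex
names and rights here are made up for illustration."""

class PG:
    """Protection graph: kind[v] is 's' (subject) or 'o' (object);
    edges[(src, dst)] is the set of rights src holds over dst."""
    def __init__(self, subjects=(), objects=()):
        self.kind = {v: 's' for v in subjects}
        self.kind.update({v: 'o' for v in objects})
        self.edges = {}

    def rights(self, a, b):
        return self.edges.get((a, b), set())

    def add_edge(self, a, b, alpha):          # used only to lay out a starting graph G0
        self.edges.setdefault((a, b), set()).update(alpha)

    def create(self, x, alpha, y, kind='o'):  # i.  x creates (alpha to new vertex) y
        assert self.kind[x] == 's' and y not in self.kind, 'only a subject creates; y must be new'
        self.kind[y] = kind
        self.add_edge(x, y, alpha)

    def remove(self, x, alpha, y):            # ii. x removes (alpha to) y
        assert self.kind[x] == 's' and (x, y) in self.edges
        self.edges[(x, y)] -= set(alpha)
        if not self.edges[(x, y)]:            # label became empty: drop the edge
            del self.edges[(x, y)]

    def take(self, x, alpha, z, y):           # iii. x takes (alpha to z) from y
        assert self.kind[x] == 's' and 't' in self.rights(x, y), 'x needs t over y'
        assert set(alpha) <= self.rights(y, z), 'y must hold alpha over z'
        self.add_edge(x, z, alpha)

    def grant(self, z, alpha, y, x):          # iv. z grants (alpha to y) to x
        assert self.kind[z] == 's' and 'g' in self.rights(z, x), 'z needs g over x'
        assert set(alpha) <= self.rights(z, y), 'z must hold alpha over y'
        self.add_edge(x, y, alpha)


def lemma_3_1(g, x, y, z, alpha, v='v'):
    """z -t-> x and z -alpha-> y  |-*  x -alpha-> y (the protection-state example)."""
    g.create(x, {'t', 'g'}, v)     # x creates (tg to new vertex) v
    g.take(z, {'g'}, v, x)         # z takes (g to v) from x
    g.grant(z, alpha, y, v)        # z grants (alpha to y) to v
    g.take(x, alpha, y, v)         # x takes (alpha to y) from v
    return set(alpha) <= g.rights(x, y)

def lemma_3_2(g, x, y, z, alpha, v='v'):
    """x -g-> z and z -alpha-> y  |-*  x -alpha-> y (the symmetric case)."""
    g.create(x, {'t', 'g'}, v)     # x creates (tg to new vertex) v
    g.grant(x, {'g'}, v, z)        # x grants (g to v) to z
    g.grant(z, alpha, y, v)        # z grants (alpha to y) to v
    g.take(x, alpha, y, v)         # x takes (alpha to y) from v
    return set(alpha) <= g.rights(x, y)

def example_3_1():
    g = PG(subjects='xyz')                       # constructed G0: z -t-> x, z -a-> y
    g.add_edge('z', 'x', {'t'}); g.add_edge('z', 'y', {'a'})
    return lemma_3_1(g, 'x', 'y', 'z', {'a'})

def example_3_2():
    g = PG(subjects='xyz')                       # constructed G0: x -g-> z, z -a-> y
    g.add_edge('x', 'z', {'g'}); g.add_edge('z', 'y', {'a'})
    return lemma_3_2(g, 'x', 'y', 'z', {'a'})

def build_from_one_subject(kind, target, root):
    """(<=) direction of the one-subject theorem: starting from the graph with the
    single subject root and no edges, derive target (a dict (src, dst) -> rights
    satisfying conditions 1 and 2, root being the subject without incoming edges)."""
    g = PG(subjects=[root])
    for v in kind:
        if v != root:   # root creates (alpha ∪ {g} to new vertex) v, alpha = labels into v
            alpha = set().union(*(r for (a, b), r in target.items() if b == v))
            g.create(root, alpha | {'g'}, v, kind[v])
    for (a, b), r in target.items():
        if a != root:   # root grants (r to b) to a: root holds g over a and r over b
            g.grant(root, r, b, a)
    for v in kind:
        if v != root:   # root removes whatever it does not hold over v in target
            extra = g.rights(root, v) - target.get((root, v), set())
            if extra:
                g.remove(root, extra, v)
    return g

# Constructed target graph for the builder: V is the subject with no incoming edges.
KIND = {'V': 's', 's1': 's', 'o1': 'o', 'o2': 'o'}
TARGET = {('V', 's1'): {'r'}, ('V', 'o2'): {'t'},
          ('s1', 'o1'): {'r', 'w'}, ('s1', 'o2'): {'g'}}
```

build_from_one_subject(KIND, TARGET, 'V') replays the proof's three phases (create, grant, remove) and ends with exactly the edges of TARGET; calling take or grant without the required t or g edge raises an AssertionError, which is the point of checking the preconditions.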
Theft in the T-G Model
To share, the owner has to cooperate. The notion of sharing fails to capture an owner's unwillingness to share.
Stealing happens when the owner does not grant some rights over an object to other subjects, but some subjects can get those rights indirectly.
Stealing in the T-G Model
Definition: for x, y ∈ G0 and α ⊆ R, can-steal(α, x, y, G0) is true iff there is no edge from x to y labeled α in G0 and there is a sequence of graphs G1, …, Gn such that
  a. there is an edge from x to y labeled α in Gn;
  b. there is a sequence of rules ρ1, …, ρn with Gi−1 ⊢ρi Gi;
  c. for all vertices v, w ∈ Gi−1, if there is an edge from v to y labeled α in G0, then ρi is not of the form v grants (α to y) to w.
Thus condition c stops the owners from transferring α rights to others (they may still transfer other rights).
An Example of Stealing
G0: u holds α over w, t over v and g over s; v holds t over u.
can-steal(α, s, w, G0) holds:
  u grants (t to v) to s      (the owner of α over w grants t over v, not α, to s)
  s takes (t to u) from v
  s takes (α to w) from u
The owner u of the stolen rights α granted other rights to another subject (t over v to s), and that was enough. This is the reason for MAC: the owner's discretionary decisions about α alone cannot prevent the theft.
Characterizing can-steal
Theorem: can-steal(α, x, y, G0) is true iff
  1. there is no edge from x to y labeled α in G0;
  2. there is a subject vertex x′ with x′ = x or x′ initially spanning to x;
  3. there is a vertex s with an edge s → y labeled α in G0 such that can-share(t, x′, s, G0) holds.
Observation: to steal, there must be a tg-path along which the thief can share: x′ obtains t over s, takes α over y from s, and (if x′ ≠ x) grants it to x.
Proof (⇐)
If x is a subject: x obtains t rights over s (can-share(t, x, s, G0)) and uses the take rule to obtain α over y, satisfying can-steal(α, x, y, G0).
If x is an object: by the can-share theorem there is a subject vertex x′ that initially spans to x with can-share(t, x′, s, G0). Assume the span has length 1 and that x′ has t rights over s in G0. If x′ has no α edge to y, x′ takes (α to y) from s and grants (α to y) to x, satisfying the definition. Otherwise condition c forbids x′ to grant α, so x′ creates a surrogate x″ and provides it with t rights over s:
  a. x′ creates (g to new subject) x″
  b. x′ grants (t to s) to x″
  c. x′ grants (g to x) to x″
Now x″ has t rights over s and g rights over x, so:
  1. x″ takes (α to y) from s
  2. x″ grants (α to y) to x
(x is an object; x′, x″ and s are subjects.)
Proof (⇒)
Assume can-steal(α, x, y, G0). Condition 1 holds by the definition of can-steal. Since can-steal implies can-share(α, x, y, G0), condition 2 of the can-share theorem gives condition 2 of this theorem, and condition 3 of the can-share theorem gives an s satisfying condition 3 of this theorem. It remains to prove can-share(t, x, s, G0).
Consider a minimal-length sequence of rule applications ρ1, …, ρn transforming G0 into Gn with Gi−1 ⊢ρi Gi, and let Gi be the first graph in which some vertex p has an edge labeled α to y that it did not have in Gi−1.
Proof (continued 2)
So ρi is neither a remove nor a create rule. By condition c of can-steal, every vertex holding α over y in Gi−1 already held it in G0 and may not grant it, so ρi is not a grant rule. Hence ρi is a take, p takes (α to y) from s, which requires p → s labeled t and s → y labeled α in Gi−1:
  before: p → s (t), s → y (α)        after: p → s (t), s → y (α), p → y (α)
• Hence can-share(t, p, s, G0) holds.
• By the s′ condition of the can-share theorem, there is a subject s′ with s′ = s or s′ terminally spanning to s.
• By the islands condition of the can-share theorem, there are islands I1, …, In with x′ ∈ I1 and s′ ∈ In.
Proof (continued 3)
If s is an object (hence s ≠ s′), there are two cases:
  s′ and p are in the same island: take p as s′.
  otherwise: the derivation was not of minimal length (why?); choose s′ in the same island as p for a shorter proof.
The conditions of the can-share theorem are met, so can-share(t, x, s, G0) holds.
Proof (continued 4)
If s is a subject (i.e. s = s′): then p ∈ In, and we must show p ∈ G0 for the can-share theorem to apply.
If p ∉ G0: there is a subject q in some island with can-share(t, q, s, G0). Because s is the owner of α rights over y in G0, we must derive a witness to this sharing in which s does not grant (α to y) to q. If s ≠ q, replace "s grants (α to y) to q" with
  p takes (α to y) from s
  p takes (g to q) from s
  p grants (α to y) to q
So there is a witness to can-share(t, q, s, G0) in which s never grants (α to y).
Conspiracy in the TG-Model
Many actors may be required to steal in the TG-model. Any subject y can take rights from any x that y terminally spans to, and can give rights to any x that y initially spans to.
Definition: the access set with focus y is A(y) = {x : y terminally spans to x} ∪ {x : y initially spans to x}.
The entities from whom one can get rights and the entities to whom one can give rights form one's access set with focus.
The Deletion Set
Definition: the deletion set δ(y, y′) is the set of all z ∈ A(y) ∩ A(y′) such that one of the following holds:
  y initially spans to z and y′ terminally spans to z;
  y terminally spans to z and y′ initially spans to z;
  z = y;
  z = y′.
It represents the vertices through which rights can be transferred between y and y′.
An Example Deletion Set
(Example graph; the figure is not reproduced here. The edges used by the witness on the last slide are e → y labeled r, e → d labeled g, c → d labeled t, c → b labeled g, b → a labeled g, and x → a labeled t.)
A(x) = {x, a}, A(e) = {e, d, i, j}, A(b) = {b, a}, A(y) = {y}, A(c) = {c, b, d}, A(f) = {f, y}, A(d) = {d}, A(h) = {h, f, i}.
z is not in A(e) because e neither terminally nor initially spans to z along the path from e to z.
δ(x, b) = {a}, δ(c, d) = {d}, δ(y, f) = {y}, δ(b, c) = {b}, δ(d, e) = {d}, δ(c, e) = {d}.
Creating Conspiracy Graphs
Procedure: the conspiracy graph H of G0 is created to satisfy the following conditions:
  for each subject s ∈ G0 there is a vertex h(s) ∈ H with the same label;
  if δ(y, y′) ≠ ∅ in G0, there is an edge between h(y) and h(y′) in H.
The conspiracy graph represents paths of transfer. Its edges are undirected because rights can be transferred in either direction.
An Example Conspiracy Graph
Same graph, access sets and deletion sets as on the previous slide.
H has the vertices h(x), h(b), h(c), h(d), h(e), h(h), h(y), h(f), and one edge for each non-empty deletion set: h(x)–h(b), h(c)–h(d), h(y)–h(f), h(b)–h(c), h(d)–h(e), h(c)–h(e).
Two Theorems on Conspirators
Theorem 1: can-share(α, x, y, G0) holds iff there is a path in H from some h(p) ∈ I(x) to some h(q) ∈ T(y), where
  I(x) = {h(x)} ∪ {h(x′) : x′ initially spans to x}
  T(y) = {h(y)} ∪ {h(y′) : y′ terminally spans to y}
Theorem 2: let L be the number of vertices on the shortest such path between h(p) and h(q). Then L conspirators are necessary and sufficient to produce a witness to can-share(α, x, y, G0).
Back to the Example
The shortest path between h(x) and h(e) has 4 vertices: h(x), h(b), h(c), h(e). So 4 conspirators (x, b, c, e) are necessary and sufficient to witness can-share(r, x, y, G0).
How does it work?
  e grants (r to y) to d
  c takes (r to y) from d
  c grants (r to y) to b
  b grants (r to y) to a
  x takes (r to y) from a
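The can-share theorem, the can-steal theorem and the conspiracy graph, as one added Python example that is not code from the slides. Initial and terminal spans, islands and bridges are decided by enumerating the words of all simple tg-paths (exhaustive, so not the O(|V| + |E|) algorithm the slides mention, but enough for small graphs); can-share then checks the theorem's conditions directly, can-steal reduces to can-share(t, x′, s, G0), and conspirators builds H from the deletion sets and reports the shortest path. The function names, the THEFT graph (the stealing slide, with v made an object) and the EXAMPLE graph (only the edges the witness above uses; the rest of that figure is omitted) are assumptions made here.

```python
"""Added example, not from the slides: deciding can-share with the theorem above,
can-steal with the theft theorem, and counting conspirators with the conspiracy
graph.  Graphs, vertex names and rights below are constructed for illustration."""
import re
from collections import deque

def graph(subjects, objects, edges):
    """kind[v] in {'s', 'o'}; e[(src, dst)] = set of rights src holds over dst."""
    kind = {v: 's' for v in subjects}
    kind.update({v: 'o' for v in objects})
    e = {}
    for a, b, rights in edges:
        e.setdefault((a, b), set()).update(rights)
    return kind, e

def steps(g, u):
    """One tg-step away from u: (next vertex, symbol) with symbols t>, <t, g>, <g."""
    kind,  e = g
    for w in kind:
        if w != u:
            for r in 'tg':
                if r in e.get((u, w), ()):
                    yield w, r + '>'
                if r in e.get((w, u), ()):
                    yield w, '<' + r

def words(g, x, y):
    """Associated words of all simple tg-paths from x to y."""
    out, stack = [], [(x, (x,), '')]
    while stack:
        u, path, w = stack.pop()
        if u == y and w:
            out.append(w)
        for v, s in steps(g, u):
            if v not in path:
                stack.append((v, path + (v,), w + s))
    return out

INIT = re.compile(r'(t>)*g>')                                   # initially spans: t>* g>
TERM = re.compile(r'(t>)*')                                     # terminally spans: t>*
BRIDGE = re.compile(r'(t>)*|(<t)*|(t>)*g>(<t)*|(t>)*<g(<t)*')  # the four bridge words

def spans(g, x, y, pat):
    """x is a subject and either x == y (empty word) or some tg-path x..y matches pat."""
    return g[0][x] == 's' and (x == y or any(pat.fullmatch(w) for w in words(g, x, y)))

def subjects(g):
    return [v for v, k in g[0].items() if k == 's']

def islands(g):
    """Maximal tg-connected subject-only subgraphs, as a list of vertex sets."""
    seen, out = set(), []
    for s in subjects(g):
        if s not in seen:
            comp, q = {s}, deque([s])
            while q:
                for v, _ in steps(g, q.popleft()):
                    if g[0][v] == 's' and v not in comp:
                        comp.add(v); q.append(v)
            seen |= comp; out.append(comp)
    return out

def shortest_path(adj, a, b):
    """BFS over an adjacency dict; returns the vertex list a..b or None."""
    prev, q = {a: None}, deque([a])
    while q:
        u = q.popleft()
        if u == b:
            path = []
            while u is not None:
                path.append(u); u = prev[u]
            return path[::-1]
        for v in adj[u]:
            if v not in prev:
                prev[v] = u; q.append(v)
    return None

def can_share(g, alpha, x, y):
    """The can-share theorem: a direct edge, or a holder s of alpha over y, a subject x'
    initially spanning to x, a subject s' terminally spanning to s, and the islands of
    x' and s' joined by a chain of bridges."""
    if alpha <= g[1].get((x, y), set()):
        return True
    isl = islands(g)
    where = {v: i for i, isle in enumerate(isl) for v in isle}
    adj = {i: {j for j in range(len(isl)) if i != j and any(
               BRIDGE.fullmatch(w) for a in isl[i] for b in isl[j] for w in words(g, a, b))}
           for i in range(len(isl))}
    xs = [v for v in subjects(g) if spans(g, v, x, INIT)]
    for (s, t), rights in g[1].items():
        if t == y and alpha <= rights:
            ss = [v for v in subjects(g) if spans(g, v, s, TERM)]
            if any(shortest_path(adj, where[a], where[b]) for a in xs for b in ss):
                return True
    return False

def can_steal(g, alpha, x, y):
    """The can-steal theorem: no alpha edge x -> y in G0, and a subject x' (= x or
    initially spanning to x) with can-share(t, x', s, G0) for some holder s of alpha over y."""
    if alpha <= g[1].get((x, y), set()):
        return False
    return any(can_share(g, {'t'}, xp, s)
               for xp in subjects(g) if spans(g, xp, x, INIT)
               for (s, t), rights in g[1].items() if t == y and alpha <= rights)

def access_set(g, y):
    return {z for z in g[0] if spans(g, y, z, INIT) or spans(g, y, z, TERM)}

def deletion_set(g, y, yp):
    return {z for z in access_set(g, y) & access_set(g, yp)
            if z in (y, yp) or (spans(g, y, z, INIT) and spans(g, yp, z, TERM))
            or (spans(g, y, z, TERM) and spans(g, yp, z, INIT))}

def conspirators(g, x, y):
    """Shortest path in the conspiracy graph H from h(x) to h(y); its vertex count is
    the number of conspirators needed (Theorem 2)."""
    H = {a: {b for b in subjects(g) if a != b and deletion_set(g, a, b)} for a in subjects(g)}
    return shortest_path(H, x, y)

# Constructed instances.  THEFT is the stealing slide: u owns 'a' over w, holds t over v
# and g over s, and v holds t over u (v is made an object here).
THEFT = graph('us', 'vw', [('u', 'w', 'a'), ('u', 'v', 't'), ('v', 'u', 't'), ('u', 's', 'g')])
# EXAMPLE keeps only the edges the conspiracy-slide witness uses; a is an object.
EXAMPLE = graph('xbcdey', 'a', [('e', 'y', 'r'), ('e', 'd', 'g'), ('c', 'd', 't'),
                                ('c', 'b', 'g'), ('b', 'a', 'g'), ('x', 'a', 't')])
```

On THEFT, can_share and can_steal both hold for (a, s, w), and conspirators(THEFT, 's', 'u') is the two-vertex path [s, u]: the owner and the thief. On EXAMPLE, can_share(r, x, y) holds while can_steal(r, x, y) does not, because the only way to move r off e is for e, the owner, to grant it; conspirators(EXAMPLE, 'x', 'e') returns [x, b, c, e], the four conspirators of the slide (d and a are only passed through, so they do not count).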