Access Control - 2 - Foundational Results


Presentation Transcript


  1. Access Control - 2 - Foundational Results

  2. Preliminaries: Undecidability; The Halting Problem; The Turing Machine

  3. Timing a Program. Can you write a program that tells you how long another program will run before completing? This is the Halting Problem: if you can tell me how long it runs, it must stop in finite time. No program can give a decisive answer for all legitimate inputs; a program may give correct answers for some cases but run forever for others. This is undecidability.

  4. The Turing Machine. An infinite-to-the-right tape divided into cells; a cell can store any symbol from the finite alphabet M = {A, B, C, D, F, Blank}. A read/write head that can be in any state from the finite state set K = {happy, unhappy}. The head reads the current cell, then writes and moves; what it writes, and whether it moves left or right, are decided by a finite set of rules of the form (state, symbol read) ⇒ (new state, symbol written, direction), for example:
     (happy, Blank) ⇒ (unhappy, A, Right)
     (unhappy, A) ⇒ (happy, B, Left)
     (happy, F) ⇒ (happy, A, Left)
     Originally the tape is all blank.

  5. The Halting Problem. With any initial tape and state of the head, will a given Turing machine reach a specific state? This is undecidable. (Figure: a program reads an input, writes its output, prints "OK" and halts.)

  6. A Proof by Contradiction. Suppose you have a machine that you are sure will always tell you whether an input program will halt. Feed it the following program, which consults that machine about itself: "If this program halts, go into an endless loop; otherwise print 'OK'." If the machine says the program halts, the program loops forever; if it says the program never stops, the program prints "OK" and halts. Either answer is wrong, so no such machine exists.

  7. Access and Control of Memory

  8. The Access Control Matrix (ACM). A model of protection systems. It describes who (subject) can do what (rights) to what or whom (object or subject). Example: an instructor can assign and grade homework and exams; a TA can grade homework; a student can evaluate the instructor and the TA.

  9. An Access Control Matrix. Allowed operations (rights): r, x, w, o.

              file1   file2   file3
     Ann      rx      r       rwx
     Bob      rwxo    r       --
     Charlie  rx      rwo     w

  10. Rights/Commands. Primitive commands: create/destroy a subject s or an object o; enter/delete a right r into/from A[s,o].

  11. State Transition Commands. Example command: if an instructor can grade an exam and a TA can grade homework, then revoke the TA's right to grade the homework and let him grade the exam. A command with exactly one condition is mono-conditional; a command with exactly one primitive operation is mono-operational. A condition is a conjunction of positive tests for rights: it can neither be negative nor contain "or", so "if instructor can grade exam or TA can grade exam then TA cannot grade h.w." is not a valid command.

  12. Commands for ACM. Primitive commands: create/delete subjects and objects; enter/delete permissions in acm(s,o). A command may use more than one primitive command; a command that uses exactly one is a mono-operational command. Limitation: a command cannot test for a negative fact (the absence of a right). Further: the model has no built-in Owner or Copy commands.

  13. ACM and Protection States. Subjects: processes p, q, etc. Objects: files f, g, etc. (and the subjects themselves). Access rights: operations r, w, x, a, o, etc.

          f      g      p      q
     p    rwo    r      rwxo   w
     q    a      ro     r      rwxo

  14. Protection States. State: variables taking values in a domain. Protection domain: the space defined by an ACM. Mathematically: variables for subjects X_s ∈ S (the set of all subject names); variables for objects X_o ∈ O (the set of all object names); constants for permission names P. The matrix is an assignment ACM: S × O → 𝒫(P), where 𝒫(P) is the power set of P (the set of all subsets of P): it maps every (subject, object) pair to a subset of the permissions. Example state:

          f     g     p     q
     p    ow    r     rxo   w
     q    r     o     r     wx

  15. Safe States
     • Any subset of the rights that is consistent with the ACM
     • Mathematically: if myState: S × O → 𝒫(P), then myState is safe iff ∀x, y: myState(x, y) ⊆ ACM(x, y)

  16. What Does It Mean to Be Secure? Giving a right r to someone who initially does not possess r is called leaking r. If the system begins in some initial safe state and can never leak r, then the system is secure (safe) with respect to r. Subtleties: leaking is not necessarily bad; a legitimate transfer of rights is proper if the owner says so, or by delegation. But we must be sure that, with all authorized leaking ignored, the system is still secure with respect to r. An abstract system (the specification) may be secure while its implementation is not.

  17. Safety Question. Is there an algorithm for determining whether any protection system with a given initial state is secure with respect to a generic right r? In ACM terms: given any ACM and its commands, is there a program that halts with the answer to "Is there a sequence of commands that will enter r into some A[s,o] that does not initially have r?" There are trivial cases where this is obviously decidable, but what about the general case?

  18. The (Special) Positive Result. Theorem: there is an algorithm that determines whether a given mono-operational protection system with initial state S0 is safe with respect to a generic right r. Proof: suppose the command sequence [c0, c1, …, cn] leaks r. Since the system is mono-operational, [c0, c1, …, cn] is also a sequence of primitive operations. We can assume that no ci is a delete or destroy: delete and destroy never add rights, and since conditions only test for the presence of rights, dropping them cannot falsify a later condition.

  19. The Positive Result, Proof (cont.). Only create adds new subjects and objects; the other commands only test conditions and enter rights, which can be checked directly. Because conditions cannot distinguish one new entity from another, every created subject or object can be replaced by a single new subject s_new (which is also a new object), so at most one create is needed. Each remaining enter that matters puts a right into a cell that lacks it, so at most n(|S0|+1)(|O0|+1) enters need to be considered, where n is the number of generic rights and the +1 accounts for s_new. Checking the pre- and post-conditions of all sequences of that bounded length is a finite search, so safety is decidable.
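The decision procedure sketched in 18 and 19, as an added example (Python; this is not code from the slides). A mono-operational protection system is an initial ACM plus commands that each test for the presence of rights and perform one primitive operation. Following the proof, the checker discards delete and destroy, computes the closure of the enter commands (only enters remain, so the reachable rights form a monotone fixpoint), lets one fresh subject s_new stand in for anything the create commands could make (but only if some create command is enabled in the reachable state), and reports every cell that acquires r without having held it initially. The command dictionaries, the parameter kinds 's', 'o' and 'new', and the names alice, bob, f and s_new are assumptions made for this example.

```python
from itertools import product

# Protection state: A maps (subject, object) -> set of rights; subjects are objects too.
# A command is mono-operational: conditions (right, subj_param, obj_param), then ONE
# primitive op: ("enter", right, subj_param, obj_param) or ("create_subject", param).
# Delete/destroy ops never add rights, so the checker ignores them.
# The dict layout, parameter kinds 's'/'o'/'new' and the names below are assumptions.


def make_state(subjects, objects, rights):
    return {"S": set(subjects), "O": set(subjects) | set(objects),
            "A": {cell: set(rs) for cell, rs in rights.items()}}


def _bindings(params, S, O):
    """Every assignment of a command's parameters: 's' ranges over subjects,
    'o' over all objects; a 'new' parameter names what a create would make and is not bound."""
    names = [n for n, kind in params.items() if kind in ("s", "o")]
    for values in product(*[S if params[n] == "s" else O for n in names]):
        yield dict(zip(names, values))


def _enabled(cmd, env, A):
    return all(rt in A.get((env[ps], env[po]), set()) for rt, ps, po in cmd["cond"])


def _closure(A, S, O, commands):
    """Fixpoint of the enter commands. Enters never falsify a condition, so iterating
    until nothing changes reaches every right that any enter sequence can reach."""
    changed = True
    while changed:
        changed = False
        for cmd in commands:
            if cmd["op"][0] != "enter":
                continue
            _, rt, ps, po = cmd["op"]
            for env in _bindings(cmd["params"], S, O):
                cell = (env[ps], env[po])
                if _enabled(cmd, env, A) and rt not in A.get(cell, set()):
                    A.setdefault(cell, set()).add(rt)
                    changed = True
    return A


def leaks(state, commands, right):
    """Cells that can acquire `right` although they did not hold it initially.
    An empty list means the system is safe with respect to `right`."""
    S, O = set(state["S"]), set(state["O"])
    A = _closure({c: set(rs) for c, rs in state["A"].items()}, S, O, commands)
    # HRU: one fresh subject s_new (also an object) stands in for everything the
    # creates could make, provided some create command is enabled at all.
    creates = [c for c in commands if c["op"][0].startswith("create")]
    if any(_enabled(c, env, A) for c in creates for env in _bindings(c["params"], S, O)):
        S.add("s_new")
        O.add("s_new")
        A = _closure(A, S, O, commands)
    return sorted(cell for cell, rs in A.items()
                  if right in rs and right not in state["A"].get(cell, set()))


# Constructed commands and states for the example.
GRANT = {"params": {"x": "s", "y": "s", "o": "o"},         # an owner gives r to anyone
         "cond": [("own", "x", "o")], "op": ("enter", "r", "y", "o")}
GRANT_SELF = {"params": {"x": "s", "o": "o"},               # an owner gives r only to itself
              "cond": [("own", "x", "o")], "op": ("enter", "r", "x", "o")}
SPAWN = {"params": {"y": "new"}, "cond": [], "op": ("create_subject", "y")}
GUARDED_SPAWN = {"params": {"x": "s", "y": "new"},         # create only if x has w on itself
                 "cond": [("w", "x", "x")], "op": ("create_subject", "y")}

TWO_USERS = make_state({"alice", "bob"}, {"f"}, {("alice", "f"): {"own", "r"}})
ALONE = make_state({"alice"}, {"f"}, {("alice", "f"): {"own", "r"}})

if __name__ == "__main__":
    print(leaks(TWO_USERS, [GRANT], "r"))             # [('bob', 'f')]   unsafe
    print(leaks(TWO_USERS, [GRANT_SELF], "r"))        # []               safe
    print(leaks(ALONE, [GRANT], "r"))                 # []               safe: nobody to give r to
    print(leaks(ALONE, [GRANT, SPAWN], "r"))          # [('s_new', 'f')] unsafe via a created subject
    print(leaks(ALONE, [GRANT, GUARDED_SPAWN], "r"))  # []               the create never fires
```

The fourth call is the point of the "+1" in the bound: with alice alone, GRANT has nobody to leak r to, but as soon as a create command can fire, the single stand-in subject s_new receives r. The last call shows why the stand-in is only introduced when a create is actually enabled in the reachable state; adding it unconditionally would report a leak that no command sequence can produce.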

  20. General Safety Problem is Undecidable. Answer: the safety problem is undecidable. In ACM terms: given any ACM and its commands, whether some sequence of commands will enter r into some A[s,o] that does not initially have r is undecidable. The correspondence with the halting problem:
     Program  ↔  Turing machine
     Input file  ↔  initial tape and head state
     Output (print "OK" and halt)  ↔  enter a specific state

  21. Reducing the Halting Problem to the Safety Problem. If an algorithm could solve the safety problem, it could also solve the halting problem; but the halting problem is known to be undecidable, so no such algorithm can exist. How does the reduction work? Simulate a Turing machine in a protection system: tape cell i is subject Si, and subject Si owns Si+1. If cell i contains symbol A, then subject Si has right A over itself; if the head is on cell i in state k, Si also has right k over itself. The subject Sk corresponding to the rightmost cell has the right "end" over itself.

  22. The Reduction, from Tape to ACM. [Figure: three snapshots of the tape and of the corresponding ACM. Initially cells 1 to 4 hold A, B, C, D with the head on cell 3 in state k; subjects s1 to s4 hold those symbols as rights over themselves, each si has own over si+1, s3 also holds k, and s4 holds end. After (k, C) → (k1, X, R), s3 holds X and s4 holds D, k1 and end. After (k1, D) → (k2, Y, R), applied at the rightmost cell, s4 holds Y and owns a new subject s5, which holds b (blank), k2 and end.]

  23. Commands for left motion. The transition (k, C) → (k1, X, L) corresponds to the command (shown on the slide for s4, s3):

     command c_{k,C}(s_i, s_{i-1})
       if own in A[s_{i-1}, s_i] and k in A[s_i, s_i] and C in A[s_i, s_i]
       then
         delete k from A[s_i, s_i];
         delete C from A[s_i, s_i];
         enter X into A[s_i, s_i];
         enter k1 into A[s_{i-1}, s_{i-1}];
     end

     Note: k is the state of the head; C and X are the contents of the cell before and after the move.

  24. Commands for right motion. The transition (k, C) → (k1, X, R) corresponds to the command:

     command c_{k,C}(s3, s4)
       if own in A[s3, s4] and k in A[s3, s3] and C in A[s3, s3]
       then
         delete k from A[s3, s3];
         delete C from A[s3, s3];
         enter X into A[s3, s3];
         enter k1 into A[s4, s4];
     end

  25. Command for the rightmost cell. The transition (k1, D) → (k2, Y, R) corresponds to the command:

     command crightmost_{k1,D}(s4, s5)
       if end in A[s4, s4] and k1 in A[s4, s4] and D in A[s4, s4]
       then
         delete end from A[s4, s4];
         create subject s5;
         enter own into A[s4, s5];
         enter end into A[s5, s5];
         delete k1 from A[s4, s4];
         delete D from A[s4, s4];
         enter Y into A[s4, s4];
         enter k2 into A[s5, s5];
     end

  26. Rest of the Proof. This protection system exactly simulates the Turing machine: the right "end" in the ACM marks the rightmost cell, and exactly one cell holds a state right (the current state), so at most one command is applicable at any time. If the TM enters the special final state qf, the right qf has leaked, since no cell held it initially. If the safety question were decidable, we could represent any TM as above and determine whether qf leaks, i.e. whether the TM halts; this would make the halting problem decidable. Conclusion: safety is undecidable.
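The reduction of 21 to 26 as runnable code, added here (Python; not material from the slides). The transition table of a Turing machine is turned into the left, right and rightmost commands of 23 to 25, the tape into the ACM of 21, and the machine is stepped by firing the one enabled command until the final-state right leaks or nothing is enabled. One assumption worth flagging: when the rightmost command creates a new cell, the code also enters the blank symbol b into it (the figure in 22 shows the new cell holding b, but the command text in 25 leaves that enter out); without it a transition on a blank could never be tested. The two machines, the state names k0, k1, k2 and QF, and the subject names s1, s2, ... are constructed for the example.

```python
BLANK = "b"


def _states(delta):
    return {k for k, _ in delta} | {k for k, _, _ in delta.values()}


def tm_to_acm(tape, start):
    """Initial protection state: subject s_i holds cell i's symbol as a right over
    itself and owns s_{i+1}; the start state sits in cell 1; the last cell holds end."""
    A = {}
    n = len(tape)
    for i, sym in enumerate(tape, 1):
        A[(f"s{i}", f"s{i}")] = {sym}
        if i < n:
            A[(f"s{i}", f"s{i+1}")] = {"own"}
    A[("s1", "s1")].add(start)
    A[(f"s{n}", f"s{n}")].add("end")
    return A


def step(A, delta):
    """Fire the single enabled command (left, right or rightmost) for the
    transition delta[(k, C)] = (k1, X, move). Returns False when no command is
    enabled, i.e. the machine has halted."""
    states = _states(delta)
    for (s, o), rights in list(A.items()):
        if s != o or not rights & states:
            continue                          # only the cell under the head holds a state right
        k = (rights & states).pop()
        C = (rights - states - {"end"}).pop()
        if (k, C) not in delta:
            return False
        k1, X, move = delta[(k, C)]
        i = int(s[1:])
        here, left, right = s, f"s{i-1}", f"s{i+1}"
        if move == "L":
            if "own" not in A.get((left, here), set()):
                return False                  # head on cell 1: the left command's own-test fails
            target = left
        elif "own" in A.get((here, right), set()):
            target = right                    # ordinary right move
        else:                                 # rightmost cell: create the next cell
            A[(here, here)].discard("end")
            A[(right, right)] = {"end", BLANK}  # assumption: the new cell reads as blank
            A[(here, right)] = {"own"}
            target = right
        A[(here, here)] -= {k, C}             # delete k and C, enter X, move the state
        A[(here, here)].add(X)
        A[(target, target)].add(k1)
        return True
    return False


def leaked(A, right):
    """Subjects whose own cell holds `right`; for the final state this is the leak."""
    return sorted(s for (s, o), rs in A.items() if s == o and right in rs)


def symbols(A, delta):
    """Tape contents, cell 1 first."""
    states = _states(delta)
    cells = sorted(((int(s[1:]), rs) for (s, o), rs in A.items() if s == o),
                   key=lambda t: t[0])
    return [(rs - states - {"end"}).pop() for _, rs in cells]


def run(tape, start, delta, final, max_steps=1000):
    """Simulate until `final` leaks, the machine halts, or max_steps commands fired."""
    A = tm_to_acm(tape, start)
    steps = 0
    while steps < max_steps and not leaked(A, final) and step(A, delta):
        steps += 1
    return A, steps


# Constructed machine: scan right over A, rewrite the B as Y, step back over the
# fresh blank, then move right again into the final state QF.
DELTA = {("k0", "A"): ("k0", "A", "R"), ("k0", "B"): ("k1", "Y", "R"),
         ("k1", BLANK): ("k2", BLANK, "L"), ("k2", "Y"): ("QF", "Y", "R")}
# Constructed machine that never halts: it keeps creating new cells to the right.
LOOP = {("k0", "A"): ("k0", "A", "R"), ("k0", BLANK): ("k0", "A", "R")}

if __name__ == "__main__":
    A, n = run(["A", "B"], "k0", DELTA, "QF")
    print(n, symbols(A, DELTA), leaked(A, "QF"))   # 4 ['A', 'Y', 'b'] ['s3']
    A, n = run(["A"], "k0", LOOP, "QF", max_steps=50)
    print(n, leaked(A, "QF"))                       # 50 []
```

The first machine fires four commands (right, rightmost, left, right) and QF appears in s3's cell, which held no state initially: a leak. The second machine keeps creating cells and QF never leaks within the step bound, but the bound is the simulator's, not the machine's; no choice of bound turns this simulation into a decision procedure, which is the content of the theorem.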

  27. Special Cases Can Be Decidable
     • If all the commands are mono-operational, the safety problem is decidable; the reduction above does not go through because each move of the Turing machine corresponds to multiple primitive operations in one command.
     • If no command includes create, the safety problem is decidable (PSPACE-complete).
     • If no command includes destroy or delete and all commands are mono-conditional, the safety problem is decidable.

  28. Main Point. In its most general form the safety problem is undecidable, but by limiting the scope of the protection system the safety problem becomes decidable. Otherwise we could never build a provably safe system!

  29. ACMs, ACLs and Capabilities. Real systems have to be fast and must not use excessive space.

  30. What's Wrong with an ACM? If we have 1k users and 100k files, and each user should only read and write his or her own files, the ACM has 101k columns (the files plus the users, since subjects are also objects) and 1k rows. Most of the 101M entries are either empty or identical. Good for theoretical study but bad for implementation. Remove the empty elements?

  31. Two Ways to Cut a Table (ACM). Order by columns (ACLs) or by rows (capability lists)?

          file1   file2   file3
     A    rx      r       rwx
     B    rwxo    r       --
     C    rx      rwo     w

     Columns give ACLs; rows give capability lists.

  32. Access Control Lists. An ACL stores the non-empty elements of each column of the access control matrix with its object.

              file1   file2   file3
     Andy     rx      r       rwo
     Betty    rwxo    r
     Charlie  rx      rwo     w

     ACLs:
     file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) }
     file2: { (Andy, r) (Betty, r) (Charlie, rwo) }
     file3: { (Andy, rwo) (Charlie, w) }

  33. Capability Lists. A capability list (C-list) stores the non-empty elements of each row of the access control matrix with its subject.

              file1   file2   file3
     Andy     rx      r       rwo
     Betty    rwxo    r
     Charlie  rx      rwo     w

     C-lists:
     Andy: { (file1, rx) (file2, r) (file3, rwo) }
     Betty: { (file1, rwxo) (file2, r) }
     Charlie: { (file1, rx) (file2, rwo) (file3, w) }
