220 likes | 356 Views
Decidability or Impossibility? 02b = a bit of boring theory. Nicolas T. Courtois - U niversity C ollege of L ondon. Roadmap. Pure mathematicians / logic take on computer security: Rice Theorem, HRU vs. Take-Grant. Matrix Paradigm – Basis of DAC. Example: S={ System,Admin,Bob }.
E N D
Decidability or Impossibility?02b = a bit of boring theory Nicolas T. Courtois - University College of London
Roadmap Pure mathematicians / logic take on computer security: • Rice Theorem, • HRU vs. Take-Grant Nicolas T. Courtois, January 2009
Matrix Paradigm – Basis of DAC Example: S={System,Admin,Bob}. O={exe,doc}. A={read,write,exec,delete}. M= exedoc System {e,r,w,d} {r,w,d} Admin {e,w,d} {w,r,d} Bob {e} {r,w} rights Objects S u b j e c t s Nicolas T. Courtois, January 2009
HRU Model Nicolas T. Courtois, January 2009
HRU Model [Harrison-Ruzzo-Ullmann 1976] A particular formalisation of the matrix model + a particular set of commands that allows to build a basic file system… Nicolas T. Courtois, January 2009
The Commands in the HRU model Imagine a file system with the following operations (requests): • create process/file. • confer a right to a given cell of the matrix, (Bishop: enter). • revoke a right from a given cell, (Bishop: destroy) These 3 commands can be combined to create instructions such as create_file, spawn_process, grant_right, chown, etc. Nicolas T. Courtois, January 2009
The Safety Problem Imagine a file system implementing this model. given a given configuration, does there exist a sequence of requests that will add the right a A to a given matrix cell (Mso) A ? Example: • given are the access rules for all UCL employees, • can I ever read the UCL payroll file? Nicolas T. Courtois, January 2009
Theoretical Results [cf. Bishop] Theorem 1: There is no algorithm to solve the safety problem in this model. Nicolas T. Courtois, January 2009
Rice Theorem Nicolas T. Courtois, January 2009
Halting problem Q: Does program25.c halt? More generally, we can ask different questions. “expert system”algorithmfor Q program25.c Y/N Nicolas T. Courtois, January 2009
Other Interesting Questions Example Questions: Q1: Does program25.c always return 0? Q2: Does program25.c compute the sum of two 32-bit integers correctly? Q3: Do 2 programs do the same thing? Etc.. Answer [Rice 1953]: there is no algorithm that can solve this problem. decision algorithm program25.c Y/N Nicolas T. Courtois, January 2009
The Anti-Virus Software Theorem [Rice]: there is no algorithm that decides whether a given program a virus. Such programs are mathematically strictly impossible. But this does not prevent the software security industry from being worth 9,1 G$ in 2007 [Gartner]. Beware, important: It does not prevent the program from detecting all malware, 100 % security is possible, • but then it is also certain that, => such a program will be ”secure” (the exact notion of secure, opposite of broad was defined in a much less general context) • it will produce false alarms: programs that are not viruses will be reported as such. This is inevitable. Nicolas T. Courtois, January 2009
The Anti-Virus Software Theorem [Rice]: there is no algorithm that decides whether a given program a virus. Such programs are mathematically strictly impossible. But this does not prevent the software security industry from being worth 9,1 G$ in 2007 [Gartner]. Beware, important: It does not prevent the program from detecting all malware, 100 % security is possible, • but then it is also certain that, => such a program will be ”secure” (the exact notion of secure, opposite of broad was defined in a much less general context) • it will produce false alarms: programs that are not viruses will be reported as such. This is inevitable. Nicolas T. Courtois, January 2009
Back to Access Control We need a simpler model. Nicolas T. Courtois, January 2009
Take-Grant Model Nicolas T. Courtois, January 2009
Take-Grant Model [Jones, Lipton, Snyder 1976] Was invented to address the safety problem: here it becomes decidable. Based on graphs. x can read y Nicolas T. Courtois, January 2009
Take-Grant Model • A set S of Subjects (e.g. processes) which can execute privileges in the system. • A set O of Objects (e.g. files) on which the privileges can be executed. • A directed graph G = (SO,E) of authorizations where E (SO)x(SO). • Vertices in E can be both Subjects and Objects. • Edges are authorizations: they are labelled by rR (or subset of R) which specifies the rights the source vertex has over the destination vertex. • Where R is a pre-defined set of rights, containing at least two distinguished administrative-type rights: t (take) and g (grant). • Example: R= {r,w,t,g}. Nicolas T. Courtois, January 2009
Graph Rewriting Here the evolution of the permissions with time is represented as rewriting a graph (to create another graph) according to a fixed set of 4 administrative rules called “de jure” (by law) rules: • take • grant • create • remove And a safety problem will be formalised as follows: can a certain permission be granted after an (unlimited in time) amount of rewriting according to the rules? Nicolas T. Courtois, January 2009
Transfer of Privileges between two subjectss,x. take allows subject s to take ANY privilege r of the subject x. grant allows s to grant ANY privilege r it possesses, to subject x Nicolas T. Courtois, January 2009
Creation of Files/Processes and Creation/Destruction of Rights Here we have a subject s and x that can be either a Subject or an Object. create allows subject s to create a new Subject/Object x with ANY chosen subset of rights A R remove allows s to remove ANY existing privilege r from the set, from the Subject/Object x, +delete edges that become empty In both cases: voluntary limitation of rights, cf. least privilege principle Nicolas T. Courtois, January 2009
Take-Grant Model Based on graphs. Theorem: The problem of Safety can be decided in polynomial time in the number vertices in the initial graph. Undecidable in general (no algorithm) for the matrix model. Nicolas T. Courtois, January 2009
Take-Grant Model Insufficient for many real-life applications. several things are missing here: • Lack of selectivity. • take and grant apply to any right, including t and g. • Lack of control on propagation: • once I grant a right to a, it can be granted to the next process b, if a he has the right g on the process b. • also it can be taken by all subjects c that have the right t on a. Nicolas T. Courtois, January 2009