Computer Security Foundations

1
Computer SecurityFoundations
2
Security

• How can one determine when a computer system is
• secure?
• What does secure mean?

3
Reminder

• In our model a computer system is represented by
  a family of
• states the set of all protection states P must
  be a subset of the
• set of authorized states Q if the system is to
  be secure.
• In the previous section we used a primitive, the
  ACM, to manage
• a protection system.
• Protection was in terms or rights and the ACM was
  the used to
• relate subjects to objects (also basic
  primitives).
• We also discussed protection state transitions
  and commands,
• which correspond to (cause) a sequence of state
  transitions.

4
Security - definitions

• Let R be the set of (primitive) rights of the
  system, r e R
• and A be the ACM.
• If r e R is added to an element of A not already
  containing r, then r is said to be leaked.
• Let s0 be the initial protection state. If a
  system can never leak r e R then the system is
  safe wrt r.

5
Security safe vs secure

• We use the term safe to refer to the (abstract)
  model.
• Secure will be used when referring to
  implementations.
• So a secure implementations must be modeled on a
  safe
• system.
• Example safe vs secure --see textbook

6
Foundation theorems

• The model used is based on protection sates, the
  ACM
• and a set of commands essentially the HRU model
• (discussed in the previous section).

7
Theorem 1

• There exists an algorithm that will determine
  whether a
• given mono-operational protection system with
  initial
• protection state s0 is safe wrt a generic right.
• Proof see textbook.
• This whole section is a project topic for anybody
  who is
• interested in the foundations aspect of Computer
  Sercurity.

8
Theorem 2

• It is undecidable whether a given state of a
  given
• protection system is safe wrt a generic right.
• Proof --reduction to the halting problem.
• The proof is by contradiction. It is shown that
  an
• arbitrary Touring Machine can be reduced to the
  safety
• problem with the final state corresponding to the
  leaking
• of a right.
• For details see textbook.

9
Theorem 3

• The set of unsafe systems is recursively
  enumerable.
• (accepted by a TM).
• So we can generate a list of all unsafe
  protection
• systems.

10
The Take-Grant protection model

• Can the safety of a protection system with
  specific rules
• be established?
• Answer the Take-Grant protection model.
• This model is represented by a directed graph.
  Vertices
• are subjects ? or objects ?, or both ?.
  Edges are
• labeled by a set of rights, that the source has
  over the
• destination. R contains two distinguished rights
  t (take)
• g (grant).

11
Transitions rewriting rules

• Take rule
• Grant rule
• Create rule
• Remove rule
• Details slides

12
Theorem 1

• Let G0 be a protection graph containing just one
  subject vertex
• and no edge and let R be a set of rights. Then
• G0 G iff G is a finite directed acyclic graph
  with subjects
• and objects only, with edges labeled for
  non-empty subsets
• of R and at least one subject (a trusted entity)
  having no
• incoming edge.
• Proof in textbook.
• Discussion in class.

13
Closing the Gap

• We can answer the safety question in specific
• systems, but not for generic systems (eg. the HRU
  
• system).
• What characteristics distinguishes a model for
  which
• the safety problem is decidable from one in which
  it is
• undecidable?

14
Closing the Gap

1. The Schematic Protection Model (SPM)
2. The Extended Schematic Protection Model (ESPM)
3. Typed Access Matrix Models (TAMS)

15
The Schematic Protection Model (SPM)

• This model is based on the notion of a protection
  type.
• This is a label that determines how control
  rights affect
• an entity.
• Rights are partitioned into sets of
• Inert rights (RI) and
• Control rights (RC)
• Inert rights do not alter the protection state of
  a system.
• For example reading a file does not modify which
• entities have access to the document so is an
  RI.
• However in the Take-Grant model the take rule
  does, so is in RC.

16
The Extended Schematic Protection Model (ESPM)

• Implicit in the SPM is the assumption of a single
  parent.
• ESPM allows for more parents. This problem arises
  in
• distributed systems.
• Example
• Anne and Bill must cooperate to perform a certain
  task,
• but do not trust each other.
• Such tasks may be achieved by using proxies each
• create a proxy, and grants the others proxy only
  those
• rights that are needed to perform the task.

17
Typed Access Matrix models (TAMS)

• The safety properties of SPM and ESPM are
  implicitly
• based on types. The TAM model is adds the notion
  of
• type explicitly.
• The type of an entity is fixed when the entity
  is created.
• A protection state of a system is defined as
• (S, O,t, A)
• where, S set of subjects , O set of objects,
  A the
• Acess Control Matrix, T the set of types and t
  O ?T
• For details see textbook.