Toward A Mathematical Model of Computer Security

Gina Duncanson, Kevin Jonas, Ben Lange, John Loff-Peterson, Ben Neigebauer

Introduction
• Computer security issues are a part of our daily life
• Model a secure computer system

Scope
• Define a secure system
• Use a practical example
• State the Unwinding Theorem

Modeling a Computer System
A system M can consist of:
• a set S of STATES, where $s_0$ is an initial state
• a set D of domains
• a set A of actions
• a set O of outputs

Practical Example
• Today I will be talking about how one can apply the model of security that is explained in the paper we researched.

Defining M
World Wide Web sites consist of three basic components:
– Web Server
– TCP/IP Connection
– Web Browser Client

Defining S
• A web server always has a finite set of states. Generally a server travels through a cycle of states.
• $s_0$ is the wait mode of the web server.

Defining D
• A domain is a defined section of a system. All the actions of a system occur within specified domains.
• This means that we can talk about actions as they relate to a client's or a web server's computer.

Defining A
• An action is similar to a verb. Two example actions include:
– a client entering a URL
– a server processing one code statement

Defining O
• Outputs are the immediate result of an action. When looking at a web site, an output is:
– a web server sending back a confirmation message that it exists
– the result of one code statement

Putting it all together
• In order for all of these events to fit together, there are several dependencies between S, D, A and O.
Modeling a Computer System
A system M can consist of:
• a function $step : S \times A \to S$, where $step(s_n, a)$ denotes the next state of the system after applying action a
• a function $output : S \times A \to O$, where $output(s, a)$ denotes the result returned by the action a. Example: a "write" command to a file
• a function $run : S \times A^* \to S$, which applies a sequence of actions in turn. Example: $run(s, \Lambda) = s$, where $\Lambda$ is the empty sequence of actions

Terminology
STATES: use the letters s, t
ACTIONS: use the letters a, b
SEQUENCES OF ACTIONS: use the Greek letters $\alpha$, $\beta$
DOMAINS: use the letters u, v, w

Communication
Two domains u, v communicate if there is an information flow channel between them.

Definition
• Security Policy: a set of rules defining which domains can communicate. Specified by a reflexive relation $\rightsquigarrow$ ("interferes with") on the set of domains D.

Definition
• Security: a system is secure if the given security policy of the system completely defines all possible communication channels.

Security
• 2 ASSUMPTIONS:
– a set of security domains {u, v, ...}
– a policy that restricts the allowable flow of information among those domains

Noninterference
• The idea of noninterference is really rather simple: a security domain u is noninterfering with domain v if no action performed by u can influence subsequent outputs seen by v.

Intransitive Noninterference
• Let u not see v, but u see x and x see v, where u, v and x are domains. This is an example of intransitive noninterference.
• In short, intransitive noninterference means there is no direct communication between u and v.
Definition: purge
$purge(\Lambda, v) = \Lambda$
$purge(a \circ \alpha, v) = a \circ purge(\alpha, v)$ if $dom(a) \rightsquigarrow v$ (dom(a) interferes with v)
$purge(a \circ \alpha, v) = purge(\alpha, v)$ otherwise

Security
• Security is identified by:
$output(run(s_0, \alpha), a) = output(run(s_0, purge(\alpha, dom(a))), a)$

Restating the Expressions
The expression $output(run(s_0, \alpha), a)$ is abbreviated with two functions:
$do : A^* \to S$, $do(\alpha) = run(s_0, \alpha)$
$test : A^* \times A \to O$, $test(\alpha, a) = output(do(\alpha), a)$

Security
• Security is now identified by:
$test(\alpha, a) = test(purge(\alpha, dom(a)), a)$

View-Partitioned
• View-Partitioned
• Equivalence Relation
• Output Consistent

Test and Do
Test and do are abbreviations of frequently used expressions:
$do(\alpha) = run(s_0, \alpha)$
$test(\alpha, a) = output(do(\alpha), a)$
Then we say that a system is secure for policy $\rightsquigarrow$ if
$test(\alpha, a) = test(purge(\alpha, dom(a)), a)$

Output Consistency
A system M is view-partitioned if, for each domain $u \in D$, there is an equivalence relation $\sim_u$ on S.
These equivalence relations are said to be output consistent if
$s \sim_{dom(a)} t \Rightarrow output(s, a) = output(t, a)$
The output after executing action a is the same for the states s and t, so s and t are equivalent views.

Views
For an output consistent system, security is achieved if "views" are unaffected.
Lemma: Let $\rightsquigarrow$ be a policy and M a view-partitioned, output consistent system such that, for every sequence $\alpha$ and domain u,
$do(\alpha) \sim_u do(purge(\alpha, u))$
This means that performing sequence $\alpha$ is equivalent, in u's view, to executing the purged version.
Then M is secure for $\rightsquigarrow$.

Views
Proof: Setting u = dom(a) in the statement of the lemma gives
$do(\alpha) \sim_{dom(a)} do(purge(\alpha, dom(a)))$
and now, substituting $do(\alpha)$ and $do(purge(\alpha, dom(a)))$ for s and t, output consistency provides
$output(do(\alpha), a) = output(do(purge(\alpha, dom(a))), a)$

Views
But this is simply
$test(\alpha, a) = test(purge(\alpha, dom(a)), a)$
which is the definition of security for $\rightsquigarrow$ listed before.

Unwinding Theorem
Why is the unwinding theorem important?
• It provides a basis for practical methods for verifying systems that enforce noninterference policies
• It serves to relate noninterference policies to access control mechanisms
Unwinding Theorem
What is the Unwinding Theorem?
It is hard to work with sequences of actions. The unwinding theorem states that if the security policy holds for each action, then it holds for the sequence.

Unwinding Theorem, More Formally
Let $\rightsquigarrow$ be a policy and M a view-partitioned system that is:
• output consistent
• step consistent
• locally respects $\rightsquigarrow$
Then M is secure for $\rightsquigarrow$.

Questions
Any Questions??

References
• "Noninterference, Transitivity, and Channel-Control Security Policies" by John Rushby
• "Problems in Computer Security" by Auerbach, Kerbel, Megraw, Osburn, Shetty, with mentor John Hoffman

Thank You
• Dr. Steve Decklemen