Toward A Mathematical Model of
Computer Security
•
•
•
•
•
Gina Duncanson
Kevin Jonas
Ben Lange
John Loff-Peterson
Ben Neigebauer
Introduction
• Computer security issues are a part of our
daily life
• Model a secure computer system
Scope
• Define a secure system
• Use a practical example
• State Unwinding Theorem
Modeling a Computer System
A system M can consist of:
• a set S of STATES, where s0  is an initial state
• a set D of domains
• a set A of actions
• a set O of outputs
And Now...
Practical Example
• Today I will be talking
about how one can
apply the model of
security that is
explained in the paper
we researched.
Defining M
World Wide Web sites
consists of three basic
components:
– Web Server
– TCP/IP Connection
– Web Browser Client
Defining S
• Web Servers always
have a finite state.
Generally a server
travels through a cycle
of states.
• s0 is wait mode on a
web server.
Defining D
• A domain is a defined
section of a system. All
the actions of a system
occur within specified
domains.
• This means that we can
talk about actions as they
relate to a client or web
server’s computer.
Defining A
• An action is similar to
a verb. Two example
actions include:
– A Client Inserting a
URL
– A Server Processing
one Code Statement
Defining O
• Outputs are the
immediate result of an
action. When looking
at a web site an output
is:
– A web server sending
back a confirmation
message that it exists.
– The result of one code
statement.
Putting it all together
• In order for all of
these events to fit
together, there are
several dependencies
between S, D, A, & O.
Modeling a Computer System
A system M can consist of:
• function step: S  A  S, where
step(sn , a) denotes the next state of the
system after applying action a
Modeling a Computer System
A system M can consist of:
• function output: S  A  O, where
output(s,a) denotes the result returned by
the action a
• Example: “write” command to file
Modeling a Computer System
A system M can consist of:
• function run: S  A*  S

• Example:
run(s,) = s, where  is an empty
sequence of actions
Terminology
STATES:
use the letters s,t
ACTIONS:
use the letters a,b
SEQUENCES OF ACTIONS:
use Greek letters ,
DOMAIN:
use the letters u,v,w
Communication
Two domains u,v communicate if there is an
information flow channel between them.
Definition
• Security Policy:
A set of rules defining what domains can
communicate.
Specified by a reflexive relation:
 on a domain D
Definition
• Security:
A system is secure if the given security
policy of the system completely defines all
possible communication channels.
Security
• 2 ASSUMPTIONS:
– set of security domains {u,v}
– policy that restricts allowable flow of
information among the domains above
And Now...
Noninterference
• The idea of noninterference is really
rather simple: a security domain u is
non-interfering with domain v if no
action performed by u can influence
subsequent outputs seen by v.
Intransitive Noninterference
• Let u not see v but u see x and x see v
where u,v, and x are domains. This is an
example of intransitive noninterference.
• In short, intransitive noninterference means
there is no direct communication between u
and v.
Intransitive Noninterference
And Now...
Definition ~ purge
purge( , v)
purge( , v)  
a, v)
purge(
purge(a   , v)  a  purge( , v)
if dom(a) interferes with v
purge(a   , v)  purge( , v)
otherwise
Security
• Security is identified by:
output (run( s0 ,  ), a ) 
output (run( s0 , purge( , dom(a ))), a )
Restating the Expressions
output (run(s0 , ), a)
do : A*  S
test : A  A  O
*
do( )  run(s0 , )
test ( , a)  output(do( ), a)
Security
• Security is now identified by:
test ( , a)  test ( purge( , dom(a)), a)
View-Partitioned
• View -Partitioned
• Equivalence Relation
• Output Consistent
And Now...
Test and Do
Test and do are abbreviations of frequently
used expressions
do( )  run(s0 , )
test ( , a)  output (do( ), a)
Then we say that a system is secure for
policy 
test ( , a)  test ( purge( , dom(a)), a)
Output Consistency
A system M is view-partitioned if, for each domain,
u
u  D there is an equivalence relation ~ on S
These equivalence relations are said to be output
consistent if
dom( a )
s ~ t  output( s, a)  output(t , a)
The output after executing action a is the for the
states s and t, so s and t are equivalent views
Views
For an output consistent system, security
is achieved if “views" are unaffected.
Let  be a policy and M a view partitioned,
output consistent system such that,
u
do( ) ~ do( purge( , u ))
This means that if you perform sequence  it is
equivalent to executing the purged version
Then M is secure for

Views
Proof:
Setting u = dom(a) in the statement of the
lemma gives
dom( a )
do( ) ~ do( purge( , dom(a)))
and now substituting the u=dom(a) in for s
and t, output consistency provides
output (do( ), a)  output (do( purge( , dom(a))), a)
Views
But this is simply
test ( , a)  test ( purge( , dom(a)), a)
Which is the definition of security for 
Listed before
Unwinding Theorem
Why is the unwinding theorem
important?
• It provides a basis for practical methods for
verifying systems that enforce
noninterference policies
• Serves to relate noninterference policies to
access control mechanisms.
Unwinding Theorem
What is the Unwinding Theorem?
It is hard to work with sequences of actions.
The unwinding theorem states that if the
security policy holds for each action, then it
holds for the sequence.
Unwinding Theorem
More Formally
Let  be a policy and M a view partitioned
system that is:
• output consistent
• step consistent
• locally respects 
Then M is secure for 
Questions
Any Questions??
References
• “Noninterference, Transitivity, and
Channel-Control Security Policies” by John
Rushby
• “Problems in Computer Security” by
Auerbach, Kerbel, Megraw, Osburn, Shetty
with mentor John Hoffman
Thank You
• Dr. Steve Decklemen