Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Artificial Intelligence

! ""# $ %

advertisement 
!
""#
&
$%
'
%
Computer security is an issue that surrounds all of us on a daily basis. Whether
we realize it or not, computer security affects all of us. Computer security is an issue
that we, as consumers, should be very concerned about. The purpose of this research
paper is to figure out how computer security can be defined in mathematical terminology.
There will be a mathematical modeling of the security behind a generic computer system.
Through the course of this paper, security, interference, and the ideas of view-partitioned,
output consistency, and equivalence relationships will be defined and the unwinding
theorem will be addressed and proved.
What does it mean to say that a system is secure? In order to explain security, we
must first define the possible componenets of a computer system. Let M be a computer
system. M consists of a set S of states {s0, s1, s2, …} where s0
S is an initial state. M
can also have a set D of domains {u,v,w}, a set A of actions {a,b}, and a set O of outputs.
To understand this better lets take a look at the practical side of M. For the sake
of example we will define M as the Internet. The Internet is based on three basic
sections, the web server, a tcp/ip connection, and a client’s web browser.
In order to translate the first aspect of M, which is S we must define the M’s
different states. There are four basic states Wait State, Accept Request State, Process
Request State, and Return Request State for the web server. These states create a natural
cycle through which a client’s request travels. Since the web server spends a majority of
its time in wait mode this is also s0 for M.
The next aspect of M as it relates to the Internet is D, which stands for domain. A
domain is a defined section of a system. All the actions of a system occur within
specified domains. This means that we can talk about actions as they occur within a
client’s or web server’s computer.
The third element of M is A for action. An example is similar to a verb. Two
examples of actions include entering a URL in a client’s web browser or the web server
processing one code statement such as <B>Bold Text</B>.
The last component of M is O which means Output. An output is defined as the
result of an action. Within the web site example the results of the two previous actions
are the client producing a confirmation that it has found the web server and the text being
bolded to appear like Bold Text.
In order for all of these events to fit together, there are several dependencies
between S, D, A, & O all of which are within M. The rest of this paper will discuss these
relationships. While most of the examples that will be discussed are solid theoretical
statements they are difficult to translate to the real world. Keep in mind the example M
defined as the internet.
The system M does not only contain components such as actions, domains, and
outputs. The system M may consist of functions. We will first look at the function step.
M can consist of a function step: S
A
S, where step(sn, a) = sn+1 denotes the next
state of the sytem after applying action a. M also can have a function output:
S
A
O, where ouputs(s, a) denotes the result when returned by the action a. An
example of the output command is the “write” command to the file. Further, system M
can consist of a function run: S
S. An example of the run function is
run(s, φ ) = s, where φ is an empty sequence of actions.
The expressions used in the following paragraphs can be easily understood when
the terminology is defined. When we refer to states, we will use the letters s,t.
When
we are talking about actions the letters a,b will be used. The greek letters α , β will
define a sequence of actions. And finally, the letters u,v,w will define a domain.
We must understand what it means to communicate. Communication happens
when two domains have an information flow channel between them. What this means is
that the two domains are able to share information, communicating to each other.
In order to understand the idea behind computer security, we must turn to what a
security policy is. A security policy is a set of rules defining what domains can
communicate. This policy is typically specified by a reflexive relation:
on domain D.
Therefore, when we want to define security, we say that a system is secure if the given
security policy of the system completely defines all possible communication channels.
In order to discuss computer security, we must assume some set of security
domains and a policy that restricts the allowable flow of information among those
domains. We say that two domains u,v communicate if there is an information flow
channel between them.
We say that a system is secure if the given security policy of the system defines
all possible communication channels. What this means is, we know of all possible
communication channels. So in order for the system to be deemed secure, the security
policy must define all possible communication channels.
The idea of noninterference is really rather simple: a security domain u is
noninterfering with domain v if no action performed by u can influence
subsequent outputs seen by v. Noninterference has been quite successful in
providing formal underpinnings for military multilevel security policies and
for the methods of verifying their implementations. All this is saying that
whatever u does v doesn’t know it happened.
Intransitive noninterference is a term expanding the definition of
noninterference. Intransitive noninterference refers to information flow
properties required of systems containing down graders, in which it may be
legitimate for information to flow indirectly between two users but not
directly. The concept is illustrated by a secure file system, with a
process that can downgrade files from high-security to low-security.
Using this example, they show that the standard definition of intransitive
non-interference in terms of a purge function is undesirably permissive: it
allows the effects of "too many" high-level actions to become visible in the
low-level view after a downgrading action. As a remedy, a definition based
on determinism is proposed. Roughly, the determinism-based notion of
non-interference is as follows: high-level actions are turned into
non-deterministic choices, and if the low-level view is deterministic, then
there is no information flow from the high level to the low level. This
definition can be extended to yield a definition of intransitive
non-interference that is not overly permissive.
We will define purge(alpha, v) with respect to domain v, an element of the set D of
security domains, and the action sequence alpha in the set of actions A*. Let
purge(Λ, v ) = Λ
purge(a α , v) = a purge(α , v)
purge(alpha,v) be the subsequence of alpha created by deleting all actions associated
with the domain u such that u has a noninterference policy with v. From this we get:
if dom(a) interferes with v or
purge( a α , v ) = purge(α , v )
otherwise.
Security is identified with the requirement of
output (run (s0 , α ), a ) = output (run (s0 , purge(α , dom(a ))), a ).
This shows that the machine starts out from the initial state and has a sequence of
actions performed on it, and then action a is performed on it and the output is observed.
If dom(a) can tell the difference between the action sequence alpha and
purge(alpha,dom(a)), than an action by domain u which was not to interfere with dom(a)
has in fact interfered. Thus the system is not secure in regard to policies that specify that
u does not interfere with dom(a).
Because we frequently use expressions of the form
output (run (s0 , α ), a )
it will be convenient to introduce the functions do and test:
do: Α* → S
test: Α* × Α → O
where
do (α ) = run (s0 , α )
test (α , a ) = output (do (α ), a )
From this the system is said to be secure for the policy if
test (α , a ) = test ( purge(α , dom(a )), a ).
Definitions
Test and do are abbreviations of frequently used expressions.
do(α ) = run( s0 , α )
test (α , a ) = output ( do (α ), a )
We say that a system is secure for policy
test (α , a ) = test ( purge (α , dom ( a )), a )
Output Consistency
A system M is view-partitioned if, for each domain, u ∈ D there is an equivalence
u
relation ~ on S
These equivalence relations are said to be output consistent if
dom ( a )
s ~ t ⊃ output ( s, a ) = output (t , a )
This means that if s and t are views, and they have an equivalency relation, then an
action executed on both views produces the same output.
A system M is view-partitioned if, for each domain, u ∈ D there is an
u
equivalence relation ~ on S
These equivalence relations are said to be output consistent if
dom ( a )
s ~ t ⊃ output ( s, a ) = output (t , a )
Lemma 1
Let
be a policy and M a view partitioned, output consistent system such that,
u
do(α ) ~ do( purge(α , u ))
then M is secure for
Proof:
Setting u = dom(a) in the statement of the lemma gives
dom ( a )
do(α ) ~ do( purge(α , dom(a ))) and output consistency then provides
ouput ( do (α ), a ) = output ( do ( purge (α , dom ( a ))), a )
But, this is simply test (α , a ) = test ( purge (α , dom ( a )), a )
Which. is the definition of security for
Step Consistency
Let M be a view-partitioned system and ~ a policy. We say that M locally respects ~ if
u
u
u
dom(a ) ~ u ⊃ s ~ step ( s, a ) and that M is step consistent if s ~ t ⊃ step ( s, a ) ~ step (t , a )
Why is the unwinding theorem important?
The unwinding theorem provides a basis for practical methods for verifying
systems that enforce noninterference policies. It also serves to relate
noninterference policies to access control mechanisms.
Let
be a policy and M a view-partitioned system that is:
•output consistent
•step consistent
•locally respects
Then M is secure for
Proof:
u
u
Use induction to establish s ~ t ⊃ run( s, α ) ~ run(t , purge(α , u )).
The base is the case α=Λ and is elementary.
run( s, a α ) = run( step ( s, a ), α )
There are two cases to consider for run (t , purge ( a α , u ))
Case 1: dom ( a )
u
run(t , purge(a α , u )) = run(t , a purge(α u ))
The right hand side expands to give
run (t , purge ( a α , u )) = run ( step (t , a ), purge (α u ))
u
u
Since u ~ t and the system is step consistent, it follows that step( s, a) ~ step(t , a) and
the inductive process then gives run (t , purge (a α , u )) = run (t , a purge (α u ))
which completes the inductive step.
Case 2: dom(a)
u
the definition of purge provides run (t , purge (a α )) = run (t , purge (α , u )) and the fact
that dom (a )
u and that M locally respects
ensures
u
step ( s, a ) ~ t
u
Then by induction, run( step( s, a),α ) ~ run(t , purge(α , u ))
u
do(α ) ~ do( purge(α , u ))
And then since M is output consistent, invoke Lemma 1 to complete the proof
“Noninterference, Transitivity, and Channel-Control Security Policies” by John Rushby
“Problems in Computer Security” by Auerbach, Kerbel, Megraw, Osburn, Shetty with
mentor John Hoffman
Related documents
Toward A Mathematical Model of Computer Security • Gina Duncanson
Toward A Mathematical Model of Computer Security • Gina Duncanson
Document10467583 10467583
Document10467583 10467583
WORLD HISTORY UNIT X STUDY GUIDE NAME: Chapter 30
WORLD HISTORY UNIT X STUDY GUIDE NAME: Chapter 30
Dionex HPLC Sugar Analysis - North Carolina State University
Dionex HPLC Sugar Analysis - North Carolina State University
Register Number - IndiaStudyChannel.com
Register Number - IndiaStudyChannel.com
ProMix 2KE Purge - Color Change Detail
ProMix 2KE Purge - Color Change Detail
Download
advertisement