! ""# & $% ' % Computer security is an issue that surrounds all of us on a daily basis. Whether we realize it or not, computer security affects all of us. Computer security is an issue that we, as consumers, should be very concerned about. The purpose of this research paper is to figure out how computer security can be defined in mathematical terminology. There will be a mathematical modeling of the security behind a generic computer system. Through the course of this paper, security, interference, and the ideas of view-partitioned, output consistency, and equivalence relationships will be defined and the unwinding theorem will be addressed and proved. What does it mean to say that a system is secure? In order to explain security, we must first define the possible componenets of a computer system. Let M be a computer system. M consists of a set S of states {s0, s1, s2, …} where s0 S is an initial state. M can also have a set D of domains {u,v,w}, a set A of actions {a,b}, and a set O of outputs. To understand this better lets take a look at the practical side of M. For the sake of example we will define M as the Internet. The Internet is based on three basic sections, the web server, a tcp/ip connection, and a client’s web browser. In order to translate the first aspect of M, which is S we must define the M’s different states. There are four basic states Wait State, Accept Request State, Process Request State, and Return Request State for the web server. These states create a natural cycle through which a client’s request travels. Since the web server spends a majority of its time in wait mode this is also s0 for M. The next aspect of M as it relates to the Internet is D, which stands for domain. A domain is a defined section of a system. All the actions of a system occur within specified domains. This means that we can talk about actions as they occur within a client’s or web server’s computer. The third element of M is A for action. An example is similar to a verb. Two examples of actions include entering a URL in a client’s web browser or the web server processing one code statement such as <B>Bold Text</B>. The last component of M is O which means Output. An output is defined as the result of an action. Within the web site example the results of the two previous actions are the client producing a confirmation that it has found the web server and the text being bolded to appear like Bold Text. In order for all of these events to fit together, there are several dependencies between S, D, A, & O all of which are within M. The rest of this paper will discuss these relationships. While most of the examples that will be discussed are solid theoretical statements they are difficult to translate to the real world. Keep in mind the example M defined as the internet. The system M does not only contain components such as actions, domains, and outputs. The system M may consist of functions. We will first look at the function step. M can consist of a function step: S A S, where step(sn, a) = sn+1 denotes the next state of the sytem after applying action a. M also can have a function output: S A O, where ouputs(s, a) denotes the result when returned by the action a. An example of the output command is the “write” command to the file. Further, system M can consist of a function run: S S. An example of the run function is run(s, φ ) = s, where φ is an empty sequence of actions. The expressions used in the following paragraphs can be easily understood when the terminology is defined. When we refer to states, we will use the letters s,t. When we are talking about actions the letters a,b will be used. The greek letters α , β will define a sequence of actions. And finally, the letters u,v,w will define a domain. We must understand what it means to communicate. Communication happens when two domains have an information flow channel between them. What this means is that the two domains are able to share information, communicating to each other. In order to understand the idea behind computer security, we must turn to what a security policy is. A security policy is a set of rules defining what domains can communicate. This policy is typically specified by a reflexive relation: on domain D. Therefore, when we want to define security, we say that a system is secure if the given security policy of the system completely defines all possible communication channels. In order to discuss computer security, we must assume some set of security domains and a policy that restricts the allowable flow of information among those domains. We say that two domains u,v communicate if there is an information flow channel between them. We say that a system is secure if the given security policy of the system defines all possible communication channels. What this means is, we know of all possible communication channels. So in order for the system to be deemed secure, the security policy must define all possible communication channels. The idea of noninterference is really rather simple: a security domain u is noninterfering with domain v if no action performed by u can influence subsequent outputs seen by v. Noninterference has been quite successful in providing formal underpinnings for military multilevel security policies and for the methods of verifying their implementations. All this is saying that whatever u does v doesn’t know it happened. Intransitive noninterference is a term expanding the definition of noninterference. Intransitive noninterference refers to information flow properties required of systems containing down graders, in which it may be legitimate for information to flow indirectly between two users but not directly. The concept is illustrated by a secure file system, with a process that can downgrade files from high-security to low-security. Using this example, they show that the standard definition of intransitive non-interference in terms of a purge function is undesirably permissive: it allows the effects of "too many" high-level actions to become visible in the low-level view after a downgrading action. As a remedy, a definition based on determinism is proposed. Roughly, the determinism-based notion of non-interference is as follows: high-level actions are turned into non-deterministic choices, and if the low-level view is deterministic, then there is no information flow from the high level to the low level. This definition can be extended to yield a definition of intransitive non-interference that is not overly permissive. We will define purge(alpha, v) with respect to domain v, an element of the set D of security domains, and the action sequence alpha in the set of actions A*. Let purge(Λ, v ) = Λ purge(a α , v) = a purge(α , v) purge(alpha,v) be the subsequence of alpha created by deleting all actions associated with the domain u such that u has a noninterference policy with v. From this we get: if dom(a) interferes with v or purge( a α , v ) = purge(α , v ) otherwise. Security is identified with the requirement of output (run (s0 , α ), a ) = output (run (s0 , purge(α , dom(a ))), a ). This shows that the machine starts out from the initial state and has a sequence of actions performed on it, and then action a is performed on it and the output is observed. If dom(a) can tell the difference between the action sequence alpha and purge(alpha,dom(a)), than an action by domain u which was not to interfere with dom(a) has in fact interfered. Thus the system is not secure in regard to policies that specify that u does not interfere with dom(a). Because we frequently use expressions of the form output (run (s0 , α ), a ) it will be convenient to introduce the functions do and test: do: Α* → S test: Α* × Α → O where do (α ) = run (s0 , α ) test (α , a ) = output (do (α ), a ) From this the system is said to be secure for the policy if test (α , a ) = test ( purge(α , dom(a )), a ). Definitions Test and do are abbreviations of frequently used expressions. do(α ) = run( s0 , α ) test (α , a ) = output ( do (α ), a ) We say that a system is secure for policy test (α , a ) = test ( purge (α , dom ( a )), a ) Output Consistency A system M is view-partitioned if, for each domain, u ∈ D there is an equivalence u relation ~ on S These equivalence relations are said to be output consistent if dom ( a ) s ~ t ⊃ output ( s, a ) = output (t , a ) This means that if s and t are views, and they have an equivalency relation, then an action executed on both views produces the same output. A system M is view-partitioned if, for each domain, u ∈ D there is an u equivalence relation ~ on S These equivalence relations are said to be output consistent if dom ( a ) s ~ t ⊃ output ( s, a ) = output (t , a ) Lemma 1 Let be a policy and M a view partitioned, output consistent system such that, u do(α ) ~ do( purge(α , u )) then M is secure for Proof: Setting u = dom(a) in the statement of the lemma gives dom ( a ) do(α ) ~ do( purge(α , dom(a ))) and output consistency then provides ouput ( do (α ), a ) = output ( do ( purge (α , dom ( a ))), a ) But, this is simply test (α , a ) = test ( purge (α , dom ( a )), a ) Which. is the definition of security for Step Consistency Let M be a view-partitioned system and ~ a policy. We say that M locally respects ~ if u u u dom(a ) ~ u ⊃ s ~ step ( s, a ) and that M is step consistent if s ~ t ⊃ step ( s, a ) ~ step (t , a ) Why is the unwinding theorem important? The unwinding theorem provides a basis for practical methods for verifying systems that enforce noninterference policies. It also serves to relate noninterference policies to access control mechanisms. Let be a policy and M a view-partitioned system that is: •output consistent •step consistent •locally respects Then M is secure for Proof: u u Use induction to establish s ~ t ⊃ run( s, α ) ~ run(t , purge(α , u )). The base is the case α=Λ and is elementary. run( s, a α ) = run( step ( s, a ), α ) There are two cases to consider for run (t , purge ( a α , u )) Case 1: dom ( a ) u run(t , purge(a α , u )) = run(t , a purge(α u )) The right hand side expands to give run (t , purge ( a α , u )) = run ( step (t , a ), purge (α u )) u u Since u ~ t and the system is step consistent, it follows that step( s, a) ~ step(t , a) and the inductive process then gives run (t , purge (a α , u )) = run (t , a purge (α u )) which completes the inductive step. Case 2: dom(a) u the definition of purge provides run (t , purge (a α )) = run (t , purge (α , u )) and the fact that dom (a ) u and that M locally respects ensures u step ( s, a ) ~ t u Then by induction, run( step( s, a),α ) ~ run(t , purge(α , u )) u do(α ) ~ do( purge(α , u )) And then since M is output consistent, invoke Lemma 1 to complete the proof “Noninterference, Transitivity, and Channel-Control Security Policies” by John Rushby “Problems in Computer Security” by Auerbach, Kerbel, Megraw, Osburn, Shetty with mentor John Hoffman