Chapter 3: Foundational Results • Overview • Harrison-Ruzzo-Ullman result – Corollaries Slide #3-1 Overview • Safety Question • HRU Model Slide #3-2 The general question • How can we determine whether a system is safe? • Is there a generic algorithm that will determine whether a system is safe? Slide #3-3 Reminder: safe vs secure • The term safe is used to refer to the abstract model. • The term secure is used when referring to implementations Slide #3-4 What Is “Safe”? • Adding a generic right r where there was not one is “leaking” • If a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r. Slide #3-5 Safety Question • Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r? Slide #3-6 Mono-Operational Commands • Answer: yes • Theorem There exists an algorithm that will determine whether given mono-operational protection system with initial state s0 is safe with respect to a given generic right r. Slide #3-7 Mono-Operational Commands • Sketch of proof: Consider the minimal sequence of commands to leak the right. – Can omit delete, destroy c1, …, ck needed (no commands can test for the absence of rights in an ACM) – Can merge all creates into one Worst case: insert every right into every entry; with s subjects and o objects initially, and n rights. Then (at worst) there are k ≤ n(s+1)(o+1) commands Slide #3-8 General Case • Answer: no • Theorem It is undecidable whether a given state of a general protection system with is safe for a given right r. Slide #3-9 General Case • Sketch of proof: Reduce the halting problem to safety problem Slide #3-10 Turing Machine review • • • • Infinite tape in one direction States K, Symbols M (alphabet); distinguished blank b Transition function (k, m) = (k, m, L) means in state k, symbol m on tape location replaced by symbol m, head moves to left one square, and enters state k • Halting state is qf; TM halts when it enters this state Slide #3-11 Halting problem • Determine if an arbitrary TM will enter a halting state qf • The Halting problem is known to be undecidable. Slide #3-12 Mapping • First we construct a map from the states and symbols of a Turing machine TM to the rights in the access control matrix A. • The generic rights are taken to be – the symbols in M and – a set of distinct symbols each representing a state in K. • Each cell of TM is a subject. • Define a distinguished right own and such that si owns si+1 Slide #3-13 Mapping 1 2 3 4 A B C D … s1 head Current state is k s2 s3 s4 s1 s2 A own B s3 s4 own Ck own D end Slide #3-14 Mapping 1 2 3 4 A B X D … head After (k, C) = (k1, X, R) where k is the current state and k1 the next state s1 s2 s3 s4 s1 s2 A own B s3 s4 own X own D k1 end Slide #3-15 Command Mapping (k, C) = (k1, X, R) at intermediate becomes command ck,C(s3,s4) if own in A[s3,s4] and k in A[s3,s3] and C in A[s3,s3] then delete k from A[s3,s3]; delete C from A[s3,s3]; enter X into A[s3,s3]; enter k1 into A[s4,s4]; end Slide #3-16 Mapping 1 2 3 4 5 A B X Y b head After (k1, D) = (k2, Y, R) where k1 is the current state and k2 the next state s1 s2 s3 s4 s5 s1 s2 A own B s3 s4 s5 own X own Y own b k2 end Slide #3-17 Command Mapping (k1, D) = (k2, Y, R) at end becomes command crightmostk,C(s4,s5) if end in A[s4,s4] and k1 in A[s4,s4] and D in A[s4,s4] then delete end from A[s4,s4]; create subject s5; enter own into A[s4,s5]; enter end into A[s5,s5]; delete k1 from A[s4,s4]; delete D from A[s4,s4]; enter Y into A[s4,s4]; enter k2 into A[s5,s5]; end Slide #3-18 Rest of Proof • Protection system exactly simulates a TM – Exactly 1 end right in ACM – 1 right in entries corresponds to state – Thus, at most 1 applicable command • If TM enters state qf, then right has leaked • If safety question decidable, then represent TM as above and determine if qf leaks – Implies halting problem decidable • Conclusion: safety question undecidable Slide #3-19 Other Results • Set of unsafe systems is recursively enumerable (there is TM that will enumerate all systems) • Delete create primitive; then safety question is complete in P-SPACE • Delete destroy, delete primitives; then safety question is undecidable – Such systems are called monotonic: the size and complexity only increases. • Safety question for mono-conditional, monotonic protection systems is decidable • Safety question for mono-conditional protection systems with create, enter, delete (and no destroy) is decidable. Slide #3-20 Key Points • Safety problem undecidable • Limiting scope of systems can make problem decidable Slide #3-21