Chapter 3: Foundational Results
• Overview
• Harrison-Ruzzo-Ullman result
– Corollaries
Slide #3-1
Overview
• Safety Question
• HRU Model
Slide #3-2
The general question
• How can we determine whether a system is
safe?
• Is there a generic algorithm that will
determine whether a system is safe?
Slide #3-3
Reminder: safe vs secure
• The term safe is used to refer to the abstract
model.
• The term secure is used when referring to
implementations.
Slide #3-4
What Is “Safe”?
• Adding a generic right r where there was
not one is “leaking”
• If a system S, beginning in initial state s0,
cannot leak right r, it is safe with respect to
the right r.
Slide #3-5
Safety Question
• Does there exist an algorithm for
determining whether a protection system S
with initial state s0 is safe with respect to a
generic right r?
Slide #3-6
Mono-Operational Commands
• Answer: yes
• Theorem
There exists an algorithm that will determine
whether a given mono-operational protection
system with initial state s0 is safe with respect
to a given generic right r.
Slide #3-7
Mono-Operational Commands
• Sketch of proof:
Consider the minimal sequence of commands
c1, …, ck needed to leak the right.
– Can omit delete, destroy
(no commands can test for the absence of rights in an ACM)
– Can merge all creates into one
Worst case: insert every right into every entry; with s subjects and o
objects initially, and n rights.
Then (at worst) there are k ≤ n(s+1)(o+1) commands
Slide #3-8
General Case
• Answer: no
• Theorem
It is undecidable whether a given state of a
general protection system is safe for a given
generic right r.
Slide #3-9
General Case
• Sketch of proof:
Reduce the halting problem to safety problem
Slide #3-10
Turing Machine review
• Infinite tape in one direction
• States K
• Symbols M (alphabet); distinguished blank b
• Transition function: (k, m) → (k′, m′, L) means that in
state k, with symbol m under the head, the symbol m is
replaced by m′, the head moves one square to the left, and
the machine enters state k′
• Halting state is qf; TM halts when it enters this
state
Slide #3-11
Halting problem
• Determine if an arbitrary TM will enter a
halting state qf
• The Halting problem is known to be
undecidable.
Slide #3-12
Mapping
• First we construct a map from the states and symbols of a
Turing machine TM to the rights in the access control
matrix A.
• The generic rights are taken to be
– the symbols in M and
– a set of distinct symbols, each representing a state in K.
• Each cell of TM is a subject.
• Define a distinguished right own such that si owns si+1
Slide #3-13
Mapping
Tape: cell 1 = A, cell 2 = B, cell 3 = C, cell 4 = D, …; head on cell 3; current state is k

Access control matrix (one subject per tape cell):
       s1   s2    s3     s4
  s1   A    own
  s2        B     own
  s3              C k    own
  s4                     D end
Slide #3-14
Mapping
After (k, C) → (k1, X, R), where k is the current state and k1 the next state:
Tape: cell 1 = A, cell 2 = B, cell 3 = X, cell 4 = D, …; head on cell 4

       s1   s2    s3     s4
  s1   A    own
  s2        B     own
  s3              X      own
  s4                     D k1 end
Slide #3-15
Command Mapping
(k, C) → (k1, X, R) at an intermediate cell becomes
command c_{k,C}(s3, s4)
  if own in A[s3,s4] and k in A[s3,s3]
     and C in A[s3,s3]
  then
    delete k from A[s3,s3];
    delete C from A[s3,s3];
    enter X into A[s3,s3];
    enter k1 into A[s4,s4];
  end
Slide #3-16
Mapping
After (k1, D) → (k2, Y, R), where k1 is the current state and k2 the next state:
Tape: cell 1 = A, cell 2 = B, cell 3 = X, cell 4 = Y, cell 5 = b (blank); head on cell 5

       s1   s2    s3     s4     s5
  s1   A    own
  s2        B     own
  s3              X      own
  s4                     Y      own
  s5                            b k2 end
Slide #3-17
Command Mapping
(k1, D) → (k2, Y, R) at the end (rightmost cell) becomes
command c_rightmost_{k,C}(s4, s5)
  if end in A[s4,s4] and k1 in A[s4,s4]
     and D in A[s4,s4]
  then
    delete end from A[s4,s4];
    create subject s5;
    enter own into A[s4,s5];
    enter end into A[s5,s5];
    delete k1 from A[s4,s4];
    delete D from A[s4,s4];
    enter Y into A[s4,s4];
    enter k2 into A[s5,s5];
  end
Slide #3-18
Rest of Proof
• Protection system exactly simulates a TM
– Exactly 1 end right in the ACM
– Exactly 1 right in the ACM represents the current state
– Thus, at most 1 command is applicable at any time
• If TM enters state qf, then the right qf has leaked
• If the safety question were decidable, then represent the TM as above
and decide whether qf leaks
– Implies the halting problem is decidable
• Conclusion: safety question undecidable
Slide #3-19
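The mapping and command templates above, modelled as an added example (not from the slides or the HRU paper): an access control matrix A[(subject, object)] → rights, a step function that applies the single applicable c_{k,C} or c_rightmost_{k,C} command, and a leak check for qf. Only right-moving transitions are modelled; the subject names s1, s2, … and the blank symbol "b" in a newly created cell are assumptions taken from the figures.

```python
from typing import Dict, Set, Tuple

ACM = Dict[Tuple[str, str], Set[str]]           # A[(subject, object)] -> rights
Delta = Dict[Tuple[str, str], Tuple[str, str]]  # (k, m) -> (k', m'), head moves R

def initial_acm(tape: str, state: str, head: int) -> ACM:
    """One subject per tape cell; s_i owns s_{i+1}; the last cell holds 'end'."""
    a: ACM = {}
    for i, sym in enumerate(tape, 1):
        a[(f"s{i}", f"s{i}")] = {sym}
        if i < len(tape):
            a[(f"s{i}", f"s{i+1}")] = {"own"}
    a[(f"s{head}", f"s{head}")].add(state)           # the state right marks the head
    a[(f"s{len(tape)}", f"s{len(tape)}")].add("end")
    return a

def step(a: ACM, delta: Delta) -> bool:
    """Apply the one applicable command (c_{k,C} or c_rightmost_{k,C}), if any."""
    for (si, sj), rights in list(a.items()):
        if si != sj:
            continue                                 # state and symbol live on the diagonal
        for (k, c), (k1, x) in delta.items():
            if not {k, c} <= rights:
                continue
            nxt = f"s{int(si[1:]) + 1}"
            if "end" in rights:                      # c_rightmost: extend the tape
                rights.remove("end")
                a[(nxt, nxt)] = {"b", "end"}         # create subject; new cell is blank
                a[(si, nxt)] = {"own"}
            elif "own" not in a.get((si, nxt), set()):
                return False
            rights -= {k, c}                         # delete k, delete C
            rights.add(x)                            # enter X
            a[(nxt, nxt)].add(k1)                    # enter k1: the head moved right
            return True
    return False

def leaks(a: ACM, right: str) -> bool:
    """The safety question for one right: does it appear anywhere in A?"""
    return any(right in r for r in a.values())

def run(delta: Delta, tape: str, start: str, qf: str, head: int = 1,
        max_steps: int = 1000) -> bool:
    """Simulate until qf leaks or no command applies; True means the TM halted."""
    a = initial_acm(tape, start, head)
    for _ in range(max_steps):
        if leaks(a, qf) or not step(a, delta):
            break
    return leaks(a, qf)
```

Running the two transitions from the figures on the tape ABCD with the head on cell 3 reproduces the matrices shown above step by step; a transition table with no path to qf leaves the system safe for qf within the step bound.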
Other Results
• Set of unsafe systems is recursively enumerable
(there is a TM that will enumerate all such systems)
• Delete the create primitive; then the safety question is complete in P-SPACE
• Delete the destroy and delete primitives; then the safety question is undecidable
– Such systems are called monotonic: the size and complexity only
increase.
• Safety question for mono-conditional, monotonic protection systems is
decidable
• Safety question for mono-conditional protection systems with create, enter,
delete (and no destroy) is decidable.
Slide #3-20
Key Points
• Safety problem undecidable
• Limiting scope of systems can make
problem decidable
Slide #3-21