11

-Access Control - 2 - Foundational Results

22

Preliminaries

Undecidability The Halting Problem

The Turing Machine

3

          

Undecidability

Timing a Program Can you write a program that tells you how long another program will run before completing?

The Halting ProblemIf you can tell me how long, it must stop in a

finite time! No program can give a decisive answer for all

legitimate inputs A program may give correct answers for some

cases but run forever for others

4

          

4

The Turing Machine An infinite-to-the-right tape divided into cells

A cell C can store any symbol in M={A,B,C,D,F,Blank} A read/write head

The head can have any state in K={happy,unhappy} The head reads, then writes and moves

What it writes, and whether it moves to left or right are both decided by a set of rules [M and K are both finite]

Originally tape is all blank

F A D … …

unhappy

(happy,Blank) (happy,A,Right) (unhappy,A) (happy,A,Left) (happy,F) (happy,A,Left) … …

F A D … …

happy

(happy,Blank) (happy,A,Right) (unhappy,A) (happy,A,Left) (happy,F) (happy,A,Left) … …

happy

A A D … …

(happy,Blank) (unhappy,A,Right) (unhappy,A) (happy,b\B,Left) (happy,F) (happy,A,Left) … …

happy

unhappy

5

          

5

The Halting Problem

With any initial tape and state (of the head), will any given Turing machine reach a specific state?

This is undecidable

input

program

output “OK” and halt

6

          

A Proof by Contradiction

Suppose you have a machine that you are sure will always tell you if an input program will halt:

Input the following program:If this program halts, go into an endless loop

Otherwise print out “OK”

It never stops

7

          

Access and Control of Memory

8

          

8

The Access Control Matrix (ACM)

A model of protection systems Describes who (subject) can do what

(rights) to what/whom (object/subject) Example

An instructor can assign and grade homework and exams

A TA can grade homework A Student can evaluate the instructor and TA

9

          An Access Control Matrix

Allowed Operations (Rights): r,x,w,o

file1 file2 file3Ann rx r rwxBob rwxo r --Charlierx rwo w

10

          

Rights/Commands

Primitive Commands

create/destroy a subject s or object o

enter/delete r into/from A[s,o]

11

          

State Transition Commands

Command If an instructor can grade an exam and a TA

can grade h.w. Then revoke TA’s rights in grading the h.w. and let him grade the exam

Mono-conditional/mono-operational Condition can neither be negative nor contain

‘or’

“if instructor can grade exam or TA can grade exam then TA cannot grade h.w.”

12

          

12

Commands for ACM Primitive commands

Create /delete subjects, objects Enter, delete permissions acm(s,o)

A command may use more than one primitive command a mono-operational command.

Limitation: Cannot test for a negative fact Further: Don’t have Owner and Copy

commands

13

          

13

ACM and protection States Subjects: (processes p, q etc) Objects: (files f, g etc) Access rights (operations r, w, x, a, o etc)

f g p q P rwo r rwxo wq a ro r rwxo

14

          

14

Protection States State: Variables taking values in a domain Protection domain: the space defined by an ACM

Mathematically: Variables for subjects: Xs ∈ S /** The set of all subject names

**/ Variables for objects: Xo ∈ O /** The set of all object names **/ Constants for permission names: P Assignment: ACL: S x O P (P) power set = Set of all

subsets Maps every (subject,object) pair to a subset of permissions.

Example statef g p q

p ow r rxo wq r o r wx

15

          

15

Safe States Any subset that is consistent with the ACM Mathematically:

If myState: S x O P (P), then x,y myState(x,y) ACM(x,y)

ACM O1 O2 O3 O4

S1 rwx rx rx x

S2 x

myState O1 O2 O3 O4

S1 r rx rx x

S2 x

16

          

16

What Does it mean to be Secure?

Giving a right r to someone who initially does not possess r is called leaking

If system begins in some initial safe state and can never leak r, then the system is secure with respect to rSubtleties Leaking is not necessarily bad, legitimate

transfer of rights can be proper if owners say so or by delegation

But we must be sure that: With all authorized leaking ignored, is the system still secure wrt r?

An abstract system (specification) is secure but its implementation may not be secure

17

          

17

Safety Question Is there an algorithm for determining

whether any protection system with a given initial state is secure with respect to a generic right r?

Using terms of ACM, the question is Given any ACM, is there a program that halts

with the answer to “Is there a sequence of commands that will enter r into some a[s,o] that does not initially have r”?

There are trivial cases where this is obviously true, but how about the general case?

18

          

18

The (Special) Positive Result Theorem: There is an algorithm that

determines if a given mono-operational protection system with initial state S0 is safe with respect to a generic right.

Proof: Suppose the command sequence is [c0,c1,…cn]:

1. Can identify [c0,c1,…,cn] as a sequence of primitive operations.

2. Can assume that i Ci ≠ delete, destroybecause delete and destroy do not add rights.

19

          

19

The Positive Result.. Proof (cont)

1. Only create adds new subjects and objects.

2. The others are conditional tests, that can be tested

3. Suppose we create a new subject (Snew) and a new object (Onew)

4. Need to check that the given sequence of commands did not leak rights

5. Need to check the pre-post conditions of n(|S0|+1)(|O0|+1) commands.

20

          

20

General Safety Problem is Undecidable

Answer: the safety problem is undecidable In terms of ACM

Given any ACM, if some sequence of commands will enter r into some a[s,o] that does not initially have r is undecidable

Input file, orProgram, like a

Output or enter

Initial tape and state

Turing machine

a specific state

21

          

21

Reducing the halting problem to the safety problem

If an algorithm can solve the safety problem then it can also solve the halting problem But the halting problem is known to be

undecidable, so such an algorithm cannot exist How does the reduction work? Simulate a Turing machine where subject Si owns

Si+1. and if cell i contains symbol A, then subject Si has rights A over itself. Then let Subject Sk correspond to the right-most cell with end right over itself.

22

          

22

The Reduction form

A B C D …

1 2 3 4

k

s1 s2 s3 s4

s4

s3

s2

s1 A

B

C k

D end

own

own

own(k, C) (k1, X, R)

A B X D …

1 2 3 4

k1

s1 s2 s3 s4

s4

s3

s2

s1 A

B

X

D k1 end

own

own

own(k1, D) (k2, Y, R)

A B X Y

1 2 3 4

k2

s1 s2 s3 s4

s4

s3

s2

s1 A

B

X

Y

own

own

own

s5

s5

own

b k2 end

5

b

ACM Tape

23

          

23

Commands for left motion

(k,C) (k1, X, L) Corresponds to the command Ck,C(S4,S3)

if ownA[si-1,si] and kA[si,si] and CA[si,si] then

delete k from A[si,si];

delete C from A[si,si];

enter X into A[si,si];

enter k1 into A[si-1,si-1];

End

Note: K is state of the head, C, X are content of the cell

24

          

24

Commands for right motion

(k,C) (k1, X, R) Corresponds to the command Ck,C(S3,S4)

if ownA[S3,S4] and kA[S3,S3] and CA[S3,S3] then

delete k from A[S3,S3];

delete C from A[S3,S3];

enter X into A[S3,S3];

enter k1 into A[S4,S4];

end

25

          

25

Command for the rightmost cell

(k1, D) (k2, Y, R) Corresponds to crightmostk,C(s4,s5)if endA[s4,s4] and k1A[s4,s4] and DA[s4,s4]then

delete end from A[s4,s4];create subject s5;enter own into A[s4,s5];enter end into A[s5,s5];delete k1 from A[s4,s4];delete D from A[s4,s4];enter Y into A[s4,s4];enter k2 into A[s5,s5];

end

26

          

26

Rest of the proofThis Protection system exactly simulates a

Turing Machine end right in ACM corresponds to the end state 1 right in the entry with current state Thus, at most 1 applicable command at any

time If TM enters a special state qf then right

has leaked the right qf If safety question decidable, then represent

TM as above and determine if qf leaks Implies halting problem decidable

Conclusion: Safety is undecidable

27

          

27

Special Cases can be Decidable

If all the commands are mono-operational, the safety problem is decidable Each move of Turing machine corresponds to

multiple primitive commands of ACM If no command includes create, the

safety problem is decidable (P-SPACE complete)

If no command includes destroy or delete and all command are mono-conditional, then the safety problem is decidable

28

          

28

Main Point

In its most general form, the safety problem is undecidable, but by limiting scope of systems the safety problem can be decidable

Otherwise we could never build a safe system!

29

          

ACMs and ACLs; Capabilities

Real systems have to be fast and not use excessive space

30

          

30

What’s Wrong with an ACM? If we have 1k ‘users’ and 100k ‘files’ and

a user should only read/write his or her own files The ACM will have 101k columns and 1k rows Most of the 101M elements are either empty

or identical Good for theoretical study but bad for

implementation Remove the empty elements?

31

          

Two ways to cut a table (ACM)

Order by columns (ACL) or rows (Capability Lists)?

file1 file2 file3A rx r rwxB rwxo r --C rx rwo w

ACLs

Capability

32

          

32

Access Control Lists

Columns of access control matrix file1 file2 file3Andy rx r rwoBetty rwxo rCharlie rx rwo w

ACLs: file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) } file2: { (Andy, r) (Betty, r) (Charlie, rwo) } file3: { (Andy, rwo) (Charlie, w) }

An ACL stores (non-empty elements of) each column with its object

33

          

33

Capability Lists Rows of access control matrix

file1 file2 file3Andy rx r rwoBetty rwxo rCharlie rx rwo w

C-Lists: Andy: { (file1, rx) (file2, r) (file3, rwo) } Betty: { (file1, rwxo) (file2, r) } Charlie: { (file1, rx) (file2, rwo) (file3, w) }