Access Control - 2 - Foundational Results
Preliminaries
Undecidability
The Halting Problem
The Turing Machine
Undecidability
Timing a program: can you write a program that tells you how long another program will run before completing?
The Halting Problem: if you can tell me how long, the program must stop in a finite time!
No program can give a decisive answer for all legitimate inputs.
A program may give correct answers for some cases but run forever for others.
The Turing Machine
An infinite-to-the-right tape divided into cells.
A cell can store any symbol in M = {A, B, C, D, F, Blank}.
A read/write head; the head can have any state in K = {happy, unhappy}.
The head reads, then writes and moves.
What it writes, and whether it moves left or right, are both decided by a set of rules [M and K are both finite].
Originally the tape is all blank.
[Figure: three snapshots of a tape "F A D ..." with the head in state happy or unhappy, and the rule table (state, symbol read) -> (new state, symbol written, move): (happy, Blank) -> (happy, A, Right); (unhappy, A) -> (happy, A, Left); (happy, F) -> (happy, A, Left).]
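As an added example (not from the slides), here is a simulator for the machine just described, with a step budget. It uses the slides' sets M and K; three rules come from the slide's table and the fourth is constructed, as are the two starting tapes. The second run shows why a budget is not a halting test: the run is cut off, which says nothing about whether it would ever have halted.

```python
# Added example (not from the slides): a minimal simulator for the Turing machine
# the slides describe, with a step budget. M and K are the slides' sets; three
# rules are the slide's, the (happy, A) rule and the starting tapes are constructed.
BLANK = "Blank"
K = {"happy", "unhappy"}
M = {"A", "B", "C", "D", "F", BLANK}

# (state, symbol read) -> (new state, symbol written, move)
RULES = {
    ("happy", BLANK): ("happy", "A", "Right"),    # from the slide's rule table
    ("unhappy", "A"): ("happy", "A", "Left"),     # from the slide's rule table
    ("happy", "F"): ("happy", "A", "Left"),       # from the slide's rule table
    ("happy", "A"): ("unhappy", "B", "Right"),    # constructed for this example
}


def check_rules(rules):
    """Every rule must stay inside the finite sets K and M (the slides' requirement)."""
    return all(k in K and a in M and k1 in K and x in M and mv in ("Left", "Right")
               for (k, a), (k1, x, mv) in rules.items())


def run(rules, tape, state, head=0, max_steps=1000):
    """Run until no rule applies (halt) or the step budget is exhausted.

    Returns (status, steps, tape, state); status is "halted" or "step limit".
    The tape is infinite to the right only, so a Left move from cell 0 has no
    cell to go to and is treated as halting (an assumption of this example).
    """
    tape = list(tape)
    for step in range(max_steps):
        if head >= len(tape):                   # extend the blank tape on demand
            tape.extend([BLANK] * (head - len(tape) + 1))
        rule = rules.get((state, tape[head]))
        if rule is None:                        # no rule for (state, symbol): halt
            return ("halted", step, tape, state)
        state, tape[head], move = rule          # write, change state, then move
        head += 1 if move == "Right" else -1
        if head < 0:
            return ("halted", step + 1, tape, state)
    return ("step limit", max_steps, tape, state)


if __name__ == "__main__":
    print(run(RULES, ["A", "A", "D"], "happy"))           # halts after 2 steps
    print(run(RULES, [], "happy", max_steps=50)[:2])     # writes A forever; cut off
```

The first run halts because no rule is defined for (happy, B); the second keeps writing A and moving right, and the simulator can only report that the budget ran out, not that the machine never halts.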
The Halting Problem
With any initial tape and state (of the head), will a given Turing machine reach a specific state?
This is undecidable.
[Figure: input -> program -> output "OK" and halt.]
A Proof by Contradiction
Suppose you have a machine that you are sure will always tell you whether an input program will halt.
Input the following program: "If this program halts, go into an endless loop; otherwise print out 'OK'."
It never stops.
Access and Control of Memory
The Access Control Matrix (ACM)
A model of protection systems: describes who (subject) can do what (rights) to what/whom (object/subject).
Example:
An instructor can assign and grade homework and exams.
A TA can grade homework.
A student can evaluate the instructor and TA.
An Access Control Matrix
Allowed operations (rights): r, x, w, o

          file1   file2   file3
Ann       rx      r       rwx
Bob       rwxo    r       --
Charlie   rx      rwo     w
Rights/Commands
Primitive Commands
create/destroy a subject s or an object o
enter/delete a right r into/from A[s,o]
State Transition Commands
Command: if an instructor can grade an exam and a TA can grade the homework, then revoke the TA's right to grade the homework and let him grade the exam.
Mono-conditional / mono-operational: the condition can neither be negative nor contain 'or'.
Example of a condition that violates this (it contains 'or' and a negative): "if the instructor can grade the exam or the TA can grade the exam, then the TA cannot grade the homework".
Commands for ACM
Primitive commands: create/delete subjects and objects; enter/delete permissions in acm(s,o).
A command may use more than one primitive command; a command that uses exactly one is a mono-operational command.
Limitation: cannot test for a negative fact.
Further: there are no Owner and Copy commands.
ACM and Protection States
Subjects: processes p, q, etc. Objects: files f, g, etc. Access rights: operations r, w, x, a, o, etc.

     f      g     p      q
p    rwo    r     rwxo   w
q    a      ro    r      rwxo
Protection States
State: variables taking values in a domain. Protection domain: the space defined by an ACM.
Mathematically:
Variables for subjects: X_s ∈ S (the set of all subject names)
Variables for objects: X_o ∈ O (the set of all object names)
Constants for permission names: P
Assignment: ACM: S × O → P(P), where P(P) is the power set of P (the set of all subsets); it maps every (subject, object) pair to a subset of permissions.
Example state:

     f     g    p      q
p    ow    r    rxo    w
q    r     o    r      wx
Safe States
Any subset that is consistent with the ACM. Mathematically:
If myState: S × O → P(P), then ∀x,y: myState(x,y) ⊆ ACM(x,y)

ACM       O1    O2    O3    O4
S1        rwx   rx    rx    x
S2        x

myState   O1    O2    O3    O4
S1        r     rx    rx    x
S2        x
What Does it Mean to be Secure?
Giving a right r to someone who initially does not possess r is called leaking.
If the system begins in some initial safe state and can never leak r, then the system is secure with respect to r.
Subtleties:
Leaking is not necessarily bad; a legitimate transfer of rights can be proper if the owners say so, or by delegation.
But we must be sure that, with all authorized leaking ignored, the system is still secure wrt r.
An abstract system (specification) may be secure while its implementation is not.
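The following added example (not from the slides; all names are constructed) implements the ACM with the primitive commands listed earlier, runs the instructor/TA command as an HRU command with a conjunctive positive condition, and applies the leak and safe-state definitions above to the before/after states.

```python
# Added example (not from the slides): an access control matrix with the HRU
# primitive commands, the slides' instructor/TA state-transition command, and the
# leak / safe-state checks the slides define. Subject and object names are constructed.
from collections import defaultdict


class ACM:
    """A[s,o] holds a set of rights; subjects are also objects (they have columns)."""

    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.A = defaultdict(set)

    # The primitive commands of the slides: create/destroy a subject or object,
    # enter/delete a right r into/from A[s,o].
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        self.objects.add(o)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)

    def destroy_object(self, o):
        self.objects.discard(o)
        for cell in [c for c in self.A if o in c]:   # drop its row and column
            del self.A[cell]

    def enter(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise ValueError(f"no cell A[{s},{o}]")
        self.A[(s, o)].add(r)

    def delete(self, r, s, o):
        self.A[(s, o)].discard(r)

    def has(self, r, s, o):
        return r in self.A.get((s, o), set())

    def snapshot(self):
        """The protection state: every non-empty cell, copied."""
        return {cell: set(rs) for cell, rs in self.A.items() if rs}


def reassign_grading(acm, instructor, ta, exam, hw):
    """The slides' state-transition command: if the instructor can grade the exam
    and the TA can grade the homework, revoke the TA's grading right on the
    homework and grant it on the exam. The condition is a conjunction of positive
    tests, which HRU allows; the body has two primitive operations, so the
    command is not mono-operational."""
    if acm.has("grade", instructor, exam) and acm.has("grade", ta, hw):
        acm.delete("grade", ta, hw)
        acm.enter("grade", ta, exam)
        return True
    return False


def leaked(before, after, r):
    """Cells holding r in `after` that did not hold r in `before` (the slides' leaking)."""
    return sorted(cell for cell, rs in after.items()
                  if r in rs and r not in before.get(cell, set()))


def consistent_with(state, policy):
    """Safe-state test of the slides: for all (x,y), state(x,y) is a subset of policy(x,y)."""
    return all(rs <= policy.get(cell, set()) for cell, rs in state.items())


def demo():
    acm = ACM()
    for s in ("instructor", "ta"):
        acm.create_subject(s)
    for o in ("exam", "hw"):
        acm.create_object(o)
    acm.enter("grade", "instructor", "exam")
    acm.enter("grade", "instructor", "hw")
    acm.enter("grade", "ta", "hw")
    before = acm.snapshot()
    fired = reassign_grading(acm, "instructor", "ta", "exam", "hw")
    after = acm.snapshot()
    # A policy ACM that permits the TA to grade the exam; the initial state does not.
    permissive = {("instructor", "exam"): {"grade"}, ("instructor", "hw"): {"grade"},
                  ("ta", "hw"): {"grade"}, ("ta", "exam"): {"grade"}}
    return (fired, leaked(before, after, "grade"),
            consistent_with(after, permissive), consistent_with(after, before))


if __name__ == "__main__":
    print(demo())   # the command fires, 'grade' is entered into A[ta,exam]
```

The leak report names the one cell that gained the right; whether that leak is acceptable is exactly the point the slides make: against a policy ACM that authorises it the new state is safe, against the initial state alone it is not.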
Safety Question
Is there an algorithm for determining whether any protection system with a given initial state is secure with respect to a generic right r?
In terms of the ACM, the question is: given any ACM, is there a program that halts with the answer to "Is there a sequence of commands that will enter r into some a[s,o] that does not initially have r?"
There are trivial cases where this is obviously true, but how about the general case?
The (Special) Positive Result
Theorem: there is an algorithm that determines whether a given mono-operational protection system with initial state S0 is safe with respect to a generic right.
Proof: suppose the command sequence is [c0, c1, ..., cn]:
1. We can identify [c0, c1, ..., cn] as a sequence of primitive operations.
2. We can assume that for all i, ci ≠ delete, destroy, because delete and destroy do not add rights.
The Positive Result: Proof (cont.)
1. Only create adds new subjects and objects.
2. The others are conditional tests, which can be tested.
3. Suppose we create a new subject (Snew) and a new object (Onew).
4. Need to check that the given sequence of commands did not leak rights.
5. Need to check the pre/post conditions of n(|S0|+1)(|O0|+1) commands.
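An added example (not from the slides) that implements the decision procedure the proof describes for mono-operational systems: each command is a single conditional primitive operation, deletes and destroys are dropped, and the proof's single new subject and object stand in for any number of creates. Because enter commands only add rights and conditions are positive, the reachable rights are the least fixpoint of applying every enabled command under every parameter binding. The sample system (alice owns f1; an owner may grant read to any subject) is constructed.

```python
# Added example (not from the slides): deciding safety for a mono-operational
# system by computing the fixpoint of reachable rights over S0 ∪ {S_NEW} and
# O0 ∪ {O_NEW}, as in the slides' proof. Commands are tuples
#   (name, arity, condition, effect)
#   condition: list of (right, i, j)  meaning  right ∈ A[x_i, x_j]
#   effect:    ("enter", right, i, j) | ("create_subject",) | ("create_object",)
from itertools import product

S_NEW, O_NEW = "s_new", "o_new"     # the proof's Snew and Onew


def mono_operational_safe(subjects, objects, acm, commands, r):
    """Return (safe, leaks): safe iff no command sequence can enter r into a
    cell that did not initially hold r. The loop terminates because the set of
    names is finite and every iteration adds a right or a name."""
    subj = set(subjects)
    names = set(subjects) | set(objects)
    A = {cell: set(rs) for cell, rs in acm.items()}
    initial = {cell: set(rs) for cell, rs in acm.items()}

    def holds(right, x, y):
        return right in A.get((x, y), set())

    changed = True
    while changed:
        changed = False
        for _name, arity, cond, effect in commands:
            for b in product(sorted(names), repeat=arity):
                if not all(holds(rt, b[i], b[j]) for rt, i, j in cond):
                    continue                     # condition fails under this binding
                if effect[0] == "create_subject" and S_NEW not in names:
                    names.add(S_NEW); subj.add(S_NEW); changed = True
                elif effect[0] == "create_object" and O_NEW not in names:
                    names.add(O_NEW); changed = True
                elif effect[0] == "enter":
                    _, right, i, j = effect
                    if b[i] in subj and right not in A.setdefault((b[i], b[j]), set()):
                        A[(b[i], b[j])].add(right)
                        changed = True
    leaks = sorted(cell for cell, rs in A.items()
                   if r in rs and r not in initial.get(cell, set()))
    return (not leaks, leaks)


# Constructed system: alice owns file f1; an owner may grant read to any subject.
SUBJECTS, OBJECTS = {"alice", "bob"}, {"alice", "bob", "f1"}
ACM0 = {("alice", "f1"): {"own"}}
GRANT_READ = ("grant_read", 3, [("own", 0, 1)], ("enter", "r", 2, 1))   # x, o, y
NEW_SUBJECT = ("new_subject", 0, [], ("create_subject",))


def demo():
    return (mono_operational_safe(SUBJECTS, OBJECTS, ACM0, [GRANT_READ], "own"),
            mono_operational_safe(SUBJECTS, OBJECTS, ACM0, [GRANT_READ], "r"),
            mono_operational_safe(SUBJECTS, OBJECTS, ACM0, [GRANT_READ, NEW_SUBJECT], "r"))


if __name__ == "__main__":
    for safe, leaks in demo():
        print("safe" if safe else f"unsafe, leaks into {leaks}")
```

With only grant_read the system is safe for 'own' and unsafe for 'r'; adding an unconditional create shows the role of Snew in the proof, since the newly created subject is a further cell into which 'r' can be entered.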
General Safety Problem is Undecidable
Answer: the safety problem is undecidable.
In terms of the ACM: given any ACM, whether some sequence of commands will enter r into some a[s,o] that does not initially have r is undecidable.
[Figure: the analogy. Input: a file or program, like a Turing machine's initial tape and state. Output: "enter" a right, like reaching a specific state.]
Reducing the Halting Problem to the Safety Problem
If an algorithm can solve the safety problem then it can also solve the halting problem. But the halting problem is known to be undecidable, so such an algorithm cannot exist.
How does the reduction work? Simulate a Turing machine where subject Si owns Si+1, and if cell i contains symbol A, then subject Si has right A over itself. Then let subject Sk correspond to the right-most cell, with the right 'end' over itself.
The Reduction Form
[Figure: three ACM snapshots beside the tape they encode.
(1) Tape A B C D with the head in state k on cell 3: subjects s1..s4; A[s1,s1] = {A}, A[s2,s2] = {B}, A[s3,s3] = {C, k}, A[s4,s4] = {D, end}; own in A[s1,s2], A[s2,s3], A[s3,s4].
(2) After rule (k, C) -> (k1, X, R): tape A B X D; A[s3,s3] = {X}, A[s4,s4] = {D, k1, end}.
(3) After rule (k1, D) -> (k2, Y, R) on the rightmost cell: tape A B X Y b; subject s5 created, own in A[s4,s5], A[s4,s4] = {Y}, A[s5,s5] = {b, k2, end}.]
Commands for Left Motion
(k, C) -> (k1, X, L) corresponds to the command c_{k,C}(s4, s3) (shown here for a generic cell si):
if own ∈ A[si-1, si] and k ∈ A[si, si] and C ∈ A[si, si] then
    delete k from A[si, si];
    delete C from A[si, si];
    enter X into A[si, si];
    enter k1 into A[si-1, si-1];
end
Note: k is the state of the head; C and X are contents of the cell.
Commands for Right Motion
(k, C) -> (k1, X, R) corresponds to the command c_{k,C}(s3, s4):
if own ∈ A[s3, s4] and k ∈ A[s3, s3] and C ∈ A[s3, s3] then
    delete k from A[s3, s3];
    delete C from A[s3, s3];
    enter X into A[s3, s3];
    enter k1 into A[s4, s4];
end
Command for the Rightmost Cell
(k1, D) -> (k2, Y, R) corresponds to the command c_rightmost_{k1,D}(s4, s5):
if end ∈ A[s4, s4] and k1 ∈ A[s4, s4] and D ∈ A[s4, s4] then
    delete end from A[s4, s4];
    create subject s5;
    enter own into A[s4, s5];
    enter end into A[s5, s5];
    delete k1 from A[s4, s4];
    delete D from A[s4, s4];
    enter Y into A[s4, s4];
    enter k2 into A[s5, s5];
end
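The three command schemas above, executed end to end as an added example (not from the slides). The encoding follows the slides: cell i is subject si, the tape symbol and the head state are rights in A[si,si], own links each cell to its right neighbour and end marks the last cell. The Turing machine rules are constructed; the blank written into a newly created cell is the 'b' of the slides' figure, which the command text leaves implicit.

```python
# Added example (not from the slides): the reduction run on a constructed
# three-state Turing machine. Tape symbols, head states, 'own' and 'end' are all
# rights in the ACM, as on the slides.
from collections import defaultdict

BLANK = "b"                    # the blank symbol; the slides' figure writes it as b


def encode(tape, state):
    """ACM for a TM with the head in `state` on cell 1: subject s_i is cell i,
    A[s_i,s_i] holds the cell symbol, own ∈ A[s_i,s_{i+1}], end marks the last cell."""
    acm = defaultdict(set)
    for i, sym in enumerate(tape, start=1):
        acm[(f"s{i}", f"s{i}")].add(sym)
        if i < len(tape):
            acm[(f"s{i}", f"s{i+1}")].add("own")
    acm[("s1", "s1")].add(state)
    acm[(f"s{len(tape)}", f"s{len(tape)}")].add("end")
    return acm


def subjects(acm):
    return sorted({s for cell in acm for s in cell}, key=lambda s: int(s[1:]))


# The three command schemas of the slides. Each returns True iff its condition held.
def c_right(acm, si, sj, k, C, k1, X):        # (k,C) -> (k1,X,R): head at si, sj next cell
    if "own" in acm[(si, sj)] and k in acm[(si, si)] and C in acm[(si, si)]:
        acm[(si, si)] -= {k, C}
        acm[(si, si)].add(X)
        acm[(sj, sj)].add(k1)
        return True
    return False


def c_left(acm, sh, si, k, C, k1, X):         # (k,C) -> (k1,X,L): head at si, sh previous cell
    if "own" in acm[(sh, si)] and k in acm[(si, si)] and C in acm[(si, si)]:
        acm[(si, si)] -= {k, C}
        acm[(si, si)].add(X)
        acm[(sh, sh)].add(k1)
        return True
    return False


def c_rightmost(acm, si, k, C, k1, X):        # (k,C) -> (k1,X,R) with end ∈ A[si,si]
    if "end" in acm[(si, si)] and k in acm[(si, si)] and C in acm[(si, si)]:
        snew = f"s{len(subjects(acm)) + 1}"   # create subject for the new cell
        acm[(si, si)].discard("end")
        acm[(si, snew)].add("own")
        acm[(snew, snew)] |= {"end", BLANK}   # BLANK: the figure's 'b' (my reading)
        acm[(si, si)] -= {k, C}
        acm[(si, si)].add(X)
        acm[(snew, snew)].add(k1)
        return True
    return False


def step(acm, rules):
    """Apply the single applicable command, if any (the slides: at most one)."""
    subs = subjects(acm)
    for (k, C), (k1, X, move) in rules.items():
        for idx, si in enumerate(subs):
            if move == "R":
                if idx + 1 < len(subs) and c_right(acm, si, subs[idx + 1], k, C, k1, X):
                    return True
                if c_rightmost(acm, si, k, C, k1, X):
                    return True
            elif idx > 0 and c_left(acm, subs[idx - 1], si, k, C, k1, X):
                return True
    return False


def decode(acm, symbols):
    """Read the tape back out of the diagonal cells."""
    return ["".join(sorted(acm[(s, s)] & symbols)) for s in subjects(acm)]


def run(rules, tape, state, final, symbols, max_steps=100):
    """Simulate through the ACM until the right `final` appears in some cell (the
    leak the proof looks for) or no command applies. Returns (leaked, tape, steps)."""
    acm = encode(tape, state)
    n = 0
    while n < max_steps:
        if any(final in acm[(s, s)] for s in subjects(acm)):
            return True, decode(acm, symbols), n
        if not step(acm, rules):
            break
        n += 1
    return False, decode(acm, symbols), n


SYMBOLS = {"A", "B", BLANK}
# Constructed TM: rewrite A's as B's moving right, then walk back to cell 1 and
# enter the final state qf there.
RULES = {
    ("q0", "A"): ("q0", "B", "R"),
    ("q0", BLANK): ("q1", BLANK, "L"),
    ("q1", "B"): ("qf", "B", "L"),
}


def demo():
    return run(RULES, ["A", "A"], "q0", "qf", SYMBOLS)


if __name__ == "__main__":
    print(demo())      # (True, ['B', 'B', 'b'], 4): qf leaked after four moves
```

The second move uses the rightmost-cell command (the head runs off the end of the encoded tape and a new subject is created); the machine's entry into qf shows up as the right qf appearing in A[s1,s1], which is precisely the leak the safety question would have to detect.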
Rest of the Proof
This protection system exactly simulates a Turing machine.
The right 'end' in the ACM marks the end of the tape, and exactly one entry holds the current-state right. Thus, at most one command is applicable at any time.
If the TM enters a special state qf, then the right qf has leaked.
If the safety question were decidable, then we could represent the TM as above and determine whether qf leaks. This implies the halting problem is decidable.
Conclusion: safety is undecidable.
Special Cases can be Decidable
If all the commands are mono-operational, the safety problem is decidable. (Each move of the Turing machine above corresponds to multiple primitive commands of the ACM.)
If no command includes create, the safety problem is decidable (PSPACE-complete).
If no command includes destroy or delete and all commands are mono-conditional, then the safety problem is decidable.
Main Point
In its most general form, the safety problem is undecidable, but by limiting scope of systems the safety problem can be decidable
Otherwise we could never build a safe system!
ACMs and ACLs; Capabilities
Real systems have to be fast and not use excessive space
What’s Wrong with an ACM?
If we have 1k ‘users’ and 100k ‘files’, and a user should only read/write his or her own files, the ACM will have 101k columns and 1k rows.
Most of the 101M elements are either empty or identical.
Good for theoretical study but bad for implementation. Remove the empty elements?
Two Ways to Cut a Table (ACM)
Order by columns (ACLs) or by rows (capability lists)?

          file1   file2   file3
A         rx      r       rwx
B         rwxo    r       --
C         rx      rwo     w

Columns -> ACLs; rows -> capabilities.
Access Control Lists
Columns of the access control matrix:

          file1   file2   file3
Andy      rx      r       rwo
Betty     rwxo    r
Charlie   rx      rwo     w

ACLs:
file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) }
file2: { (Andy, r) (Betty, r) (Charlie, rwo) }
file3: { (Andy, rwo) (Charlie, w) }
An ACL stores the (non-empty elements of) each column with its object.
Capability Lists
Rows of the access control matrix:

          file1   file2   file3
Andy      rx      r       rwo
Betty     rwxo    r
Charlie   rx      rwo     w

C-Lists:
Andy: { (file1, rx) (file2, r) (file3, rwo) }
Betty: { (file1, rwxo) (file2, r) }
Charlie: { (file1, rx) (file2, rwo) (file3, w) }
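An added example (not from the slides) that cuts the slides' matrix both ways, answers an access question from each structure, and counts the cells the full matrix of the 1k users / 100k files slide would hold against the non-empty ones. The matrix values are the slides'; the function names and the one-owner-per-file assumption are mine.

```python
# Added example (not from the slides): ACLs and capability lists derived from
# the slides' matrix, plus the storage comparison behind "What's wrong with an ACM?".
ACM = {
    "Andy":    {"file1": "rx",   "file2": "r",   "file3": "rwo"},
    "Betty":   {"file1": "rwxo", "file2": "r"},
    "Charlie": {"file1": "rx",   "file2": "rwo", "file3": "w"},
}


def acls(acm):
    """One list per object: the non-empty cells of its column, stored with the object."""
    out = {}
    for subject, row in acm.items():
        for obj, rights in row.items():
            out.setdefault(obj, []).append((subject, rights))
    return {obj: sorted(entries) for obj, entries in out.items()}


def clists(acm):
    """One list per subject: the non-empty cells of its row, stored with the subject."""
    return {s: sorted(row.items()) for s, row in acm.items()}


def allowed_by_acl(acl, subject, obj, right):
    """Lookup keyed by object: scan the object's ACL for the subject."""
    return any(s == subject and right in rights for s, rights in acl.get(obj, []))


def allowed_by_clist(clist, subject, obj, right):
    """Lookup keyed by subject: scan the subject's capabilities for the object."""
    return any(o == obj and right in rights for o, rights in clist.get(subject, []))


def matrix_vs_sparse(users, files):
    """(cells in the full ACM, non-empty cells) for the slides' scenario: every
    user is also an object, so there are users + files columns; with one owner
    per file (assumption) only one cell per file is non-empty."""
    return (users * (users + files), files)


if __name__ == "__main__":
    print(acls(ACM)["file3"])                 # [('Andy', 'rwo'), ('Charlie', 'w')]
    print(clists(ACM)["Betty"])               # [('file1', 'rwxo'), ('file2', 'r')]
    print(allowed_by_acl(acls(ACM), "Charlie", "file2", "o"))     # True
    print(allowed_by_clist(clists(ACM), "Andy", "file1", "w"))    # False
    print(matrix_vs_sparse(1000, 100000))     # (101000000, 100000)
```

Both structures answer the same question; which one is cheap depends on whether the system asks "who may touch this object?" (ACL, one column) or "what may this subject touch?" (capability list, one row).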