Toward A Mathematical Model of Computer Security

• Gina Duncanson

• Kevin Jonas

• Ben Lange

• John Loff-Peterson

• Ben Neigebauer

Introduction

• Computer security issues are a part of our daily life

• Model a secure computer system

Scope

• Define a secure system

• Use a practical example

• State Unwinding Theorem

Modeling a Computer System

A system M can consist of:

• a set S of STATES, where s0 is an initial state

• a set D of domains

• a set A of actions

• a set O of outputs

And Now...

Practical Example

• Today I will be talking about how one can apply the model of security that is explained in the paper we researched.

Defining M

World Wide Web sites consists of three basic components:– Web Server

– TCP/IP Connection

– Web Browser Client

Defining S

• Web Servers always have a finite state. Generally a server travels through a cycle of states.

• s0 is wait mode on a web server.

Defining D

• A domain is a defined section of a system. All the actions of a system occur within specified domains.

• This means that we can talk about actions as they relate to a client or web server’s computer.

Defining A

• An action is similar to a verb. Two example actions include:– A Client Inserting a

URL

– A Server Processing one Code Statement

Defining O

• Outputs are the immediate result of an action. When looking at a web site an output is:– A web server sending

back a confirmation message that it exists.

– The result of one code statement.

Putting it all together

• In order for all of these events to fit together, there are several dependencies between S, D, A, & O.

Modeling a Computer System

A system M can consist of:

• function step: S A S, where

step(sn , a) denotes the next state of the system after applying action a

Modeling a Computer System

A system M can consist of:

• function output: S A O, where

output(s,a) denotes the result returned by

the action a

• Example: “write” command to file

Modeling a Computer System

A system M can consist of:

• function run: S A* S

• Example:run(s,) = s, where is an empty sequence of actions

Terminology

STATES: use the letters s,t

ACTIONS:use the letters a,b

SEQUENCES OF ACTIONS: use Greek letters ,DOMAIN:

use the letters u,v,w

Communication

Two domains u,v communicate if there is an information flow channel between them.

Definition

• Security Policy:

A set of rules defining what domains can communicate.

Specified by a reflexive relation:

on a domain D

Definition

• Security:

A system is secure if the given security policy of the system completely defines all possible communication channels.

Security

• 2 ASSUMPTIONS:– set of security domains {u,v}– policy that restricts allowable flow of

information among the domains above

And Now...

Noninterference

• The idea of noninterference is really rather simple: a security domain u is non-interfering with domain v if no action performed by u can influence subsequent outputs seen by v.

Intransitive Noninterference

• Let u not see v but u see x and x see v where u,v, and x are domains. This is an example of intransitive noninterference.

• In short, intransitive noninterference means there is no direct communication between u and v.

Intransitive Noninterference

And Now...

Definition ~ purge

purge v( , )purge a v( , )

if dom(a) interferes with v

otherwise

),( vpurge purge v( , )

purge a v a purge v( , ) ( , )

purge a v purge v( , ) ( , )

Security

• Security is identified by:

output run s a

output run s purge dom a a

( ( , ), )

( ( , ( , ( ))), )0

0

Restating the Expressions

)),,(( 0 asrunoutput

SAdo *:

OAAtest *:

),()( 0 srundo

)),((),( adooutputatest

Security

• Security is now identified by:

))),(,((),( aadompurgetestatest

View-Partitioned

• View -Partitioned

• Equivalence Relation

• Output Consistent

And Now...

Test and Do

Test and do are abbreviations of frequently used expressions

Then we say that a system is secure for policy

),()( 0 srundo

)),((),( adooutputatest

))),(,((),( aadompurgetestatest

Output Consistency

A system M is view-partitioned if, for each domain,

there is an equivalence relation on S

These equivalence relations are said to be output

consistent if

Du u

~

),(),(~)(

atoutputasoutputtsadom

The output after executing action a is the for the states s and t, so s and t are equivalent views

Views

For an output consistent system, securityis achieved if “views" are unaffected.Let be a policy and M a view partitioned, output consistent system such that,

This means that if you perform sequence it is equivalent to executing the purged version

Then M is secure for

)),((~)( upurgedodou

Views

Proof:

Setting u = dom(a) in the statement of the lemma gives

and now substituting the u=dom(a) in for s and t, output consistency provides

)))(,((~)()(

adompurgedodoadom

)))),(,((()),(( aadompurgedooutputadooutput

Views

But this is simply

Which is the definition of security for

Listed before

))),(,((),( aadompurgetestatest

Unwinding Theorem

Why is the unwinding theorem important?

• It provides a basis for practical methods for verifying systems that enforce noninterference policies

• Serves to relate noninterference policies to access control mechanisms.

Unwinding Theorem

What is the Unwinding Theorem?

It is hard to work with sequences of actions. The unwinding theorem states that if the security policy holds for each action, then it holds for the sequence.

Unwinding Theorem

More Formally

Let be a policy and M a view partitioned system that is:

• output consistent

• step consistent

• locally respects

Then M is secure for

Questions

Any Questions??

References

• “Noninterference, Transitivity, and Channel-Control Security Policies” by John Rushby

• “Problems in Computer Security” by Auerbach, Kerbel, Megraw, Osburn, Shetty with mentor John Hoffman

Thank You

• Dr. Steve Decklemen