Courtesy of Professors Prashant Krishnamurthy, Chris Clifton & Matt Bishop

Provided by: PrashantKr93
Learn more at: http://www.sis.pitt.edu
1
Sunday, October 17, 2004
  • Introduction to
  • Computer Security
  • Review

2
Mathematical Induction
  • Proof technique used to prove that some mathematical property holds
  • E.g., want to prove that M(n) holds for all natural numbers n
  • Base case: prove that M(1) holds
  • Induction hypothesis: assume that M(n) holds for n = 1 to k
  • Induction step: prove that if M(k) holds then M(k+1) holds
  • Exercise: prove that the sum of the first n natural numbers is
    1 + 2 + … + n = n(n+1)/2

3
Lattice
  • Let S be a set
  • Cartesian product S × S
  • A binary relation R on S is a subset of S × S
  • If (a, b) ∈ R we write aRb
  • Example: R is less than or equal to (≤)
  • If S = {1, 2, 3} then R is {(1, 1), (1, 2), (1, 3), …}
  • (1, 2) ∈ R is another way of writing 1 ≤ 2
  • Properties of relations
  • Reflexive if aRa for all a ∈ S
  • Antisymmetric if aRb and bRa imply a = b for all a, b ∈ S
  • Transitive if aRb and bRc imply aRc for all a, b, c ∈ S
  • Which properties hold for less than or equal to (≤)?

4
Lattice
  • Total ordering: when the relation orders all elements
  • E.g., less than or equal to (≤) on natural numbers
  • Partial ordering (poset): when the relation orders only some elements, not all
  • E.g. less than or equal to (≤) on complex numbers: consider (2 + 4i) and (3 + 2i)
  • Upper bound (u, a, b ∈ S)
  • u is an upper bound of a and b means aRu and bRu
  • Least upper bound lub(a, b): the closest upper bound
  • Lower bound (l, a, b ∈ S)
  • l is a lower bound of a and b means lRa and lRb
  • Greatest lower bound glb(a, b): the closest lower bound

5
Lattice
  • A lattice is the combination of a set of elements S and a relation R meeting the
    following criteria
  • R is reflexive, antisymmetric, and transitive on the elements of S
  • For every s, t ∈ S, there exists a greatest lower bound
  • For every s, t ∈ S, there exists a least upper bound
  • What about S = {1, 2, 3} and R = ≤?
  • What about S = {2 + 4i, 1 + 2i, 3 + 2i, 3 + 4i} and R = ≤?
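
The two "what about" questions on this slide, worked through in Python as an added example (not part of the slides): it checks the three relation properties and whether every pair has both a lub and a glb inside S. It assumes that ≤ on complex numbers means componentwise comparison of real and imaginary parts, which makes 2 + 4i and 3 + 2i incomparable.

```python
from itertools import product

def is_partial_order(S, leq):
    """Reflexive, antisymmetric and transitive (slide 3), checked by brute force."""
    reflexive = all(leq(a, a) for a in S)
    antisym = all(a == b or not (leq(a, b) and leq(b, a)) for a, b in product(S, S))
    trans = all(leq(a, c) or not (leq(a, b) and leq(b, c)) for a, b, c in product(S, S, S))
    return reflexive and antisym and trans

def is_total(S, leq):
    """Total ordering: every pair of elements is comparable."""
    return all(leq(a, b) or leq(b, a) for a, b in product(S, S))

def lub(S, leq, a, b):
    """Least upper bound of a and b within S, or None if S contains none."""
    uppers = [u for u in S if leq(a, u) and leq(b, u)]
    least = [u for u in uppers if all(leq(u, v) for v in uppers)]
    return least[0] if len(least) == 1 else None

def glb(S, leq, a, b):
    """Greatest lower bound of a and b within S, or None if S contains none."""
    lowers = [l for l in S if leq(l, a) and leq(l, b)]
    greatest = [l for l in lowers if all(leq(v, l) for v in lowers)]
    return greatest[0] if len(greatest) == 1 else None

def is_lattice(S, leq):
    """Slide 5: a poset in which every pair has both a lub and a glb in S."""
    return is_partial_order(S, leq) and all(
        lub(S, leq, a, b) is not None and glb(S, leq, a, b) is not None
        for a, b in product(S, S))

def nat_leq(a, b):
    return a <= b

def cplx_leq(a, b):
    """Assumed reading of <= on complex numbers: componentwise on real and imaginary parts."""
    return a.real <= b.real and a.imag <= b.imag

S_NAT = {1, 2, 3}                          # slide 5, first question
S_CPLX = {2 + 4j, 1 + 2j, 3 + 2j, 3 + 4j}  # slide 5, second question

if __name__ == "__main__":
    print(is_total(S_NAT, nat_leq), is_lattice(S_NAT, nat_leq))       # True True
    print(is_total(S_CPLX, cplx_leq), is_lattice(S_CPLX, cplx_leq))   # False True
```

For the four complex numbers the order is partial but still a lattice: 3 + 4i is the lub and 1 + 2i the glb of the incomparable pair, while the two-element set {2 + 4i, 3 + 2i} on its own has no lub and is not a lattice.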

6
Take-Grant Protection Model
  • System is represented as a directed graph
  • Vertices are subjects or objects
  • A labeled edge indicates the rights that the source vertex has on the destination
    vertex
  • Four graph rewriting rules ("de jure", "by law", "by rights")
  • The graph changes as the protection state changes according to:
  • 1. Take rule: if t ∈ γ (x has t over z) and z has β over y, the take rule produces
    another graph with a transitive edge x → y labeled α ⊆ β added.
    Witness: x takes (α to y) from z

7
Take-Grant Protection Model
  • 2. Grant rule: if g ∈ γ (z has g over x) and z has β over y, the grant rule produces
    another graph with a transitive edge x → y labeled α ⊆ β added.
    Witness: z grants (α to y) to x
  • 3. Create rule: x creates (α to new vertex) y adds a new vertex y and an edge
    x → y labeled α
  • 4. Remove rule: x removes (α to) y deletes the rights α from the edge x → y; its
    label β becomes β − α

8
Take-Grant Protection Model: Sharing
  • Given G0, can vertex x obtain α rights over y?
  • Can_share(α, x, y, G0) is true iff
  • G0 ⊢* Gn using the four rules, and
  • there is an α edge from x to y in Gn
  • tg-path: v0, …, vn with a t or g edge between each pair of vertices vi, vi+1
  • Vertices are tg-connected if there is a tg-path between them
  • Theorem: any two subjects with a tg-path of length 1 can share rights

9
Any two subjects with tg-path of length 1 can
share rights
  • Four possible length 1 tg-paths
  • 1. Take rule
  • 2. Grant rule
  • 3. Lemma 3.1
  • 4. Lemma 3.2

[Figure: Can_share(α, x, y, G0) for the four length-1 tg-paths between subjects x and z,
where z holds β ⊇ α over y; the edge between x and z is labeled t, g, t and g in the
four cases]

10
Any two subjects with tg-path of length 1 can
share rights
  • Lemma 3.1
  • Sequence: Create, Take, Grant, Take

[Figure: witness for Lemma 3.1 on vertices x, y, z and a newly created vertex; edges
labeled t, tg, g and α, with z holding β ⊇ α over y]

11
Other definitions
  • Island: maximal tg-connected subject-only subgraph
  • Can_share all rights within an island
  • Proof: induction from the previous theorem
  • Bridge: tg-path between subjects v0 and vn with edges of the following form
  • t→*, t←*
  • t→* g→ t←*
  • t→* g← t←*

[Figure: a bridge from v0 to vn with edges labeled t, g, t]

12
Bridge

[Figure: rights α are carried across the bridge from v0 to vn by Lemma 3.1, then by
grant, then by take]

13
Theorem: Can_share(α, x, y, G0) (for subjects)
  • Subject_can_share(α, x, y, G0) is true iff x and y are subjects and
  • there is an α edge from x to y in G0
  • OR if
  • ∃ a subject s ∈ G0 with an s-to-y α edge, and
  • ∃ islands I1, …, In such that x ∈ I1, s ∈ In, and there is a bridge from Ij to Ij+1

14
What about objects? Initial, terminal spans
  • x initially spans to y if x is a subject and there is a tg-path between them with
    t edges ending in a g edge (i.e., the path's word is t→* g→)
  • x can grant a right to y
  • x terminally spans to y if x is a subject and there is a tg-path between them with
    t edges only (i.e., the path's word is t→*)
  • x can take a right from y

15
Theorem: Can_share(α, x, y, G0)
  • Can_share(α, x, y, G0) iff there is an α edge from x to y in G0 or if
  • ∃ a vertex s ∈ G0 with an s-to-y α edge,
  • ∃ a subject x′ such that x′ = x or x′ initially spans to x,
  • ∃ a subject s′ such that s′ = s or s′ terminally spans to s, and
  • ∃ islands I1, …, In such that x′ ∈ I1, s′ ∈ In, and there is a bridge from Ij
    to Ij+1

[Figure: x′ initially spans to x (x′ can grant a right to x), s′ terminally spans to s
(s′ can take a right from s), s holds α over y, and islands I1, I2, …, In connect x′
to s′]

19
Theorem: Can_share(α, x, y, G0)
  • Corollary: there is an O(|V| + |E|) algorithm to test Can_share: decidable in
    linear time!!
  • Theorem
  • Let G0 contain exactly one vertex and no edges, and
  • R be a set of rights.
  • G0 ⊢* G iff G is a finite directed acyclic graph, with edges labeled from R, and
    at least one subject with no incoming edge.
  • Only if part: v is the initial subject and G0 ⊢* G
  • No rule allows the deletion of a vertex
  • No rule allows an incoming edge to be added to a vertex without any incoming
    edges. Hence, as v has no incoming edges, it cannot be assigned any
20
Theorem: Can_share(α, x, y, G0)
  • If part: G meets the requirement
  • Assume v is the vertex with no incoming edge and apply the rules
  • Perform v creates (α ∪ {g} to) new xi for all 2 ≤ i ≤ n, where α is the union of
    all labels on the incoming edges going into xi in G
  • For all pairs x, y with x having α over y in G, perform v grants (α to y) to x
  • If β is the set of rights x has over y in G, perform v removes (α ∪ {g} − β) to y

21
Example
22
Take-Grant Model: Sharing through a Trusted
Entity
  • Let p and q be two processes
  • Let b be a buffer that they share to communicate
  • Let s be a third party (e.g. the operating system) that controls b
  • Witness
  • s creates ({r, w} to new object) b
  • s grants ({r, w} to b) to p
  • s grants ({r, w} to b) to q

[Figure: s holds g over p and over q; after the witness, s, p and q each hold rw over b]

23
Theft in Take-Grant Model
  • Can_steal(α, x, y, G0) is true if there is no α edge from x to y in G0 and ∃ a
    sequence G1, …, Gn s.t.
  • ∃ an α edge from x to y in Gn,
  • ∃ rules ρ1, …, ρn that take Gi−1 ⊢ρi Gi, and
  • ∀ v, w ∈ Gi, 1 ≤ i < n, if ∃ an α edge from v to y in G0 then ρi is not
    "v grants (α to y) to w"
  • Disallows owners of α rights to y from transferring those rights
  • Does not disallow them from transferring other rights
  • This models a Trojan horse

24
A witness to theft
  • u grants (t to v) to s
  • s takes (t to u) from v
  • s takes (α to w) from u

[Figure: initial graph with edges u –t→ v, v –t→ u, u –g→ s and u –α→ w; after the
witness s holds α over w although u never granted α]

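
The rewriting rules and the two witnesses from the slides (sharing through a trusted entity, and the theft above), as an added Python example that is not part of the slides: each rule checks its own precondition before adding the edge, so an ill-formed witness fails loudly, and the theft witness shows s ending up with a right that its holder u never granted. Vertex names and the right symbol "a" (standing for α) are the slides' own; the class and its method names are assumptions.

```python
from collections import defaultdict

class TGGraph:
    """Protection graph: each edge (src, dst) carries a set of rights, e.g. {"t", "g"}."""
    def __init__(self):
        self.subjects = set()
        self.rights = defaultdict(set)
    def add_subject(self, v): self.subjects.add(v)
    def add_edge(self, src, dst, rights): self.rights[(src, dst)] |= set(rights)
    def has(self, src, dst, rights): return set(rights) <= self.rights[(src, dst)]
    def vertices(self): return self.subjects | {v for e in self.rights for v in e}
    def take(self, x, alpha, y, z):
        """x takes (alpha to y) from z: x subject, x -t-> z, z -beta-> y with alpha ⊆ beta."""
        assert x in self.subjects and self.has(x, z, "t") and self.has(z, y, alpha)
        self.add_edge(x, y, alpha)
    def grant(self, z, alpha, y, x):
        """z grants (alpha to y) to x: z subject, z -g-> x, z -beta-> y with alpha ⊆ beta."""
        assert z in self.subjects and self.has(z, x, "g") and self.has(z, y, alpha)
        self.add_edge(x, y, alpha)
    def create(self, x, alpha, y, subject=False):
        """x creates (alpha to new vertex) y: y must not exist yet."""
        assert x in self.subjects and y not in self.vertices()
        if subject: self.subjects.add(y)
        self.add_edge(x, y, alpha)
    def remove(self, x, alpha, y):
        """x removes (alpha to) y: the label beta of edge x -> y becomes beta - alpha."""
        assert x in self.subjects and self.has(x, y, alpha)
        self.rights[(x, y)] -= set(alpha)

def trusted_entity_witness():
    """Slide 22: s creates buffer b and grants p and q rw over it (s holds g to both)."""
    g = TGGraph()
    for v in "spq": g.add_subject(v)
    g.add_edge("s", "p", "g"); g.add_edge("s", "q", "g")
    g.create("s", "rw", "b")        # s creates ({r, w} to new object) b
    g.grant("s", "rw", "b", "p")    # s grants ({r, w} to b) to p
    g.grant("s", "rw", "b", "q")    # s grants ({r, w} to b) to q
    return g

def theft_witness():
    """Slide 24: s obtains right a over w although u, who holds a, never grants a."""
    g = TGGraph()
    for v in "uvs": g.add_subject(v)
    g.add_edge("u", "v", "t"); g.add_edge("v", "u", "t")
    g.add_edge("u", "s", "g"); g.add_edge("u", "w", "a")
    g.grant("u", "t", "v", "s")     # u grants (t to v) to s
    g.take("s", "t", "u", "v")      # s takes (t to u) from v
    g.take("s", "a", "w", "u")      # s takes (a to w) from u
    return g
```

The assertions in the rule methods are the Can_steal condition made concrete: u's only grant moves t, never a, yet s still ends with an a edge to w.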
25
Conspiracy
  • Theft indicates cooperation: which subjects are actors in a transfer of rights,
    and which are not?
  • Next question is: how many subjects are needed to enable Can_share(α, x, y, G0)?
  • Note that a vertex y
  • can take rights from any vertex to which it terminally spans, and
  • can pass rights to any vertex to which it initially spans
  • Access set A(y) with focus y (y is a subject) is the union of
  • the set of vertices {y},
  • the vertices to which y initially spans, and
  • the vertices to which y terminally spans

26
Conspiracy
  • Deletion set δ(y, y′): all z ∈ A(y) ∩ A(y′) for which
  • y initially spans to z and y′ terminally spans to z,
  • y terminally spans to z and y′ initially spans to z,
  • z = y, or
  • z = y′
  • Conspiracy graph H of G0
  • Represents the paths along which subjects can transfer rights
  • For each subject x in G0, there is a corresponding vertex h(x) in H
  • If δ(y, y′) is not empty, there is an edge from h(y) to h(y′)

27
Example

[Figure: example protection graph with vertices a, b, c, d, e, f, h, i, j, x, y, z and
edges labeled t, g and r]

28
Theorems
  • I(p)
  • contains the vertex h(p) and the set of all vertices h(p′) such that p′ initially
    spans to p
  • T(q)
  • contains the vertex h(q) and the set of all vertices h(q′) such that q′ terminally
    spans to q
  • Theorem 3-13
  • Can_share(α, x, y, G0) iff there is a path from some h(p) in I(x) to some h(q)
    in T(y)
  • Theorem 3-14
  • Let L be the number of vertices on a shortest path between h(p) and h(q) (as in
    Theorem 3-13); then L conspirators are necessary and sufficient to produce a
    witness to Can_share(α, x, y, G0)

29
Schematic Protection Model
  • Key idea is to use the notion of a protection type
  • Label that determines how control rights affect an entity
  • Take-Grant: subject and object are different protection types
  • TS and TO represent the subject type set and the object type set
  • τ(X) is the type of entity X
  • A ticket describes a right
  • Consists of an entity name and a right symbol: X/z
  • Possessor of the ticket X/z has right z over entity X
  • Y has tickets X/r, X/w → Y has tickets X/rw
  • Each entity X has a set dom(X) of tickets Y/z
  • τ(X/rc) = τ(X)/rc is the type of a ticket

30
Schematic Protection Model
  • Inert right vs. control right
  • Inert right doesn't affect the protection state, e.g. read right
  • take right in the Take-Grant model is a control right
  • Copy flag c
  • Every right r has an associated copyable right rc
  • r:c means r or rc
  • Manipulation of rights
  • A link predicate determines if the source and target of a transfer are connected
  • A filter function determines if a transfer is authorized

31
Transferring Rights
  • dom(X): set of tickets that X has
  • Link predicate linki(X, Y)
  • conjunction or disjunction of the following terms:
  • X/z ∈ dom(X), X/z ∈ dom(Y)
  • Y/z ∈ dom(X), Y/z ∈ dom(Y)
  • true
  • Determines if X and Y are connected so that a right can be transferred
  • Examples
  • Take-Grant: link(X, Y) = Y/g ∈ dom(X) ∨ X/t ∈ dom(Y)
  • Broadcast: link(X, Y) = X/b ∈ dom(X)
  • Pull: link(X, Y) = Y/p ∈ dom(Y)
  • Universal: link(X, Y) = true
  • Scheme: a finite set of link predicates is called a scheme

32
Filter Function
  • Filter function
  • Imposes conditions on when tickets can be transferred
  • fi: TS × TS → 2^(T × R) (range is copyable rights)
  • X/rc can be copied from dom(Y) to dom(Z) iff ∃ i s.t. the following are true:
  • X/rc ∈ dom(Y)
  • linki(Y, Z)
  • τ(X)/rc ∈ fi(τ(Y), τ(Z))
  • Examples
  • If fi(τ(Y), τ(Z)) = T × R then any rights are transferable
  • If fi(τ(Y), τ(Z)) = T × RI then only inert rights are transferable
  • If fi(τ(Y), τ(Z)) = ∅ then no tickets are transferable
  • One filter function is defined for each link predicate

33
SPM Example 2
  • Take-Grant Protection Model
  • TS = {subjects}, TO = {objects}
  • RC = {tc, gc}, RI = {rc, wc}
  • Note that all rights can be copied in the T-G model
  • link(p, q) = p/t ∈ dom(q) ∨ q/t ∈ dom(p)
  • f(subject, subject) = {subject, object} × {tc, gc, rc, wc}
  • Note that any rights can be transferred in the T-G model
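
The copy test of the Filter Function slide run over the Take-Grant scheme of the two preceding slides, as an added Python example that is not part of the slides: a ticket moves from dom(Y) to dom(Z) only when it carries the copy flag, Y holds it, some link_i(Y, Z) holds, and the ticket's type is in f_i. The link predicate is the one stated on the Transferring Rights slide (Y/g ∈ dom(X) ∨ X/t ∈ dom(Y)); the empty filter for type pairs involving an object, the entity names p, q, s, f and their tickets, and the class and function names are assumptions.

```python
from typing import Dict, Set, Tuple

Ticket = Tuple[str, str]   # (entity name, right symbol): ("f", "rc") is the ticket f/rc

class SPM:
    """Entities with types tau(X), ticket sets dom(X) and a scheme of (link_i, f_i) pairs."""
    def __init__(self, types: Dict[str, str]):
        self.tau = types
        self.dom: Dict[str, Set[Ticket]] = {e: set() for e in types}
        self.scheme = []

    def holds(self, Y: str, X: str, r: str) -> bool:
        """Y holds X/r:c, i.e. X/r or X/rc (copy flag slide)."""
        return (X, r) in self.dom[Y] or (X, r + "c") in self.dom[Y]

    def can_copy(self, X: str, rc: str, Y: str, Z: str) -> bool:
        """Filter Function slide: X/rc can be copied from dom(Y) to dom(Z) iff for some i
        X/rc in dom(Y), link_i(Y, Z) and tau(X)/rc in f_i(tau(Y), tau(Z))."""
        if not rc.endswith("c") or (X, rc) not in self.dom[Y]:
            return False                 # only tickets carrying the copy flag can move
        return any(link(self, Y, Z) and (self.tau[X], rc) in f(self.tau[Y], self.tau[Z])
                   for link, f in self.scheme)

    def copy(self, X: str, rc: str, Y: str, Z: str) -> bool:
        ok = self.can_copy(X, rc, Y, Z)
        if ok:
            self.dom[Z].add((X, rc))
        return ok

T = ("subject", "object")            # the type set T = TS ∪ TO

def tg_link(m: SPM, Y: str, Z: str) -> bool:
    """Take-Grant link predicate as on the Transferring Rights slide: Z/g ∈ dom(Y) ∨ Y/t ∈ dom(Z)."""
    return m.holds(Y, Z, "g") or m.holds(Z, Y, "t")

def tg_filter(ty: str, tz: str) -> Set[Ticket]:
    """f(subject, subject) = {subject, object} × {tc, gc, rc, wc} (SPM Example 2);
    assumption: the filter is empty when either side is an object."""
    return {(t, r) for t in T for r in ("tc", "gc", "rc", "wc")} if ty == tz == "subject" else set()

def inert_only_filter(ty: str, tz: str) -> Set[Ticket]:
    """T × RI (Filter Function slide): only the inert rights rc, wc may cross a link."""
    return {(t, r) for t in T for r in ("rc", "wc")}

def build(filter_fn=tg_filter) -> SPM:
    """Constructed state: p may grant to q (q/gc ∈ dom(p)); p holds f/rc, f/w and s/tc."""
    m = SPM({"p": "subject", "q": "subject", "s": "subject", "f": "object"})
    m.dom["p"] |= {("q", "gc"), ("f", "rc"), ("f", "w"), ("s", "tc")}
    m.scheme.append((tg_link, filter_fn))
    return m
```

Swapping tg_filter for inert_only_filter leaves the link in place but blocks the control ticket s/tc, which is the difference between the T × R and T × RI examples on the Filter Function slide.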

34
Create Operation
  • Need to handle
  • the type of the created entity, and
  • the tickets added by the creation
  • Relation cancreate(a, b) ⊆ TS × T
  • A subject of type a can create an entity of type b
  • Rule of acyclic creates
  • Limits the membership in cancreate(a, b)
  • If a subject of type a can create a subject of type b, then none of the
    descendants can create a subject of type a

35
Create Operation: Distinct Types
  • create rule cr(a, b) specifies the
  • tickets introduced when a subject of type a creates an entity of type b
  • B object: cr(a, b) ⊆ {b/rc | r ∈ RI}
  • Only inert rights can be created
  • A gets B/rc iff b/rc ∈ cr(a, b)
  • B subject: cr(a, b) has two parts
  • crP(a, b) added to A, crC(a, b) added to B
  • A gets B/rc if b/rc ∈ crP(a, b)
  • B gets A/rc if a/rc ∈ crC(a, b)

36
Examples
  • Owner-based policy
  • Users can create files: cc(user, file) holds
  • Creator can give itself any inert rights: cr(user, file) = {file/rc | r ∈ RI}
  • Take-Grant model
  • A subject can create a subject or an object
  • cc(subject, subject) and cc(subject, object) hold
  • Subject can give itself any rights over the vertices it creates but the subject
    does not give the created subject any rights (although grant can be used later)
  • crC(a, b) = ∅, crP(a, b) = {sub/tc, sub/gc, sub/rc, sub/wc}
  • Hence,
  • cr(sub, sub) = {sub/tc, sub/gc, sub/rc, sub/wc} | ∅
  • cr(sub, obj) = {obj/tc, obj/gc, obj/rc, obj/wc} | ∅

37
Expressing Constraints
  • Entities are classes and methods
  • Class: set of objects that an access constraint constrains
  • Method: set of ways an operation can be invoked
  • Operations
  • Instantiation: s creates an instance of class c: s ⊢ c
  • Invocation: s1 executes object s2: s1 ↦ s2
  • Access constraints
  • deny(s op x) when b
  • when b is true, subject s cannot perform op on (subject or class) x; an empty s
    means all subjects

38
Sample Constraints
  • Downloaded program cannot access the password database file on a UNIX system
  • Program's class and methods for files:
      class File
          public file(String name)
          public String getfilename()
          public char read()
          ...
  • Constraint (empty subject position: applies to all subjects):
      deny( | file.read) when (file.getfilename() == "/etc/passwd")

39
Users and Levels
  Subjects                        Security Level (same as before)          Integrity Level
  Ordinary users                  (SL, {SP})                               (ISL, {IP})
  Application developers          (SL, {SD})                               (ISL, {ID})
  System programmers              (SL, {SSD})                              (ISL, {ID})
  System managers and auditors    (AM, {SP, SD, SSD})                      (ISP, ∅)
  System controllers              (SL, {SP, SD}) and downgrade privilege   (ISP, {IP, ID})
  Repair                          (SL, {SP})                               (ISL, {IP})

40
Objects and Classifications
  Objects                            Security Level     (earlier category)   Integrity Level
  Development code/test data         (SL, {SD})         ({D, T})             (ISL, {ID})
  Production code                    (SL, {SP})         ({PC})               (IO, {IP})
  Production data                    (SL, {SP})         ({PC, PD})           (ISL, {IP})
  Software tools                     (SL, ∅)            ({T})                (IO, {ID})
  System programs                    (SL, ∅)            ∅                    (ISP, {IP, ID})
  System programs in modification    (SL, {SSD})        ({SD, T})            (ISL, {ID})
  System and application logs        (AM, {appropriate})                     (ISL, ∅)
  Repair                             (SL, {SP})                              (ISP, {IP})

41
[Figure: the subjects (System Managers, System Control, Repair, Production Users,
Application programmers, System programmers) and objects (Audit Trail, Production
data, Development Code/Data, System code in Development, Repair Code, Production Code,
Tools, System programs), each labeled with its security and integrity levels from the
two tables above]

42
Additional constraints
  • Production users can execute production code only
  • No individual can be both an application programmer and a production user
  • In contradiction to the *-property, system controllers are allowed to write down.