Download presentation

Presentation is loading. Please wait.

Published byAustin Ramsey Modified over 4 years ago

1
© 2004 Ravi Sandhu www.list.gmu.edu The Schematic Protection Model (SPM) Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu

2
© 2004 Ravi Sandhu www.list.gmu.edu 2 The Access Matrix Model, Lampson 1971 In SPM objects only have columns SPM subjects can be active or passive Subjects and objects are collectively called entities entities objects

3
© 2004 Ravi Sandhu www.list.gmu.edu 3 SPM Protection Scheme 1.A finite set of entity types T partitioned into subject types TS and object types TO. 2.A finite set of right symbols R partitioned into inert rights RI and control rights RC. Ticket types are thereby T X R 3.A finite collection of local link predicates {link i | i = 1... N}. 4.A filter function f i : TS X TS 2 T X R corresponding to each link i. 5.The demand function d: TS 2 T X R. 6.The can-create relation cc TS X T. Equivalently, cc: TS 2 T. 7.A local create-rule for each pair in cc.

4
© 2004 Ravi Sandhu www.list.gmu.edu 4 SPM links, filter functions and copy flag AB link i t(A)t(B) fifi Y/x dom(A) cannot be copied Y/xc dom(A) Y/xc or Y/x can be copied provided - some link i exists - f i authorizes flow of Y/xc or Y/x respectively principle of discretionary propagation or principle of attenuation you can propagate what you have but no more copy flag turns out to be unnecessary and circumventable

5
© 2004 Ravi Sandhu www.list.gmu.edu 5 Examples of link predicates 1.link(X, Y) Y/g dom(X) X/t dom(Y) 2.link(X, Y) X/t dom(Y) 3.link(X, Y) Y/g dom(X) 4.link(X, Y) Y/s dom(X) X/g dom(Y) 5.link(X, Y) X/b dom(X), 6.link(X, Y) Y/p dom(Y), 7.link(X, Y) X/b dom(X) Y/p dom(Y) 8.link(X, Y) true

6
© 2004 Ravi Sandhu www.list.gmu.edu 6 Examples of filter functions 1.f(a,b) = T X R 2.f(a,b) = TO X RI 3.f(a,b) = 4.f(a,b) = T X {r| r R}, i.e. no copy flag

7
© 2004 Ravi Sandhu www.list.gmu.edu 7 SPM demand operation A d(t(A)) certain types of tickets can be obtained simply by demanding them

8
© 2004 Ravi Sandhu www.list.gmu.edu 8 SPM create operation object creation cr(a.parent, b.child) {b.child/x:c | x RI} subject creation cr(a.parent,b.child) = LEFT | RIGHT LEFT {a.parent/x:c, b.child/x:c | x R} RIGHT {a.parent/x:c, b.child/x:c | x R} LEFT goes to parent RIGHT goes to child A A

9
© 2004 Ravi Sandhu www.list.gmu.edu 9 SPM create operation: attenuating loops subject creation of same type as parent cr(a.parent, a.child) = LEFT | RIGHT LEFT {a.parent/x:c, a.child/x:c | x R} RIGHT {a.parent/x:c, a.child/x:c | x R} attenuating loops requires RIGHT LEFT a.child/x:c LEFT a.parent/x:c LEFT A A

10
© 2004 Ravi Sandhu www.list.gmu.edu 10 SPM Scheme I: Basic owner-based policy 1)TS = {user}, TO = {file} 2)RI = {x:c}, RC = 3)link u (X,Y) true 4)f u (user, user) = {file/xc} 5)d(user) = 6)cc(user) = {file} 7)cr(user,file) = {file/xc}

11
© 2004 Ravi Sandhu www.list.gmu.edu 11 SPM Scheme II: Owner-based policy with owner- defined groups (1) TS = {user, group}, TO = {file} (2) RI = {x:c}, RC = {g:c} (3) link u (X, Y) true link g (X, Y) Y/g dom(X) (4) f u (user, user) = {file/xc} f u (user, group) = f u (group, user) = f u (group, group) = f g (user, user) = f g (group, group) = f g (user, group) = {file/xc, user/g} f g (group, user) = {file/x} (5)d(user) = {user/gc} (6) cc(user) = {file, group} cc(group) = (7) cr(user,file) = {file/xc} cr{user,group) = {group/g} |

12
© 2004 Ravi Sandhu www.list.gmu.edu 12 SPM Scheme VI: Basic Take-Grant Model 1.TS = {sub}, TO = {file} 2.RI= {x:c}, RC = {t:c, g:c} 3.link(X, Y) Y/g dom(X) X/t dom(Y) 4.f(sub, sub) = T X R 5.d(sub) = 6.cc(sub) = {file, sub} 7.cr(sub, file) = {file/xc} cr(sub, sub) = {sub.child/tgc} | creation is acyclic with loops but create- rule cr(sub, sub) is not attenuating

13
© 2004 Ravi Sandhu www.list.gmu.edu 13 Creation in Take-Grant subjects in initial state: may or may not have self tgc tickets created subjects without loss of generality will have self tgc tickets (in worst-case) A A A/tgc

14
© 2004 Ravi Sandhu www.list.gmu.edu 14 SPM Scheme VII: Basic Take-Grant Model, acyclic attenuating 1.TS = {isub, csub}, TO = {file} 2.RI= {x:c}, RC = {t:c, g:c} 3.link(X, Y) Y/g dom(X) X/t dom(Y) 4.f(isub, isub) = T X R f(isub, csub) = T X R f(csub, isub) = T X R f(csub, csub) = T X R 5.d(sub) = 6.cc(isub) = {file, csub} cc(csub) = {file, csub} 7.cr(isub, file) = {file/xc} cr(csub, file) = {file/xc} cr(isub, csub) = {csub.child/tgc} | cr(csub, csub) = {csub.child/tgc, csub.parent/tgc} | cr(csub, csub) is attenuating

15
© 2004 Ravi Sandhu www.list.gmu.edu 15 flow function for a given state h flow h : SUB h X SUB h 2 T X R by convention flow h (A,A) = T X R flow h can be computed in O(|T X R|*|SUB h | 3 )

16
© 2004 Ravi Sandhu www.list.gmu.edu 16 flow in take-grant initial state flow 0 (A,B) = T X R flow 0 (B,A) = derived state h flow h (A,B) = T X R flow h (B,A) = T X R A A/t B A A/tgc A/tc A/tgc

17
© 2004 Ravi Sandhu www.list.gmu.edu 17 maximal state a derived state with maximum flow between all subjects in SUB 0 flow * : SUB 0 X SUB 0 2 T X R is flow function in a maximal state because of monotonicity a maximal state is guaranteed to exist typically there will be an infinite number of maximal states

18
© 2004 Ravi Sandhu www.list.gmu.edu 18 no-creates maximal state a derived state without any create operations with maximum flow between all subjects in SUB 0 flow # : SUB 0 X SUB 0 T X R is flow function in a no-creates maximal state no-creates maximal state can be computed in O(N*|T X R|*|SUB 0 | 5 ) where N is number of link predicates

19
© 2004 Ravi Sandhu www.list.gmu.edu 19 maximal state for acyclic attenuating schemes start with initial state perform create operations to get unfolded state compute no-creates maximal state

20
© 2004 Ravi Sandhu www.list.gmu.edu 20 The unfolded state cc(a) = {a,b} cc(b) = {b}

21
© 2004 Ravi Sandhu www.list.gmu.edu 21 Safety is decidable for acyclic attenuating schemes

Similar presentations

OK

© 2004 Ravi Sandhu www.list.gmu.edu The Safety Problem in Access Control HRU Model Ravi Sandhu Laboratory for Information Security Technology George Mason.

© 2004 Ravi Sandhu www.list.gmu.edu The Safety Problem in Access Control HRU Model Ravi Sandhu Laboratory for Information Security Technology George Mason.

© 2018 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Download ppt on indus valley civilization location Ppt on cell the fundamental unit of life Ppt on leverages parker Ppt on viruses and anti viruses software Tcp fast open ppt on mac Ppt on air water and land pollution Ppt on tourism in karnataka Ppt on noise pollution Ppt on methods of data collection Ppt on network topologies and its types