Introduction to Computer Security Review


Introduction to Computer Security Review Sunday, October 17, 2004 Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security

Mathematical Induction
Proof technique used to prove that some mathematical property M(n) holds for all natural numbers n:
- Base case: prove that M(1) holds.
- Induction hypothesis: assume that M(n) holds for n = 1 to k.
- Induction step: prove that if the hypothesis holds then M(k+1) holds.
Exercise: prove that the sum of the first n natural numbers is 1 + … + n = n(n + 1)/2.
IS 2935 / TEL 2810: Introduction to Computer Security
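The exercise carried through, as an added worked proof that is not on the original slide:

Base case: for $n = 1$ the sum is $1 = 1 \cdot 2 / 2$, so $M(1)$ holds. Induction hypothesis: $1 + \dots + k = k(k+1)/2$. Induction step:
$$1 + \dots + k + (k+1) = \frac{k(k+1)}{2} + (k+1) = \frac{(k+1)(k+2)}{2},$$
which is exactly $M(k+1)$. Hence $M(n)$ holds for all natural numbers $n$.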

Lattice
Let S be a set. The Cartesian product S × S is the set of all ordered pairs (a, b) with a, b ∈ S. A binary relation R on S is a subset of S × S; if (a, b) ∈ R we write aRb.
Example: R is "less than or equal to" (≤). If S = {1, 2, 3} then R is {(1, 1), (1, 2), (1, 3), …} (complete the set as an exercise); (1, 2) ∈ R is another way of writing 1 ≤ 2.
Properties of relations:
- Reflexive: aRa for all a ∈ S
- Antisymmetric: aRb and bRa imply a = b, for all a, b ∈ S
- Transitive: aRb and bRc imply aRc, for all a, b, c ∈ S
Which of these properties hold for ≤?

Lattice
- Total ordering: the relation orders every pair of elements. E.g., ≤ on the natural numbers.
- Partial ordering (poset): the relation orders only some pairs, not all. E.g., componentwise ≤ on complex numbers (a + bi ≤ c + di iff a ≤ c and b ≤ d): consider 2 + 4i and 3 + 2i, which are incomparable under this order.
- Upper bound (u, a, b ∈ S): u is an upper bound of a and b if aRu and bRu.
- Least upper bound lub(a, b): the upper bound that is R-below every other upper bound (the "closest" one).
- Lower bound (l, a, b ∈ S): l is a lower bound of a and b if lRa and lRb.
- Greatest lower bound glb(a, b): the lower bound that is R-above every other lower bound.

Lattice
A lattice is a set S together with a relation R meeting the following criteria:
- R is reflexive, antisymmetric and transitive on the elements of S (a partial order),
- for every s, t ∈ S there exists a greatest lower bound glb(s, t), and
- for every s, t ∈ S there exists a least upper bound lub(s, t).
What about S = {1, 2, 3} and R = ≤?
What about S = {2 + 4i, 1 + 2i, 3 + 2i, 3 + 4i} and R = componentwise ≤?
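The two questions on the slide, answered by brute force. This is an added example and not part of the original slides: it checks the three order axioms on a finite relation, computes lub and glb by searching the bound sets, and applies that to both sets from the slide plus a constructed four-element poset that is not a lattice (its two maximal elements are incomparable, so one pair has no least upper bound).

```python
"""Finite posets and lattices: check the order axioms, compute lub/glb by search."""


def relation(S, pred):
    """Build R = {(a, b) in S x S : pred(a, b)} as a set of pairs."""
    return {(a, b) for a in S for b in S if pred(a, b)}


def is_partial_order(S, R):
    """Reflexive, antisymmetric and transitive on S."""
    reflexive = all((a, a) in R for a in S)
    antisymmetric = all(a == b for (a, b) in R if (b, a) in R)
    transitive = all((a, c) in R for (a, b) in R for (b2, c) in R if b == b2)
    return reflexive and antisymmetric and transitive


def upper_bounds(S, R, a, b):
    return {u for u in S if (a, u) in R and (b, u) in R}


def lower_bounds(S, R, a, b):
    return {l for l in S if (l, a) in R and (l, b) in R}


def lub(S, R, a, b):
    """Least upper bound: the upper bound R-below every other one, or None."""
    ub = upper_bounds(S, R, a, b)
    for u in ub:
        if all((u, v) in R for v in ub):
            return u
    return None


def glb(S, R, a, b):
    """Greatest lower bound: the lower bound R-above every other one, or None."""
    lb = lower_bounds(S, R, a, b)
    for l in lb:
        if all((m, l) in R for m in lb):
            return l
    return None


def is_lattice(S, R):
    """A lattice is a poset in which every pair has both a lub and a glb."""
    return is_partial_order(S, R) and all(
        lub(S, R, a, b) is not None and glb(S, R, a, b) is not None
        for a in S for b in S)


# First question on the slide: {1, 2, 3} under <= (a total order).
NATS = {1, 2, 3}
LEQ = relation(NATS, lambda a, b: a <= b)


# Second question: the four complex numbers under componentwise <=.
def cleq(a, b):
    return a.real <= b.real and a.imag <= b.imag


CPLX = {2 + 4j, 1 + 2j, 3 + 2j, 3 + 4j}
CLEQ = relation(CPLX, cleq)

# A constructed poset that is NOT a lattice: a and b both sit below c and d,
# but c and d are incomparable, so {a, b} has two minimal upper bounds.
FOUR = {"a", "b", "c", "d"}
NO_LUB = {(v, v) for v in FOUR} | {("a", "c"), ("a", "d"), ("b", "c"), ("b", "d")}

if __name__ == "__main__":
    print("{1,2,3}, <= is a lattice:", is_lattice(NATS, LEQ))
    print("2+4i, 3+2i comparable:", (2 + 4j, 3 + 2j) in CLEQ or (3 + 2j, 2 + 4j) in CLEQ)
    print("lub:", lub(CPLX, CLEQ, 2 + 4j, 3 + 2j), "glb:", glb(CPLX, CLEQ, 2 + 4j, 3 + 2j))
    print("complex set is a lattice:", is_lattice(CPLX, CLEQ))
    print("a,b < c,d is a lattice:", is_lattice(FOUR, NO_LUB))
```

Both sets from the slide are lattices: {1, 2, 3} trivially, and the four complex numbers because 1 + 2i lies below everything and 3 + 4i above everything, so the incomparable pair 2 + 4i, 3 + 2i still has glb 1 + 2i and lub 3 + 4i.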

Take-Grant Protection Model
The system is represented as a directed graph. Subjects are drawn as filled vertices and objects as hollow vertices; a labelled edge gives the rights the source vertex has over the destination vertex.
Four graph rewriting rules ("de jure": by law, by rights) describe how the graph changes as the protection state changes:
1. Take rule: if x is a subject with an edge labelled γ to z, t ∈ γ, and z has an edge labelled β to y, the take rule produces another graph with an edge labelled α ⊆ β from x to y added. Written: x takes (α to y) from z.

Take-Grant Protection Model
2. Grant rule: if z is a subject with an edge labelled γ to x, g ∈ γ, and z has an edge labelled β to y, the grant rule produces another graph with an edge labelled α ⊆ β from x to y added. Written: z grants (α to y) to x.
3. Create rule: a subject x adds a new vertex y and an edge labelled α from x to y. Written: x creates (α to new vertex) y.
4. Remove rule: if x is a subject with an edge labelled β to y, the remove rule replaces that label with β − α (deleting the edge if nothing is left). Written: x removes (α to) y.

Take-Grant Protection Model: Sharing
Given G0, can vertex x obtain α rights over y?
Can_share(α, x, y, G0) is true iff G0 ├* Gn using the four rules, and there is an α edge from x to y in Gn.
- tg-path: v0, …, vn with a t or g edge (in either direction) between each pair of consecutive vertices vi, vi+1.
- Vertices are tg-connected if there is a tg-path between them.
Theorem: any two subjects with a tg-path of length 1 can share rights.

Any two subjects with a tg-path of length 1 can share rights
Can_share(α, x, y, G0), where x and z are subjects, z has an edge labelled β ⊇ α to y, and the tg-path between x and z has length 1. The four possible length-1 tg-paths:
1. x –t→ z: take rule (x takes (α to y) from z)
2. z –g→ x: grant rule (z grants (α to y) to x)
3. x –g→ z: Lemma 3.1
4. z –t→ x: Lemma 3.2

Any two subjects with a tg-path of length 1 can share rights
Lemma 3.1 (x –g→ z, z has β ⊇ α to y). Sequence: create, grant, grant, take:
- x creates (tg to new vertex) v
- x grants (g to v) to z
- z grants (α to y) to v
- x takes (α to y) from v

Other definitions
- Island: a maximal tg-connected subject-only subgraph. All rights can be shared within an island (proof: induction from the previous theorem).
- Bridge: a tg-path between subjects v0 and vn whose edges have one of the following forms (the arrow gives the edge direction; * means zero or more):
  t→*, t←*, t→* g→ t←*, t→* g← t←*
Example (figure not reproduced): v0 –t→ … –g→ … ←t– vn

Bridge
Example bridge (figure not reproduced): along a bridge of the form t→* g→ t←* between v0 and vn, α is moved across the three segments by Lemma 3.1, by the grant rule and by the take rule respectively.

Theorem: Can_share(α, x, y, G0) (for subjects)
Subject_can_share(α, x, y, G0) is true iff x and y are subjects and there is an α edge from x to y in G0, OR if:
- there is a subject s ∈ G0 with an s-to-y α edge, and
- there are islands I1, …, In such that x ∈ I1, s ∈ In, and there is a bridge from Ij to Ij+1 (1 ≤ j < n).

What about objects? Initial and terminal spans
- x initially spans to y if x is a subject and there is a tg-path between them made of t edges ending in a g edge (i.e., the path is associated with the word t→* g→): x can grant a right to y.
- x terminally spans to y if x is a subject and there is a tg-path between them made of t edges only (the word t→*): x can take a right from y.

Theorem: Can_share(α, x, y, G0)
Can_share(α, x, y, G0) is true iff there is an α edge from x to y in G0, or if:
- there is a vertex s ∈ G0 with an s-to-y α edge,
- there is a subject x' such that x' = x or x' initially spans to x (x' can grant a right to x),
- there is a subject s' such that s' = s or s' terminally spans to s (s' can take a right from s), and
- there are islands I1, …, In such that x' ∈ I1, s' ∈ In, and there is a bridge from Ij to Ij+1.

Theorem: Can_share(α, x, y, G0)
Corollary: there is an O(|V| + |E|) algorithm to test Can_share, so it is decidable in linear time.
Theorem: let G0 contain exactly one vertex and no edges, and let R be a set of rights. G0 ├* G iff G is a finite directed acyclic graph with edges labelled from R and at least one subject with no incoming edge.
Only-if part: let v be the initial subject and G0 ├* G. No rule allows the deletion of a vertex, and no rule allows an incoming edge to be added to a vertex that has no incoming edges. Hence v, which starts with no incoming edges, can never be given one.

Theorem: Can_share(α, x, y, G0)
If part: G meets the requirements. Let v be the vertex with no incoming edge and apply the rules:
- For all 2 ≤ i ≤ n perform "v creates (α ∪ {g} to) new xi", where α is the union of all labels on the incoming edges of xi in G.
- For all pairs x, y with x having α over y in G, perform "v grants (α to y) to x".
- Finally, if β is the set of rights v has over y in G, perform "v removes ((α ∪ {g}) − β to) y" so that v keeps only the rights it holds in G.

Example (figure not reproduced)

Take-Grant Model: Sharing through a Trusted Entity
Let p and q be two processes, b a buffer they share to communicate, and s a third party (e.g., the operating system) that controls b. s holds g rights over both p and q (figure not reproduced).
Witness:
- s creates ({r, w} to new object) b
- s grants ({r, w} to b) to p
- s grants ({r, w} to b) to q

Theft in the Take-Grant Model
Can_steal(α, x, y, G0) is true if there is no α edge from x to y in G0 and there is a sequence G1, …, Gn such that:
- there is an α edge from x to y in Gn,
- there are rules ρ1, …, ρn with Gi−1 ├ρi Gi, and
- for all vertices v, w ∈ Gi, 1 ≤ i < n: if there is an α edge from v to y in G0 then ρi is not "v grants (α to y) to w".
This disallows owners of α rights to y from transferring those rights, but does not stop them from transferring other rights. It models a Trojan horse.

A witness to theft
Initial graph: u has g rights over s, u has t rights over v, v has t rights over u, and u has α rights over w.
- u grants (t to v) to s
- s takes (t to u) from v
- s takes (α to w) from u
u never grants α to w, yet s ends with α rights over w.
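The four rewriting rules, the shared-buffer witness and the theft witness from the slides above, executed. This is an added example and not code from the original slides: it encodes a protection graph, makes each rule check its own precondition, replays a witness step by step, and enforces the Can_steal side condition (an owner of α to y may never perform "v grants (α to y) to w"). The concrete right used for α in the theft witness ({r}) and the labels rw on the Lemma 3.1 edge are choices made here, not given on the slides.

```python
from collections import defaultdict


class TakeGrantGraph:
    """Protection graph: subjects, objects and right-labelled edges, with the
    four de jure rewriting rules as methods that check their preconditions."""

    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.edges = defaultdict(set)  # (src, dst) -> set of right symbols

    def add_edge(self, src, dst, rights):
        self.edges[(src, dst)] |= set(rights)

    def has(self, src, dst, rights):
        return set(rights) <= self.edges[(src, dst)]

    def _subject(self, v):
        if v not in self.subjects:
            raise PermissionError(f"{v} is not a subject")

    def take(self, x, alpha, y, z):
        """x takes (alpha to y) from z: needs x -t-> z and z -beta-> y, alpha <= beta."""
        self._subject(x)
        if not (self.has(x, z, "t") and self.has(z, y, alpha)):
            raise PermissionError(f"{x} cannot take {set(alpha)} to {y} from {z}")
        self.add_edge(x, y, alpha)

    def grant(self, z, alpha, y, x):
        """z grants (alpha to y) to x: needs z -g-> x and z -beta-> y, alpha <= beta."""
        self._subject(z)
        if not (self.has(z, x, "g") and self.has(z, y, alpha)):
            raise PermissionError(f"{z} cannot grant {set(alpha)} to {y} to {x}")
        self.add_edge(x, y, alpha)

    def create(self, x, alpha, y, subject=True):
        """x creates (alpha to new vertex) y."""
        self._subject(x)
        if y in self.subjects | self.objects:
            raise ValueError(f"{y} already exists")
        (self.subjects if subject else self.objects).add(y)
        self.add_edge(x, y, alpha)

    def remove(self, x, alpha, y):
        """x removes (alpha to) y: the label on x -> y becomes beta - alpha."""
        self._subject(x)
        self.edges[(x, y)] -= set(alpha)


def replay(g, steps, alpha=None, y=None):
    """Apply a witness given as (rule, *args) tuples. When alpha and y are set,
    also enforce the Can_steal side condition: a vertex holding alpha to y in
    G0 must never perform 'v grants (alpha to y) to w'."""
    owners = set() if alpha is None else {
        s for (s, d), r in list(g.edges.items()) if d == y and set(alpha) <= r}
    for rule, *args in steps:
        if rule == "grant" and args[0] in owners and args[2] == y and set(alpha) <= set(args[1]):
            raise PermissionError(f"{args[0]} may not grant {alpha} to {y}: not a theft")
        getattr(g, rule)(*args)
    return g


def lemma_3_1_witness():
    """x -g-> z and z -rw-> y: x obtains rw to y by create, grant, grant, take."""
    g = TakeGrantGraph()
    g.subjects |= {"x", "z"}
    g.objects.add("y")
    g.add_edge("x", "z", "g")
    g.add_edge("z", "y", "rw")
    return replay(g, [("create", "x", "tg", "v"), ("grant", "x", "g", "v", "z"),
                      ("grant", "z", "rw", "y", "v"), ("take", "x", "rw", "y", "v")])


def shared_buffer_witness():
    """Trusted s (g rights over p and q) creates buffer b and hands both rw to it."""
    g = TakeGrantGraph()
    g.subjects |= {"s", "p", "q"}
    g.add_edge("s", "p", "g")
    g.add_edge("s", "q", "g")
    return replay(g, [("create", "s", "rw", "b", False),
                      ("grant", "s", "rw", "b", "p"), ("grant", "s", "rw", "b", "q")])


def theft_g0():
    """G0 of the theft witness: u -g-> s, u -t-> v, v -t-> u, u -r-> w (alpha = {r})."""
    g = TakeGrantGraph()
    g.subjects |= {"s", "u", "v"}
    g.objects.add("w")
    for src, dst, r in [("u", "s", "g"), ("u", "v", "t"), ("v", "u", "t"), ("u", "w", "r")]:
        g.add_edge(src, dst, r)
    return g


def theft_witness():
    """u grants only t (never r to w), yet s ends up with r over w."""
    return replay(theft_g0(), [("grant", "u", "t", "v", "s"), ("take", "s", "t", "u", "v"),
                               ("take", "s", "r", "w", "u")], alpha="r", y="w")


def direct_grant_is_rejected():
    """Same G0, but u hands r-to-w over itself: that is sharing, not theft."""
    try:
        replay(theft_g0(), [("grant", "u", "r", "w", "s")], alpha="r", y="w")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("Lemma 3.1 gives x rw to y:", lemma_3_1_witness().has("x", "y", "rw"))
    print("p and q share b:", shared_buffer_witness().has("q", "b", "rw"))
    print("s stole r to w:", theft_witness().has("s", "w", "r"))
```

Each rule raises rather than silently creating an edge when its precondition fails, so a wrong witness is caught at the offending step; the Trojan-horse flavour of theft is visible in `theft_witness`, where the owner u only ever hands out t and the α edge still appears at s.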

Conspiracy
Theft indicates cooperation: which subjects are actors in a transfer of rights, and which are not? The next question is how many subjects are needed to enable Can_share(α, x, y, G0).
Note that a subject y can take rights from any vertex to which it terminally spans, and can pass rights to any vertex to which it initially spans.
The access set A(y) with focus y (y a subject) is the union of y, the vertices to which y initially spans, and the vertices to which y terminally spans.

Conspiracy
Deletion set δ(y, y'): all z ∈ A(y) ∩ A(y') for which one of the following holds:
- y initially spans to z and y' terminally spans to z
- y terminally spans to z and y' initially spans to z
- z = y
- z = y'
Conspiracy graph H of G0: represents the paths along which subjects can transfer rights. For each subject x in G0 there is a corresponding vertex h(x) in H, and if δ(y, y') is not empty there is an edge from h(y) to h(y').

Example (figure not reproduced): a protection graph and its conspiracy graph.

Theorems
- I(p) contains the vertex h(p) and the set of all vertices h(p') such that p' initially spans to p.
- T(q) contains the vertex h(q) and the set of all vertices h(q') such that q' terminally spans to q.
Theorem 3-13: Can_share(α, x, y, G0) iff there is a path from some h(p) in I(x) to some h(q) in T(y).
Theorem 3-14: let L be the number of vertices on a shortest path between h(p) and h(q) (as in Theorem 3-13); then L conspirators are necessary and sufficient to produce a witness to Can_share(α, x, y, G0).

Schematic Protection Model
Key idea: the notion of a protection type, a label that determines how control rights affect an entity. In Take-Grant, subject and object are different protection types.
- TS and TO are the subject type set and the object type set; τ(X) is the type of entity X.
- A ticket describes a right. It consists of an entity name and a right symbol: X/z. The possessor of the ticket X/r has right r over entity X. If Y has tickets X/r and X/w we say Y has tickets X/rw.
- Each entity X has a set dom(X) of tickets Y/z.
- τ(X/r:c) = τ(X)/r:c is the type of a ticket.

Schematic Protection Model
- Inert right vs. control right: an inert right does not affect the protection state (e.g., read); the take right in the Take-Grant model is a control right.
- Copy flag c: every right r has an associated copyable right rc; r:c means r or rc.
Manipulation of rights:
- A link predicate determines whether the source and target of a transfer are "connected".
- A filter function determines whether a transfer is authorized.

Transferring Rights
dom(X): the set of tickets that X has.
Link predicate link_i(X, Y): a conjunction or disjunction of terms of the forms X/z ∈ dom(X), X/z ∈ dom(Y), Y/z ∈ dom(X), Y/z ∈ dom(Y), and true. It determines whether X and Y are "connected" so that a right can be transferred.
Examples:
- Take-Grant: link(X, Y) = Y/g ∈ dom(X) ∨ X/t ∈ dom(Y)
- Broadcast: link(X, Y) = X/b ∈ dom(X)
- Pull: link(X, Y) = Y/p ∈ dom(Y)
- Universal: link(X, Y) = true
Scheme: a finite set of link predicates is called a scheme.

Filter Function
A filter function imposes conditions on when tickets can be transferred: f_i: TS × TS → 2^(T × R), so its range is sets of copyable ticket types.
X/r:c can be copied from dom(Y) to dom(Z) iff there is an i such that all of the following are true:
- X/rc ∈ dom(Y)
- link_i(Y, Z)
- τ(X)/r:c ∈ f_i(τ(Y), τ(Z))
Examples:
- If f_i(τ(Y), τ(Z)) = T × R then any rights are transferable.
- If f_i(τ(Y), τ(Z)) = T × RI then only inert rights are transferable.
- If f_i(τ(Y), τ(Z)) = ∅ then no tickets are transferable.
One filter function is defined for each link predicate.

SPM Example: Take-Grant Protection Model
- TS = { subject }, TO = { object }
- RC = { tc, gc }, RI = { rc, wc }: all rights can be copied in the Take-Grant model.
- link(p, q) = p/t ∈ dom(q) ∨ q/g ∈ dom(p)
- f(subject, subject) = { subject, object } × { tc, gc, rc, wc }: any right can be transferred between subjects in the Take-Grant model.

Create Operation
The create operation must handle the type of the created entity and the tickets added by the creation.
- Relation can•create(a, b) ⊆ TS × T: a subject of type a can create an entity of type b.
- Rule of acyclic creates: limits membership in can•create(a, b). If a subject of type a can create a subject of type b, then none of b's descendants can create a subject of type a.

Create operation: distinct types
The create rule cr(a, b) specifies the tickets introduced when a subject A of type a creates an entity B of type b.
- B an object: cr(a, b) ⊆ { b/r:c | r:c ∈ RI }, so only inert rights can be created. A gets B/r:c iff b/r:c ∈ cr(a, b).
- B a subject: cr(a, b) has two parts, crP(a, b) added to A and crC(a, b) added to B. A gets B/r:c if b/r:c ∈ crP(a, b); B gets A/r:c if a/r:c ∈ crC(a, b).

Examples
Owner-based policy:
- Users can create files: cc(user, file) holds.
- The creator can give itself any inert rights: cr(user, file) = { file/r:c | r ∈ RI }.
Take-Grant model:
- A subject can create a subject or an object: cc(subject, subject) and cc(subject, object) hold.
- The subject can give itself any rights over the vertices it creates, but does not give the created subject any rights (grant can be used later): crC(a, b) = ∅ and crP(a, b) = { sub/tc, sub/gc, sub/rc, sub/wc }.
- Hence cr(sub, sub) = { sub/tc, sub/gc, sub/rc, sub/wc } | ∅ and cr(sub, obj) = { obj/tc, obj/gc, obj/rc, obj/wc } | ∅.
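The SPM machinery from the last five slides (tickets and dom, link predicate, filter function, can•create, create rules and the rule of acyclic creates) in executable form, using the Take-Grant scheme and the owner-based policy as the two schemes. This is an added example, not code from the slides or from Sandhu's SPM papers; the entity names s, p, o, u, f and the encoding of a ticket X/r:c as a (name, right, copy-flag) triple are choices made here.

```python
from collections import defaultdict
from dataclasses import dataclass, field

R_INERT = {"r", "w"}      # RI
R_CONTROL = {"t", "g"}    # RC
RIGHTS = R_INERT | R_CONTROL


@dataclass
class Entity:
    """Entity X with protection type tau(X) and ticket set dom(X).
    A ticket X/r:c is the triple (entity name, right, copy flag)."""
    name: str
    type: str
    dom: set = field(default_factory=set)

    def holds(self, name, right):
        return any(n == name and r == right for n, r, _ in self.dom)


# Take-Grant as an SPM scheme: one link predicate with its filter function.
def link_tg(Y, Z):
    """Y/t in dom(Z) (Z can take from Y) or Z/g in dom(Y) (Y can grant to Z)."""
    return Z.holds(Y.name, "t") or Y.holds(Z.name, "g")


def filter_tg(ty, tz):
    """f(subject, subject) = {subject, object} x {tc, gc, rc, wc}; otherwise empty."""
    if ty == "subject" and tz == "subject":
        return {(t, r, True) for t in ("subject", "object") for r in RIGHTS}
    return set()


SCHEME_TG = [(link_tg, filter_tg)]


def can_copy(X, right, copy, Y, Z, scheme):
    """X/right:copy may go from dom(Y) to dom(Z) iff Y holds X/rc and, for some
    i, link_i(Y, Z) holds and tau(X)/right:c is in f_i(tau(Y), tau(Z))."""
    if (X.name, right, True) not in Y.dom:
        return False
    return any(link(Y, Z) and (X.type, right, True) in flt(Y.type, Z.type)
               for link, flt in scheme)


def copy_ticket(X, right, copy, Y, Z, scheme):
    if not can_copy(X, right, copy, Y, Z, scheme):
        raise PermissionError(f"{Y.name} may not copy {X.name}/{right} to {Z.name}")
    Z.dom.add((X.name, right, copy))


def acyclic_creates(can_create):
    """Rule of acyclic creates: no cycle through distinct types in the create
    graph (a type creating its own type, as in Take-Grant, is allowed)."""
    succ = defaultdict(set)
    for a, b in can_create:
        if a != b:
            succ[a].add(b)

    def reaches(start, goal, seen=()):
        return any(n == goal or (n not in seen and reaches(n, goal, seen + (n,)))
                   for n in succ[start])

    return not any(reaches(a, a) for a in list(succ))


def create(A, new_name, b, can_create, cr):
    """A creates B of type b. cr(tau(A), b) returns (crP, crC) as typed tickets
    b/r:c and a/r:c, which are instantiated with the concrete entity names."""
    if (A.type, b) not in can_create:
        raise PermissionError(f"type {A.type} may not create type {b}")
    B = Entity(new_name, b)
    crP, crC = cr(A.type, b)
    A.dom |= {(new_name, r, c) for _, r, c in crP}   # A gets B/r:c
    B.dom |= {(A.name, r, c) for _, r, c in crC}     # B gets A/r:c
    return B


CC_TG = {("subject", "subject"), ("subject", "object")}
CC_OWNER = {("user", "file")}


def cr_tg(a, b):
    """crP = {b/tc, b/gc, b/rc, b/wc}, crC = empty: the creator gets everything."""
    return {(b, r, True) for r in RIGHTS}, set()


def cr_owner(a, b):
    """Owner-based policy: cr(user, file) = {file/r:c | r in RI}."""
    return {(b, r, True) for r in R_INERT}, set()


def takegrant_demo():
    """s holds p/g (s can grant to p), creates object o, then copies o/r to p."""
    s, p = Entity("s", "subject"), Entity("p", "subject")
    s.dom.add(("p", "g", True))
    o = create(s, "o", "object", CC_TG, cr_tg)
    copy_ticket(o, "r", False, s, p, SCHEME_TG)
    return s, p, o


def owner_demo():
    """u creates file f and gets f/rc, f/wc; a user may not create a user."""
    u = Entity("u", "user")
    create(u, "f", "file", CC_OWNER, cr_owner)
    try:
        create(u, "u2", "user", CC_OWNER, cr_owner)
        rejected = False
    except PermissionError:
        rejected = True
    return u.dom, rejected
```

The three checks in `can_copy` are exactly the three conditions on the Filter Function slide; note that a subject can hold the copyable ticket and be linked to the target and still be refused when the filter for that pair of types is empty, which is what happens for (subject, object) in the Take-Grant scheme.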

Expressing Constraints
Entities are classes and methods:
- Class: a set of objects that an access constraint constrains.
- Method: a set of ways an operation can be invoked.
Operations:
- Instantiation: s creates an instance of class c: s ├ c
- Invocation: s1 executes object s2: s1 |→ s2
Access constraints have the form deny(s op x) when b: when b is true, subject s cannot perform op on (subject or class) x; an empty s means all subjects.

Sample Constraints
A downloaded program cannot access the password database file on a UNIX system. The program's class and methods for files:

class File {
    public File(String name);
    public String getfilename();
    public char read();
    ...
}

Constraint: deny(|→ file.read) when (file.getfilename() == "/etc/passwd")

Users and Levels
Subjects                        Security level                             Integrity level
Ordinary users                  (SL, { SP })                               (ISL, { IP })
Application developers          (SL, { SD })                               (ISL, { ID })
System programmers              (SL, { SSD })                              (ISL, { ID })
System managers and auditors    (AM, { SP, SD, SSD })                      (ISL, ∅)
System controllers              (SL, { SP, SD }) and downgrade privilege   (ISP, { IP, ID })
Repair                          (SL, { SP })                               (ISP, { IP })

Objects and Classifications
Objects                            Security level          (earlier category)   Integrity level
Development code/test data         (SL, { SD })            (D, T)               (ISL, { ID })
Production code                    (SL, { SP })            (PC)                 (IO, { IP }) ?
Production data                    (SL, { SP })            (PC, PD)             (ISL, { IP }) ?
Software tools                     (SL, ∅)                 (T)                  (IO, { ID })
System programs                    (SL, ∅)                 ∅                    (ISP, { IP, ID })
System programs in modification    (SL, { SSD })           (SD, T)              (ISL, { ID })
System and application logs        (AM, { appropriate })                        (ISL, ∅)
Repair                             (SL, { SP })                                 (ISP, { IP })

Summary diagram (figure not reproduced) pairing each subject class with the objects it works on, at the levels given in the two tables above: production users with production data; application programmers with development code/data; system programmers with system code in development; system managers with the audit trail; system control (with the downgrade privilege) with production code, tools and system programs; repair with repair code.

Additional constraints
- Production users can execute production code only.
- No individual can be both an application programmer and a production user.
- In contradiction to the *-property, system controllers are allowed to write down (the downgrade privilege).
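Lipner's full model from the two tables above, evaluated mechanically. This is an added example and not code from the slides: it builds the confidentiality lattice (SL below AM) and the integrity lattice (ISL below IO below ISP) with category sets, applies the Bell-LaPadula rules for confidentiality and Biba's strict rules for integrity, and reports the read/write access each subject class gets to each object class. The linear order of the integrity levels and the log category (the table only says "appropriate"; SP is assumed here) are assumptions made for the example; the downgrade privilege is modelled as an exemption from the *-property for the subject that holds it.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Linear parts of the two lattices: a higher rank dominates a lower one.
CONF_RANK = {"SL": 0, "AM": 1}            # System Low < Audit Manager
INT_RANK = {"ISL": 0, "IO": 1, "ISP": 2}   # System Low < Operational < Program (assumed order)


@dataclass(frozen=True)
class Level:
    cls: str
    cats: FrozenSet[str]

    def dominates(self, other, rank):
        """(cls, cats) dominates (cls', cats') iff cls >= cls' and cats is a superset of cats'."""
        return rank[self.cls] >= rank[other.cls] and self.cats >= other.cats


def lvl(cls, *cats):
    return Level(cls, frozenset(cats))


@dataclass(frozen=True)
class Entity:
    conf: Level
    integ: Level


SUBJECTS = {
    "ordinary user": Entity(lvl("SL", "SP"), lvl("ISL", "IP")),
    "application developer": Entity(lvl("SL", "SD"), lvl("ISL", "ID")),
    "system programmer": Entity(lvl("SL", "SSD"), lvl("ISL", "ID")),
    "system manager": Entity(lvl("AM", "SP", "SD", "SSD"), lvl("ISL")),
    "system controller": Entity(lvl("SL", "SP", "SD"), lvl("ISP", "IP", "ID")),
    "repair": Entity(lvl("SL", "SP"), lvl("ISP", "IP")),
}
OBJECTS = {
    "development code": Entity(lvl("SL", "SD"), lvl("ISL", "ID")),
    "production code": Entity(lvl("SL", "SP"), lvl("IO", "IP")),
    "production data": Entity(lvl("SL", "SP"), lvl("ISL", "IP")),
    "software tools": Entity(lvl("SL"), lvl("IO", "ID")),
    "system programs": Entity(lvl("SL"), lvl("ISP", "IP", "ID")),
    "system programs in modification": Entity(lvl("SL", "SSD"), lvl("ISL", "ID")),
    "logs": Entity(lvl("AM", "SP"), lvl("ISL")),   # "appropriate" category: SP assumed
    "repair code": Entity(lvl("SL", "SP"), lvl("ISP", "IP")),
}


def can_read(s, o):
    """BLP simple security (s dominates o) and Biba simple integrity (o dominates s)."""
    return s.conf.dominates(o.conf, CONF_RANK) and o.integ.dominates(s.integ, INT_RANK)


def can_write(s, o, downgrade=False):
    """BLP *-property (o dominates s, unless the subject holds the downgrade
    privilege) and Biba integrity *-property (s dominates o)."""
    conf_ok = downgrade or o.conf.dominates(s.conf, CONF_RANK)
    return conf_ok and s.integ.dominates(o.integ, INT_RANK)


def access(subject, obj, downgrade=False):
    """'r', 'w', 'rw' or '' for a named subject class and object class."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    return ("r" if can_read(s, o) else "") + ("w" if can_write(s, o, downgrade) else "")


def access_matrix(downgrade_for=("system controller",)):
    """Full subject-class x object-class matrix under the combined policy."""
    return {s: {o: access(s, o, s in downgrade_for) for o in OBJECTS} for s in SUBJECTS}


if __name__ == "__main__":
    for subj, row in access_matrix().items():
        print(f"{subj:24s}", {o: a or "-" for o, a in row.items()})
```

Two results are worth reading off the matrix: ordinary users get `r` on production code but `rw` on production data (Biba's *-property stops them modifying code), and system controllers cannot write production code at all under the plain *-property, since their category set {SP, SD} is not dominated by the object's {SP}; only the downgrade exemption lets that write through, which is the contradiction with the *-property the last slide points out.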