Presentation transcript: Access Control - 2 - Foundational Results




1  Access Control - 2 - Foundational Results

2  Preliminaries: Undecidability, the Halting Problem, the Turing Machine

3  Undecidability

Timing a program: can you write a program that tells you how long another program will run before completing?

The Halting Problem: if you can tell me how long a program runs, you have also told me that it stops in finite time. No program can give a decisive answer for all legitimate inputs; a program may give correct answers for some cases but run forever on others.

4  The Turing Machine

- A tape, infinite to the right, divided into cells; a cell can store any symbol in M = {A, B, C, D, F, Blank}
- A read/write head, whose state is one of K = {happy, unhappy}
- The head reads, then writes and moves; what it writes, and whether it moves left or right, is decided by a set of rules (M and K are both finite)
- Originally the tape is all blank

Example rules, written (state, symbol read) -> (new state, symbol written, move):
  (happy, Blank) -> (unhappy, A, Right)
  (unhappy, A)   -> (happy, B, Left)
  (happy, F)     -> (happy, A, Left)
  ...

[Figure: a tape holding "A A D ..." with the head on it in state happy, and a two-state diagram (happy, unhappy)]

5  The Halting Problem

With any initial tape and state of the head, will a given Turing machine ever reach a specific state? This is undecidable.

[Figure: an input program fed to a decider that is supposed to output "OK" and halt]

6  A Proof by Contradiction

Suppose you have a machine H that, for any input program, is sure to tell you whether that program halts. Now feed H the following program D, which is built around H itself:
  - ask H whether D halts;
  - if H says "halts", go into an endless loop;
  - otherwise print "OK" and stop.
Whatever H answers about D is wrong: if H says D halts, D never stops; if H says D never stops, D prints "OK" and halts. So no such H can exist.

7  Access and Control of Memory

8  The Access Control Matrix (ACM)

A model of protection systems. It describes who (a subject) can do what (rights) to what or to whom (an object, or another subject).

Example:
- An instructor can assign and grade homework and exams
- A TA can grade homework
- A student can evaluate the instructor and the TA

9  An Access Control Matrix

Allowed operations (rights): r, x, w, o

           file1   file2   file3
  Ann      rx      r       rwx
  Bob      rwxo    r       --
  Charlie  rx      rwo     w

10  Rights/Commands

Primitive commands:
- create/destroy a subject s or an object o
- enter/delete a right r into/from A[s,o]

11  State Transition Commands

Command example: if an instructor can grade the exam and a TA can grade the homework, then revoke the TA's right to grade the homework and let him grade the exam.

Mono-conditional / mono-operational: a command is mono-conditional if its condition tests a single matrix entry, and mono-operational if its body is a single primitive command.

A condition can neither be negative nor contain "or". So "if the instructor can grade the exam or the TA can grade the exam, then the TA cannot grade the homework" is not expressible as one command.

12  Commands for the ACM

Primitive commands: create/destroy subjects and objects; enter/delete permissions in acm(s,o).

A command may use more than one primitive command; a command whose body is a single primitive command is a mono-operational command.

Limitation: a condition cannot test for a negative fact. Further, the model has no built-in owner or copy commands.

13  ACM and Protection States

Subjects: processes p, q, etc. Objects: files f, g, etc. (subjects are objects too, so they also appear as columns). Access rights: operations r, w, x, a, o, etc.

       f      g     p      q
  p    rwo    r     rwxo   w
  q    a      ro    r      rwxo

14  Protection States

State: variables taking values in a domain. Protection domain: the space defined by an ACM.

Mathematically:
- Variables for subjects: $X_s \in S$, the set of all subject names
- Variables for objects: $X_o \in O$, the set of all object names
- Constants for permission names: $P$
- Assignment: $A : S \times O \to \mathcal{P}(P)$, where $\mathcal{P}(P)$ (the power set) is the set of all subsets of $P$; $A$ maps every (subject, object) pair to a subset of the permissions

Example state:

       f     g    p     q
  p    ow    r    rx    ow
  q    r     o    r     wx

15  Safe States

A state is safe if it is consistent with the ACM, i.e. every entry is a subset of the corresponding ACM entry. Mathematically: if $\mathit{myState} : S \times O \to \mathcal{P}(P)$, then $\forall x, y \;\; \mathit{myState}(x, y) \subseteq \mathrm{ACM}(x, y)$.

  ACM      O1    O2    O3    O4
  S1       rwx   rx          x
  S2       x (its only entry)

  myState  O1    O2    O3    O4
  S1       r     rx          x
  S2       x (its only entry)

16  What Does it Mean to be Secure?

Giving a right r to someone who did not initially possess r is called leaking r. If the system begins in some initial safe state and can never leak r, the system is secure with respect to r.

Subtleties:
- Leaking is not necessarily bad: a legitimate transfer of rights is proper if the owner says so, or by delegation. But then we must ask: with all authorized leaking ignored, is the system still secure with respect to r?
- An abstract system (the specification) may be secure while its implementation is not.

17  Safety Question

Is there an algorithm for determining whether any protection system with a given initial state is secure with respect to a generic right r?

In terms of the ACM: given any ACM, is there a program that halts with the answer to "Is there a sequence of commands that will enter r into some A[s,o] that does not initially contain r?"

There are trivial cases where this is obviously answerable, but what about the general case?

18  The (Special) Positive Result

Theorem: there is an algorithm that determines whether a given mono-operational protection system with initial state S_0 is safe with respect to a generic right.

Proof: suppose the command sequence is [c_0, c_1, ..., c_n].
1. We can identify [c_0, c_1, ..., c_n] with a sequence of primitive operations, since each command is a single primitive operation.
2. We can assume that no c_i is a delete or a destroy, because delete and destroy never add rights: dropping them from the sequence cannot remove a leak.

19  The Positive Result (cont.)

3. Only create adds new subjects and objects; the other commands (enter) are guarded by conditional tests that can be checked against the current state.
4. Suppose the sequence creates a new subject s_new and a new object o_new. Any further created subjects or objects can be replaced by s_new and o_new (or by ones that already exist) without losing the leak, since a leak only needs some entry to gain r.
5. It remains to check that the given sequence did not leak r. There are at most (|S_0|+1)(|O_0|+1) entries, and a leaking sequence never needs to enter the same right into the same entry twice, so it suffices to examine sequences of at most n(|S_0|+1)(|O_0|+1)+1 commands, where n is the number of generic rights: a finite search.

20  The General Safety Problem is Undecidable

Answer: the safety problem is undecidable. In terms of the ACM: given an arbitrary ACM and command set, whether some sequence of commands will enter r into some A[s,o] that does not initially contain r is undecidable.

The correspondence with the halting problem:

  safety problem                                 halting problem
  input file or program                          initial tape and head state
  the protection system driven by its commands   the Turing machine
  output: r entered into some A[s,o]             a specific state reached

21  Reducing the Halting Problem to the Safety Problem

If an algorithm could solve the safety problem, it could also solve the halting problem. But the halting problem is known to be undecidable, so no such algorithm can exist.

How does the reduction work? Simulate a Turing machine with a protection system in which subject s_i owns s_{i+1}, and if cell i contains symbol A then subject s_i has the right A over itself. The subject s_k corresponding to the rightmost cell has the right "end" over itself, and the current head state is stored as a right over itself in the subject of the cell the head is on.

22  The Reduction

Tape cells 1..4 hold A B C D and the head is on cell 3 in state k. In the ACM, s1 has A over itself and owns s2; s2 has B and owns s3; s3 has C and the state k, and owns s4; s4 has D and end.

  ACM   s1    s2    s3     s4
  s1    A     own
  s2          B     own
  s3                C k    own
  s4                       D end

Rule (k, C) -> (k1, X, R): the tape becomes A B X D with the head on cell 4 in state k1. In the ACM, C and k leave s3, X enters s3, and k1 enters s4.

  ACM   s1    s2    s3     s4
  s1    A     own
  s2          B     own
  s3                X      own
  s4                       D k1 end

Rule (k1, D) -> (k2, Y, R): the head moves past the rightmost cell, so a new blank cell 5 (b) appears with the head on it in state k2. In the ACM a new subject s5 is created: end moves from s4 to s5, s4 owns s5, and s5 holds b and k2.

  ACM   s1    s2    s3     s4     s5
  s1    A     own
  s2          B     own
  s3                X      own
  s4                       Y      own
  s5                              b k2 end

23  Commands for Left Motion

The rule (k, C) -> (k1, X, L) corresponds to the following command. The slide writes it for the figure as c_{k,C}(s4, s3); in general the parameters are s_{i-1} and s_i:

  command c_{k,C}(s_{i-1}, s_i)
    if own in A[s_{i-1}, s_i] and k in A[s_i, s_i] and C in A[s_i, s_i]
    then
      delete k from A[s_i, s_i];
      delete C from A[s_i, s_i];
      enter X into A[s_i, s_i];
      enter k1 into A[s_{i-1}, s_{i-1}];
  end

Note: k is the state of the head; C and X are the contents of the cell before and after the step.

24  Commands for Right Motion

The rule (k, C) -> (k1, X, R), with the head on s3, corresponds to the command

  command c_{k,C}(s3, s4)
    if own in A[s3, s4] and k in A[s3, s3] and C in A[s3, s3]
    then
      delete k from A[s3, s3];
      delete C from A[s3, s3];
      enter X into A[s3, s3];
      enter k1 into A[s4, s4];
  end

(in general the parameters are s_i and s_{i+1})

25  Command for the Rightmost Cell

The rule (k1, D) -> (k2, Y, R), applied when the head is on the rightmost cell, corresponds to

  command c_{rightmost,k1,D}(s4, s5)
    if end in A[s4, s4] and k1 in A[s4, s4] and D in A[s4, s4]
    then
      delete end from A[s4, s4];
      create subject s5;
      enter own into A[s4, s5];
      enter end into A[s5, s5];
      delete k1 from A[s4, s4];
      delete D from A[s4, s4];
      enter Y into A[s4, s4];
      enter k2 into A[s5, s5];
  end

(The figure of slide 22 also shows the new cell holding the blank symbol b, i.e. enter b into A[s5, s5].)

26  Rest of the Proof

This protection system exactly simulates a Turing machine:
- the right "end" in the ACM marks the rightmost cell of the tape;
- exactly one entry holds the current state, so at most one command is applicable at any time;
- if the Turing machine enters the special (halting) state q_f, then the right q_f has leaked.

If the safety question were decidable, represent the TM as above and determine whether q_f leaks; this would decide the halting problem.

Conclusion: safety is undecidable.
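As an added example (not code from the slides, nor from the original HRU paper): a small Python protection system with the primitive operations of slides 10-12, the Turing-machine encoding of slides 21-25, and a direct Turing-machine simulator (slides 4-5) to cross-check it. The class and function names, the two sample machines, and the choice to store the blank symbol b in a newly created cell (as the slide 22 figure shows) are this example's own assumptions.

```python
from collections import defaultdict
from itertools import permutations

BLANK = "b"              # blank cell symbol, written "b" in the slide 22 figure
OWN, END = "own", "end"  # bookkeeping rights introduced by the reduction


class ProtectionSystem:
    """Access control matrix A plus the HRU primitive operations (slide 10)."""
    def __init__(self):
        self.A = defaultdict(set)  # (subject, object) -> set of rights
        self.subjects = []         # creation order doubles as tape order
    def create_subject(self, s): self.subjects.append(s)
    def enter(self, r, s, o): self.A[(s, o)].add(r)
    def delete(self, r, s, o): self.A[(s, o)].discard(r)

    def applicable(self, command, *params):
        # a condition is a conjunction of positive presence tests (slide 11)
        return all(r in self.A[(s, o)] for r, s, o in command(*params)[0])

    def run(self, command, *params):
        # a body is a sequence of primitive operations (slide 12)
        for name, *args in command(*params)[1]:
            getattr(self, name)(*args)

    def leaked(self, right):
        # a right has leaked once any entry of A contains it (slide 16)
        return any(right in rights for rights in self.A.values())


def tm_commands(delta):
    """One command per TM rule (k, C) -> (k1, X, direction), slides 23-25;
    each command maps its subject parameters to (conditions, body)."""
    cmds = []
    for (k, C), (k1, X, d) in delta.items():
        def left(prev, cur, k=k, C=C, k1=k1, X=X):  # slide 23: (s_{i-1}, s_i)
            return ([(OWN, prev, cur), (k, cur, cur), (C, cur, cur)],
                    [("delete", k, cur, cur), ("delete", C, cur, cur),
                     ("enter", X, cur, cur), ("enter", k1, prev, prev)])
        def right(cur, nxt, k=k, C=C, k1=k1, X=X):  # slide 24: (s_i, s_{i+1})
            return ([(OWN, cur, nxt), (k, cur, cur), (C, cur, cur)],
                    [("delete", k, cur, cur), ("delete", C, cur, cur),
                     ("enter", X, cur, cur), ("enter", k1, nxt, nxt)])
        def rightmost(cur, new, k=k, C=C, right=right):  # slide 25: past the end
            return ([(END, cur, cur), (k, cur, cur), (C, cur, cur)],
                    [("delete", END, cur, cur), ("create_subject", new),
                     ("enter", OWN, cur, new), ("enter", END, new, new),
                     ("enter", BLANK, new, new)] + right(cur, new)[1])  # blank cell
        cmds += [("pair", left)] if d == "L" else [("pair", right), ("fresh", rightmost)]
    return cmds


def encode(tape, state):
    # slides 21-22: s_i holds cell i's symbol over itself and owns s_{i+1};
    # the head state sits on s_1 and "end" marks the rightmost cell
    ps = ProtectionSystem()
    for i, sym in enumerate(tape, 1):
        ps.create_subject(f"s{i}")
        ps.enter(sym, f"s{i}", f"s{i}")
        if i > 1:
            ps.enter(OWN, f"s{i-1}", f"s{i}")
    ps.enter(state, "s1", "s1")
    ps.enter(END, f"s{len(tape)}", f"s{len(tape)}")
    return ps


def run_reduction(delta, tape, start, final, max_steps):
    """Try every command with every parameter choice at each step; at most one
    condition holds (slide 26).  Returns (final leaked?, steps, tape read from A)."""
    symbols = {C for _, C in delta} | {X for _, X, _ in delta.values()} | {BLANK}
    ps, cmds, steps = encode(tape, start), tm_commands(delta), 0
    while not ps.leaked(final) and steps < max_steps:
        choices = []
        for kind, cmd in cmds:
            params = (permutations(ps.subjects, 2) if kind == "pair" else
                      [(s, f"s{len(ps.subjects) + 1}") for s in ps.subjects])
            choices += [(cmd, p) for p in params if ps.applicable(cmd, *p)]
        if not choices:  # head moved left off s_1: the machine is stuck
            break
        assert len(choices) == 1, "the encoding must be deterministic"
        ps.run(choices[0][0], *choices[0][1])
        steps += 1
    cells = [ps.A[(s, s)] & symbols for s in ps.subjects]
    return ps.leaked(final), steps, "".join(c.pop() for c in cells)


def run_tm(delta, tape, start, final, max_steps):
    # direct Turing-machine simulation (slides 4-5) to cross-check the above
    cells, pos, state, steps = list(tape), 0, start, 0
    while state != final and steps < max_steps and pos >= 0:
        if (state, cells[pos]) not in delta:
            break
        state, cells[pos], d = delta[(state, cells[pos])]
        pos += 1 if d == "R" else -1
        if pos == len(cells):
            cells.append(BLANK)
        steps += 1
    return state == final, steps, "".join(cells)


# Constructed sample machines: HALTS rewrites the A's to B's, steps back one
# cell and enters qf; LOOPS walks right forever, so no step bound settles it.
HALTS = {("q0", "A"): ("q0", "B", "R"), ("q0", BLANK): ("q1", BLANK, "L"),
         ("q1", "B"): ("qf", "B", "L")}
LOOPS = {("q0", "A"): ("q0", "A", "R"), ("q0", BLANK): ("q0", BLANK, "R")}
```

Calling run_reduction(HALTS, "AAA", "q0", "qf", 20) and run_tm with the same arguments gives the same answer both ways: qf leaks after five commands and the tape reads BBBb. LOOPS instead creates a fresh subject every step and never leaks qf within any step bound, which is exactly why a bounded search such as the one on slide 19 cannot settle the general problem: only the halting state is a right that nobody held initially, so watching for its leak is watching for the machine to halt.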

27  Special Cases Can be Decidable

- If all commands are mono-operational, the safety problem is decidable. (The reduction needs each move of the Turing machine to be several primitive commands inside one ACM command, which a mono-operational system cannot express.)
- If no command includes create, the safety problem is decidable (it is PSPACE-complete).
- If no command includes destroy or delete and all commands are mono-conditional, the safety problem is decidable.

28  Main Point

In its most general form the safety problem is undecidable, but by limiting the scope of the systems considered it can be made decidable. Otherwise we could never build a provably safe system!

29  ACMs and ACLs; Capabilities

Real systems have to be fast and must not use excessive space.

30  What's Wrong with an ACM?

If we have 1k users and 100k files, and a user should only read/write his or her own files: the ACM has 101k columns (every subject is also an object) and 1k rows, and most of its 101M elements are either empty or identical. Good for theoretical study, bad for implementation. Can we remove the empty elements?

31  Two Ways to Cut a Table (ACM)

Order by columns (ACLs) or by rows (capability lists)?

           file1   file2   file3
  A        rx      r       rwx
  B        rwxo    r       --
  C        rx      rwo     w

A column is an ACL; a row is a capability list.

32  Access Control Lists

Columns of the access control matrix:

           file1   file2   file3
  Andy     rx      r       rwo
  Betty    rwxo    r
  Charlie  rx      rwo     w

ACLs:
  file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) }
  file2: { (Andy, r) (Betty, r) (Charlie, rwo) }
  file3: { (Andy, rwo) (Charlie, w) }

An ACL stores the non-empty elements of each column with its object.

33  Capability Lists

Rows of the access control matrix:

           file1   file2   file3
  Andy     rx      r       rwo
  Betty    rwxo    r
  Charlie  rx      rwo     w

C-lists:
  Andy:    { (file1, rx) (file2, r) (file3, rwo) }
  Betty:   { (file1, rwxo) (file2, r) }
  Charlie: { (file1, rx) (file2, rwo) (file3, w) }

A capability list stores the non-empty elements of each row with its subject.
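Added example (not code from the slides): the matrix of slide 32 stored in Python as a sparse ACM, as ACLs (slide 32) and as C-lists (slide 33), together with the safe-state check of slide 15 and a look at which question each cut answers with a single lookup. The ACM literal is constructed from the slide's table; all function names are this example's own.

```python
ACM = {  # slide 32's matrix, constructed here: subject -> object -> rights
    "Andy":    {"file1": "rx",   "file2": "r",   "file3": "rwo"},
    "Betty":   {"file1": "rwxo", "file2": "r"},          # no file3 entry
    "Charlie": {"file1": "rx",   "file2": "rwo", "file3": "w"},
}


def to_acls(acm):
    """Column view (slide 32): each object keeps its non-empty column entries."""
    acls = {}
    for subject, row in acm.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_clists(acm):
    """Row view (slide 33): each subject keeps its non-empty row entries."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in acm.items()}


def acls_to_matrix(acls):
    """Rebuild the sparse matrix from ACLs: both cuts carry the same information."""
    acm = {}
    for obj, entries in acls.items():
        for subject, rights in entries.items():
            acm.setdefault(subject, {})[obj] = "".join(sorted(rights))
    return acm


# Each cut makes one question a single lookup and the mirror question a scan.
def who_can(acls, obj):           # ACL: "who can access this object?"
    return {s for s, rights in acls.get(obj, {}).items() if rights}


def what_can(clists, subject):    # C-list: "what can this subject access?"
    return {o for o, rights in clists.get(subject, {}).items() if rights}


def what_can_via_acls(acls, subject):  # the same question, scanning every ACL
    return {o for o, entries in acls.items() if entries.get(subject)}


def revoke_subject(acls, subject):
    """Removing one subject's access everywhere has to touch every ACL."""
    for entries in acls.values():
        entries.pop(subject, None)


def is_safe_state(state, acm):
    """Slide 15: myState(x, y) must be a subset of ACM(x, y) for every x, y."""
    return all(set(rights) <= set(acm.get(s, {}).get(o, ""))
               for s, row in state.items() for o, rights in row.items())


def leaks(state, acm):
    """The (subject, object, right) triples held beyond the ACM (slide 16)."""
    return {(s, o, r) for s, row in state.items() for o, rights in row.items()
            for r in rights if r not in acm.get(s, {}).get(o, "")}
```

Converting the ACM to ACLs, back to a matrix and then to C-lists reproduces the original rows, which is the point of slide 31: the two cuts store the same information and differ only in which lookups are cheap. A state that gives Betty r on file3, an entry the ACM leaves empty, fails is_safe_state, and leaks names the offending triple.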

