Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 6 September 27, 2011 Take Grant Model.

Published byHannah Quinn Modified over 8 years ago

Similar presentations

Presentation on theme: "1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 6 September 27, 2011 Take Grant Model."— Presentation transcript:

1 1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 6 September 27, 2011 Take Grant Model

2 Objective Understand Take-Grant model Specific, restricted Analyze Right Sharing Stealing/Theft conspiracy 2

3 3 Take-Grant Protection Model System is represented as a directed graph Subject: Object: Labeled edge indicate the rights that the source object has on the destination object Four graph rewriting rules (“de jure”, “by law”, “by rights”) The graph changes as the protection state changes according to Take rule 1. Take rule: if t  γ, the take rule produces another graph with a transitive edge   β added. Either : γ  βγβ ├ x zy x zy x takes (  to y ) from z

4 4 Take-Grant Protection Model 2. Grant rule: if g  γ, the take rule produces another graph with a transitive edge α  β added. γ  βγβ ├ x zy x zy 3. Create rule: ├  x xy 4. Remove rule: ├ β - β -  xy β xy z grants (  to y ) to x x creates (  to new vertex) y x removes (  to) y

5 5 Take-Grant Protection Model: Sharing Given G 0, can vertex x obtain  rights over y? Can_share( , x, y,G 0 ) is true iff G 0 ├ * G n using the four rules, & There is an  edge from x to y in G n tg-path: v 0,…,v n with t or g edge between any pair of vertices v i, v i+1 Vertices tg-connected if tg-path between them Theorem: Any two subjects with tg-path of length 1 can share rights

6 6 Any two subjects with tg-path of length 1 can share rights Four possible length 1 tg-paths 1. Take rule 2. Grant rule 3. Lemma 3.1 4. Lemma 3.2 {t}{t} β   {g}{g} {t}{t} {g}{g} x, y Can_share(α, x, y,G 0 ) xyz

7 7 Any two subjects with tg-path of length 1 can share rights Lemma 3.1 Sequence: Create Take Grant Take β    {t} x, y Can_share( , x, y,G 0 ) g tg  x y β   {t}{t} z Prove Lemma 3.2 Prove Lemma 3.2

8 Island: Maximal tg-connected subject- only subgraph Can_share all rights in island Proof: Induction from previous theorem Bridge: tg-path between subjects v 0 and v n with edges of the following form: t → *, t ← * t → * g → t ← * t → * g ← t ← * 8 Other definitions gtt v0v0 vnvn

9 9 Bridge -- example gtt v0v0 vnvn  By grantBy take    By lemma 3.1

10 10 Theorem: Can_share(α,x,y,G 0 ) (for subjects) Subject_can_share( , x, y,G 0 ) is true iff if x and y are subjects and there is an  edge from x to y in G 0 OR if: s-y  a subject s  G 0 with an s- to- y  edge, and x  islands I 1, …, I n such that x  I 1, s  I n, and there is a bridge from I j to I j+1 x s  α α α y I1I1I1I1 I2I2I2I2 InInInIn

11 11 What about objects? Initial, terminal spans x initially spans to y if x is a subject and there is a tg-path between them with t edges ending in a g edge (i.e., t → *g → ) xy x can grant a right to y x terminally spans to y if x is a subject and there is a tg-path between them with t edges (i.e., t → *) xy x can take a right from y

12 12 Theorem: Can_share( ,x,y,G 0 ) Can_share( , x, y, G 0 ) iff there is an  edge from x to y in G 0 or if: ssy  a vertex s  G 0 with an s to y  edge, x’x’=xx’x  a subject x’ such that x’=x or x’ initially spans to x, s’s’=ss’s  a subject s’ such that s’=s or s’ terminally spans to s, and IIx’Is’I  islands I 1, …, I n such that x’  I 1, s’  I n, and there is a bridge from I j to I j +1 x’ s’  α α α y I1I1I1I1 I2I2I2I2 InInInIn s x x’ can grant a right to x s’ can take a right from s

13 13 Theorem: Can_share(α,x,y,G 0 ) Corollary: There is an O(|V|+|E|) algorithm to test can_share: Decidable in linear time!! Theorem: Let G 0 contain exactly one vertex and no edges, R a set of rights. G 0 ├ * G iff G is a finite directed acyclic graph, with edges labeled from R, and at least one subject with no incoming edge. Only if part: v is initial subject and G 0 ├ * G; No rule allows the deletion of a vertex No rule allows an incoming edge to be added to a vertex without any incoming edges. Hence, as v has no incoming edges, it cannot be assigned any

14 14 Theorem: Can_share(α,x,y,G 0 ) If part : G meets the requirement Assume v is the vertex with no incoming edge and apply rules 1. Perform “v creates (   {g} to) new x i ” for all 2<=i <= n, and  is union of all labels on the incoming edges going into x i in G 2. For all pairs x, y with x having  over y in G, perform “v grants (  to y) to x” 3. If β is the set of rights x has over y in G, perform “v removes ((   {g}) - β) to y”

15 Example 15

16 16 Example V1 V1 is the vertex with no incoming edge 1.Perform “v creates (α  {g} to) new x i ” for all 2<=i <= n, and α is union of all labels on the incoming edges going into x i in G V2 V4 V5 V3  1,  8, {g}  2,  4,  5,  7, {g}  3,  6, {g} {g} 2.For all pairs x, y with x having α over y in G, perform “v grants (α to y) to x” 88 77 66 66 44 3.If β is the set of rights x has over y in G, perform “v removes ((α  {g}) - β) to y”

17 17 Take-Grant Model: Sharing through a Trusted Entity Let p and q be two processes Let b be a buffer that they share to communicate Let s be third party (e.g. operating system) that controls b g g q b s rw u v g g q s u v Witness S creates ({r, w}, to new object) b S grants ({r, w}, b) to p S grants ({r, w}, b) to q pp

18 18 Theft in Take-Grant Model Can_steal( ,x,y,G 0 ) is true if there is no α edge from x to y in G 0 and  sequence G 1, …, G n s. t.:   edge from x to y in G n,,  rules ρ 1,…, ρ n that take G i-1 ├ ρ i G i, and  v,w  G i-1, 1≤i<n, if   edge from v to y in G 0 then ρ i is not “v grants (  to y) to w” - Disallows owners of  rights to y from transferring those rights - Does not disallow them to transfer other rights - This models a Trojan horse

19 19 A witness to theft g s w t t α u v t t α u grants (t to v) to s s takes (t to u) from v s takes (α to w) from u

20 20 Conspiracy Theft indicates cooperation: which subjects are actors in a transfer of rights, and which are not? Next question is How many subjects are needed to enable Can_share(α,x,y,G 0 )? Note that a vertex y Can take rights from any vertex to which it terminally spans Can grant rights to any vertex to which it initially spans Access set A(y) with focus y (y is subject) is union of set of vertices y, vertices to which y initially spans, and vertices to which y terminally spans

21 21 Conspiracy Deletion set δ(y,y’): All z  A(y) ∩ A(y’) for which y initially spans to z and y’ terminally spans to z y terminally spans to z and y’ initially spans to z z=y & z=y’ Conspiracy graph H of G 0 : Represents the paths along which subjects can transfer rights For each subject in G 0, there is a corresponding vertex h(x) in H if δ(y,y’) not empty, edge from h(y) to h(y’)

22 22 Example t ggt g t gtgg abcd e fhij x y z r Find the conspiracy graph!! And the witness!! {x, a} {b, a} {c, b, d} {d} {e, d, i, j} {y} {f, y} {h, f, i}

23 23 Example h(b)h©h©h(d) h(e) h(f)h(h) h(x) h(y) Conspiracy graph H of G 0 : For each subject in G 0, there is a corresponding vertex h(x) in H if δ(y,y’) not empty, edge from h(y) to h(y’)

24 24 Theorems I(p) = contains the vertex h(p) and the set of all vertices h(p’) such that p’ initially spans to p T(q) = contains the vertex h(q) and the set of all vertices h(q’) such that q’ terminally spans to q Theorem 3-13: Can_share( ,x,y,G 0 ) iff there is a path from some h(p) in I(x) to some h(q) in T(y) Theorem 3-14: Let L be the number of vertices on a shortest path between h(p) and h(q) (as in theorem 3-13), then L conspirators are necessary and sufficient to produce a witness to Can_share( ,x,y,G 0 )

25 25 Example h(b)H(c)h(d) h(e) h(f)h(h) h(x) h(y) Conspiracy graph H of G 0 : For each subject in G 0, there is a corresponding vertex h(x) in H if δ(y,y’) not empty, edge from h(y) to h(y’) I(x) = {h(x)} T(x) = {h(e)} Shortest path: h(x), h(b), h(c), h(e)

26 26 Example t ggt g t gtgg abcd e fhij x y z r What is the witness??

27 Summary Take-Grant model – specific system Restricted Safety question is not undecidable Linear to the size of the graph Theft and conspiracy issues 27

Download ppt "1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 6 September 27, 2011 Take Grant Model."

Similar presentations

15-251 Great Theoretical Ideas in Computer Science for Some.

Great Theoretical Ideas in Computer Science for Some.
Chapter 8 Topics in Graph Theory

Chapter 8 Topics in Graph Theory
Lecture 24 MAS 714 Hartmut Klauck

Lecture 24 MAS 714 Hartmut Klauck
Lecture 5 Graph Theory. Graphs Graphs are the most useful model with computer science such as logical design, formal languages, communication network,

Lecture 5 Graph Theory. Graphs Graphs are the most useful model with computer science such as logical design, formal languages, communication network,
Walks, Paths and Circuits Walks, Paths and Circuits Sanjay Jain, Lecturer, School of Computing.

Walks, Paths and Circuits Walks, Paths and Circuits Sanjay Jain, Lecturer, School of Computing.
Bayesian Networks, Winter 2009-2010 Yoav Haimovitch & Ariel Raviv 1.

Bayesian Networks, Winter Yoav Haimovitch & Ariel Raviv 1.
Introduction to Graphs

Introduction to Graphs
CompSci 102 Discrete Math for Computer Science April 19, 2012 Prof. Rodger Lecture adapted from Bruce Maggs/Lecture developed at Carnegie Mellon, primarily.

CompSci 102 Discrete Math for Computer Science April 19, 2012 Prof. Rodger Lecture adapted from Bruce Maggs/Lecture developed at Carnegie Mellon, primarily.
Graphs III (Trees, MSTs) (Chp 11.5, 11.6)

Graphs III (Trees, MSTs) (Chp 11.5, 11.6)
1 Lecture 5 (part 2) Graphs II Euler and Hamiltonian Path / Circuit Reading: Epp Chp 11.2, 11.3.

1 Lecture 5 (part 2) Graphs II Euler and Hamiltonian Path / Circuit Reading: Epp Chp 11.2, 11.3.
1 Chapter 22: Elementary Graph Algorithms IV. 2 About this lecture Review of Strongly Connected Components (SCC) in a directed graph Finding all SCC (i.e.,

1 Chapter 22: Elementary Graph Algorithms IV. 2 About this lecture Review of Strongly Connected Components (SCC) in a directed graph Finding all SCC (i.e.,
Representing Relations Using Matrices

Representing Relations Using Matrices
Data Structures, Spring 2004 © L. Joskowicz 1 Data Structures – LECTURE 14 Strongly connected components Definition and motivation Algorithm Chapter 22.5.

Data Structures, Spring 2004 © L. Joskowicz 1 Data Structures – LECTURE 14 Strongly connected components Definition and motivation Algorithm Chapter 22.5.
Graph. Undirected Graph Directed Graph Simple Graph.

Graph. Undirected Graph Directed Graph Simple Graph.
July 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.
1 On a question of Leiss regarding the Towers of Hanoi problem.

1 On a question of Leiss regarding the Towers of Hanoi problem.
What is the next line of the proof? a). Let G be a graph with k vertices. b). Assume the theorem holds for all graphs with k+1 vertices. c). Let G be a.

What is the next line of the proof? a). Let G be a graph with k vertices. b). Assume the theorem holds for all graphs with k+1 vertices. c). Let G be a.
Computational Geometry Seminar Lecture 1

Computational Geometry Seminar Lecture 1
Greedy Algorithms Reading Material: Chapter 8 (Except Section 8.5)

Greedy Algorithms Reading Material: Chapter 8 (Except Section 8.5)
Is the following graph Hamiltonian- connected from vertex v? a). Yes b). No c). I have absolutely no idea v.

Is the following graph Hamiltonian- connected from vertex v? a). Yes b). No c). I have absolutely no idea v.

Similar presentations

Ads by Google