Decidability or Impossibility? 02b = a bit of boring theory Nicolas T. Courtois - University College of London.

1 Decidability or Impossibility? 02b = a bit of boring theory Nicolas T. Courtois - University College of London

2 CompSec COMPGA01, Nicolas T. Courtois, January 2009
Roadmap: the pure mathematicians' / logicians' take on computer security: Rice Theorem, HRU vs. Take-Grant.

3 Matrix Paradigm – Basis of DAC
Example: S = {System, Admin, Bob}, O = {exe, doc}, A = {read, write, exec, delete}.
M (rows = Subjects, columns = Objects, cells = rights):

            exe          doc
  System    {e,r,w,d}    {r,w,d}
  Admin     {e,w,d}      {w,r,d}
  Bob       {e}          {r,w}

4 HRU Model

5 HRU Model [Harrison-Ruzzo-Ullman 1976]: a particular formalisation of the matrix model plus a particular set of commands that allows one to build a basic file system…

6 The Commands in the HRU model
Imagine a file system with the following operations (requests):
–create a process/file;
–confer a right to a given cell of the matrix (Bishop: enter);
–revoke a right from a given cell (Bishop: destroy).
These 3 commands can be combined to create instructions such as create_file, spawn_process, grant_right, chown, etc.

7 The Safety Problem
Imagine a file system implementing this model. Given a configuration, does there exist a sequence of requests that will add the right a ∈ A to a given matrix cell M[s,o] ⊆ A?
Example: given the access rules for all UCL employees,
–can I ever read the UCL payroll file?

8 Theoretical Results [cf. Bishop]
Theorem 1: There is no algorithm to solve the safety problem in this model.
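To make slides 6 to 8 concrete, here is an added example (not code from the slides): a small HRU-style matrix with the three primitive requests, two compound commands built on them, and a depth-bounded search for the safety question of slide 7. The subject and file names, the compound commands and the 'own' right are assumptions made for the demonstration; the search is bounded on purpose, because Theorem 1 rules out an algorithm for the unbounded question.

```python
from copy import deepcopy
from itertools import product

class Matrix:                      # M[(s, o)] = set of rights subject s has over o
    def __init__(self, subjects):
        self.subjects, self.objects, self.m = set(subjects), set(), {}

    # primitive requests from the slide (Bishop: create / enter / delete)
    def create(self, o):
        self.objects.add(o)
        for s in self.subjects: self.m[(s, o)] = set()
    def enter(self, r, s, o):  self.m[(s, o)].add(r)
    def delete(self, r, s, o): self.m[(s, o)].discard(r)

# compound commands: a condition on the matrix, then primitive operations
def create_file(mx, s, f):        # s creates f and gets the constructed 'own' right
    if f in mx.objects: return False
    mx.create(f)
    for r in ("own", "r", "w"): mx.enter(r, s, f)
    return True

def grant_right(mx, s, t, o, r):  # only an owner of o may confer r on o to t
    if "own" not in mx.m.get((s, o), ()): return False
    mx.enter(r, t, o); return True

def can_reach(mx, s, o, r, depth):
    """Breadth-first search over grant_right sequences of length <= depth.
    A bounded check only: Theorem 1 says the unbounded question has no algorithm."""
    key = lambda x: frozenset((k, frozenset(v)) for k, v in x.m.items())
    frontier, seen = [(mx, 0)], {key(mx)}
    while frontier:
        cur, d = frontier.pop(0)
        if r in cur.m[(s, o)]: return True
        if d == depth: continue
        for a, b, obj, rt in product(cur.subjects, cur.subjects, cur.objects, ("r", "w")):
            nxt = deepcopy(cur)
            if grant_right(nxt, a, b, obj, rt) and key(nxt) not in seen:
                seen.add(key(nxt)); frontier.append((nxt, d + 1))
    return False

def payroll_scenario():
    """Slide 7's question: can Bob ever read the payroll file?"""
    mx = Matrix({"System", "Admin", "Bob"})
    create_file(mx, "Admin", "payroll")       # Admin owns payroll
    create_file(mx, "System", "locked")
    mx.delete("own", "System", "locked")      # nobody owns 'locked' any more
    return (can_reach(mx, "Bob", "payroll", "r", 1),   # True: Admin may grant it
            can_reach(mx, "Bob", "locked", "r", 3))    # False: no owner to confer
```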

9 Rice Theorem

10 Halting problem
Q: Does program25.c halt? More generally, we can ask different questions.
[Figure: program25.c → "expert system" (algorithm for Q) → Y/N]

11 Other Interesting Questions
Example questions:
–Q1: Does program25.c always return 0?
–Q2: Does program25.c compute the sum of two 32-bit integers correctly?
–Q3: Do 2 programs do the same thing?
–Etc.
Answer [Rice 1953]: there is no algorithm that can solve such a problem.
[Figure: program25.c → decision algorithm → Y/N]

12 The Anti-Virus Software
Theorem [Rice]: there is no algorithm that decides whether a given program is a virus. Such programs are mathematically strictly impossible.
But this does not prevent the software security industry from being worth 9.1 G$ in 2007 [Gartner].
Beware, important: this does not prevent a program from detecting all malware; 100 % security is possible,
–but then it is also certain that such a program will be "secure" (the exact notion of secure, opposite of broad, was defined in a much less general context) and that it will produce false alarms: programs that are not viruses will be reported as such. This is inevitable.


14 Back to Access Control
We need a simpler model.

15 Take-Grant Model

16 Take-Grant Model [Jones, Lipton, Snyder 1976]
Was invented to address the safety problem: here it becomes decidable. Based on graphs.
[Figure: edge x → y labelled r: x can read y]

17 Take-Grant Model
A set S of Subjects (e.g. processes) which can execute privileges in the system.
A set O of Objects (e.g. files) on which the privileges can be executed.
A directed graph G = (S ∪ O, E) of authorizations, where E ⊆ (S ∪ O) × (S ∪ O).
–Vertices can be both Subjects and Objects.
–Edges are authorizations: each is labelled by r ∈ R (or a subset of R), which specifies the rights the source vertex has over the destination vertex.
–R is a pre-defined set of rights, containing at least two distinguished administrative-type rights: t (take) and g (grant). Example: R = {r,w,t,g}.

18 Graph Rewriting
Here the evolution of the permissions over time is represented as rewriting a graph (to create another graph) according to a fixed set of 4 administrative rules, called "de jure" (by law) rules:
–take
–grant
–create
–remove
The safety problem is then formalised as follows: can a certain permission be granted after an (unlimited in time) amount of rewriting according to these rules?

19 Transfer of Privileges between two subjects s, x
–take allows subject s to take ANY privilege r of the subject x.
–grant allows s to grant ANY privilege r it possesses to the subject x.

20 Creation of Files/Processes and Creation/Destruction of Rights
Here we have a subject s and an x that can be either a Subject or an Object.
–create allows subject s to create a new Subject/Object x with ANY chosen subset of rights A ⊆ R.
–remove allows s to remove ANY existing privilege r from the set of rights it holds on the Subject/Object x, and deletes edges that become empty.
In both cases: voluntary limitation of rights, cf. the least privilege principle.

21 Take-Grant Model

22 Take-Grant Model
Insufficient for many real-life applications; several things are missing here:
Lack of selectivity:
–take and grant apply to any right, including t and g.
Lack of control on propagation:
–once I grant a right to a, it can be granted to the next process b if a has the right g on the process b;
–it can also be taken by all subjects c that have the right t on a.
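The four de jure rules of slides 18 to 20, replayed on the propagation problem of slide 22, as an added example (not code from the slides): a right that s grants to a is passed on to b, because a holds g on b, and is taken by c, because c holds t on a. The vertex names, the right set R = {r,w,t,g} and the initial edges are assumptions constructed for the demonstration.

```python
from collections import defaultdict

class TakeGrant:
    """Directed graph G = (S ∪ O, E); edges[(x, y)] is the subset of R that x has over y."""
    def __init__(self, subjects):
        self.subjects = set(subjects)
        self.edges = defaultdict(set)

    def rights(self, x, y): return self.edges.get((x, y), set())

    # take: subject s has t on x and x has r on y  ==>  s gets r on y
    def take(self, s, x, r, y):
        if s not in self.subjects or "t" not in self.rights(s, x) or r not in self.rights(x, y):
            return False
        self.edges[(s, y)].add(r); return True

    # grant: subject s has g on x and s has r on y  ==>  x gets r on y
    def grant(self, s, x, r, y):
        if s not in self.subjects or "g" not in self.rights(s, x) or r not in self.rights(s, y):
            return False
        self.edges[(x, y)].add(r); return True

    # create: subject s creates a fresh vertex x with any chosen subset A of R
    def create(self, s, x, A, subject=False):
        if s not in self.subjects or x in self.subjects or any(x in e for e in self.edges):
            return False
        if subject: self.subjects.add(x)
        self.edges[(s, x)] = set(A); return True

    # remove: s drops r from its own edge to x; an edge that becomes empty is deleted
    def remove(self, s, r, x):
        self.edges[(s, x)].discard(r)
        if not self.edges[(s, x)]: del self.edges[(s, x)]

def propagation_demo():
    """Slide 22's complaint, replayed: a right granted to a leaks to b (a has g on b)
    and to c (c has t on a), and s has no rule with which to stop it."""
    g = TakeGrant({"s", "a", "b", "c"})
    g.edges[("s", "a")].add("g")                     # s may grant to a
    g.edges[("a", "b")].add("g")                     # a may grant to b
    g.edges[("c", "a")].add("t")                     # c may take from a
    g.create("s", "file", {"r", "w"})                # s creates an object with r, w
    g.grant("s", "a", "r", "file")                   # s shares read access with a ...
    g.grant("a", "b", "r", "file")                   # ... a passes it on to b ...
    g.take("c", "a", "r", "file")                    # ... and c helps itself
    g.remove("s", "w", "file")                       # s drops its own w: least privilege
    return {v: sorted(g.rights(v, "file")) for v in ("s", "a", "b", "c")}
```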

