Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 4 September 18, 2012 Access Control Model Foundational Results.

Published byRandolf Copeland Modified over 8 years ago

Similar presentations

Presentation on theme: "1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 4 September 18, 2012 Access Control Model Foundational Results."— Presentation transcript:

1 1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 4 September 18, 2012 Access Control Model Foundational Results

2 Objective Understand the basic results of the HRU model Saftey issue Turing machine Undecidability 2

3 3 Safety Problem: formally Given Initial state X 0 = (S 0, O 0, A 0 ) Set of primitive commands c r is not in A 0 [s, o] Can we reach a state X n where  s,o such that A n [s,o] includes a right r not in A 0 [s,o]? - If so, the system is not safe - But is “safe” secure?

4 4 Undecidable Problems Decidable Problem A decision problem can be solved by an algorithm that halts on all inputs in a finite number of steps. Undecidable Problem A problem that cannot be solved for all cases by any algorithm whatsoever

5 5 Decidability Results (Harrison, Ruzzo, Ullman) Theorem: Given a system where each command consists of a single primitive command (mono-operational), there exists an algorithm that will determine if a protection system with initial state X 0 is safe with respect to right r.

6 6 Decidability Results (Harrison, Ruzzo, Ullman) Proof: determine minimum commands k to leak Delete/destroy: Can’t leak Create/enter: new subjects/objects “equal”, so treat all new subjects as one No test for absence of right Tests on A[s 1, o 1 ] and A[s 2, o 2 ] have same result as the same tests on A[s 1, o 1 ] and A[s 1, o 2 ] = A[s 1, o 2 ]  A[s 2, o 2 ] If n rights leak possible, must be able to leak k= n(|S 0 |+1)(|O 0 |+1)+1 commands Enumerate all possible states to decide

7 7 c1c1 c2c2 cici cjcj cmcm cncn cxcx cycy cici cncn cycy Delete/destroy REMOVE these caca cbcb c2c2 cjcj cbcb Initial A Create Statements Create s 1 ; Create s 2 s1s1 s2s2 s1s1 s2s2 After execution of c b Discard these s1s1 s1s1 …… But the condition of c m needs to be changed

8 c1c1 c2c2 cici cjcj cmcm cncn cxcx cycy cici cncn cycy Delete/destroy REMOVE these caca cbcb c2c2 cjcj cbcb Initial A Create Statements Create s 1 s1s1 s2s2 s1s1 s2s2 Just use first create s1s1 s1s1 After two creates o1o1o1o1 o2o2o2o2 XY Z YZY  ZYZY  Z X o1o1o1o1 o2o2o2o2 Condition If Condition Enter statement r  A[s 1, o 1 ] r  A[s 2, o 2 ] r  A[s 1, o 1 ] r  A[s 1, o 2 ] where A[s 1, o 2 ] = A[s 1, o 2 ]  A[s 2, o 2 ]

9 9 Decidability Results (Harrison, Ruzzo, Ullman) Proof: determine minimum commands k to leak Delete/destroy: Can’t leak Create/enter: new subjects/objects “equal”, so treat all new subjects as one No test for absence of right Tests on A[s 1, o 1 ] and A[s 2, o 2 ] have same result as the same tests on A[s 1, o 1 ] and A[s 1, o 2 ] = A[s 1, o 2 ]  A[s 2, o 2 ] If n rights leak possible, must be able to leak k= n(|S 0 |+1)(|O 0 |+1)+1 commands Enumerate all possible states to decide

10 10 Decidability Results (Harrison, Ruzzo, Ullman) It is undecidable if a given state of a given protection system is safe for a given generic right For proof – need to know Turing machines and halting problem

11 11 Turing Machine & halting problem The halting problem: Given a description of an algorithm and a description of its initial arguments, determine whether the algorithm, when executed with these arguments, ever halts (the alternative is that it runs forever without halting).

12 12 Turing Machine & Safety problem Theorem: It is undecidable if a given state of a given protection system is safe for a given generic right Reduce TM to Safety problem If Safety problem is decidable then it implies that TM halts (for all inputs) – showing that the halting problem is decidable (contradiction) TM is an abstract model of computer Alan Turing in 1936

13 13 Turing Machine TM consists of A tape divided into cells; infinite in one direction A set of tape symbols M M contains a special blank symbol b A set of states K A head that can read and write symbols An action table that tells the machine how to transition What symbol to write How to move the head (‘L’ for left and ‘R’ for right) What is the next state A BC … head Current state is k Current symbol is C D

14 14 Turing Machine Transition function  (k, m) = (k, m, L): In state k, symbol m on tape location is replaced by symbol m, Head moves one cell to the left, and TM enters state k Halting state is q f TM halts when it enters this state A BC … head Current state is k Current symbol is C D Let  (k, C) = (k 1, X, R) where k 1 is the next state Let  (k, C) = (k 1, X, R) where k 1 is the next state

15 15 Turing Machine 1234 Let  (k, C) = (k 1, X, R) where k 1 is the next state A BC … head Current state is k Current symbol is C D A B? … 1234 head ? A B? … 1234 ? Let  (k 1, D) = (k 2, Y, L) where k 2 is the next state ? ?

16 16 TM2Safety Reduction Proof: Reduce TM to safety problem Symbols, States  rights Tape cell  subject Cell s i has A  s i has A rights on itself Cell s k  s k has end rights on itself State p, head at s i  s i has p rights on itself Distinguished Right own: s i owns s i +1 for 1 ≤ i < k s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B C k D end own A BC … 124 head Current state is k Current symbol is C D 1 234

17 17 Command Mapping (Left move)  (k, C) = (k 1, X, L) If head is not in leftmost command c k,C (s i, s i-1 ) if own in a[s i-1, s i ] and k in a[s i, s i ] and C in a[s i, s i ] then delete k from A[s i,s i ]; delete C from A[s i,s i ]; enter X into A[s i,s i ]; enter k 1 into A[s i-1, s i-1 ]; End s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B C k D end own A BC … 124 head Current state is k Current symbol is C D 1 234  (k, C) = (k 1, X, L)

18 18 Command Mapping (Left move)  (k, C) = (k 1, X, L) If head is not in leftmost command c k,C (s i, s i-1 ) if own in a[s i-1, s i ] and k in a[s i, s i ] and C in a[s i, s i ] then delete k from A[s i,s i ]; delete C from A[s i,s i ]; enter X into A[s i,s i ]; enter k 1 into A[s i-1, s i-1 ]; End s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B k 1 X D end own A BX … 124 head Current state is k 1 Current symbol is D D 1 234  (k, C) = (k 1, X, L) If head is in leftmost both s i and s i-1 are s 1

19 19 Command Mapping (Right move)  (k, C) = (k 1, X, R) command c k,C (s i, s i+1 ) if own in a[s i, s i+1 ] and k in a[s i, s i ] and C in a[s i, s i ] then delete k from A[s i,s i ]; delete C from A[s i,s i ]; enter X into A[s i,s i ]; enter k 1 into A[s i+1, s i+1 ]; end s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B C k D end own A BC … 124 head Current state is k Current symbol is C D 1 234  (k, C) = (k 1, X, R)

20 20 Command Mapping (Right move)  (k, C) = (k 1, X, R) command c k,C (s i, s i+1 ) if own in a[s i, s i+1 ] and k in a[s i, s i ] and C in a[s i, s i ] then delete k from A[s i,s i ]; delete C from A[s i,s i ]; enter X into A[s i,s i ]; enter k 1 into A[s i+1, s i+1 ]; end s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B X D k 1 end own A BC … 124 head Current state is k 1 Current symbol is C D 1 234  (k, C) = (k 1, X, R)

21 21 Command Mapping (Rightmost move)  (k 1, D) = (k 2, Y, R) at end becomes command crightmost k,C (s i,s i+1 ) if end in a[s i,s i ] and k 1 in a[s i,s i ] and D in a[s i,s i ] then delete end from a[s i,s i ]; create subject s i+1 ; enter own into a[s i,s i+1 ]; enter end into a[s i+1, s i+1 ]; delete k 1 from a[s i,s i ]; delete D from a[s i,s i ]; enter Y into a[s i,s i ]; enter k 2 into A[s i,s i ]; end s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B X D k 1 end own A BX … 124 head Current state is k 1 Current symbol is C D 1 234  (k 1, C) = (k 2, Y, R)

22 22 Command Mapping (Rightmost move)  (k 1, D) = (k 2, Y, R) at end becomes command crightmost k,C (s i,s i+1 ) if end in a[s i,s i ] and k 1 in a[s i,s i ] and D in a[s i,s i ] then delete end from a[s i,s i ]; create subject s i+1 ; enter own into a[s i,s i+1 ]; enter end into a[s i+1, s i+1 ]; delete k 1 from a[s i,s i ]; delete D from a[s i,s i ]; enter Y into a[s i,s i ]; enter k 2 into A[s i,s i ]; end s1s1 s2s2 s3s3 s4s4 s4s4 s3s3 s2s2 s1s1 A B X Y own A BX … 124 head Current state is k 1 Current symbol is D D 1 234  (k 1, D) = (k 2, Y, R) b k 2 end own s5s5 s5s5

23 23 Rest of Proof Protection system exactly simulates a TM Exactly 1 end right in ACM Only 1 right corresponds to a state Thus, at most 1 applicable command in each configuration of the TM If TM enters state q f, then right has leaked If safety question decidable, then represent TM as above and determine if q f leaks Leaks halting state  halting state in the matrix  Halting state reached Conclusion: safety question undecidable

24 24 Other results For protection system without the create primitives, (i.e., delete create primitive); the safety question is complete in P-SPACE It is undecidable whether a given configuration of a given monotonic protection system is safe for a given generic right Delete destroy, delete primitives; The system becomes monotonic as they only increase in size and complexity The safety question for biconditional monotonic protection systems is undecidable The safety question for monoconditional, monotonic protection systems is decidable The safety question for monoconditional protection systems with create, enter, delete (and no destroy) is decidable.

Download ppt "1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 4 September 18, 2012 Access Control Model Foundational Results."

Similar presentations

Variants of Turing machines

Variants of Turing machines
1 1 -Access Control - 2 - Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.

1 1 -Access Control Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.
Simulating a modern computer by a Turing machine and vice versa CS 6800 Instructor: Dr. Elise de Doncker By Shweta Gowda Saikiran Ponnam.

Simulating a modern computer by a Turing machine and vice versa CS 6800 Instructor: Dr. Elise de Doncker By Shweta Gowda Saikiran Ponnam.
Complexity 7-1 Complexity Andrei Bulatov Complexity of Problems.

Complexity 7-1 Complexity Andrei Bulatov Complexity of Problems.
1 Introduction to Computability Theory Lecture11: Variants of Turing Machines Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture11: Variants of Turing Machines Prof. Amos Israeli.
The Halting Problem Sipser 4.2 (pages 173-182).

The Halting Problem Sipser 4.2 (pages ).
Prof. Busch - LSU1 Decidable Languages. Prof. Busch - LSU2 Recall that: A language is Turing-Acceptable if there is a Turing machine that accepts Also.

Prof. Busch - LSU1 Decidable Languages. Prof. Busch - LSU2 Recall that: A language is Turing-Acceptable if there is a Turing machine that accepts Also.
P, NP, PS, and NPS By Muhannad Harrim. Class P P is the complexity class containing decision problems which can be solved by a Deterministic Turing machine.

P, NP, PS, and NPS By Muhannad Harrim. Class P P is the complexity class containing decision problems which can be solved by a Deterministic Turing machine.
Complexity ©D.Moshkovitz 1 Turing Machines. Complexity ©D.Moshkovitz 2 Motivation Our main goal in this course is to analyze problems and categorize them.

Complexity ©D.Moshkovitz 1 Turing Machines. Complexity ©D.Moshkovitz 2 Motivation Our main goal in this course is to analyze problems and categorize them.
Fall 2003Costas Busch - RPI1 Decidability. Fall 2003Costas Busch - RPI2 Recall: A language is decidable (recursive), if there is a Turing machine (decider)

Fall 2003Costas Busch - RPI1 Decidability. Fall 2003Costas Busch - RPI2 Recall: A language is decidable (recursive), if there is a Turing machine (decider)
CS5371 Theory of Computation Lecture 11: Computability Theory II (TM Variants, Church-Turing Thesis)

CS5371 Theory of Computation Lecture 11: Computability Theory II (TM Variants, Church-Turing Thesis)
Complexity 5-1 Complexity Andrei Bulatov Complexity of Problems.

Complexity 5-1 Complexity Andrei Bulatov Complexity of Problems.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
Fall 2004COMP 3351 Reducibility. Fall 2004COMP 3352 Problem is reduced to problem If we can solve problem then we can solve problem.

Fall 2004COMP 3351 Reducibility. Fall 2004COMP 3352 Problem is reduced to problem If we can solve problem then we can solve problem.
CS5371 Theory of Computation Lecture 10: Computability Theory I (Turing Machine)

CS5371 Theory of Computation Lecture 10: Computability Theory I (Turing Machine)
1 Foundations of Software Design Fall 2002 Marti Hearst Lecture 29: Computability, Turing Machines, Can Computers Think?

1 Foundations of Software Design Fall 2002 Marti Hearst Lecture 29: Computability, Turing Machines, Can Computers Think?
Courtesy Costas Busch - RPI1 Reducibility. Courtesy Costas Busch - RPI2 Problem is reduced to problem If we can solve problem then we can solve problem.

Courtesy Costas Busch - RPI1 Reducibility. Courtesy Costas Busch - RPI2 Problem is reduced to problem If we can solve problem then we can solve problem.
Finite State Machines 3 95-771 Data Structures and Algorithms for Information Processing 1.

Finite State Machines Data Structures and Algorithms for Information Processing 1.
1 Reducibility. 2 Problem is reduced to problem If we can solve problem then we can solve problem.

1 Reducibility. 2 Problem is reduced to problem If we can solve problem then we can solve problem.
1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.

1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.

Similar presentations

Ads by Google