Chapter 3: Foundational Results

• Overview
• Harrison-Ruzzo-Ullman result
– Corollaries

November 1, 2004 Introduction to Computer Security Slide #3-1


©2004 Matt Bishop
Overview
• Safety Question
• HRU Model

What Is “Secure”?
• Adding a generic right r where there was
not one is “leaking”
• If a system S, beginning in initial state s0,
cannot leak right r, it is safe with respect to
the right r.

Safety Question
• Does there exist an algorithm for
determining whether a protection system S
with initial state s0 is safe with respect to a
generic right r?
– Here, “safe” = “secure” for an abstract model

Mono-Operational Commands
• Answer: yes
• Sketch of proof:
– Consider a minimal sequence of commands c1, …, ck that leaks the right
– Can omit delete, destroy
– Can merge all creates into one
– Worst case: insert every right into every entry; with s subjects and o objects initially, and n rights, upper bound is k ≤ n(s+1)(o+1)
General Case
• Answer: no
• Sketch of proof:
Reduce halting problem to safety problem
Turing Machine review:
– Infinite tape in one direction
– States K, symbols M; distinguished blank b
– Transition function δ(k, m) = (k′, m′, L) means: in state k, symbol m on the tape location under the head is replaced by symbol m′, the head moves left one square, and the machine enters state k′
– Halting state is qf; TM halts when it enters this state
Mapping
Tape (head on cell 3, current state k):
  cell:   1  2  3  4  …
  symbol: A  B  C  D  …

Access control matrix (one subject per tape cell; the head's cell also holds the state right, the rightmost cell holds end):
        s1    s2    s3     s4
  s1    A     own
  s2          B     own
  s3                C k    own
  s4                       D end
Mapping
After δ(k, C) = (k1, X, R), where k is the current state and k1 the next state (head now on cell 4):
  cell:   1  2  3  4  …
  symbol: A  B  X  D  …

Access control matrix:
        s1    s2    s3    s4
  s1    A     own
  s2          B     own
  s3                X     own
  s4                      D k1 end
Command Mapping
δ(k, C) = (k1, X, R) at an intermediate cell becomes
command c_{k,C}(s3, s4)
if own in A[s3,s4] and k in A[s3,s3]
and C in A[s3,s3]
then
delete k from A[s3,s3];
delete C from A[s3,s3];
enter X into A[s3,s3];
enter k1 into A[s4,s4];
end

Mapping
After δ(k1, D) = (k2, Y, R), where k1 is the current state and k2 the next state (head now on the newly created cell 5, which holds the blank b):
  cell:   1  2  3  4  5
  symbol: A  B  X  Y  b

Access control matrix:
        s1    s2    s3    s4    s5
  s1    A     own
  s2          B     own
  s3                X     own
  s4                      Y     own
  s5                            b k2 end
Command Mapping
δ(k1, D) = (k2, Y, R) at the end cell becomes
command c_{rightmost k,C}(s4, s5)
if end in A[s4,s4] and k1 in A[s4,s4]
and D in A[s4,s4]
then
delete end from A[s4,s4];
create subject s5;
enter own into A[s4,s5];
enter end into A[s5,s5];
delete k1 from A[s4,s4];
delete D from A[s4,s4];
enter Y into A[s4,s4];
enter k2 into A[s5,s5];
end
Rest of Proof
• Protection system exactly simulates a TM
– Exactly 1 end right in the ACM
– Exactly 1 state right in the ACM (in the head's cell), corresponding to the current state
– Thus, at most 1 applicable command at any time
• If TM enters state qf, then right has leaked
• If safety question decidable, then represent TM as
above and determine if qf leaks
– Implies halting problem decidable
• Conclusion: safety question undecidable
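The two command mappings (slides 3-9 and 3-11) and the simulation invariants of slide 3-12, run as a small Python model. This is an added example, not Bishop's code: the ACM is a dict of right sets, tape symbols, states and the blank b are plain strings, and entering b into the new cell's entry is this example's way of producing the b that slide 3-10 draws in A[s5,s5] (the slide's command text does not list that step).

```python
# Added example: HRU protection system simulating the TM transitions on slides 3-7 to 3-11.
from collections import defaultdict

def initial_acm():
    """Slide 3-7: tape A B C D, head on cell 3 in state k, 'end' on cell 4."""
    acm = defaultdict(set)           # (subject, object) -> set of rights
    for i, sym in enumerate("ABCD", start=1):
        acm[(f"s{i}", f"s{i}")].add(sym)           # cell i holds symbol sym
        if i < 4:
            acm[(f"s{i}", f"s{i+1}")].add("own")   # cell i owns cell i+1
    acm[("s3", "s3")].add("k")       # the head's cell also holds the state
    acm[("s4", "s4")].add("end")     # rightmost cell is marked 'end'
    return acm

def c_intermediate(acm, si, sj, k, m, k1, m1):
    """Slide 3-9: delta(k, m) = (k1, m1, R) with the head not at the end."""
    if "own" in acm[(si, sj)] and {k, m} <= acm[(si, si)]:
        acm[(si, si)] -= {k, m}      # delete k, delete m
        acm[(si, si)].add(m1)        # enter m1
        acm[(sj, sj)].add(k1)        # enter k1 (head moves right)
        return True
    return False

def c_rightmost(acm, si, sj, k, m, k1, m1):
    """Slide 3-11: same transition at the rightmost cell; a new subject sj
    is created for the fresh tape cell and the 'end' marker moves to it."""
    if {"end", k, m} <= acm[(si, si)]:
        acm[(si, si)].discard("end")
        acm[(sj, sj)] = {"b"}        # create subject sj; 'b' is the blank
        acm[(si, sj)].add("own")     # (assumption: slide 3-10 shows b in A[s5,s5])
        acm[(sj, sj)].add("end")
        acm[(si, si)] -= {k, m}
        acm[(si, si)].add(m1)
        acm[(sj, sj)].add(k1)
        return True
    return False

def leaked(acm, right):              # slide 3-12: a right leaks once it appears anywhere
    return any(right in rights for rights in acm.values())

def tape(acm, cells):                # each cell entry holds exactly one tape symbol
    return "".join((acm[(s, s)] & set("ABCDXYb")).pop() for s in cells)

def run_slides():
    acm = initial_acm()
    applied = [c_intermediate(acm, "s3", "s4", "k", "C", "k1", "X"),   # slide 3-8
               c_rightmost(acm, "s4", "s5", "k1", "D", "k2", "Y"),     # slide 3-10
               c_intermediate(acm, "s3", "s4", "k", "C", "k1", "X")]   # no state right left: not applicable
    return applied, tape(acm, ["s1", "s2", "s3", "s4", "s5"]), acm
```

The third command in run_slides fails its condition because the single state right has moved on, which is the "at most 1 applicable command" invariant; leaked(acm, "k2") is the check the reduction applies to qf.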
Other Results
• Set of unsafe systems is recursively enumerable
• Delete create primitive; then safety question is complete in
P-SPACE
• Delete destroy, delete primitives; then safety question is
undecidable
– Systems are monotonic
• Safety question for monoconditional, monotonic protection
systems is decidable
• Safety question for monoconditional protection systems
with create, enter, delete (and no destroy) is decidable.
Key Points
• Safety problem undecidable
• Limiting scope of systems can make
problem decidable
