Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop INFSCI 2935: Introduction...
-
Upload
justin-wood -
Category
Documents
-
view
213 -
download
0
Transcript of Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop INFSCI 2935: Introduction...
Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop
INFSCI 2935: Introduction of Computer Security
1
Sunday, October 17, 2004Sunday, October 17, 2004
Introduction to Introduction to Computer SecurityComputer Security
ReviewReview
IS 2935 / TEL 2810: Introduction to Computer Security 2
Mathematical InductionMathematical Induction
Proof technique - to prove some mathematical Proof technique - to prove some mathematical propertyproperty
E.g. want to prove that M(n) holds for all natural E.g. want to prove that M(n) holds for all natural numbersnumbers Base case:
Prove that M(1) holds – called Induction Hypothesis:
Assert that M(n) holds for n = 1 to k Induction Step:
Prove that if M(k) holds then M(k+1) holds Exercise: prove that sum of first n natural Exercise: prove that sum of first n natural
numbers is numbers is 1 + … + n = n(n + 1)/2
IS 2935 / TEL 2810: Introduction to Computer Security 3
LatticeLattice
Let S, a setLet S, a set Cartesian product: S x SCartesian product: S x S Binary relation R on S is a subset of S x SBinary relation R on S is a subset of S x S IF (a, b) IF (a, b) R we write aRb R we write aRb
Example, R is “less than equal to” () If S = {1, 2, 3} then R is {(1, 1), (1, 2), (1, 3), ????) (1, 2) R is another way of writing 1 2
Properties of relationsProperties of relations Reflexive: is aRa for all a S Antis-symmetric: if aRb and bRa implies a = b for all a, b S Transitive: if aRb and bRc imply that aRc for all a, b, c S Which properties hold for “less than equal to” ()?
IS 2935 / TEL 2810: Introduction to Computer Security 4
LatticeLattice
Total ordering: when the relation orders all elementsTotal ordering: when the relation orders all elements E.g., “less than equal to” () on natural numbers
Partial ordering (poset): when the relation orders only Partial ordering (poset): when the relation orders only some elements not allsome elements not all E.g. “less than equal to” () on complex numbers; Consider (2 +
4i) and (3 + 2i) Upper bound (u, a, b Upper bound (u, a, b S S))
u is an upper bound of a and b means aRu and bRu Least upper bound : lub(a, b) closest upper bound
Lower bound (u, a, b Lower bound (u, a, b S S)) l is a lower bound of a and b means lRa and lRb Greatest lower bound : glb(a, b) closest lower bound
IS 2935 / TEL 2810: Introduction to Computer Security 5
LatticeLattice
A lattice is the combination of a set of elements A lattice is the combination of a set of elements S and a relation R meeting the following criteriaS and a relation R meeting the following criteria R is reflexive, antisymmetric, and transitive on the
elements of S For every s, t S, there exists a greatest lower bound For every s, t S, there exists a lowest upper bound
What about S = {1, 2, 3} and R = What about S = {1, 2, 3} and R = ?? What about S = {2+4i; 1+2i; 3+2i, 3+4i} and R = What about S = {2+4i; 1+2i; 3+2i, 3+4i} and R =
??
IS 2935 / TEL 2810: Introduction to Computer Security 6
Take-Grant Protection ModelTake-Grant Protection Model
System is represented as a directed graphSystem is represented as a directed graph Subject: Object: Labeled edge indicate the rights that the source object has on the
destination object FourFour graph rewriting rules (“de jure”, “by law”, “by rights”)graph rewriting rules (“de jure”, “by law”, “by rights”)
The graph changes as the protection state changes according to
1. Take rule: if 1. Take rule: if t t γγ, the take rule produces another graph with a , the take rule produces another graph with a transitive edge transitive edge αα ββ addedadded..
Either:
γ
α
βγ β├├
x z y x z y
x takes (α to y) from z
IS 2935 / TEL 2810: Introduction to Computer Security 7
Take-Grant Protection ModelTake-Grant Protection Model
2. Grant rule: if 2. Grant rule: if g g γγ, the take rule produces another graph with a , the take rule produces another graph with a transitive edge transitive edge αα ββ added. added.
γ
α
βγ β├├
x z y x z y
3. Create rule:3. Create rule: ├├α
x x y
4. Remove rule:4. Remove rule: ├├β -α
x y
β
x y
z grants (α to y) to x
x creates (α to new vertex) y
x removes (α to) y
IS 2935 / TEL 2810: Introduction to Computer Security 8
Take-Grant Protection Model:Take-Grant Protection Model:SharingSharing
Given Given GG00, can vertex , can vertex xx obtain obtain αα rights over rights over yy?? Can_share(α,x, y,G0) is true iff
G0├* Gn using the four rules, &
There is an α edge from x to y in Gn
tg-pathtg-path: : vv00,…,,…,vvnn with with t or or g edge between any edge between any
pair of vertices pair of vertices vvii, , vvi+1i+1
Vertices tg-connected if tg-path between them
Theorem: Any two subjects with Theorem: Any two subjects with tg-pathtg-path of of length 1 can share rightslength 1 can share rights
IS 2935 / TEL 2810: Introduction to Computer Security 9
Any two subjects with Any two subjects with tg-pathtg-path of length 1 of length 1 can share rightscan share rights
Four possible length 1 Four possible length 1 tgtg-paths-paths
1. Take rule1. Take rule
2. Grant rule2. Grant rule
3. Lemma 3.13. Lemma 3.1
4. Lemma 3.24. Lemma 3.2
{t} β α
β α{g}
β α{t}
{g} β α
Can_share(α, xx, , yy,G0)
x yz
IS 2935 / TEL 2810: Introduction to Computer Security 10
Any two subjects with Any two subjects with tg-pathtg-path of length 1 of length 1 can share rightscan share rights
Lemma 3.1Lemma 3.1 Sequence:
Create Take Grant Take
β α
α
{t}
Can_share(α, xx, , yy,G0)
x y
gtg
β α{t}
α
z
IS 2935 / TEL 2810: Introduction to Computer Security 11
Other definitionsOther definitions
IslandIsland: Maximal : Maximal tgtg-connected subject-only -connected subject-only subgraphsubgraph Can_share all rights in island Proof: Induction from previous theorem
BridgeBridge: : tgtg-path between subjects v-path between subjects v00 and and vvnn with edges of the following form: with edges of the following form: t→*, t←* t→*, g→, t←* t→*, g←, t←*
g tt
v0 vn
IS 2935 / TEL 2810: Introduction to Computer Security 12
BridgeBridge
g tt
v0 vnα
By lemma 3.1
By grant By take
αα
α
IS 2935 / TEL 2810: Introduction to Computer Security 13
Theorem: Can_share(Theorem: Can_share(αα,,xx,,yy,,GG00))
(for subjects)(for subjects)
Subject_can_shareSubject_can_share((αα, , xx, , yy,,GG00) is true iff if ) is true iff if xx and and yy are are subjects andsubjects and there is an α edge from x to y in G0 OR if: a subject s G0 with an s-s-to-yy α edge, and islands I1, …, In such that xx I1, s In, and there is a bridge
from Ij to Ij+1
x s α
αα
α
yII11
II22
IInn
IS 2935 / TEL 2810: Introduction to Computer Security 14
What about objects?What about objects?Initial, terminal spansInitial, terminal spans
xx initially spansinitially spans to to yy if if xx is a subject and is a subject and there is a there is a tgtg-path between them with -path between them with tt edges ending in a edges ending in a gg edge (i.e., edge (i.e., tt→→*g*g→→))xx can grant a right to yy
xx terminally spansterminally spans to to yy if if xx is a subject and is a subject and there is a there is a tgtg-path between them with -path between them with tt edges (i.e., edges (i.e., tt→→**))xx can take a right from yy
IS 2935 / TEL 2810: Introduction to Computer Security 15
Theorem: Can_share(Theorem: Can_share(αα,,xx,,yy,,GG00))
Can_share(Can_share(αα,,xx, , yy,,GG00) iff there is an ) iff there is an αα edge from edge from xx to to yy in in GG00 or if: or if: a vertex ss G0 with an ss to yy α edge, a subject x’x’ such that x’=xx’=x or x’x’ initially spans to xx, a subject s’s’ such that s’=ss’=s or s’s’ terminally spans to ss, and islands II1, …, IIn such that x’x’ II1, s’s’ IIn, and there is a bridge
from Ij to Ij+1
x’ s’ α
αα
α
yII11
II22
IInn
s
x
x’x’ can grant a right to can grant a right to xx s’s’ can take a right from can take a right from ss
IS 2935 / TEL 2810: Introduction to Computer Security 16
Theorem: Can_share(Theorem: Can_share(αα,,xx,,yy,,GG00))
(for subjects)(for subjects)
Subject_can_shareSubject_can_share((αα, , xx, , yy,,GG00) is true iff ) is true iff xx and and yy are are subjects andsubjects and there is an α edge from x to y in G0 OR if: a subject s G0 with an s-s-to-yy α edge, and islands I1, …, In such that xx I1, s In, and there is a bridge
from Ij to Ij+1
x s α
αα
α
yII11
II22
IInn
IS 2935 / TEL 2810: Introduction to Computer Security 17
What about objects?What about objects?Initial, terminal spansInitial, terminal spans
xx initially spansinitially spans to to yy if if xx is a subject and is a subject and there is a there is a tgtg-path associated with word -path associated with word {{tt→→*g*g→→} between them} between themxx can grant a right to yy
xx terminally spansterminally spans to to yy if if xx is a subject and is a subject and there is a there is a tgtg-path associated with word -path associated with word {{tt→→**} between them} between themxx can take a right from yy
IS 2935 / TEL 2810: Introduction to Computer Security 18
Theorem: Can_share(Theorem: Can_share(αα,,xx,,yy,,GG00))
Can_share(Can_share(αα,,xx, , yy,,GG00) iff there is an ) iff there is an αα edge from edge from xx to to yy in in GG00 or if: or if: a vertex ss G0 with an ss to yy α edge, a subject x’x’ such that x’=xx’=x or x’x’ initially spans to xx, a subject s’s’ such that s’=ss’=s or s’s’ terminally spans to ss, and islands II1, …, IIn such that x’x’ II1, s’s’ IIn, and there is a bridge
from Ij to Ij+1
x’ s’ α
αα
α
yII11
II22
IInn
s
x
x’x’ can grant a right to can grant a right to xx s’s’ can take a right from can take a right from ss
α
IS 2935 / TEL 2810: Introduction to Computer Security 19
Theorem: Can_share(Theorem: Can_share(αα,,xx,,yy,,GG00))
Corollary: There is an Corollary: There is an OO(|(|VV|+||+|EE|) algorithm to test |) algorithm to test can_share: can_share: Decidable in linear time!!Decidable in linear time!!
Theorem:Theorem: Let G0 contain exactly one vertex and no edges, R a set of rights. G0 ├* G iff G is a finite directed acyclic graph, with edges labeled
from R, and at least one subject with no incoming edge. Only if part: v is initial subject and G0 ├* G;
No rule allows the deletion of a vertexNo rule allows an incoming edge to be added to a
vertex without any incoming edges. Hence, as v has no incoming edges, it cannot be assigned any
IS 2935 / TEL 2810: Introduction to Computer Security 20
Theorem: Can_share(Theorem: Can_share(αα,,xx,,yy,,GG00))
If part : G meets the requirement Assume v is the vertex with no incoming edge
and apply rules
1. Perform “v creates (α {g} to) new xi” for all 2<=i <= n, and α is union of all labels on the incoming edges going into xi in G
2. For all pairs x, y with x α over y in G, perform “v grants (α to y) to x”
3. If β is the set of rights x has over y in G, perform “v removes (α {g} - β) to y”
IS 2935 / TEL 2810: Introduction to Computer Security 21
ExampleExample
IS 2935 / TEL 2810: Introduction to Computer Security 22
Take-Grant Model: Take-Grant Model: Sharing through a Trusted EntitySharing through a Trusted Entity
Let Let pp and and qq be two processes be two processes Let Let bb be a buffer that they share to communicate be a buffer that they share to communicate Let Let ss be third party (e.g. operating system) that be third party (e.g. operating system) that
controls controls bb
g
g
q
bs
rwrw
rw
urw
vrw
g
g
q
s
urw
vrw
Witness• S creates ({r, w}, to new object) b• S grants ({r, w}, b) to p• S grants ({r, w}, b) to q
IS 2935 / TEL 2810: Introduction to Computer Security 23
Theft in Take-Grant ModelTheft in Take-Grant Model
Can_stealCan_steal((αα,,xx,,yy,,GG00) is true if there is no ) is true if there is no αα edge edge from from xx to to yy in in GG00 and and sequence sequence GG11, …, , …, GGnn s. t.: s. t.: α edge from x to y in Gn,, rules ρ1,…, ρn that take Gi-1├ ρi Gi , and v,w Gi, 1≤i<n, if α edge from v to y in G0 then
ρi is not “v grants (α to y) to w”
- Disallows owners of α rights to y from transferring those rights
- Does not disallow them to transfer other rights- This models a Trojan horse
IS 2935 / TEL 2810: Introduction to Computer Security 24
A witness to theftA witness to theft
u grants (t to v) to su grants (t to v) to ss takes (t to u) from vs takes (t to u) from vs takes (s takes (αα to w) from u to w) from u
g
s
w
t
t
ααu
v
IS 2935 / TEL 2810: Introduction to Computer Security 25
ConspiracyConspiracy
Theft indicates cooperation: which subjects are actors in Theft indicates cooperation: which subjects are actors in a transfer of rights, and which are not?a transfer of rights, and which are not?
Next question is Next question is How many subjects are needed to enable Can_share(α,x,y,G0)?
Note that a vertex yNote that a vertex y Can take rights from any vertex to which it terminally spans Can pass rights to any vertex to which it initially spans
Access set A(Access set A(yy) with focus ) with focus yy (y is subject) is union of (y is subject) is union of set of vertices y, vertices to which y initially spans, and vertices to which y terminally spans
IS 2935 / TEL 2810: Introduction to Computer Security 26
ConspiracyConspiracy
Deletion set Deletion set δδ(y,y’): All z (y,y’): All z A(y) A(y) ∩∩ A(y’) for A(y’) for whichwhich y initially spans to z and y’ terminally spans to z y terminally spans to z and y’ initially spans to z z=y & z=y’
Conspiracy graph H of GConspiracy graph H of G00: : Represents the paths along which subjects can
transfer rights For each subject in G0, there is a corresponding
vertex h(x) in H if δ(y,y’) not empty, edge from h(y) to h(y’)
IS 2935 / TEL 2810: Introduction to Computer Security 27
ExampleExample
t g g t
g
tgt gg
a b c d
e
f h i j
x
y
z
r
IS 2935 / TEL 2810: Introduction to Computer Security 28
TheoremsTheorems
I(p) = I(p) = contains the vertex h(p) and the se t of all vertices h(p’)
such that p’ initially spans to p T(q) = T(q) =
contains the vertex h(q) and the se t of all vertices h(q’) such that q’ terminally spans to q
Theorem 3-13: Theorem 3-13: Can_share(α,x,y,G0) iff there is a path from som h(p) in I(x) to
some h(q) in T(y) Theorem 3-14: Theorem 3-14:
Let L be the number of vertices on a shortest path between h(p) and h(q) (as in theorem 3-13), then L conspirators are necessary and sufficient to produce a witness to Can_share(α,x,y,G0)
IS 2935 / TEL 2810: Introduction to Computer Security 29
Schematic Protection ModelSchematic Protection Model
Key idea is to use the notion of a protection type Key idea is to use the notion of a protection type Label that determines how control rights affect an entity Take-Grant:
subject and object are different protection types TS and TO represent subject type set and object set (X) is the type of entity X
A A ticket ticket describes a rightdescribes a right Consists of an entity name and a right symbol: X/z
Possessor of the ticket X/z has right r over entity X Y has tickets X/r, X/w -> Y has tickets X/rw
Each entity X has a set dom(X) of tickets Y/z (X/r:c) = (X)/r:c is the type of a ticket
IS 2935 / TEL 2810: Introduction to Computer Security 30
Schematic Protection ModelSchematic Protection Model
Inert right vs. Control rightInert right vs. Control right Inert right doesn’t affect protection state, e.g. read right take right in Take-Grant model is a control right
Copy flag cCopy flag c Every right r has an associated copyable right rc r:c means r or rc
Manipulation of rightsManipulation of rights A link predicate
Determines if a source and target of a transfer are “connected”
A filter function Determines if a transfer is authorized
IS 2935 / TEL 2810: Introduction to Computer Security 31
Transferring RightsTransferring Rights
domdom((XX) : set of tickets that X has) : set of tickets that X has Link predicate: Link predicate: linklinkii((XX,,YY))
conjunction or disjunction of the following terms X/z dom(X); X/z dom(Y); Y/z dom(X); Y/z dom(Y) true
Determines if X and Y “connected” to transfer right Examples:
Take-Grant: link(X, Y) = Y/g dom(X) v X/tdom(Y) Broadcast: link(X, Y) = X/b dom(X) Pull: link(X, Y) = Y/p dom(Y) Universal: link(X, Y) = true
SchemeScheme: a finite set of link predicates is called a scheme: a finite set of link predicates is called a scheme
IS 2935 / TEL 2810: Introduction to Computer Security 32
Filter FunctionFilter Function
Filter function: Filter function: Imposes conditions on when tickets can be transferred fi: TS x TS → 2TxR (range is copyable rights)
XX//r:cr:c can be copied from can be copied from domdom((YY) to ) to domdom((ZZ) iff ) iff ii s. t. the s. t. the following are true:following are true: X/rc dom(Y) linki(Y, Z) (X)/r:c fi((Y), (Z))
Examples:Examples: If fi((Y), (Z)) = T x R then any rights are transferable If fi((Y), (Z)) = T x RI then only inert rights are transferable If fi((Y), (Z)) = Ө then no tickets are transferable
One filter function is defined for each link predicateOne filter function is defined for each link predicate
IS 2935 / TEL 2810: Introduction to Computer Security 33
SPM Example2SPM Example2
Take-Grant Protection ModelTake-Grant Protection Model TS = { subjects }, TO = { objects } RC = {tc, gc}, RI = {rc, wc}
Note that all rights can be copied in T-G model link(p, q) = p/t dom(q) v q/t dom(p) f(subject, subject) = { subject, object } { tc, gc,
rc, wc } Note that any rights can be transferred in T-G model
IS 2935 / TEL 2810: Introduction to Computer Security 34
Create OperationCreate Operation
Need to handle Need to handle type of the created entity, & tickets added by the creation
Relation Relation can•createcan•create((aa, , bb) ) TSTS x x TT A subject of type a can create an entity of type b
Rule of Rule of acyclic createsacyclic creates Limits the membership in can•create(a, b) If a subject of type a can create a subject of type b, then none of the
descendants can create a subject of type a
a b
c d
a b
c d
IS 2935 / TEL 2810: Introduction to Computer Security 35
Create operation Create operation Distinct TypesDistinct Types
create rulecreate rule cr cr((aa, , bb) specifies the) specifies the tickets introduced when a subject of type a creates an
entity of type b
BB object: object: crcr((aa, , bb) ) { { bb//rr::cc RIRI } } Only inert rights can be created A gets B/r:c iff b/r:c cr(a, b)
BB subject: subject: crcr((aa, , bb) has two parts) has two parts crP(a, b) added to A, crC(a, b) added to B
A gets B/r:c if b/r:c in crP(a, b)
B gets A/r:c if a/r:c in crC(a, b)
IS 2935 / TEL 2810: Introduction to Computer Security 36
ExamplesExamples
Owner-based policyOwner-based policy Users can create files: cc(user, file) holds Creator can give itself any inert rights: cr(user, file) = {file/r:c| r
RI} Take-Grant modelTake-Grant model
A subject can create a subject or an object cc(subject, subject) and cc(subject, object) hold
Subject can give itself any rights over the vertices it creates but the subject does not give the created subject any rights (although grant can be used later)
crC(a, b) = Ө; crP(a, b) = {sub/tc, sub/gc, sub/rc, sub/wc}Hence, cr(sub, sub) = {sub/tc, sub/gc, sub/rc, sub/wc} | Ө cr(sub, obj) = {obj/tc, obj/gc, obj/rc, obj/wc} | Ө
IS 2935 / TEL 2810: Introduction to Computer Security 37
Expressing ConstraintsExpressing Constraints
Entities are classes, methodsEntities are classes, methods Class: set of objects that an access constraint
constrains Method: set of ways an operation can be invoked
OperationsOperations Instantiation: s creates instance of class c: s ├ c Invocation: s1 executes object s2: s1 |→ s2
Access constraintsAccess constraints deny(s op x) when b when b is true, subject s cannot perform op on
(subject or class) x; empty s means all subjects
IS 2935 / TEL 2810: Introduction to Computer Security 38
Sample ConstraintsSample Constraints
Downloaded program cannot access password Downloaded program cannot access password database file on UNIX systemdatabase file on UNIX system
Program’s class and methods for files:Program’s class and methods for files:class File {
public file(String name);public String getfilename();public char read();….
Constraint:Constraint:deny(|→ file.read) when
(file.getfilename() == “/etc/passwd”)
IS 2935 / TEL 2810: Introduction to Computer Security 39
Users and LevelsUsers and Levels
SubjectsSubjects Security LevelSecurity Level
(same as before)(same as before)
Integrity LevelIntegrity Level
Ordinary usersOrdinary users (SL, { SP })(SL, { SP }) (ISL, { IP })(ISL, { IP })
Application Application developersdevelopers
(SL, { SD })(SL, { SD }) (ISL, { ID })(ISL, { ID })
System System programmersprogrammers
(SL, { SSD })(SL, { SSD }) (ISL, { ID })(ISL, { ID })
System managers System managers and auditorsand auditors
(AM, { SP, SD, SSD })(AM, { SP, SD, SSD }) ((ISPISP, , ))
System controllersSystem controllers (SL, { SP, SD }) and (SL, { SP, SD }) and downgrade privilegedowngrade privilege
(ISP, {IP, ID})(ISP, {IP, ID})
RepairRepair (SL, { SP })(SL, { SP }) (ISL, { IP })(ISL, { IP })
IS 2935 / TEL 2810: Introduction to Computer Security 40
Objects and ClassificationsObjects and Classifications
ObjectsObjects Security LevelSecurity Level
(earlier category)(earlier category)
Integrity LevelIntegrity Level
Development code/test dataDevelopment code/test data (SL, { SD }) (SL, { SD }) (D, T)(D, T) (ISL, { (ISL, { IDID} )} )
Production codeProduction code (SL, { SP })(SL, { SP }) (PC)(PC) (IO, { IP }) ?(IO, { IP }) ?
Production dataProduction data (SL, { SP })(SL, { SP }) (PC, PD)(PC, PD) (ISL, { IP }) ?(ISL, { IP }) ?
Software toolsSoftware tools (SL, (SL, ) ) (T)(T) (IO, { ID })(IO, { ID })
System programsSystem programs (SL, (SL, ) ) (ISP, { IP, ID })(ISP, { IP, ID })
System programs in System programs in modificationmodification
(SL, { SSD })(SL, { SSD }) (SD, T)(SD, T) (ISL, { ID })(ISL, { ID })
System and application logsSystem and application logs (AM,(AM, { { appropriateappropriate }) }) (ISL, (ISL, ) )
RepairRepair (SL, {SP})(SL, {SP}) ((ISPISP, { IP }), { IP })
IS 2935 / TEL 2810: Introduction to Computer Security 41
S: System ManagersO: Audit Trail
S: System Control
S: RepairS: Production UsersO: Production data
S: Application programmersO: Development Code/Data
S: System programmersO: System code in
Development
O: Repair Code O: Production Code O: Tools
O: System programs
(SL, { SP, SD }) and (SL, { SP, SD }) and downgrade privilegedowngrade privilege
((ISP, {IP, ID})
(AM, { SP, SD, SSD })(AM, { SP, SD, SSD })
(ISL, (ISL, ))
(SL, { SP })(SL, { SP })
((ISL, {IP}) (SL, { SD })(SL, { SD })
((ISL, {ID})
(SL, { SSD})(SL, { SSD})
((ISL, {ID})
(SL, { SP })(SL, { SP })
((ISP, {IP})
(SL, { SP })(SL, { SP })
((IO, {IP})
(SL, (SL, ))
((IO, {ID})
(SL, (SL, ))
(ISP, {IP, ID})
IS 2935 / TEL 2810: Introduction to Computer Security 42
Additional constraintsAdditional constraints
Production users can execute production Production users can execute production users onlyusers only
No individual can be both an application No individual can be both an application programmer and a production usersprogrammer and a production users
In contradiction to the *property- In contradiction to the *property- system system controllerscontrollers are allowed to write down. are allowed to write down.