Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop INFSCI 2935: Introduction...

Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop

INFSCI 2935: Introduction of Computer Security

1

Sunday, October 17, 2004Sunday, October 17, 2004

Introduction to Introduction to Computer SecurityComputer Security

ReviewReview

IS 2935 / TEL 2810: Introduction to Computer Security 2

Mathematical InductionMathematical Induction

Proof technique - to prove some mathematical Proof technique - to prove some mathematical propertyproperty

E.g. want to prove that M(n) holds for all natural E.g. want to prove that M(n) holds for all natural numbersnumbers Base case:

Prove that M(1) holds – called Induction Hypothesis:

Assert that M(n) holds for n = 1 to k Induction Step:

Prove that if M(k) holds then M(k+1) holds Exercise: prove that sum of first n natural Exercise: prove that sum of first n natural

numbers is numbers is 1 + … + n = n(n + 1)/2


LatticeLattice

Let S, a setLet S, a set Cartesian product: S x SCartesian product: S x S Binary relation R on S is a subset of S x SBinary relation R on S is a subset of S x S IF (a, b) IF (a, b) R we write aRb R we write aRb

Example, R is “less than equal to” () If S = {1, 2, 3} then R is {(1, 1), (1, 2), (1, 3), ????) (1, 2) R is another way of writing 1 2

Properties of relationsProperties of relations Reflexive: is aRa for all a S Antis-symmetric: if aRb and bRa implies a = b for all a, b S Transitive: if aRb and bRc imply that aRc for all a, b, c S Which properties hold for “less than equal to” ()?


LatticeLattice

Total ordering: when the relation orders all elementsTotal ordering: when the relation orders all elements E.g., “less than equal to” () on natural numbers

Partial ordering (poset): when the relation orders only Partial ordering (poset): when the relation orders only some elements not allsome elements not all E.g. “less than equal to” () on complex numbers; Consider (2 +

4i) and (3 + 2i) Upper bound (u, a, b Upper bound (u, a, b S S))

u is an upper bound of a and b means aRu and bRu Least upper bound : lub(a, b) closest upper bound

Lower bound (u, a, b Lower bound (u, a, b S S)) l is a lower bound of a and b means lRa and lRb Greatest lower bound : glb(a, b) closest lower bound


LatticeLattice

A lattice is the combination of a set of elements A lattice is the combination of a set of elements S and a relation R meeting the following criteriaS and a relation R meeting the following criteria R is reflexive, antisymmetric, and transitive on the

elements of S For every s, t S, there exists a greatest lower bound For every s, t S, there exists a lowest upper bound

What about S = {1, 2, 3} and R = What about S = {1, 2, 3} and R = ?? What about S = {2+4i; 1+2i; 3+2i, 3+4i} and R = What about S = {2+4i; 1+2i; 3+2i, 3+4i} and R =

??


Take-Grant Protection ModelTake-Grant Protection Model

System is represented as a directed graphSystem is represented as a directed graph Subject: Object: Labeled edge indicate the rights that the source object has on the

destination object FourFour graph rewriting rules (“de jure”, “by law”, “by rights”)graph rewriting rules (“de jure”, “by law”, “by rights”)

The graph changes as the protection state changes according to

1. Take rule: if 1. Take rule: if t t γγ, the take rule produces another graph with a , the take rule produces another graph with a transitive edge transitive edge αα ββ addedadded..

Either:

γ

α

βγ β├├

x z y x z y

x takes (α to y) from z


Take-Grant Protection ModelTake-Grant Protection Model

2. Grant rule: if 2. Grant rule: if g g γγ, the take rule produces another graph with a , the take rule produces another graph with a transitive edge transitive edge αα ββ added. added.

γ

α

βγ β├├

x z y x z y

3. Create rule:3. Create rule: ├├α

x x y

4. Remove rule:4. Remove rule: ├├β -α

x y

β

x y

z grants (α to y) to x

x creates (α to new vertex) y

x removes (α to) y


Take-Grant Protection Model:Take-Grant Protection Model:SharingSharing

Given Given GG00, can vertex , can vertex xx obtain obtain αα rights over rights over yy?? Can_share(α,x, y,G0) is true iff

G0├* Gn using the four rules, &

There is an α edge from x to y in Gn

tg-pathtg-path: : vv00,…,,…,vvnn with with t or or g edge between any edge between any

pair of vertices pair of vertices vvii, , vvi+1i+1

Vertices tg-connected if tg-path between them

Theorem: Any two subjects with Theorem: Any two subjects with tg-pathtg-path of of length 1 can share rightslength 1 can share rights


Any two subjects with Any two subjects with tg-pathtg-path of length 1 of length 1 can share rightscan share rights

Four possible length 1 Four possible length 1 tgtg-paths-paths

1. Take rule1. Take rule

2. Grant rule2. Grant rule

3. Lemma 3.13. Lemma 3.1

4. Lemma 3.24. Lemma 3.2

{t} β α

β α{g}

β α{t}

{g} β α

Can_share(α, xx, , yy,G0)

x yz


Any two subjects with Any two subjects with tg-pathtg-path of length 1 of length 1 can share rightscan share rights

Lemma 3.1Lemma 3.1 Sequence:

Create Take Grant Take

β α

α

{t}

Can_share(α, xx, , yy,G0)

x y

gtg

β α{t}

α

z


Other definitionsOther definitions

IslandIsland: Maximal : Maximal tgtg-connected subject-only -connected subject-only subgraphsubgraph Can_share all rights in island Proof: Induction from previous theorem

BridgeBridge: : tgtg-path between subjects v-path between subjects v00 and and vvnn with edges of the following form: with edges of the following form: t→*, t←* t→*, g→, t←* t→*, g←, t←*

g tt

v0 vn


BridgeBridge

g tt

v0 vnα

By lemma 3.1

By grant By take

αα

α


Theorem: Can_share(Theorem: Can_share(αα,,xx,,yy,,GG00))

(for subjects)(for subjects)

Subject_can_shareSubject_can_share((αα, , xx, , yy,,GG00) is true iff if ) is true iff if xx and and yy are are subjects andsubjects and there is an α edge from x to y in G0 OR if: a subject s G0 with an s-s-to-yy α edge, and islands I1, …, In such that xx I1, s In, and there is a bridge

from Ij to Ij+1

x s α

αα

α

yII11

II22

IInn


What about objects?What about objects?Initial, terminal spansInitial, terminal spans

xx initially spansinitially spans to to yy if if xx is a subject and is a subject and there is a there is a tgtg-path between them with -path between them with tt edges ending in a edges ending in a gg edge (i.e., edge (i.e., tt→→*g*g→→))xx can grant a right to yy

xx terminally spansterminally spans to to yy if if xx is a subject and is a subject and there is a there is a tgtg-path between them with -path between them with tt edges (i.e., edges (i.e., tt→→**))xx can take a right from yy



Can_share(Can_share(αα,,xx, , yy,,GG00) iff there is an ) iff there is an αα edge from edge from xx to to yy in in GG00 or if: or if: a vertex ss G0 with an ss to yy α edge, a subject x’x’ such that x’=xx’=x or x’x’ initially spans to xx, a subject s’s’ such that s’=ss’=s or s’s’ terminally spans to ss, and islands II1, …, IIn such that x’x’ II1, s’s’ IIn, and there is a bridge

from Ij to Ij+1

x’ s’ α

αα

α

yII11

II22

IInn

s

x

x’x’ can grant a right to can grant a right to xx s’s’ can take a right from can take a right from ss



(for subjects)(for subjects)

Subject_can_shareSubject_can_share((αα, , xx, , yy,,GG00) is true iff ) is true iff xx and and yy are are subjects andsubjects and there is an α edge from x to y in G0 OR if: a subject s G0 with an s-s-to-yy α edge, and islands I1, …, In such that xx I1, s In, and there is a bridge

from Ij to Ij+1

x s α

αα

α

yII11

II22

IInn


What about objects?What about objects?Initial, terminal spansInitial, terminal spans

xx initially spansinitially spans to to yy if if xx is a subject and is a subject and there is a there is a tgtg-path associated with word -path associated with word {{tt→→*g*g→→} between them} between themxx can grant a right to yy

xx terminally spansterminally spans to to yy if if xx is a subject and is a subject and there is a there is a tgtg-path associated with word -path associated with word {{tt→→**} between them} between themxx can take a right from yy



Can_share(Can_share(αα,,xx, , yy,,GG00) iff there is an ) iff there is an αα edge from edge from xx to to yy in in GG00 or if: or if: a vertex ss G0 with an ss to yy α edge, a subject x’x’ such that x’=xx’=x or x’x’ initially spans to xx, a subject s’s’ such that s’=ss’=s or s’s’ terminally spans to ss, and islands II1, …, IIn such that x’x’ II1, s’s’ IIn, and there is a bridge

from Ij to Ij+1

x’ s’ α

αα

α

yII11

II22

IInn

s

x

x’x’ can grant a right to can grant a right to xx s’s’ can take a right from can take a right from ss

α



Corollary: There is an Corollary: There is an OO(|(|VV|+||+|EE|) algorithm to test |) algorithm to test can_share: can_share: Decidable in linear time!!Decidable in linear time!!

Theorem:Theorem: Let G0 contain exactly one vertex and no edges, R a set of rights. G0 ├* G iff G is a finite directed acyclic graph, with edges labeled

from R, and at least one subject with no incoming edge. Only if part: v is initial subject and G0 ├* G;

No rule allows the deletion of a vertexNo rule allows an incoming edge to be added to a

vertex without any incoming edges. Hence, as v has no incoming edges, it cannot be assigned any



If part : G meets the requirement Assume v is the vertex with no incoming edge

and apply rules

1. Perform “v creates (α {g} to) new xi” for all 2<=i <= n, and α is union of all labels on the incoming edges going into xi in G

2. For all pairs x, y with x α over y in G, perform “v grants (α to y) to x”

3. If β is the set of rights x has over y in G, perform “v removes (α {g} - β) to y”


ExampleExample


Take-Grant Model: Take-Grant Model: Sharing through a Trusted EntitySharing through a Trusted Entity

Let Let pp and and qq be two processes be two processes Let Let bb be a buffer that they share to communicate be a buffer that they share to communicate Let Let ss be third party (e.g. operating system) that be third party (e.g. operating system) that

controls controls bb

g

g

q

bs

rwrw

rw

urw

vrw

g

g

q

s

urw

vrw

Witness• S creates ({r, w}, to new object) b• S grants ({r, w}, b) to p• S grants ({r, w}, b) to q


Theft in Take-Grant ModelTheft in Take-Grant Model

Can_stealCan_steal((αα,,xx,,yy,,GG00) is true if there is no ) is true if there is no αα edge edge from from xx to to yy in in GG00 and and sequence sequence GG11, …, , …, GGnn s. t.: s. t.: α edge from x to y in Gn,, rules ρ1,…, ρn that take Gi-1├ ρi Gi , and v,w Gi, 1≤i<n, if α edge from v to y in G0 then

ρi is not “v grants (α to y) to w”

- Disallows owners of α rights to y from transferring those rights

- Does not disallow them to transfer other rights- This models a Trojan horse


A witness to theftA witness to theft

u grants (t to v) to su grants (t to v) to ss takes (t to u) from vs takes (t to u) from vs takes (s takes (αα to w) from u to w) from u

g

s

w

t

t

ααu

v


ConspiracyConspiracy

Theft indicates cooperation: which subjects are actors in Theft indicates cooperation: which subjects are actors in a transfer of rights, and which are not?a transfer of rights, and which are not?

Next question is Next question is How many subjects are needed to enable Can_share(α,x,y,G0)?

Note that a vertex yNote that a vertex y Can take rights from any vertex to which it terminally spans Can pass rights to any vertex to which it initially spans

Access set A(Access set A(yy) with focus ) with focus yy (y is subject) is union of (y is subject) is union of set of vertices y, vertices to which y initially spans, and vertices to which y terminally spans


ConspiracyConspiracy

Deletion set Deletion set δδ(y,y’): All z (y,y’): All z A(y) A(y) ∩∩ A(y’) for A(y’) for whichwhich y initially spans to z and y’ terminally spans to z y terminally spans to z and y’ initially spans to z z=y & z=y’

Conspiracy graph H of GConspiracy graph H of G00: : Represents the paths along which subjects can

transfer rights For each subject in G0, there is a corresponding

vertex h(x) in H if δ(y,y’) not empty, edge from h(y) to h(y’)


ExampleExample

t g g t

g

tgt gg

a b c d

e

f h i j

x

y

z

r


TheoremsTheorems

I(p) = I(p) = contains the vertex h(p) and the se t of all vertices h(p’)

such that p’ initially spans to p T(q) = T(q) =

contains the vertex h(q) and the se t of all vertices h(q’) such that q’ terminally spans to q

Theorem 3-13: Theorem 3-13: Can_share(α,x,y,G0) iff there is a path from som h(p) in I(x) to

some h(q) in T(y) Theorem 3-14: Theorem 3-14:

Let L be the number of vertices on a shortest path between h(p) and h(q) (as in theorem 3-13), then L conspirators are necessary and sufficient to produce a witness to Can_share(α,x,y,G0)


Schematic Protection ModelSchematic Protection Model

Key idea is to use the notion of a protection type Key idea is to use the notion of a protection type Label that determines how control rights affect an entity Take-Grant:

subject and object are different protection types TS and TO represent subject type set and object set (X) is the type of entity X

A A ticket ticket describes a rightdescribes a right Consists of an entity name and a right symbol: X/z

Possessor of the ticket X/z has right r over entity X Y has tickets X/r, X/w -> Y has tickets X/rw

Each entity X has a set dom(X) of tickets Y/z (X/r:c) = (X)/r:c is the type of a ticket


Schematic Protection ModelSchematic Protection Model

Inert right vs. Control rightInert right vs. Control right Inert right doesn’t affect protection state, e.g. read right take right in Take-Grant model is a control right

Copy flag cCopy flag c Every right r has an associated copyable right rc r:c means r or rc

Manipulation of rightsManipulation of rights A link predicate

Determines if a source and target of a transfer are “connected”

A filter function Determines if a transfer is authorized


Transferring RightsTransferring Rights

domdom((XX) : set of tickets that X has) : set of tickets that X has Link predicate: Link predicate: linklinkii((XX,,YY))

conjunction or disjunction of the following terms X/z dom(X); X/z dom(Y); Y/z dom(X); Y/z dom(Y) true

Determines if X and Y “connected” to transfer right Examples:

Take-Grant: link(X, Y) = Y/g dom(X) v X/tdom(Y) Broadcast: link(X, Y) = X/b dom(X) Pull: link(X, Y) = Y/p dom(Y) Universal: link(X, Y) = true

SchemeScheme: a finite set of link predicates is called a scheme: a finite set of link predicates is called a scheme


Filter FunctionFilter Function

Filter function: Filter function: Imposes conditions on when tickets can be transferred fi: TS x TS → 2TxR (range is copyable rights)

XX//r:cr:c can be copied from can be copied from domdom((YY) to ) to domdom((ZZ) iff ) iff ii s. t. the s. t. the following are true:following are true: X/rc dom(Y) linki(Y, Z) (X)/r:c fi((Y), (Z))

Examples:Examples: If fi((Y), (Z)) = T x R then any rights are transferable If fi((Y), (Z)) = T x RI then only inert rights are transferable If fi((Y), (Z)) = Ө then no tickets are transferable

One filter function is defined for each link predicateOne filter function is defined for each link predicate


SPM Example2SPM Example2

Take-Grant Protection ModelTake-Grant Protection Model TS = { subjects }, TO = { objects } RC = {tc, gc}, RI = {rc, wc}

Note that all rights can be copied in T-G model link(p, q) = p/t dom(q) v q/t dom(p) f(subject, subject) = { subject, object } { tc, gc,

rc, wc } Note that any rights can be transferred in T-G model


Create OperationCreate Operation

Need to handle Need to handle type of the created entity, & tickets added by the creation

Relation Relation can•createcan•create((aa, , bb) ) TSTS x x TT A subject of type a can create an entity of type b

Rule of Rule of acyclic createsacyclic creates Limits the membership in can•create(a, b) If a subject of type a can create a subject of type b, then none of the

descendants can create a subject of type a

a b

c d

a b

c d


Create operation Create operation Distinct TypesDistinct Types

create rulecreate rule cr cr((aa, , bb) specifies the) specifies the tickets introduced when a subject of type a creates an

entity of type b

BB object: object: crcr((aa, , bb) ) { { bb//rr::cc RIRI } } Only inert rights can be created A gets B/r:c iff b/r:c cr(a, b)

BB subject: subject: crcr((aa, , bb) has two parts) has two parts crP(a, b) added to A, crC(a, b) added to B

A gets B/r:c if b/r:c in crP(a, b)

B gets A/r:c if a/r:c in crC(a, b)


ExamplesExamples

Owner-based policyOwner-based policy Users can create files: cc(user, file) holds Creator can give itself any inert rights: cr(user, file) = {file/r:c| r

RI} Take-Grant modelTake-Grant model

A subject can create a subject or an object cc(subject, subject) and cc(subject, object) hold

Subject can give itself any rights over the vertices it creates but the subject does not give the created subject any rights (although grant can be used later)

crC(a, b) = Ө; crP(a, b) = {sub/tc, sub/gc, sub/rc, sub/wc}Hence, cr(sub, sub) = {sub/tc, sub/gc, sub/rc, sub/wc} | Ө cr(sub, obj) = {obj/tc, obj/gc, obj/rc, obj/wc} | Ө


Expressing ConstraintsExpressing Constraints

Entities are classes, methodsEntities are classes, methods Class: set of objects that an access constraint

constrains Method: set of ways an operation can be invoked

OperationsOperations Instantiation: s creates instance of class c: s ├ c Invocation: s1 executes object s2: s1 |→ s2

Access constraintsAccess constraints deny(s op x) when b when b is true, subject s cannot perform op on

(subject or class) x; empty s means all subjects


Sample ConstraintsSample Constraints

Downloaded program cannot access password Downloaded program cannot access password database file on UNIX systemdatabase file on UNIX system

Program’s class and methods for files:Program’s class and methods for files:class File {

public file(String name);public String getfilename();public char read();….

Constraint:Constraint:deny(|→ file.read) when

(file.getfilename() == “/etc/passwd”)


Users and LevelsUsers and Levels

SubjectsSubjects Security LevelSecurity Level

(same as before)(same as before)

Integrity LevelIntegrity Level

Ordinary usersOrdinary users (SL, { SP })(SL, { SP }) (ISL, { IP })(ISL, { IP })

Application Application developersdevelopers

(SL, { SD })(SL, { SD }) (ISL, { ID })(ISL, { ID })

System System programmersprogrammers

(SL, { SSD })(SL, { SSD }) (ISL, { ID })(ISL, { ID })

System managers System managers and auditorsand auditors

(AM, { SP, SD, SSD })(AM, { SP, SD, SSD }) ((ISPISP, , ))

System controllersSystem controllers (SL, { SP, SD }) and (SL, { SP, SD }) and downgrade privilegedowngrade privilege

(ISP, {IP, ID})(ISP, {IP, ID})

RepairRepair (SL, { SP })(SL, { SP }) (ISL, { IP })(ISL, { IP })


Objects and ClassificationsObjects and Classifications

ObjectsObjects Security LevelSecurity Level

(earlier category)(earlier category)

Integrity LevelIntegrity Level

Development code/test dataDevelopment code/test data (SL, { SD }) (SL, { SD }) (D, T)(D, T) (ISL, { (ISL, { IDID} )} )

Production codeProduction code (SL, { SP })(SL, { SP }) (PC)(PC) (IO, { IP }) ?(IO, { IP }) ?

Production dataProduction data (SL, { SP })(SL, { SP }) (PC, PD)(PC, PD) (ISL, { IP }) ?(ISL, { IP }) ?

Software toolsSoftware tools (SL, (SL, ) ) (T)(T) (IO, { ID })(IO, { ID })

System programsSystem programs (SL, (SL, ) ) (ISP, { IP, ID })(ISP, { IP, ID })

System programs in System programs in modificationmodification

(SL, { SSD })(SL, { SSD }) (SD, T)(SD, T) (ISL, { ID })(ISL, { ID })

System and application logsSystem and application logs (AM,(AM, { { appropriateappropriate }) }) (ISL, (ISL, ) )

RepairRepair (SL, {SP})(SL, {SP}) ((ISPISP, { IP }), { IP })


S: System ManagersO: Audit Trail

S: System Control

S: RepairS: Production UsersO: Production data

S: Application programmersO: Development Code/Data

S: System programmersO: System code in

Development

O: Repair Code O: Production Code O: Tools

O: System programs

(SL, { SP, SD }) and (SL, { SP, SD }) and downgrade privilegedowngrade privilege

((ISP, {IP, ID})

(AM, { SP, SD, SSD })(AM, { SP, SD, SSD })

(ISL, (ISL, ))

(SL, { SP })(SL, { SP })

((ISL, {IP}) (SL, { SD })(SL, { SD })

((ISL, {ID})

(SL, { SSD})(SL, { SSD})

((ISL, {ID})

(SL, { SP })(SL, { SP })

((ISP, {IP})

(SL, { SP })(SL, { SP })

((IO, {IP})

(SL, (SL, ))

((IO, {ID})

(SL, (SL, ))

(ISP, {IP, ID})


Additional constraintsAdditional constraints

Production users can execute production Production users can execute production users onlyusers only

No individual can be both an application No individual can be both an application programmer and a production usersprogrammer and a production users

In contradiction to the *property- In contradiction to the *property- system system controllerscontrollers are allowed to write down. are allowed to write down.

Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop INFSCI 2935: Introduction...

Documents

Transcript of Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop INFSCI 2935: Introduction...