Decidability or Impossibility? 02b = a bit of boring theory Nicolas T. Courtois - University College of London

Upload: elijah-wade

Post on 17-Jan-2016


Page 1:

Decidability or Impossibility? 02b = a bit of boring theory

Nicolas T. Courtois - University College of London

Page 2:

CompSec COMPGA01
Nicolas T. Courtois, January 2009

Roadmap

Pure mathematicians' / logicians' take on computer security:
• Rice Theorem
• HRU vs. Take-Grant

Page 3:

Matrix Paradigm – Basis of DAC

Example:

S = {System, Admin, Bob}.
O = {exe, doc}.
A = {read, write, exec, delete}.

M = (rows: Subjects, columns: Objects, cells: rights)

             exe          doc
  System   {e,r,w,d}    {r,w,d}
  Admin    {e,w,d}      {w,r,d}
  Bob      {e}          {r,w}

Page 4:

HRU Model

Page 5:

HRU Model [Harrison-Ruzzo-Ullman 1976]

A particular formalisation of the matrix model + a particular set of commands that allows one to build a basic file system…

Page 6:

The Commands in the HRU model

Imagine a file system with the following operations (requests):
• create a process/file,
• confer a right to a given cell of the matrix (Bishop: enter),
• revoke a right from a given cell (Bishop: destroy).

These 3 commands can be combined to create instructions such as create_file, spawn_process, grant_right, chown, etc.

Page 7:

The Safety Problem

Imagine a file system implementing this model.

Given a configuration, does there exist a sequence of requests that will add the right a ∈ A to a given matrix cell M[s,o]?

Example:
• given are the access rules for all UCL employees,
– can I ever read the UCL payroll file?
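The HRU primitives of page 6 composed into commands, and the safety question of page 7 asked of them, as an added example (my code, not from the slides or from Bishop). It assumes a small constructed configuration in which System owns a "payroll" file, command and function names of my own, and a bounded breadth-first search over request sequences; the bound is what makes the search terminate, since the general problem has no algorithm.

```python
from collections import deque

# Added example, not from the slides. A configuration M is a frozenset of
# (subject, object, right) triples: the non-empty cells of the access matrix.
# Each command checks a condition on M, then applies HRU primitives.
GRANTABLE = ("r", "w")          # "own" is only entered at creation time

def create_file(M, s, f):
    """s creates a fresh file f and becomes its owner with r and w."""
    if any(o == f for _, o, _ in M):
        return None                       # condition: f must not exist yet
    return M | {(s, f, "own"), (s, f, "r"), (s, f, "w")}

def grant_right(M, s, t, f, a):
    """Owner s confers right a on f to subject t (Bishop's 'enter')."""
    if (s, f, "own") not in M:
        return None                       # condition: s must own f
    return M | {(t, f, a)}

def requests(M, subjects, fresh):
    """Every (name, configuration) reachable from M by one command call."""
    objs = sorted({o for _, o, _ in M})
    for s in subjects:
        for f in fresh:
            yield f"create_file({s},{f})", create_file(M, s, f)
        for t in subjects:
            for f in objs:
                for a in GRANTABLE:
                    yield f"grant_right({s},{t},{f},{a})", grant_right(M, s, t, f, a)

def find_leak(M0, subjects, fresh, target, max_depth=4):
    """Bounded breadth-first search for a request sequence that enters
    `target` into the matrix. HRU safety is undecidable in general, so only
    a finite slice is explored (fixed subjects, finite pool of fresh names,
    bounded depth): a returned path proves leakage; None means 'nothing
    found within the bound', not 'safe'."""
    seen, queue = {M0}, deque([(M0, [])])
    while queue:
        M, path = queue.popleft()
        if target in M:
            return path
        if len(path) < max_depth:
            for name, M2 in requests(M, subjects, fresh):
                if M2 is not None and M2 not in seen:
                    seen.add(M2)
                    queue.append((M2, path + [name]))
    return None

# Constructed configuration: System owns the payroll file, Admin may read it.
M0 = frozenset({("System", "payroll", "own"), ("System", "payroll", "r"),
                ("Admin", "payroll", "r")})
SUBJECTS = ("System", "Admin", "Bob")
```

Calling `find_leak(M0, SUBJECTS, ("tmp",), ("Bob", "payroll", "r"))` returns the one-step sequence in which System grants the right, while asking for `("Bob", "payroll", "own")` returns None within the bound.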

Page 8:

Theoretical Results [cf. Bishop]

Theorem 1: There is no algorithm to solve the safety problem in this model.

Page 9:

Rice Theorem

Page 10:

Halting problem

Q: Does program25.c halt?

More generally, we can ask different questions.

[diagram: program25.c → “expert system” (algorithm for Q) → Y/N]

Page 11:

Other Interesting Questions

Example questions:
Q1: Does program25.c always return 0?
Q2: Does program25.c compute the sum of two 32-bit integers correctly?
Q3: Do 2 programs do the same thing?
Etc.

Answer [Rice 1953]: there is no algorithm that can solve this problem.

[diagram: program25.c → decision algorithm → Y/N]

Page 12:

The Anti-Virus Software

Theorem [Rice]: there is no algorithm that decides whether a given program is a virus.

Such programs are mathematically strictly impossible.

But this does not prevent the software security industry from being worth 9.1 G$ in 2007 [Gartner].

Beware, important: the theorem does not prevent a program from detecting all malware; 100 % security is possible, but then it is also certain that:
=> such a program will be “secure” (the exact notion of secure, as opposed to broad, was defined in a much less general context);
• it will produce false alarms: programs that are not viruses will be reported as such. This is inevitable.


Page 14:

Back to Access Control

We need a simpler model.

Page 15:

Take-Grant Model

Page 16:

Take-Grant Model [Jones, Lipton, Snyder 1976]

Was invented to address the safety problem: here it becomes decidable.

Based on graphs.

[diagram: x --r--> y, i.e. x can read y]

Page 17:

Take-Grant Model
• A set S of Subjects (e.g. processes) which can execute privileges in the system.
• A set O of Objects (e.g. files) on which the privileges can be executed.
• A directed graph G = (S ∪ O, E) of authorizations where E ⊆ (S ∪ O) × (S ∪ O).
– Vertices can be both Subjects and Objects.
– Edges are authorizations: they are labelled by r ∈ R (or a subset of R) which specifies the rights the source vertex has over the destination vertex.
– Where R is a pre-defined set of rights, containing at least two distinguished administrative-type rights: t (take) and g (grant).
• Example: R = {r,w,t,g}.

Page 18:

Graph Rewriting

Here the evolution of the permissions with time is represented as rewriting a graph (to create another graph) according to a fixed set of 4 administrative rules called “de jure” (by law) rules:
• take
• grant
• create
• remove

A safety problem is then formalised as follows: can a certain permission be granted after an (unlimited in time) amount of rewriting according to the rules?

Page 19:

Transfer of Privileges

Between two subjects s, x:

take allows subject s to take ANY privilege r of the subject x.

grant allows s to grant ANY privilege r it possesses to subject x.

Page 20:

Creation of Files/Processes and Creation/Destruction of Rights

Here we have a subject s and an x that can be either a Subject or an Object.

create allows subject s to create a new Subject/Object x with ANY chosen subset of rights A ⊆ R.

remove allows s to remove ANY existing privilege r from the set of rights it holds over the Subject/Object x, and deletes edges that become empty.

In both cases: voluntary limitation of rights, cf. the least privilege principle.

Page 21:

Take-Grant Model

Based on graphs.

Theorem: The problem of Safety can be decided in polynomial time in the number of vertices in the initial graph.

Undecidable in general (no algorithm) for the matrix model.

Page 22:

Take-Grant Model

Insufficient for many real-life applications. Several things are missing here:
• Lack of selectivity.
– take and grant apply to any right, including t and g.
• Lack of control on propagation:
– once I grant a right to a, it can be granted to the next process b, if a has the right g on the process b,
– also it can be taken by all subjects c that have the right t on a.
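The four de jure rules of pages 18 to 20, and the propagation scenario of page 22, as an added example (my code, not from the slides or from Jones, Lipton and Snyder). It assumes the standard preconditions on take and grant (s holds t, respectively g, over x), which the slides leave implicit, and a constructed graph with vertices me, a, b, c and file.

```python
# Added example, not from the slides: the four de jure rules of the
# Take-Grant model as rewrites of a directed graph. G maps an edge
# (src, dst) to the set of rights src holds over dst; "t" and "g" are the
# two administrative rights. Preconditions on take/grant are the standard
# ones (s holds t, resp. g, over x), which the slides leave implicit.

def rights(G, a, b):
    return G.get((a, b), set())

def take(G, s, x, y, r):
    """s takes right r over y from x: needs s --t--> x and x --r--> y."""
    if "t" not in rights(G, s, x) or r not in rights(G, x, y):
        raise PermissionError(f"{s} cannot take {r} on {y} from {x}")
    G.setdefault((s, y), set()).add(r)

def grant(G, s, x, y, r):
    """s grants x its own right r over y: needs s --g--> x and s --r--> y."""
    if "g" not in rights(G, s, x) or r not in rights(G, s, y):
        raise PermissionError(f"{s} cannot grant {r} on {y} to {x}")
    G.setdefault((x, y), set()).add(r)

def create(G, s, x, A):
    """s creates a fresh vertex x and holds exactly the rights A over it."""
    if any(x in edge for edge in G):
        raise ValueError(f"vertex {x} already exists")
    G[(s, x)] = set(A)

def remove(G, s, x, A):
    """s drops rights A from its own edge to x; an emptied edge is deleted."""
    G[(s, x)] = rights(G, s, x) - set(A)
    if not G[(s, x)]:
        del G[(s, x)]

def propagation_demo():
    """Constructed page-22 scenario: I grant r on 'file' to a only, but a
    holds g over b and c holds t over a, so the right spreads to b and c."""
    G = {("me", "a"): {"g"}, ("me", "file"): {"r", "w"},
         ("a", "b"): {"g"}, ("c", "a"): {"t"}}
    grant(G, "me", "a", "file", "r")      # my deliberate decision ...
    grant(G, "a", "b", "file", "r")       # ... a passes it on to b
    take(G, "c", "a", "file", "r")        # ... and c takes it from a
    return {edge: sorted(rs) for edge, rs in G.items()}

def least_privilege_demo():
    """create with a chosen subset, then remove: voluntary right limitation."""
    G = {}
    create(G, "s", "x", {"r", "w", "t", "g"})
    remove(G, "s", "x", {"t", "g"})       # s keeps only what it needs
    return sorted(G[("s", "x")])
```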