toward a mathematical model of computer security gina duncanson kevin jonas ben lange john...
Post on 24-Dec-2015
221 Views
Preview:
TRANSCRIPT
Toward A Mathematical Model of Computer Security
• Gina Duncanson
• Kevin Jonas
• Ben Lange
• John Loff-Peterson
• Ben Neigebauer
Introduction
• Computer security issues are a part of our daily life
• Model a secure computer system
Scope
• Define a secure system
• Use a practical example
• State Unwinding Theorem
Modeling a Computer System
A system M can consist of:
• a set S of STATES, where s0 is an initial state
• a set D of domains
• a set A of actions
• a set O of outputs
And Now...
Practical Example
• Today I will be talking about how one can apply the model of security that is explained in the paper we researched.
Defining M
World Wide Web sites consists of three basic components:– Web Server
– TCP/IP Connection
– Web Browser Client
Defining S
• Web Servers always have a finite state. Generally a server travels through a cycle of states.
• s0 is wait mode on a web server.
Defining D
• A domain is a defined section of a system. All the actions of a system occur within specified domains.
• This means that we can talk about actions as they relate to a client or web server’s computer.
Defining A
• An action is similar to a verb. Two example actions include:– A Client Inserting a
URL
– A Server Processing one Code Statement
Defining O
• Outputs are the immediate result of an action. When looking at a web site an output is:– A web server sending
back a confirmation message that it exists.
– The result of one code statement.
Putting it all together
• In order for all of these events to fit together, there are several dependencies between S, D, A, & O.
Modeling a Computer System
A system M can consist of:
• function step: S A S, where
step(sn , a) denotes the next state of the system after applying action a
Modeling a Computer System
A system M can consist of:
• function output: S A O, where
output(s,a) denotes the result returned by
the action a
• Example: “write” command to file
Modeling a Computer System
A system M can consist of:
• function run: S A* S
• Example:run(s,) = s, where is an empty sequence of actions
Terminology
STATES: use the letters s,t
ACTIONS:use the letters a,b
SEQUENCES OF ACTIONS: use Greek letters ,DOMAIN:
use the letters u,v,w
Communication
Two domains u,v communicate if there is an information flow channel between them.
Definition
• Security Policy:
A set of rules defining what domains can communicate.
Specified by a reflexive relation:
on a domain D
Definition
• Security:
A system is secure if the given security policy of the system completely defines all possible communication channels.
Security
• 2 ASSUMPTIONS:– set of security domains {u,v}– policy that restricts allowable flow of
information among the domains above
And Now...
Noninterference
• The idea of noninterference is really rather simple: a security domain u is non-interfering with domain v if no action performed by u can influence subsequent outputs seen by v.
Intransitive Noninterference
• Let u not see v but u see x and x see v where u,v, and x are domains. This is an example of intransitive noninterference.
• In short, intransitive noninterference means there is no direct communication between u and v.
Intransitive Noninterference
And Now...
Definition ~ purge
purge v( , )purge a v( , )
if dom(a) interferes with v
otherwise
),( vpurge purge v( , )
purge a v a purge v( , ) ( , )
purge a v purge v( , ) ( , )
Security
• Security is identified by:
output run s a
output run s purge dom a a
( ( , ), )
( ( , ( , ( ))), )0
0
Restating the Expressions
)),,(( 0 asrunoutput
SAdo *:
OAAtest *:
),()( 0 srundo
)),((),( adooutputatest
Security
• Security is now identified by:
))),(,((),( aadompurgetestatest
View-Partitioned
• View -Partitioned
• Equivalence Relation
• Output Consistent
And Now...
Test and Do
Test and do are abbreviations of frequently used expressions
Then we say that a system is secure for policy
),()( 0 srundo
)),((),( adooutputatest
))),(,((),( aadompurgetestatest
Output Consistency
A system M is view-partitioned if, for each domain,
there is an equivalence relation on S
These equivalence relations are said to be output
consistent if
Du u
~
),(),(~)(
atoutputasoutputtsadom
The output after executing action a is the for the states s and t, so s and t are equivalent views
Views
For an output consistent system, securityis achieved if “views" are unaffected.Let be a policy and M a view partitioned, output consistent system such that,
This means that if you perform sequence it is equivalent to executing the purged version
Then M is secure for
)),((~)( upurgedodou
Views
Proof:
Setting u = dom(a) in the statement of the lemma gives
and now substituting the u=dom(a) in for s and t, output consistency provides
)))(,((~)()(
adompurgedodoadom
)))),(,((()),(( aadompurgedooutputadooutput
Views
But this is simply
Which is the definition of security for
Listed before
))),(,((),( aadompurgetestatest
Unwinding Theorem
Why is the unwinding theorem important?
• It provides a basis for practical methods for verifying systems that enforce noninterference policies
• Serves to relate noninterference policies to access control mechanisms.
Unwinding Theorem
What is the Unwinding Theorem?
It is hard to work with sequences of actions. The unwinding theorem states that if the security policy holds for each action, then it holds for the sequence.
Unwinding Theorem
More Formally
Let be a policy and M a view partitioned system that is:
• output consistent
• step consistent
• locally respects
Then M is secure for
Questions
Any Questions??
References
• “Noninterference, Transitivity, and Channel-Control Security Policies” by John Rushby
• “Problems in Computer Security” by Auerbach, Kerbel, Megraw, Osburn, Shetty with mentor John Hoffman
Thank You
• Dr. Steve Decklemen
top related