chapter 3: foundational results
DESCRIPTION
Chapter 3: Foundational Results. Overview Harrison-Ruzzo-Ullman result Corollaries. Overview. Safety Question HRU Model. The general question. How can we determine whether a system is safe? Is there a generic algorithm that will determine whether a system is safe?. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/1.jpg)
Slide #3-1
Chapter 3: Foundational Results
• Overview
• Harrison-Ruzzo-Ullman result– Corollaries
![Page 2: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/2.jpg)
Slide #3-2
Overview
• Safety Question
• HRU Model
![Page 3: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/3.jpg)
Slide #3-3
The general question
• How can we determine whether a system is safe?
• Is there a generic algorithm that will determine whether a system is safe?
![Page 4: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/4.jpg)
Reminder: safe vs secure
Slide #3-4
• The term safe is used to refer to the abstract model.
• The term secure is used when referring to implementations
![Page 5: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/5.jpg)
Slide #3-5
What Is “Safe”?
• Adding a generic right r where there was not one is “leaking”
• If a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r.
![Page 6: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/6.jpg)
Slide #3-6
Safety Question
• Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r?
![Page 7: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/7.jpg)
Slide #3-7
Mono-Operational Commands
• Answer: yes
• Theorem There exists an algorithm that will determine whether given mono-operational protection system with initial state s0 is safe with respect to a given generic right r.
![Page 8: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/8.jpg)
Slide #3-8
Mono-Operational Commands
• Sketch of proof:Consider the minimal sequence of commands c1, …, ck needed to leak the right.– Can omit delete, destroy (no commands can test for the absence of rights in an ACM)
– Can merge all creates into oneWorst case: insert every right into every entry; with s subjects and o objects initially, and n rights.Then (at worst) there are k ≤ n(s+1)(o+1) commands
![Page 9: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/9.jpg)
Slide #3-9
General Case
• Answer: no
• Theorem It is undecidable whether a given state of a general protection system with is safe for a given right r.
![Page 10: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/10.jpg)
Slide #3-10
General Case
• Sketch of proof:Reduce the halting problem to safety problem
![Page 11: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/11.jpg)
Slide #3-11
Turing Machine review
• Infinite tape in one direction• States K, • Symbols M (alphabet); distinguished blank b• Transition function (k, m) = (k, m, L) means in
state k, symbol m on tape location replaced by symbol m, head moves to left one square, and enters state k
• Halting state is qf; TM halts when it enters this state
![Page 12: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/12.jpg)
Slide #3-12
Halting problem
• Determine if an arbitrary TM will enter a halting state qf
• The Halting problem is known to be undecidable.
![Page 13: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/13.jpg)
Slide #3-13
Mapping
• First we construct a map from the states and symbols of a Turing machine TM to the rights in the access control matrix A.
• The generic rights are taken to be– the symbols in M and– a set of distinct symbols each representing a state in K.
• Each cell of TM is a subject.• Define a distinguished right own and such that si owns si+1
![Page 14: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/14.jpg)
Slide #3-14
Mapping
A B C D …
1 2 3 4
head
s1 s2 s3 s4
s4
s3
s2
s1 A
B
C k
D end
own
own
ownCurrent state is k
![Page 15: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/15.jpg)
Slide #3-15
Mapping
A B X D …
1 2 3 4
head
s1 s2 s3 s4
s4
s3
s2
s1 A
B
X
D k1 end
own
own
ownAfter (k, C) = (k1, X, R)where k is the currentstate and k1 the next state
![Page 16: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/16.jpg)
Slide #3-16
Command Mapping
(k, C) = (k1, X, R) at intermediate becomes
command ck,C(s3,s4)if own in A[s3,s4] and k in A[s3,s3]
and C in A[s3,s3]thendelete k from A[s3,s3];delete C from A[s3,s3];enter X into A[s3,s3];enter k1 into A[s4,s4];
end
![Page 17: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/17.jpg)
Slide #3-17
Mapping
A B X Y
1 2 3 4
head
s1 s2 s3 s4
s4
s3
s2
s1 A
B
X
Y
own
own
ownAfter (k1, D) = (k2, Y, R)where k1 is the currentstate and k2 the next state
s5
s5
own
b k2 end
5
b
![Page 18: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/18.jpg)
Slide #3-18
Command Mapping
(k1, D) = (k2, Y, R) at end becomes
command crightmostk,C(s4,s5)if end in A[s4,s4] and k1 in A[s4,s4]
and D in A[s4,s4]then
delete end from A[s4,s4];create subject s5;enter own into A[s4,s5];enter end into A[s5,s5];delete k1 from A[s4,s4];delete D from A[s4,s4];enter Y into A[s4,s4];enter k2 into A[s5,s5];
end
![Page 19: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/19.jpg)
Slide #3-19
Rest of Proof
• Protection system exactly simulates a TM– Exactly 1 end right in ACM– 1 right in entries corresponds to state– Thus, at most 1 applicable command
• If TM enters state qf, then right has leaked• If safety question decidable, then represent TM as above
and determine if qf leaks– Implies halting problem decidable
• Conclusion: safety question undecidable
![Page 20: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/20.jpg)
Slide #3-20
Other Results
• Set of unsafe systems is recursively enumerable (there is TM that will enumerate all systems)
• Delete create primitive; then safety question is complete in P-SPACE
• Delete destroy, delete primitives; then safety question is undecidable
– Such systems are called monotonic: the size and complexity only increases.
• Safety question for mono-conditional, monotonic protection systems is decidable
• Safety question for mono-conditional protection systems with create, enter, delete (and no destroy) is decidable.
![Page 21: Chapter 3: Foundational Results](https://reader035.vdocument.in/reader035/viewer/2022062221/568137e2550346895d9f8acc/html5/thumbnails/21.jpg)
Slide #3-21
Key Points
• Safety problem undecidable
• Limiting scope of systems can make problem decidable