Decidability or Impossibility? 02b = a bit of boring theory
Nicolas T. Courtois - University College of London
CompSec COMPGA01, Nicolas T. Courtois, January 2009
Roadmap
Pure mathematicians' / logicians' take on computer security:
• Rice Theorem
• HRU vs. Take-Grant
Matrix Paradigm – Basis of DAC
Example:
S = {System, Admin, Bob}  (Subjects)
O = {exe, doc}  (Objects)
A = {read, write, exec, delete}  (rights)
M =
            exe          doc
  System    {e,r,w,d}    {r,w,d}
  Admin     {e,w,d}      {w,r,d}
  Bob       {e}          {r,w}
(rows: Subjects; columns: Objects; cells: the rights the Subject has over the Object)
HRU Model
HRU Model [Harrison-Ruzzo-Ullman 1976]
A particular formalisation of the matrix model, plus a particular set of commands that allows one to build a basic file system…
The Commands in the HRU model
Imagine a file system with the following operations (requests):
• create process/file,
• confer a right to a given cell of the matrix (Bishop: enter),
• revoke a right from a given cell (Bishop: destroy).
These 3 commands can be combined to create instructions such as create_file, spawn_process, grant_right, chown, etc.
The Safety Problem
Imagine a file system implementing this model.
Given a configuration, does there exist a sequence of requests that will add the right a ∈ A to a given matrix cell M[s,o] ⊆ A?
Example:
• given are the access rules for all UCL employees,
  – can I ever read the UCL payroll file?
Theoretical Results [cf. Bishop]
Theorem 1: There is no algorithm to solve the safety problem in this model.
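The safety question for HRU commands, as an added example that is not from the slides: the slides' matrix M, three constructed commands (share_write, give_delete, revoke_write are a hypothetical policy, not the file system of the slides) built from the enter/delete primitives, and a depth-bounded search that can find a witness sequence of requests but, as Theorem 1 implies, can never certify a "no" answer in general.

```python
from collections import deque
from itertools import product

SUBJECTS, OBJECTS = ["System", "Admin", "Bob"], ["exe", "doc"]
# The slides' matrix M as a frozenset of (subject, object, right) triples: hashable states.
INITIAL = frozenset(
    (s, o, r)
    for s, row in {"System": {"exe": "erwd", "doc": "rwd"},
                   "Admin": {"exe": "ewd", "doc": "wrd"},
                   "Bob": {"exe": "e", "doc": "rw"}}.items()
    for o, rights in row.items() for r in rights)

def has(state, s, o, r):
    return (s, o, r) in state

# HRU commands: a guard on the matrix plus a body built from the primitives
# "enter a right into a cell" / "delete a right from a cell". Constructed toy
# policy (hypothetical, not the slides' file system); arguments are
# (acting subject s, target subject t, object o).
COMMANDS = {
    "share_write": (lambda st, s, t, o: has(st, s, o, "w") and has(st, t, o, "e"),
                    lambda st, s, t, o: st | {(t, o, "w")}),   # enter w into M[t,o]
    "give_delete": (lambda st, s, t, o: has(st, s, o, "d") and has(st, t, o, "w"),
                    lambda st, s, t, o: st | {(t, o, "d")}),   # enter d into M[t,o]
    "revoke_write": (lambda st, s, t, o: has(st, s, o, "d") and s != t,
                     lambda st, s, t, o: st - {(t, o, "w")}),  # delete w from M[t,o]
}

def safety_witness(initial, target, max_depth):
    """Depth-bounded breadth-first search over request sequences: returns the
    shortest sequence putting right target = (s, o, r) into the matrix, or None
    if no sequence of at most max_depth requests does. None is not a proof of
    safety: with a create command the state space is unbounded and no bound
    suffices, which is the content of Theorem 1."""
    queue, seen = deque([(initial, [])]), {initial}
    while queue:
        state, path = queue.popleft()
        if target in state:
            return path
        if len(path) == max_depth:
            continue
        for name, (guard, effect) in COMMANDS.items():
            for s, t, o in product(SUBJECTS, SUBJECTS, OBJECTS):
                if guard(state, s, t, o):
                    nxt = effect(state, s, t, o)
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append((nxt, path + [(name, s, t, o)]))
    return None
```

Asking whether Bob can ever delete exe returns the two-request witness share_write then give_delete; asking whether Bob can ever execute doc returns None, which only says "not within the bound".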
Rice Theorem
Halting problem
Q: Does program25.c halt?
More generally, we can ask different questions.
[Diagram: program25.c → "expert system" (algorithm for Q) → Y/N]
Other Interesting Questions
Example Questions:
Q1: Does program25.c always return 0?
Q2: Does program25.c compute the sum of two 32-bit integers correctly?
Q3: Do 2 programs do the same thing?
Etc.
Answer [Rice 1953]: there is no algorithm that can solve this problem.
[Diagram: program25.c → decision algorithm → Y/N]
The Anti-Virus Software
Theorem [Rice]: there is no algorithm that decides whether a given program is a virus.
Such programs are mathematically strictly impossible.
But this does not prevent the software security industry from being worth 9.1 G$ in 2007 [Gartner].
Beware, important: it does not prevent a program from detecting all malware; 100 % security (detecting all malware) is possible, but then it is also certain that
=> such a program will be "secure" (the exact notion of secure, as opposed to the broad one, was defined in a much less general context)
• it will produce false alarms: programs that are not viruses will be reported as such. This is inevitable.
Back to Access Control
We need a simpler model.
Take-Grant Model
Take-Grant Model [Jones, Lipton, Snyder 1976]
Was invented to address the safety problem: here it becomes decidable.
Based on graphs.
[Diagram: an edge from x to y labelled r, meaning "x can read y".]
Take-Grant Model
• A set S of Subjects (e.g. processes) which can execute privileges in the system.
• A set O of Objects (e.g. files) on which the privileges can be executed.
• A directed graph G = (S ∪ O, E) of authorizations, where E ⊆ (S ∪ O) × (S ∪ O).
  – Vertices can be both Subjects and Objects.
  – Edges are authorizations: they are labelled by r ∈ R (or a subset of R), which specifies the rights the source vertex has over the destination vertex.
  – R is a pre-defined set of rights, containing at least two distinguished administrative-type rights: t (take) and g (grant).
• Example: R = {r,w,t,g}.
Graph Rewriting
Here the evolution of the permissions with time is represented as rewriting a graph (to create another graph) according to a fixed set of 4 administrative rules called "de jure" (by law) rules:
• take
• grant
• create
• remove
And the safety problem is formalised as follows: can a certain permission be granted after an (unlimited in time) amount of rewriting according to the rules?
Transfer of Privileges
between two subjects s, x:
• take allows subject s to take ANY privilege r of the subject x.
• grant allows s to grant ANY privilege r it possesses to subject x.
Creation of Files/Processes and Creation/Destruction of Rights
Here we have a subject s and an x that can be either a Subject or an Object.
• create allows subject s to create a new Subject/Object x with ANY chosen subset of rights A ⊆ R.
• remove allows s to remove ANY existing privilege r from its set of rights over the Subject/Object x, and deletes edges that become empty.
In both cases: voluntary limitation of rights, cf. the least privilege principle.
Take-Grant Model
Based on graphs.
Theorem: The problem of Safety can be decided in polynomial time in the number of vertices in the initial graph.
Undecidable in general (no algorithm) for the matrix model.
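The four de jure rules and the safety decision, as an added example that is not from the slides: a protection graph restricted to subject vertices, the take/grant/create/remove rewrites with their preconditions, and can_share, which decides safety for this subject-only case using a known reduction (Lipton and Snyder: a right can be obtained iff some current holder of it is reachable from the requester along t/g edges, direction ignored; this reduction is not on the slides). The constructed case x --g--> s --r--> y shows why direction does not matter: the decision says yes, and the rewrites produce the witness.

```python
from collections import deque
R = {"r", "w", "t", "g"}  # rights from the slides; t and g are the administrative ones
class TakeGrant:  # subjects only; edges[(src, dst)] = rights src holds over dst
    def __init__(self, edges=None):
        self.edges = {k: set(v) for k, v in (edges or {}).items()}
    def rights(self, x, y):
        return self.edges.get((x, y), set())
    def _add(self, x, y, rs):
        self.edges[(x, y)] = self.rights(x, y) | set(rs)
    def take(self, s, x, r, y):    # s --t--> x --r--> y   yields   s --r--> y
        assert "t" in self.rights(s, x) and r in self.rights(x, y)
        self._add(s, y, {r})
    def grant(self, s, x, r, y):   # s --g--> x, s --r--> y   yields   x --r--> y
        assert "g" in self.rights(s, x) and r in self.rights(s, y)
        self._add(x, y, {r})
    def create(self, s, x, rs):    # s creates a fresh vertex x with any subset of R
        assert set(rs) <= R and all(x not in e for e in self.edges)
        self._add(s, x, rs)
    def remove(self, s, x, rs):    # s gives up rights over x; an emptied edge vanishes
        left = self.rights(s, x) - set(rs)
        self.edges.pop((s, x), None)
        if left:
            self.edges[(s, x)] = left
    def can_share(self, x, a, y):
        """Decide safety for subject-only graphs (Lipton-Snyder result, not on the slides):
        true iff a vertex already holding a over y is reachable from x along t/g edges,
        direction ignored. Linear in the size of the graph."""
        seen, queue = {x}, deque([x])
        while queue:
            s = queue.popleft()
            if a in self.rights(s, y):
                return True
            for (u, v), rs in self.edges.items():
                if s in (u, v) and rs & {"t", "g"}:
                    n = v if u == s else u
                    if n not in seen:
                        seen.add(n)
                        queue.append(n)
        return False

def share_across_grant_edge():
    """Constructed case x --g--> s --r--> y: x's g edge points the 'wrong' way, yet
    can_share answers yes, and the four rewrites below are the witness."""
    g = TakeGrant({("x", "s"): {"g"}, ("s", "y"): {"r"}})
    decided = g.can_share("x", "r", "y")
    g.create("x", "z", {"t", "g"})   # x --tg--> z
    g.grant("x", "s", "g", "z")      # x grants s its g over z
    g.grant("s", "z", "r", "y")      # s grants z its r over y
    g.take("x", "z", "r", "y")       # x takes r over y from z
    return decided, "r" in g.rights("x", "y")
```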
Take-Grant Model
Insufficient for many real-life applications; several things are missing here:
• Lack of selectivity.
  – take and grant apply to any right, including t and g.
• Lack of control on propagation:
  – once I grant a right to a, it can be granted to the next process b, if a has the right g on the process b;
  – also it can be taken by all subjects c that have the right t on a.