Toward A Mathematical Model of Computer Security
• Gina Duncanson
• Kevin Jonas
• Ben Lange
• John Loff-Peterson
• Ben Neigebauer
Introduction
• Computer security issues are a part of our daily life
• Model a secure computer system
Scope
• Define a secure system
• Use a practical example
• State Unwinding Theorem
Modeling a Computer System
A system M can consist of:
• a set S of STATES, where s0 is an initial state
• a set D of domains
• a set A of actions
• a set O of outputs
And Now...
Practical Example
• Today I will be talking about how one can apply the model of security that is explained in the paper we researched.
Defining M
World Wide Web sites consist of three basic components:
– Web Server
– TCP/IP Connection
– Web Browser Client
Defining S
• Web Servers always have a finite state. Generally a server travels through a cycle of states.
• s0 is wait mode on a web server.
Defining D
• A domain is a defined section of a system. All the actions of a system occur within specified domains.
• This means that we can talk about actions as they relate to a client or web server’s computer.
Defining A
• An action is similar to a verb. Two example actions include:
– A Client Inserting a URL
– A Server Processing one Code Statement
Defining O
• Outputs are the immediate result of an action. When looking at a web site an output is:
– A web server sending back a confirmation message that it exists.
– The result of one code statement.
Putting it all together
• In order for all of these events to fit together, there are several dependencies between S, D, A, & O.
Modeling a Computer System
A system M can consist of:
• function $\mathit{step}: S \times A \rightarrow S$, where $\mathit{step}(s_n, a)$ denotes the next state of the system after applying action $a$
Modeling a Computer System
A system M can consist of:
• function $\mathit{output}: S \times A \rightarrow O$, where $\mathit{output}(s, a)$ denotes the result returned by the action $a$
• Example: a “write” command to a file
Modeling a Computer System
A system M can consist of:
• function $\mathit{run}: S \times A^* \rightarrow S$
• Example: $\mathit{run}(s, \Lambda) = s$, where $\Lambda$ is the empty sequence of actions
Terminology
STATES: use the letters $s, t$
ACTIONS: use the letters $a, b$
SEQUENCES OF ACTIONS: use the Greek letters $\alpha, \beta$
DOMAINS: use the letters $u, v, w$
Communication
Two domains u,v communicate if there is an information flow channel between them.
Definition
• Security Policy:
A set of rules defining what domains can communicate.
Specified by a reflexive relation on the set of domains D.
Definition
• Security:
A system is secure if the given security policy of the system completely defines all possible communication channels.
Security
• 2 ASSUMPTIONS:
– a set of security domains {u, v}
– a policy that restricts the allowable flow of information among the domains above
And Now...
![Page 22: Toward A Mathematical Model of Computer Security Gina Duncanson Kevin Jonas Ben Lange John Loff-Peterson Ben Neigebauer](https://reader035.vdocument.in/reader035/viewer/2022081519/56649dc75503460f94abbc56/html5/thumbnails/22.jpg)
Noninterference
• The idea of noninterference is really rather simple: a security domain u is non-interfering with domain v if no action performed by u can influence subsequent outputs seen by v.
Intransitive Noninterference
• Let u not see v but u see x and x see v where u,v, and x are domains. This is an example of intransitive noninterference.
• In short, intransitive noninterference means there is no direct communication between u and v.
Intransitive Noninterference
And Now...
Definition ~ purge
$\mathit{purge}(\Lambda, v) = \Lambda$
$\mathit{purge}(a \circ \alpha, v) = a \circ \mathit{purge}(\alpha, v)$ if $\mathit{dom}(a)$ interferes with $v$
$\mathit{purge}(a \circ \alpha, v) = \mathit{purge}(\alpha, v)$ otherwise
Security
• Security is identified by:
$\mathit{output}(\mathit{run}(s_0, \alpha), a) = \mathit{output}(\mathit{run}(s_0, \mathit{purge}(\alpha, \mathit{dom}(a))), a)$
Restating the Expressions
$\mathit{output}(\mathit{run}(s_0, \alpha), a)$
$\mathit{do}: A^* \rightarrow S$
$\mathit{test}: A^* \times A \rightarrow O$
$\mathit{do}(\alpha) = \mathit{run}(s_0, \alpha)$
$\mathit{test}(\alpha, a) = \mathit{output}(\mathit{do}(\alpha), a)$
Security
• Security is now identified by:
$\mathit{test}(\alpha, a) = \mathit{test}(\mathit{purge}(\alpha, \mathit{dom}(a)), a)$
View-Partitioned
• View-Partitioned
• Equivalence Relation
• Output Consistent
And Now...
![Page 32: Toward A Mathematical Model of Computer Security Gina Duncanson Kevin Jonas Ben Lange John Loff-Peterson Ben Neigebauer](https://reader035.vdocument.in/reader035/viewer/2022081519/56649dc75503460f94abbc56/html5/thumbnails/32.jpg)
Test and Do
Test and do are abbreviations of frequently used expressions:
$\mathit{do}(\alpha) = \mathit{run}(s_0, \alpha)$
$\mathit{test}(\alpha, a) = \mathit{output}(\mathit{do}(\alpha), a)$
Then we say that a system is secure for the policy if
$\mathit{test}(\alpha, a) = \mathit{test}(\mathit{purge}(\alpha, \mathit{dom}(a)), a)$
Output Consistency
A system M is view-partitioned if, for each domain $u \in D$, there is an equivalence relation $\sim_u$ on S.
These equivalence relations are said to be output consistent if
$s \sim_{\mathit{dom}(a)} t \Rightarrow \mathit{output}(s, a) = \mathit{output}(t, a)$
The output after executing action $a$ is the same for the states $s$ and $t$, so $s$ and $t$ are equivalent views.
Views
For an output consistent system, security is achieved if “views” are unaffected. Let a policy be given and M a view-partitioned, output consistent system such that
$\mathit{do}(\alpha) \sim_u \mathit{do}(\mathit{purge}(\alpha, u))$
This means that performing the sequence $\alpha$ is, in the view of $u$, equivalent to executing the purged version.
Then M is secure for the policy.
Views
Proof:
Setting $u = \mathit{dom}(a)$ in the statement of the lemma gives
$\mathit{do}(\alpha) \sim_{\mathit{dom}(a)} \mathit{do}(\mathit{purge}(\alpha, \mathit{dom}(a)))$
and now, with these two states in the roles of $s$ and $t$, output consistency provides
$\mathit{output}(\mathit{do}(\alpha), a) = \mathit{output}(\mathit{do}(\mathit{purge}(\alpha, \mathit{dom}(a))), a)$
Views
But this is simply
$\mathit{test}(\alpha, a) = \mathit{test}(\mathit{purge}(\alpha, \mathit{dom}(a)), a)$
which is the definition of security for the policy listed before.
Unwinding Theorem
Why is the unwinding theorem important?
• It provides a basis for practical methods for verifying systems that enforce noninterference policies
• Serves to relate noninterference policies to access control mechanisms.
Unwinding Theorem
What is the Unwinding Theorem?
It is hard to work with sequences of actions. The unwinding theorem states that if the security policy holds for each action, then it holds for the sequence.
Unwinding Theorem
More Formally
Let a policy be given and M a view-partitioned system that is:
• output consistent
• step consistent
• locally respects the policy
Then M is secure for the policy.
Questions
Any Questions??
References
• “Noninterference, Transitivity, and Channel-Control Security Policies” by John Rushby
• “Problems in Computer Security” by Auerbach, Kerbel, Megraw, Osburn, Shetty with mentor John Hoffman
Thank You
• Dr. Steve Decklemen