Outline for January 11, 2016
Reading: text, §2, 3.1–3.2
Due: Presentation paper selection, Jan. 22; Project selection, Jan. 22; Homework 1, Jan. 25
- Access control matrix and entities
- State is (S, O, A) where S subjects, O objects, A access control matrix
- Entries are rights (represent abstract notions)
- Primitive operations
- enter r into A[s, o]
- delete r from A[s, o]
- create subject s (note that ∀ x [ A[s′, x] = A[x, s′] = ∅ ])
- create object o (note that ∀ x [ A[x, o′] = ∅ ])
- destroy subject s
- destroy object o
- Commands and examples
- Regular command: create•file
- Mono-operational command: make•owner
- Conditional command: grant•rights
- Biconditional command: grant•read•if•r•and•c
- Doing “or” of 2 conditions: grant•read•if•r•or•c
- Miscellaneous points
- Copy flag and right
- Own as a distinguished right
- Principle of attenuation of privilege
- What is the safety question?
- An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
- Question: in a given arbitrary protection system, is safety decidable?
- Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
- General case: It is undecidable whether a given state of a given protection system is safe for a given generic right.
- Approach: represent Turing machine tape as access control matrix, transitions as commands
- Reduce halting problem to it
- Related results
- The set of unsafe systems is recursively enumerable
- Monotonicity: no delete or destroy primitive operations
- The safety question for biconditional monotonic protection systems is undecidable.
- The safety question for monoconditional monotonic protection systems is decidable.
- The safety question for monoconditional protection systems without the destroy primitive operation is decidable.