January 5, 2022 Outline

Reading: text, §2, 3.1–3.3
Due: Homework #1, due January 19; Project Selection, due January 21

Module 5

  1. Attribute-Based Access Control Matrix [1]
    1. Attributes
    2. Predicates
    3. Modified primitive operations
    4. Commands
Module 6
  1. What is the safety question?
    1. An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
    2. Question: in a given arbitrary protection system, is safety decidable?
  2. Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
  3. General case: It is undecidable whether a given state of a given protection system is safe for a given generic right. [2]
    1. Approach: represent Turing machine tape as access control matrix, transitions as commands
    2. Reduce halting problem to it
  4. Related results
    1. The set of unsafe systems is recursively enumerable
    2. Monotonicity: no delete or destroy primitive operations
    3. The safety question for biconditional monotonic protection systems is undecidable.
    4. The safety question for monoconditional monotonic protection systems is decidable.
    5. The safety question for monoconditional protection systems without the destroy primitive operation is decidable.
Module 7
  1. Take-Grant Protection Model
    1. Counterpoint to HRU result
    2. Symmetry of take and grant rights
    3. Islands (maximal subject-only tg-connected subgraphs)
    4. Bridges (as a combination of terminal and initial spans)
Module 8
  1. Sharing
    1. Definition: can•share(α, x, y, G0) true iff there exists a sequence of protection graphs G0, …, Gn such that G0* Gn using only take, grant, create, remove rules and in Gn, there is an edge from x to y labeled α
    2. Theorem: can•share(r, x, y, G0) iff there is an edge from x to y labeled r in G0, or all of the following hold:
      1. there is a vertex y′ with an edge from y′ to y labeled r;
      2. there is a subject y′′ which terminally spans to y′, or y′′ = y′;
      3. there is a subject x′ which initially spans to x, or x′ = x; and
      4. there is a sequence of islands I1, …, In connected by bridges for which x′I1 and y′In.

References

  1. X. Zhang, Y. Li, and D. Nalla, “An Attribute-Based Access Control Matrix Model,” Proceedings of the 2005 ACM Symposium on Applied Computing pp. 359–363 (Mar. 2005); DOI: 10.1145/1066677.1066760.
  2. M. Tripunitara and N. Li, “The Foundational Work of Harrison-Ruzzo-Ullman Revisited,” IEEE Transactions on Dependable and Secure Computing 10(1) pp. 280–309 (Jan. 2013); DOI: 10.1109/TDSC.2012.77.
UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 235B, Foundations of Computer and Information Security
Version of January 10, 2022 at 11:38PM

 You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh