January 12, 2023 Outline
Reading: text, §2, 3.1–3.4.4, [1,2]
Due: Homework #1, due January 24; Project Selection, due January 26
- Attribute-Based Access Control Matrix [1]
- Attributes
- Predicates
- Modified primitive operations
- Commands
- What is the safety question?
- An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
- Question: in a given arbitrary protection system, is safety decidable?
- Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
- General case: It is undecidable whether a given state of a given protection system is safe for a given generic right. [2]
- Approach: represent Turing machine tape as access control matrix, transitions as commands
- Reduce halting problem to it
- Related results
- The set of unsafe systems is recursively enumerable
- Monotonicity: no delete or destroy primitive operations
- The safety question for biconditional monotonic protection systems is undecidable.
- The safety question for monoconditional monotonic protection systems is decidable.
- The safety question for monoconditional protection systems without the destroy primitive operation is decidable.
- Take-Grant Protection Model
- Counterpoint to HRU result
- Symmetry of take and grant rights
- Islands (maximal subject-only tg-connected subgraphs)
- Bridges (as a combination of terminal and initial spans)
- Sharing
- Definition: can•share(α, x, y, G_{0}) is true iff there exists a sequence of protection graphs G_{0}, …, G_{n} such that G_{0} ⊢^{*} G_{n}, there is an edge from x to y labeled α
- Theorem: can•share(r, x, y, G_{0}) iff there is an edge from x to y labeled r in G_0, or all of the following hold:
- there is a vertex y′ with an edge from y′ to y labeled r;
- there is a subject y′′ which terminally spans to y′, or y′′ = y′;
- there is a subject x′ which initially spans to x, or
x′ = x; and
- there is a sequence of islands I_{0}, …, I_{n} connected by bridges for which x′ ∈ I_{1} and y′′ ∈ I_{n}.
- Model Interpretation
- ACM very general, broadly applicable; Take-Grant more specific, can model fewer situations
- Example: shared buffer managed by trusted third party
- can•steal(r, x, y, G_{0}) definition and theorem
- Conspiracy
- What is of interest?
- Access, deletion sets
- Conspiracy graph
- Number of conspirators
- Schematic Protection Model
- Protection type, ticket, function, link predicate, filter function
- Take-Grant as an instance of SPM
- Create rules and attenuation
References
- X. Zhang, Y. Li, and D. Nalla, “An Attribute-Based Access Control Matrix Model,” Proceedings of the 2005 ACM Symposium on Applied Computing pp. 359–363 (Mar. 2005);
DOI: 10.1145/1066677.1066760.
- M. Tripunitara and N. Li, “The Foundational Work of Harrison-Ruzzo-Ullman Revisited,” IEEE Transactions on Dependable and Secure Computing 10(1) pp. 280–309 (Jan. 2013);
DOI: 10.1109/TDSC.2012.77.