January 10, 2024 Outline

Reading: text, §2.3–2.4, 3.1–3.3; [1,2]
Due: Homework #1, due January 19; Project selection, due January 26

Module 4 (Reading: text: §2.3–2.4)

  1. Primitive operations
    1. enter r into A[s, o]
    2. delete r from A[s, o]
    3. create subject s (note that ∀ x [ A[s′, x] = A[x, s′] = ∅ ])
    4. create object o (note that ∀ x [ A[s, o′] = ∅ ])
    5. destroy subject s
    6. destroy object o
  2. Commands and examples
    1. Regular command: create•file
    2. Mono-operational command: make•owner
    3. Conditional command: grant•rights
    4. Biconditional command: grant•read•if•r•and•c
    5. Doing “or” of 2 conditions: grant•read•if•r•or•c
    6. General form
  3. Miscellaneous points
    1. Copy flag and right
    2. Own as a distinguished right
    3. Principle of attenuation of privilege

Module 5 (Reading: [1])

  1. Attribute-Based Access Control Matrix
    1. Attributes
    2. Predicates
    3. Modified primitive operations
    4. Commands

Module 6 (Reading: text: §3.1–3.2; [2])

  1. What is the safety question?
    1. An unauthorized state is one in which a generic right r could be leaked into an entry in the ACM that did not previously contain r. An initial state is safe for r if it cannot lead to a state in which r could be leaked.
    2. Question: in a given arbitrary protection system, is safety decidable?
  2. Mono-operational case: there is an algorithm that decides whether a given mono-operational system and initial state is safe for a given generic right.
  3. General case: It is undecidable whether a given state of a given protection system is safe for a given generic right.
    1. Approach: represent Turing machine tape as access control matrix, transitions as commands
    2. Reduce halting problem to it
  4. Related results
    1. The set of unsafe systems is recursively enumerable
    2. Monotonicity: no delete or destroy primitive operations
    3. The safety question for biconditional monotonic protection systems is undecidable.
    4. The safety question for monoconditional monotonic protection systems is decidable.
    5. The safety question for monoconditional protection systems without the destroy primitive operation is decidable.

Module 7 (Reading: text: §3.3)

  1. Take-Grant Protection Model
    1. Counterpoint to HRU result
    2. Symmetry of take and grant rights
    3. Islands (maximal subject-only tg-connected subgraphs)
    4. Bridges (as a combination of terminal and initial spans)

References

  1. X. Zhang, Y. Li, and D. Nalla, “An Attribute-Based Access Control Matrix Model,” Proceedings of the 2005 ACM Symposium on Applied Computing pp. 359–363 (Mar. 2005);
    doi: 10.1145/1066677.1066760.
  2. M. Tripunitara and N. Li, “The Foundational Work of Harrison-Ruzzo-Ullman Revisited,” IEEE Transactions on Dependable and Secure Computing 10(1) pp. 280–309 (Jan. 2013);
    doi: 10.1109/TDSC.2012.77.

UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 235B, Foundations of Computer and Information Security
Version of January 11, 2024 at 11:53PM

 You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh