山东大学计算机安全课件 Foundational Results
合集下载
相关主题
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
Purpose of this section
Discussion on the basic questions of the art and science of computer security
◦ Under what conditions can a generic algorithm determine whether a system is secure? ◦ Whether there exist such an algorithm?
Computer Security -4 2011 fall 11
Symbols and states Mapping
The tape symbols and states in T are mapping (->) to generic rights in ACM
each cell -> a subject and define a distinguished right called own such that si owns si+1 for 1 i < k
What Is “Secure”?
◦ Adding a generic right r where there was not one is “leaking” ◦ If a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r.
From the view of ACM
Computer Security -4
2011 fall
6
Safety Question
Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r?
Computer Security -4
2011 fall
3
Contents
Safety Question Harrison-Ruzzo-Ullman result Take-Grant Protection Model Open problem
Computer Security -4
Computer Security -4
2011 fall
17
Rest of Proof
Protection system exactly simulates a TM
◦ Exactly 1 end right in ACM ◦ 1 right in entries corresponds to state ◦ Thus, at most 1 applicable command
2011 fall
4
Contents
Safety Question Harrison-Ruzzo-Ullman result Take-Grant Protection Model Open problem
Computer Security -4
2011 fall
5
1.Safety Question
Computer Security -4 2011 fall 12
Symbols and states Mapping
1 2 3 4
A
B
C
D
… s1
s1 A
s2 own B
s3
s4
head
s2 s3 s4
own Ck own D end
Current state is k
Computer Security -4
Computer Security -4
2011 fall
15
Transition function Mapping
1 2 3 4 5
A
B
X
Y
b s1 head s2 s3 s4 s5
s1 A
s2 own B
s3
s4
s5
own X own Y own b k2 end
After δ(k1, D) = (k2, Y, R) where k1 is the current state and k2 the next state
Computer Security -4
2011 fall
10
General Case
Answer: no Sketch of proof:
Reduce halting problem to safety problem Turing Machine (T) review: ◦ Infinite tape in one direction ◦ States K, symbols M; distinguished blank b ◦ Transition function δ(k, m) = (k′, m′, L) means in state k, symbol m on tape location replaced by symbol m′, head moves to left one square, and enters state k′ ◦ Halting state is qf; TM halts when it enters this state
◦ Uppercase for symbols and lowercase for states ◦ one right for each symbol and one for each state.
◦ cell i contains A ->a(si, si)=A and a(si, si+1)=own. ◦ The right most cell in ACM a(sk, sk)={symble,end} ◦ if the head is in cell j and T is in state p -> a(si, si)=p
Computer Security -4
2011 fall
9
Mono-Operational Commands
Answer: yes Sketch of proof:
Consider minimal sequence of commands c1, …, ck to leak the right. ◦ Can omit delete, destroy ◦ Can merge all creates into one Worst case: insert every right into every entry; with s subjects and o objects initially, and n rights, upper bound is k ≤ n(s+1)(o+1) Answer: yes
◦ Here, “safe” = “secure” for an abstract model
Computer Security -4
2011 fall
7
Contents
Safety Question Harrison-Ruzzo-Ullman result Take-Grant Protection Model Open problem
Computer Security -4
2011 fall
8
2. The HRU result
In 1976, Harrison, Ruzzo, and Ullman (HRU)proved that in the most general abstract case, the security of computer systems was undecidable and explored some of the limits of this result.
Computer Security -4 2011 fall 2
Purpose of this section
Understanding models and the results derived from them lays the foundations for coping with limits in policy and policy composition as well as applying the theoretical work.
Computer Security -4
wenku.baidu.com
2011 fall
16
Command Mapping
δ(k1, D) = (k2, Y, R) at end becomes command crightmostk,C(s4,s5) if end in A[s4,s4] and k1 in A[s4,s4] and D in A[s4,s4] then delete end from A[s4,s4]; create subject s5; enter own into A[s4,s5]; enter end into A[s5,s5]; delete k1 from A[s4,s4]; delete D from A[s4,s4]; enter Y into A[s4,s4]; enter k2 into A[s5,s5]; end
2011 fall
13
Transition function Mapping
Transition function ->commands in ACM
1 2 3 4
A
B
X
D
… s1
s1 A
s2 own B
s3
s4
head
s2 s3 s4
own X own D k1 end
After δ(k, C) = (k1, X, R) where k is the current state and k1 the next state
If TM enters state qf, then right has leaked If safety question decidable, then represent TM as above and determine if qf leaks Conclusion: safety question undecidable
Basic results:
◦ In the most general abstract case, the security of computer systems is undecidable ◦ In some specific systems, security is decidable in time linear with the size of the system. ◦ examine what made the general, abstract case undecidable but at least one specific case decidable.
◦ Implies halting problem decidable
Computer Security -4
2011 fall
18
Other Results
Delete create primitive; then safety question is complete in P-SPACE Delete destroy, delete primitives; then safety question is undecidable ◦ Systems are monotonic Safety question for mono-conditional, monotonic protection systems is decidable Safety question for monoconditional protection systems with create, enter, delete (and no destroy) is decidable. Set of unsafe systems is recursively enumerable
Computer Security -4
2011 fall
14
Transition function Mapping
δ(k, C) = (k1, X, R) at intermediate becomes command ck,C(s3,s4) if own in A[s3,s4] and k in A[s3,s3] and C in A[s3,s3] then delete k from A[s3,s3]; delete C from A[s3,s3]; enter X into A[s3,s3]; enter k1 into A[s4,s4]; end
Discussion on the basic questions of the art and science of computer security
◦ Under what conditions can a generic algorithm determine whether a system is secure? ◦ Whether there exist such an algorithm?
Computer Security -4 2011 fall 11
Symbols and states Mapping
The tape symbols and states in T are mapping (->) to generic rights in ACM
each cell -> a subject and define a distinguished right called own such that si owns si+1 for 1 i < k
What Is “Secure”?
◦ Adding a generic right r where there was not one is “leaking” ◦ If a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r.
From the view of ACM
Computer Security -4
2011 fall
6
Safety Question
Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r?
Computer Security -4
2011 fall
3
Contents
Safety Question Harrison-Ruzzo-Ullman result Take-Grant Protection Model Open problem
Computer Security -4
Computer Security -4
2011 fall
17
Rest of Proof
Protection system exactly simulates a TM
◦ Exactly 1 end right in ACM ◦ 1 right in entries corresponds to state ◦ Thus, at most 1 applicable command
2011 fall
4
Contents
Safety Question Harrison-Ruzzo-Ullman result Take-Grant Protection Model Open problem
Computer Security -4
2011 fall
5
1.Safety Question
Computer Security -4 2011 fall 12
Symbols and states Mapping
1 2 3 4
A
B
C
D
… s1
s1 A
s2 own B
s3
s4
head
s2 s3 s4
own Ck own D end
Current state is k
Computer Security -4
Computer Security -4
2011 fall
15
Transition function Mapping
1 2 3 4 5
A
B
X
Y
b s1 head s2 s3 s4 s5
s1 A
s2 own B
s3
s4
s5
own X own Y own b k2 end
After δ(k1, D) = (k2, Y, R) where k1 is the current state and k2 the next state
Computer Security -4
2011 fall
10
General Case
Answer: no Sketch of proof:
Reduce halting problem to safety problem Turing Machine (T) review: ◦ Infinite tape in one direction ◦ States K, symbols M; distinguished blank b ◦ Transition function δ(k, m) = (k′, m′, L) means in state k, symbol m on tape location replaced by symbol m′, head moves to left one square, and enters state k′ ◦ Halting state is qf; TM halts when it enters this state
◦ Uppercase for symbols and lowercase for states ◦ one right for each symbol and one for each state.
◦ cell i contains A ->a(si, si)=A and a(si, si+1)=own. ◦ The right most cell in ACM a(sk, sk)={symble,end} ◦ if the head is in cell j and T is in state p -> a(si, si)=p
Computer Security -4
2011 fall
9
Mono-Operational Commands
Answer: yes Sketch of proof:
Consider minimal sequence of commands c1, …, ck to leak the right. ◦ Can omit delete, destroy ◦ Can merge all creates into one Worst case: insert every right into every entry; with s subjects and o objects initially, and n rights, upper bound is k ≤ n(s+1)(o+1) Answer: yes
◦ Here, “safe” = “secure” for an abstract model
Computer Security -4
2011 fall
7
Contents
Safety Question Harrison-Ruzzo-Ullman result Take-Grant Protection Model Open problem
Computer Security -4
2011 fall
8
2. The HRU result
In 1976, Harrison, Ruzzo, and Ullman (HRU)proved that in the most general abstract case, the security of computer systems was undecidable and explored some of the limits of this result.
Computer Security -4 2011 fall 2
Purpose of this section
Understanding models and the results derived from them lays the foundations for coping with limits in policy and policy composition as well as applying the theoretical work.
Computer Security -4
wenku.baidu.com
2011 fall
16
Command Mapping
δ(k1, D) = (k2, Y, R) at end becomes command crightmostk,C(s4,s5) if end in A[s4,s4] and k1 in A[s4,s4] and D in A[s4,s4] then delete end from A[s4,s4]; create subject s5; enter own into A[s4,s5]; enter end into A[s5,s5]; delete k1 from A[s4,s4]; delete D from A[s4,s4]; enter Y into A[s4,s4]; enter k2 into A[s5,s5]; end
2011 fall
13
Transition function Mapping
Transition function ->commands in ACM
1 2 3 4
A
B
X
D
… s1
s1 A
s2 own B
s3
s4
head
s2 s3 s4
own X own D k1 end
After δ(k, C) = (k1, X, R) where k is the current state and k1 the next state
If TM enters state qf, then right has leaked If safety question decidable, then represent TM as above and determine if qf leaks Conclusion: safety question undecidable
Basic results:
◦ In the most general abstract case, the security of computer systems is undecidable ◦ In some specific systems, security is decidable in time linear with the size of the system. ◦ examine what made the general, abstract case undecidable but at least one specific case decidable.
◦ Implies halting problem decidable
Computer Security -4
2011 fall
18
Other Results
Delete create primitive; then safety question is complete in P-SPACE Delete destroy, delete primitives; then safety question is undecidable ◦ Systems are monotonic Safety question for mono-conditional, monotonic protection systems is decidable Safety question for monoconditional protection systems with create, enter, delete (and no destroy) is decidable. Set of unsafe systems is recursively enumerable
Computer Security -4
2011 fall
14
Transition function Mapping
δ(k, C) = (k1, X, R) at intermediate becomes command ck,C(s3,s4) if own in A[s3,s4] and k in A[s3,s3] and C in A[s3,s3] then delete k from A[s3,s3]; delete C from A[s3,s3]; enter X into A[s3,s3]; enter k1 into A[s4,s4]; end