© 2004 Ravi Sandhu, www.list.gmu.edu
The Schematic Protection Model (SPM)
Ravi Sandhu, Laboratory for Information Security Technology, George Mason University
The Access Matrix Model, Lampson 1971
• In SPM objects only have columns
• SPM subjects can be active or passive
• Subjects and objects are collectively called entities
[Figure: access matrix with rows labelled entities and columns labelled objects]
SPM Protection Scheme
1. A finite set of entity types T partitioned into subject types TS and object types TO.
2. A finite set of right symbols R partitioned into inert rights RI and control rights RC. Ticket types are thereby T × R.
3. A finite collection of local link predicates {link_i | i = 1 . . . N}.
4. A filter function f_i: TS × TS → 2^(T × R) corresponding to each link_i.
5. The demand function d: TS → 2^(T × R).
6. The can-create relation cc ⊆ TS × T. Equivalently, cc: TS → 2^T.
7. A local create-rule for each pair in cc.
SPM links, filter functions and copy flag
[Figure: link_i from A to B; filter f_i applied to (t(A), t(B))]
• Y/x ∈ dom(A): cannot be copied
• Y/xc ∈ dom(A): Y/xc or Y/x can be copied provided
  - some link_i exists
  - f_i authorizes flow of Y/xc or Y/x respectively
principle of discretionary propagation, or principle of attenuation: you can propagate what you have but no more
copy flag turns out to be unnecessary and circumventable
Examples of link predicates
1. link(X, Y) ⇔ Y/g ∈ dom(X) ∨ X/t ∈ dom(Y)
2. link(X, Y) ⇔ X/t ∈ dom(Y)
3. link(X, Y) ⇔ Y/g ∈ dom(X)
4. link(X, Y) ⇔ Y/s ∈ dom(X) ∧ X/g ∈ dom(Y)
5. link(X, Y) ⇔ X/b ∈ dom(X)
6. link(X, Y) ⇔ Y/p ∈ dom(Y)
7. link(X, Y) ⇔ X/b ∈ dom(X) ∧ Y/p ∈ dom(Y)
8. link(X, Y) ⇔ true
Examples of filter functions
1. f(a, b) = T × R
2. f(a, b) = TO × RI
3. f(a, b) = ∅
4. f(a, b) = T × {r | r ∈ R}, i.e. no copy flag
SPM demand operation
[Figure: subject A obtains tickets of the types in d(t(A)) by demand]
certain types of tickets can be obtained simply by demanding them
SPM create operation
• object creation
  cr(a.parent, b.child) ⊆ {b.child/x:c | x ∈ RI}
• subject creation
  cr(a.parent, b.child) = LEFT | RIGHT
  LEFT ⊆ {a.parent/x:c, b.child/x:c | x ∈ R}
  RIGHT ⊆ {a.parent/x:c, b.child/x:c | x ∈ R}
  LEFT goes to parent
  RIGHT goes to child
[Figure: A creates A′]
SPM create operation: attenuating loops
• subject creation of same type as parent
  cr(a.parent, a.child) = LEFT | RIGHT
  LEFT ⊆ {a.parent/x:c, a.child/x:c | x ∈ R}
  RIGHT ⊆ {a.parent/x:c, a.child/x:c | x ∈ R}
• attenuating loops require
  RIGHT ⊆ LEFT
  a.child/x:c ∈ LEFT ⇒ a.parent/x:c ∈ LEFT
[Figure: A creates A′ of the same type]
SPM Scheme I: Basic owner-based policy
1) TS = {user}, TO = {file}
2) RI = {x:c}, RC = ∅
3) link_u(X, Y) ⇔ true
4) f_u(user, user) = {file/xc}
5) d(user) = ∅
6) cc(user) = {file}
7) cr(user, file) = {file/xc}
SPM Scheme II: Owner-based policy with owner-defined groups
(1) TS = {user, group}, TO = {file}
(2) RI = {x:c}, RC = {g:c}
(3) link_u(X, Y) ⇔ true
    link_g(X, Y) ⇔ Y/g ∈ dom(X)
(4) f_u(user, user) = {file/xc}
    f_u(user, group) = f_u(group, user) = f_u(group, group) = ∅
    f_g(user, user) = f_g(group, group) = f_g(user, group) = {file/xc, user/g}
    f_g(group, user) = {file/x}
(5) d(user) = {user/gc}
(6) cc(user) = {file, group}
    cc(group) = ∅
(7) cr(user, file) = {file/xc}
    cr(user, group) = {group/g} |
SPM Scheme VI: Basic Take-Grant Model
1. TS = {sub}, TO = {file}
2. RI = {x:c}, RC = {t:c, g:c}
3. link(X, Y) ⇔ Y/g ∈ dom(X) ∨ X/t ∈ dom(Y)
4. f(sub, sub) = T × R
5. d(sub) = ∅
6. cc(sub) = {file, sub}
7. cr(sub, file) = {file/xc}
   cr(sub, sub) = {sub.child/tgc} |
creation is acyclic with loops, but the create-rule cr(sub, sub) is not attenuating
Creation in Take-Grant
• subjects in initial state: may or may not have self tgc tickets
• created subjects without loss of generality will have self tgc tickets (in worst-case)
[Figure: A creates A′; A holds A′/tgc and A′ holds A′/tgc]
SPM Scheme VII: Basic Take-Grant Model, acyclic attenuating
1. TS = {isub, csub}, TO = {file}
2. RI = {x:c}, RC = {t:c, g:c}
3. link(X, Y) ⇔ Y/g ∈ dom(X) ∨ X/t ∈ dom(Y)
4. f(isub, isub) = T × R
   f(isub, csub) = T × R
   f(csub, isub) = T × R
   f(csub, csub) = T × R
5. d(sub) = ∅
6. cc(isub) = {file, csub}
   cc(csub) = {file, csub}
7. cr(isub, file) = {file/xc}
   cr(csub, file) = {file/xc}
   cr(isub, csub) = {csub.child/tgc} |
   cr(csub, csub) = {csub.child/tgc, csub.parent/tgc} |
cr(csub, csub) is attenuating
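As an added example (not from Sandhu's slides), the two attenuating-loop conditions from the "attenuating loops" slide checked directly against the cr(sub, sub) rule of Scheme VI and the cr(csub, csub) rule of Scheme VII. The slides do not show the RIGHT halves of these rules, so RIGHT = {child/tgc} for both is an assumption here (the worst case from the "Creation in Take-Grant" slide).

```python
# A ticket in a create-rule is (holder, right, copy_flag) with holder "parent"
# or "child"; the slides' shorthand tgc expands to the two tickets t:c and g:c.
def tgc(holder):
    return {(holder, "t", True), (holder, "g", True)}

def is_attenuating(left, right):
    """cr(a, a) = LEFT | RIGHT is attenuating iff
       (1) RIGHT is a subset of LEFT, and
       (2) a.child/x:c in LEFT implies a.parent/x:c in LEFT,
    i.e. the parent gains nothing for the child that it does not also hold
    for itself, and the child gets no more than the parent does."""
    if not right <= left:
        return False
    return all(("parent", r, c) in left
               for holder, r, c in left if holder == "child")

# Scheme VI: LEFT = {sub.child/tgc}; RIGHT = {sub.child/tgc} is assumed.
SCHEME_VI = (tgc("child"), tgc("child"))
# Scheme VII: LEFT = {csub.child/tgc, csub.parent/tgc}; RIGHT assumed as above.
SCHEME_VII = (tgc("child") | tgc("parent"), tgc("child"))

def check(scheme):
    """Return whether the scheme's (LEFT, RIGHT) loop rule is attenuating."""
    return is_attenuating(*scheme)
```

Scheme VI fails condition (2): the parent obtains sub.child/tgc without holding sub.parent/tgc, which is exactly why its loop is not attenuating while Scheme VII's is.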
flow function
• for a given state h
  flow_h: SUB_h × SUB_h → 2^(T × R)
• by convention flow_h(A, A) = T × R
• flow_h can be computed in O(|T × R| · |SUB_h|^3)
flow in take-grant
• initial state
  flow_0(A, B) = T × R
  flow_0(B, A) = ∅
• derived state h
  flow_h(A, B) = T × R
  flow_h(B, A) = T × R
[Figure: B holds A/t; A creates A′ and holds A′/tgc; tickets A/tc and A′/tgc propagate in the derived state]
maximal state
• a derived state with maximum flow between all subjects in SUB0
• flow*: SUB0 × SUB0 → 2^(T × R) is the flow function in a maximal state
• because of monotonicity a maximal state is guaranteed to exist
• typically there will be an infinite number of maximal states
no-creates maximal state
• a derived state without any create operations with maximum flow between all subjects in SUB0
• flow#: SUB0 × SUB0 → 2^(T × R) is the flow function in a no-creates maximal state
• a no-creates maximal state can be computed in O(N · |T × R| · |SUB0|^5) where N is the number of link predicates
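As an added example (not from Sandhu's slides), a fixpoint computation of the no-creates maximal state for a tiny take-grant style scheme, used to probe flow(A, B) for one ticket type, reproducing the two states of the "flow in take-grant" slide. The entity names A, B, A2 (standing in for A′) and their tickets are constructed; the link predicate and filter are those of Scheme VI.

```python
from itertools import product

# Constructed scheme in the style of Scheme VI: one subject type "sub", one
# object type "file", rights t, g, x, and filter f(sub, sub) = T x R.
# A ticket is a triple (entity, right, copy_flag); dom maps subject -> tickets.
ENTITY_TYPE = {"A": "sub", "B": "sub", "A2": "sub", "F": "file"}  # assumed names

def link_tg(X, Y, dom):
    """Take-grant link: link(X, Y) <=> Y/g in dom(X) or X/t in dom(Y)."""
    return any(e == Y and r == "g" for e, r, _ in dom[X]) or \
           any(e == X and r == "t" for e, r, _ in dom[Y])

def filter_all(type_x, type_y):
    """f(sub, sub) = T x R: every ticket type may flow, copy flag or not."""
    return lambda ticket: True

def no_creates_maximal(dom, link=link_tg, filt=filter_all):
    """Copy tickets along links until a fixpoint: Y/x:c in dom(X) may be
    copied to dom(Z) when link(X, Z) holds and f(t(X), t(Z)) authorizes the
    ticket type. Tickets without the copy flag never move (attenuation)."""
    dom = {s: set(tickets) for s, tickets in dom.items()}
    changed = True
    while changed:
        changed = False
        for X, Z in product(dom, repeat=2):
            if X == Z or not link(X, Z, dom):
                continue
            authorized = filt(ENTITY_TYPE[X], ENTITY_TYPE[Z])
            for ticket in list(dom[X]):
                if ticket[2] and authorized(ticket) and ticket not in dom[Z]:
                    dom[Z].add(ticket)
                    changed = True
    return dom

def can_flow(dom, src, dst, ticket):
    """Probe flow(src, dst) for one ticket type: plant the ticket in dom(src),
    close the state, and check whether dst ended up holding it."""
    probe = {s: set(tickets) for s, tickets in dom.items()}
    probe[src].add(ticket)
    return ticket in no_creates_maximal(probe)[dst]

# Initial state of the "flow in take-grant" slide: B holds A/t:c, A holds nothing.
INITIAL = {"A": set(), "B": {("A", "t", True)}}
# Derived state after A creates A2 under cr(sub, sub): A and A2 both hold A2/tgc.
DERIVED = {"A": {("A2", "t", True), ("A2", "g", True)},
           "B": {("A", "t", True)},
           "A2": {("A2", "t", True), ("A2", "g", True)}}
```

In the initial state a file ticket planted at A reaches B but not the reverse; after the single create, B's ticket is taken by A2 (B took A2/g from A) and then by A (which holds A2/t), so flow_h(B, A) is no longer empty.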
maximal state for acyclic attenuating schemes
• start with initial state
• perform create operations to get unfolded state
• compute no-creates maximal state
The unfolded state
cc(a) = {a, b}
cc(b) = {b}
[Figure: the unfolded state for this can-create relation]
Safety is decidable for acyclic attenuating schemes