Other Access Control Models

Page 1: Other Access Control Models (title slide)

Page 2: The Take-Grant Protection Model

Can safety be guaranteed for a specific system? Yes, for a specific collection of commands, called the take-grant protection model.

It is a graph model in which
  subjects are represented by ● (filled vertices),
  objects are represented by ○ (hollow vertices), and
  a vertex that may be either is represented by ⊗.

Labeled edges represent the rights of the source vertex over the destination vertex. Labels are taken from a set R of rights that contains two special rights:
  t for Take
  g for Grant

Graph-rewriting rules derive new permissions from the rights in R.

Page 3: De jure rules - i

i. X creates (α to new vertex) Y: subject X adds a new vertex Y and an edge X→Y labeled α (α ⊆ R).

ii. X removes (α to) Y: subject X deletes the rights α from the label of the edge X→Y. If the label is then empty, the edge is removed.

Page 4: De jure rules - ii

iii. X takes (α to Z) from Y: requires an edge X→Y labeled t and an edge Y→Z labeled α; adds the edge X→Z labeled α.

iv. Z grants (α to Y) to X: requires an edge Z→X labeled g and an edge Z→Y labeled α; adds the edge X→Y labeled α.

In both rules only the acting vertex (X in iii, Z in iv) has to be a subject; the other vertices may be objects.

Page 5: Protection State

Protection state = the graph. State transition = rewriting the graph with one of the de jure rules.

Example: in G0, z holds t over x and α over y (the rights the derivation below needs). G0 ⊢* Gn by:
1. x creates (t, g to new) v
2. z takes (g to v) from x
3. z grants (α to y) to v
4. x takes (α to y) from v
5. v is removed

After step 4, x holds α over y, a right it did not have in G0.

Page 6: Sharing of Rights

Definition: the predicate can-share(α, x, y, G0) is true for a set of rights α and two vertices x, y iff there is a sequence of graphs G1, …, Gn with G0 ⊢* Gn, each step an application of one of the four de jure rules, and there is an α-labeled edge from x to y in Gn.

Definition: a tg-path is a sequence v0, …, vn of distinct vertices where every vi is connected to vi+1, in either direction, by an edge labeled t or g.

Definition: vertices are tg-connected if there is a tg-path between them.

Page 7: Lemma: sharing

Statement: any two subjects joined by a tg-path of length 1 can share some rights.

Proof: let X and Z be the two subjects and let Z hold α over Y. If the edge is X→Z labeled t, the take rule applies directly; if it is Z→X labeled g, the grant rule applies directly. The following lemmas cover the other two cases.

Lemma 3-1: if X and Z are subjects, Z→X is labeled t and Z→Y is labeled α, then G ⊢* G' in which X→Y is labeled α.

Page 8: Proof of Lemma 3-1

Start: Z→X labeled t, Z→Y labeled α.

Step 1: X creates (t, g to new vertex) V. Now X→V is labeled t, g.

Step 2: Z takes (g to V) from X (allowed because Z→X is labeled t and X→V carries g). Now Z→V is labeled g.

Page 9: Proof of Lemma 3-1 (continued)

Step 3: Z grants (α to Y) to V (allowed because Z→V is labeled g and Z→Y is labeled α). Now V→Y is labeled α.

Step 4: X takes (α to Y) from V (allowed because X→V is labeled t and V→Y is labeled α). Now X→Y is labeled α, as required.

Page 10: Lemma 3-2

If X and Z are subjects, X→Z is labeled g and Z→Y is labeled α, then G ⊢* G' in which X→Y is labeled α.

Observation: the take and grant rules are symmetric if the vertices on the tg-path between X and Y are subjects.

Page 11: More definitions and properties - 1

Definition: an island is a maximal tg-connected subject-only subgraph.

Lemma: a right possessed by any vertex in an island can be shared with any other vertex in the island.

Transferring rights between islands: a subject in one island must be able to take the right from a subject in another island.

Notation: {t→, t←, g→, g←} are the four basic symbols used to describe a path (the arrow gives the edge direction relative to the direction of travel). A path's word is built from these symbols with concatenation and *, as in a regular expression.

Page 12: More definitions and properties - 2

Definition: a bridge is a tg-path between two subject endpoints whose associated word is one of t→*, t←*, t→* g→ t←*, t→* g← t←*.

Observation: rights can be transferred from one endpoint of a bridge to the other.

Theorem: subject-can-share(α, x, y, G0) is true iff x and y are subjects and either there is an edge from x to y labeled α, or
  there is a subject s ∈ G0 with an s-to-y edge labeled α, and
  there are islands I1, …, In such that x ∈ I1, s ∈ In, and there is a bridge from Ij to Ij+1 for each j.

Observation: because objects cannot act, the general case must also cover a right that begins at an object or ends at an object.

Page 13: More Definitions and Properties - 3

Observation: only subjects can act, so in general a transfer begins with a right possessed by an object and ends with that right given to another object. The next two definitions describe what a subject can do for the vertex at either end.

Definition: a vertex x initially spans to y if x is a subject and there is a tg-path from x to y with a word in {t→* g→} ∪ {ν}, where ν is the empty word (so x initially spans to itself).

Meaning: x can give a right it possesses to y. On a path x →t→ V1 →t→ V2 →g→ Y, x takes rights along the t edges, finally the g right over Y, and then grants the right to Y.

Page 14: More Definitions and Properties - 4

Definition: a vertex x terminally spans to y if x is a subject and there is a tg-path from x to y with a word in {t→*} ∪ {ν}.

Meaning: x may take any right that y possesses. On a path X →t→ V →t→ Y with Y holding α over W, X takes (t to Y) from V and then takes (α to W) from Y, so X ends up having α on W.

Page 15: More Definitions and Properties - 5

Theorem: can-share(α, x, y, G0) is true iff there is an edge from x to y labeled α in G0, or all of the following hold simultaneously:
1. There is a vertex s ∈ G0 with an s-to-y edge labeled α.
2. There is a subject vertex x' such that x' = x or x' initially spans to x.
3. There is a subject vertex s' such that s' = s or s' terminally spans to s.
4. There are islands I1, …, In such that x' ∈ I1, s' ∈ In, and there is a bridge from Ij to Ij+1 for each j.
See the next slide.

Page 16: Explanation

Either there is an edge from X to Y labeled α, or
1. S holds the α label to Y;
2. S' can take α from S (S' terminally spans to S);
3. X' and S' are connected through a sequence of islands joined by bridges;
4. X' can grant α to X (X' initially spans to X).

Page 17: Safety in the take-grant model

Theorem: there is an algorithm of complexity O(|V| + |E|) that tests the validity of can-share(α, x, y, G0).

By choosing the right kind of rules we can answer questions like "can my computer access my files?"

Page 18: The One-Subject Case

Theorem: let G0 be a graph with one subject and no edges, and R a set of rights. G0 ⊢* G iff G is a finite directed acyclic graph, containing subjects and objects only, with
1. edges labeled with non-empty subsets of R, and
2. at least one subject with no incoming edges.

Proof (⇐): suppose G satisfies 1 and 2. Let subjects(G) = {X1, …, Xn}, with X1 a subject with no incoming edge. Construct G' as follows:

Page 19: Proof

Let V = X1.
1. For 2 ≤ i ≤ n, perform V creates (β ∪ {g} to) new Xi, where β is the union of all labels on edges into Xi in G.
2. For all pairs Xi, Xj in G where Xi has rights over Xj, perform V grants (γ to Xj) to Xi, where γ = {r : r labels Xi→Xj in G}.
3. Perform V removes ((β ∪ {g}) − γ to) Xj, where γ = {r : r labels V→Xj in G}, so that V keeps over Xj exactly the rights it has in G.
The resulting graph is G'.

Page 20: Proof Continued

(⇒) Let V be the initial subject and G0 ⊢* G. Then, by inspection of the rules, G is
  finite,
  loop-free (acyclic),
  directed,
  made of subjects and objects only, and
  labeled with a non-empty set on every edge.
Furthermore, no rule deletes V, so V ∈ G, and no rule allows an incoming edge to V, so V is a subject with no incoming edges.

Page 21: Theft in the T-G Model

To share, the owner has to cooperate. The notion of sharing therefore fails to capture an owner's unwillingness to share.

Stealing happens when the owner does not grant some rights over an object to other subjects, but some subject can get the right indirectly.

Page 22: Stealing in the T-G Model

Definition: let X, Y ∈ G0 and α ⊆ R. can-steal(α, X, Y, G0) is true when
1. there is no α-labeled edge from X to Y in G0, and
2. there is a sequence of graphs G1, …, Gn such that
   a. there is an α-labeled edge from X to Y in Gn;
   b. there is a sequence of rules r1, …, rn where applying ri results in Gi−1 ⊢ Gi;
   c. for all V, W ∈ Gi−1, if there is an α-labeled edge from V to Y, then ri is not of the form "V grants (α to Y) to W".

Thus condition c stops owners of the right from transferring it to others (they may still transfer other rights).

Page 23: An Example of Stealing

can-steal(α, S, W, G0), with G0: U→S labeled g, U→V labeled t, V→U labeled t, U→W labeled α (U is the owner of α over W).

1. U grants (t to V) to S
2. S takes (t to U) from V
3. S takes (α to W) from U

The owner U of the stolen right never grants α to W; it only grants other rights to another subject (t rights over V are granted to S), and that is enough for S to obtain α over W.

This is the reason for MAC (mandatory access control).
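The derivations of page 5 and of this page, replayed mechanically. This is an added example and not part of the slides: a small Python implementation of the protection graph and the four de jure rules, with a checker for the can-steal conditions of page 22. The vertex names and the concrete right r (standing in for α) follow the slides; the two initial graphs are reconstructed from the preconditions the rules impose on each step, and step 5 of page 5 ("v is removed") is read as x and z removing their rights over v, since the de jure rules delete edges rather than vertices.

```python
"""Take-grant protection graph with the four de jure rules, replaying the
derivations of pages 5 and 23.  Added example code, not from the slides."""
from copy import deepcopy


class TakeGrantGraph:
    """Protection state: subjects, objects and labelled edges (src, dst) -> set of rights."""

    def __init__(self, subjects=(), objects=(), edges=()):
        self.subjects, self.objects, self.edges = set(subjects), set(objects), {}
        for src, dst, rights in edges:
            self.add_edge(src, dst, rights)

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def add_edge(self, src, dst, rights):
        known = self.subjects | self.objects
        if src not in known or dst not in known:
            raise ValueError(f"unknown vertex in edge {src}->{dst}")
        self.edges.setdefault((src, dst), set()).update(rights)

    def _actor(self, x):                        # only subjects can apply rules
        if x not in self.subjects:
            raise ValueError(f"{x} is not a subject")

    def _holds(self, src, alpha, dst):          # precondition src --alpha--> dst
        if not set(alpha) <= self.rights(src, dst):
            raise ValueError(f"{src} does not hold {sorted(alpha)} over {dst}")

    def create(self, x, alpha, y, subject=False):   # i.  x creates (alpha to new vertex) y
        self._actor(x)
        if y in self.subjects | self.objects:
            raise ValueError(f"{y} already exists")
        (self.subjects if subject else self.objects).add(y)
        self.add_edge(x, y, alpha)

    def remove(self, x, alpha, y):                  # ii. x removes (alpha to) y
        self._actor(x)
        self._holds(x, alpha, y)
        if (x, y) in self.edges:
            self.edges[(x, y)] -= set(alpha)
            if not self.edges[(x, y)]:              # empty label: the edge goes away
                del self.edges[(x, y)]

    def take(self, x, alpha, z, y):                 # iii. x takes (alpha to z) from y
        self._actor(x)
        self._holds(x, {'t'}, y)
        self._holds(y, alpha, z)
        self.add_edge(x, z, alpha)

    def grant(self, z, alpha, y, x):                # iv. z grants (alpha to y) to x
        self._actor(z)
        self._holds(z, {'g'}, x)
        self._holds(z, alpha, y)
        self.add_edge(x, y, alpha)


def replay(g0, steps):
    """Apply (rule, *args) steps to a copy of g0; return Gn and the states before each step."""
    g, history = deepcopy(g0), []
    for rule, *args in steps:
        history.append(deepcopy(g))
        getattr(g, rule)(*args)                     # raises ValueError if the precondition fails
    return g, history


def rule_allowed(g, step):
    """True iff the single step is applicable in g (g itself is left unchanged)."""
    try:
        replay(g, [step])
        return True
    except ValueError:
        return False


def is_steal_witness(g0, steps, alpha, x, y):
    """Check a derivation against can-steal(alpha, x, y, G0) of page 22: no alpha edge
    x->y in G0 (1), one in Gn (2a), every step applies (2b), and no step is a grant of
    a stolen right to y by a vertex holding alpha over y at that moment (2c)."""
    alpha = set(alpha)
    if alpha & g0.rights(x, y):
        return False
    gn, history = replay(g0, steps)
    if not alpha <= gn.rights(x, y):
        return False
    for before, (rule, *args) in zip(history, steps):
        if rule == 'grant':
            granter, granted, target, _ = args
            if target == y and alpha & set(granted) and alpha <= before.rights(granter, y):
                return False
    return True


# Page 5 (constructed G0): z --t--> x and z --r--> y, r standing in for alpha.
PAGE5_G0 = TakeGrantGraph(subjects={'x', 'z'}, objects={'y'},
                          edges=[('z', 'x', {'t'}), ('z', 'y', {'r'})])
PAGE5_STEPS = [
    ('create', 'x', {'t', 'g'}, 'v'),   # 1. x creates (t, g to new) v
    ('take', 'z', {'g'}, 'v', 'x'),     # 2. z takes (g to v) from x
    ('grant', 'z', {'r'}, 'y', 'v'),    # 3. z grants (r to y) to v
    ('take', 'x', {'r'}, 'y', 'v'),     # 4. x takes (r to y) from v
    ('remove', 'x', {'t', 'g'}, 'v'),   # 5. "v is removed": x and z drop their
    ('remove', 'z', {'g'}, 'v'),        #    edges to v (the rules delete edges)
]

# Page 23 (constructed G0): U owns r over W; U --g--> S, U --t--> V, V --t--> U.
PAGE23_G0 = TakeGrantGraph(subjects={'S', 'U', 'V'}, objects={'W'},
                           edges=[('U', 'S', {'g'}), ('U', 'V', {'t'}),
                                  ('V', 'U', {'t'}), ('U', 'W', {'r'})])
PAGE23_STEPS = [
    ('grant', 'U', {'t'}, 'V', 'S'),    # U grants (t to V) to S
    ('take', 'S', {'t'}, 'U', 'V'),     # S takes (t to U) from V
    ('take', 'S', {'r'}, 'W', 'U'),     # S takes (r to W) from U
]


def page5_result():
    return replay(PAGE5_G0, PAGE5_STEPS)[0]


def page23_is_theft():
    return is_steal_witness(PAGE23_G0, PAGE23_STEPS, {'r'}, 'S', 'W')


if __name__ == '__main__':
    print("page 5 final edges:", sorted(page5_result().edges.items()))
    print("page 23 can-steal(r, S, W, G0) witnessed:", page23_is_theft())
```

Each rule checks its own precondition and raises when it is not met, so a derivation the model does not permit fails instead of silently succeeding. is_steal_witness accepts the page 23 sequence, and rejects a sequence in which U grants r over W to S directly, which is exactly what condition c of page 22 rules out.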

Page 24: Characterizing can-steal

Theorem: can-steal(α, X, Y, G0) is true iff
1. there is no α-labeled edge from X to Y in G0;
2. there is a subject vertex X' with X' = X or X' initially spanning to X;
3. there is a vertex S ∈ G0 with an α-labeled edge to Y; and
4. can-share(t, X', S, G0).

Observation: to steal, there must be a tg-path through which the thief X (or a subject X' that initially spans to X) can share the t right over the owner S.

Page 25: Proof (⇐)

If X is a subject: X obtains t rights over S (can-share(t, X, S, G0)) and uses the take rule to obtain α to Y from S, satisfying can-steal(α, X, Y, G0).

If X is an object:
1. By the theorem on can-share, there is a subject vertex X' that initially spans to X with can-share(t, X', S, G0) true.
2. Assume the span has length 1 and that X' has t rights over S in G0.
3. If X' does not have an edge labeled α to Y, X' takes α rights to Y from S and grants them to X, satisfying the definition.
4. If it does, X' may not grant α to Y (condition c), so X' creates a surrogate X'' and provides t rights over S to it:
   a. X' creates (g to new subject) X''
   b. X' grants (t to S) to X''
   c. X' grants (g to X) to X''
   Now X'' has t rights over S and g rights over X, so apply
   1. X'' takes (α to Y) from S
   2. X'' grants (α to Y) to X
Here X is an object and X', X'' are subjects.

Page 26: Proof (⇒)

Assume can-steal(α, x, y, G0). Then condition 1 holds by the definition of can-steal. The stealing sequence also witnesses can-share(α, x, y, G0), so the can-share theorem applies: its condition on x' implies condition 2 of this theorem, and its condition on s implies that s satisfies condition 3 of this theorem.

It remains to prove can-share(t, x', s, G0). Consider a minimal-length sequence of rule applications transforming G0 to Gn, with Gi−1 ⊢ri Gi, such that there is an edge labeled α from some vertex p to y in Gi but not in Gi−1. Then Gi is the first graph in which an α edge to y is added.

Page 27: Proof continued -- 2

So ri is neither a remove nor a create rule (remove only deletes labels, and create adds edges only to a new vertex). By condition c of can-steal, all vertices with α rights to y in Gi−1 are already in G0, and ri is not a grant rule (a grant of α to y would have to come from a holder of α to y, which condition c forbids). Hence ri is a take rule of the form

  p takes (α to y) from s, which requires an edge p→s labeled t and an edge s→y labeled α in Gi−1.

Hence can-share(t, p, s, G0) holds. By condition 3 of the can-share theorem, there is a subject s' such that s' terminally spans to s or s' = s. By condition 4 of the can-share theorem, there are islands I1, …, In satisfying x' ∈ I1 and s' ∈ In.

Page 28: Proof continued -- 3

If s is an object (hence s ≠ s'): two cases.
1. s' and p are in the same island: take p as s'.
2. Otherwise the derivation is not of minimal length (why?), so choose s' in the same island for a shorter proof.
The conditions of the can-share theorem are met, so can-share(t, x', s, G0).

Page 29: Proof continued -- 4

If s is a subject (i.e. s = s'): then p ∈ In, and we must show p ∈ G0 for the can-share theorem to apply.

If p ∉ G0: there is a subject q in some island with can-share(t, q, s, G0). Because s is the owner of α rights over y in G0, we must derive a witness for this sharing in which s does not grant (α to y). If s ≠ q, replace "s grants (α to y) to q" with
  p takes (α to y) from s
  p takes (g to q) from s
  p grants (α to y) to q
So there is a witness to can-share(t, q, s, G0) without s granting (α to y).

Page 30: Conspiracy in the TG-Model

Many actors may be required to steal in the TG model. Any subject Y can
  take rights from any X that Y terminally spans to, and
  give rights to any X that Y initially spans to.

Definition: the access set with focus Y is A(Y) = {all vertices X that Y terminally spans to} ∪ {all vertices X that Y initially spans to}.

The entities from whom one can get rights and the entities to whom one can give rights form one's access set with focus.

Page 31: The Deletion Set

Definition: the deletion set δ(Y, Y') is the set of all z ∈ A(Y) ∩ A(Y') satisfying one of
  Y initially spans to z and Y' terminally spans to z;
  Y terminally spans to z and Y' initially spans to z;
  z = Y;
  z = Y'.
It represents the vertices through which rights can be transferred between Y and Y'.

Page 32: An Example Deletion Set

[Figure: the example protection graph. Top row of vertices x, a, b, c, d, e, z with edge labels t, g, g, t, g, r; bottom row y, f, h, i, j (and q) with edge labels t, g, g, g, t. Edge directions are not recoverable from the slide text.]

A(x) = {x, a}, A(e) = {e, d, i, j}, A(b) = {b, a}, A(y) = {y}, A(c) = {c, b, d}, A(f) = {f, y}, A(d) = {d}, A(h) = {h, f, i}.
z is not in A(e) because e neither terminally nor initially spans to z along the path e–z.

δ(x, b) = {a}, δ(c, d) = {d}, δ(y, f) = {y}, δ(b, c) = {b}, δ(d, e) = {d}, δ(c, e) = {d}.

Page 33: Creating Conspiracy Graphs

Procedure: the conspiracy graph H of G0 is built to satisfy the following conditions.
A. For each subject s ∈ G0 there is a vertex h(s) ∈ H with the same label.
B. If δ(Y, Y') ≠ ∅ in G0, there is an edge between h(Y) and h(Y') in H.

Conspiracy graphs represent paths of transfer. H is undirected because rights can be transferred in either direction along such a path.

Page 34: An Example Conspiracy Graph

Using the access sets and deletion sets computed on page 32, H has one vertex per subject, h(x), h(b), h(c), h(d), h(e), h(y), h(f), h(h), and an edge for every non-empty deletion set: h(x)–h(b), h(b)–h(c), h(c)–h(d), h(d)–h(e), h(c)–h(e), h(y)–h(f).

Page 35: Two Theorems on Conspirators

Theorem 1: can-share(α, X, Y, G0) is true iff there is a path from some h(p) ∈ I(X) to some h(q) ∈ T(Y), where
  I(X) = {h(X)} ∪ {h(X') : X' initially spans to X}
  T(Y) = {h(Y)} ∪ {h(Y') : Y' terminally spans to Y}.

Theorem 2: let L be the number of vertices on the shortest path between h(p) and h(q). Then L conspirators are necessary to produce a witness to can-share(α, X, Y, G0).

Page 36: Back to the Example

The shortest path between h(x) and h(e) has 4 vertices, ⟨h(x), h(b), h(c), h(e)⟩, so 4 conspirators are necessary and sufficient to witness can-share(r, x, y, G0).

How does it work?
1. e grants (r to y) to d
2. c takes (r to y) from d
3. c grants (r to y) to b
4. b grants (r to y) to a
5. x takes (r to y) from a

The four subjects that act are e, c, b and x; d and a only hold the right in passing.
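The access sets, deletion sets and conspiracy graph of pages 30 to 36 computed in code, as an added example that is not from the slides. The protection graph is constructed here from the derivation on this page only: x→a (t), b→a (g), c→b (g), c→d (t), e→d (g), e→y (r), f→y (g), with a an object and the rest subjects. The slide's vertices h, i, j, z and q are left out because their edges cannot be recovered from the extracted text, so A(e) comes out as {e, d} rather than {e, d, i, j}; every other access set and deletion set listed on page 32 is reproduced. The endpoints of the conspirator count are h(x) and h(e), e being the holder of r over y, as in the page's own count.

```python
"""Access sets, deletion sets and conspiracy graph of a take-grant
protection graph.  Added example code, not from the slides."""
from collections import deque

# Constructed G0: the part of the deck's example that the page 36 derivation
# pins down.  Subjects: x, b, c, d, e, y, f; object: a.  The slide's vertices
# h, i, j, z and q are omitted because their edges are not recoverable.
SUBJECTS = {'x', 'b', 'c', 'd', 'e', 'y', 'f'}
EDGES = {                                   # (src, dst) -> label
    ('x', 'a'): {'t'}, ('b', 'a'): {'g'}, ('c', 'b'): {'g'}, ('c', 'd'): {'t'},
    ('e', 'd'): {'g'}, ('e', 'y'): {'r'}, ('f', 'y'): {'g'},
}


def t_paths(edges, x):
    """Shortest path along outgoing t edges from x to each vertex it reaches.
    The paths are simple, so each is a tg-path with word in t->*; x maps to (x,)."""
    paths, todo = {x: (x,)}, deque([x])
    while todo:
        u = todo.popleft()
        for (s, d), label in edges.items():
            if s == u and 't' in label and d not in paths:
                paths[d] = paths[u] + (d,)
                todo.append(d)
    return paths


def terminal_span(edges, x):
    """Vertices y such that x terminally spans to y (word in t->* or empty, page 14)."""
    return set(t_paths(edges, x))


def initial_span(edges, x):
    """Vertices y such that x initially spans to y (word in t->* g-> or empty, page 13)."""
    out = {x}
    for u, path in t_paths(edges, x).items():
        for (s, d), label in edges.items():
            if s == u and 'g' in label and d not in path:   # vertices must stay distinct
                out.add(d)
    return out


def access_set(edges, y):
    """A(y): everything y can take from plus everything y can give to (page 30)."""
    return terminal_span(edges, y) | initial_span(edges, y)


def deletion_set(edges, y1, y2):
    """delta(y1, y2) as defined on page 31."""
    t1, i1 = terminal_span(edges, y1), initial_span(edges, y1)
    t2, i2 = terminal_span(edges, y2), initial_span(edges, y2)
    return {z for z in (t1 | i1) & (t2 | i2)
            if z in (y1, y2) or (z in i1 and z in t2) or (z in t1 and z in i2)}


def conspiracy_graph(edges, subjects):
    """H: a vertex h(s) per subject and an undirected edge h(y)-h(y') iff delta(y, y')
    is non-empty (page 33).  Returned as an adjacency dict keyed by subject name."""
    h = {s: set() for s in subjects}
    subs = sorted(subjects)
    for i, y1 in enumerate(subs):
        for y2 in subs[i + 1:]:
            if deletion_set(edges, y1, y2):
                h[y1].add(y2)
                h[y2].add(y1)
    return h


def conspirators(h, p, q):
    """Vertices of a shortest path h(p)..h(q) in H, i.e. the conspirators a witness
    needs (page 35, Theorem 2); None if no path exists."""
    parent, todo = {p: None}, deque([p])
    while todo:
        u = todo.popleft()
        if u == q:
            path = []
            while u is not None:
                path.append(u)
                u = parent[u]
            return path[::-1]
        for w in sorted(h[u]):
            if w not in parent:
                parent[w] = u
                todo.append(w)
    return None


if __name__ == '__main__':
    for s in sorted(SUBJECTS):
        print(f"A({s}) = {sorted(access_set(EDGES, s))}")
    H = conspiracy_graph(EDGES, SUBJECTS)
    print("shortest path h(x)..h(e):", conspirators(H, 'x', 'e'))
```

The span functions use breadth-first search over t edges, so they run in time linear in the graph, and the deletion-set test is a direct transcription of the four cases on page 31. The shortest path from h(x) to h(e) is x, b, c, e, four vertices, matching the count above; there is no path from h(x) to h(y), so no sequence of rule applications gives x a right that only y holds.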