The Take-Grant Protection Model
Can safety be guaranteed for a specific system? Yes, for a specific collection of commands, called the take-grant protection model. It is a graph model where subjects, objects, and vertices that may be either are each drawn with their own vertex symbol.
Labeled edges represent the rights of the source vertex over the destination vertex. The labels are taken from a set R of rights with two special members: t (take) and g (grant).
Graph-rewrite rules are used to derive permissions from R.
De jure rules - i
i. X creates (α to new vertex) Y: a new vertex Y is added together with an edge from X to Y labeled α.
ii. X removes (α to) Y: α is deleted from the label of the edge from X to Y; if the label is then empty, the edge is removed.
De jure rules - ii
iii. X takes (α to Z) from Y: if X has an edge to Y labeled t and Y has an edge to Z labeled α, an edge from X to Z labeled α is added.
iv. Z grants (α to Y) to X: if Z has an edge to X labeled g and Z has an edge to Y labeled α, an edge from X to Y labeled α is added.
(Figure: the two rules drawn on vertices X, Y, Z, with the derived α edge shown to the right of ⊢.)
Protection State
Protection state = the graph; a state transition = rewriting the graph. Example (G0 ⊢* Gn):
1. x creates (t, g to new) v
2. z takes (g to v) from x
3. z grants (α to y) to v
4. x takes (α to y) from v
5. v is removed
(Figure: the intermediate graphs, with x holding t, g over the new vertex v.)
Sharing of Rights
Definition: the predicate can-share(α, x, y, G0) is true for a set of rights α and two vertices x, y iff there is a sequence of graphs G1, …, Gn such that G0 ⊢* Gn using the four de jure rules, and there is an α-labeled edge from x to y in Gn.
Definition: a tg-path is a sequence v0, …, vn of distinct vertices where every vi is connected to vi+1, in either direction, by an edge labeled t or g.
Definition: vertices are tg-connected if there is a tg-path between them.
(Figure: G0 ⊢* Gn with an α-labeled edge from x to y in Gn, i.e. can-share(α, x, y, G0).)
Lemma: sharing
Statement: any two subjects joined by a tg-path of length 1 can share some rights.
Proof: the take and grant rules cover two of the four cases (edge direction and label). The following lemmas cover the other two.
Lemma 3-1: let X and Z be subjects, with an edge from Z to X labeled t and an edge from Z to Y labeled α. Then X can obtain α over Y: Z −t→ X, Z −α→ Y ⊢* X −α→ Y.
(Figure: the lemma's graphs before and after ⊢*.)
Proof of Claim 3-1
Step 1: X creates (tg to new vertex) V
Step 2: Z takes (g to V) from X
Step 3: Z grants (α to Y) to V
Step 4: X takes (α to Y) from V
(Figure: the graphs after each step: X −t,g→ V; then Z −g→ V; then V −α→ Y; finally X −α→ Y.)
Lemma 3-2
Let X and Z be subjects, with an edge from X to Z labeled g and an edge from Z to Y labeled α. Then X can obtain α over Y: X −g→ Z, Z −α→ Y ⊢* X −α→ Y.
Observation: the take and grant rules are symmetric if the vertices on the tg-path between X and Y are subjects.
More definitions and properties - 1
Definition: an island is a maximal tg-connected subject-only subgraph.
Lemma: a right possessed by any vertex in an island can be shared with any other vertex in the island.
Transferring rights between islands: a subject in one island must be able to take the right from a subject in another island.
Notation: t→, t←, g→, g← are the four basic symbols used to describe a path (the arrow gives the edge direction relative to the direction of travel). A path's word is built from these symbols using concatenation and *.
(Figure: example tg-paths written as words.)
More definitions and properties - 2
Definition: a bridge is a tg-path between two subject endpoints, associated with the path's word.
Observation: rights can be transferred from one endpoint of a bridge to the other.
Theorem: subject-can-share(α, x, y, G0) is true iff x and y are subjects and either there is an α-labeled edge from x to y, or both of the following hold: there is a subject s ∈ G0 with an edge from s to y labeled α, and there are islands I1, …, In such that x ∈ I1, s ∈ In, and there is a bridge from Ij to Ij+1 for each j.
Observation: because objects cannot act, the transfer of a right may begin or end with an object.
More Definitions and Properties - 3
Observation: only subjects can act, so a transfer begins with a right possessed by an object and ends with that right given to another object!
Definition: a vertex x initially spans to y if x is a subject and there is a tg-path from x to y with a word in {t→* g→} ∪ {ν}.
This means X grants a right it possesses to Y.
(Figure: X −t→ … −t→ V −g→ Y.)
More Definitions and Properties - 4
Definition: a vertex x terminally spans to y if x is a subject and there is a tg-path between x and y with a word in {t→*} ∪ {ν}.
This means X may take any right that Y possesses.
(Figure: X −t→ … −t→ Y, Y −α→ W; X ends up having α on W.)
More Definitions and Properties - 5
Theorem: can-share(α, x, y, G0) is true iff there is an edge from x to y in G0 labeled α, or the following hold simultaneously:
1. There is a vertex s ∈ G0 with an edge from s to y labeled α.
2. There is a subject vertex x' such that x = x' or x' initially spans to x.
3. There is a subject vertex s' such that s' = s or s' terminally spans to s.
4. There are islands I1, …, In such that x' ∈ I1, s' ∈ In, and there is a bridge from Ij to Ij+1.
See next slide.
Explanation
Either there is an edge from X to Y, or:
1. S holds α over Y.
2. S' can take α from S.
3. X' and S' are connected through a sequence of islands.
4. X' can grant α to X.
(Figure: S −α→ Y; S' terminally spans to S; X' initially spans to X.)
Safety in the take-grant model
Theorem: there is an algorithm of complexity O(|V| + |E|) to test the validity of can-share(α, x, y, G0).
By choosing the right kind of rules we can answer questions like: can my computer access my files?
The One-Subject Case
Theorem: let G0 be a graph with one subject and no edges, and R a set of rights. G0 ⊢* G iff G is a finite directed acyclic graph containing subjects and objects only, with
1. edges labeled with non-empty subsets of R, and
2. at least one subject with no incoming edges.
Proof: (⇐) Suppose G satisfies 1 and 2. Let subjects(G) = {x1, …, xn}, with x1 having no incoming edge. Construct G' as follows:
Proof
Let V = x1.
1. For 2 ≤ i ≤ n, perform V creates (the union of all labels on edges into xi in G, together with g, to) new xi.
2. For all pairs xi, xj in G where xi has rights over xj, perform V grants (those rights to xj) to xi.
3. Perform V removes from its edge to xj every right of the created label set that is not in {r : r labels xi → xj in G}.
The resulting graph is G'.
(Figure: the three steps drawn on V, xi, xj.)
Proof Continued
(⇒) Let V be the initial subject and G0 ⊢* G. Then, by inspection of the rules, G is finite, loop-free, directed, consists of subjects and objects only, and all its edges have non-empty labels.
Furthermore, no rule deletes V, so V ∈ G, and no rule allows incoming edges to V.
Theft in the T-G Model
To share, the owner has to cooperate. The notion of sharing fails to capture an owner's unwillingness to share.
Stealing happens when the owner does not grant some rights over an object to other subjects, but some subjects can get the right indirectly!
Stealing in the T-G Model
Definition: let X, Y ∈ G0 and α ⊆ R. can-steal(α, X, Y, G0) is true when
1. there is no α-labeled edge from X to Y in G0, and
2. there is a sequence of graphs G1, …, Gn such that
a. there is an α-labeled edge from X to Y in Gn,
b. there is a sequence of rules r1, …, rn where applying ri results in Gi−1 ⊢ Gi, and
c. for all V, W ∈ Gi−1, if there is an α-labeled edge from V to Y, then ri is not of the form "V grants (α to Y) to W".
Thus condition c stops owners from transferring the right to others (they could still transfer other rights).
An Example of Stealing
can-steal(α, S, W, G0): U, the owner of α over W, grants (t to V) to S.
1. U grants (t to V) to S
2. S takes (t to U) from V
3. S takes (α to W) from U
The owner U of the stolen rights grants other rights to another subject (t rights over V are granted to S).
This is the reason for MAC.
(Figure: U −g→ S, U −t→ V, V −t→ U, U −α→ W.)
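As an added worked example (not part of the slides), the following Python replays the derivations the deck sketches with a small rewriting engine: the four de jure rules with their preconditions, the Lemma 3-1 witness and its mirror image Lemma 3-2, and the theft sequence above. The class, its method names, the snapshot of G0 used to check condition (c) of can-steal, and the spelling of α as ALPHA are this example's own assumptions; the vertex names and rule sequences are the deck's.

```python
"""Take-grant protection graph with the four de jure rules (added example)."""
from collections import defaultdict

ALPHA = "a"   # the right being shared or stolen (the slides' alpha); an assumption


class TakeGrantGraph:
    """Protection state: subjects, objects and edges (src, dst) -> set of rights."""

    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.rights = defaultdict(set)
        self.g0 = None      # snapshot of the edges before the first rule fires
        self.log = []       # rule applications, checked by owner_granted()

    def add_vertex(self, name, subject):
        (self.subjects if subject else self.objects).add(name)

    def add_edge(self, src, dst, rights):
        self.rights[(src, dst)] |= set(rights)

    def has(self, src, dst, rights):
        return set(rights) <= self.rights.get((src, dst), set())

    def _actor(self, x):
        # Only subjects can act; objects merely carry rights.
        if x not in self.subjects:
            raise ValueError(f"{x} is not a subject and cannot apply a rule")
        if self.g0 is None:
            self.g0 = {e: set(r) for e, r in self.rights.items()}

    def create(self, x, rights, new, subject=False):
        """Rule i: x creates (rights to new vertex) new."""
        self._actor(x)
        if new in self.subjects or new in self.objects:
            raise ValueError(f"{new} already exists")
        self.add_vertex(new, subject)
        self.add_edge(x, new, rights)
        self.log.append(("create", x, set(rights), new, None))

    def remove(self, x, rights, y):
        """Rule ii: x removes (rights to) y; an edge whose label empties disappears."""
        self._actor(x)
        if (x, y) in self.rights:
            self.rights[(x, y)] -= set(rights)
            if not self.rights[(x, y)]:
                del self.rights[(x, y)]
        self.log.append(("remove", x, set(rights), y, None))

    def take(self, x, rights, z, y):
        """Rule iii: x takes (rights to z) from y; needs x -t-> y and y -rights-> z."""
        self._actor(x)
        if not self.has(x, y, "t"):
            raise ValueError(f"{x} has no t right over {y}")
        if not self.has(y, z, rights):
            raise ValueError(f"{y} lacks {sorted(rights)} over {z}")
        self.add_edge(x, z, rights)
        self.log.append(("take", x, set(rights), z, y))

    def grant(self, z, rights, y, x):
        """Rule iv: z grants (rights to y) to x; needs z -g-> x and z -rights-> y."""
        self._actor(z)
        if not self.has(z, x, "g"):
            raise ValueError(f"{z} has no g right over {x}")
        if not self.has(z, y, rights):
            raise ValueError(f"{z} lacks {sorted(rights)} over {y}")
        self.add_edge(x, y, rights)
        self.log.append(("grant", z, set(rights), y, x))

    def owner_granted(self, right, y):
        """Condition (c) of can-steal: did a holder of `right` over y in G0 grant it to y?"""
        owners = {u for (u, w), rs in (self.g0 or {}).items() if w == y and right in rs}
        return any(op == "grant" and z in owners and right in rs and tgt == y
                   for op, z, rs, tgt, _ in self.log)


def lemma_3_1_witness():
    """Z -t-> X, Z -alpha-> Y, X and Z subjects  |-*  X -alpha-> Y (Proof of Claim 3-1)."""
    g = TakeGrantGraph()
    for name, is_subject in (("X", True), ("Z", True), ("Y", False)):
        g.add_vertex(name, is_subject)
    g.add_edge("Z", "X", "t")
    g.add_edge("Z", "Y", ALPHA)
    g.create("X", "tg", "V")          # step 1: X creates (tg to new vertex) V
    g.take("Z", "g", "V", "X")        # step 2: Z takes (g to V) from X
    g.grant("Z", ALPHA, "Y", "V")     # step 3: Z grants (alpha to Y) to V
    g.take("X", ALPHA, "Y", "V")      # step 4: X takes (alpha to Y) from V
    # Shared, but the owner Z granted alpha away in step 3: sharing, not theft.
    return g.has("X", "Y", ALPHA), g.owner_granted(ALPHA, "Y")


def lemma_3_2_witness():
    """X -g-> Z, Z -alpha-> Y, X and Z subjects  |-*  X -alpha-> Y (the symmetric case)."""
    g = TakeGrantGraph()
    for name, is_subject in (("X", True), ("Z", True), ("Y", False)):
        g.add_vertex(name, is_subject)
    g.add_edge("X", "Z", "g")
    g.add_edge("Z", "Y", ALPHA)
    g.create("X", "tg", "V")          # X creates (tg to new vertex) V
    g.grant("X", "g", "V", "Z")       # X grants (g to V) to Z
    g.grant("Z", ALPHA, "Y", "V")     # Z grants (alpha to Y) to V
    g.take("X", ALPHA, "Y", "V")      # X takes (alpha to Y) from V
    return g.has("X", "Y", ALPHA), g.owner_granted(ALPHA, "Y")


def theft_example():
    """Slide 'An Example of Stealing': U -g-> S, U -t-> V, V -t-> U, U -alpha-> W."""
    g = TakeGrantGraph()
    for name, is_subject in (("S", True), ("U", True), ("V", False), ("W", False)):
        g.add_vertex(name, is_subject)
    for src, dst, rights in (("U", "S", "g"), ("U", "V", "t"), ("V", "U", "t"), ("U", "W", ALPHA)):
        g.add_edge(src, dst, rights)
    g.grant("U", "t", "V", "S")       # U grants (t to V) to S: the owner hands out t only
    g.take("S", "t", "U", "V")        # S takes (t to U) from V
    g.take("S", ALPHA, "W", "U")      # S takes (alpha to W) from U
    # S holds alpha over W although U never granted alpha: can-steal holds.
    return g.has("S", "W", ALPHA), g.owner_granted(ALPHA, "W")


if __name__ == "__main__":
    print("Lemma 3-1 (shared, owner granted alpha):", lemma_3_1_witness())
    print("Lemma 3-2 (shared, owner granted alpha):", lemma_3_2_witness())
    print("Theft     (shared, owner granted alpha):", theft_example())
```

Running it prints three (shared, owner granted α) pairs: both lemmas yield (True, True), because the owner Z grants α away on the way to X, while the theft example yields (True, False), U having granted only t. That difference is exactly what condition (c) of can-steal tests, which is why every rule application is logged and compared against the α-holders recorded in the G0 snapshot.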
Characterizing can-steal
Theorem: can-steal(α, X, Y, G0) is true iff
1. there is no α-labeled edge from X to Y in G0,
2. there is a subject vertex X' with X' = X or X' initially spanning to X, and
3. there is a vertex S ∈ G0 with an α-labeled edge to Y in G0 such that can-share(t, X', S, G0) holds.
Observation: to steal, there must be a tg-path through which the thief can share!
(Figure: the thief X, X' initially spanning to X, can-share(t, X', S, G0), and S's α edge to Y.)
Proof
(⇐) If X is a subject: X needs to obtain t rights over S and then uses the take rule to obtain α, satisfying can-steal(α, X, Y, G0).
If X is an object:
1. By the theorem on can-share, there is a subject vertex X' that initially tg-spans to X with can-share(t, X', S, G0) true.
2. Assume the tg-span has length 1, and that X' has t rights over S in G0.
3. If X' does not have an edge labeled α to Y, X' takes α rights to Y and grants them to X, satisfying the definition.
4. If it does, X' creates a surrogate X'' and provides t rights over S to it:
a. X' creates (g to new subject) X''
b. X' grants (t to S) to X''
c. X' grants (g to X) to X''
Now X'' has t rights over S and g rights over X. So apply:
1. X'' takes (α to Y) from S
2. X'' grants (α to Y) to X
(Figure: X object, X' subject, X'' subject, S subject; the edges X' −g→ X'', X'' −t→ S, X'' −g→ X.)
Proof
(⇒) Assume can-steal(α, x, y, G0). Then condition 1 holds from the definition of can-steal.
Condition 2 of the can-share theorem implies condition 2 of this theorem.
Condition 3 of the can-share theorem implies that S satisfies condition 3 of this theorem.
It remains to prove can-share(t, x, s, G0). Consider a minimal-length sequence of rule applications transforming G0 to Gn, with Gi−1 ⊢ Gi by rule ri, such that there is an edge labeled α from some vertex P to Y in Gi but not in Gi−1.
Then Gi is the first graph where an α edge to Y is added.
Proof continued - 2
So ri is neither a remove nor a create rule. By condition 3 of can-steal, all vertices with α rights to Y in Gi are in G0, so ri is not a grant rule. Hence it is a take rule of the form:
P takes (α to Y) from S, where P −t→ S and S −α→ Y in Gi−1, yielding P −α→ Y in Gi.
Hence can-share(t, p, s, G0) holds.
By condition (c) of the can-share theorem, there is a subject S' such that either S' terminally spans to S or S' = S.
By condition (d) of the can-share theorem, there are islands I1, …, In satisfying x' ∈ I1 and S' ∈ In.
Proof continued - 3
If S is an object (hence S ≠ S'): two cases.
1. S' and P are in the same island: take P as S'.
2. If not: the derivation is not of minimal length (why?). Choose S' in the same island to obtain a shorter proof.
The conditions of the can-share theorem are met, so can-share(t, x, s, G0).
Proof continued - 4
If S is a subject (i.e. S = S'): then P ∈ In, and we must show P ∈ G0 for the can-share theorem to apply.
If P ∉ G0: there is a subject Q in some island with can-share(t, Q, S, G0). Because S is the owner of α rights over Y in G0, we must derive a witness for this sharing in which S does not grant (α to Y) to Q.
If S ≠ Q: replace "S grants (α to Y) to Q" with
P takes (α to Y) from S
P takes (g to Y) from S
P grants (α to Y) to Q
So there is a witness to can-share(t, Q, S, G0) without S granting (α to Y).
Conspiracy in the TG-Model
Many actors may be required to steal in the TG-model. Any subject Y can take rights from any X that Y terminally spans to, and give rights to any X that Y initially spans to.
Definition: the access set with focus Y is A(Y) = {all nodes X that Y terminally spans to} ∪ {all nodes X that Y initially spans to}.
The entities from whom one can get rights and the entities to whom one can give rights form one's access set with focus.
(Figure: Y terminally spans to X and initially spans to Y'; rights are transferred along both spans.)
The Deletion Set
Definition: the deletion set of (Y, Y') is the set of all z ∈ A(Y) ∩ A(Y') satisfying one of:
Y initially spans to z and Y' terminally spans to z;
Y terminally spans to z and Y' initially spans to z;
z = Y;
z = Y'.
It represents the nodes through which permissions can be transferred between Y and Y'.
(Figure: Y terminally spans to Z and Y' initially spans to Z; rights are transferred through Z.)
An Example Deletion Set
A(x) = {x, a}, A(e) = {e, d, i, j}, A(b) = {b, a}, A(y) = {y}, A(c) = {c, b, d}, A(f) = {f, y}, A(d) = {d}, A(h) = {h, f, i}.
z is not in A(e) because along the path e–z, e neither terminally nor initially spans to z.
Deletion sets: (x, b) = {a}, (c, d) = {d}, (y, f) = {y}, (b, c) = {b}, (d, e) = {d}, (c, e) = {d}.
(Figure: the example graph: a chain x, a, b, c, d, e, z with edge labels t, g, g, t, g, r; a second row y, f, h, i, j with edge labels t, g, g, g, t; and a vertex q.)
Creating Conspiracy Graphs
Procedure: the conspiracy graph H of G0 is created to satisfy the following conditions:
A. for each subject s ∈ G0, there is h(s) ∈ H with the same label;
B. if the deletion set of (Y, Y') ≠ ∅ in G0, there is a line between h(Y) and h(Y') in H.
Conspiracy graphs represent paths of transfer. They are undirected because rights can be transferred in either direction.
An Example Conspiracy Graph
Using the access sets and deletion sets computed on the previous slide:
(Figure: the example graph as before, and its conspiracy graph H with vertices h(x), h(b), h(c), h(d), h(e), h(y), h(f), h(h).)
Two Theorems on Conspirators
Theorem 1: can-share(α, X, Y, G0) iff there is a path from some h(p) ∈ I(X) to some h(q) ∈ T(Y), where I(X) = {h(X)} ∪ {h(X') : X' initially spans to X} and T(Y) = {h(Y)} ∪ {h(Y') : Y' terminally spans to Y}.
Theorem 2: let L be the number of vertices on the shortest path between h(p) and h(q). Then L conspirators are necessary to produce a witness to can-share(α, X, Y, G0).
Back to the Example
The shortest path between h(e) and h(x) has 4 vertices, <h(x), h(b), h(c), h(e)>, so 4 conspirators are necessary and sufficient to witness can-share(r, x, y, G0).
How does it work?
1. e grants (r to y) to d
2. c takes (r to y) from d
3. c grants (r to y) to b
4. b grants (r to y) to a
5. x takes (r to y) from a
(Figure: the conspiracy graph H with vertices h(x), h(b), h(c), h(d), h(e), h(y), h(f), h(h).)
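As an added example (not part of the slides), the following Python computes the notions defined in the second half of the deck: terminal and initial spans, islands, the access set A(Y), the deletion set of (Y, Y'), the conspiracy graph H, and the conspirator count of Theorem 2 as a shortest path in H. The protection graph G0 is constructed here to be consistent with the witness steps on the last slide (x −t→ a, b −g→ a, c −g→ b, c −t→ d, e −g→ d, e −r→ y); the deck's second row (y, f, h, i, j, q) is not reconstructed, and all function names are this example's own.

```python
"""Spans, islands, access sets, deletion sets and the conspiracy graph (added example)."""
from collections import deque

SUBJECTS = {"x", "b", "c", "e"}
EDGES = {                      # constructed G0 matching the last slide's witness
    ("x", "a"): {"t"}, ("b", "a"): {"g"}, ("c", "b"): {"g"},
    ("c", "d"): {"t"}, ("e", "d"): {"g"}, ("e", "y"): {"r"},
}


def successors(edges, v, label):
    """Vertices w with an edge v -label-> w."""
    return {w for (u, w), rs in edges.items() if u == v and label in rs}


def terminal_span(edges, x):
    """Vertices x terminally spans to: paths from x with word t->* (x itself for the empty word)."""
    seen, stack = {x}, [x]
    while stack:
        v = stack.pop()
        for w in successors(edges, v, "t") - seen:
            seen.add(w)
            stack.append(w)
    return seen


def initial_span(edges, x):
    """Vertices x initially spans to: word t->* g-> (or the empty word)."""
    return {x} | {w for v in terminal_span(edges, x) for w in successors(edges, v, "g")}


def islands(subjects, edges):
    """Maximal tg-connected subject-only subgraphs (t or g edges between subjects, either way)."""
    comp = {s: {s} for s in subjects}
    for (u, w), rs in edges.items():
        if u in subjects and w in subjects and rs & {"t", "g"}:
            merged = comp[u] | comp[w]
            for s in merged:
                comp[s] = merged
    return {frozenset(c) for c in comp.values()}


def access_set(subjects, edges, y):
    """A(y): everything a subject y can take a right from or give a right to."""
    if y not in subjects:
        raise ValueError(f"{y} is not a subject, so it spans nothing")
    return terminal_span(edges, y) | initial_span(edges, y)


def deletion_set(subjects, edges, y, y2):
    """Vertices in A(y) & A(y2) through which y and y2 can pass a right to each other."""
    ts, is_ = terminal_span(edges, y), initial_span(edges, y)
    ts2, is2 = terminal_span(edges, y2), initial_span(edges, y2)
    return {z for z in (ts | is_) & (ts2 | is2)
            if (z in is_ and z in ts2) or (z in ts and z in is2) or z in (y, y2)}


def conspiracy_graph(subjects, edges):
    """H: one vertex h(s) per subject; a line wherever the deletion set is non-empty."""
    h = {s: set() for s in subjects}
    for y in subjects:
        for y2 in subjects:
            if y < y2 and deletion_set(subjects, edges, y, y2):
                h[y].add(y2)
                h[y2].add(y)
    return h


def conspirators(h, p, q):
    """Vertices on a shortest path h(p)..h(q) in H, i.e. the conspirators Theorem 2 requires."""
    dist, queue = {p: 1}, deque([p])
    while queue:
        v = queue.popleft()
        if v == q:
            return dist[v]
        for w in h[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
    return None     # no path in H: no witness between these foci


if __name__ == "__main__":
    print("islands:", [sorted(i) for i in islands(SUBJECTS, EDGES)])
    for s in sorted(SUBJECTS):
        print(f"A({s}) =", sorted(access_set(SUBJECTS, EDGES, s)))
    H = conspiracy_graph(SUBJECTS, EDGES)
    print("H:", {k: sorted(v) for k, v in H.items()})
    print("conspirators for h(x)..h(e):", conspirators(H, "x", "e"))
```

On this graph the access sets A(x) = {x, a}, A(b) = {b, a}, A(c) = {c, b, d} and the deletion sets (x, b) = {a}, (b, c) = {b}, (c, e) = {d} come out as on the slides, so H is the path h(x), h(b), h(c), h(e) and the conspirator count is 4, matching the five-step witness above (b and c each act twice, as a single conspirator).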