Pitt IS 2935 - LECTURE NOTES

This preview shows page 1-2-3-27-28-29 out of 29 pages.


INFSCI 2935: Introduction to Computer Security
Lecture 4: SPM, Security Policies, Confidentiality and Integrity Policies
September 23, 2004
Courtesy of Professors Chris Clifton & Matt Bishop

Schematic Protection Model
- Key idea is to use the notion of a protection type
  - Label that determines how control rights affect an entity
  - Take-Grant: subject and object are different protection types
  - TS and TO represent subject type set and object set
  - τ(X) is the type of entity X
- A ticket describes a right
  - Consists of an entity name and a right symbol: X/z
    - Possessor of the ticket X/z has right z over entity X
    - Y has tickets X/r, X/w -> Y has tickets X/rw
  - Each entity X has a set dom(X) of tickets Y/z
  - τ(X/r:c) = τ(X)/r:c is the type of a ticket

Schematic Protection Model
- Inert right vs. control right
  - Inert right doesn't affect protection state, e.g. read right
  - take right in Take-Grant model is a control right
- Copy flag c
  - Every right r has an associated copyable right rc
  - r:c means r or rc
- Manipulation of rights
  - A link predicate
    - Determines if a source and target of a transfer are "connected"
  - A filter function
    - Determines if a transfer is authorized

Transferring Rights
- dom(X): set of tickets that X has
- Link predicate: link_i(X, Y)
  - Conjunction or disjunction of the following terms
    - X/z ∈ dom(X); X/z ∈ dom(Y);
    - Y/z ∈ dom(X); Y/z ∈ dom(Y)
    - true
  - Determines if X and Y are "connected" to transfer right
  - Examples:
    - Take-Grant: link(X, Y) = Y/g ∈ dom(X) ∨ X/t ∈ dom(Y)
    - Broadcast: link(X, Y) = X/b ∈ dom(X)
    - Pull: link(X, Y) = Y/p ∈ dom(Y)
    - Universal: link(X, Y) = true
- Scheme: a finite set of link predicates is called a scheme

Filter Function
- Filter function:
  - Imposes conditions on when tickets can be transferred
  - f_i: TS × TS → 2^(T×R) (range is copyable rights)
- X/r:c can be copied from dom(Y) to dom(Z) iff ∃ i s.t. the following are true:
  - X/rc ∈ dom(Y)
  - link_i(Y, Z)
  - τ(X)/r:c ∈ f_i(τ(Y), τ(Z))
- Examples:
  - If f_i(τ(Y), τ(Z)) = T × R then any rights are transferable
  - If f_i(τ(Y), τ(Z)) = T × RI then only inert rights are transferable
  - If f_i(τ(Y), τ(Z)) = ∅ then no tickets are transferable
- One filter function is defined for each link predicate

SPM Example 1
- Owner-based policy
  - Subject U can authorize subject V to access an object F iff U owns F
  - Types: TS = {user}, TO = {file}
  - Ownership is viewed as copy attributes
    - If U owns F, all its tickets for F are copyable
  - RI: { r:c, w:c, a:c, x:c }; RC is empty
    - read, write, append, execute; copy on each
  - ∀ U, V ∈ user, link(U, V) = true
    - Anyone can grant a right to anyone else if they possess the right to do so (copy)
  - f(user, user) = { file/r, file/w, file/a, file/x }
    - Can copy read, write, append, execute

SPM Example 1
- Peter owns file Doom; can he give Paul execute permission over Doom?
  1. τ(Peter) is user and τ(Paul) is user
  2. τ(Doom) is file
  3. Doom/xc ∈ dom(Peter)
  4. Link(Peter, Paul) = TRUE
  5. τ(Doom)/x ∈ f(τ(Peter), τ(Paul)) - because of 1 and 2
- Therefore, Peter can give ticket Doom/xc to Paul

SPM Example 2
- Take-Grant Protection Model
  - TS = { subjects }, TO = { objects }
  - RC = {tc, gc}, RI = {rc, wc}
    - Note that all rights can be copied in T-G model
  - link(p, q) = p/t ∈ dom(q) ∨ q/t ∈ dom(p)
  - f(subject, subject) = { subject, object } × { tc, gc, rc, wc }
    - Note that any rights can be transferred in T-G model

Demand
- A subject can demand a right from another entity
  - Demand function d: TS → 2^(T×R)
  - Let a and b be types
    - a/r:c ∈ d(b): every subject of type b can demand a ticket X/r:c for all X such that τ(X) = a
  - A sophisticated construction eliminates the need for the demand operation – hence omitted

Create Operation
- Need to handle
  - type of the created entity, &
  - tickets added by the creation
- Relation can•create(a, b) ⊆ TS × T
  - A subject of type a can create an entity of type b
- Rule of acyclic creates
  - Limits the membership in can•create(a, b)
  - If a subject of type a can create a subject of type b, then none of the descendants can create a subject of type a
  - [Figure: diagram with nodes a, b, c, d]

Create Operation: Distinct Types
- Create rule cr(a, b) specifies the
  - tickets introduced when a subject of type a creates an entity of type b
- B object: cr(a, b) ⊆ { b/r:c ∈ RI }
  - Only inert rights can be created
  - A gets B/r:c iff b/r:c ∈ cr(a, b)
- B subject: cr(a, b) has two parts
  - crP(a, b) added to A, crC(a, b) added to B
  - A gets B/r:c if b/r:c in crP(a, b)
  - B gets A/r:c if a/r:c in crC(a, b)

Non-Distinct Types
- cr(a, a): who gets what?
  - self/r:c are tickets for creator
  - a/r:c tickets for the created
- cr(a, a) = { a/r:c, self/r:c | r:c ∈ R }
- cr(a, a) = crC(a, b) | crP(a, b) is attenuating if:
  1. crC(a, b) ⊆ crP(a, b) and
  2. a/r:c ∈ crP(a, b) ⇒ self/r:c ∈ crP(a, b)
- A scheme is attenuating if,
  - For all types a,
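
Added example (not part of the lecture notes): the three-part copy rule from the Filter Function slide, run against the owner-based policy with Peter, Paul and Doom. The names Ticket, SPM, can_copy, copy_ticket and the third user Mary are assumptions made for illustration, and filter entries are matched exactly, so with f(user, user) = { file/r, file/w, file/a, file/x } the ticket handed over is the non-copyable Doom/x.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ticket:
    entity: str          # X
    right: str           # r
    copy: bool = False   # True = copyable form rc

@dataclass
class SPM:
    tau: dict                                    # entity -> protection type
    dom: dict = field(default_factory=dict)      # entity -> set of Tickets
    scheme: list = field(default_factory=list)   # [(link_i, f_i), ...]

    def can_copy(self, x, r, copy, y, z):
        """True iff X/r:c can be copied from dom(Y) to dom(Z)."""
        if Ticket(x, r, True) not in self.dom.get(y, set()):
            return False                         # Y must hold X/rc
        wanted = (self.tau[x], r, copy)          # tau(X)/r:c
        return any(link(self, y, z) and wanted in f(self.tau[y], self.tau[z])
                   for link, f in self.scheme)

    def copy_ticket(self, x, r, copy, y, z):
        if not self.can_copy(x, r, copy, y, z):
            raise PermissionError(f"{y} may not copy {x}/{r} to {z}")
        self.dom.setdefault(z, set()).add(Ticket(x, r, copy))

def universal_link(m, y, z):                     # link(X, Y) = true
    return True

def take_grant_link(m, y, z):                    # Z/g in dom(Y) or Y/t in dom(Z)
    held = lambda e: {(t.entity, t.right) for t in m.dom.get(e, set())}
    return (z, "g") in held(y) or (y, "t") in held(z)

def owner_filter(ty, tz):                        # f(user, user) from the slide
    if (ty, tz) == ("user", "user"):
        return {("file", r, False) for r in "rwax"}
    return set()

def owner_policy_demo():
    # Constructed state: Peter owns Doom; Mary is a hypothetical third user.
    m = SPM(tau={"Peter": "user", "Paul": "user", "Mary": "user", "Doom": "file"},
            scheme=[(universal_link, owner_filter)])
    m.dom["Peter"] = {Ticket("Doom", r, True) for r in "rwax"}
    allowed = m.can_copy("Doom", "x", False, "Peter", "Paul")
    m.copy_ticket("Doom", "x", False, "Peter", "Paul")
    forwarded = m.can_copy("Doom", "x", False, "Paul", "Mary")
    return allowed, Ticket("Doom", "x") in m.dom["Paul"], forwarded
```

Paul ends up holding Doom/x but cannot pass it on to Mary, because he never held the copyable Doom/xc; only the owner can authorize access.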

