# Toward A Mathematical Model of Computer Security

Security

2 Nov 2013 (4 years and 6 months ago)


Toward A Mathematical Model of Computer Security

Gina Duncanson

Kevin Jonas

Ben Lange

John Loff-Peterson

Ben Neigebauer

Introduction

Computer security issues are a part of our daily life

Model a secure computer system

Scope

Define a secure system

Use a practical example

State Unwinding Theorem

Modeling a Computer System

A system M can consist of:

a set S of states, where $s_0$ is an initial state

a set D of domains

a set A of actions

a set O of outputs

And Now...

Practical Example

Today I will be talking about how one can apply the model of security that is explained in the paper we researched.

Defining M

World Wide Web sites consist of three basic components:

Web Server

TCP/IP Connection

Web Browser Client

Defining S

Web servers always have a finite state. Generally a server travels through a cycle of states.

$s_0$ is wait mode on a web server.

Defining D

A domain is a defined section of a system. All the actions of a system occur within specified domains.

This means that we can talk about actions as they relate to a client or web server's computer.

Defining A

An action is similar to a verb. Two example actions include:

A client inserting a URL

A server processing one code statement

Defining O

Outputs are the immediate result of an action. When looking at a web site an output is:

A web server sending back a confirmation message that it exists.

The result of one code statement.

Putting it all together

In order for all of these events to fit together, there are several dependencies between S, D, A, and O.

Modeling a Computer System

A system M can consist of:

• function $\text{step}: S \times A \to S$, where $\text{step}(s_n, a)$ denotes the next state of the system after applying action $a$

Modeling a Computer System

A system M can consist of:

• function $\text{output}: S \times A \to O$, where $\text{output}(s, a)$ denotes the result returned by the action $a$

Example: a “write” command to a file

Modeling a Computer System

A system M can consist of:

• function $\text{run}: S \times A^* \to S$

• Example: run applied to a state $s$ and the empty sequence of actions returns $s$ unchanged

Terminology

STATES: use the letters s, t

ACTIONS: use the letters a, b

SEQUENCES OF ACTIONS: use Greek letters

DOMAIN: use the letters u, v, w

Communication

Two domains u, v communicate if there is an information flow channel between them.

Definition

Security Policy:

A set of rules defining what domains can communicate.

Specified by a reflexive relation on a domain D

Definition

Security:

A system is secure if the given security policy of the system completely defines all possible communication channels.

Security

2 ASSUMPTIONS:

a set of security domains {u, v}

a policy that restricts the allowable flow of information among the domains above

And Now...

Noninterference

The idea of noninterference is really rather simple: a security domain u is non-interfering with domain v if no action performed by u can influence subsequent outputs seen by v.

Intransitive Noninterference

Let u not see v but u see x and x see v, where u, v, and x are domains. This is an example of intransitive noninterference.

In short, intransitive noninterference means there is no direct communication between u and v.

Intransitive Noninterference

And Now...

Definition ~ purge

if dom(a) interferes with v

otherwise

Security

Security is identified by:
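The model of the preceding slides (states, domains, actions, outputs, step, output, run, the policy relation and purge) as an added executable example that is not part of the original talk or of Rushby's paper: a constructed two-domain system is checked against the noninterference condition by comparing the output after every short action sequence with the output after its purged version. The domain names, the actions and the leaky variant are assumptions made for this example.

```python
from itertools import product
# Constructed example, not from the original slides: domains D = {"hi", "lo"},
# states S = (hi_val, lo_val) pairs, and a reflexive policy relation "u ~> v"
# (u may interfere with v): lo may interfere with hi, hi must not with lo.
POLICY = {("hi", "hi"), ("lo", "lo"), ("lo", "hi")}

def dom(action):
    """Domain of an action: the prefix before the underscore."""
    return action.split("_")[0]

def make_system(leaky):
    """Return (s0, actions, step, output); if leaky, lo_read exposes hi_val."""
    s0 = (0, 0)
    actions = ("hi_write", "lo_write", "lo_read")
    def step(s, a):                       # step: S x A -> S
        hi_val, lo_val = s
        if a == "hi_write":
            return (hi_val + 1, lo_val)
        if a == "lo_write":
            return (hi_val, lo_val + 1)
        return s                          # lo_read leaves the state alone
    def output(s, a):                     # output: S x A -> O
        hi_val, lo_val = s
        if a == "lo_read":
            return hi_val + lo_val if leaky else lo_val
        return "ok"
    return s0, actions, step, output

def run(step, s, seq):
    """run: S x A* -> S, apply the action sequence seq from state s."""
    for a in seq:
        s = step(s, a)
    return s

def purge(seq, v):
    """Keep only the actions whose domain interferes with v under POLICY."""
    return tuple(a for a in seq if (dom(a), v) in POLICY)

def is_secure(system, max_len=3):
    """Noninterference: output(run(s0, seq), a) must equal
    output(run(s0, purge(seq, dom(a))), a) for every seq and every action a."""
    s0, actions, step, output = system
    for n in range(max_len + 1):
        for seq in product(actions, repeat=n):
            for a in actions:
                direct = output(run(step, s0, seq), a)
                purged = output(run(step, s0, purge(seq, dom(a))), a)
                if direct != purged:
                    return False
    return True
```

The check is exhaustive only up to max_len, so it refutes security on a finite prefix of sequences rather than proving it; the unwinding theorem later in the talk is what makes a finite per-action proof possible.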

Restating the Expressions

Security

Security is now identified by:

View-Partitioned

Equivalence Relation

Output Consistent

And Now...

Test and Do

Test and do are abbreviations of frequently used expressions.

Then we say that a system is secure for policy

Output Consistency

A system M is view-partitioned if, for each domain, there is an equivalence relation on S.

These equivalence relations are said to be output consistent if the output after executing action a is the same for the states s and t, so s and t are equivalent views.

Views

For an output consistent system, security is achieved if “views” are unaffected.

Let be a policy and M a view-partitioned, output consistent system such that,

This means that if you perform a sequence, it is equivalent to executing the purged version.

Then M is secure for

Views

Proof:

Setting u = dom(a) in the statement of the lemma gives

and now substituting u = dom(a) in for s and t, output consistency provides

Views

But this is simply

which is the definition of security for the policy listed before.

Unwinding Theorem

Why is the unwinding theorem important?

It provides a basis for practical methods for verifying systems that enforce noninterference policies.

It serves to relate noninterference policies to access control mechanisms.

Unwinding Theorem

What is the Unwinding Theorem?

It is hard to work with sequences of actions. The unwinding theorem states that if the security policy holds for each action, then it holds for the sequence.

Unwinding Theorem

More Formally

Let be a policy and M a view-partitioned system that is:

output consistent

step consistent

locally respects

Then M is secure for
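The three per-action conditions of the unwinding theorem, as an added example that is not taken from the talk or from Rushby's paper: a constructed finite system with one bit of state per domain and a view relation under which each domain sees only its own bit. The conditions are checked over all state pairs, which is finite work even though they imply security for every action sequence; the leaky variant of lo_read is an assumption introduced to show a violation.

```python
from itertools import product

# Constructed finite system, not from the slides: states are (hi_bit, lo_bit),
# domains hi and lo, policy "u ~> v": lo may interfere with hi, hi not with lo.
POLICY = {("hi", "hi"), ("lo", "lo"), ("lo", "hi")}
STATES = [(h, l) for h in (0, 1) for l in (0, 1)]
ACTIONS = {"hi_flip": "hi", "lo_flip": "lo", "lo_read": "lo"}  # action -> dom

def step(s, a):
    h, l = s
    return {"hi_flip": (1 - h, l), "lo_flip": (h, 1 - l)}.get(a, s)

def output(s, a, leaky=False):
    h, l = s
    if a == "lo_read":
        return (h, l) if leaky else l   # leaky variant exposes the hi bit
    return "ok"

def view_equal(u, s, t):
    """Equivalence relation s ~u t: each domain sees only its own bit."""
    return s[0] == t[0] if u == "hi" else s[1] == t[1]

def unwinding_violations(leaky=False):
    """Check the three unwinding conditions on every state pair and action;
    an empty list means the unwinding theorem certifies M secure for POLICY."""
    bad = []
    for a, u in ACTIONS.items():
        for s, t in product(STATES, repeat=2):
            # output consistent: s ~dom(a) t  =>  output(s, a) == output(t, a)
            if view_equal(u, s, t) and output(s, a, leaky) != output(t, a, leaky):
                bad.append(("output consistent", a, s, t))
        for v in ("hi", "lo"):
            for s, t in product(STATES, repeat=2):
                # step consistent: s ~v t  =>  step(s, a) ~v step(t, a)
                if view_equal(v, s, t) and not view_equal(v, step(s, a), step(t, a)):
                    bad.append(("step consistent", a, v, s, t))
            if (u, v) not in POLICY:
                # locally respects: dom(a) not ~> v  =>  s ~v step(s, a)
                for s in STATES:
                    if not view_equal(v, s, step(s, a)):
                        bad.append(("locally respects", a, v, s))
    return bad
```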

Questions

Any Questions??

References

John Rushby, “Noninterference, Transitivity, and Channel-Control Security Policies”

Auerbach, Kerbel, Megraw, Osburn, Shetty, with mentor John Hoffman, “Problems in Computer Security”

Thank You

Dr. Steve Decklemen