Toward A Mathematical Model of Computer Security


2 Nov 2013


Presented by: Gina Duncanson, Kevin Jonas, Ben Lange, John Loff-Peterson, Ben Neigebauer

Introduction

• Computer security issues are a part of our daily life
• Goal: model a secure computer system

Scope

• Define a secure system
• Use a practical example
• State the Unwinding Theorem

Modeling a Computer System

A system M consists of:

• a set S of states, with a distinguished initial state s_0 in S
• a set D of domains
• a set A of actions
• a set O of outputs

Practical Example

This section shows how the model of security explained in the paper we researched can be applied to a concrete system: a World Wide Web site.

Defining M

A World Wide Web site consists of three basic components:

• the web server
• the TCP/IP connection
• the web browser (client)

Defining S

A web server has a finite set of states, and in general it travels through a cycle of them (waiting, receiving a request, processing it, responding, waiting again).

s_0, the initial state, is the wait state of the web server.

Defining D

A domain is a defined section of a system; every action of the system occurs within some specified domain.

This means we can talk about actions as they relate to the client's computer or to the web server's computer: each of those is a domain.

Defining A

An action is similar to a verb. Two example actions:

• a client entering a URL
• a server executing one code statement

Defining O

Outputs are the immediate result of an action. For a web site, example outputs are:

• the web server sending back a response confirming that it exists
• the result of executing one code statement

Putting it all together

For these pieces to fit together, S, D, A and O are tied together by several dependencies: every action belongs to a domain (dom(a) in D), and three functions, step, output and run, say what an action does to the state and what it returns.


Modeling a Computer System

A system M also has:

• a function step: S × A → S, where step(s, a) denotes the next state of the system after applying action a in state s

Modeling a Computer System

• a function output: S × A → O, where output(s, a) denotes the result returned by action a when applied in state s

  Example: the result returned by a "write" command to a file

Modeling a Computer System

• a function run: S × A* → S, which applies a whole sequence of actions to a state

  Example: run(s, Λ) = s, where Λ is the empty sequence of actions; for a non-empty sequence, run(s, a∘α) = run(step(s, a), α), i.e. apply the first action a and then the rest of the sequence α

Terminology

STATES: use the letters s, t

ACTIONS: use the letters a, b

SEQUENCES OF ACTIONS: use the Greek letters α, β

DOMAINS: use the letters u, v, w

Communication

Two domains u, v communicate if there is an information flow channel between them.

Definition

Security Policy: a set of rules defining which domains may communicate.

It is specified by a reflexive relation ⇝ ("interferes with") on the set D of domains: u ⇝ v means that information may flow from u to v. Reflexivity just says every domain may see its own actions.

Definition

Security: a system is secure for a given policy if the policy completely accounts for all possible communication channels, i.e. the only information flows the system actually permits are the ones the policy allows.

Security

Two assumptions:

• a set D of security domains (written u, v, ...)
• a policy ⇝ that restricts the allowable flow of information among those domains
Noninterference

The idea of noninterference is really rather simple: a security domain u is noninterfering with domain v if no action performed by u can influence subsequent outputs seen by v.

Intransitive Noninterference

Let u, v and x be domains with u ⇝ x and x ⇝ v, but not u ⇝ v. This is an example of an intransitive policy: information from u may reach v, but only by passing through x.

In short, intransitive noninterference forbids direct communication between u and v while still allowing the indirect route through x. The purge function defined next is the one for transitive policies; intransitive policies need the refined version given in Rushby's paper.

Definition: purge

purge(α, v) removes from the sequence α every action whose domain is not allowed to interfere with v (the definition is Rushby's):

\[
\mathrm{purge}(\Lambda, v) = \Lambda, \qquad
\mathrm{purge}(a \circ \alpha, v) =
\begin{cases}
a \circ \mathrm{purge}(\alpha, v) & \text{if } \mathrm{dom}(a) \leadsto v \text{ (dom(a) interferes with v)} \\
\mathrm{purge}(\alpha, v) & \text{otherwise}
\end{cases}
\]

Security

Security is identified by the following condition (Rushby's formulation): for every sequence α of actions and every action a,

\[
\mathrm{output}(\mathrm{run}(s_0, \alpha), a) = \mathrm{output}(\mathrm{run}(s_0, \mathrm{purge}(\alpha, \mathrm{dom}(a))), a)
\]

In words: what the domain of a observes after α is exactly what it would observe if every action not allowed to interfere with it had never happened.

Restating the Expressions

With the abbreviations test and do introduced on the Test and Do slide, security is now identified by:

\[
\mathrm{test}(\alpha, a) = \mathrm{test}(\mathrm{purge}(\alpha, \mathrm{dom}(a)), a)
\]

Proving this property for a system goes through three notions: view-partitioned systems, the equivalence relations they carry on states, and output consistency.
Test and Do

test and do are abbreviations of two frequently used expressions:

\[
\mathrm{do}(\alpha) = \mathrm{run}(s_0, \alpha), \qquad
\mathrm{test}(\alpha, a) = \mathrm{output}(\mathrm{do}(\alpha), a)
\]

Then we say that a system M is secure for policy ⇝ if test(α, a) = test(purge(α, dom(a)), a) for every sequence α and action a.

Output Consistency

A system M is view-partitioned if, for each domain u, there is an equivalence relation ~_u on the set S of states; s ~_u t means that states s and t look the same from u's point of view.

These equivalence relations are output consistent if

\[
s \sim_{\mathrm{dom}(a)} t \;\Rightarrow\; \mathrm{output}(s, a) = \mathrm{output}(t, a)
\]

that is, whenever s and t are equivalent views for the domain of a, executing a in either state returns the same output.
Views

For an output consistent system, security is achieved if "views" are unaffected by purging.

Lemma. Let ⇝ be a policy and M a view-partitioned, output consistent system such that, for every sequence α and every domain u,

\[
\mathrm{do}(\alpha) \sim_u \mathrm{do}(\mathrm{purge}(\alpha, u))
\]

This means that performing the sequence α leaves u with the same view as executing the purged version of α.

Then M is secure for ⇝.

Views

Proof: Setting u = dom(a) in the hypothesis of the lemma gives

\[
\mathrm{do}(\alpha) \sim_{\mathrm{dom}(a)} \mathrm{do}(\mathrm{purge}(\alpha, \mathrm{dom}(a)))
\]

and now taking these two states as the s and t of output consistency provides

\[
\mathrm{output}(\mathrm{do}(\alpha), a) = \mathrm{output}(\mathrm{do}(\mathrm{purge}(\alpha, \mathrm{dom}(a))), a)
\]

But this is simply

\[
\mathrm{test}(\alpha, a) = \mathrm{test}(\mathrm{purge}(\alpha, \mathrm{dom}(a)), a)
\]

which is the definition of security for ⇝ listed before.

Unwinding Theorem

Why is the unwinding theorem important?

• It provides a basis for practical methods for verifying systems that enforce noninterference policies: its conditions are checked one state and one action at a time.
• It serves to relate noninterference policies to access control mechanisms.

Unwinding Theorem

What is the Unwinding Theorem?

It is hard to work with sequences of actions. The unwinding theorem states that if three conditions on individual actions hold, then the security condition, which quantifies over all sequences of actions, holds as well.

Unwinding Theorem

More Formally

Let ⇝ be a policy and M a view-partitioned system that is (the three conditions are Rushby's):

• output consistent: s ~_{dom(a)} t ⇒ output(s, a) = output(t, a)
• step consistent: s ~_u t ⇒ step(s, a) ~_u step(t, a)
• locally respects ⇝: if dom(a) does not interfere with u, then s ~_u step(s, a)

Then M is secure for ⇝.
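The following is an added example and is not code from the slides or from Rushby's paper. It builds a tiny two-domain system M = (S, D, A, O, step, output) of the kind the "Modeling a Computer System" slides describe, implements run, purge and the test-based security condition from the Security and Test and Do slides, and checks the three unwinding conditions of the theorem above against a chosen view partition. The domains L and H, the policy (L ⇝ H only), the actions, the bit-pair state encoding and the view function are all assumptions made for this example; the "leaky" variant adds a covert channel from H to L so that both checks have something to catch.

```python
# Added example (not from the slides or Rushby's paper): a two-domain system
# checked against the noninterference definition and the unwinding conditions.
# Domains, policy, actions, state encoding and view partition are assumptions.
from itertools import product

# Policy: a reflexive "interferes with" relation on the domains.  Assumed here:
# L (low) may interfere with H (high), but H may not interfere with L.
DOMAINS = ("L", "H")
INTERFERES = {("L", "L"), ("H", "H"), ("L", "H")}

def interferes(u, v):
    return (u, v) in INTERFERES

# The system.  A state is (low_bit, high_bit); the initial state s_0 is (0, 0).
S0 = (0, 0)
STATES = [(lo, hi) for lo in (0, 1) for hi in (0, 1)]
ACTIONS = ("l_toggle", "l_read", "h_toggle", "h_read")
DOM = {"l_toggle": "L", "l_read": "L", "h_toggle": "H", "h_read": "H"}

def dom(a):
    return DOM[a]

def step(s, a):
    """step: S x A -> S.  Toggles flip one bit; reads leave the state unchanged."""
    lo, hi = s
    if a == "l_toggle":
        return (1 - lo, hi)
    if a == "h_toggle":
        return (lo, 1 - hi)
    return s

def make_output(leaky):
    """output: S x A -> O.  In the leaky variant l_read returns the HIGH bit,
    a channel from H to L that the policy does not allow."""
    def output(s, a):
        lo, hi = s
        if a == "l_read":
            return hi if leaky else lo
        if a == "h_read":
            return hi
        return "ok"          # toggles acknowledge without revealing any state
    return output

def run(s, alpha):
    """run: S x A* -> S; run(s, empty) = s, run(s, a.alpha) = run(step(s, a), alpha)."""
    for a in alpha:
        s = step(s, a)
    return s

def purge(alpha, v):
    """Keep only the actions whose domain may interfere with v."""
    return tuple(a for a in alpha if interferes(dom(a), v))

def find_interference(output, max_len=3):
    """Bounded check of test(alpha, a) == test(purge(alpha, dom(a)), a) over every
    sequence alpha of length <= max_len.  Returns the first violation as
    (alpha, a, observed, expected), or None if none was found."""
    def test(alpha, a):                  # test(alpha, a) = output(do(alpha), a)
        return output(run(S0, alpha), a)
    for n in range(max_len + 1):
        for alpha in product(ACTIONS, repeat=n):
            for a in ACTIONS:
                observed, expected = test(alpha, a), test(purge(alpha, dom(a)), a)
                if observed != expected:
                    return alpha, a, observed, expected
    return None

# View partition for the unwinding theorem: s ~u t iff view(u, s) == view(u, t).
# H is allowed to see L's bit (L interferes with H); L must not see H's bit.
def view(u, s):
    lo, hi = s
    return (lo,) if u == "L" else (lo, hi)

def equiv(u, s, t):
    return view(u, s) == view(u, t)

def unwinding_violations(output):
    """Names of the unwinding conditions that fail for this system and partition.
    An empty list means the theorem guarantees security for the policy, and the
    check only ever looked at single states and actions, never at sequences."""
    failed = []
    if any(equiv(dom(a), s, t) and output(s, a) != output(t, a)
           for s in STATES for t in STATES for a in ACTIONS):
        failed.append("output consistent")
    if any(equiv(u, s, t) and not equiv(u, step(s, a), step(t, a))
           for u in DOMAINS for s in STATES for t in STATES for a in ACTIONS):
        failed.append("step consistent")
    if any(not interferes(dom(a), u) and not equiv(u, s, step(s, a))
           for u in DOMAINS for s in STATES for a in ACTIONS):
        failed.append("locally respects")
    return failed

if __name__ == "__main__":
    for leaky in (False, True):
        out = make_output(leaky)
        print("leaky" if leaky else "secure",
              find_interference(out), unwinding_violations(out))
```

For the non-leaky variant the bounded search finds no violation and all three unwinding conditions hold, so the theorem certifies the system for the policy. For the leaky variant the search stops at the one-action sequence h_toggle followed by l_read (L observes 1 where the purged run gives 0), and the unwinding check blames output consistency: the states (0, 0) and (0, 1) are L-equivalent but l_read returns different outputs. Two caveats a practitioner should keep in mind: the unwinding theorem is a sufficient condition, so a failed condition for one choice of view partition does not by itself prove the system insecure (which is why the bounded sequence search is kept alongside it), and the sequence search is exhaustive only up to max_len, so it can demonstrate interference but never prove its absence.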
Questions

Any Questions??

References

• John Rushby, "Noninterference, Transitivity, and Channel-Control Security Policies"
• Auerbach, Kerbel, Megraw, Osburn, Shetty, with mentor John Hoffman, "Problems in Computer Security"

Thank You

Dr. Steve Decklemen