# Take-Grant Protection Model

Theft and Conspiracy in the Take-Grant Protection Model

### Take-Grant Protection Model

1. Theft and Conspiracy in the Take-Grant Protection Model. Lawrence Snyder, Department of Computer Sciences, Purdue University, West Lafayette, IN 47907. Presented by: Raj Kumar Ranabhat, M.E. in Computer Engineering (I/I), Kathmandu University, 2/14/2017.
2. Take-Grant Protection Model
   • A specific (not generic) system
   • Set of rules for state transitions
   • Safety decidable, and in time linear with the size of the system
   • Goal: find conditions under which rights can be transferred from one entity to another in the system
3. System
   • ○ objects (passive entities like files, ...)
   • ● subjects (active entities like users, processes, ...)
   • ⊗ don't care (either a subject or an object)
   • R = {t, g, ...}: set of rights
   • G ⊢x G′: apply rewriting rule x (witness) to G to get G′
   • G ⊢* G′: apply a sequence of rewriting rules (witness) to G to get G′
4. Take-Grant Protection Model. Take: Let x, y and z be distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that "t" ∈ γ, an edge from y to z labeled β, and α ⊆ β. Then the take rule defines a new graph G′ by adding an edge to the protection graph from x to z labeled α. The rule can be read: "x takes (α to z) from y."
5. Grant: Let x, y and z be distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that "g" ∈ γ, an edge from x to z labeled β, and α ⊆ β. The grant rule defines a new graph G′ by adding an edge from y to z labeled α. The rule can be read: "x grants (α to z) to y."
6. Create: Let x be any subject vertex in a protection graph G and let α be a nonempty subset of R. Create defines a new graph G′ by adding a new vertex n to the graph and an edge from x to n labeled α. The rule can be read: "x creates (α to) new {subject/object} n."
7. Remove: Let x and y be any distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled β, and let α be any subset of rights. Then remove defines a new graph G′ by deleting the α labels from β. If β becomes empty as a result, the edge itself is deleted. The rule can be read: "x removes (α to) y."
8. Take-Grant Definable Graphs
9. Take-Grant Definable Graphs
   • x creates (tg to) new v
10. Take-Grant Definable Graphs
   • x creates (tg to) new v
   • x grants (g to v) to y
11. Take-Grant Definable Graphs
   • x creates (tg to) new v
   • x grants (g to v) to y
   • y grants (β to z) to v
12. Take-Grant Definable Graphs
   • x creates (tg to) new v
   • x grants (g to v) to y
   • y grants (β to z) to v
   • x takes (β to z) from v
13. Theorem: Let G₀ be a protection graph containing exactly one subject vertex and no edges. Then G₀ ⊢* G if and only if
   • G is a finite, directed, loop-free, two-color graph
   • the edges are labeled from nonempty subsets of R
   • at least one subject in G has no incoming edges.
14. ⇐: Let v be the initial subject, and G₀ ⊢* G.
   • After reviewing the rule definitions, it gives:
      • G is obviously finite
      • G is a directed graph
      • G is loop-free
      • two-colored with the indicated labelling
   • Limits of rules:
      • since vertices cannot be destroyed, v persists in any graph derived from G₀
      • edges cannot be directed to a vertex that has no incoming edges, so none can be assigned to v
15. ⇐: Let G satisfy the requirements and be the final graph in the theorem.
   • Let G have vertices x₁, x₂, ..., xₙ
   • Identify v with some subject x₁ with no incoming edges
   • Construct G′ as follows:
      • Perform "v creates (α ∪ {g} to) new subject xᵢ"
      • For all (xᵢ, xⱼ) where xᵢ has a right over xⱼ, do "x₁ grants (α to xⱼ) to xᵢ"
      • Let β be the rights xᵢ has over xⱼ in G; then do "v removes ((α ∪ {g}) − β to) xᵢ"
   • Now G′ is the desired G
16. Predicates and earlier results
   • tg-path: Vertices p and q of G are tg-connected if there is a path p = x₀, ..., xₙ = q and the label α on the edge between xᵢ and xᵢ₊₁ contains t or g
   • island: An island of G is a maximal, tg-connected subject-only subgraph of G.
   • A path x₀, x₁, ..., xₙ is an initial span if it has an associated word in {t* g}
   • it is a terminal span if n > 0 and it has an associated word in {t*}
   • it is a bridge if
      1. n > 1 and x₀ and xₙ are subjects
      2. an associated word is in {t*, t*, t* g t*, t* g t*}
      3. the xᵢ are objects (0 < i < n)
17. Example
   • islands: {p, u}, {w}, {y, s′}
   • bridges: u, v, w; w, x, y
   • initial span: p (associated word ν)
   • terminal span: s′s (associated word t)
18. can·share Predicate: can·share(α, p, q, G₀) holds if, and only if, there is a sequence of protection graphs G₀, ..., Gₙ such that G₀ ⊢* G and in Gₙ there is an edge from p to q labeled α
19. Theft. can·steal Predicate: for two distinct vertices p and q in a protection graph G₀, and right α, define can·steal(α, p, q, G₀) ⇔ ¬(p –α→ q in G₀) and there exist protection graphs G₁, ..., Gₙ such that G₀ ⊢ρ₁ G₁ ⊢ρ₂ ... ⊢ρₙ Gₙ, p –α→ q in Gₙ, and if s –α→ q in G₀ then no ρⱼ has the form "s grants (α to q) to xᵢ" for any xᵢ ∈ Gⱼ₋₁, 1 ≤ j < n.
20. Example of Stealing: can·steal(α, s, w, G₀)
21. Example of Stealing: can·steal(α, s, w, G₀)
   • u grants (t to v) to s
22. Example of Stealing: can·steal(α, s, w, G₀)
   • u grants (t to v) to s
   • s takes (t to x) from v
23. Example of Stealing: can·steal(α, s, w, G₀)
   • u grants (t to v) to s
   • s takes (t to x) from v
   • s takes (t to u) from x
24. Example of Stealing: can·steal(α, s, w, G₀)
   • u grants (t to v) to s
   • s takes (t to x) from v
   • s takes (t to u) from x
   • s takes (α to w) from u
25. can·steal Theorem: can·steal(α, p, q, G₀) holds if, and only if, the following hold simultaneously:
   • there is no edge from x to y labeled α in G₀
   • there is a subject x′ = x or x′ initially spans to x
   • there is a vertex s with an edge to y labeled α in G₀
   • can·share(α, p, q, G₀) holds
26. ⇒: Assume all four conditions hold
   • If x is a subject:
      • x gets t rights to s (last condition); then takes α to y from s (third condition)
   • If x is an object:
      • can·share(t, x′, s, G₀) holds
      • If x′ has no α edge to y in G₀, x′ takes (α to y) from s and grants it to x
      • If x′ has an edge to y in G₀, x′ creates surrogate x′′, gives it (t to s) and (g to x′′); then x′′ takes (α to y) and grants it to x
27. ⇐: Assume can·steal(α, x, y, G₀) holds
   • First two conditions are immediate from the definitions of can·share and can·steal
   • Third condition is immediate from the theorem of conditions for can·share
   • Fourth condition: let ρ be a minimal-length sequence of rule applications deriving Gₙ from G₀
   • Let i be the smallest index such that Gᵢ₋₁ ⊢ρᵢ Gᵢ adds α from some p to y in Gᵢ
   • What rule is ρᵢ?
28. (continued)
   • Not remove or create rule
      • y exists already
   • Not grant rule
      • Gᵢ is the first graph in which an edge labeled α to y is added, so by definition of can·share, it cannot be a grant
   • Therefore ρᵢ must be a take rule, so can·share(t, p, s, G₀) holds
   • By the earlier theorem, there is a subject s′ such that s′ = s or s′ terminally spans to s
   • Also, there is a sequence of islands l₁, ..., lₙ with x′ ∈ l₁, s′ ∈ lₙ
   • Now consider what s is
29. (continued)
   • If s is an object, s′ ≠ s
      • If s′, p are in the same island, take p = s′; then can·share(t, x, s, G₀) holds
      • If they are not, the sequence is minimal, contradicting assumption
   • So choose s′ in the same island as p
30. If s is a subject, p ∈ lₙ
   • If p ∉ G₀, there is a subject q such that can·share(t, q, s, G₀) holds
      • s ∈ G₀ and none of the rules add new labels to incoming edges on existing vertices
   • As s owns α rights to y in G₀, two cases arise:
      • If s = q, replace "s grants (α to y) to q" with the sequence:
         • p takes (α to y) from s
         • p takes (g to q) from s
         • p grants (α to y) to q
      • If s = q, you only need the first
31. Conspiracy: If s is a subject, p ∈ lₙ
32. Conspiracy in general graphs: Given a protection graph G with subject vertices X₁, ..., Xₙ, we will define a new graph, the conspiracy graph, H, determined by G. H has vertices Y₁, ..., Yₙ and each Yᵢ has associated with it the access-set A(Xᵢ). There is an undirected edge between Yᵢ and Yⱼ provided δ(Xᵢ, Xⱼ) ≠ Ø, where δ is called the deletion operation: δ(x, x′) = all elements in A(x) ∩ A(x′) except those z for which either (a) the only reason for z ∈ A(x) is that x initially spans to z and the only reason for z ∈ A(x′) is that x′ initially spans to z, or (b) the only reason z ∈ A(x) is x terminally spans to z and the only reason z ∈ A(x′) is x′ terminally spans to z. The graph thus constructed is the conspiracy graph for G.
34. Results
   • Lemma 7.1: can·share(α, p, q, G) is true if and only if some Yᵤ ∈ Yₚ is connected to some Yᵥ ∈ Yₛ
   • Theorem 7.2: To produce a witness to can·share(α, p, q, G), |s.p.| conspirators are sufficient.
   • Theorem 7.3: To produce a witness to can·share(α, p, q, G), |s.p.| conspirators are necessary.
35. Concluding Remarks
   • how sharing is accomplished in the Take-Grant Model
   • there is the question of the algorithmic complexity of determining the minimum number of conspirators required for a right to be shared
   • determine, for a given graph, what set of conspirators must have participated in the sharing of a right after the fact
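
The four-step witness from slides 20 to 24, replayed against the take and grant rules of slides 4 and 5 and checked against the can·steal definition of slide 19. This is an added example, not part of the original slides. The initial graph G₀ is an assumption (the slide's figure is not in the transcript): it is the smallest edge set that makes every step applicable, with s and u as subjects and "a" standing for α. `ProtectionGraph`, `build_g0`, `WITNESS` and `replay_theft` are names made up here.

```python
class RuleError(Exception):
    """A rewriting rule's precondition does not hold."""

class ProtectionGraph:
    def __init__(self, subjects):
        self.subjects = set(subjects)         # every other vertex is an object
        self.edges = {}                       # (src, dst) -> set of rights

    def add_edge(self, src, dst, rights):
        self.edges.setdefault((src, dst), set()).update(rights)

    def has(self, src, dst, rights):
        return set(rights) <= self.edges.get((src, dst), set())

    def _apply(self, x, y, z, via, holder, alpha, receiver):
        if len({x, y, z}) != 3 or x not in self.subjects:
            raise RuleError("x, y, z must be distinct and x a subject")
        if not self.has(x, y, {via}) or not self.has(holder, z, alpha):
            raise RuleError(f"{x} cannot use '{via}' over {y} for {alpha} to {z}")
        self.add_edge(receiver, z, alpha)

    def take(self, x, alpha, z, y):           # "x takes (alpha to z) from y"
        self._apply(x, y, z, "t", holder=y, alpha=alpha, receiver=x)

    def grant(self, x, alpha, z, y):          # "x grants (alpha to z) to y"
        self._apply(x, y, z, "g", holder=x, alpha=alpha, receiver=y)

def build_g0():
    # Assumed G0, reconstructed so that each witness step is applicable.
    g = ProtectionGraph(subjects={"s", "u"})
    for src, dst, right in [("u", "s", "g"), ("u", "v", "t"), ("v", "x", "t"),
                            ("x", "u", "t"), ("u", "w", "a")]:
        g.add_edge(src, dst, {right})
    return g

# (rule, x, rights, z, y), in the order the slides list the steps.
WITNESS = [("grant", "u", {"t"}, "v", "s"), ("take", "s", {"t"}, "x", "v"),
           ("take", "s", {"t"}, "u", "x"), ("take", "s", {"a"}, "w", "u")]

def replay_theft(g, steps, alpha, p, q):
    """True if steps give p the right alpha to q without an owner granting it."""
    if g.has(p, q, alpha):
        return False                          # p already holds alpha to q in G0
    owners = {s for (s, d), r in g.edges.items() if d == q and alpha <= r}
    for rule, x, rights, z, y in steps:
        if rule == "grant" and x in owners and z == q and rights & alpha:
            return False                      # an original owner granted alpha to q
        {"take": g.take, "grant": g.grant}[rule](x, rights, z, y)
    return g.has(p, q, alpha)

if __name__ == "__main__":
    print(replay_theft(build_g0(), WITNESS, {"a"}, "s", "w"))
```

The owner u does take part in the witness, but only by granting t to v, which the definition allows; what it forbids is an owner granting α to w itself.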