april 7 safety question
play

April 7: Safety Question Protection State Transitions Commands - PowerPoint PPT Presentation

Apr 06, 2023 •253 likes •588 views

April 7: Safety Question Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege Harrison-Ruzzo-Ullman result Corollaries April 7, 2017 ECS 235B Spring Quarter

  1. April 7: Safety Question • Protection State Transitions – Commands – Conditional Commands • Special Rights – Principle of Attenuation of Privilege • Harrison-Ruzzo-Ullman result – Corollaries April 7, 2017 ECS 235B Spring Quarter 2017 Slide #1

  2. General Case • Answer: no • Sketch of proof: Reduce halting problem to safety problem Turing Machine review: – Infinite tape in one direction – States K , symbols M ; distinguished blank b – Transition function δ ( k , m ) = ( k ʹ , m ʹ , L) means in state k , symbol m on tape location replaced by symbol m ʹ , head moves to left one square, and enters state k ʹ – Halting state is q f ; TM halts when it enters this state April 7, 2017 ECS 235B Spring Quarter 2017 Slide #2

  3. Mapping 1 2 3 4 s 1 s 2 s 3 s 4 A B C D … s 1 A own head s 2 B own s 3 C k own Current state is k s 4 D end April 7, 2017 ECS 235B Spring Quarter 2017 Slide #3

  4. Mapping 1 2 3 4 s 1 s 2 s 3 s 4 A B X D … s 1 A own head s 2 B own s 3 X own After δ ( k , C) = ( k 1 , X, R) s 4 where k is the current D k 1 end state and k 1 the next state April 7, 2017 ECS 235B Spring Quarter 2017 Slide #4

  5. Command Mapping δ ( k , C) = ( k 1 , X, R) at intermediate becomes command c k ,C ( s 3 , s 4 ) if own in A [ s 3 , s 4 ] and k in A [ s 3 , s 3 ] and C in A [ s 3 , s 3 ] then delete k from A [ s 3 , s 3 ]; delete C from A [ s 3 , s 3 ]; enter X into A [ s 3 , s 3 ]; enter k 1 into A [ s 4 , s 4 ]; end April 7, 2017 ECS 235B Spring Quarter 2017 Slide #5

  6. Mapping 1 2 3 4 5 s 1 s 2 s 3 s 4 s 5 A B X Y b s 1 A own head s 2 B own s 3 X own After δ ( k 1 , D) = ( k 2 , Y, R) s 4 Y own where k 1 is the current state and k 2 the next state s 5 b k 2 end April 7, 2017 ECS 235B Spring Quarter 2017 Slide #6

  7. Command Mapping δ ( k 1 , D) = ( k 2 , Y, R) at end becomes command crightmost k ,C ( s 4 , s 5 ) if end in A [ s 4 , s 4 ] and k 1 in A [ s 4 , s 4 ] and D in A [ s 4 , s 4 ] then delete end from A [ s 4 , s 4 ]; delete k 1 from A [ s 4 , s 4 ]; delete D from A [ s 4 , s 4 ]; enter Y into A [ s 4 , s 4 ]; create subject s 5 ; enter own into A [ s 4 , s 5 ]; enter end into A [ s 5 , s 5 ]; enter k 2 into A [ s 5 , s 5 ]; end April 7, 2017 ECS 235B Spring Quarter 2017 Slide #7

  8. Rest of Proof • Protection system exactly simulates a TM – Exactly 1 end right in ACM – 1 right in entries corresponds to state – Thus, at most 1 applicable command • If TM enters state q f , then right has leaked • If safety question decidable, then represent TM as above and determine if q f leaks – Implies halting problem decidable • Conclusion: safety question undecidable April 7, 2017 ECS 235B Spring Quarter 2017 Slide #8

  9. Other Results • Set of unsafe systems is recursively enumerable • Delete create primitive; then safety question is complete in P- SPACE • Delete destroy , delete primitives; then safety question is undecidable – Systems are monotonic • Safety question for biconditional protection systems is decidable • Safety question for monoconditional, monotonic protection systems is decidable • Safety question for monoconditional protection systems with create , enter , delete (and no destroy ) is decidable. April 7, 2017 ECS 235B Spring Quarter 2017 Slide #9

  10. Take-Grant Protection Model • A specific (not generic) system – Set of rules for state transitions • Safety decidable, and in time linear with the size of the system • Goal: find conditions under which rights can be transferred from one entity to another in the system April 7, 2017 ECS 235B Spring Quarter 2017 Slide #10

  11. System ¡ objects (files, …) l subjects (users, processes, …) ⊗ don't care (either a subject or an object) G |– x G ʹ apply a rewriting rule x (witness) to G to get G ʹ G |– * G ʹ apply a sequence of rewriting rules (witness) to G to get G ʹ R = { t , g , r , w , … } set of rights April 7, 2017 ECS 235B Spring Quarter 2017 Slide #11

  12. Rules l α l ⊗ ⊗ ⊢ t t take α α ⊗ ⊗ α ⊗ ⊗ ⊗ ⊗ grant ⊢ g g α α l l April 7, 2017 ECS 235B Spring Quarter 2017 Slide #12

  13. More Rules l create ⊢ l α ⊗ ⊢ α – β α l l ⊗ ⊗ remove These four rules are called the de jure rules April 7, 2017 ECS 235B Spring Quarter 2017 Slide #13

  14. Symmetry x y l α α l ⊗ ⊗ ⊢ t t α α tg α l l g ¡ z v 1. x creates ( tg to new) v 2. z takes ( g to v) from x Similar result for grant 3. z grants ( α to y) to v 4. x takes ( α to y) from v April 7, 2017 ECS 235B Spring Quarter 2017 Slide #14

  15. Islands • tg -path: path of distinct vertices connected by edges labeled t or g – Call them “tg-connected” • island: maximal tg -connected subject-only subgraph – Any right one vertex has can be shared with any other vertex April 7, 2017 ECS 235B Spring Quarter 2017 Slide #15

  16. Initial, Terminal Spans • initial span from x to y – x subject →→ – tg -path between x , y with word in { t * g } ∪ { ν } – Means x can give rights it has to y • terminal span from x to y – x subject → – tg -path between x , y with word in { t * } ∪ { ν } – Means x can acquire any rights y has April 7, 2017 ECS 235B Spring Quarter 2017 Slide #16

  17. Bridges • bridge: tg -path between subjects x , y , with associated word in → ← ← → ← → → → { t*, t*, t*g t*, t*g t* } – rights can be transferred between the two endpoints – not an island as intermediate vertices are objects April 7, 2017 ECS 235B Spring Quarter 2017 Slide #17

  18. Example s q t r p s ʹ ● ● ❍ ❍ g t t g g t ● ❍ ● ❍ ● y v u w x • islands { p, u } { w } { y, s ʹ } • bridges u, v, w; w, x, y • initial span p (associated word ν ) → • terminal span s ʹ s (associated word t ) April 7, 2017 ECS 235B Spring Quarter 2017 Slide #18

  19. can•share Predicate Definition: • can • share ( r , x , y , G 0 ) if, and only if, there is a sequence of protection graphs G 0 , …, G n such that G 0 ⊢ * G n using only de jure rules and in G n there is an edge from x to y labeled r . April 7, 2017 ECS 235B Spring Quarter 2017 Slide #19

  20. can • share Theorem • can • share ( r , x , y , G 0 ) if, and only if, there is an edge from x to y labeled r in G 0 , or the following hold simultaneously: – There is an s in G 0 with an s -to- y edge labeled r – There is a subject x ʹ = x or initially spans to x – There is a subject s ʹ = s or terminally spans to s – There are islands I 1 ,…, I k connected by bridges, and x ʹ in I 1 and s ʹ in I k April 7, 2017 ECS 235B Spring Quarter 2017 Slide #20

  21. Outline of Proof • s has r rights over y • s ʹ acquires r rights over y from s – Definition of terminal span • x ʹ acquires r rights over y from s ʹ – Repeated application of sharing among vertices in islands, passing rights along bridges • x ʹ gives r rights over y to x – Definition of initial span April 7, 2017 ECS 235B Spring Quarter 2017 Slide #21

  22. Example Interpretation • ACM is generic – Can be applied in any situation • Take-Grant has specific rules, rights – Can be applied in situations matching rules, rights • Question: what states can evolve from a system that is modeled using the Take- Grant Model? April 7, 2017 ECS 235B Spring Quarter 2017 Slide #22

  23. Take-Grant Generated Systems • Theorem: G 0 protection graph with 1 vertex, no edges; R set of rights. Then G 0 ⊢ * G iff: – G finite directed graph consisting of subjects, objects, edges – Edges labeled from nonempty subsets of R – At least one vertex in G has no incoming edges April 7, 2017 ECS 235B Spring Quarter 2017 Slide #23

  24. Outline of Proof ⇒ : By construction; G final graph in theorem – Let x 1 , …, x n be subjects in G – Let x 1 have no incoming edges • Now construct G ʹ as follows: 1. Do “ x 1 creates ( α ∪ { g } to) new subject x i ” 2. For all ( x i , x j ) where x i has a rights over x j , do “ x 1 grants ( α to x j ) to x i ” 3. Let β be rights x i has over x j in G . Do “ x 1 removes (( α ∪ { g } – β to) x j ” • Now G ʹ is desired G April 7, 2017 ECS 235B Spring Quarter 2017 Slide #24

  25. Outline of Proof ⇐ : Let v be initial subject, and G 0 ⊢ * G • Inspection of rules gives: – G is finite – G is a directed graph – Subjects and objects only – All edges labeled with nonempty subsets of R • Limits of rules: – None allow vertices to be deleted so v in G – None add incoming edges to vertices without incoming edges, so v has no incoming edges April 7, 2017 ECS 235B Spring Quarter 2017 Slide #25

  26. Example: Shared Buffer p u p u r , w r , w ● ❍ g ● ❍ g r , w r , w s b s ❍ ● ● r , w r , w g r , w g ● ❍ ● ❍ q q v v • Goal: p , q to communicate through shared buffer b controlled by trusted entity s 1. s creates ( { r , w } to new object) b 2. s grants ( { r , w } to b ) to p 3. s grants ( { r , w } to b ) to q April 7, 2017 ECS 235B Spring Quarter 2017 Slide #26

  27. Key Question • Characterize class of models for which safety is decidable – Existence: Take-Grant Protection Model is a member of such a class – Universality: In general, question undecidable, so for some models it is not decidable • What is the dividing line? April 7, 2017 ECS 235B Spring Quarter 2017 Slide #27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ECS 289M Lecture 3 April 5, 2006 Overview Safety Question HRU Model Take-Grant

ECS 289M Lecture 3 April 5, 2006 Overview Safety Question HRU Model Take-Grant

ECS 289M Lecture 3 April 5, 2006 Overview Safety Question HRU Model Take-Grant Protection Model April 5, 2006 ECS 289M, Foundations of Computer Slide 2 and Information Security What Is Secure? Adding a generic right r

447 views • 15 slides
ECS 289M Lecture 6 April 12, 2006 Safety Result If the scheme is acyclic and attenuating,

ECS 289M Lecture 6 April 12, 2006 Safety Result If the scheme is acyclic and attenuating,

ECS 289M Lecture 6 April 12, 2006 Safety Result If the scheme is acyclic and attenuating, the safety question is decidable April 12, 2006 ECS 289M, Foundations of Computer Slide 2 and Information Security Expressive Power How do

278 views • 24 slides
T B A C C H A R G E Q U E S T I O N April 2014 Charge question May 2014 Charge question May

T B A C C H A R G E Q U E S T I O N April 2014 Charge question May 2014 Charge question May

T B A C C H A R G E Q U E S T I O N April 2014 Charge question May 2014 Charge question May 2014 A As prudent debt managers, Treasury regularly considers ways to effectively manage potential risks associated with d t d bt T l l id t

514 views • 20 slides
Safety Culture April 15, 2019 | 9:00 a.m. 4:15 p.m. Safety Announcement Safety is our number

Safety Culture April 15, 2019 | 9:00 a.m. 4:15 p.m. Safety Announcement Safety is our number

California Public Utilities Commission Public Discussion on Pacific Gas and Electric Forums on Governance, Management, and Safety Culture April 15, 2019 | 9:00 a.m. 4:15 p.m. Safety Announcement Safety is our number one priority Please

666 views • 42 slides
Invitation to ITU-T SG 12 Question 17 Experts Meeting, Red Bank NJ April 1-3, 2008 AT&T

Invitation to ITU-T SG 12 Question 17 Experts Meeting, Red Bank NJ April 1-3, 2008 AT&T

Invitation to ITU-T SG 12 Question 17 Experts Meeting, Red Bank NJ April 1-3, 2008 AT&T Inc. is pleased to invite Packet Network Performance Experts to the Interim Meeting of Question 17 of ITU-T Study Group 12, which will be held on April

595 views • 7 slides
Vaccine Safety Strategies for Talking With Parents Who Question Vaccines 1 Take time to

Vaccine Safety Strategies for Talking With Parents Who Question Vaccines 1 Take time to

Vaccine Safety Strategies for Talking With Parents Who Question Vaccines 1 Take time to listen Solicit and welcome questions Use science Acknowledge benefits and risks Respect parents authority Follow up 1.

609 views • 41 slides
LITHIUM BATTERY SAFETY A question of information Dubrovnik September 10, 2013 Eucobat:

LITHIUM BATTERY SAFETY A question of information Dubrovnik September 10, 2013 Eucobat:

LITHIUM BATTERY SAFETY A question of information Dubrovnik September 10, 2013 Eucobat: Mission statement and objectives Eucobat is the European association of national industry- driven collection schemes for batteries. They assure that all

505 views • 16 slides
4/20/18 Safety & Security in Chesterfield School Board Safety Task Force - April 24, 2018

4/20/18 Safety & Security in Chesterfield School Board Safety Task Force - April 24, 2018

4/20/18 Safety & Security in Chesterfield School Board Safety Task Force - April 24, 2018 Donald R. Green, CPP Safety & Security Manager Schools are Safe School mass violence attacks are very rare: Extremely Low Probability -

517 views • 4 slides
Question Classification Ling573 NLP Systems and Applications April 22, 2014 Roadmap

Question Classification Ling573 NLP Systems and Applications April 22, 2014 Roadmap

Question Classification Ling573 NLP Systems and Applications April 22, 2014 Roadmap Question classification variations: Classification with diverse features SVM classifiers Sequence classifiers Question Classification:

1.14k views • 96 slides
European Perspective: The West Lothian Question in Voluntary Arrangements March/April 2012

European Perspective: The West Lothian Question in Voluntary Arrangements March/April 2012

European Perspective: The West Lothian Question in Voluntary Arrangements March/April 2012 Michael Rutstein Luke Johnson The Role of Disinterested Creditors in the Approval Process As the question of Scottish independence resurfaces, the West

310 views • 7 slides
Question Answering on Web Data Silei Xu CS294S April 9, 2020 Joint work with Giovanni Campagna,

Question Answering on Web Data Silei Xu CS294S April 9, 2020 Joint work with Giovanni Campagna,

Question Answering on Web Data Silei Xu CS294S April 9, 2020 Joint work with Giovanni Campagna, Sina Semnani, Jian Li, and Monica S. Lam Commercial Assistants Alexa User hand-codes question/code 1 by 1 get me an upscale restaurants What are

1.23k views • 89 slides
God of War or God of Peace? Question Question Various approaches Question Various approaches

God of War or God of Peace? Question Question Various approaches Question Various approaches

God of War or God of Peace? Question Question Various approaches Question Various approaches Suggestions Go strike Amalek and devote to destruction all that they have. Do not spare them, but kill both man and woman, child and infant, ox

749 views • 73 slides
God of War or God of Peace? Question Question Various approaches Question Various approaches

God of War or God of Peace? Question Question Various approaches Question Various approaches

God of War or God of Peace? Question Question Various approaches Question Various approaches Suggestions Go strike Amalek and devote to destruction all that they have. Do not spare them, but kill both man and woman, child and infant, ox

907 views • 64 slides
Question Box An Open Mind Project What is Question Box? Question Box is an elegant shortcut

Question Box An Open Mind Project What is Question Box? Question Box is an elegant shortcut

Question Box An Open Mind Project What is Question Box? Question Box is an elegant shortcut to... wiring people for change: social, economic and political... UK Sunday Telegraph Question Box is a really good example of how the net

113 views • 7 slides
Dam Safety Program Operations Division Tim Eaton, Dam Safety Advisor April 2016 AER AER was

Dam Safety Program Operations Division Tim Eaton, Dam Safety Advisor April 2016 AER AER was

Dam Safety Program Operations Division Tim Eaton, Dam Safety Advisor April 2016 AER AER was created in 2014 as the regulator for energy development in Alberta (oil, gas, coal and oil sands) Responsible for enforcement of all energy

508 views • 12 slides
April 2017 Timothy Grimley - Safety Investigator Federal Motor Carrier Safety Administration

April 2017 Timothy Grimley - Safety Investigator Federal Motor Carrier Safety Administration

April 2017 Timothy Grimley - Safety Investigator Federal Motor Carrier Safety Administration Agenda Provide an overview of the Electronic Logging Device (ELD) Rule and FMCSAs plan for its phased implementation Major components of the ELD

642 views • 45 slides
Why Again Logic Synthesis Giovanni De Micheli Why again logic synthesis? Strong

Why Again Logic Synthesis Giovanni De Micheli Why again logic synthesis? Strong

Why Again Logic Synthesis Giovanni De Micheli Why again logic synthesis? Strong intellectual value associated with logic synthesis and optimization Problems are far from being solved Current methods and tools grew out of control

372 views • 24 slides
ECE 4524 Artificial Intelligence and Engineering Applications Lecture 10: Theorem Proving in

ECE 4524 Artificial Intelligence and Engineering Applications Lecture 10: Theorem Proving in

ECE 4524 Artificial Intelligence and Engineering Applications Lecture 10: Theorem Proving in Propositional Logic Reading: AIAMA 7.5 Todays Schedule: Inference and Proofs Conjunctive Normal Form Resolution Forward and Backward

658 views • 16 slides
Section 1.7 Proofs of Mathematical Statements A proof is a valid argument that establishes the

Section 1.7 Proofs of Mathematical Statements A proof is a valid argument that establishes the

Section 1.7 Proofs of Mathematical Statements A proof is a valid argument that establishes the truth of a statement. In math, CS, and other disciplines, informal proofs which are generally shorter, are generally used. More than one

301 views • 15 slides
Reflecting on truth in a partial setting Martin Fischer MCMP LMU Bristol-M unchen Conference

Reflecting on truth in a partial setting Martin Fischer MCMP LMU Bristol-M unchen Conference

Reflecting on truth in a partial setting Martin Fischer MCMP LMU Bristol-M unchen Conference on Truth and Rationality 10. 6. 2016 Martin Fischer (MCMP LMU) Reflecting on truth in a partial setting Bristol-M unchen 1 / 36 Overview The

714 views • 36 slides
fe You can g fmisa Fdeducetanythin Propositional Equivalence 1.2 IDefI A compound prop that is

fe You can g fmisa Fdeducetanythin Propositional Equivalence 1.2 IDefI A compound prop that is

1 Propositional Logic lDeS A pumposition is a sentence that declares a fact that is either true or false but not both Eg Which of the following are propositions Berkeley is a city in the US true prop 3 It I false prop Read this carefully X not

244 views • 7 slides
Revision on propositional logic: Propositions. Logical Connectives. Truth values and truth

Revision on propositional logic: Propositions. Logical Connectives. Truth values and truth

Revision on propositional logic: Propositions. Logical Connectives. Truth values and truth tables. Propositional formulae. Tautologies. Logical equivalence. Logical consequence. Logical correctness of propositional arguments. Valentin Goranko

600 views • 20 slides
Logical agents Chapter 7 Chapter 7 1 Outline Knowledge-based agents Wumpus world

Logical agents Chapter 7 Chapter 7 1 Outline Knowledge-based agents Wumpus world

Logical agents Chapter 7 Chapter 7 1 Outline Knowledge-based agents Wumpus world Logic in generalmodels and entailment Propositional (Boolean) logic Equivalence, validity, satisfiability Inference rules and theorem

874 views • 70 slides
Deflationism and Axiomatic Theories of Truth Deflationism Peano Proof theoretic and model

Deflationism and Axiomatic Theories of Truth Deflationism Peano Proof theoretic and model

Deflationism and Axiomatic Theories of Truth Stella Moon Deflationism and Axiomatic Theories of Truth Deflationism Peano Proof theoretic and model theoretic conservativities Arithmetic The Compositional Theory of Stella Moon Truth

992 views • 62 slides

More recommend