Example Instantiation: Multics - PowerPoint PPT Presentation


1. Example Instantiation: Multics
• 11 rules affect rights:
  – set to request, release access
  – set to give, remove access to different subject
  – set to create, reclassify objects
  – set to remove objects
  – set to change subject security level
• Set of “trusted” subjects S_T ⊆ S
  – *-property not enforced; subjects trusted not to violate it
• Δ(ρ) domain
  – determines if components of request are valid
May 5, 2005 ECS 235, Computer and Information Security Slide #1

2. get-read Rule
• Request r = (get, s, o, r)
  – s gets (requests) the right to read o
• Rule is ρ_1(r, v):
  if (r ∉ Δ(ρ_1)) then ρ_1(r, v) = (i, v);
  else if (f_s(s) dom f_o(o) and [s ∈ S_T or f_c(s) dom f_o(o)] and r ∈ m[s, o])
    then ρ_1(r, v) = (y, (b ∪ {(s, o, r)}, m, f, h));
  else ρ_1(r, v) = (n, v);

3. Security of Rule
• The get-read rule preserves the simple security condition, the *-property, and the ds-property
  – Proof
• Let v satisfy all conditions. Let ρ_1(r, v) = (d, v′). If v′ = v, the result is trivial. So let v′ = (b ∪ {(s_2, o, r)}, m, f, h).

4. Proof
• Consider the simple security condition.
  – From the choice of v′, either b′ – b = ∅ or {(s_2, o, r)}
  – If b′ – b = ∅, then {(s_2, o, r)} ∈ b, so v = v′, proving that v′ satisfies the simple security condition.
  – If b′ – b = {(s_2, o, r)}, because the get-read rule requires that f_c(s) dom f_o(o), an earlier result says that v′ satisfies the simple security condition.

5. Proof
• Consider the *-property.
  – Either s_2 ∈ S_T or f_c(s) dom f_o(o) from the definition of get-read
  – If s_2 ∈ S_T, then s_2 is trusted, so the *-property holds by definition of trusted and S_T.
  – If f_c(s) dom f_o(o), an earlier result says that v′ satisfies the simple security condition.

6. Proof
• Consider the discretionary security property.
  – Conditions in the get-read rule require r ∈ m[s, o] and either b′ – b = ∅ or {(s_2, o, r)}
  – If b′ – b = ∅, then {(s_2, o, r)} ∈ b, so v = v′, proving that v′ satisfies the simple security condition.
  – If b′ – b = {(s_2, o, r)}, then {(s_2, o, r)} ∉ b, and an earlier result says that v′ satisfies the ds-property.

7. give-read Rule
• Request r = (s_1, give, s_2, o, r)
  – s_1 gives (requests to give) s_2 the (discretionary) right to read o
  – Rule: can be done if giver can alter parent of object
• If object or parent is root of hierarchy, special authorization required
• Useful definitions
  – root(o): root object of hierarchy h containing o
  – parent(o): parent of o in h (so o ∈ h(parent(o)))
  – canallow(s, o, v): s specially authorized to grant access when object or parent of object is root of hierarchy
  – m ∧ m[s, o] ← r: access control matrix m with r added to m[s, o]

8. give-read Rule
• Rule is ρ_6(r, v):
  if (r ∉ Δ(ρ_6)) then ρ_6(r, v) = (i, v);
  else if ([o ≠ root(o) and parent(o) ≠ root(o) and parent(o) ∈ b(s_1: w)]
           or [parent(o) = root(o) and canallow(s_1, o, v)]
           or [o = root(o) and canallow(s_1, o, v)])
    then ρ_6(r, v) = (y, (b, m ∧ m[s_2, o] ← r, f, h));
  else ρ_6(r, v) = (n, v);

9. Security of Rule
• The give-read rule preserves the simple security condition, the *-property, and the ds-property
  – Proof: Let v satisfy all conditions. Let ρ_6(r, v) = (d, v′). If v′ = v, the result is trivial. So let v′ = (b, m[s_2, o] ← r, f, h). So b′ = b, f′ = f, m[x, y] = m′[x, y] for all x ∈ S and y ∈ O such that x ≠ s and y ≠ o, and m[s, o] ⊆ m′[s, o]. Then by an earlier result, v′ satisfies the simple security condition, the *-property, and the ds-property.
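The get-read rule (slide 2) and the give-read rule (slide 8), together with the three properties the proofs on slides 3 to 9 show they preserve, are small enough to model directly. The following is an added example, not code from the lecture or from Multics; the subjects, objects, levels, the trusted set S_T and the subjects for which canallow() holds are all constructed for the demonstration, and the access matrix uses frozensets of single-letter rights (r, w, a, e).

```python
from dataclasses import dataclass, replace

# Security levels are (classification, categories); dom is the lattice order:
# (l1, c1) dom (l2, c2) iff l1 >= l2 and c2 is a subset of c1.
def dom(a, b):
    return a[0] >= b[0] and b[1] <= a[1]

@dataclass(frozen=True)
class State:
    """Bell-LaPadula state v = (b, m, f, h)."""
    b: frozenset   # current accesses: triples (subject, object, right)
    m: dict        # access control matrix: (subject, object) -> frozenset of rights
    f: tuple       # (f_s, f_o, f_c): subject max level, object level, subject current level
    h: dict        # object hierarchy: object -> frozenset of children

TRUSTED = frozenset({"daemon"})    # S_T, constructed for this example
CAN_ALLOW = frozenset({"admin"})   # subjects for which canallow() holds, constructed

def parent(o, h):
    return next((p for p, kids in h.items() if o in kids), None)

def root(o, h):
    while parent(o, h) is not None:
        o = parent(o, h)
    return o

def canallow(s, o, v):
    return s in CAN_ALLOW

def b_of(v, s, right):
    """b(s: right): the objects to which s currently holds `right`."""
    return {o for (s2, o, r) in v.b if s2 == s and r == right}

def get_read(req, v):
    """rho_1 for request (get, s, o, r); returns (decision, new state)."""
    if not (len(req) == 4 and req[0] == "get" and req[3] == "r"):
        return "i", v                                  # r not in Delta(rho_1)
    _, s, o, r = req
    f_s, f_o, f_c = v.f
    if (dom(f_s[s], f_o[o])                            # simple security condition
            and (s in TRUSTED or dom(f_c[s], f_o[o]))  # *-property, unless trusted
            and r in v.m.get((s, o), frozenset())):    # ds-property
        return "y", replace(v, b=v.b | {(s, o, r)})
    return "n", v

def give_read(req, v):
    """rho_6 for request (s1, give, s2, o, r); only m changes."""
    if not (len(req) == 5 and req[1] == "give" and req[4] == "r"):
        return "i", v
    s1, _, s2, o, r = req
    p, rt = parent(o, v.h), root(o, v.h)
    if ((o != rt and p != rt and p in b_of(v, s1, "w"))
            or (p == rt and canallow(s1, o, v))
            or (o == rt and canallow(s1, o, v))):
        m2 = dict(v.m)
        m2[(s2, o)] = m2.get((s2, o), frozenset()) | {r}
        return "y", replace(v, m=m2)
    return "n", v

# The three properties every rule must preserve.
def simple_security(v):
    f_s, f_o, _ = v.f
    return all(dom(f_s[s], f_o[o]) for (s, o, p) in v.b if p in ("r", "w"))

def star_property(v):
    _, f_o, f_c = v.f
    ok = {"a": lambda s, o: dom(f_o[o], f_c[s]), "w": lambda s, o: f_o[o] == f_c[s],
          "r": lambda s, o: dom(f_c[s], f_o[o]), "e": lambda s, o: True}
    return all(s in TRUSTED or ok[p](s, o) for (s, o, p) in v.b)

def ds_property(v):
    return all(p in v.m.get((s, o), frozenset()) for (s, o, p) in v.b)

def secure(v):
    return simple_security(v) and star_property(v) and ds_property(v)

def demo():
    """Constructed scenario: alice reads a report, then gives bob read access."""
    NUC, none = frozenset({"NUC"}), frozenset()
    f_s = {"alice": (2, NUC), "bob": (1, none), "daemon": (2, NUC)}
    f_c = {"alice": (1, NUC), "bob": (1, none), "daemon": (1, NUC)}
    f_o = {"root": (0, none), "dir": (1, NUC), "report": (1, NUC)}
    h = {"root": frozenset({"dir"}), "dir": frozenset({"report"}), "report": none}
    m = {("alice", "dir"): frozenset({"w"}), ("alice", "report"): frozenset({"r"})}
    v0 = State(frozenset({("alice", "dir", "w")}), m, (f_s, f_o, f_c), h)
    d1, v1 = get_read(("get", "alice", "report", "r"), v0)
    d2, v2 = give_read(("alice", "give", "bob", "report", "r"), v1)  # alice holds w on dir
    d3, v3 = get_read(("get", "bob", "report", "r"), v2)             # bob lacks category NUC
    d4, _ = get_read(("alice", "give", "bob", "report", "r"), v2)    # wrong request shape
    return {"alice_get": d1, "alice_give": d2, "bob_get": d3, "wrong_form": d4,
            "bob_in_m": "r" in v2.m[("bob", "report")],
            "all_secure": all(secure(v) for v in (v0, v1, v2, v3))}
```

The scenario makes the point of slides 3 to 9 concrete: each rule either leaves the state alone or produces a successor that still satisfies all three properties. It also shows why the discretionary grant in give-read is harmless on its own: bob ends up with r in m[bob, report], but his later get-read is still refused because his level does not dominate the object's, so the mandatory checks in get-read are what actually gate the access.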

10. Principle of Tranquility
• Raising object’s security level
  – Information once available to some subjects is no longer available
  – Usually assume information has already been accessed, so this does nothing
• Lowering object’s security level
  – The declassification problem
  – Essentially, a “write down” violating the *-property
  – Solution: define a set of trusted subjects that sanitize or remove sensitive information before the security level is lowered

11. Types of Tranquility
• Strong Tranquility
  – The clearances of subjects, and the classifications of objects, do not change during the lifetime of the system
• Weak Tranquility
  – The clearances of subjects, and the classifications of objects, do not change in a way that violates the simple security condition or the *-property during the lifetime of the system

12. Example
• DG/UX System
  – Only a trusted user (security administrator) can lower an object’s security level
  – In general, process MAC labels cannot change
• If a user wants a new MAC label, needs to initiate a new process
• Cumbersome, so a user can be designated as able to change the process MAC label within a specified range

13. Controversy
• McLean:
  – “value of the BST is much overrated since there is a great deal more to security than it captures. Further, what is captured by the BST is so trivial that it is hard to imagine a realistic security model for which it does not hold.”
  – Basis: given assumptions known to be non-secure, BST can prove a non-secure system to be secure

14. †-Property
• State (b, m, f, h) satisfies the †-property iff for each s ∈ S the following hold:
  1. b(s: a) ≠ ∅ ⇒ [∀ o ∈ b(s: a) [f_c(s) dom f_o(o)]]
  2. b(s: w) ≠ ∅ ⇒ [∀ o ∈ b(s: w) [f_o(o) = f_c(s)]]
  3. b(s: r) ≠ ∅ ⇒ [∀ o ∈ b(s: r) [f_c(s) dom f_o(o)]]
• Idea: for writing, subject dominates object; for reading, subject also dominates object
• Differs from the *-property in that the mandatory condition for writing is reversed
  – For the *-property, it’s object dominates subject

15. Analogues
The following two theorems can be proved
• Σ(R, D, W, z_0) satisfies the †-property relative to S′ ⊆ S for any secure state z_0 iff for every action (r, d, (b, m, f, h), (b′, m′, f′, h′)), W satisfies the following for every s ∈ S′
  – Every (s, o, p) ∈ b – b′ satisfies the †-property relative to S′
  – Every (s, o, p) ∈ b′ that does not satisfy the †-property relative to S′ is not in b
• Σ(R, D, W, z_0) is a secure system if z_0 is a secure state and W satisfies the conditions for the simple security condition, the †-property, and the ds-property.

16. Problem
• This system is clearly non-secure!
  – Information flows from higher to lower because of the †-property

17. Discussion
• Role of the Basic Security Theorem is to demonstrate that rules preserve security
• Key question: what is security?
  – Bell-LaPadula defines it in terms of 3 properties (simple security condition, *-property, discretionary security property)
  – Theorems are assertions about these properties
  – Rules describe changes to a particular system instantiating the model
  – Showing the system is secure requires proving the rules preserve these 3 properties

18. Rules and Model
• Nature of rules is irrelevant to the model
• Model treats “security” as axiomatic
• Policy defines “security”
  – This instantiates the model
  – Policy reflects the requirements of the systems
• McLean’s definition differs from Bell-LaPadula
  – … and is not suitable for a confidentiality policy
• Analysts cannot prove the “security” definition is appropriate through the model

19. System Z
• System supporting weak tranquility
• On any request, system downgrades all subjects and objects to the lowest level and adds the requested access permission
  – Let the initial state satisfy all 3 properties
  – Successive states also satisfy all 3 properties
• Clearly not secure
  – On first request, everyone can read everything
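McLean's two counterexamples, the †-property of slide 14 and System Z of slide 19, both show states that pass the model's checks while leaking information. The following is an added example, not code from the lecture; the levels, subjects, objects and the concrete System Z transition are constructed here, and the transition also records the granted permission in m so that the ds-property is not what fails (an assumption made so the point on slide 19, that all three properties survive, is reproduced exactly).

```python
# Security levels are (classification, categories); dom is the lattice order.
def dom(a, b):
    return a[0] >= b[0] and b[1] <= a[1]

def simple_security(b, f_s, f_o):
    return all(dom(f_s[s], f_o[o]) for (s, o, p) in b if p in ("r", "w"))

def ds_property(b, m):
    return all(p in m.get((s, o), frozenset()) for (s, o, p) in b)

def _mandatory(b, f_o, f_c, append_ok):
    """Shared shape of the *- and dagger-properties; only the append rule differs."""
    checks = {"a": append_ok,
              "w": lambda s, o: f_o[o] == f_c[s],
              "r": lambda s, o: dom(f_c[s], f_o[o]),
              "e": lambda s, o: True}
    return all(checks[p](s, o) for (s, o, p) in b)

def star_property(b, f_o, f_c):
    # *-property: for append the object dominates the subject (write up only)
    return _mandatory(b, f_o, f_c, lambda s, o: dom(f_o[o], f_c[s]))

def dagger_property(b, f_o, f_c):
    # dagger-property (slide 14): for append the subject dominates the object,
    # i.e. a high subject may write into a low object
    return _mandatory(b, f_o, f_c, lambda s, o: dom(f_c[s], f_o[o]))

LOWEST = (0, frozenset())

def system_z(req, state):
    """Constructed System Z transition: downgrade every subject and object to the
    lowest level, then grant the requested access (recorded in both b and m)."""
    s, o, p = req
    b, m, f_s, f_o, f_c = state
    f_s2 = {x: LOWEST for x in f_s}
    f_c2 = {x: LOWEST for x in f_c}
    f_o2 = {x: LOWEST for x in f_o}
    m2 = dict(m)
    m2[(s, o)] = m2.get((s, o), frozenset()) | {p}
    return b | {(s, o, p)}, m2, f_s2, f_o2, f_c2

def secure(state):
    """The three Bell-LaPadula properties of slide 17."""
    b, m, f_s, f_o, f_c = state
    return simple_security(b, f_s, f_o) and star_property(b, f_o, f_c) and ds_property(b, m)

def demo():
    HIGH, LOW = (2, frozenset()), LOWEST
    f_s = {"hi_user": HIGH, "lo_user": LOW}
    f_c = dict(f_s)
    f_o = {"secret": HIGH, "bulletin": LOW}
    # 1. A high subject appending to a low object: rejected by *, accepted by dagger.
    b_dagger = frozenset({("hi_user", "bulletin", "a")})
    # 2. System Z: start from a state z0 that satisfies all three properties,
    #    then let a low subject request read access to the high object.
    m = {("hi_user", "secret"): frozenset({"r"})}
    z0 = (frozenset({("hi_user", "secret", "r")}), m, f_s, f_o, f_c)
    z1 = system_z(("lo_user", "secret", "r"), z0)
    return {"star_on_writedown": star_property(b_dagger, f_o, f_c),
            "dagger_on_writedown": dagger_property(b_dagger, f_o, f_c),
            "z0_secure": secure(z0),
            "z1_secure": secure(z1),
            "lo_reads_secret": ("lo_user", "secret", "r") in z1[0],
            "secret_level_after": z1[3]["secret"]}
```

Both halves of the demonstration end the same way: the checks report "secure" for a state in which information has flowed from high to low. That is exactly McLean's objection on slide 13; the theorems only say that the rules preserve the chosen properties, and whether those properties capture the intended confidentiality policy (weak tranquility in System Z's case) has to be argued outside the model, as slide 18 says.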
