Take-Grant Protection Model

Theft and Conspiracy in the Take-Grant Protection Model


  1. Theft and Conspiracy in the Take-Grant Protection Model. Lawrence Snyder, Department of Computer Sciences, Purdue University, West Lafayette, IN 47907. Presented by: Raj Kumar Ranabhat, M.E. in Computer Engineering (I/I), Kathmandu University. 2/14/2017
  2. Take-Grant Protection Model
     • A specific (not generic) system
     • Set of rules for state transitions
     • Safety decidable, and in time linear with the size of the system
     • Goal: find conditions under which rights can be transferred from one entity to another in the system
  3. System
     • ○ objects (passive entities like files, ...)
     • ● subjects (active entities like users, processes, ...)
     • ⊗ don't care (either a subject or an object)
     • R = {t, g, ...}: set of rights
     • G ⊢x G′: apply rewriting rule x (witness) to G to get G′
     • G ⊢* G′: apply a sequence of rewriting rules (witness) to G to get G′
  4. Take-Grant Protection Model
     Take: Let x, y and z be distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that "t" ∈ γ, an edge from y to z labeled β, and α ⊆ β. Then the take rule defines a new graph G′ by adding an edge to the protection graph from x to z labeled α. The rule can be read: "x takes (α to z) from y."
  5. Grant: Let x, y and z be distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that "g" ∈ γ, an edge from x to z labeled β, and α ⊆ β. The grant rule defines a new graph G′ by adding an edge from y to z labeled α. The rule can be read: "x grants (α to z) to y."
  6. Create: Let x be any subject vertex in a protection graph G and let α be a non-empty subset of R. Create defines a new graph G′ by adding a new vertex n to the graph and an edge from x to n labeled α. The rule can be read: "x creates (α to) new {subject/object} n."
  7. Remove: Let x and y be any distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled β, and let α be any subset of rights. Then remove defines a new graph G′ by deleting the α labels from β. If β becomes empty as a result, the edge itself is deleted. The rule can be read: "x removes (α to) y."
  8. Take-Grant Definable Graphs
  9. Take-Grant Definable Graphs
     • x creates (tg to) new v
  10. Take-Grant Definable Graphs
     • x creates (tg to) new v
     • x grants (g to v) to y
  11. Take-Grant Definable Graphs
     • x creates (tg to) new v
     • x grants (g to v) to y
     • y grants (β to z) to v
  12. Take-Grant Definable Graphs
     • x creates (tg to) new v
     • x grants (g to v) to y
     • y grants (β to z) to v
     • x takes (β to z) from v
  13. Theorem: Let G_0 be a protection graph containing exactly one subject vertex and no edges. Then G_0 ⊢* G if and only if
     • G is a finite, directed, loop-free, two-color graph
     • the edges are labeled from non-empty subsets of R
     • at least one subject in G has no incoming edges.
  14. Let v be the initial subject, and G_0 ⊢* G.
     ⇐:
     • G is obviously finite
     • G is a directed graph
     • G is loop-free
     • two-colored with the indicated labelling
     • After reviewing the rule definition, it gives:
     • Limits of rules:
       • since vertices cannot be destroyed, v persists in any graph derived from G_0
       • edges cannot be directed to a vertex that has no incoming edges, so none can be assigned to v
  15. Let G satisfy the requirements and be the final graph in the theorem.
     ⇐:
     • Let G have vertices x1, x2, ..., xn
     • Identify v with some subject x1 with no incoming edges
     Construct G′ as follows:
     • Perform "v creates (α ∪ {g} to) new subject xi"
     • For all (xi, xj) where xi has a right over xj, do "x1 grants (α to xj) to xi"
     • Let β be the rights xi has over xj in G; then do "v removes ((α ∪ {g}) − β to) xi"
     Now G′ is the desired G.
  16. Predicates and earlier results
     • tg-path: Vertices p and q of G are tg-connected if there is a path p = x0, ..., xn = q and the label α on the edge between xi and xi+1 contains t or g
     • island: An island of G is a maximal, tg-connected, subject-only subgraph of G.
     • A path x0, x1, ..., xn is an initial span if it has an associated word in {t* g}
     • it is a terminal span if n > 0 and it has an associated word in {t*}
     • it is a bridge if
       1. n > 1 and x0 and xn are subjects
       2. an associated word is in {t*, t*, t* g t*, t* g t*}
       3. the xi are objects (0 < i < n)
  17. • islands: {p, u}, {w}, {y, s′}
     • bridges: u, v, w; w, x, y
     • initial span: p (associated word ν)
     • terminal span: s′s (associated word t)
  18. can·share Predicate: can·share(α, p, q, G_0) holds if, and only if, there is a sequence of protection graphs G_0, ..., G_n such that G_0 ⊢* G and in G_n there is an edge from p to q labeled α.
  19. Theft
     can·steal Predicate: for two distinct vertices p and q in a protection graph G_0, and right α, define can·steal(α, p, q, G_0) ⇔ there is no edge from p to q labeled α in G_0, and there exist protection graphs G_1, ..., G_n such that G_0 ⊢ρ_1 G_1 ⊢ρ_2 ... ⊢ρ_n G_n, there is an edge from p to q labeled α in G_n, and if there is an edge from s to q labeled α in G_0, then no ρ_j has the form "s grants (α to q) to x_i" for any x_i ∈ G_{j−1}, 1 ≤ j < n.
  20. Example of Stealing: can·steal(α, s, w, G_0)
  21. Example of Stealing: can·steal(α, s, w, G_0)
     • u grants (t to v) to s
  22. Example of Stealing: can·steal(α, s, w, G_0)
     • u grants (t to v) to s
     • s takes (t to x) from v
  23. Example of Stealing: can·steal(α, s, w, G_0)
     • u grants (t to v) to s
     • s takes (t to x) from v
     • s takes (t to u) from x
  24. Example of Stealing: can·steal(α, s, w, G_0)
     • u grants (t to v) to s
     • s takes (t to x) from v
     • s takes (t to u) from x
     • s takes (α to w) from u
  25. can·steal Theorem: can·steal(α, p, q, G_0) holds if, and only if, the following hold simultaneously:
     • there is no edge from x to y labeled α in G_0
     • there is a subject x′ = x or x′ initially spans to x
     • there is a vertex s with an edge to y labeled α in G_0
     • can·share(α, p, q, G_0) holds
  26. Assume all four conditions hold.
     ⇒:
     • If x is a subject:
       • x gets t rights to s (last condition), then takes α to y from s (third condition)
     • If x is an object:
       • can·share(t, x′, s, G_0) holds
       • If x′ has no α edge to y in G_0, x′ takes (α to y) from s and grants it to x
       • If x′ has an edge to y in G_0, x′ creates surrogate x′′, gives it (t to s) and (g to x′′); then x′′ takes (α to y) and grants it to x
  27. Assume can·steal(α, x, y, G_0) holds.
     ⇐:
     • First two conditions are immediate from the definition of can·share, can·steal
     • Third condition is immediate from the theorem of conditions for can·share
     • Fourth condition: let ρ be a minimal-length sequence of rule applications deriving G_n from G_0
     • Let i be the smallest index such that G_{i−1} ⊢ρ_i G_i adds α from some p to y in G_i
     • What rule is ρ_i?
  28. • Not a remove or create rule
       • y exists already
     • Not a grant rule
       • G_i is the first graph in which an edge labeled α to y is added, so by definition of can·share, it cannot be a grant
     • Therefore ρ_i must be a take rule, so can·share(t, p, s, G_0) holds
     • By the earlier theorem, there is a subject s′ such that s′ = s or s′ terminally spans to s
     • Also, there is a sequence of islands l_1, ..., l_n with x′ ∈ l_1, s′ ∈ l_n
     • Now consider what s is
  29. • If s is an object, s′ ≠ s
     • If s′, p are in the same island, take p = s′; then can·share(t, x, s, G_0) holds
     • If they are not, the sequence is minimal, contradicting the assumption
     • So choose s′ in the same island as p
  30. If s is a subject, p ∈ l_n
     • If p ∉ G_0, there is a subject q such that can·share(t, q, s, G_0) holds
     • s ∈ G_0 and none of the rules add new labels to incoming edges on existing vertices
     • As s owns α rights to y in G_0, two cases arise:
       • If s = q, replace "s grants (α to y) to q" with the sequence:
         p takes (α to y) from s
         p takes (g to q) from s
         p grants (α to y) to q
       • If s = q, you only need the first
  31. Conspiracy
     If s is a subject, p ∈ l_n
  32. Conspiracy in general graphs
     Given a protection graph G with subject vertices X_1, ..., X_n, we will define a new graph, the conspiracy graph H, determined by G. H has vertices Y_1, ..., Y_n and each Y_i has associated with it the access-set A(X_i). There is an undirected edge between Y_i and Y_j provided δ(X_i, X_j) ≠ Ø, where δ is called the deletion operation:
     δ(x, x′) = all elements in A(x) ∩ A(x′) except those z for which either
     (a) the only reason for z ∈ A(x) is that x initially spans to z and the only reason for z ∈ A(x′) is that x′ initially spans to z, or
     (b) the only reason z ∈ A(x) is that x terminally spans to z and the only reason z ∈ A(x′) is that x′ terminally spans to z.
     The graph thus constructed is the conspiracy graph for G.
  33. [Slide contains no extracted text]
  34. • Lemma 7.1: can·share(α, p, q, G) is true if and only if some Y_u ∈ Y_p is connected to some Y_v ∈ Y_s
     • Theorem 7.2: To produce a witness to can·share(α, p, q, G), |s.p.| conspirators are sufficient.
     • Theorem 7.3: To produce a witness to can·share(α, p, q, G), |s.p.| conspirators are necessary.
  35. Concluding Remarks
     • how sharing is accomplished in the Take-Grant Model
     • there is the question of algorithmic complexity of determining the minimum number of conspirators required for a right to be shared
     • determine for a given graph what set of conspirators must have participated in the sharing of a right after the fact
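
The take, grant and create rules (slides 4 to 6) and the stealing witness (slides 20 to 24) can be replayed mechanically. The following is an added example, not code from the slides or from Snyder's paper: the `Graph` class, `is_theft_witness`, the starting graph `G0` (the slide's figure did not survive, so its edges are assumed to be the minimum that makes the four steps legal) and the letter `"a"` standing for α are all assumptions. The remove rule is left out because it never adds a right.

```python
class Graph:
    def __init__(self, subjects, vertices, edges):
        self.subjects, self.vertices = set(subjects), set(vertices)
        self.rights = {e: set(r) for e, r in edges.items()}  # (src, dst) -> rights

    def has(self, src, dst, r):
        return set(r) <= self.rights.get((src, dst), set())

    def add(self, src, dst, r):
        self.rights.setdefault((src, dst), set()).update(r)

    def apply(self, rule, x, alpha, z, y=None):
        """Apply one rule with acting vertex x; ValueError if a precondition fails."""
        if x not in self.subjects or not alpha:
            raise ValueError("actor must be a subject and alpha non-empty")
        if rule == "create":                 # x creates (alpha to) new vertex z
            if z in self.vertices:
                raise ValueError("create needs a new vertex")
            self.vertices.add(z)
            if y == "subject":               # y carries the kind of the new vertex
                self.subjects.add(z)
            self.add(x, z, alpha)
            return
        if len({x, y, z}) != 3 or not {y, z} <= self.vertices:
            raise ValueError("x, y, z must be distinct existing vertices")
        if rule == "take" and self.has(x, y, "t") and self.has(y, z, alpha):
            self.add(x, z, alpha)            # x takes (alpha to z) from y
        elif rule == "grant" and self.has(x, y, "g") and self.has(x, z, alpha):
            self.add(y, z, alpha)            # x grants (alpha to z) to y
        else:
            raise ValueError(f"{rule} precondition not met for {x}")

def is_theft_witness(g0, steps, alpha, p, q):
    """True if steps give p alpha over q and no original owner grants it."""
    if g0.has(p, q, alpha):
        return False
    owners = {s for (s, d) in g0.rights if d == q and g0.has(s, q, alpha)}
    g = Graph(g0.subjects, g0.vertices, g0.rights)   # work on a copy of G0
    for rule, x, a, z, y in steps:
        if rule == "grant" and x in owners and z == q and set(a) & set(alpha):
            return False                     # an owner handed the right over
        g.apply(rule, x, a, z, y)
    return g.has(p, q, alpha)

# Assumed G0 (constructed): minimal edges making the slide's four steps legal; "a" is α.
G0 = Graph({"s", "u"}, {"s", "u", "v", "x", "w"},
           {("u", "s"): "g", ("u", "v"): "t", ("v", "x"): "t",
            ("x", "u"): "t", ("u", "w"): "a"})
WITNESS = [("grant", "u", "t", "v", "s"), ("take", "s", "t", "x", "v"),
           ("take", "s", "t", "u", "x"), ("take", "s", "a", "w", "u")]
```

Each step is a tuple `(rule, actor, rights, target, via)`. The same checker rejects the witness from slides 9 to 12 as theft, because there the owner y itself grants β to z, which is sharing rather than stealing.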