In the previous sections the access matrix, and state transitions that modify it, was introduced. Now the goal is to determine just how such a transition can be made while ensuring that no rights are leaked in an inconsistent manner, enabling the system to enter an insecure state.
This section starts with a light introduction to whether or not an arbitrary system
may be proved secure. The result of such a proof presents the need for restriction of the transfer of rights in asystem. Such a restricted model for how rights are appropriately transferred within an access matrix, to ensure that thesystemdoes not enter an insecure state, is then presented.
4.5.1
Is a system generally provably secure?
A system’s security is in the general case, unfortunately, proven to be undecidable. Harrison and Ruzzo [Har76] proved this in 1976 by translating the actions of handling rights in an access control matrix to the state transitions of a Turing machine, and setting the fact that a right has been leaked in the access control matrix as the halting state.
Since it has been shown that a Turing machine can not be proven to reach its halting state, the problem is undecidable since it is non–traceable. (See e.g. [Sud97] for information about Turing machines and the halting problem.)
4.5.2
A model for traceable transfer or rights
Even though it has been proved generally impossible to assert security in system, a more controlled environment than the access control matrix most general form will make it possible to guarantee that a system will remain in a secure state. Sandhu demonstrated such a tool with the Schematic Protection Model (SPM) [Rav88], which is proven to be traceable. The non–traceability of the access control matrix is the focus of the problem of that model for general use.
SPM is made up of a few simple elements, which when instantiated properly, are able to emulate other protection models. One such model is the Take grant model
(see [Bis03] for an easy explanation of that model). SPMhas the following components: 1. A finite set of principal types partitioned into two sets, holding subject’s and
object’s type respectively
2. A finite set of rights, which is partitioned into two sets. One holding the inert rights (the rights that do not alter the system’s state) and another holding the control rights
3. A finite collection of links predicates. Used to determine if there is a connection between two subjects, based on their types, that can be used to copy a right 4. A filter function for each link predicate, which will either allow the copying of a
right or deny it
5. The operation for creating new subjects and objects
6. A rule that is associated with all operations that create any type of entity, that control which initial rights the created entity will be associated with
4.5. When is a system secure? 23
Note thatSPMas presented only describe a monotonically growing system.
Using this model, all rights are transfered using a well specified system of rules that are unconditionally applied to all operations by the links predicates and the filter functions. Sandhu demonstrates several models in his paper by instantiating the sets in the model’s component list appropriately, and gives a convincing argument that many models can be emulated bySPM, and as such be traceable [Rav88]. The fact thatSPMis so powerful and proven traceable, makes it clear that models that are either equivalent with or instanciable inSPMwill be secure.
4.5.3
Conclusions concerning secure systems
The above discussion made it clear that an unbound system is provably insecure, which can be proven by mapping the primitive operations for modifying an access matrix to a Turing machine.
The introduction of restrictive rules however, made it possible to limit the problem such that it became traceable and thus provably secure. The proof of concept provided was the Schematic Protection Model (SPM).
SinceSPMis traceable, it must follow that if a system that has a set of rules for access right transfer, which can be formulated with theSPM, its security is traceable. In other words, if you can express the system’s rules in SPM, it is traceable, and hence it can be proven secure; a finite number of operations are needed to ensure that the system never enters an insecure state.
Chapter 5
Access Control
In the discussion aboutsecure statesin Section 4.4.1, the core issue was transfer of rights. What those rights really describe are the rights any principal has to other
principals in a system. The transitions that were described take place as some
subjectaccess some resource in some way. Access controlis about regulating which resources that may be accessed and how.
This chapter will begin by defining the two levels that exist foraccess control. The distinction between them is very important since the implications from their specification create two entirely different models for how rights are controlled on a system. After the theoretical foundation has been presented, a few real world examples of the two models are presented, with the security implications and problems that have arisen in those system.
5.1
Definitions of access control specification levels
The specification level ofaccess controlcan be on either of two levels: The specifica- tion is up to asubjector it is handled by the operating system. The definition of each of these models follow, adapted from [Bis03].
Definition 5.1.1. If an individual subject can control the decision of an access control mechanism so that it allows or denies access to an object, that mechanism is a discretionary access control (DAC), also called an identity based access control(IBAC).
Definition 5.1.2. When a system mechanism controls access to anobjectand an in- dividualsubjectcannot alter that access, the control is amandatory access control
(MAC), occasionally called arule-based access control.
It is important to note that the use of one of these does not prohibit the use of the other. If both MACandDACare used, bothaccess control mechanisms must grant a
subject’sright to access anobject.