
The Extended Schematic Protection Model
(ESPM)
Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
www.list.gmu.edu
[email protected]
© 2004 Ravi Sandhu
www.list.gmu.edu
Recap
• HRU has undecidable safety under very weak assumptions
  • Bi-conditional monotonic
• Take-Grant and variations
  • Efficiently decidable safety
  • Unexpected aggregate policy
• Schematic protection model (SPM)
  • Useful demarcation of efficiently decidable safety
    – Decidable for acyclic attenuating schemes
      • polynomial in size of initial state
      • exponential in number of types (for dense cc relation)
      • open question: acyclic non-attenuating
    – Undecidable for cyclic schemes
  • Copy flag and demand operation turn out to be redundant
  • SPM can simulate Bell LaPadula multilevel security
SPM creation
ESPM joint creation
Monotonic HRU command
ESPM simulation
1. Parameter list generation
   • Marshal parameter set of size Ji
2. Validating the conditional
3. Simulating the HRU command body
   • Simulating creates
     – Unconditional create with alive right, so X/alive ∈ dom(X) is required for X to participate in any command
   • Simulating enters
     – straightforward
ESPM types
• p: proxy entity type
  – Px/r ∈ dom(Py) for Px, Py of type p in ESPM system iff r ∈ [Py,Px] in HRU system
• {aj | j=1…Jmax}: agent types
  – Represent ESPM proxy entity in jth parameter of HRU command
• {cmi | m=1…Mi, i=1…I}: create types
  – Simulate creates for each HRU command
• {eni | n=1…Ni, i=1…I}: enter types
  – Simulate enters for each HRU command
• {tki | k=1…Ki, i=1…I}: term types
  – Simulate truth value of each term in each HRU command
• {vi | i=1…I}: validator types
  – Represent a collection of Ji entities in instance of HRU commandi
  – Created by joint creation with agent types as parents
ESPM creation
ESPM attenuating loops
If type(ui) = type(v)
Except that one such parent can have attenuating rule
  crpj(u1, u2, …, uN, v) = pj/R2j  c/R1j
  crc(u1, u2, …, uN, v) = pj/R3j  c/R4j
so R1j ⊆ R2j and R3j ⊆ R2j and R4j ⊆ R1j
ESPM unfolded state
ESPM safety analysis
• exponential in types (like SPM)
• exponential in size of initial state (unlike SPM)
Expressive power of SPM and ESPM
• both are monotonic
• ESPM is equivalent to monotonic HRU
  – HRU can simulate ESPM
  – ESPM can simulate HRU
• ESPM with double-parent creation is equivalent to ESPM
• ESPM is at least as expressive as SPM
  – ESPM can simulate SPM trivially
• it turns out that SPM is less expressive than ESPM (and thereby less expressive than monotonic HRU)
Monotonic access graph model
• nodes are strongly typed
  • type of a node cannot change
• edges are strongly typed
  • type of an edge cannot change
• graph operations
  • initial state operations
  • node operations
    – multi-parent
    – creates new edges from each parent to child
  • edge operations
    – cannot create new nodes
    – must be monotonic (edges cannot be removed)
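As an added illustration (not from the slides), a small Python model of the monotonic access graph just described: node and edge types are fixed at creation, a node operation may take several parents and gives each parent an edge to the child, and edge operations can only add edges, so a safety question over a fixed node set is decided by running edge operations to a fixpoint. The create-rule and edge-rule formats, the node and edge type names, and the scenario in demo() are constructed assumptions of this example.

```python
class AccessGraph:
    def __init__(self):
        self.ntype = {}        # node name -> node type, fixed at creation
        self.edges = set()     # (src, dst, edge type); only ever grows

    def add_node(self, name, ntype):     # initial-state operation
        if name in self.ntype:           # re-adding would change a type
            raise ValueError(f"{name} exists; node types cannot change")
        self.ntype[name] = ntype

    def add_edge(self, src, dst, etype):  # monotonic: no remove_edge exists
        if src not in self.ntype or dst not in self.ntype:
            raise KeyError("edge operations cannot create nodes")
        self.edges.add((src, dst, etype))

    def create(self, parents, child, ctype, create_rule):
        # multi-parent creation; create_rule (assumed format) maps a parent's
        # node type to the edge types that parent gets to the new child
        self.add_node(child, ctype)
        for p in parents:
            for etype in create_rule.get(self.ntype[p], ()):
                self.add_edge(p, child, etype)

    def close(self, edge_rules):
        # edge operations to a fixpoint; rule (e1, e2, e3) (assumed format):
        # if x -e1-> y and y -e2-> z then add x -e3-> z. Terminates because
        # the node set is fixed and edges only grow.
        changed = True
        while changed:
            changed = False
            for x, y, e1 in list(self.edges):
                for y2, z, e2 in list(self.edges):
                    if y2 != y:
                        continue
                    for r1, r2, r3 in edge_rules:
                        if (e1, e2) == (r1, r2) and (x, z, r3) not in self.edges:
                            self.edges.add((x, z, r3))
                            changed = True
        return self.edges

def unsafe_for(graph, edge_rules, src, dst, etype):
    # safety question on a fixed node set: can src gain an etype edge to dst?
    return (src, dst, etype) in graph.close(edge_rules)

def demo():
    # constructed: alice and bob jointly create doc (each parent gets "r");
    # carol holds a grant edge "g" to alice, and g followed by r yields r
    g = AccessGraph()
    for u in ("alice", "bob", "carol"):
        g.add_node(u, "user")
    g.add_edge("carol", "alice", "g")
    g.create(("alice", "bob"), "doc", "object", {"user": {"r"}})
    return (unsafe_for(g, [("g", "r", "r")], "carol", "doc", "r"),
            unsafe_for(g, [("g", "r", "r")], "bob", "alice", "r"))
```

demo() returns (True, False): carol reaches doc through alice, while nothing ever gives bob an edge to alice.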
Simulation: scheme B simulates scheme A
Scheme A has double-parent creation
Double-parent creation in scheme A
Failed simulation in scheme B with single-parent creation and identical initial state
Failed simulation in scheme B with single-parent creation and arbitrary initial state
Multi-parent creation does not add power in nonmonotonic systems
Multi-parent creation
• Adds power to monotonic models
• Perhaps should be viewed as a non-monotonic binding operation