Access Control

Access Control 2: Foundational Results
1
Preliminaries

Undecidability
The Halting Problem
The Turing Machine
2
Undecidability
Timing a program: can you write a program that tells you how long another program will run before completing?
The Halting Problem: if you can tell me how long, it must stop in a finite time!
No program can give a decisive answer for all legitimate inputs.
A program may give correct answers for some cases but run forever for others.
3
The Turing Machine
An infinite-to-the-right tape divided into cells
  A cell can store any symbol in M = {A, B, C, D, F, Blank}
A read/write head
  The head can have any state in K = {happy, unhappy}
The head reads, then writes and moves
  What it writes, and whether it moves left or right, are both decided by a set of rules
[M and K are both finite]
Originally the tape is all blank
Figure: an example tape (cells holding F, A, A, D, ...) with the head in state happy or unhappy, and rules of the form (state, symbol read) → (new state, symbol written, move), e.g. (happy, Blank) → (happy, A, Right), (unhappy, A) → (happy, A, Left), (happy, F) → (happy, A, Left)
4
The Halting Problem
With any initial tape and state (of the head), will any given Turing machine reach a specific state?
Analogy: input ↔ initial tape and state; program ↔ Turing machine; output "OK" and halt ↔ reaching the specific state
This is undecidable
5
A Proof by Contradiction
Suppose you have a machine that you are sure will always tell you whether an input program will halt.
Feed it the following program:
  If this program halts, go into an endless loop
  Otherwise print out "OK"
It never stops
Whichever answer the machine gives, the program does the opposite, so no such machine can exist.
6
Access and Control of Memory
7
The Access Control Matrix (ACM)
A model of protection systems
Describes who (subject) can do what (rights) to what/whom (object/subject)
Example:
  An instructor can assign and grade homework and exams
  A TA can grade homework
  A student can evaluate the instructor and TA
8
An Access Control Matrix
Allowed operations (rights): r, x, w, o

           file1   file2   file3
  Ann      rx      r       rwx
  Bob      rwxo    r       -
  Charlie  rx      rwo     w
9
Rights/Commands
Primitive commands:
  create/destroy a subject s or object o
  enter/delete r into/from A[s,o]
10
State Transition Commands
Command: if an instructor can grade an exam and a TA can grade h.w., then revoke the TA's right to grade the h.w. and let him grade the exam
Mono-conditional / mono-operational
The condition can neither be negative nor contain 'or'; for example, the following is not allowed:
  "if instructor can grade exam or TA can grade exam then TA cannot grade h.w."
11
Commands for ACM
Primitive commands:
  create/delete subjects and objects
  enter/delete permissions in acm(s,o)
A command may use more than one primitive command; a command that uses exactly one is a mono-operational command.
Limitation: cannot test for a negative fact
Further: there are no Owner and Copy commands
12
ACM and Protection States
Subjects: processes p, q etc.
Objects: files f, g etc. (the subjects p and q appear as objects too)
Access rights: operations r, w, x, a, o etc.

       f     g     p      q
  p    rwo   r     rwxo   w
  q    a     ro    r      rwxo
13
Protection States
State: variables taking values in a domain
Protection domain: the space defined by an ACM
Mathematically:
  Variables for subjects: X_s ∈ S (the set of all subject names)
  Variables for objects: X_o ∈ O (the set of all object names)
  Constants for permission names: P
  Assignment: ACL: S × O → 𝒫(P), where 𝒫(P) is the power set of P (the set of all subsets of P)
  Maps every (subject, object) pair to a subset of permissions.
Example state:
       f    g    p     q
  p    ow   r    rxo   w
  q    r    o    r     wx
14
Safe States
Any subset that is consistent with the ACM
Mathematically: if myState: S × O → 𝒫(P), then ∀x,y: myState(x,y) ⊆ ACM(x,y)

ACM:
        O1    O2   O3   O4
  S1    rwx   rx   rx   x
  S2    x (single entry; its column is not recoverable from the source)
myState:
        O1    O2   O3   O4
  S1    r     rx   rx   x
  S2    x (single entry; its column is not recoverable from the source)
15
What Does it Mean to be Secure?
Giving a right r to someone who initially does not possess r is called leaking
If the system begins in some initial safe state and can never leak r, then the system is secure with respect to r
Subtleties:
  Leaking is not necessarily bad; a legitimate transfer of rights can be proper if owners say so or by delegation
  But we must be sure that, with all authorized leaking ignored, the system is still secure w.r.t. r
  An abstract system (specification) may be secure while its implementation is not
16
Safety Question
Is there an algorithm for determining whether any protection system with a given initial state is secure with respect to a generic right r?
In ACM terms, the question is: given any ACM, is there a program that halts with the answer to "Is there a sequence of commands that will enter r into some a[s,o] that does not initially have r?"
There are trivial cases where this is obviously true, but how about the general case?
17
The (Special) Positive Result
Theorem: There is an algorithm that determines whether a given mono-operational protection system with initial state S0 is safe with respect to a generic right.
Proof: Suppose the command sequence is [c0, c1, ..., cn]:
1. We can identify [c0, c1, ..., cn] with a sequence of primitive operations.
2. We can assume that for all i, ci is neither delete nor destroy, because delete and destroy do not add rights.
18
The Positive Result: Proof (cont.)
1. Only create adds new subjects and objects.
2. The others are conditional tests, which can be tested.
3. Suppose we create a new subject (Snew) and a new object (Onew).
4. Need to check that the given sequence of commands did not leak rights.
5. Need to check the pre/post conditions of n(|S0|+1)(|O0|+1) commands.
19
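The decision procedure this proof sketch describes, carried out as an added worked example (this is not code from the slides): since delete and destroy never help a leak and one fresh subject plus one fresh object stand in for every create, the reachable states of a mono-operational system form a finite set, and a breadth-first search over it decides whether a generic right r can leak. The command encoding (parameter kinds, conditions as (i, j, right) tuples, a single primitive operation), the names s_new and o_new for the fresh subject and object, and the Ann/Bob/file1 system with its three commands are all constructed for this example.

```python
from collections import deque
from itertools import product

# Command format (constructed for this example, not the slides' notation):
#   name: (param_kinds, conditions, op)
#   param_kinds: "s" (ranges over subjects) or "o" (ranges over objects; every
#                subject is also an object), one entry per parameter position
#   conditions : tuple of (i, j, right) meaning right in A[params[i], params[j]]
#   op         : ("enter", i, j, right) | ("create_subject",) | ("create_object",)
# A protection state is (subjects, objects, cells), cells being a frozenset of
# (subject, object, right) triples; absent triples are empty matrix entries.

def bindings(param_kinds, subjects, objects):
    """Every way to instantiate the parameters with currently existing names."""
    pools = [sorted(subjects) if k == "s" else sorted(objects) for k in param_kinds]
    return product(*pools)

def leaks(subjects, objects, cells, commands, r):
    """True iff some command sequence enters r into a cell that lacks r.
    Following the proof sketch: deletes/destroys are dropped, and a single fresh
    subject (s_new) and object (o_new) represent all creates, so the state space
    is finite and the search terminates."""
    start = (frozenset(subjects), frozenset(objects) | frozenset(subjects), frozenset(cells))
    seen, queue = {start}, deque([start])
    while queue:
        subs, objs, rights = queue.popleft()
        for param_kinds, conds, op in commands.values():
            for args in bindings(param_kinds, subs, objs):
                if not all((args[i], args[j], rt) in rights for i, j, rt in conds):
                    continue                              # condition fails, command not applicable
                if op[0] == "enter":
                    _, i, j, rt = op
                    triple = (args[i], args[j], rt)
                    if rt == r and triple not in rights:
                        return True                       # r entered where it was absent: a leak
                    nxt = (subs, objs, rights | {triple})
                elif op[0] == "create_subject":           # new subject: empty row and column
                    nxt = (subs | {"s_new"}, objs | {"s_new"}, rights)
                else:                                     # create_object: empty column
                    nxt = (subs, objs | {"o_new"}, rights)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return False

def is_safe(subjects, objects, cells, commands, r):
    """Safe with respect to r iff no reachable command leaks r."""
    return not leaks(subjects, objects, cells, commands, r)

# Constructed initial state: Ann owns file1, Bob holds nothing.
SUBJECTS = {"Ann", "Bob"}
OBJECTS = {"file1"}
CELLS = {("Ann", "file1", "own")}
COMMANDS = {
    # grant_read(s1, s2, o): if own in A[s1,o] then enter r into A[s2,o]
    "grant_read": (("s", "s", "o"), ((0, 2, "own"),), ("enter", 1, 2, "r")),
    # allow_exec(s, o): if r in A[s,o] then enter x into A[s,o]
    "allow_exec": (("s", "o"), ((0, 1, "r"),), ("enter", 0, 1, "x")),
    # create_file(): create object (no condition)
    "create_file": ((), (), ("create_object",)),
}

if __name__ == "__main__":
    for right in ("r", "x", "w"):
        verdict = "safe" if is_safe(SUBJECTS, OBJECTS, CELLS, COMMANDS, right) else "leaks"
        print(right, verdict)
```

With Ann owning file1, grant_read can enter r into a cell that lacks it, and allow_exec then leaks x; nothing ever enters w, so the system is safe with respect to w. Removing Ann's own right makes the system safe with respect to r as well, because grant_read's condition can never be satisfied and create_file adds only an empty column.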
General Safety Problem is Undecidable
Answer: the safety problem is undecidable
In terms of the ACM: given any ACM, whether some sequence of commands will enter r into some a[s,o] that does not initially have r is undecidable
Analogy: input file ↔ initial tape and state; program ↔ Turing machine; output ↔ entering a specific state
20
Reducing the halting problem to the safety problem
If an algorithm can solve the safety problem then it can also solve the halting problem.
But the halting problem is known to be undecidable, so such an algorithm cannot exist.
How does the reduction work?
Simulate a Turing machine where subject Si owns Si+1, and if cell i contains symbol A then subject Si has right A over itself. Let subject Sk correspond to the right-most cell, with the end right over itself.
21
The Reduction form
Tape (cells 1 to 5): A, B, C, D, b (blank); the head is in state k on cell 3.
Transitions used: (k, C) → (k1, X, R), then (k1, D) → (k2, Y, R).
ACM encoding: subject si stands for cell i; own ∈ A[si, si+1]; the cell's symbol, and for the scanned cell the head state, are in A[si, si]; end marks the rightmost cell.
  Before the first move: A[s1,s1] = {A}, A[s2,s2] = {B}, A[s3,s3] = {C, k}, A[s4,s4] = {D, end}; own in A[s1,s2], A[s2,s3], A[s3,s4]
  After (k, C) → (k1, X, R): A[s3,s3] = {X}, A[s4,s4] = {D, k1, end}
  After (k1, D) → (k2, Y, R) at the rightmost cell: A[s4,s4] = {Y}; subject s5 is created with own ∈ A[s4,s5] and A[s5,s5] = {b, k2, end}
22
Commands for left motion
(k, C) → (k1, X, L) corresponds to the command C_{k,C}(s4, s3):
  if own ∈ A[si-1,si] and k ∈ A[si,si] and C ∈ A[si,si] then
    delete k from A[si,si];
    delete C from A[si,si];
    enter X into A[si,si];
    enter k1 into A[si-1,si-1];
  end
Note: k is the state of the head; C and X are cell contents
23
Commands for right motion
(k, C) → (k1, X, R) corresponds to the command C_{k,C}(s3, s4):
  if own ∈ A[s3,s4] and k ∈ A[s3,s3] and C ∈ A[s3,s3] then
    delete k from A[s3,s3];
    delete C from A[s3,s3];
    enter X into A[s3,s3];
    enter k1 into A[s4,s4];
  end
24
Command for the rightmost cell
(k1, D) → (k2, Y, R) corresponds to the command C^rightmost_{k,C}(s4, s5):
  if end ∈ A[s4,s4] and k1 ∈ A[s4,s4] and D ∈ A[s4,s4] then
    delete end from A[s4,s4];
    create subject s5;
    enter own into A[s4,s5];
    enter end into A[s5,s5];
    delete k1 from A[s4,s4];
    delete D from A[s4,s4];
    enter Y into A[s4,s4];
    enter k2 into A[s5,s5];
  end
25
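The three command slides above, executed as an added example (this is not code from the slides): the matrix of slide 22 is built, and a small interpreter applies the left, right and rightmost-cell commands of slides 23 to 25 until no command is applicable, which is how the protection system simulates the machine until it halts. It also checks the claim of the following slide that at most one command is applicable at any time. The RULES table, the subject names s1, s2, ..., the function names, and the decision to enter the blank symbol b into the freshly created cell (the figure on slide 22 shows it; the slide-25 command text does not enter it) are assumptions of this example.

```python
# Encoding from the slides: subject s_i is tape cell i; own in A[s_i, s_{i+1}]
# links neighbouring cells; the cell's symbol, and for the scanned cell the head
# state, live in A[s_i, s_i]; end in A[s_k, s_k] marks the rightmost cell.

RULES = {            # (state, symbol) -> (new state, symbol written, move), from slide 22
    ("k", "C"): ("k1", "X", "R"),
    ("k1", "D"): ("k2", "Y", "R"),
}
BLANK = "b"          # the figure writes the blank tape symbol as b

def initial_acm():
    """Matrix of slide 22 before any move; cells not listed are empty."""
    return {("s1", "s1"): {"A"}, ("s1", "s2"): {"own"},
            ("s2", "s2"): {"B"}, ("s2", "s3"): {"own"},
            ("s3", "s3"): {"C", "k"}, ("s3", "s4"): {"own"},
            ("s4", "s4"): {"D", "end"}}

# Primitive commands (slide 10): enter, delete, create subject.
def enter(A, r, x, y):
    A.setdefault((x, y), set()).add(r)

def delete(A, r, x, y):
    A.get((x, y), set()).discard(r)

def create_subject(A, s):
    A[(s, s)] = set()

def cell(A, x, y):
    return A.get((x, y), set())

def subjects(A):
    """Subjects in tape order; assumes the s1, s2, ... naming scheme."""
    return sorted({x for x, _ in A} | {y for _, y in A}, key=lambda s: int(s[1:]))

def applicable(A):
    """Every (state, symbol, s_i, s_j) whose command condition holds now.
    Only one head-state right exists in the whole matrix, so this returns at most
    one entry; an empty list means the machine has halted."""
    subs, found = subjects(A), []
    for i, si in enumerate(subs):
        for (k, C), (_, _, move) in RULES.items():
            if not {k, C} <= cell(A, si, si):
                continue
            if move == "L" and i > 0 and "own" in cell(A, subs[i - 1], si):
                found.append((k, C, si, subs[i - 1]))
            elif move == "R" and "end" in cell(A, si, si):
                found.append((k, C, si, "s%d" % (len(subs) + 1)))   # fresh subject name
            elif move == "R" and i + 1 < len(subs) and "own" in cell(A, si, subs[i + 1]):
                found.append((k, C, si, subs[i + 1]))
    return found

def step(A):
    """Apply the single applicable command; return it, or None when halted."""
    found = applicable(A)
    assert len(found) <= 1, "more than one command applicable: encoding is broken"
    if not found:
        return None
    k, C, si, sj = found[0]
    k1, X, move = RULES[(k, C)]
    if move == "L":                       # slide 23: C_{k,C}(s_i, s_{i-1})
        delete(A, k, si, si); delete(A, C, si, si)
        enter(A, X, si, si); enter(A, k1, sj, sj)
    elif (sj, sj) in A:                   # slide 24: C_{k,C}(s_i, s_{i+1})
        delete(A, k, si, si); delete(A, C, si, si)
        enter(A, X, si, si); enter(A, k1, sj, sj)
    else:                                 # slide 25: rightmost cell, extend the tape
        delete(A, "end", si, si)
        create_subject(A, sj)
        enter(A, "own", si, sj); enter(A, "end", sj, sj)
        delete(A, k, si, si); delete(A, C, si, si)
        enter(A, X, si, si); enter(A, k1, sj, sj)
        enter(A, BLANK, sj, sj)           # new cell is blank (shown as b in the figure)
    return found[0]

def run(A, max_steps=100):
    """Run until halt; return the applied (state, symbol, s_i, s_j) commands in order."""
    trace = []
    for _ in range(max_steps):
        applied = step(A)
        if applied is None:
            break
        trace.append(applied)
    return trace

if __name__ == "__main__":
    A = initial_acm()
    print(run(A))
    for key in sorted(A, key=lambda p: (int(p[0][1:]), int(p[1][1:]))):
        print(key, sorted(A[key]))
```

Running it reproduces the two matrices of slide 22: after the first move A[s3,s3] is {X} and k1 has moved into A[s4,s4]; after the second, s5 exists with own in A[s4,s5] and A[s5,s5] = {b, k2, end}. No rule covers (k2, b), so applicable() returns nothing and the simulation halts, exactly the condition the reduction turns into a leak question.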
Rest of the proof
This protection system exactly simulates a Turing machine:
  the end right in the ACM corresponds to the end (rightmost) cell
  exactly one head-state right exists, in the entry of the current cell
  thus, at most one command is applicable at any time
If the TM enters a special state qf, then the right qf has leaked
If the safety question were decidable, represent the TM as above and determine whether qf leaks
This would make the halting problem decidable
Conclusion: safety is undecidable
26
Special Cases can be Decidable
If all the commands are mono-operational, the safety problem is decidable
  Each move of a Turing machine corresponds to multiple primitive commands of the ACM, so the reduction above does not apply
If no command includes create, the safety problem is decidable (PSPACE-complete)
If no command includes destroy or delete and all commands are mono-conditional, then the safety problem is decidable
27
Main Point
In its most general form the safety problem is undecidable, but by limiting the scope of systems the safety problem can be made decidable
Otherwise we could never build a safe system!
28
ACMs and ACLs; Capabilities
Real systems have to be fast and not use excessive space
29
What's Wrong with an ACM?
If we have 1k 'users' and 100k 'files', and a user should only read/write his or her own files:
  the ACM will have 101k columns and 1k rows
  most of the 101M elements are either empty or identical
Good for theoretical study but bad for implementation
Remove the empty elements?
30
Two ways to cut a table (ACM)
Order by columns (ACL) or rows (capability lists)?

           file1   file2   file3
  A        rx      r       rwx
  B        rwxo    r       -
  C        rx      rwo     w
ACLs: the columns; capabilities: the rows
31
Access Control Lists
An ACL stores the (non-empty elements of) each column with its object
Columns of the access control matrix:
           file1   file2   file3
  Andy     rx      r       rwo
  Betty    rwxo    r       -
  Charlie  rx      rwo     w
ACLs:
  file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) }
  file2: { (Andy, r) (Betty, r) (Charlie, rwo) }
  file3: { (Andy, rwo) (Charlie, w) }
32
Capability Lists
A capability list stores the (non-empty elements of) each row with its subject
Rows of the access control matrix:
           file1   file2   file3
  Andy     rx      r       rwo
  Betty    rwxo    r       -
  Charlie  rx      rwo     w
C-Lists:
  Andy: { (file1, rx) (file2, r) (file3, rwo) }
  Betty: { (file1, rwxo) (file2, r) }
  Charlie: { (file1, rx) (file2, rwo) (file3, w) }
33
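The two cuts of the matrix from the last three slides, and the safe-state test of slide 15, as an added example (this is not code from the slides): the Andy/Betty/Charlie matrix is held as a sparse mapping with empty cells simply absent, the ACL and capability-list views are derived from it, each view is rebuilt into a matrix to show that both carry the same information, and a state is checked against the matrix with the subset test of slide 15. The function names and the sparse dict representation are choices made for this example.

```python
# (subject, object) -> frozenset of rights; empty cells are not stored, which is
# the point of slide 30: most of a real matrix is empty.
ACM = {
    ("Andy", "file1"): frozenset("rx"),  ("Betty", "file1"): frozenset("rwxo"),
    ("Charlie", "file1"): frozenset("rx"),
    ("Andy", "file2"): frozenset("r"),   ("Betty", "file2"): frozenset("r"),
    ("Charlie", "file2"): frozenset("rwo"),
    ("Andy", "file3"): frozenset("rwo"), ("Charlie", "file3"): frozenset("w"),
}

def acls(acm):
    """Cut by columns: object -> {subject: rights} (slide 32)."""
    out = {}
    for (s, o), rights in acm.items():
        if rights:
            out.setdefault(o, {})[s] = rights
    return out

def capability_lists(acm):
    """Cut by rows: subject -> {object: rights} (slide 33)."""
    out = {}
    for (s, o), rights in acm.items():
        if rights:
            out.setdefault(s, {})[o] = rights
    return out

def from_acls(acl_map):
    """Rebuild the sparse matrix from its ACLs."""
    return {(s, o): rights for o, entries in acl_map.items() for s, rights in entries.items()}

def from_capability_lists(clist_map):
    """Rebuild the sparse matrix from its capability lists."""
    return {(s, o): rights for s, entries in clist_map.items() for o, rights in entries.items()}

def is_safe_state(state, acm):
    """Slide 15: myState is safe iff myState(x,y) ⊆ ACM(x,y) for every (x,y)."""
    return all(rights <= acm.get(key, frozenset()) for key, rights in state.items())

def allowed(acm, subject, obj, right):
    """The access decision a reference monitor makes from the matrix."""
    return right in acm.get((subject, obj), frozenset())

def stored_cells(acm, subjects, objects):
    """(cells actually holding rights, |S| x |O|): the sparsity slide 30 points at."""
    return sum(1 for rights in acm.values() if rights), len(subjects) * len(objects)

if __name__ == "__main__":
    for obj, entries in sorted(acls(ACM).items()):
        print(obj, {s: "".join(sorted(r)) for s, r in sorted(entries.items())})
    for subj, entries in sorted(capability_lists(ACM).items()):
        print(subj, {o: "".join(sorted(r)) for o, r in sorted(entries.items())})
```

Both views answer the same question (allowed(ACM, "Betty", "file1", "w")) but make different operations cheap: an ACL answers "who may touch file3?" from one entry, a capability list answers "what may Betty use?" from one entry, and revoking everything from one user is a single deletion in the capability view but a scan of every object in the ACL view.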