the extended schematic protection model (espm)

Report

Post on 17-Jan-2016

41 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

DESCRIPTION

The Extended Schematic Protection Model (ESPM). Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu. Recap. HRU has undecidable safety under very weak assumptions Bi-conditional monotonic Take-Grant and variations - PowerPoint PPT Presentation

TRANSCRIPT

© 2004 Ravi Sandhuwww.list.gmu.edu

The Extended Schematic Protection Model(ESPM)

Ravi SandhuLaboratory for Information Security Technology

George Mason Universitywww.list.gmu.edusandhu@gmu.edu

2

© 2004 Ravi Sandhuwww.list.gmu.edu

Recap

• HRU has undecidable safety under very weak assumptions• Bi-conditional monotonic

• Take-Grant and variations• Efficiently decidable safety• Unexpected aggregate policy

• Schematic protection model (SPM)• Useful demarcation of efficiently decidable safety

– Decidable for acyclic attenuating schemes• polynomial in size of initial state• exponential in number of types (for dense cc relation)• open question: acyclic non-attenuating

– Undecidable for cyclic schemes • Copy flag and demand operation turn out to be redundant• SPM can simulate Bell LaPadula multilevel security

3

© 2004 Ravi Sandhuwww.list.gmu.edu

SPM creation

4

© 2004 Ravi Sandhuwww.list.gmu.edu

ESPM joint creation

5

© 2004 Ravi Sandhuwww.list.gmu.edu

Monotonic HRU command

6

© 2004 Ravi Sandhuwww.list.gmu.edu

ESPM simulation

1. Parameter list generation• Marshall parameter set of size Ji

2. Validating the conditional3. Simulating the HRU command body

• Simulating creates– Unconditional create with alive right, so X/alive dom(X) is

required for X to participate in any command

• Simulating enters– straightforward

7

© 2004 Ravi Sandhuwww.list.gmu.edu

ESPM types

• p: proxy entity type• Px/r dom(Py) for Px, Py of type p in ESPM system iff r [Py,Px] in HRU system

• {aj | j=1…Jmax}: agent types• Represent ESPM proxy entity in jth parameter of HRU command

• {vi | i=1…I}: validator types• Represent a collection of Ji entities in instance of HRU commandi

• Created by joint creation with agent types as parents• {tk

i | k=1…Ki, i=1…I}: term types• Simulate truth value of each term in each HRU command

• {cmi | m=1…Mi, i=1…I}: create types

• Simulate creates for each HRU command• {en

i | n=1…Ni, i=1…I}: enter types• Simulate enters for each HRU command

8

© 2004 Ravi Sandhuwww.list.gmu.edu

ESPM creation

9

© 2004 Ravi Sandhuwww.list.gmu.edu

ESPM attenuating loopsIf type(ui) = type(v)

Except that one such parent can have attenuating rulecrpj(u1, u2, …, uN, v) = pj/R2

j c/R1j

crc(u1 , u2, …, uN, v) = pj/R3j c/R4

j

soR1

j R2j and R3

j R2j and R4

j R1j

10

© 2004 Ravi Sandhuwww.list.gmu.edu

ESPM unfolded state

11

© 2004 Ravi Sandhuwww.list.gmu.edu

ESPM unfolded state

12

© 2004 Ravi Sandhuwww.list.gmu.edu

ESPM safety analysis

• exponential in types (like SPM)

• exponential in size of initial state (unlike SPM)

13

© 2004 Ravi Sandhuwww.list.gmu.edu

ESPM safety analysis

14

© 2004 Ravi Sandhuwww.list.gmu.edu

Expressive power of SPM and ESPM

• both are monotonic• ESPM is equivalent to monotonic HRU

• HRU can simulate ESPM• ESPM can simulate HRU

• ESPM with double-parent creation is equivalent to ESPM• ESPM is at least as expressive as SPM

• ESPM can simulate SPM trivially

• it turns out that SPM is less expressive than ESPM (and thereby less expressive than monotonic) HRU

15

© 2004 Ravi Sandhuwww.list.gmu.edu

Monotonic access graph model

• nodes are strongly typed• type of a node cannot change

• edges are strongly typed• type of an edge cannot change

• graph operations• initial state operations• node operations

– multi-parent– creates new edges from each parent to child

• edge operations– cannot create new nodes– must be monotonic (edges cannot be removed)

16

© 2004 Ravi Sandhuwww.list.gmu.edu

Simulation: scheme B simulates scheme A

17

© 2004 Ravi Sandhuwww.list.gmu.edu

Scheme A has double-parent creation

18

© 2004 Ravi Sandhuwww.list.gmu.edu

Double-parent creation in scheme A

19

© 2004 Ravi Sandhuwww.list.gmu.edu

Double-parent creation in scheme A

20

© 2004 Ravi Sandhuwww.list.gmu.edu

Failed simulation in scheme B with single-parent creation and identical initial state

21

© 2004 Ravi Sandhuwww.list.gmu.edu

Failed simulation in scheme B with single-parent creation and arbitrary initial state

22

© 2004 Ravi Sandhuwww.list.gmu.edu

Failed simulation in scheme B with single-parent creation and arbitrary initial state

23

© 2004 Ravi Sandhuwww.list.gmu.edu

Failed simulation in scheme B with single-parent creation and arbitrary initial state

24

© 2004 Ravi Sandhuwww.list.gmu.edu

Multi-parent creation does not add power in non-monotonic systems

25

© 2004 Ravi Sandhuwww.list.gmu.edu

Multi-parent creation

• Adds power to monotonic models

• Perhaps should be viewed as a non-monotonic binding operation

top related

intruction espm(airbus)
Documents
construction of an extended environmental and economic...
Documents
planejamento interativo - luiz felipe barros (espm)
Documents
storytelling para startups | labstartups espm 2013
Marketing
espm 228, advanced topics in biometeorology and
Documents
digital week espm 2013 - métricas online
Business
espm 111 ecosystem climate interactions
Documents
games: escola de criação - espm
Technology
booklet talk - aiesec espm (brazil)
Documents
makro - case espm
Documents
mas/espm - aula03
Education
carbon cycle espm 2 2015
Documents
futures thinking - espm - 2014
Education
espm - aula 2 - marketing digital - conrado adolpho
Education
serc presentation to espm
Documents
espm - aula 1 - marketing digital - conrado adolpho
Education
espm 111 carbon part 2 ecophysiology of...
Documents
lecture 7 notes espm 228 integrating ... -...
Documents
o universo do marketing digital - espm
Education
palestra espm out 2009
Business