![Page 1: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/1.jpg)
April 6, 2004 ECS 235 Slide #1
Chapter 13: Design Principles
• Overview• Principles
– Least Privilege– Fail-Safe Defaults– Economy of Mechanism– Complete Mediation– Open Design – Separation of Privilege– Least Common Mechanism– Psychological Acceptability
![Page 2: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/2.jpg)
April 6, 2004 ECS 235 Slide #2
Overview
• Simplicity– Less to go wrong– Fewer possible inconsistencies– Easy to understand
• Restriction– Minimize access– Inhibit communication
![Page 3: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/3.jpg)
April 6, 2004 ECS 235 Slide #3
Least Privilege
• A subject should be given only those privileges necessary to complete its task– Function, not identity, controls– Rights added as needed, discarded after use– Minimal protection domain
![Page 4: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/4.jpg)
April 6, 2004 ECS 235 Slide #4
Fail-Safe Defaults
• Default action is to deny access
• If action fails, system as secure as when action began
![Page 5: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/5.jpg)
April 6, 2004 ECS 235 Slide #5
Economy of Mechanism
• Keep it as simple as possible– KISS Principle
• Simpler means less can go wrong– And when errors occur, they are easier to
understand and fix
• Interfaces and interactions
![Page 6: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/6.jpg)
April 6, 2004 ECS 235 Slide #6
Complete Mediation
• Check every access
• Usually done once, on first action– UNIX: Access checked on open, not checked
thereafter
• If permissions change after, may get unauthorized access
![Page 7: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/7.jpg)
April 6, 2004 ECS 235 Slide #7
Open Design
• Security should not depend on secrecy of design or implementation– Popularly misunderstood to mean that source
code should be public– “Security through obscurity” – Does not apply to information such as
passwords or cryptographic keys
![Page 8: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/8.jpg)
April 6, 2004 ECS 235 Slide #8
Separation of Privilege
• Require multiple conditions to grant privilege– Separation of duty– Defense in depth
![Page 9: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/9.jpg)
April 6, 2004 ECS 235 Slide #9
Least Common Mechanism
• Mechanisms should not be shared– Information can flow along shared channels– Covert channels
• Isolation– Virtual machines– Sandboxes
![Page 10: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/10.jpg)
April 6, 2004 ECS 235 Slide #10
Psychological Acceptability
• Security mechanisms should not add to difficulty of accessing resource– Hide complexity introduced by security
mechanisms– Ease of installation, configuration, use– Human factors critical here
![Page 11: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/11.jpg)
April 6, 2004 ECS 235 Slide #11
Key Points
• Principles of secure design underlie all security-related mechanisms
• Require:– Good understanding of goal of mechanism and
environment in which it is to be used– Careful analysis and design– Careful implementation
![Page 12: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/12.jpg)
April 6, 2004 ECS 235 Slide #12
Chapter 2: Access Control Matrix
• Overview• Access Control Matrix Model
– Boolean Expression Evaluation– History
• Protection State Transitions– Commands– Conditional Commands
• Special Rights– Principle of Attenuation of Privilege
![Page 13: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/13.jpg)
April 6, 2004 ECS 235 Slide #13
Overview
• Protection state of system– Describes current settings, values of system
relevant to protection
• Access control matrix– Describes protection state precisely– Matrix describing rights of subjects– State transitions change elements of matrix
![Page 14: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/14.jpg)
April 6, 2004 ECS 235 Slide #14
Description
objects (entities)
subj
ects
s1
s2
…
sn
o1 … om s1 … sn
• Subjects S = { s1,…,sn }
• Objects O = { o1,…,om }
• Rights R = { r1,…,rk }
• Entries A[si, oj] R
• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
![Page 15: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/15.jpg)
April 6, 2004 ECS 235 Slide #15
Example 1
• Processes p, q
• Files f, g
• Rights r, w, x, a, o
f g p q
p rwo r rwxo w
q a ro r rwxo
![Page 16: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/16.jpg)
April 6, 2004 ECS 235 Slide #16
Example 2
• Procedures inc_ctr, dec_ctr, manage
• Variable counter
• Rights +, –, call
counter inc_ctr dec_ctr manage
inc_ctr +
dec_ctr –
manage call call call
![Page 17: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/17.jpg)
April 6, 2004 ECS 235 Slide #17
Boolean Expression Evaluation
• ACM controls access to database fields– Subjects have attributes– Verbs define type of access– Rules associated with objects, verb pair
• Subject attempts to access object– Rule for object, verb evaluated, grants or denies
access
![Page 18: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/18.jpg)
April 6, 2004 ECS 235 Slide #18
Example
• Subject annie– Attributes role (artist), groups (creative)
• Verb paint– Default 0 (deny unless explicitly granted)
• Object picture– Rule:
paint: ‘artist’ in subject.role and‘creative’ in subject.groups andtime.hour >= 0 and time.hour < 5
![Page 19: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/19.jpg)
April 6, 2004 ECS 235 Slide #19
ACM at 3AM and 10AM
… picture …
… a
nnie
…
paint
At 3AM, time conditionmet; ACM is:
… picture …
… a
nnie
…
At 10AM, time conditionnot met; ACM is:
![Page 20: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/20.jpg)
April 6, 2004 ECS 235 Slide #20
History
Database:name position age salaryAlice teacher 45 $40,000Bob aide 20 $20,000Cathy principal 37 $60,000Dilbert teacher 50 $50,000Eve teacher 33 $50,000
Queries:1.sum(salary, “position = teacher”) = 140,0002.sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Eve’s salary)
![Page 21: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/21.jpg)
April 6, 2004 ECS 235 Slide #21
ACM of Database Queries
Oi = { objects referenced in query i }
f(oi) = { read } for oj Oi, if |j = 1,…,iOj| < 2
f(oi) = for oj Oi, otherwise
1. O1 = { Alice, Dilbert, Eve } and no previous query set, so:
A[asker, Alice] = f(Alice) = { read }
A[asker, Dilbert] = f(Dilbert) = { read }
A[asker, Eve] = f(Eve) = { read }
and query can be answered
![Page 22: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/22.jpg)
April 6, 2004 ECS 235 Slide #22
But Query 2
From last slide:
f(oi) = { read } for oj Oi, if |j = 1,…,iOj| < 2
f(oi) = for oj Oi, otherwise
2. O2 = { Alice, Dilbert } but | O2 O1 | = 2 so
A[asker, Alice] = f(Alice) =
A[asker, Dilbert] = f(Dilbert) =
and query cannot be answered
![Page 23: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/23.jpg)
April 6, 2004 ECS 235 Slide #23
State Transitions
• Change the protection state of system• H represents transition
– Xi H Xi+1: command moves system from state Xi to Xi+1
– Xi H* Xi+1: a sequence of commands moves system from state Xi to Xi+1
• Commands often called transformation procedures
![Page 24: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/24.jpg)
April 6, 2004 ECS 235 Slide #24
Primitive Operations
• create subject s; create object o– Creates new row, column in ACM; creates new column in ACM
• destroy subject s; destroy object o– Deletes row, column from ACM; deletes column from ACM
• enter r into A[s,o]– Adds r rights for subject s over object o
• delete r from A[s,o]– Removes r rights from subject s over object o
![Page 25: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/25.jpg)
April 6, 2004 ECS 235 Slide #25
Create Subject
• Precondition: s S
• Primitive command: create subject s
• Postconditions:– S´ = S { s }, O´ = O { s }– (y O´)[a´[s, y] = ], (x S´)[a´[x, s] = ]– (x S)(y O)[a´[x, y] = a[x, y]]
![Page 26: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/26.jpg)
April 6, 2004 ECS 235 Slide #26
Create Object
• Precondition: o O
• Primitive command: create object o
• Postconditions:– S´ = S, O´ = O { o }– (x S´)[a´[x, o] = ]– (x S)(y O)[a´[x, y] = a[x, y]]
![Page 27: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/27.jpg)
April 6, 2004 ECS 235 Slide #27
Add Right
• Precondition: s S, o O
• Primitive command: enter r into a[s, o]
• Postconditions:– S´ = S, O´ = O– a´[s, o] = a[s, o] { r }– (x S´)(y O´ – { o }) [a´[x, y] = a[x, y]]– (x S´ – { s })(y O´) [a´[x, y] = a[x, y]]
![Page 28: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/28.jpg)
April 6, 2004 ECS 235 Slide #28
Delete Right
• Precondition: s S, o O
• Primitive command: delete r from a[s, o]
• Postconditions:– S´ = S, O´ = O– a´[s, o] = a[s, o] – { r }– (x S´)(y O´ – { o }) [a´[x, y] = a[x, y]]– (x S´ – { s })(y O´) [a´[x, y] = a[x, y]]
![Page 29: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/29.jpg)
April 6, 2004 ECS 235 Slide #29
Destroy Subject
• Precondition: s S
• Primitive command: destroy subject s
• Postconditions:– S´ = S – { s }, O´ = O – { s }– (y O´)[a´[s, y] = ], (x S´)[a´[x, s] = ]– (x S´)(y O´) [a´[x, y] = a[x, y]]
![Page 30: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/30.jpg)
April 6, 2004 ECS 235 Slide #30
Destroy Object
• Precondition: o o
• Primitive command: destroy object o
• Postconditions:– S´ = S, O´ = O – { o }– (x S´)[a´[x, o] = ]– (x S´)(y O´) [a´[x, y] = a[x, y]]
![Page 31: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/31.jpg)
April 6, 2004 ECS 235 Slide #31
Creating File
• Process p creates file f with r and w permissioncommand create•file(p, f)
create object f;enter own into A[p, f];enter r into A[p, f];enter w into A[p, f];
end
![Page 32: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/32.jpg)
April 6, 2004 ECS 235 Slide #32
Mono-Operational Commands
• Make process p the owner of file gcommand make•owner(p, g)
enter own into A[p, g];end
• Mono-operational command– Single primitive operation in this command
![Page 33: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/33.jpg)
April 6, 2004 ECS 235 Slide #33
Conditional Commands
• Let p give q r rights over f, if p owns fcommand grant•read•file•1(p, f, q)
if own in A[p, f]then
enter r into A[q, f];end
• Mono-conditional command– Single condition in this command
![Page 34: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/34.jpg)
April 6, 2004 ECS 235 Slide #34
Multiple Conditions
• Let p give q r and w rights over f, if p owns f and p has c rights over qcommand grant•read•file•2(p, f, q)
if own in A[p, f] and c in A[p, q]then
enter r into A[q, f];enter w into A[q, f];
end
![Page 35: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/35.jpg)
April 6, 2004 ECS 235 Slide #35
Copy Right
• Allows possessor to give rights to another
• Often attached to a right, so only applies to that right– r is read right that cannot be copied– rc is read right that can be copied
• Is copy flag copied when giving r rights?– Depends on model, instantiation of model
![Page 36: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/36.jpg)
April 6, 2004 ECS 235 Slide #36
Own Right
• Usually allows possessor to change entries in ACM column– So owner of object can add, delete rights for
others– May depend on what system allows
• Can’t give rights to specific (set of) users
• Can’t pass copy flag to specific (set of) users
![Page 37: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/37.jpg)
April 6, 2004 ECS 235 Slide #37
Attenuation of Privilege
• Principle says you can’t give rights you do not possess– Restricts addition of rights within a system– Usually ignored for owner
• Why? Owner gives herself rights, gives them to others, deletes her rights.
![Page 38: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/38.jpg)
April 6, 2004 ECS 235 Slide #38
Key Points
• Access control matrix simplest abstraction mechanism for representing protection state
• Transitions alter protection state
• 6 primitive operations alter matrix– Transitions can be expressed as commands
composed of these operations and, possibly, conditions
![Page 39: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/39.jpg)
April 6, 2004 ECS 235 Slide #39
Chapter 3: Foundational Results
• Overview
• Harrison-Ruzzo-Ullman result– Corollaries
• Take-Grant Protection Model
• SPM and successors
![Page 40: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/40.jpg)
April 6, 2004 ECS 235 Slide #40
Overview
• Safety Question
• HRU Model
• Take-Grant Protection Model
• SPM, ESPM– Multiparent joint creation
• Expressive power
• Typed Access Matrix Model
![Page 41: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/41.jpg)
April 6, 2004 ECS 235 Slide #41
What Is “Secure”?
• Adding a generic right r where there was not one is “leaking”
• If a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r.
![Page 42: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/42.jpg)
April 6, 2004 ECS 235 Slide #42
Safety Question
• Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r?– Here, “safe” = “secure” for an abstract model
![Page 43: April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649d405503460f94a198b9/html5/thumbnails/43.jpg)
April 6, 2004 ECS 235 Slide #43
Mono-Operational Commands
• Answer: yes• Sketch of proof:
Consider minimal sequence of commands c1, …, ck to leak the right.–Can omit delete, destroy–Can merge all creates into oneWorst case: insert every right into every entry; with s subjects and o objects initially, and n rights, upper bound is k ≤ n(s+1)(o+1)