Scribd Logo
Upload

Welcome to Scribd!

  • 2 views

    Take Grant Model

    Uploaded by

    Ma va

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Take Grant Model

    Uploaded by

    Ma va
    2 views29 pages

    Original Title

    Take Grant model

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    2 views29 pages

    Take Grant Model

    Uploaded by

    Ma va

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 29

    IT-Security

    Access Control: Take-Grant Model

    Volker Roth

    Institut für Informatik


    Freie Universität Berlin

    Sommersemester 2009
    Initial Remarks

    In 1976, Lipton and Snyder presented a particular access


    control mechanism, the take and grant system, for which
    safety can be decided in linear time.
    R. J. Lipton and L. Snyder.
    “A linear time algorithm for deciding subject security.”
    Journal of the ACM, 24(3):455-464, July 1977.
    Definitions

    A protection graph is a directed graph G with two distinct


    kinds of vertices: subjects and objects. The edges are labeled
    with subsets of a finite set R of rights.
    Subjects are active vertices (they represent e.g., processes or
    users); they can pass authority by invoking graph rewriting
    rules. We write

    G ` G0

    if the graph G 0 is produced from G by a rewriting rule. The


    symbol `∗ represents zero or more rule applications.
    Definitions

    A witness is a sequence of graph rewriting rules which produce


    the predicate or condition being witnessed (e.g., the proof of a
    theorem).
    The set {t, g, r , w } ∈ R of rights has special semantics which
    we describe next.
    Take Rule

    Let x , y, y be distinct vertices with x being a subject. Let


    α ⊆ β be a set of rights. Let there be an edge from x to z
    labeled γ with t ∈ γ. Then

    x takes (α to y) from z

    produces a new graph as shown below


    α

    t β t β
    `
    x z y x z y
    Grant Rule

    Let x , y, y be distinct vertices with z being a subject. Let


    α ⊆ β be a set of rights. Let there be an edge from z to x
    labeled γ with g ∈ γ. Then

    z grants(α to y) to x

    produces a new graph as shown below


    α

    g β g β
    `
    x z y x z y
    Create Rule

    Let x be a subject in the protection graph and let α ∈ R.

    x creates (α to new vertex) y

    defines a new graph with an added vertice y and an edge from


    x to y labeled α, as shown below
    α
    `
    x x y
    Remove Rule

    Let x , y be distinct vertices in a protection graph such that x


    is a subject. Let there be an explicit edge from x to y labeled
    β and let α ∈ β.

    x removes (α to ) y

    defines a new graph by deleting α from β as shown below


    β β−α
    `
    x y x y

    If β − α is empty then the edge is deleted.


    Rules Summary

    The take and grant model has four de jure rules:

    x takes (α to y) from z
    x grants(α to y) to z
    x creates (α to new vertex) y
    x removes (α to ) y

    Remeber that only subjects can act i.e., in all rules, x is a


    subject. We need this later in the proofs.
    Safety

    We are again interested in the question of safety.


    One concrete question to start with is, given a protection
    graph G, can a vertex x obtain α rights over another vertex y?
    Sharing of Rights

    Definition (can • share)


    The predicate can • share(α, x , y, G0 ) is true for rights α and
    vertices x , y in G0 iff there exists a sequence G1 . . . Gn such
    that G0 `∗ Gn using only de jure rules and in Gn there is an
    edge from x to y labeled α.

    To establish the conditions under which this theorem holds we


    need a few definitions and intermediate steps.
    Definitions

    Definition (tg-path)
    A tg-path is a nonempty sequence v0 . . . vn of distinct vertices
    such that vi is connected to vi+1 for 0 ≤ i < n by an edge
    with a label containing t or g.

    Definition (tg-connected)
    Two vertices are tg-connected iff there is a tg-path between
    them.
    Lemma 1

    We can prove that any two subjects with a tg-path of length 1


    can share rights. Four paths are possible and the de jure rules
    cover two of them.
    Here is another one.
    α

    t α t α
    `∗
    x z y x z y

    We prove this as a Lemma, next.


    Proof of Lemma 1

    For ease of understanding, new edges are drawn as a dashed


    line when they are introduced.

    x creates (tg to new vertex) v

    tg
    t α t α
    `
    x z y x z y
    Proof of Lemma 1

    z takes (g to v ) from x

    v v
    g
    tg tg
    t α t α
    `
    x z y x z y
    Proof of Lemma 1

    z grants (α to y) to v

    v v
    α
    g g
    tg tg
    t α t α
    `
    x z y x z y
    Proof of Lemma 1

    x takes (α to y) from v

    v
    v α
    α g
    g tg
    tg
    t α
    t α x z y
    `
    x z y α
    Lemma 2

    In a similar fashion, the following Lemma can be shown


    α

    g α g α
    `∗
    x z y x z y

    Can you do it?


    Lemma 2
    Answer

    x creates (tg to new vertex) v


    x grants(g to v ) to z
    z grants(α to y) to v
    x takes (α to y) from v

    v
    α
    g
    tg
    g α
    x z y
    α
    Definitions

    Definition (Island)
    An island is a maximal tg-connected subject-only subgraph.

    Corollary
    Within an island, any right possessed by any vertex can be
    shared with any other vertex in the island.

    Proof sketch: We know this is true for a tg-connected path


    of length 1. An induction can show that it is also true for
    paths of length n > 1.
    Definitions

    What if there are objects in between subjects?

    Definition (Bridge)
    A bridge is a tg-path with endpoints v0 and vn both subjects
    ←− − → → −−→← − − →← −←−
    and the path’s associated word is in { t∗ , t∗ , t∗ g t∗ , t∗ g t∗ }.

    Note: All we need are bridges that are not islands.


    Note: Since v0 and vn are subjects they can transfer rights
    from one endpoint to the other.
    Sharing of Rights

    Theorem (Subjects can share)


    The predicate subject • can • share(α, x , y, G0 ) is true iff x , y
    are subjects and there is an edge from x to y in G0 labeled α,
    or if the following hold simultaneously:
    1. There is a subject s ∈ G0 with an edge to y labeled α;
    2. There exist islands I1 . . . In such that x is in I1 , s is in In ,
    and there is a bridge from Ii to Ii+1 for 1 ≤ i < n.

    Question: If we show this, are we done yet?


    Sharing of Rights

    Because subjects can act and objects cannot, we need to


    cover the case that the transfer begins with a right possessed
    by an object and concludes by giving that right to another
    object.
    Definitions

    Definition
    A vertex x initially spans to y if x is a subject and there is a
    tg-path between x and y with an associated word in
    →−
    − →
    { t∗ g , ν}.

    Definition
    A vertex x terminally spans to y if x is a subject and there is a


    tg-path between x and y with an associated word in { t∗ , ν}.
    Sharing of Rights

    Theorem (Can share)


    The predicate can • share(α, x , y, G0 ) is true iff there is an
    edge from x to y in G0 labeled α, or if all following hold:
    1. There exists s ∈ G0 with an edge to y labeled α;
    2. There is a subject vertex x 0 ∈ G0 such that x 0 = x or x 0
    initially spans to x ;
    3. There is a subject vertex s 0 ∈ G0 such that s 0 = s or s 0
    terminally spans to s;
    4. There exist islands I1 . . . In such that x 0 is in I1 , s 0 is in
    In , and there is a bridge from Ii to Ii+1 for 1 ≤ i < n.
    Sharing of Rights

    The proof is rather straightforward by showing for all four


    conditions that rights can be passed.

    Corollary
    There is an algorithm of complexity O(|V | + |E |) that tests
    the predicate can • share, where V is the set of vertices and E
    is the set of edges, in G0 .

    The algorithm finds a path between x and y and verifies that


    it matches the conditions.
    Example

    Suppose that two processes p and q communicate through a


    buffer b controlled by a trusted entity s. Each process has its
    own private information e.g., files u and v .
    p r, w p r, w

    g g r, w
    r, w
    s s
    g g r, w

    q r, w q r, w
    Example

    Other notions of safety that were explored in this model:


    I Theft (no owner of any right over an object grants that
    right to another)
    I Conspiracy (what is the minimum number of actors
    necessary to transfer a right?)
    I Information flow (Where can information go if no rights
    are transferred?)
    Any questions?

    You might also like

    pFad - Phonifier reborn

    Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

    Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


    Alternative Proxies:

    Alternative Proxy

    pFad Proxy

    pFad v3 Proxy

    pFad v4 Proxy