© 2004 Ravi Sandhu www.list.gmu.edu The Schematic Protection Model (SPM) Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu [email protected]

Mar 27, 2015


Austin Ramsey

The Access Matrix Model, Lampson 1971

• In SPM objects only have columns
• SPM subjects can be active or passive
• Subjects and objects are collectively called entities

[Figure: access matrix diagram; labels: entities, objects]


SPM Protection Scheme

1. A finite set of entity types T partitioned into subject types T_S and object types T_O.

2. A finite set of right symbols R partitioned into inert rights R_I and control rights R_C. Ticket types are thereby T × R.

3. A finite collection of local link predicates {link_i | i = 1 ... N}.

4. A filter function f_i: T_S × T_S → 2^(T × R) corresponding to each link_i.

5. The demand function d: T_S → 2^(T × R).

6. The can-create relation cc T_S × T. Equivalently, cc: T_S → 2^T.

7. A local create-rule for each pair in cc.


SPM links, filter functions and copy flag

[Figure: link_i between subjects A and B, with filter function f_i between types t(A) and t(B)]

Y/x dom(A) cannot be copied

Y/xc dom(A) Y/xc or Y/x can be copied provided
- some link_i exists
- f_i authorizes flow of Y/xc or Y/x respectively

principle of discretionary propagation
or principle of attenuation
you can propagate what you have but no more

copy flag turns out to be unnecessary and circumventable


Examples of link predicates

1. link(X, Y) Y/g dom(X) X/t dom(Y)
2. link(X, Y) X/t dom(Y)
3. link(X, Y) Y/g dom(X)
4. link(X, Y) Y/s dom(X) X/g dom(Y)
5. link(X, Y) X/b dom(X)
6. link(X, Y) Y/p dom(Y)
7. link(X, Y) X/b dom(X) Y/p dom(Y)
8. link(X, Y) true


Examples of filter functions

1. f(a,b) = T × R

2. f(a,b) = T_O × R_I

3. f(a,b) =

4. f(a,b) = T × {r | r R}, i.e. no copy flag


SPM demand operation

[Figure: subject A and its demand set d(t(A))]

certain types of tickets can be obtained simply by demanding them


SPM create operation

• object creation

cr(a.parent, b.child) {b.child/x:c | x RI}

• subject creation

cr(a.parent,b.child) = LEFT | RIGHT

LEFT {a.parent/x:c, b.child/x:c | x R}

RIGHT {a.parent/x:c, b.child/x:c | x R}

LEFT goes to parent

RIGHT goes to child

[Figure: parent A creating child A’]


SPM create operation: attenuating loops

• subject creation of same type as parent

cr(a.parent, a.child) = LEFT | RIGHT

LEFT {a.parent/x:c, a.child/x:c | x R}

RIGHT {a.parent/x:c, a.child/x:c | x R}

• attenuating loops requires

RIGHT LEFT

a.child/x:c LEFT a.parent/x:c LEFT

[Figure: parent A creating child A’]


SPM Scheme I: Basic owner-based policy

1) T_S = {user}, T_O = {file}
2) R_I = {x:c}, R_C =
3) link_u(X,Y) true
4) f_u(user, user) = {file/xc}
5) d(user) =
6) cc(user) = {file}
7) cr(user,file) = {file/xc}


SPM Scheme II: Owner-based policy with owner-defined groups

(1) T_S = {user, group}, T_O = {file}
(2) R_I = {x:c}, R_C = {g:c}
(3) link_u(X, Y) true
    link_g(X, Y) Y/g dom(X)
(4) f_u(user, user) = {file/xc}
    f_u(user, group) = f_u(group, user) = f_u(group, group) =
    f_g(user, user) = f_g(group, group) = f_g(user, group) = {file/xc, user/g}
    f_g(group, user) = {file/x}
(5) d(user) = {user/gc}
(6) cc(user) = {file, group}
    cc(group) =
(7) cr(user,file) = {file/xc}
    cr(user,group) = {group/g} |


SPM Scheme VI: Basic Take-Grant Model

1. T_S = {sub}, T_O = {file}
2. R_I = {x:c}, R_C = {t:c, g:c}
3. link(X, Y) Y/g dom(X) X/t dom(Y)
4. f(sub, sub) = T × R
5. d(sub) =
6. cc(sub) = {file, sub}
7. cr(sub, file) = {file/xc}
   cr(sub, sub) = {sub.child/tgc} |

creation is acyclic with loops but create-rule cr(sub, sub) is not attenuating


Creation in Take-Grant

• subjects in initial state: may or may not have self tgc tickets
• created subjects without loss of generality will have self tgc tickets (in worst-case)

[Figure: A creating A’; ticket labels A’/tgc, A’/tgc]


SPM Scheme VII: Basic Take-Grant Model, acyclic attenuating

1. T_S = {isub, csub}, T_O = {file}
2. R_I = {x:c}, R_C = {t:c, g:c}
3. link(X, Y) Y/g dom(X) X/t dom(Y)
4. f(isub, isub) = T × R
   f(isub, csub) = T × R
   f(csub, isub) = T × R
   f(csub, csub) = T × R
5. d(sub) =
6. cc(isub) = {file, csub}
   cc(csub) = {file, csub}
7. cr(isub, file) = {file/xc}
   cr(csub, file) = {file/xc}
   cr(isub, csub) = {csub.child/tgc} |
   cr(csub, csub) = {csub.child/tgc, csub.parent/tgc} |

cr(csub, csub) is attenuating


flow function

• for a given state h

flow_h: SUB_h × SUB_h 2^(T × R)

• by convention flow_h(A,A) = T × R

• flow_h can be computed in O(|T × R| * |SUB_h|^3)
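An added example, not from the original slides: a Python rendering of the copy rule from the "links, filter functions and copy flag" slide and of the flow function, computed Floyd-Warshall style in O(|T × R| * |SUB_h|^3). It assumes flow_h(A,B) is the union, over link paths from A to B, of the intersection of the filters along each path (the slides give only the signature), and it reads link example 3 as "X holds a g ticket for Y"; the types, rights, state and filters are constructed.

```python
from itertools import product

T = ("user", "guest", "file")      # constructed entity types
R = ("x", "xc", "g")               # constructed rights; "xc" is x with the copy flag
ALL = frozenset(f"{t}/{r}" for t, r in product(T, R))   # T x R

# Constructed state h: entity types and the tickets (entity, right) in each domain.
TYPE = {"A": "user", "B": "user", "C": "guest", "F": "file"}
SUBJECTS = ("A", "B", "C")
DOM = {"A": {("B", "g"), ("F", "xc")}, "B": {("C", "g")}, "C": set()}

# Two link predicates in the style of the slide's examples 3 and 8 (assumed reading).
LINKS = {
    "g": lambda x, y: (y, "g") in DOM[x],   # X holds a g ticket for Y
    "u": lambda x, y: True,                 # universal link
}
# One constructed filter per link; unlisted type pairs authorize nothing.
FILTERS = {
    "g": {("user", "user"): ALL, ("user", "guest"): frozenset({"file/x"})},
    "u": {("user", "user"): frozenset({"file/xc"})},
}

def direct(x, y):
    """Ticket types authorized over any single link from x to y."""
    out = set()
    for name, pred in LINKS.items():
        if pred(x, y):
            out |= FILTERS[name].get((TYPE[x], TYPE[y]), frozenset())
    return frozenset(out)

def can_copy(x, y, entity, right):
    """Copy rule: x holds entity/<right> with the copy flag, and the filter of
    some link from x to y authorizes that ticket type."""
    held = (entity, right if right.endswith("c") else right + "c") in DOM[x]
    return held and f"{TYPE[entity]}/{right}" in direct(x, y)

def flow(subjects=SUBJECTS):
    """All-pairs flow: union over paths of the intersection of filters."""
    f = {(a, b): ALL if a == b else direct(a, b)
         for a, b in product(subjects, repeat=2)}
    for k, a, b in product(subjects, repeat=3):   # k is the outermost loop
        f[a, b] = f[a, b] | (f[a, k] & f[k, b])
    return f

FLOW = flow()
```

In this state `FLOW["A", "C"]` contains file/x even though `can_copy("A", "C", "F", "x")` is false: no single link from A to C authorizes the ticket, but the path through B does.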


flow in take-grant

• initial state

flow_0(A,B) = T × R

flow_0(B,A) =

• derived state h

flow_h(A,B) = T × R

flow_h(B,A) = T × R

[Figure: subjects A, B and created subject A’; ticket labels A/t, A’/tgc, A/tc, A’/tgc]


maximal state

• a derived state with maximum flow between all subjects in SUB_0

• flow*: SUB_0 × SUB_0 2^(T × R) is flow function in a maximal state

• because of monotonicity a maximal state is guaranteed to exist

• typically there will be an infinite number of maximal states


no-creates maximal state

• a derived state without any create operations with maximum flow between all subjects in SUB_0

• flow#: SUB_0 × SUB_0 T × R is flow function in a no-creates maximal state

• no-creates maximal state can be computed in O(N * |T × R| * |SUB_0|^5) where N is number of link predicates


maximal state for acyclic attenuating schemes

• start with initial state

• perform create operations to get unfolded state

• compute no-creates maximal state


The unfolded state

cc(a) = {a,b}
cc(b) = {b}


Safety is decidable for acyclic attenuating schemes