434 difference between a directory and a file. The files @{term f} in |
434 difference between a directory and a file. The files @{term f} in |
435 the definition above are simply lists of strings. For example, the |
435 the definition above are simply lists of strings. For example, the |
436 file @{text "/usr/bin/make"} is represented by the list @{text |
436 file @{text "/usr/bin/make"} is represented by the list @{text |
437 "[make, bin, usr]"} and the @{text root}-directory is the @{text |
437 "[make, bin, usr]"} and the @{text root}-directory is the @{text |
438 Nil}-list. Following the presentation in \cite{ottrc}, our model of |
438 Nil}-list. Following the presentation in \cite{ottrc}, our model of |
439 IPCs is rather simple-minded: we only have events for creation and deletion Of IPCs, |
439 IPCs is rather simple-minded: we only have events for creation and deletion of IPCs, |
440 as well as sending and receiving messages. |
440 as well as sending and receiving messages. |
441 |
441 |
442 Events essentially transform one state of the system into |
442 Events essentially transform one state of the system into |
443 another. The system starts with an initial state determining which |
443 another. The system starts with an initial state determining which |
444 processes, files and IPCs are active at the start of the system. We assume the |
444 processes, files and IPCs are active at the start of the system. We assume the |
497 events for cloning a process, respectively killing a process, update this |
497 events for cloning a process, respectively killing a process, update this |
498 set of processes appropriately. Otherwise the set of live |
498 set of processes appropriately. Otherwise the set of live |
499 processes is unchanged. We have similar functions for alive files and |
499 processes is unchanged. We have similar functions for alive files and |
500 IPCs, called @{term "current_files"} and @{term "current_ipcs"}. |
500 IPCs, called @{term "current_files"} and @{term "current_ipcs"}. |
501 |
501 |
502 We can use these function in order to formally model which events are |
502 We can use these functions in order to formally model which events are |
503 \emph{admissible} by the operating system in each state. We show just three |
503 \emph{admissible} by the operating system in each state. We show just three |
504 rules that give the gist of this definition. First the rule for changing |
504 rules that give the gist of this definition. First the rule for changing |
505 an owner of a process: |
505 an owner of a process: |
506 |
506 |
507 \begin{center} |
507 \begin{center} |
534 \noindent |
534 \noindent |
535 Clearly the operating system should only allow to clone a process @{text p} if the |
535 Clearly the operating system should only allow to clone a process @{text p} if the |
536 process is currently alive. The cloned process will get the process |
536 process is currently alive. The cloned process will get the process |
537 ID generated by the function @{term new_proc}. This process ID should |
537 ID generated by the function @{term new_proc}. This process ID should |
538 not already exist. Therefore we define @{term new_proc} as |
538 not already exist. Therefore we define @{term new_proc} as |
|
539 |
|
540 (* HERE ????? chunhan *) |
539 |
541 |
540 \begin{isabelle}\ \ \ \ \ %%% |
542 \begin{isabelle}\ \ \ \ \ %%% |
541 \mbox{\begin{tabular}{l@ {\hspace{2mm}}c@ {\hspace{2mm}}l} |
543 \mbox{\begin{tabular}{l@ {\hspace{2mm}}c@ {\hspace{2mm}}l} |
542 @{term "new_proc s"} & @{text "\<equiv>"} & @{term "Max (current_procs s) + 1"} |
544 @{term "new_proc s"} & @{text "\<equiv>"} & @{term "Max (current_procs s) + 1"} |
543 \end{tabular}} |
545 \end{tabular}} |
568 where we check whether the process @{text p} has currently role @{text r} and |
570 where we check whether the process @{text p} has currently role @{text r} and |
569 whether the RC-policy states that @{text r'} is in the role compatibility |
571 whether the RC-policy states that @{text r'} is in the role compatibility |
570 set of @{text r}. |
572 set of @{text r}. |
571 |
573 |
572 The complication in the RC-Model arises from the |
574 The complication in the RC-Model arises from the |
573 way how the current role of a process in a state @{text s} is |
575 way the current role of a process in a state @{text s} is |
574 calculated---represented by the predicate @{term is_current_role} in our formalisation. |
576 calculated---represented by the predicate @{term is_current_role} in our formalisation. |
575 For defining this predicate we need to trace the role of a process from |
577 For defining this predicate we need to trace the role of a process from |
576 the initial state to the current state. In the |
578 the initial state to the current state. In the |
577 initial state all processes have the role given by the function |
579 initial state all processes have the role given by the function |
578 @{term "init_current_role"}. If a @{term Clone} event happens then |
580 @{term "init_current_role"}. If a @{term Clone} event happens then |
620 @{thm[mode=Rule] rcgrant1} |
622 @{thm[mode=Rule] rcgrant1} |
621 \end{center} |
623 \end{center} |
622 |
624 |
623 \noindent |
625 \noindent |
624 We check whether @{term pf} is the parent file (directory) of @{text f} and check |
626 We check whether @{term pf} is the parent file (directory) of @{text f} and check |
625 whether the type of @{term pf} is @{term t}. We also need to fetch the |
627 whether the type of @{term pf} is @{term t}. We also need to fetch |
626 the role @{text r} of the process that seeks to get permission for creating |
628 the role @{text r} of the process that seeks to get permission for creating |
627 the file. If the default type of this role @{text r} states that the |
629 the file. If the default type of this role @{text r} states that the |
628 type of the newly created file will be inherited from the parent file |
630 type of the newly created file will be inherited from the parent file |
629 type, then we only need to check that the policy states that @{text r} |
631 type, then we only need to check that the policy states that @{text r} |
630 has permission to write into the directory @{text pf}. |
632 has permission to write into the directory @{text pf}. |
779 the ones system administrators are typically interested in (for |
781 the ones system administrators are typically interested in (for |
780 example system files). It should be clear, however, that we cannot |
782 example system files). It should be clear, however, that we cannot |
781 hope for a meaningful check by just trying out all possible |
783 hope for a meaningful check by just trying out all possible |
782 valid states in our dynamic model. The reason is that there are |
784 valid states in our dynamic model. The reason is that there are |
783 potentially infinitely many of them and therefore the search space would be |
785 potentially infinitely many of them and therefore the search space would be |
784 infinite. For example staring from an |
786 infinite. For example starting from an |
785 initial state containing a process @{text p} and a file @{text pf}, |
787 initial state containing a process @{text p} and a file @{text pf}, |
786 we can create files @{text "f\<^isub>1"}, @{text "f\<^isub>2"}, @{text "..."} |
788 we can create files @{text "f\<^isub>1"}, @{text "f\<^isub>2"}, @{text "..."} |
787 via @{text "CreateFile"}-events. This can be pictured roughly as follows: |
789 via @{text "CreateFile"}-events. This can be pictured roughly as follows: |
788 |
790 |
789 \begin{center} |
791 \begin{center} |
942 "ReadFile"}-event does not change the set of objects, therefore no |
944 "ReadFile"}-event does not change the set of objects, therefore no |
943 new information needs to be recorded. The problem we are avoiding |
945 new information needs to be recorded. The problem we are avoiding |
944 with this setup of recording the precise information for the initial |
946 with this setup of recording the precise information for the initial |
945 state is where two processes have the same role and type |
947 state is where two processes have the same role and type |
946 information, but only one is tainted in the initial state, but the |
948 information, but only one is tainted in the initial state, but the |
947 other is not. The recorded unique process IDs allows us to |
949 other is not. The recorded unique process ID allows us to |
948 distinguish between both processes. For all newly created objects, |
950 distinguish between both processes. For all newly created objects, |
949 on the other hand, we do not care. This is crucial, because |
951 on the other hand, we do not care. This is crucial, because |
950 otherwise exploring all possible ``reachable'' objects can lead to |
952 otherwise exploring all possible ``reachable'' objects can lead to |
951 the potential infinity like in the dynamic model. |
953 the potential infinity like in the dynamic model. |
952 |
954 |
1120 \end{center} |
1122 \end{center} |
1121 |
1123 |
1122 \noindent |
1124 \noindent |
1123 The function @{text "\<lbrakk>_\<rbrakk>"} extracts the static information from an object. |
1125 The function @{text "\<lbrakk>_\<rbrakk>"} extracts the static information from an object. |
1124 For example for a process it extracts the role, default role, type and |
1126 For example for a process it extracts the role, default role, type and |
1125 user; for a file the type and the anchor. If a process in tainted and creates |
1127 user; for a file the type and the anchor. If a process is tainted and creates |
1126 a file with a normal type @{text "t'"} then also the created file |
1128 a file with a normal type @{text "t'"} then also the created file |
1127 is tainted. The corresponding rule is |
1129 is tainted. The corresponding rule is |
1128 |
1130 |
1129 \begin{center} |
1131 \begin{center} |
1130 @{thm [mode=Rule] ts_cfd[where sd=a and sf="fo" and sp="po" and fr="dr"]} |
1132 @{thm [mode=Rule] ts_cfd[where sd=a and sf="fo" and sp="po" and fr="dr"]} |
1247 weakness of our result, but in practice this seems to cover the |
1249 weakness of our result, but in practice this seems to cover the |
1248 interesting scenarios encountered by system administrators. They |
1250 interesting scenarios encountered by system administrators. They |
1249 want to know whether a virus-infected file introduced by a user can |
1251 want to know whether a virus-infected file introduced by a user can |
1250 affect the core system files. Our test allows the system |
1252 affect the core system files. Our test allows the system |
1251 administrator to find this out provided the RC-policy makes the core |
1253 administrator to find this out provided the RC-policy makes the core |
1252 system files undeletable. We assume that this provisio is already part |
1254 system files undeletable. We assume that this proviso is already part |
1253 of best practice rule for running a system. |
1255 of best practice rule for running a system. |
1254 |
1256 |
1255 We envisage our test to be useful in two kind of situations: First, if |
1257 We envisage our test to be useful in two kind of situations: First, if |
1256 there was a break-in into a system, then, clearly, the system |
1258 there was a break-in into a system, then, clearly, the system |
1257 administrator can find out whether the existing access policy was |
1259 administrator can find out whether the existing access policy was |
1415 We have similar observation functions calculating the current type for processes |
1418 We have similar observation functions calculating the current type for processes |
1416 and IPCs too, only diffence here is that there is no ``effcient'' type here for |
1419 and IPCs too, only diffence here is that there is no ``effcient'' type here for |
1417 processes and IPCs, all types that calculated by @{term "type_of_process"} and |
1420 processes and IPCs, all types that calculated by @{term "type_of_process"} and |
1418 @{term "type_of_ipc"} are alrealdy efficient types. |
1421 @{term "type_of_ipc"} are alrealdy efficient types. |
1419 |
1422 |
1420 *} |
1423 *) |
|
1424 |
|
1425 (* |
1421 |
1426 |
1422 text {* |
1427 text {* |
1423 \begin{isabelle}\ \ \ \ \ %%% |
1428 \begin{isabelle}\ \ \ \ \ %%% |
1424 \mbox{ |
1429 \mbox{ |
1425 \begin{tabular}{r@ {\hspace{1mm}}l@ {\hspace{2mm}}l@ {\hspace{2mm}}l} |
1430 \begin{tabular}{r@ {\hspace{1mm}}l@ {\hspace{2mm}}l@ {\hspace{2mm}}l} |
1484 efficient initial role is using special value @{term |
1489 efficient initial role is using special value @{term |
1485 "UseForcedRole"}, then the new role for the process is then |
1490 "UseForcedRole"}, then the new role for the process is then |
1486 determinated by the efficient forced role of the executable file |
1491 determinated by the efficient forced role of the executable file |
1487 @{term "forcedrole"}. When new process is created, this process' |
1492 @{term "forcedrole"}. When new process is created, this process' |
1488 role is assigned to its creator's role. |
1493 role is assigned to its creator's role. |
|
1494 |
|
1495 *} |
1489 *) |
1496 *) |