1 (*<*) |
1 (*<*) |
2 theory Paper |
2 theory Paper |
3 imports rc_theory final_theorems rc_theory os_rc |
3 imports rc_theory final_theorems rc_theory os_rc |
4 begin |
4 begin |
|
5 |
|
6 (* Still to be done |
|
7 |
|
8 - ... which OSes exactly use RBAC? SELinux uses DTE which |
|
9 seems simpler than the RC-Model, but the authors never cite the |
|
10 DTE papers when mentioning SELinux. |
|
11 |
|
12 - Fred Spiessens' work on SCOLLAR |
|
13 |
|
14 - Related work: "Gran: Model Checking Grsecurity RBAC Policies" at CSF 2012 explores |
|
15 similar issues with policies (but does not provide formal proofs); in particular it |
|
16 defines a property similar to tainting, develops an abstraction for dynamic |
|
17 taintability, and report issues with role inheritance rules. |
|
18 |
|
19 [1] Mikhail I. Gofman, Ruiqi Luo, Ayla C. Solomon, Yingbin Zhang, Ping Yang, |
|
20 Scott D. Stoller: RBAC-PAT: A Policy Analysis Tool for Role Based Access |
|
21 Control. TACAS 2009:46--49. |
|
22 |
|
23 [2] Scott D. Stoller, Ping Yang, C. R. Ramakrishnan, Mikhail I. Gofman: |
|
24 Efficient policy analysis for administrative role based access control. ACM |
|
25 Conference on Computer and Communications Security 2007:445--455. |
|
26 |
|
27 [3] Arosha K. Bandara, Emil Lupu, Alessandra Russo: Using Event Calculus to |
|
28 Formalise Policy Specification and Analysis. POLICY 2003. |
|
29 |
|
30 Elisa Bertino, Barbara Catania, Elena Ferrari, and Paolo Perlasca. A logical framework for reasoning about access control models. ACM Trans. Inf. Syst. Secur, 6:71–127, 2003. |
|
31 |
|
32 J. Bryans. Reasoning about XACML policies using CSP. In Proceedings of the 2005 workshop on Secure web services, page 35. ACM, 2005. |
|
33 |
|
34 K. Fisler, S. Krishnamurthi, L.A. Meyerovich, and M.C. Tschantz. Verification and changeimpact analysis of access control policies. In Proceedings of the 27th international conference on Software engineering, pages 196–205. ACM New York, NY, USA, 2005. |
|
35 |
|
36 V. Kolovski, J. Hendler, and B. Parsia. Analyzing web access control policies. In Proceedings of the 16th international conference on World Wide Web, page 686. ACM, 2007. |
|
37 |
|
38 Joseph Y. Halpern and Vicky Weissman. Using first-order logic to reason about policies. ACM Trans. Inf. Syst. Secur., 11(4), 2008. |
|
39 |
|
40 Prathima Rao, Dan Lin, Elisa Bertino, Ninghui Li, Jorge Lobo: EXAM: An Environment for Access Control Policy Analysis and Management. POLICY 2008: 238-240 |
|
41 |
|
42 Alessandro Armando, Enrico Giunchiglia, and Serena Elisa Ponta. Formal specification and automatic analysis of business processes under authorization constraints: an action-based approach. In Proceedings of the 6th International Conference on Trust, Privacy and Security in Digital Business (TrustBus’09), 2009. |
|
43 |
|
44 G. Ahn, Hongxin Hu, Joohyung Lee, and Yunsong Meng. Reasoning about XACML policy descriptions in answer set programming (preliminary report). In Proceedings of International Workshop on Nonmonotonic Reasoning (NMR), 2010. |
|
45 |
|
46 G. Ahn, Hongxin Hu, Joohyung Lee, and Yunsong Meng. Representing and reasoning about web access control policies. In Proc. 34th Annual IEEE Computer Software and Applications Conference (COMPSAC 2010), pages 137–146, 2010. |
|
47 |
|
48 *) |
|
49 |
5 |
50 |
6 (* THEOREMS *) |
51 (* THEOREMS *) |
7 |
52 |
8 |
53 |
9 notation (Rule output) |
54 notation (Rule output) |
262 they write that ``\emph{the feasibility of doing |
307 they write that ``\emph{the feasibility of doing |
263 so is currently an open question}'' \cite[Page 167]{Archer03}. |
308 so is currently an open question}'' \cite[Page 167]{Archer03}. |
264 We improve upon their results by using our sound and complete |
309 We improve upon their results by using our sound and complete |
265 static policy check to make this feasible. |
310 static policy check to make this feasible. |
266 |
311 |
|
312 Our work is also closely related to the work on \emph{grsecurity}, an |
|
313 access control system developed as a patch on top of Linux kernel \cite{gran12}. |
|
314 It installs a reference monitor to restrict access to system resources. |
|
315 They model a dynamic semantics of the operating system with four rules dealing with |
|
316 executing a file, setting a role and setting an UID as well as GID. |
|
317 These rules depend on an arbitrary but fixed access policy. |
|
318 Although, there are only four rules, their state-space is in general |
|
319 infinite, like in our work. They then give an abstracted semantics, |
|
320 which gives them a finite state-space. For example the abstracted |
|
321 semantics dispenses with users and roles by introducing |
|
322 abstract users and abstract roles. They obtain a soundness result |
|
323 for their abstract semantics and under some weak assumptions |
|
324 also a completeness result. Comparing it to our work, we will have a much |
|
325 more fine-grained model of the underlying operating system. We will |
|
326 also obtain a soundness result, but more importantly obtain |
|
327 also a completeness result. But since we have a much more fine-grained |
|
328 model it will depend on some stronger assumptions. The abstract semantics |
|
329 in \cite{gran12} is used for model-checking policies according to |
|
330 whether, for example, information flow properties are ensured. |
|
331 Since there formalism consists of only a few rules, they can get away with |
|
332 `pencil-and-paper proofs', whereas reasoning about our more detailed |
|
333 model containing substantially more rules needs the support of |
|
334 a theorem prover. |
|
335 |
267 Our formal models and correctness proofs are mechanised in the |
336 Our formal models and correctness proofs are mechanised in the |
268 interactive theorem prover Isabelle/HOL. The mechanisation of the models is a |
337 interactive theorem prover Isabelle/HOL. The mechanisation of the models is a |
269 prerequisite for any correctness proof about the RC-Model, since it |
338 prerequisite for any correctness proof about the RC-Model, since it |
270 includes a large number of interdependent concepts and very complex |
339 includes a large number of interdependent concepts and very complex |
271 operations that determine roles and types. In our opinion it is |
340 operations that determine roles and types. In our opinion it is |
462 There are some assumptions we make about the files present in the initial state: we always |
531 There are some assumptions we make about the files present in the initial state: we always |
463 require that the @{text "root"}-directory @{term "[]"} is part of the initial state |
532 require that the @{text "root"}-directory @{term "[]"} is part of the initial state |
464 and for every file in the initial state (excluding @{term "[]"}) we require that its |
533 and for every file in the initial state (excluding @{term "[]"}) we require that its |
465 parent is also part of the |
534 parent is also part of the |
466 initial state. |
535 initial state. |
467 After the initial state, the next states are determined |
536 A state is determined |
468 by a list of events, called the \emph{trace}. We need to define |
537 by a list of events, called the \emph{trace}. The empty trace, or empty list, stands |
|
538 for the initial state. Given a trace $s$, we prepend an event to $s$ to stand for the state in which the |
|
539 event just happened. |
|
540 We need to define |
469 functions that allow us to make some observations about traces. One |
541 functions that allow us to make some observations about traces. One |
470 such function is called @{term "current_procs"} and |
542 such function is called @{term "current_procs"} and |
471 calculates the set of ``alive'' processes in a state: |
543 calculates the set of ``alive'' processes in a state: |
472 |
544 |
473 %initial state: |
545 %initial state: |
490 @{term "current_procs (DUMMY#s)"} & @{text "\<equiv>"} & @{term "current_procs s"} |
562 @{term "current_procs (DUMMY#s)"} & @{text "\<equiv>"} & @{term "current_procs s"} |
491 \end{tabular}} |
563 \end{tabular}} |
492 \end{isabelle} |
564 \end{isabelle} |
493 |
565 |
494 \noindent |
566 \noindent |
495 The first clause states that in the empty trace, that is initial |
567 The first clause states that in the empty trace the processes are given by @{text "init_processes"}. The |
496 state, the processes are given by @{text "init_processes"}. The |
|
497 events for cloning a process, respectively killing a process, update this |
568 events for cloning a process, respectively killing a process, update this |
498 set of processes appropriately. Otherwise the set of live |
569 set of processes appropriately. Otherwise the set of live |
499 processes is unchanged. We have similar functions for alive files and |
570 processes is unchanged. We have similar functions for alive files and |
500 IPCs, called @{term "current_files"} and @{term "current_ipcs"}. |
571 IPCs, called @{term "current_files"} and @{term "current_ipcs"}. |
501 |
572 |
654 \begin{tabular}{@ {}c@ {}} |
725 \begin{tabular}{@ {}c@ {}} |
655 \mbox{@{thm [mode=Axiom] valid.intros(1)}}\hspace{5mm} |
726 \mbox{@{thm [mode=Axiom] valid.intros(1)}}\hspace{5mm} |
656 \mbox{@{thm [mode=Rule] valid.intros(2)}} |
727 \mbox{@{thm [mode=Rule] valid.intros(2)}} |
657 \end{tabular} |
728 \end{tabular} |
658 \end{center} |
729 \end{center} |
659 |
730 *} |
|
731 |
|
732 section {* The Tainted Relation *} |
|
733 |
|
734 text {* |
660 The novel notion we introduce in this paper is the @{text tainted} |
735 The novel notion we introduce in this paper is the @{text tainted} |
661 relation. It characterises how a system can become infected when |
736 relation. It characterises how a system can become infected when |
662 a file in the system contains, for example, a virus. We assume |
737 a file in the system contains, for example, a virus. We assume |
663 that the initial state contains some tainted |
738 that the initial state contains some tainted |
664 objects (we call them @{term "seeds"}). Therefore in the initial state @{term "[]"} |
739 objects (we call them @{term "seeds"}). Therefore in the initial state @{term "[]"} |
765 |
840 |
766 \noindent |
841 \noindent |
767 The point of this definition is that our static taintable check will only be |
842 The point of this definition is that our static taintable check will only be |
768 complete for undeletable objects. But these are |
843 complete for undeletable objects. But these are |
769 the ones system administrators are typically interested in (for |
844 the ones system administrators are typically interested in (for |
770 example system files). It should be clear, however, that we cannot |
845 example system files). |
|
846 |
|
847 It should be clear that we cannot |
771 hope for a meaningful check by just trying out all possible |
848 hope for a meaningful check by just trying out all possible |
772 valid states in our dynamic model. The reason is that there are |
849 valid states in our dynamic model. The reason is that there are |
773 potentially infinitely many of them and therefore the search space would be |
850 potentially infinitely many of them and therefore the search space would be |
774 infinite. For example starting from an |
851 infinite. For example starting from an |
775 initial state containing a process @{text p} and a file @{text pf}, |
852 initial state containing a process @{text p} and a file @{text pf}, |
1302 equally apply to the access control model of SELinux. In fact, |
1379 equally apply to the access control model of SELinux. In fact, |
1303 we expect that the formalisation is simpler for SELinux, since |
1380 we expect that the formalisation is simpler for SELinux, since |
1304 its rules governing roles are much simpler than in the RC-Model. |
1381 its rules governing roles are much simpler than in the RC-Model. |
1305 The definition of our admissibility rules can be copied verbatim for SELinux; |
1382 The definition of our admissibility rules can be copied verbatim for SELinux; |
1306 we would need to modify our granted rules and slightly adapt our |
1383 we would need to modify our granted rules and slightly adapt our |
1307 static check. We leave this as future work. |
1384 static check. We leave this as future work. Another direction |
|
1385 of future work could be to reason formally about confidentiality in |
|
1386 access control models. This would, of course, need the explicit assumption |
|
1387 about the absence of any covert channels in systems. |
1308 |
1388 |
1309 |
1389 |
1310 Our formalisation is carried out in the Isabelle/HOL theorem prover. |
1390 Our formalisation is carried out in the Isabelle/HOL theorem prover. |
1311 It uses Paulson's inductive method for |
1391 It uses Paulson's inductive method for |
1312 reasoning about sequences of events \cite{Paulson98}. |
1392 reasoning about sequences of events \cite{Paulson98}. |