Access-control Matrix Model (访问控制矩阵):
矩阵的行对应‘主体’(Subject),列表示‘实体’(Entity,包括主体Subject和客体Object)。
术语:
- Subject,is an active entity, such as a process or a user. 主动的实体,主体。
- Object, is a passive entity, such as a file.被动的实体,客体。
- Right, describes what a subject is allowed to do to an object; for example, the read right gives permission for a subject to read a file. 主体对客体的操作权限。
- Protection state, of a system simply refers to the rights held by all subjects on the system.系统所有主体拥有的权限。
Primitive Operations(原始操作/基本操作):
Create subject s creates a new row and column, both labeled s
Create object o creates a new column labeled o
Enter r into A[s, o] adds the right r into the entry in row s and column o; it corresponds to giving the subject s the right r over the entity o
Delete r from A[s, o] removes the right r from the entry in row s and column o; it corresponds to deleting the subject s’s right r over the entity o
Destroy subject s removes the row and column labeled s
Destroy object o removes the column labeled o
每一个操作都能对应到一个命令(Commands),如:
command createread(p, f)
create object f
enter read into A[p, f]
enter own into A[p, f]
end.
Mono-operational command(单操作命令):
A mono-operational command consists of a single primitive operation. 对应一个‘原始操作’ 的命令。
命令中可加入执行条件,如:
command grantexec(p, f)
if read in A[p, f] then
enter execute into A[p, f]
end.
Monoconditional command(单条件命令):只有一个条件的命令。
Biconditional command(双条件命令):命令执行条件是用and连接的两个子条件。如:
command copyread(p, q, f)
if read in A[p, f] and own in A[p, f] then
enter read into A[q, f]
end.
Mono-operational system(单操作系统):所有命令都是‘单操作命令’的系统。
相似的,有Monocaonditionial system(单条件系统:所有命令都是单条件的)、Biconditional system(双条件系统:所有命令都是双条件的)。
Monotonic system(单调系统):没有delete或destroy原始操作的系统。
monotonic policies:如:where access rights can be deleted only if the deletion is itself reversible.
系统安全的定义:A system is secure with repect to a generic right r if that right cannot be added to an entity in the access-control matrix unless that square already contains it.
如果任意权限无法加入现有的访问控制矩阵,则该系统是安全的。
Safety Question(安全问题):Is there an algorithm to determine whether a given system with
initial state 𝜎 is secure with respect to a given right? 对于给定初态为𝜎的系统,是否存在一个算法,该算法可根据给定的某系统权限确定该系统是否是安全的?
定理1:Safety Question是不可判定的。
安全问题等价于‘停机问题’。没有一个通用的算法可确定系统是否是安全的。但对某类特定系统,安全问题是可判定的。
定理2:There is an algorithm that will determine whether mono-operational systems are secure with respect to a generic right r. 存在算法,可根据某权限r,确定‘单操作系统’是否是安全的。
定理3:The safety question for monotonic systems is undecidable. 单调系统的安全性是不可判定的。
定理4:The safety question for biconditional monotonic systems is undecidable. 双条件单调系统的安全性是不可判定的。
定理5:There is an algorithm that will determine whether monoconditional monotonic systems are secure with respect to a generic right r. 单条件单调系统的安全性是可判定的。
定理6:There is an algorithm that will determine whether monotonic systems that do not use the destroy primitive operations are secure with respect to a generic right r. 仅没有使用destroy原始操作的系统,其安全性是可判定的。
Typed Access-control Martix Model (TAM):
给访问控制矩阵中的实体增加了类型type,(而不只是主体和客体)。
定理7:There is an algorithm that will determine whether acyclic, monotonic typed matrix models are secure with respect to a generic right r. 非循环单调系统的TAM模型可用于判定系统是否是安全的。
In TAM, a rule set is acyclic非循环的 if neither an entity E nor any of its descendants can create a new entity with the same type as E.
非循环、单调,是安全性可判定的充分条件,但安全性可判定的必要条件仍是未知的。