CS 513 - System Security
Lecture 17

Lecturer: Professor Fred B. Schneider
Notes by: Vicky Weissman
Lecture Date: 3/30/00


Today's Topics

Limitations of Policy Analysis

The Safety Question: given an access control matrix and a set of commands, can a subject ever gain a particular right to an object?

Theorem: The safety question is undecidable.
Proof by reduction from the Halting Problem:
I. Every Turing Machine (TM) can be represented as an access control matrix (ACM) and a set of commands.
To convert a TM to an ACM and a set of commands:
1. For every symbol, i, on the TM's tape:
   a. create a subject, s_i, in the ACM
   b. create an access right, r_i
   c. add r_i to cell (s_i, s_i) of the ACM
   d. give s_(i-1) the 'own' right for s_i (needed for the ACM to preserve the order of the TM's symbols)
2. For every state, q, of the TM, create an access right, r_q.
3. Grant the subject corresponding to the first symbol on the tape the right corresponding to the TM's initial state.
4. Encode every transition of the TM as a command (e.g. if subject s has state right r_q and symbol right r_i, then delete r_q and add r_q_next to the subject that either owns or is owned by s). A command may need to add a new subject to the ACM (when the head moves onto tape that has not been represented yet).
5. Create a command that grants subject s_1 the 'done' right if any subject holds a state right corresponding to a final state.

II. The TM halts if and only if subject s_1 of the corresponding ACM can obtain the 'done' right. Since the halting problem is undecidable, deciding whether s_1 can obtain the 'done' right is also undecidable, and therefore so is the general safety question.
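The construction in steps 1-5 and the simulation argument in part II, as an added worked example (not part of the lecture notes): an ACM whose subjects s_1, s_2, ... are tape cells, whose rights r_* and q_* encode symbols and states, and whose single transition command moves the state right to the owner or the owned subject. The Turing machine, its tape "11", and the step bound in `s1_gets_done` are constructed here for illustration.

```python
from collections import defaultdict
BLANK = "_"
class ACMachine:
    def __init__(self, tape, start, delta, finals):
        self.acm = defaultdict(set)      # (subject, object) -> set of rights
        self.subjects = []               # s1, s2, ... in tape order
        self.delta, self.finals = delta, finals
        for sym in tape:
            self.append_cell(sym)
        self.acm[("s1", "s1")].add("q_" + start)   # step 3: initial state on s1
    def append_cell(self, sym):
        # steps 1a-1d: subject s_i, right r_sym on (s_i, s_i), s_{i-1} owns s_i
        s = f"s{len(self.subjects) + 1}"
        if self.subjects:
            self.acm[(self.subjects[-1], s)].add("own")
        self.acm[(s, s)].add("r_" + sym)
        self.subjects.append(s)
    def head(self):
        # the unique subject holding a state right q_*, and that state
        return next((s, r[2:]) for s in self.subjects
                    for r in self.acm[(s, s)] if r.startswith("q_"))
    def step(self):
        # step 4: the command encoding delta(q, sym) = (q2, sym2, move)
        s, q = self.head()
        cell = self.acm[(s, s)]
        sym = next(r[2:] for r in cell if r.startswith("r_"))
        q2, sym2, move = self.delta[(q, sym)]
        cell.discard("r_" + sym); cell.add("r_" + sym2); cell.discard("q_" + q)
        i = self.subjects.index(s)
        if move == "R":
            if i + 1 == len(self.subjects):   # the command adds a new subject
                self.append_cell(BLANK)
            nxt = self.subjects[i + 1]        # the subject that s owns
        else:                                 # the subject owning s; the TM is
            nxt = self.subjects[i - 1]        # assumed never to move left off s1
        self.acm[(nxt, nxt)].add("q_" + q2)
    def s1_gets_done(self, max_steps=100):
        # step 5: grant s1 'done' once a subject holds a final-state right;
        # the step bound only makes this demo terminate, none works in general
        for _ in range(max_steps):
            if self.head()[1] in self.finals:
                self.acm[("s1", "s1")].add("done")
                return True
            self.step()
        return False
# Constructed TM: overwrite 1s with 0s moving right; on blank, step left into qf.
DELTA = {("q0", "1"): ("q0", "0", "R"), ("q0", BLANK): ("qf", BLANK, "L")}
def run_example():
    m = ACMachine("11", "q0", DELTA, {"qf"})
    return m.s1_gets_done(), m
```

For a machine that never enters a final state (e.g. one that shuttles the head back and forth forever) `s1_gets_done` exhausts its bound and returns False without having decided anything, which is exactly the gap the theorem says no procedure can close.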

Note: The safety question for certain restricted policies is decidable.

Reference Monitors

A reference monitor is a piece of software that checks every access to every object. As part of the system's trusted computing base (the hardware and software that must be correct for security to hold), it is evaluated in terms of its size and complexity. Performance is also a practical concern, since it sits on the path of every access.

Reference monitors are often used to provide complete mediation for access control.
They can be implemented in the following ways:

Note: Adding a security layer that can reject program instructions changes the program's interface, since the program must now handle the rejection.