03.pdf ini adalah fondasi dari keamanan informasi

adiwahyucandrakusuma1 0 views 14 slides Oct 28, 2025

Slide 1 of 14

About This Presentation

Size: 105.55 KB

Language: en

Added: Oct 28, 2025

Slides: 14 pages

Slide Content

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-1
Chapter 3: Foundational Results
•Overview
•Harrison-Ruzzo-Ullman result
–Corollaries

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-2
Overview
•Safety Question
•HRU Model

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-3
What Is “Secure”?
•Adding a generic right r where there was
not one is “leaking”
•If a system S, beginning in initial state s
0
,
cannot leak right r, it is safe with respect to
the right r.

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-4
Safety Question
•Does there exist an algorithm for
determining whether a protection system S
with initial state s
0
is safe with respect to a
generic right r?
–Here, “safe” = “secure” for an abstract model

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-5
Mono-Operational Commands
•Answer: yes
•Sketch of proof:
Consider minimal sequence of commands c
1, …,
c
k to leak the right.
– Can omit delete, destroy
– Can merge all creates into one
Worst case: insert every right into every entry;
with s subjects and o objects initially, and n
rights, upper bound is k ≤ n(s+1)(o+1)

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-6
General Case
•Answer: no
•Sketch of proof:
Reduce halting problem to safety problem
Turing Machine review:
–Inﬁnite tape in one direction
–States K, symbols M; distinguished blank b
–Transition function δ(k, m) = (k′, m′, L) means in state
k, symbol m on tape location replaced by symbol m′,
head moves to left one square, and enters state k′
–Halting state is q
f
; TM halts when it enters this state

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-7
Mapping
ABCD…
1 2 3 4
head
s
1
s
2
s
3
s
4
s
4
s
3
s
2
s
1
A
B
C k
D end
own
own
own
Current state is k

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-8
Mapping
ABXD…
1 2 3 4
head
s
1
s
2
s
3
s
4
s
4
s
3
s
2
s
1
A
B
X
D k
1
end
own
own
own
After δ(k, C) = (k
1
, X, R)
where k is the current
state and k
1
the next state

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-9
Command Mapping
δ(k, C) = (k
1
, X, R) at intermediate becomes
command c
k,C
(s
3
,s
4
)
if own in A[s
3
,s
4
] and k in A[s
3
,s
3
]
and C in A[s
3
,s
3
]
then
delete k from A[s
3
,s
3
];
delete C from A[s
3
,s
3
];
enter X into A[s
3
,s
3
];
enter k
1
into A[s
4
,s
4
];
end

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-10
Mapping
ABXY
1 2 3 4
head
s
1
s
2
s
3
s
4
s
4
s
3
s
2
s
1
A
B
X
Y
own
own
own
After δ(k
1
, D) = (k
2
, Y, R)
where k
1
is the current
state and k
2
the next state
s
5
s
5
own
b k
2
end
5
b

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-11
Command Mapping
δ(k
1
, D) = (k
2
, Y, R) at end becomes
command crightmost
k,C
(s
4
,s
5
)
if end in A[s
4
,s
4
] and k
1
in A[s
4
,s
4
]
and D in A[s
4
,s
4
]
then
delete end from A[s
4
,s
4
];
create subject s
5
;
enter own into A[s
4
,s
5
];
enter end into A[s
5
,s
5
];
delete k
1
from A[s
4
,s
4
];
delete D from A[s
4
,s
4
];
enter Y into A[s
4
,s
4
];
enter k
2
into A[s
5
,s
5
];
end

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-12
Rest of Proof
•Protection system exactly simulates a TM
–Exactly 1 end right in ACM
–1 right in entries corresponds to state
–Thus, at most 1 applicable command
•If TM enters state q
f, then right has leaked
•If safety question decidable, then represent TM as
above and determine if q
f leaks
–Implies halting problem decidable
•Conclusion: safety question undecidable

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-13
Other Results
•Set of unsafe systems is recursively enumerable
•Delete create primitive; then safety question is complete
in P-SPACE
•Delete destroy, delete primitives; then safety question is
undecidable
–Systems are monotonic
•Safety question for monoconditional, monotonic
protection systems is decidable
•Safety question for monoconditional protection systems
with create, enter, delete (and no destroy) is decidable.

November 1, 2004 Introduction to Computer Security
©2004 Matt Bishop
Slide #3-14
Key Points
•Safety problem undecidable
•Limiting scope of systems can make
problem decidable

03.pdf ini adalah fondasi dari keamanan informasi

About This Presentation

Slide Content

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

03.pdf ini adalah fondasi dari keamanan informasi

About This Presentation

Slide Content

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

DTI BPI Pivot Small Business - BUSINESS START UP PLAN

CATHOLIC EDUCATIONAL Corporate Responsibilities

Karin Schaupp – Evocation; lançamento: 2000

Pillars of Biblical Oneness in the Book of Acts

7-10. STP + Branding and Product &amp; Services Strategies.pptx

Business Legislation PPT - UNIT 1 jimllpkggg

7-10. STP + Branding and Product & Services Strategies.pptx