A new security model

Let $F$ be the set of files on the system. In $F$, we can find /sbin/init, /etc/modules.conf, /usr/bin/, etc.

Let $R$ be the set of rights that can be given to a program. In $R$ we can find «mount a partition» or «read /this/file» or «execute /that/program if uid=0». We will see more details on this set later.

Then we can consider two functions $\sigma$ and $\mu$ from $F$ to $\mathcal{P}(R)$ (the set of parts of $R$), that map a sub-set of $R$ to each file on the system.

The set of rights mapped by $\sigma$ to a file are the rights that will be given to a process exec'ed with this file. Those mapped with $\mu$ are those the process will be able to transmit to a child.

Let $X$ be the property to be executable. For $f \in F$, $X(f)$ will mean that $f$ is executable. $X$ is defined by induction :

• $X($/sbin/init$)$
• $X(f) \Leftrightarrow \exists g \in F ~\vert~$«execute $f$» $\in \sigma(g)$ and $X(g)$

which mean that /sbin/init is executable and that the file $f$ is executable if there exists another file $g$ that is executable and that has the right to execute $f$.

The files can't use by themselves the rights they are given. They must be executed to give their process their rights. A file that can't be executed and that have some rights won't be able to use them, but who cares ?

When a file is exec'ed, the new process inherits its rights from the rights mapped to the file but also from its parent process rights.

Note that for $f \in F$, there can exist $r \in R$ so that we have $r \notin \sigma(f)$ and $r \in \mu(f)$, i.e. $f$ can have the right to give as inheritage a right it doesn't own. That means that if its process obtain this right by inheritage, it can transmit it.

We can't consider a static set of processes. Let $P(t)$ be the set of running processes at the time $t$. $t$ is a discrete virtual time variable that is incremented when a process is forked, is exec'ed or dies.

Let $\tau_t$ be a function from $P(t)$ to $\mathcal{P}(R)$ that maps a sub-set of $R$ to each running processes, which will be the rights of this process.

Let $\nu_t$ be a function from $P(t)$ to $\mathcal{P}(R)$ that maps a sub-set of $R$ to each running processes, which will be the rights the process can give to its lineage by inheritage.

The initial state, $P(0)$, is a singleton and the unique element is the init process.

So, if $i \in F$ is /sbin/init and $P(0)=\{\iota\}$ then $\phi_0(\iota)=i$. Moreover, we define $\tau_0(\iota)=\sigma(i)$ and $\nu_0(\iota)=\mu(i)$. This is the initial state.

The transition rules are :

A process $p$ forks :

a new task $p'$ is created from $p$.

$$P(t+1) = P(t) \cup \{p'\}$$

$$\phi_{t+1}(x) = \begin{cases} \ \phi_t(x) & \text{for $x \in P(t)$}\\ \ \phi_t(p) & \text{for $x=p'$} \end{cases}$$

$$\tau_{t+1}(x) = \begin{cases} \ \tau_t(x) & \text{for $x \in P(t)$}\\ \ \tau_t(p) & \text{for $x=p'$} \end{cases}$$

$$\nu_{t+1}(x) = \begin{cases} \ \nu_t(x) & \text{for $x \in P(t)$}\\ \ \nu_t(p) & \text{for $x=p'$} \end{cases}$$

A process $p$ execs a file $f$ :

if «execute $f$» $\in \tau_t(p)$ (with possible uid checks) then

$$P(t+1) = P(t)$$

$$\phi_{t+1}(x) = \begin{cases} \ \phi_t(x) & \text{for $x \in P(t)-\{p\}$}\\ \ f & \text{for $x=p$} \end{cases}$$

$$\tau_{t+1}(x) = \begin{cases} \ \tau_t(x) & \text{for $x \in P(t)-\{p\}$}\\ ... ...p \nu_t(p)\right) \cup \sigma(f) & \text{for $x=p$} \end{cases}$$

$$\nu_{t+1}(x) = \begin{cases} \ \nu_t(x) & \text{for $x \in P(t)-\{p\}$}\\ \ \nu_{t}(p) \cup \mu(f) & \text{for $x=p$} \end{cases}$$

A process $p$ dies :

$P(t+1)=P(t)-\{p\}$ and $\phi_{t+1}$, $\tau_{t+1}$ and $\nu_{t+1}$, are the restrictions of respectively $\phi_t$, $\tau_t$ and $\nu_t$ over $P(t+1)$.

Let $\Sigma$ be the set of couple of functions $(\sigma,\mu)$ that enable the computer to fulfill its work. Each element $s$ of $\Sigma$ is a complete set of access controls that can rule the behaviour of the machine. Let define the partial order $\prec$ over $\Sigma$ :

$$(\sigma_1,\mu_1) \prec (\sigma_2,\mu_2) \Leftrightarrow \fora... ... \end{cases}\text{ and } (\sigma_1,\mu_1) \neq (\sigma_2,\mu_2)$$

If $s_1$ and $s_2$ are two elements of $\Sigma$ and $s_1 \prec s_2$, we can affirm that $s_1$ is more secure than $s_2$ because $s_2$ give at the very least one unnecessary right to a file. As the order is partial^1.9, there can be more than one minimal element^1.10.

There is no rule to decide which of two minimal elements is the most secure, but I think there will generally be only one minimal element.