next up previous contents
Next: Adopted approach Up: Introduction Previous: Comparison with previous LIDS   Contents

A new security model

Let $ F$ be the set of files on the system. In $ F$, we can find /sbin/init, /etc/modules.conf, /usr/bin/, etc.

Let $ R$ be the set of rights that can be given to a program. In $ R$ we can find «mount a partition» or «read /this/file» or «execute /that/program if uid=0». We will see more details on this set later.

Then we can consider two functions $ \sigma$ and $ \mu$ from $ F$ to $ \mathcal{P}(R)$ (the set of parts of $ R$), that map a sub-set of $ R$ to each file on the system.

The set of rights mapped by $ \sigma$ to a file are the rights that will be given to a process exec'ed with this file. Those mapped with $ \mu$ are those the process will be able to transmit to a child.

Let $ X$ be the property to be executable. For $ f \in F$, $ X(f)$ will mean that $ f$ is executable. $ X$ is defined by induction :

which mean that /sbin/init is executable and that the file $ f$ is executable if there exists another file $ g$ that is executable and that has the right to execute $ f$.

The files can't use by themselves the rights they are given. They must be executed to give their process their rights. A file that can't be executed and that have some rights won't be able to use them, but who cares ?

When a file is exec'ed, the new process inherits its rights from the rights mapped to the file but also from its parent process rights.

Note that for $ f \in F$, there can exist $ r \in R$ so that we have $ r \notin \sigma(f)$ and $ r \in \mu(f)$, i.e. $ f$ can have the right to give as inheritage a right it doesn't own. That means that if its process obtain this right by inheritage, it can transmit it.

We can't consider a static set of processes. Let $ P(t)$ be the set of running processes at the time $ t$. $ t$ is a discrete virtual time variable that is incremented when a process is forked, is exec'ed or dies.

Let $ \tau_t$ be a function from $ P(t)$ to $ \mathcal{P}(R)$ that maps a sub-set of $ R$ to each running processes, which will be the rights of this process.

Let $ \nu_t$ be a function from $ P(t)$ to $ \mathcal{P}(R)$ that maps a sub-set of $ R$ to each running processes, which will be the rights the process can give to its lineage by inheritage.

The initial state, $ P(0)$, is a singleton and the unique element is the init process.

So, if $ i \in F$ is /sbin/init and $ P(0)=\{\iota\}$ then $ \phi_0(\iota)=i$. Moreover, we define $ \tau_0(\iota)=\sigma(i)$ and $ \nu_0(\iota)=\mu(i)$. This is the initial state.

The transition rules are :

A process $ p$ forks :
a new task $ p'$ is created from $ p$.
$\displaystyle P(t+1)$ $\displaystyle =$ $\displaystyle P(t) \cup \{p'\}$  
$\displaystyle \phi_{t+1}(x)$ $\displaystyle =$ \begin{displaymath}\begin{cases}
\ \phi_t(x) & \text{for $x \in P(t)$}\\
\ \phi_t(p) & \text{for $x=p'$}
\end{cases}\end{displaymath}  
$\displaystyle \tau_{t+1}(x)$ $\displaystyle =$ \begin{displaymath}\begin{cases}
\ \tau_t(x) & \text{for $x \in P(t)$}\\
\ \tau_t(p) & \text{for $x=p'$}
\end{cases}\end{displaymath}  
$\displaystyle \nu_{t+1}(x)$ $\displaystyle =$ \begin{displaymath}\begin{cases}
\ \nu_t(x) & \text{for $x \in P(t)$}\\
\ \nu_t(p) & \text{for $x=p'$}
\end{cases}\end{displaymath}  

A process $ p$ execs a file $ f$ :
if «execute $ f$» $ \in \tau_t(p)$ (with possible uid checks) then

$\displaystyle P(t+1)$ $\displaystyle =$ $\displaystyle P(t)$  
$\displaystyle \phi_{t+1}(x)$ $\displaystyle =$ \begin{displaymath}\begin{cases}
\ \phi_t(x) & \text{for $x \in P(t)-\{p\}$}\\
\ f & \text{for $x=p$}
\end{cases}\end{displaymath}  
$\displaystyle \tau_{t+1}(x)$ $\displaystyle =$ \begin{displaymath}\begin{cases}
\ \tau_t(x) & \text{for $x \in P(t)-\{p\}$}\\
...
...p \nu_t(p)\right) \cup \sigma(f) & \text{for $x=p$}
\end{cases}\end{displaymath}  
$\displaystyle \nu_{t+1}(x)$ $\displaystyle =$ \begin{displaymath}\begin{cases}
\ \nu_t(x) & \text{for $x \in P(t)-\{p\}$}\\
\ \nu_{t}(p) \cup \mu(f) & \text{for $x=p$}
\end{cases}\end{displaymath}  

A process $ p$ dies :
$ P(t+1)=P(t)-\{p\}$ and $ \phi_{t+1}$, $ \tau_{t+1}$ and $ \nu_{t+1}$, are the restrictions of respectively $ \phi_t$, $ \tau_t$ and $ \nu_t$ over $ P(t+1)$.

Let $ \Sigma$ be the set of couple of functions $ (\sigma,\mu)$ that enable the computer to fulfill its work. Each element $ s$ of $ \Sigma$ is a complete set of access controls that can rule the behaviour of the machine. Let define the partial order $ \prec$ over $ \Sigma$ :

\begin{displaymath}(\sigma_1,\mu_1) \prec (\sigma_2,\mu_2) \Leftrightarrow \fora...
...
\end{cases}\text{ and } (\sigma_1,\mu_1) \neq (\sigma_2,\mu_2)\end{displaymath}

If $ s_1$ and $ s_2$ are two elements of $ \Sigma$ and $ s_1 \prec s_2$, we can affirm that $ s_1$ is more secure than $ s_2$ because $ s_2$ give at the very least one unnecessary right to a file. As the order is partial1.9, there can be more than one minimal element1.10.

There is no rule to decide which of two minimal elements is the most secure, but I think there will generally be only one minimal element.


next up previous contents
Next: Adopted approach Up: Introduction Previous: Comparison with previous LIDS   Contents
Biondi Philippe 2000-12-15