On the Decidability of Accessibility Problems (Extended Abstract)

Rajeev Motwani (Stanford University)
Rina Panigrahy (Cisco Systems)
Vijay Saraswat (AT&T Labs - Research)
Suresh Venkatasubramanian (AT&T Labs - Research)
Abstract

Protection systems have provided the formal basis for the study of security and access mechanisms in computer systems for many years and, more recently, in the context of trust management. The main objective in the design and analysis of such systems is to express policies that prescribe how objects interact and share information with each other, and verify that undesirable actions cannot take place. The latter problem is referred to as the safety or accessibility problem, since it is often phrased in the form "Can object p gain (illegal) access to object q by a series of legal moves (as prescribed by a policy)?". Much work has gone into designing protection systems that have significant expressive power and effective procedures for verifying accessibility. In this paper, we study one such general protection system, providing algorithms for deciding accessibility within the system. Our methods involve relating this problem to membership problems for certain classes of grammars, and reveal interesting connections between protection systems and the grammars that describe them. Of independent interest is the discovery of an elegantly characterised family of grammars that to the best of our knowledge has not been placed within the Chomsky hierarchy.

Author notes:
Rajeev Motwani: Department of Computer Science, Stanford University. Email: [email protected]. Supported by ARO MURI Grant DAAH04-96-1-0007 and NSF Grant IIS-9811904.
Rina Panigrahy: Cisco Systems, San Jose, CA. Email: [email protected].
Vijay Saraswat: AT&T Shannon Laboratory, 180 Park Ave, Florham Park, NJ 07932. Email: [email protected].
Suresh Venkatasubramanian: AT&T Shannon Laboratory, 180 Park Ave, Florham Park, NJ 07932. Email: [email protected]. Work done partly while at Stanford University, supported by ARO MURI Grant DAAH04-96-1-0007 and NSF Award CCR-9357849, with matching funds from IBM, Mitsubishi, Schlumberger Foundation, Shell Foundation, and Xerox Corporation.

1 Introduction
In a computer system, a protection system is a set of policies that prescribes the ways in which objects interact with each other. Objects could be users, processes, agents or other entities, and interactions could include access rights, information sharing privileges and other such mechanisms. In such a framework, a key question is that of accessibility (also referred to as the safety question): do the policies specified by the model ensure that only appropriate entities gain access to other entities? In this paper, we present schemes for determining accessibility. Our model, first proposed in [16, 6] in the context of Java virtual worlds, is a capability-based system, in which objects possess rights that they transfer to each other in ways specified by the model. The model strictly generalizes grammatical protection systems [5, 10] (in which the creation of new objects is disallowed) and the take-grant model [11] (where there is only a restricted set of rights) [6]. Our model is a special case of the general access-matrix model [8]; however, unlike the general model, we show that accessibility is decidable for our model.

The main technique in our results is the mapping of the accessibility problem to a membership query for an instance of a syntactically characterised grammar. A question of independent interest concerns the characterisation of such grammars within the Chomsky hierarchy. One such grammar can be characterised in terms of rules of the form A → BA and CA → C, where A, B, C are non-terminals; however, to the best of our knowledge it is not known whether all instances of this grammar are context-free. The connection between accessibility questions and grammar questions goes even deeper; we can show that slight modifications in the grammar specification (which translate to different access passing methods) render the membership problem (and therefore the accessibility problem) undecidable.¹

1.1 Related Work

The problem of protecting information in computer systems was first addressed by Saltzer and Schroeder in the early 70s [13]. A formal treatment of accessibility was first presented by Harrison, Ruzzo and Ullman [8], who showed that for a general access-matrix model of object-resource interaction, the accessibility question is undecidable. This result prompted many researchers to study the tradeoff between expressibility and verifiability in protection systems; namely, the design of systems powerful enough to express general-purpose security policies but with efficiently computable accessibility properties [11, 17, 1, 7, 5, 10]. Among these are the Take-Grant model designed by Lipton and Snyder [11, 17], a simple protection system with linear-time decidable accessibility properties. Other work includes the Bell-LaPadula multi-level model [1], grammatical protection systems [5, 10], and more recently, the schematic protection model and the typed access matrix model [14, 15]. Early work on protection systems took place in the context of operating systems (the access-matrix model can be thought of in terms of access control lists, and the take-grant model and others in terms of capabilities), and current operating systems have robust and efficient protection mechanisms in place. However, in the context of trust management [3, 4], "existing authorization mechanisms fail to provide powerful and robust tools for handling security at the scale necessary for today's Internet" [2]. The problems of reconciling expressibility and efficiency for protection systems take on a renewed importance in this setting.²

1.2 The Accessibility Problem

We now give a formal definition of the accessibility problem. Let G = (V, E) be a directed graph. Let t : V → T be a type function mapping vertices to the set of types T. In addition, let Ri, Re ⊆ T × T be two binary relations on T. We define O2, a set of operations on G that are illustrated in Figure 1 (the reader may note the loose analogy to the operations of the take-grant model):

Insert(v, x): v inserts x of arbitrary type t(x), yielding the graph (V ∪ {x}, E ∪ {v → x}).
Give(a, b, c): a "gives c to b" by adding b → c to E, provided a → b, a → c ∈ E and (t(b), t(c)) ∈ Ri.
Get(a, b, c): a "gets c from b" by adding a → c to E, provided a → b, b → c ∈ E and (t(b), t(c)) ∈ Re.

¹ For reasons of space, these results will not be mentioned further in this paper.
² The design of protection systems is orthogonal to the study of trust management, as defined in [3, 4]; for a detailed explanation, see [3].
Figure 1: The three operations (Insert, Give, Get; the diagram over the vertices v, x and a, b, c is not reproduced here).

For a graph G, a class of operations O, and an operation f ∈ O, denote the action of f on G as G f. We now define the following predicate.
Definition 1.1 (can-access_O(p, q)) Given a graph G, a set of types T, relations Ri, Re ⊆ T × T, and two vertices p, q ∈ V(G), can-access_O(p, q) is true iff there exists a graph G' and a finite sequence of operations f1, f2, ..., fk ∈ O such that G' = G f1 f2 ... fk and p → q ∈ E(G').
Our main result is:
Theorem 1.1 Given a graph G, vertices p, q, and relations RI, RE ⊆ T × T, the predicate can-access_O2(p, q) is decidable.
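To make the O2 operations concrete, the following Python script (an added example, not code from the paper) implements Insert, Give and Get on a small constructed instance. The type names P, B, Q, M, the vertex names and the relations Ri/Re are assumptions chosen for illustration. The Give/Get fixpoint shows the finite special case in which no new objects are created (the grammatical-protection-system setting cited above); the breadth-first search adds Insert under an explicit budget, which is exactly why a naive search is not a decision procedure: without a bound on Insert the state space is infinite, and Theorem 1.1 is obtained through the grammar reduction instead.

```python
from collections import deque

# Constructed O2 instance (not taken from the paper). Type names and vertex
# names are assumptions made for this example.
TYPES = {"P", "B", "Q", "M"}
RI = {("B", "M"), ("M", "Q")}   # (t(b), t(c)) under which Give may add b -> c
RE = {("M", "Q")}               # (t(b), t(c)) under which Get may add a -> c
VERTEX_TYPES = {"p": "P", "b": "B", "q": "Q"}
EDGES = {("p", "b"), ("b", "q")}


def give_get_successors(E, t, Ri, Re):
    """Edges that one Give or Get step can add to edge set E with typing t."""
    new = set()
    for (a, b) in E:
        for (a2, c) in E:
            # Give(a, b, c): a -> b, a -> c in E and (t(b), t(c)) in Ri adds b -> c
            if a2 == a and c != b and (t[b], t[c]) in Ri:
                new.add((b, c))
        for (b2, c) in E:
            # Get(a, b, c): a -> b, b -> c in E and (t(b), t(c)) in Re adds a -> c
            if b2 == b and c != a and (t[b], t[c]) in Re:
                new.add((a, c))
    return new - E


def closure_without_insert(E, t, Ri, Re):
    """Least fixpoint of Give/Get over a fixed vertex set. Without Insert the
    edge set is bounded, so this terminates and decides accessibility for
    the special case in which no objects are created."""
    E = set(E)
    while True:
        added = give_get_successors(E, t, Ri, Re)
        if not added:
            return E
        E |= added


def can_access_bounded(E, t, Ri, Re, types, p, q, max_inserts):
    """Breadth-first search over graph states, allowing at most max_inserts
    Insert(v, x) operations (x fresh, of any type in `types`). True is exact;
    False only says no derivation exists within the Insert budget, because
    unbounded Insert makes the state space infinite."""
    start = (frozenset(E), tuple(sorted(t.items())))
    seen, queue = {start}, deque([start])
    while queue:
        edges, typing = queue.popleft()
        if (p, q) in edges:
            return True
        tdict = dict(typing)
        successors = [(edges | {e}, typing)
                      for e in give_get_successors(edges, tdict, Ri, Re)]
        inserted = len(tdict) - len(t)
        if inserted < max_inserts:
            x = "x%d" % inserted                     # fresh vertex name
            for v in tdict:
                for ty in sorted(types):
                    new_typing = tuple(sorted(list(typing) + [(x, ty)]))
                    successors.append((edges | {(v, x)}, new_typing))
        for state in successors:
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return False


if __name__ == "__main__":
    print("Give/Get closure:", sorted(closure_without_insert(EDGES, VERTEX_TYPES, RI, RE)))
    for k in (0, 1):
        print("p -> q with at most", k, "Insert:",
              can_access_bounded(EDGES, VERTEX_TYPES, RI, RE, TYPES, "p", "q", k))
```

On this instance p cannot reach q by Give and Get alone, but one inserted object of type M lets p give b the new object, b give it q, and p then get q from it. The search answers the question only for the budget it is given; the paper's contribution is that the question has an answer without such a budget.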
In general, the operations could be a function of the types of all three vertices participating in an operation. Let the class of operations O3 be defined by the above three rules and two ternary relations RI, RE ⊆ T × T × T, such that Give(a, b, c) requires that (t(a), t(b), t(c)) ∈ RI, and similarly for Get(a, b, c). The difference between the operation classes O2 and O3 is quite significant.

Theorem 1.2 can-access_O3(p, q) is undecidable.

1.3 Overview of Results and Techniques

The basic idea underlying the proof of Theorem 1.1 is that we can encode an undirected path from p to q in G as a string, where each symbol in the string is the type of the corresponding node. The graph operations will then correspond to production rules on this string. These rules define an accessibility grammar described in Section 2. We show that determining can-access_O2(p, q) on a path is equivalent to checking whether the string corresponding to this path is in the language defined by the corresponding accessibility grammar. Moreover, for an arbitrary graph, determining can-access_O2(p, q) is equivalent to checking whether the string for any path from p to q is in the language induced by the grammar. Since the set of paths in a graph forms a regular language, the latter is equivalent to checking whether the language defined by a given accessibility grammar has non-empty intersection with a given regular language (we will call this the intersection problem).

For ease of exposition, we outline in detail this proof schema for a restricted accessibility problem, defined in Section 2.1. The grammar induced by the restricted set of operations has a special structure, i.e., all insert or delete operations occur only to the left of a symbol, and we call it a leftist grammar. In Section 2.2, we show that the restricted accessibility problem is equivalent to the intersection problem for leftist grammars. In Section 3 we show that the intersection problem on leftist grammars is decidable by first presenting an algorithm for a single string w, and then using this algorithm as a primitive to solve the intersection problem. We mention here that the problem of placing leftist grammars within the Chomsky hierarchy [9] remains open; we were unable to construct an instance of a leftist grammar that was not context-free. This issue is also relevant from the perspective of efficiency; context-free grammars have polynomial-time membership algorithms. In Section 4, we focus on can-access_O2(p, q). First, we define an accessibility grammar that corresponds to can-access_O2(p, q) and show that this is equivalent to another grammar that is "almost" leftist. We show that membership for this new grammar can be solved via a non-trivial generalization of the techniques in Section 3, and that the intersection problem can be solved similarly. This yields the decidability result for can-access_O2(p, q).

While we have established the decidability of the accessibility problem, our algorithms are by no means efficient, and finding more effective algorithms remains a major open problem. Additionally, it is conceivable that for restricted classes of type systems, more efficient algorithms for checking accessibility could be developed. Better understanding the complexity of the accessibility grammars and their variants is also an interesting direction for future work. For instance, we can show that membership for certain types of non-leftist grammars is undecidable.

A final note: the proofs in this paper are long and fairly technical. Therefore, to satisfy the space constraints and improve clarity of presentation, we have chosen to omit detailed proofs of theorems, replacing them with sketches and explanations wherever appropriate. We defer full proofs to a longer version of the paper.
2 Accessibility Grammars

We are interested in the following special class of grammars over a finite alphabet Σ. We use upper-case letters to denote arbitrary symbols from Σ, lower-case letters a, b, c, ... to denote actual symbols from Σ, and lower-case letters s, t, u, ... and Greek symbols α, β, ... to denote strings from Σ*; except, x is a special reserved symbol in the grammar.

Definition 2.1 An accessibility grammar G = (Σ, P, x) consists of a finite alphabet Σ, a set of production rules P of the form y → z for strings y, z ∈ Σ*, and a final symbol x ∈ Σ. We say that a string u ∈ Σ* derives a string v ∈ Σ*, denoted by u ⇒ v, if u = u1 y u2 and v = v1 z v2 such that y → z is a production rule in P. As usual, ⇒* denotes the reflexive and transitive closure of ⇒. Finally, the language of G is defined to be L(G) = {w ∈ Σ* | wx ⇒* x}.

We remark that reversing the directions of all production rules would give a more standard definition of a grammar, where x would be the start symbol. Our grammars will be such that the right-most symbol must remain invariant during a derivation. Note also that we do not distinguish between terminal and non-terminal symbols in this grammar.

Definition 2.2 For two strings u, v ∈ Σ*, we say that u ⊑ v if u is a subsequence of v, i.e., u can be obtained from v by deleting an arbitrary set of symbols therein; also, then v is said to be a supersequence of u. For any string u, [u] denotes the set of all supersequences of u, i.e., [u] = {v | u ⊑ v}. For a set of strings S, [S] is defined as [S] = {v | ∃u ∈ S, u ⊑ v}.

It is easy to verify the following two properties: a) if u ⊑ v, then [v] ⊆ [u]; and b) for finite sets of strings S, T, [S ∪ T] = [S] ∪ [T].

2.1 Restricted Accessibility

In this section, we consider a restricted set of operations for the accessibility problem. Let the class Ô2 denote a class of operations where the Get operation remains the same as in O2, but the Insert and Give operations are combined into one operation called Insert(a, x, c): given a, c ∈ V such that a → c ∈ E, add vertex x to V and edges a → x, x → c to E if (t(x), t(c)) ∈ Ri. This restricted accessibility problem leads to a class of accessibility grammars that we call leftist grammars.

Definition 2.3 An accessibility grammar G = (Σ, P, x) is said to be a leftist grammar if all its production rules are of one of the following two types, where a, b, c, d ∈ Σ:
ab → b (Delete Rule)
c → dc (Insert Rule)

Informally, a production rule in this grammar allows a symbol to insert or delete a symbol immediately to its left. Note that for a pair of symbols a and b, it is possible that only one of these two rules, or neither, is present in P; also, a and b need not be distinct. We will show in Section 3 that membership in leftist grammars is decidable.
2.2 Equivalence of Restricted Accessibility and Leftist Grammars

We first show that deciding can-access_Ô2(p, q) on a directed path from p to q is equivalent to deciding an instance of a leftist grammar. Consider the following mapping from the graph problem to the grammar. Given a graph (V, E), vertices p, q ∈ V, a set of types T, and relations Ri, Re, an instance G = (Σ, P, t(q)) of the grammar can be constructed as follows, with Σ = T:
If (t1, t2) ∈ Ri, then t2 → t1t2 ∈ P.
If (t1, t2) ∈ Re, then t1t2 → t2 ∈ P.
In general, a path L = p → u1 → ... → uk → q in the graph corresponds to a string sL = t(u1)t(u2)...t(uk)t(q). We will abuse notation and refer to t(u) as u, for clarity of presentation.

Let L ⇒ G1 ⇒ G2 ⇒ ... ⇒ Gf, where p → q ∈ Gf. If Gk+1 = Gk Get(a, b, c), then we say that edge a → c is explained by edges a → b, b → c. Similarly, if Gk+1 = Gk Insert(a, b, c), then we say that edges a → b, b → c are explained by a → c. Consider p → q in Gf. Let S = Sf = {p → q} be the set of unexplained edges. Let Gk+1 = Gk Insert(a, b, c). We set Sk = Sk+1 \ {a → b, b → c} ∪ {a → c}. A similar procedure exists for the Get operation. In other words, Sk consists of all the unexplained edges at step k as well as some edges of L. We prove the following lemma in Appendix A.1:

Lemma 2.1 For all k, Sk consists of edges on a directed path from p to q. Moreover, if sk is the string corresponding to the path Sk, then if Gk+1 = Gk Ik, where Ik is a graph operation, then sk+1 = sk ik, where ik is the corresponding string operation.

Note that S0 = L, so by Lemma 2.1 there exists a derivation sL ⇒* q. Thus, can-access_Ô2(p, q) implies sL ⇒* q. Combining this with the fact that sL ⇒* q implies can-access_Ô2(p, q) is true for the path L, we obtain:

Theorem 2.1 can-access_Ô2(p, q) is true iff sL ⇒* q.

Consider now a graph G instead of the path L. Let R be the set of all strings corresponding to directed walks from p to q in G. Clearly, R is a regular language. We show that deciding can-access_Ô2(p, q) in G is equivalent to deciding whether L(G) ∩ R ≠ ∅. We use the expression Rx ⇒* x to denote the predicate (∃w ∈ R) wx ⇒* x. As in Theorem 2.1, we can define a notion of unexplained edges. The set Sk now corresponds to a directed walk from p to q, and sk is a regular expression corresponding to this walk. By induction, we can show that sk ⇒* x, and hence there exists some regular expression s0 ⇒* x such that s0 corresponds to a directed walk from p to q.

Theorem 2.2 can-access_Ô2(p, q) is true in G iff Rx ⇒* x.

In Section 3, we will prove that it is decidable to determine whether L(G) ∩ R ≠ ∅. Thus:

Theorem 2.3 can-access_Ô2(p, q) is decidable.
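The mapping of Section 2.2 and the two theorems above, as an added Python example that is not part of the paper: it builds the leftist grammar from Ri and Re, maps a walk to its string sL, and checks sL ⇒* t(q) by an explicit derivation search. The relations, type names and vertex names are constructed for this example, and the search is deliberately bounded (a cap on string length, and a cap on walk length when enumerating the regular set R); it is not the paper's decision procedure of Section 3, which needs no such caps. A True answer is a genuine derivation; a False answer only says none exists within the bounds.

```python
from collections import deque

# Constructed restricted-accessibility instance (not from the paper).
RI = {("M", "Q")}                  # Insert(a, x, c): a Q may insert an M to its left
RE = {("B", "M"), ("M", "Q")}      # Get: a B left of an M, or an M left of a Q, may be deleted
TYPES = {"p": "P", "b": "B", "q": "Q"}
EDGES = {("p", "b"), ("b", "q")}


def leftist_grammar(Ri, Re):
    """Productions of the accessibility grammar of Section 2.2.
    Returns (inserts, deletes): inserts[c] holds every d with a rule c -> dc,
    deletes holds every (a, b) with a rule ab -> b."""
    inserts = {}
    for (t1, t2) in Ri:
        inserts.setdefault(t2, set()).add(t1)
    deletes = set(Re)
    return inserts, deletes


def path_string(path, t):
    """s_L for a walk p -> u1 -> ... -> uk -> q is t(u1) ... t(uk) t(q)."""
    return tuple(t[v] for v in path[1:])


def derives_bounded(grammar, s, max_len):
    """Search for s ==>* x, where x is the rightmost symbol of s (it is never
    rewritten by a leftist rule). Delete rules shorten the string and insert
    rules lengthen it, so the length cap max_len keeps the search finite."""
    inserts, deletes = grammar
    target = s[-1:]
    seen, queue = {s}, deque([s])
    while queue:
        cur = queue.popleft()
        if cur == target:
            return True
        succ = []
        for i, sym in enumerate(cur):
            # Delete rule ab -> b applied to cur[i] cur[i+1]
            if i + 1 < len(cur) and (sym, cur[i + 1]) in deletes:
                succ.append(cur[:i] + cur[i + 1:])
            # Insert rules c -> dc, inserting d immediately left of cur[i]
            if len(cur) < max_len:
                for d in sorted(inserts.get(sym, ())):
                    succ.append(cur[:i] + (d,) + cur[i:])
        for nxt in succ:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def walks(E, p, q, max_edges):
    """All directed walks from p to q with at most max_edges edges
    (a finite slice of the regular language R of Theorem 2.2)."""
    out, stack = [], [[p]]
    while stack:
        w = stack.pop()
        if w[-1] == q and len(w) > 1:
            out.append(w)
        if len(w) - 1 < max_edges:
            for (a, b) in sorted(E):
                if a == w[-1]:
                    stack.append(w + [b])
    return out


def can_access_restricted_bounded(E, t, Ri, Re, p, q, max_edges, slack):
    """Theorem 2.2 with explicit bounds: some walk string lies in L(G)."""
    grammar = leftist_grammar(Ri, Re)
    for w in walks(E, p, q, max_edges):
        s = path_string(w, t)
        if derives_bounded(grammar, s, len(s) + slack):
            return True
    return False


if __name__ == "__main__":
    g = leftist_grammar(RI, RE)
    s = path_string(["p", "b", "q"], TYPES)
    print("s_L =", "".join(s), "derives t(q):", derives_bounded(g, s, len(s) + 2))
    print("p -> q in the graph:",
          can_access_restricted_bounded(EDGES, TYPES, RI, RE, "p", "q", 3, 2))
```

On this instance the derivation is BQ ⇒ BMQ ⇒ MQ ⇒ Q: q inserts an M to its left, the B is deleted before the M, and the M before the Q, mirroring Insert(b, x, q) followed by two Get operations on the path. Dropping (B, M) from Re leaves the B with nothing that can delete it, and the search reports no derivation.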
3 Membership Testing for Leftist Grammars

Our main goal is to prove the decidability of the membership problem for languages of leftist grammars. In the remainder of this section we refer to a fixed leftist grammar G.

Definition 3.1 For a string w ∈ L(G), let wx ⇒* s1 ⇒* s2 ⇒* ... ⇒* sn ⇒* x be a derivation for w. For 1 ≤ i ≤ n, let ai denote the leftmost symbol in si. The string ι = a1a2...an is said to be an interface for wx. Let I(wx) denote the set of all interfaces for wx.

Intuitively, an interface is the sequence of symbols that will be observed if we were to view the derivation wx ⇒* x from the left, when we choose to view only at snapshots of time represented in the derivation sequence wx ⇒* s1 ⇒* s2 ⇒* ... ⇒* sn ⇒* x. Note that by definition, if ι is an interface for wx then so is any ι' ⊑ ι. The following fact is obvious and is the motivation for introducing the notion of interfaces: w ∈ L(G) if and only if I(wx) ≠ ∅. To be able to employ this fact, we need to devise an algorithm for computing the interface set I(wx). To this end, we will provide a technique for computing I(awx) from I(wx). Consider the following function on interfaces³:
Da(ι) = {ι' = a⁺bβ | bβ ⊑ ι and ab → b ∈ P}.
In other words, Da applied to an interface ι returns a set of interfaces which are prefixed by a nonempty sequence of a's and followed by a subsequence of ι whose first symbol b must be able to delete a to its left in the grammar G. We show in Appendix A.2 that if ι is an interface for wx, then every string in Da(ι) is an interface for awx.

Lemma 3.1 If ι ∈ I(wx), then Da(ι) ⊆ I(awx).

Further, let R(ι) be a function that returns a set of strings obtained by a single application to ι of one of the following types of transformation rules, defined for all α, β ∈ Σ* and for all a, b, c ∈ Σ:
Delete a symbol: αbβ ⇒ αβ.
Replicate a symbol: αbβ ⇒ αbbβ.
Insert a symbol: αabβ ⇒ αacbβ, provided a → ca ∈ P and cb → b ∈ P.
We claim that I(wx) is closed under R; for proof details, see Appendix A.3.

Lemma 3.2 If ι ∈ I(wx), then R(ι) ⊆ I(wx).

For a set of strings I, define Da(I) = ∪_{ι ∈ I} Da(ι) and R(I) = ∪_{ι ∈ I} R(ι). Further, let R^k denote the composition of R with itself k times; thus, R^k(I) is the set of strings obtained by applying all possible rule sequences of length k. Finally, we define the closure of R as R*(I) = ∪_k R^k(I). By Lemma 3.2, it must be the case that R*(I(wx)) ⊆ I(wx); thus, R*(I(wx)) = I(wx).

We also define inverses of the above two functions. For any string ι', we define Ea(ι') = Da⁻¹(ι') = {ι | ι' = a⁺bβ, bβ ⊑ ι, and ab → b ∈ P}. Let Q denote R⁻¹. Specifically, Q(ι) is a function that returns a set of strings obtained by a single application to ι of one of the following types of transformation rules, defined for all α, β ∈ Σ* and for all a, b, c ∈ Σ:
Insert a symbol: αβ ⇒ αbβ.
Remove duplicate: αbbβ ⇒ αbβ.
Delete a symbol: αacbβ ⇒ αabβ, provided a → ca ∈ P and cb → b ∈ P.
We define Q^k and Q* as before. All inverse functions are extended to apply to sets of strings, rather than taking only a single string as an argument. The following lemma explains the motivation for introducing Da and R, i.e., they can be used to define I(awx) in terms of I(wx). The proof is given in Appendix A.4.

Lemma 3.3 I(awx) = R*(Da(I(wx))).

3.1 Compactness Lemmas

Lemma 3.3 describes the relation between the set of interfaces of a string and the set of interfaces for its suffix. To properly exploit this property, we will need compact representations of the possibly infinite sets of interfaces. The following lemmas provide such compact representations.

Lemma 3.4 ([12]) Let {sn | n ≥ 1} be an infinite sequence of strings over a finite alphabet. Then there exist i and j > i such that si ⊑ sj.

³ We will use the notational device a⁺ to denote one or more repetitions of symbol a, and a* to denote zero or more repetitions of symbol a.
Let Q⁻(ι) be a function that returns a set of strings obtained by at most one application to ι of one of the following types of transformation rules, defined for all α, β ∈ Σ* and for all a, b, c ∈ Σ:
αbbβ ⇒ αbβ;
αacbβ ⇒ αabβ, αacβ ⇒ αabβ, αcbβ ⇒ αabβ, and αcβ ⇒ αabβ, provided a → ca ∈ P and cb → b ∈ P.
Observe that Q⁻ contains the "reductive" rules of Q, but not the "expansive" rule of inserting symbols. The motivation is that Q⁻(ι) will give us a compact representation of Q([ι]); that is, Q⁻(ι) is a finite core of Q([ι]) such that the set of all supersequences of Q⁻(ι) will capture Q([ι]). The three additional variants of the delete rule of Q are required in Q⁻ because a and/or b may not be present in ι itself, but instead are available to Q because of the supersequence operation applied to get [ι]. We claim the following lemma, giving only a brief overview of its proof.

Lemma 3.5 Q([ι]) = [Q⁻(ι)].

Observe that by the definition of Q⁻, ι ∈ Q⁻(ι) and so [ι] ⊆ [Q⁻(ι)]. Consider some string ι' ∈ [ι]. If a rule of Q is applied to a portion of ι' that is not a part of ι, then clearly Q(ι') ⊆ [ι] ⊆ [Q⁻(ι)]. Otherwise, if a rule of Q is applied to a portion of ι' inherited from ι, then we argue that applying a rule of Q⁻ before computing a supersequence can generate the same string. The interesting case is when the rule of Q is the deletion rule αacbβ ⇒ αabβ, where a and/or b are a part of ι' but not of ι; in this case, applying one of the four variants of the deletion rule from Q⁻, followed by a supersequence operation, has the same result.

Similarly, we define a "reductive" version Ea⁻ of Ea. Let ι' = a⁺bβ. Then
Ea⁻(ι') = {cbβ | ac → c ∈ P} ∪ {bβ} if ab → b ∈ P, and Ea⁻(ι') = {cbβ | ac → c ∈ P} if ab → b ∉ P.
As before, Ea⁻ gives a compact representation of Ea. We omit the proof of the following lemma.

Lemma 3.6 Ea([H]) = [Ea⁻(H)].

Observe that Q⁻(S) and Ea⁻(S) are easily computable for any finite set of strings S. The proof of the following lemma can be found in Appendix A.5.

Lemma 3.7 Given a finite set of strings S and any symbol a, there exists a finite set of strings H such that Ea(Q*([S])) = [H].

3.2 The Decision Procedure

We are now ready to describe the decision procedure for testing membership for leftist grammars. Given a leftist grammar G and a string w, we wish to determine whether wx ⇒* x in G. Alternatively, since I(wx) is closed under subsequence operations, it is sufficient to determine whether ε ∈ I(wx), or equivalently to verify that [ε] ∩ I(wx) ≠ ∅. Let w = aw'. Then
[ε] ∩ I(wx) = [ε] ∩ R*(Da(I(w'x))) = Q*([ε]) ∩ Da(I(w'x)) = Ea(Q*([ε])) ∩ I(w'x).
Consider the following algorithm for computing [S] ∩ I(wx), where S is any finite set of strings.

Algorithm A(S, w)
1. If w = x, then return S ∩ {ε, x}.
2. Let w = aw'.
3. Compute a finite set H such that [H] = Ea(Q*([S])).
4. Return A(H, w').

In Step 2 of the algorithm, we are guaranteed by Lemma 3.7 that a finite H exists. Such an H can be determined in Step 3 by computing Ea⁻(Q⁻*(S)). By invoking A(ε, w), we compute [ε] ∩ I(wx). We have the following theorem.
Theorem 3.1 The membership problem for leftist grammars is decidable.
3.3 Generalization to Regular Languages

We now have the tools to address the intersection problem; namely, given a regular language R and a leftist grammar G, check whether L(G) ∩ R ≠ ∅. This is equivalent to checking the decidability of L = {(G, R) | L(G) ∩ R ≠ ∅}. Define I(Rx) = ∪_{w ∈ R} I(wx). The decidability of L is equivalent to the following problem: is ε ∈ I(Rx)? As before, it is sufficient to check whether [ε] ∩ I(Rx) ≠ ∅. For a set of strings S, let f(a, S) = Ea(Q*(S)). For a string wa, let f(wa, S) = Ea(Q*(f(w, S))). For a set of strings A, f(A, S) = ∪_{w ∈ A} f(w, S). We show that f(R, [S]) is compactly representable, for a regular language R and a set of strings S.

Theorem 3.2 There exists a finite set of strings H such that f(R, [S]) = [H].

Proof: As in the previous section, we define a function f⁻(a, S) = Ea⁻(Q⁻*(S)). Similarly, for regular expressions R1, R2, we define f⁻(R1 + R2, S) = f⁻(R1, S) ∪ f⁻(R2, S) and f⁻(R1R2, S) = f⁻(R2, f⁻(R1, S)). A similar argument to that of Claim A.1 shows that there exists an i such that f⁻(R1*, S) = ∪_{j=0}^{i} (f⁻)^j(R1, S). The proof follows by setting H = f⁻(R, S). In this notation, the output of A(ε, I(wx)) from the previous section is just [f⁻(wx, {ε})]. The following theorem is based on the fact that L(G) ∩ R = [ε] ∩ I(Rx) = f⁻(R, {ε}).
Theorem 3.3 L is decidable.

4 Accessibility Is Decidable

In this section, we will prove the decidability of can-access_O2(p, q). The proof will use similar ideas to the proof of decidability of can-access_Ô2(p, q). We first reduce an instance of the accessibility problem on general graphs to an instance of a special kind of grammar G1. This is then reduced to a grammar G2 having a form very similar to the leftist grammar of Section 2.1. We then prove the decidability of this grammar, using the ideas outlined in Section 3.

4.1 Accessibility Grammar G1

The grammar G1 has two types of symbols, positive symbols that correspond to the types of vertices in the graph and negative symbols (one for each type) that encode back edges in the graph. More formally, given a graph (V, E) with type set T and relations RI, RE, we construct a grammar G1 = (T ∪ T̄, P, x), where T̄ = {t̄ | t ∈ T}. Intuitively, the string ab corresponds to the edge a → b and the string ā b corresponds to the edge a ← b. In addition, let ā denote an arbitrary symbol in T̄. We will refer to ā as a backward symbol. The construction of P is as follows:

Graph | G1
(b, c) ∈ RI | P ⊇ {b c → bc, c b → c b}
(b, c) ∈ RE | P ⊇ {bc → c, c b → c}
Insert(a, b) | P ⊇ {a → ab a | ∀a, b ∈ T}

Also, for every rule a → a, a ∈ T, there is a corresponding rule of the form a → a. Let R denote the set of all walks from p to q in the graph, where directions of edges are ignored. For each such walk, there exists a corresponding string over T ∪ T̄. For example, the walk p ← b → c → p → d ← q corresponds to the string p̄ b c p d̄ q. The proof of the following theorem is analogous to that of Theorem 2.1.
Theorem 4.1 can-access_O2(p, q) ⟺ L(G1) ∩ R ≠ ∅.

4.2 The Grammar G2

We now show that G1 is equivalent to a grammar G2 that is almost leftist. In order to do this, we extend our alphabet to include symbols of the form a, a ∈ T ∪ T̄. We will refer to such a symbol a as a new symbol. The construction of P is as follows:

Graph | G2
(b, c) ∈ RI | P ⊇ {b → cd, cb → b}
(b, c) ∈ RE | P ⊇ {bc → c, c → bc}
(all c) | P ⊇ {c → c, c c → c | ∀c ∈ T}

We define L(G2) = {aw | awx ⇒* ax} ∪ {a w | a wx ⇒* ax}. It follows from the definition of G2 that a can never be deleted. Additionally, a will remain intact until it is changed into a, and then it will never be deleted. A somewhat tedious case analysis shows that G1 and G2 are essentially equivalent. This implies that proving decidability for membership in G2 is sufficient to prove decidability of can-access_O2(p, q).
4.3 Membership in G2 is Decidable

In this section, we show that for the grammar G2 and a regular language R, determining whether L(G2) ∩ R ≠ ∅ is decidable. As in Section 3, we will first show that membership in L(G2) is decidable. The grammar G2 is very similar to a leftist grammar; note that all insert and delete operations happen to the left. However, there are extra rules involving new nodes and backward nodes which are not strictly leftist. Our proof will proceed along the lines of the proof of membership for leftist grammars. Specifically, we will first extend the notion of an interface to incorporate backward symbols, and will then show how these interfaces can be computed recursively. We will also use similar compact representation arguments to those in Section 3 to implement the algorithm effectively. For technical reasons, we will not work directly with G2, but with a slightly modified version G3, which is constructed as follows:

G2 | G3
ab → b | ab → b
b → ab | b → ab
d → cd | d → cd
cd → d | cd → d
c c → c | c⁻¹ c → ε
c → c | c → c
Notice that G3 has leftist rules, except for the two rules c⁻¹ c → ε and c → c.

Definition 4.1 Let wx ⇒* a1w1x ⇒* a2w2x ⇒* ... ⇒* akwkx ⇒* vx be a derivation in a grammar. The string ι = a1a2...ak is said to be an interface of the pair wx, vx (where none of the ai are negated). Let I(wx, vx) denote the set of all such interfaces.

We immediately observe that I(wx) = I(wx, x). Further, let sx be a string such that sx ⇒* f1u1x, u1x ⇒* f2u2x, ..., ukx ⇒* x. We define the generalized interface J(sx) of the string sx as the set I(sx, f1u1x){f1}I(u1x, f2u2x){f2}...I(ukx), where f1, f2, ..., fk are special characters called stops. Given a generalized interface w1f1w2f2...wk ∈ J(sx), we refer to wi as the ith segment of the interface. In the sequel, we shall use the term interface to refer to a generalized interface.

We now extend the definitions of Da, R, Ea, Q to our new types of interfaces. Da is the same as in Section 3, except that it applies only to the first segment of the interface. In addition, let D̄a(ι) = {ι' | ā ι' = ι}. The functions Ea and Ēa are defined similarly. Further, let R0(ι) be a function that returns a set of strings obtained by a single application to the first segment of ι of one of the following types of transformation rules, defined for all α, β ∈ Σ* and for all a, b, c ∈ Σ:
Delete a symbol: αbβ ⇒ αβ.
Replicate a symbol: αbβ ⇒ αbbβ.
Insert a symbol: αabβ ⇒ αaccbβ, provided a → ca ∈ P and cb → b ∈ P.
Let R1(ι) be a function that returns a set of strings obtained by a single application of the rule ac c ⇒ a, provided ac is in the first segment of ι and a → ca ∈ P. Let R denote the union of the operations R0 and R1. Note that only Ēa can introduce stops and only R1 can remove them. As before, w ∈ L(G3) iff x ∈ J(wx). The following lemma is analogous to Lemma 3.3.

Lemma 4.1
1. J(awx) = R*(Da(J(wx)))
2. J(a⁻¹wx) = D̄a(J(wx))

Proof [sketch]: The first part follows along the lines of Lemma 3.3. For the second part, note that any interface ι' of a⁻¹wx is a substring of a string of the form ā α.

Definition 4.2 Define an eraser of a string w, K(w), recursively as follows:
1. K(ε) = [ε]
2. K(aw) = Q*(Ea(K(w)))
3. K(a⁻¹w) = Ēa(K(w))

For a string s, sx ⇒* x iff x ∈ K(s). Note that K(s) could contain stops. Let a string s' ∈ K(s) containing k stops be called a type k eraser. Denote the set of type 0 erasers of s by K0(s). To check if sx ⇒* x we thus need to check if x ∈ K0(s).

In Section 3.2 we presented an algorithm for deciding membership in a leftist grammar, and then generalized this procedure to compute the intersection of such a grammar with a regular language. In this section, we will combine the two procedures. Consider the NFA corresponding to the regular expression defined by all paths from p to q in the graph G. For each pair of nodes u, v in the NFA, there is a set of strings obtained by traversing all possible paths between u and v. This regular set is denoted by Puv. We will compute the type zero erasers, Suv, of all the strings in Puv. Note that L(G3) ∩ R ≠ ∅ ⟺ x ∈ Spq. The sets Suv are computed via dynamic programming, using the following lemma:

Lemma 4.2 Let α be a type 0 eraser of s1 and β be a type 0 eraser of s0. Then αfβ is a type 1 eraser of the string s = s0 f⁻¹ s1. Conversely, if αfβ is a type 1 eraser of a string s, then s = s0 f⁻¹ s1, where α is a type 0 eraser of s1 and β is a type 0 eraser of s0.
Proof [sketch]: The first part is clear from the formula for computing K(s). Conversely, note that the f can only be introduced because of an f⁻¹ ∈ s. Therefore s must be of the form s = s0 f⁻¹ s1. When f⁻¹ is encountered an Ēf operation is applied, thus creating two segments in the eraser. Subsequently, these segments remain independent. The first segment is a type zero eraser of s1 and the second segment is a type zero eraser of s0.

Let Mu denote the set of nodes v such that vu is an edge labeled with a non-inverse element. Let N denote the edges (p, q) labeled with an inverse element. Let f_pq⁻¹ denote this inverse element.

Lemma 4.3 Suv can be computed for every pair u, v by using the following iterative procedure till all Suv converge:
Initialization: (∀x) Sxx = [ε]; (∀p ≠ q) Spq = ∅.
Iterative step: Suv = ∪_{p ∈ Mv} Q0*(E_{a_pv}(Sup)) ∪ ∪_{(p, q) ∈ N} Q0*(Q1*(Sqv {f} Sup)) ∪ Suv.

Convergence of the algorithm is established by using a compactness lemma akin to that of Section 3.1. To show that the algorithm converges with the correct values for each Suv, we employ an induction argument on the cases in the iterative step. The details are deferred to a full version of the paper. Once we have the sets Suv, we can determine whether x ∈ Spq, yielding the following:

Theorem 4.2 For the grammar G3 and regular language R, checking whether L(G) ∩ R ≠ ∅ is decidable.

It can be shown that G2 and G3 are equivalent. From the equivalence of G1 and G2, the decidability of can-access_O2(p, q) follows.
5 Acknowledgments

The authors would like to thank Dave Kormann, John Mitchell, Mark Mitchell, Michael Riter, Rebecca Wright, Avi Rubin, and Oleg Cheiner for many helpful discussions.
A Proofs

A.1 Proof of Lemma 2.1

Proof: The proof proceeds by reverse induction on $k$, i.e., we assume the property holds for all $j > k$ and prove that it holds for $k$. The base case is clearly true, as $S_f = \{p \to q\}$. Let the claim be true for all $j > k$. Therefore, $S_{k+1}$ is a directed path from $p$ to $q$, and $s_{k+1} \Rightarrow s_f = q$.

$I_k = \mathrm{Insert}(a, b, c)$: At least one of $a \to b$, $b \to c$ must be unexplained. Suppose that $a \to b$ is explained. Since by the hypothesis $b \to c \in S_{k+1}$, $b$ has degree 2 in $G_{k+1}$. However, the vertex $b$ is created at step $k+1$, and so cannot have degree 2, a contradiction. Therefore, both edges belong to $S_{k+1}$ and are unexplained. Replacing these edges by $a \to c$ preserves the directed path between $p$ and $q$. Let the path $S_{k+1}$ correspond to the string $abc$ . The path $S_k$ corresponds to the string $ac$ . The grammar contains the rule $c \Rightarrow bc$, and hence we have $s_k \Rightarrow s_{k+1}$.

$I_k = \mathrm{Get}(a, b, c)$: Suppose $b \in V(G_{k+1}) \setminus V(S_{k+1})$. For some $k' > k+1$, $b \in V(S_{k'})$ and $b \notin V(S_{k'-1})$. Therefore $b$ participates in an $\mathrm{Insert}(l, b, m)$ operation. But this implies that $b$ was created at step $k'$, and therefore did not exist at step $k$ (and so could not participate in the Get operation). If $b \in V(S_{k+1})$, then replacing $a \to c$ by the edges $a \to b$, $b \to c$ creates a cycle. However, $L$ is a path and both operations preserve order. Hence $b \notin V(S_{k+1})$. Therefore, $b$ is a new node and $S_k = S_{k+1} \setminus \{a \to c\} \cup \{a \to b,\, b \to c\}$, which is also a directed path from $p$ to $q$. Since $b$ is a new node, it is easily seen that $s_k \Rightarrow s_{k+1}$. Hence, the claim holds for $k$ and so is true for all $k$.

A.2 Proof of Lemma 3.1

Proof: We assume that $D_a(\iota)$ is nonempty, since otherwise the lemma is vacuous. (Note that it is possible that $I(awx)$ is empty, in which case $D_a(\iota)$ must be empty.) Consider any string $\jmath = a^{+} b \in D_a(\iota)$. We will establish that $\jmath \in I(awx)$. By definition, $b$  $\iota$ and so $wx \Rightarrow bs \Rightarrow x$ is a valid derivation, where  is an interface for $bs$. It follows that $awx \Rightarrow abs \Rightarrow bs \Rightarrow x$ is a valid derivation since $ab \to b \in P$, which implies that $ab \in I(awx)$. Since $\Rightarrow$ is reflexive, we have the derivation $awx \Rightarrow awx \Rightarrow abs \Rightarrow bs \Rightarrow x$, which in turn verifies that $\jmath = a^{+} b \in I(awx)$.
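The proofs above and in A.4 reason about concrete derivations of a leftist grammar, whose productions all have one of two shapes seen here: an insert rule $a \to ba$ ($a$ puts $b$ on its left, as in $c \Rightarrow bc$ or $a \to ca$) and a delete rule $ab \to b$ ($b$ removes the $a$ standing to its left, as in $ab \to b$ or $a d_a \to d_a$). The following Python is an added, constructed example, not the authors' membership procedure of Section 3.2: it enumerates every derivation $w x \Rightarrow \cdots \Rightarrow x$ of bounded length by exhaustive search. The rule set, the function names and the length bound are assumptions made for this example; with the constructed rules $a \to ba$, $ax \to x$, $bx \to x$, $ba \to a$ it finds exactly the two length-3 derivations of $ax \Rightarrow x$ that A.4 lists as the base case (those in which $a$ inserts a symbol), plus the one-step derivation $ax \Rightarrow x$.

```python
"""Bounded enumeration of derivations in a leftist grammar.

Constructed example (not from the paper).  A leftist grammar has only two
production shapes: an insert rule  a -> ba  (a puts b on its left) and a
delete rule  ab -> b  (b removes the a standing to its left).  Because
insert rules can grow a sentential form without bound, the search is
bounded by a step count and a maximum string length.
"""
from typing import List, Optional, Tuple

Production = Tuple[str, str]  # (left-hand side, right-hand side)


def is_leftist(productions: List[Production]) -> bool:
    """True iff every rule is an insert rule a -> ba or a delete rule ab -> b."""
    for lhs, rhs in productions:
        insert = len(lhs) == 1 and len(rhs) == 2 and rhs[1] == lhs
        delete = len(lhs) == 2 and len(rhs) == 1 and lhs[1] == rhs
        if not (insert or delete):
            return False
    return True


def one_step(s: str, productions: List[Production]) -> List[str]:
    """All strings reachable from s by applying one production at one position."""
    out = []
    for lhs, rhs in productions:
        start = 0
        while True:
            pos = s.find(lhs, start)
            if pos < 0:
                break
            out.append(s[:pos] + rhs + s[pos + len(lhs):])
            start = pos + 1
    return out


def derivations(productions: List[Production], start: str, target: str,
                max_steps: int, max_len: Optional[int] = None) -> List[List[str]]:
    """Every derivation start => ... => target using at most max_steps steps.

    Each derivation is returned as the list of sentential forms it passes
    through, beginning with `start` and ending with `target`.  Sentential
    forms longer than `max_len` are pruned to keep the search finite.
    """
    if not is_leftist(productions):
        raise ValueError("not a leftist grammar")
    if max_len is None:
        max_len = len(start) + max_steps  # assumption: enough room for this example
    found: List[List[str]] = []

    def walk(path: List[str]) -> None:
        cur = path[-1]
        if cur == target:
            found.append(list(path))  # record and keep going: target may rewrite further
        if len(path) - 1 == max_steps:
            return
        for nxt in one_step(cur, productions):
            if len(nxt) <= max_len:
                path.append(nxt)
                walk(path)
                path.pop()

    walk([start])
    return found


def has_insert_step(derivation: List[str]) -> bool:
    """True iff some step of the derivation applies an insert rule (the string grows)."""
    return any(len(b) > len(a) for a, b in zip(derivation, derivation[1:]))


if __name__ == "__main__":
    # Constructed rule set: a inserts b; x deletes a and b; a deletes b.
    rules = [("a", "ba"), ("ax", "x"), ("bx", "x"), ("ba", "a")]
    for d in derivations(rules, "ax", "x", max_steps=3):
        tag = "a inserts" if has_insert_step(d) else "no insertion"
        print(" => ".join(d), f"({tag})")
```

Raising `max_steps` shows why the paper needs the interface machinery rather than this search: every extra step admits longer derivations such as $ax \Rightarrow bax \Rightarrow bbax \Rightarrow \cdots$, so the enumeration only ever certifies derivations up to the chosen bound and can never by itself establish that none exists.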
A.3 Proof of Lemma 3.2

Proof: We show that applying any one of the three transformation rules in the definition of $R$ to an interface $\iota \in I(wx)$ yields another valid interface $\jmath \in I(wx)$. Suppose that $\iota = $ $b$ , and let $wx \Rightarrow s_{i-1} \Rightarrow s_i = bs \Rightarrow s_{i+1} \Rightarrow x$ be a derivation yielding $\iota$ in which  corresponds to the prefix $wx \Rightarrow s_{i-1}$ and  corresponds to the suffix $s_{i+1} \Rightarrow x$. The delete rule gives $\jmath = $ , which is in $I(wx)$ since it is a valid interface for the derivation $wx \Rightarrow s_{i-1} \Rightarrow s_{i+1} \Rightarrow x$ obtained via the transitivity of the $\Rightarrow$ relation. Similarly, the replicate rule gives $\jmath = $ $bb$ , which is in $I(wx)$ since it is a valid interface for the derivation $wx \Rightarrow s_{i-1} \Rightarrow s_i = bs \Rightarrow s_i = bs \Rightarrow s_{i+1} \Rightarrow x$ obtained via the reflexivity of the $\Rightarrow$ relation. For the insert rule, consider the interface $\iota = $ $ab$  obtained from a derivation $wx \Rightarrow as \Rightarrow bs' \Rightarrow x$, where  corresponds to the prefix $wx \Rightarrow as$ and  corresponds to the suffix $bs' \Rightarrow x$. Since the insert rule is only applicable when $a \to ca$ and $cb \to b$ are valid production rules, we know that the following is a valid derivation: $wx \Rightarrow as \Rightarrow cas \Rightarrow cbs' \Rightarrow bs' \Rightarrow x$. Clearly, $\jmath = $ $acb$  is an interface for the latter derivation.

A.4 Proof of Lemma 3.3

Proof: From Lemma 3.1, we know that $D_a(I(wx)) \subseteq I(awx)$. Also, Lemma 3.2 implies that $I(awx)$ is closed under $R$, and hence it follows that $R(D_a(I(wx))) \subseteq I(awx)$. Therefore, it suffices to prove that $I(awx) \subseteq R(D_a(I(wx)))$. We assume that $I(awx)$ is nonempty, otherwise there is nothing to prove. Let $\jmath \in I(awx)$ be an interface and fix a derivation $awx \Rightarrow s_1 \Rightarrow \cdots \Rightarrow s_n \Rightarrow x$ corresponding to $\jmath$. One of the following two cases must hold in the derivation:

Case 1. [$a$ does not insert any symbol] Eventually, the leftmost $a$ in $awx$ must be deleted. Let $d_a$ denote the symbol that deletes $a$ via a production of the form $a d_a \to d_a$. Since $a$ cannot affect anything to its right in a leftist grammar, the derivation corresponding to $\jmath$ must have the form $awx \Rightarrow a d_a s \Rightarrow d_a s \Rightarrow x$. This means that $\jmath$  $a^{+} d_a$ , where  corresponds to $d_a s \Rightarrow x$. Observe that $wx \Rightarrow d_a s \Rightarrow x$ is a valid derivation with an interface $\iota \in I(wx)$ of the form  $d_a$ , where  corresponds to $wx \Rightarrow d_a s$. Using $\iota$ in the definition of $D_a$, it now follows that $a^{+} d_a$  $\in D_a(I(wx))$. Since $\jmath$  $a^{+} d_a$  and the delete rule in the definition of $R$ implies closure under subsequences, we conclude that $\jmath \in R(D_a(I(wx)))$.

Case 2. [$a$ inserts at least one symbol] We use induction on the length $k$ of a derivation.
The induction hypothesis is that $R(D_a(I(wx)))$ contains each interface $\jmath$ for a length-$k$ derivation of $awx$ in which $a$ inserts a symbol. The base case is $k = 3$, and here $w$ must be . This is because when $a$ inserts some symbol $b$, both of these must somehow be deleted, so it is not possible to have a derivation of length less than 3. In fact, the only possible derivations are $ax \Rightarrow bax \Rightarrow bx \Rightarrow x$ and $ax \Rightarrow bax \Rightarrow ax \Rightarrow x$. Consider the first derivation and observe that each interface for it must be of the form $a^{*} b^{*} x^{*}$. Since $x \in I(wx)$ and $x$ deletes $a$ in the derivation, we have that $a^{+} x \in D_a(I(wx))$. Since $a$ inserts $b$ and $x$ deletes $b$, by the insert rule of $R$ we have $a^{+} b x \in R(D_a(I(wx)))$. Then, by the replicate rule of $R$, we have that $a^{+} b^{+} x^{+} \in R(D_a(I(wx)))$. Finally, by the delete rule of $R$, we obtain that $a^{*} b^{*} x^{*} \in R(D_a(I(wx)))$. Similarly, each interface for the second derivation must be of the form $a^{*} b^{*} a^{*} x^{*}$. Since $x \in I(wx)$ and $x$ deletes $a$ in the derivation, we obtain that $a^{+} x \in D_a(I(wx))$. Since $a$ both inserts and deletes $b$, by the insert rule of $R$ we have that $a^{+} b a^{+} x \in R(D_a(I(wx)))$. Employing the replicate and delete rules of $R$, we conclude that $a^{*} b^{*} a^{*} x^{*} \in R(D_a(I(wx)))$.

We now turn to the induction step. Assume that $\jmath \in R(D_a(I(wx)))$ for all interfaces $\jmath \in I(awx)$ obtained from derivations of length less than $k$ where $a$ inserts a symbol. Let $\iota \in I(awx)$ be an interface for a derivation $awx \Rightarrow x$ of length $k$. Note that in any derivation $awx \Rightarrow x$, there must exist some symbol $c$ which does not insert anything. We consider two cases.

Suppose $\iota = $ $c$ . Let $i_c$ and $d_c$ be the symbols that insert and delete $c$, respectively, in the derivation corresponding to $\iota$. If both $i_c$ and $d_c$ are present in $\iota$, we have $\iota = '\, i_c \; c \; d_c \;'$, for some $'$ and $'$. Consider the string $\iota' = '\, i_c \; d_c \;'$. Clearly, $\iota'$ is an interface for the modified derivation in which $c$ is not inserted, and which therefore has length $k - 1$. By the induction hypothesis, $\iota' \in R(D_a(I(wx)))$, and by application of the insert and replicate rules of $R$, we can verify that $\iota \in R(\iota') \subseteq R(D_a(I(wx)))$. If either $i_c$ or $d_c$ is not present in $\iota$, we define a new interface $\iota''$ obtained by inserting $i_c$ and/or $d_c$ appropriately into $\iota$; clearly, $\iota''$ is a valid interface for the derivation corresponding to $\iota$. By the preceding argument, $\iota'' \in R(D_a(I(wx)))$, and since $\iota \in R(\iota'')$, the claim follows again. Alternatively, suppose that $c$ is not present in $\iota$. In this case, since $c$ does not insert anything, we can modify the derivation corresponding to $\iota$ by omitting the insertion (and deletion) of $c$ to obtain a valid derivation sequence for which $\iota$ is still an interface. Since the new derivation is shorter, by the induction hypothesis $\iota \in R(D_a(I(wx)))$.

A.5 Proof of Lemma 3.7

Proof: We start by showing that there exists some finite set $H'$ such that $Q^{*}([S]) = [H']$.
Observe that $Q^{*}([S]) = \bigcup_i Q^{i}([S]) = \big[\bigcup_i (Q^{-})^{i}(S)\big]$, where the latter follows from Lemma 3.5. Let $(I + Q)(S)$ denote the set $S \cup Q(S)$, and let $(I + Q^{-})(S)$ denote $S \cup Q^{-}(S)$; observe that, while $(I + Q^{-})(S) = Q^{-}(S)$, it is not necessary that $S$ be contained in $Q(S)$. Finally, define $F_i = (I + Q^{-})^{i}(S)$.

Claim A.1 There exists a finite $i$ such that $(Q^{-})^{i+1}(S) \subseteq [(Q^{-})^{i}(S)]$.

Proof: Suppose that for all $j$, $Q^{-}(F_j) \not\subseteq [F_j]$. For each $j$, select a string $s_j \in F_{j+1} \setminus [F_j]$. In the sequence $s_1, s_2, \ldots$, we have that $s_j \notin [s_k]$ for all $k$ and $j > k$. But by Lemma 3.4 such an infinite sequence of strings cannot exist, giving a contradiction. We conclude that there exists an $i$ such that $Q^{-}(F_i) \subseteq [F_i]$.

By Lemma 3.5, $(I + Q)([F_i]) = [(I + Q^{-})(F_i)] = [Q^{-}(F_i)]$, which is easily seen to be $[F_i]$ by applying Claim A.1. It follows that $Q^{*}([F_i]) = [F_i]$. Now,
\begin{align*}
Q^{*}([S]) &= Q^{*}\big((I + Q)^{i}([S])\big) \\
&= Q^{*}\big([(I + Q^{-})^{i}(S)]\big) && \text{by Lemma 3.5} \\
&= Q^{*}([F_i]) \\
&= [F_i]
\end{align*}

We conclude that there exists a finite set $H' = F_i$ such that $Q^{*}([S]) = [H']$. Furthermore, $E_a([H']) = [E_a^{-}(H')]$ from Lemma 3.6. Since $H'$ is finite, it follows from the definition of $E_a^{-}$ that $E_a^{-}(H')$ is finite. Setting $H = E_a^{-}(H')$, the result follows.