d. Give s(i-1) the 'own' right for s(i) (the 'own' rights are what let the ACM preserve the left-to-right order of the TM's tape symbols).
2. For every state q of the TM, create an access right rq.
3. Grant the subject corresponding to the first tape symbol the right corresponding to the TM's initial state (this marks the head's position and current state).
4. Encode every transition of the TM as a command (e.g. if subject s has the state right rq and the symbol right ri, then delete rq and add rq_next to the subject that either owns or is owned by s, depending on which way the head moves). A command may need to add a new subject to the ACM when the head moves onto a tape cell that has no subject yet.
5. Create a command that grants subject s1 the 'done' right if any subject holds a state right corresponding to a final state.
II. The TM halts if and only if s1 in the corresponding ACM can acquire the 'done' right. Since the halting problem is undecidable, determining whether s1 can acquire the 'done' right must also be undecidable, so the general safety question is undecidable.
Note: The safety question for certain restricted policies is decidable.
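The reduction in steps 1-5 carried out in code, as an added example that is not part of the original notes: a small HRU-style access-control matrix whose commands simulate a constructed two-state Turing machine (the TM, the tape, and the right names 'own', 'sym:x', 'st:q' and 'done' are all assumptions of this example).

```python
from collections import defaultdict
BLANK = "_"
# Constructed TM: in q0 move right over 'a' cells; on a blank write 'b', move
# left and enter the final state qf.  (q, symbol) -> (q', symbol', direction)
TM_TRANSITIONS = {("q0", "a"): ("q0", "a", "R"), ("q0", BLANK): ("qf", "b", "L")}
TM_FINAL = {"qf"}

class ACM:
    # rights[(subject, object)]: 'sym:x' and 'st:q' on (s, s) give cell s's symbol and head state
    def __init__(self, tape, initial_state):
        self.rights, self.subjects = defaultdict(set), []
        for sym in tape:
            self.add_subject(sym)                      # step 1: a subject per cell
        self.rights[("s1", "s1")].add("st:" + initial_state)  # step 3
    def add_subject(self, sym):
        s = "s%d" % (len(self.subjects) + 1)
        if self.subjects:                              # step 1d: s(i-1) owns s(i)
            self.rights[(self.subjects[-1], s)].add("own")
        self.subjects.append(s)
        self.rights[(s, s)].add("sym:" + sym)
        return s
    def neighbour(self, s, d):                         # follow the 'own' right
        for t in self.subjects:
            if "own" in (self.rights[(s, t)] if d == "R" else self.rights[(t, s)]):
                return t
        return self.add_subject(BLANK) if d == "R" else s  # new cell / leftmost cell
    def step(self):                                    # step 4: a command per transition
        for (q, sym), (q2, sym2, d) in TM_TRANSITIONS.items():
            for s in self.subjects:
                cell = self.rights[(s, s)]
                if "st:" + q in cell and "sym:" + sym in cell:  # command conditions
                    nxt = self.neighbour(s, d)
                    cell -= {"st:" + q, "sym:" + sym}             # delete old rights
                    cell.add("sym:" + sym2)                       # enter written symbol
                    self.rights[(nxt, nxt)].add("st:" + q2)       # enter next state
                    return True
        return False                                   # no command enabled: TM halted
    def done_command(self):                            # step 5
        if any("st:" + f in self.rights[(s, s)] for s in self.subjects for f in TM_FINAL):
            self.rights[("s1", "s1")].add("done")
    def tape(self):
        return "".join(r[4:] for s in self.subjects for r in self.rights[(s, s)] if r[:4] == "sym:")

def run(tape, max_steps=1000):            # bounded simulation: (s1 holds 'done', final tape)
    acm = ACM(tape, "q0")
    for _ in range(max_steps):
        acm.done_command()
        if "done" in acm.rights[("s1", "s1")] or not acm.step():
            break
    return "done" in acm.rights[("s1", "s1")], acm.tape()
```

The simulation is bounded by max_steps, so a False result is not a proof that s1 can never obtain 'done'; that is exactly the undecidability the reduction establishes.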
Reference Monitors
A reference monitor is a piece of software that checks every access to every object. As part of the system's trusted computing base (the hardware and software needed to maintain security), it is evaluated on its size and complexity, since a small, simple monitor is easier to verify. Performance is also a practical concern.
Reference monitors are often used to provide complete mediation for access control, i.e. no access can bypass the check.
They can be implemented in the following ways:
- Interpreter: every program instruction is sent to the reference monitor, which checks it for policy compliance and forwards it to the hardware only if it does not violate policy. Low-level policies such as restricting memory access are easy to implement this way, but high-level functions are difficult to regulate and interrupt policies are not supported. Since every instruction must pass through the interpreter, performance is typically poor.
- Wrapper: similar to an interpreter, except that some instructions bypass it. Which instructions go through the wrapper can be chosen by operation (e.g. read) or by the data involved (e.g. memory-mapped I/O). Since some instructions are not checked, performance can be better than an interpreter's, but policies that involve the unchecked instructions cannot be enforced.
- Special purpose hardware can be used to provide complete mediation. This option will be discussed in the next lecture.
Note: Adding a security layer that can reject program instructions changes the program's interface, since the program must now handle the possibility that an instruction is rejected.