Upload
garrett-rivas
View
27
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Access Control Matrix. Outline. Overview Access Control Matrix Model Boolean Expression Evaluation History Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege. Overview. State - PowerPoint PPT Presentation
Citation preview
csci5233 computer security & integrity
1
Access Control Matrix
csci5233 computer security & integrity
2
Outline Overview Access Control Matrix Model
– Boolean Expression Evaluation– History
Protection State Transitions– Commands– Conditional Commands
Special Rights– Principle of Attenuation of Privilege
csci5233 computer security & integrity
3
Overview State
– The collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system.
Protection state of system– a subset of the states that are relevant to
protection
Access control matrix– A tool that can describe protection state– Matrix describing rights of subjects– State transitions change elements of matrix
csci5233 computer security & integrity
4
Overview Access control matrix model
– The most precise model used to describe a protection state
– It characterizes the rights of each subject with respect to every other entity, which can be active or passive.
– The set of objects = the set of all protected entities– The set of subjects = the set of active objects,
such as processes and users.– The ACM captures the relationships between the
subjects and the objects.– When a command changes the state of the
system, a state transition occurs.
csci5233 computer security & integrity
5
Descriptionobjects (entities)
subj
ects
s1
s2
…
sn
o1 … om s1 … sn
Subjects S = { s1,…,sn } Objects O = { o1,…,om } Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry }
means subject si has rights rx, …, ry over object oj
A[sn, om]
csci5233 computer security & integrity
6
Example 1 Processes p, q Files f, g Rights r, w, x (execute), a(ppend),
o(wn)
f g p q
p rwo r rwxo w
q a ro r rwxo
csci5233 computer security & integrity
7
Example 2
Procedures inc_ctr, dec_ctr, manage Variable counter Rights +, –, call
counter inc_ctr dec_ctr manage
inc_ctr +
dec_ctr –
manage call call call
csci5233 computer security & integrity
8
Boolean Expression Evaluation ACM may be used for control of access to
database fields ACM controls access to database fields
– Subjects have attributes (e.g., name, role, groups, programs, etc.)
– Verbs define type of access (e.g., read, write, paint, temp_ctl)
– Rules associated with (objects, verb) pair (e.g., object = recipes; verb = write; rule = ‘creative’ in subject.group)
Subject attempts to access object– Rule for (object, verb) evaluated, grants or denies
access
csci5233 computer security & integrity
9
Example of rules Subject annie
– Attributes role (artist), groups (creative)
Verb paint– Default 0 (deny unless explicitly granted)
Object picture A sample rule
paint: ‘artist’ in subject.role and
‘creative’ in subject.groups and
time.hour >= 17 and time.hour < 20
csci5233 computer security & integrity
10
ACM at 3AM and 10AM
… picture …
… a
nnie
…
paint
At 18 PM, time conditionmet; ACM is:
… picture …
… a
nnie
…
At 10AM, time conditionnot met; ACM is:
csci5233 computer security & integrity
11
Access Controlled by History Query-set-overlap-control: to prevent deduction/inference attack Database:
name position age salaryCelia teacher 45 $40,000Heidi aide 20 $20,000Holly principal 37 $60,000Leo teacher 50 $50,000Matt teacher 33 $50,000
Queries:1. C1 = sum(salary, “position = teacher”) = $140,0002. C3 = sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Matt’s salary)
csci5233 computer security & integrity
12
Access Controlled by History Database:
name position age salaryCelia teacher 45 $40,000Heidi aide 20 $20,000Holly principal 37 $60,000Leo teacher 50 $50,000Matt teacher 33 $50,000
O1 = {Celia, Leo, Matt}
O3 = {Celia, Leo}
Check out [Dobkins/Jones, 1979].
csci5233 computer security & integrity
13
State Transitions
Change the protection state of system |- represents transition
Xi |- Xi+1: command moves system from state Xi to Xi+1
Xi |-* Xi+1: a sequence of commands moves system from state Xi to Xi+1
Commands are often called transformation procedures
csci5233 computer security & integrity
14
Primitive Operations create subject s
– Creates new row, column in ACM; create object o
– creates new column in ACM destroy subject s
– Deletes row, column from ACM destroy object o
– deletes column from ACM enter r into A[s,o]
– Adds r rights for subject s over object o delete r from A[s,o]
– Removes r rights from subject s over object o
csci5233 computer security & integrity
15
Create Subject
Precondition: s S Primitive command: create subject s Postconditions:
– S´ = S { s }, O´ = O { s }– (y O´)[a´[s, y] = ], (x S´)[a´[x, s] =
]– (x S)(y O)[a´[x, y] = a[x, y]]
csci5233 computer security & integrity
16
Create Object
Precondition: o O Primitive command: create object o Postconditions:
– S´ = S, O´ = O { o }– (x S´)[a´[x, o] = ]– (x S)(y O)[a´[x, y] = a[x, y]]
csci5233 computer security & integrity
17
Add Right
Precondition: s S, o O Primitive command: enter r into a[s, o] Postconditions:
– S´ = S, O´ = O– a´[s, o] = a[s, o] { r }– (x S´ – { s })(y O´ – { o })
[a´[x, y] = a[x, y]]
csci5233 computer security & integrity
18
Delete Right
Precondition: s S, o O Primitive command: delete r from a[s,
o] Postconditions:
– S´ = S, O´ = O– a´[s, o] = a[s, o] – { r }– (x S´ – { s })(y O´ – { o })
[a´[x, y] = a[x, y]]
csci5233 computer security & integrity
19
Destroy Subject
Precondition: s S Primitive command: destroy subject s Postconditions:
– S´ = S – { s }, O´ = O – { s }– (y O´)[a´[s, y] = ], (x S´)[a´[x, s] =
]– (x S´)(y O´) [a´[x, y] = a[x, y]]
csci5233 computer security & integrity
20
Destroy Object
Precondition: o o Primitive command: destroy object o Postconditions:
– S´ = S, O´ = O – { o }– (x S´)[a´[x, o] = ]– (x S´)(y O´) [a´[x, y] = a[x, y]]
csci5233 computer security & integrity
21
Creating File
Process p creates file f with r and w permissioncommand create•file(p, f)
create object f;enter own into A[p, f];enter r into A[p, f];enter w into A[p, f];
end
csci5233 computer security & integrity
22
Mono-Operational Commands
Single primitive operation in a command Example: Make process p the owner of
file gcommand make•owner(p, g)
enter own into A[p, g];end
csci5233 computer security & integrity
23
Conditional Commands
Let p give q r rights over f, if p owns fcommand grant•read•file•1(p, f, q)
if own in A[p, f]then
enter r into A[q, f];end
Mono-conditional command– Single condition in this command
csci5233 computer security & integrity
24
Multiple Conditions
Let p give q r and w rights over f, if p owns f and p has c rights over qcommand grant•read•file•2(p, f, q)
if own in A[p, f] and c in A[p, q]then
enter r into A[q, f];enter w into A[q, f];
end
csci5233 computer security & integrity
25
Copy Right
Allows possessor to give rights to another
Often attached to a right, so only applies to that right– r is read right that cannot be copied– rc is read right that can be copied
Is copy flag copied when giving r rights?– Depends on model, instantiation of model
csci5233 computer security & integrity
26
Own Right
Usually allows the possessor to change entries in ACM column– So owner of object can add, delete rights
for others– May depend on what system allows
• Can’t give rights to specific (set of) users• Can’t pass copy flag to specific (set of) users
csci5233 computer security & integrity
27
Attenuation of Privilege
The principle says you can’t give rights you do not possess.– Restricts addition of rights within a system– Usually ignored for owner
• Why? Owner gives herself rights, gives them to others, deletes her rights.
csci5233 computer security & integrity
28
Key Points Access control matrix simplest
abstraction mechanism for representing protection state
Transitions alter protection state 6 primitive operations alter matrix
– Transitions can be expressed as commands composed of these operations and, possibly, conditions