Upload
phanleson
View
271
Download
4
Tags:
Embed Size (px)
Citation preview
csci5233 computer security & integrity 1
Access Control Matrix
csci5233 computer security & integrity 2
Outline Overview Access Control Matrix Model
– Boolean Expression Evaluation– History
Protection State Transitions– Commands– Conditional Commands
Special Rights– Principle of Attenuation of Privilege
csci5233 computer security & integrity 3
Overview State
– The collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system.
Protection state of system– a subset of the states that are relevant to
protection
Access control matrix– A tool that can describe protection state– Matrix describing rights of subjects
– State transitions change elements of matrix
csci5233 computer security & integrity 4
Overview Access control matrix model
– The most precise model used to describe a protection state
– It characterizes the rights of each subject with respect to every other entity, which can be active or passive.
– The set of objects = the set of all protected entities– The set of subjects = the set of active objects,
such as processes and users.– The ACM captures the relationships between the
subjects and the objects.– When a command changes the state of the
system, a state transition occurs.
csci5233 computer security & integrity 5
Descriptionobjects (entities)
subj
ects
s1
s2
…
sn
o1 … om s1 … sn
Subjects S = { s1,…,sn }
Objects O = { o1,…,om }
Rights R = { r1,…,rk }
Entries A[si, oj] ⊆ R A[si, oj] = { rx, …, ry }
means subject si has rights rx, …, ry over object oj
A[sn, om]
csci5233 computer security & integrity 6
Example 1 Processes p, q Files f, g Rights r, w, x (execute), a(ppend),
o(wn)
f g p q
p rwo r rwxo w
q a ro r rwxo
csci5233 computer security & integrity 7
Example 2
Procedures inc_ctr, dec_ctr, manage Variable counter Rights +, –, call
counter inc_ctr dec_ctr manage
inc_ctr +
dec_ctr –
manage call call call
csci5233 computer security & integrity 8
Boolean Expression Evaluation ACM may be used for control of access to
database fields ACM controls access to database fields
– Subjects have attributes (e.g., name, role, groups, programs, etc.)
– Verbs define type of access (e.g., read, write, paint, temp_ctl)
– Rules associated with (objects, verb) pair (e.g., object = recipes; verb = write; rule = ‘creative’ in subject.group)
Subject attempts to access object– Rule for (object, verb) evaluated, grants or denies
access
csci5233 computer security & integrity 9
Example of rules Subject annie
– Attributes role (artist), groups (creative)
Verb paint– Default 0 (deny unless explicitly granted)
Object picture A sample rule
paint: ‘artist’ in subject.role and
‘creative’ in subject.groups and
time.hour >= 17 and time.hour < 20
csci5233 computer security & integrity 10
ACM at 3AM and 10AM
… picture …
… a
nnie
…
paint
At 18 PM, time conditionmet; ACM is:
… picture …
… a
nnie
…
At 10AM, time conditionnot met; ACM is:
csci5233 computer security & integrity 11
Access Controlled by History Query-set-overlap-control: to prevent deduction/inference attack Database:
name position age salaryCelia teacher 45 $40,000Heidi aide 20 $20,000Holly principal 37 $60,000Leo teacher 50 $50,000Matt teacher 33 $50,000
Queries:10. C1 = sum(salary, “position = teacher”) = $140,00011. C3 = sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Matt’s salary)
csci5233 computer security & integrity 12
Access Controlled by History Database:
name position age salaryCelia teacher 45 $40,000Heidi aide 20 $20,000Holly principal 37 $60,000Leo teacher 50 $50,000Matt teacher 33 $50,000
O1 = {Celia, Leo, Matt}
O3 = {Celia, Leo}
Check out [Dobkins/Jones, 1979].
csci5233 computer security & integrity 13
State Transitions
Change the protection state of system |- represents transition
Xi |- τ Xi+1: command τ moves system from state Xi to Xi+1
Xi |-* Xi+1: a sequence of commands moves system from state Xi to Xi+1
Commands are often called transformation procedures
csci5233 computer security & integrity 14
Primitive Operations create subject s
– Creates new row, column in ACM;
create object o– creates new column in ACM
destroy subject s– Deletes row, column from ACM
destroy object o– deletes column from ACM
enter r into A[s,o]– Adds r rights for subject s over object o
delete r from A[s,o]– Removes r rights from subject s over object o
csci5233 computer security & integrity 15
Create Subject
Precondition: s ∉ S Primitive command: create subject s Postconditions:
– S´ = S ∪{ s }, O´ = O ∪{ s }– (∀y ∈ O´)[a´[s, y] = ∅], (∀x ∈ S´)[a´[x, s] =
∅]– (∀x ∈ S)(∀y ∈ O)[a´[x, y] = a[x, y]]
csci5233 computer security & integrity 16
Create Object
Precondition: o ∉ O Primitive command: create object o Postconditions:
– S´ = S, O´ = O ∪ { o }– (∀x ∈ S´)[a´[x, o] = ∅]– (∀x ∈ S)(∀y ∈ O)[a´[x, y] = a[x, y]]
csci5233 computer security & integrity 17
Add Right
Precondition: s ∈ S, o ∈ O Primitive command: enter r into a[s, o] Postconditions:
– S´ = S, O´ = O– a´[s, o] = a[s, o] ∪ { r }– (∀x ∈ S´ – { s })(∀y ∈ O´ – { o })
[a´[x, y] = a[x, y]]
csci5233 computer security & integrity 18
Delete Right
Precondition: s ∈ S, o ∈ O Primitive command: delete r from a[s,
o] Postconditions:
– S´ = S, O´ = O– a´[s, o] = a[s, o] – { r }– (∀x ∈ S´ – { s })(∀y ∈ O´ – { o })
[a´[x, y] = a[x, y]]
csci5233 computer security & integrity 19
Destroy Subject
Precondition: s ∈ S Primitive command: destroy subject s Postconditions:
– S´ = S – { s }, O´ = O – { s }– (∀y ∈ O´)[a´[s, y] = ∅], (∀x ∈ S´)[a´[x, s] =
∅]– (∀x ∈ S´)(∀y ∈ O´) [a´[x, y] = a[x, y]]
csci5233 computer security & integrity 20
Destroy Object
Precondition: o ∈ o Primitive command: destroy object o Postconditions:
– S´ = S, O´ = O – { o }– (∀x ∈ S´)[a´[x, o] = ∅]– (∀x ∈ S´)(∀y ∈ O´) [a´[x, y] = a[x, y]]
csci5233 computer security & integrity 21
Creating File
Process p creates file f with r and w permissioncommand create•file(p, f)
create object f;enter own into A[p, f];enter r into A[p, f];enter w into A[p, f];
end
csci5233 computer security & integrity 22
Mono-Operational Commands
Single primitive operation in a command Example: Make process p the owner of
file gcommand make•owner(p, g)enter own into A[p, g];
end
csci5233 computer security & integrity 23
Conditional Commands
Let p give q r rights over f, if p owns fcommand grant•read•file•1(p, f, q)
if own in A[p, f]then
enter r into A[q, f];end
Mono-conditional command– Single condition in this command
csci5233 computer security & integrity 24
Multiple Conditions
Let p give q r and w rights over f, if p owns f and p has c rights over qcommand grant•read•file•2(p, f, q)
if own in A[p, f] and c in A[p, q]then
enter r into A[q, f];enter w into A[q, f];
end
csci5233 computer security & integrity 25
Copy Right
Allows possessor to give rights to another
Often attached to a right, so only applies to that right– r is read right that cannot be copied– rc is read right that can be copied
Is copy flag copied when giving r rights?– Depends on model, instantiation of model
csci5233 computer security & integrity 26
Own Right
Usually allows the possessor to change entries in ACM column– So owner of object can add, delete rights
for others
– May depend on what system allows• Can’t give rights to specific (set of) users• Can’t pass copy flag to specific (set of) users
csci5233 computer security & integrity 27
Attenuation of Privilege
The principle says you can’t give rights you do not possess.– Restricts addition of rights within a system
– Usually ignored for owner• Why? Owner gives herself rights, gives them to
others, deletes her rights.
csci5233 computer security & integrity 28
Key Points Access control matrix simplest
abstraction mechanism for representing protection state
Transitions alter protection state 6 primitive operations alter matrix
– Transitions can be expressed as commands composed of these operations and, possibly, conditions