280 likes | 458 Views
Access Control Matrix. Outline. Overview Access Control Matrix Model Boolean Expression Evaluation History Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege. Overview. State
E N D
Access Control Matrix csci5233 computer security & integrity
Outline • Overview • Access Control Matrix Model • Boolean Expression Evaluation • History • Protection State Transitions • Commands • Conditional Commands • Special Rights • Principle of Attenuation of Privilege csci5233 computer security & integrity
Overview • State • The collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system. • Protection state of system • a subset of the states that are relevant to protection • Access control matrix • A tool that can describe protection state • Matrix describing rights of subjects • State transitions change elements of matrix csci5233 computer security & integrity
Overview • Access control matrix model • The most precise model used to describe a protection state • It characterizes the rights of each subject with respect to every other entity, which can be active or passive. • The set of objects = the set of all protected entities • The set of subjects = the set of active objects, such as processes and users. • The ACM captures the relationships between the subjects and the objects. • When a command changes the state of the system, a state transition occurs. csci5233 computer security & integrity
Subjects S = { s1,…,sn } Objects O = { o1,…,om } Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects (entities) o1 … oms1 … sn s1 s2 … sn subjects Description A[sn, om] csci5233 computer security & integrity
Example 1 • Processes p, q • Files f, g • Rights r, w, x (execute), a(ppend), o(wn) f g p q p rwo r rwxo w q a ro r rwxo csci5233 computer security & integrity
Example 2 • Procedures inc_ctr, dec_ctr, manage • Variable counter • Rights +, –, call counterinc_ctr dec_ctr manage inc_ctr + dec_ctr – manage call call call csci5233 computer security & integrity
Boolean Expression Evaluation • ACM may be used for control of access to database fields • ACM controls access to database fields • Subjects have attributes (e.g., name, role, groups, programs, etc.) • Verbs define type of access (e.g., read, write, paint, temp_ctl) • Rules associated with (objects, verb) pair (e.g., object = recipes; verb = write; rule = ‘creative’ in subject.group) • Subject attempts to access object • Rule for (object, verb) evaluated, grants or denies access csci5233 computer security & integrity
Example of rules • Subject annie • Attributes role (artist), groups (creative) • Verb paint • Default 0 (deny unless explicitly granted) • Object picture • A sample rule paint: ‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour >= 17 and time.hour < 20 csci5233 computer security & integrity
ACM at 3AM and 10AM At 18 PM, time condition met; ACM is: At 10AM, time condition not met; ACM is: … picture … … picture … paint … annie … … annie … csci5233 computer security & integrity
Access Controlled by History • Query-set-overlap-control: to prevent deduction/inference attack • Database: name position age salary Celia teacher 45 $40,000 Heidi aide 20 $20,000 Holly principal 37 $60,000 Leo teacher 50 $50,000 Matt teacher 33 $50,000 Queries: • C1 = sum(salary, “position = teacher”) = $140,000 • C3 = sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Matt’s salary) csci5233 computer security & integrity
Access Controlled by History • Database: name position age salary Celia teacher 45 $40,000 Heidi aide 20 $20,000 Holly principal 37 $60,000 Leo teacher 50 $50,000 Matt teacher 33 $50,000 O1 = {Celia, Leo, Matt} O3 = {Celia, Leo} • Check out [Dobkins/Jones, 1979]. csci5233 computer security & integrity
State Transitions • Change the protection state of system • |- represents transition Xi|- tXi+1: command t moves system from state Xi to Xi+1 Xi|-*Xi+1: a sequence of commands moves system from state Xi to Xi+1 • Commands are often called transformation procedures csci5233 computer security & integrity
Primitive Operations • create subjects • Creates new row, column in ACM; • create object o • creates new column in ACM • destroy subjects • Deletes row, column from ACM • destroy object o • deletes column from ACM • enterrintoA[s,o] • Adds r rights for subject s over object o • deleterfromA[s,o] • Removes r rights from subject s over object o csci5233 computer security & integrity
Create Subject • Precondition: sS • Primitive command: create subjects • Postconditions: • S´ = S{ s }, O´ = O{ s } • (yO´)[a´[s, y] = ], (xS´)[a´[x, s] = ] • (xS)(yO)[a´[x, y] = a[x, y]] csci5233 computer security & integrity
Create Object • Precondition: oO • Primitive command: create objecto • Postconditions: • S´ = S, O´ = O { o } • (xS´)[a´[x, o] = ] • (xS)(yO)[a´[x, y] = a[x, y]] csci5233 computer security & integrity
Add Right • Precondition: sS, oO • Primitive command: enter r into a[s, o] • Postconditions: • S´ = S, O´ = O • a´[s, o] = a[s, o] { r } • (xS´ – { s })(yO´ – { o }) [a´[x, y] = a[x, y]] csci5233 computer security & integrity
Delete Right • Precondition: sS, oO • Primitive command: deleterfroma[s, o] • Postconditions: • S´ = S, O´ = O • a´[s, o] = a[s, o] – { r } • (xS´ – { s })(yO´ – { o }) [a´[x, y] = a[x, y]] csci5233 computer security & integrity
Destroy Subject • Precondition: sS • Primitive command: destroysubjects • Postconditions: • S´ = S – { s }, O´ = O – { s } • (yO´)[a´[s, y] = ], (xS´)[a´[x, s] = ] • (xS´)(yO´) [a´[x, y] = a[x, y]] csci5233 computer security & integrity
Destroy Object • Precondition: oo • Primitive command: destroyobjecto • Postconditions: • S´ = S, O´ = O – { o } • (xS´)[a´[x, o] = ] • (xS´)(yO´) [a´[x, y] = a[x, y]] csci5233 computer security & integrity
Creating File • Process p creates file f with r and w permission command create•file(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end csci5233 computer security & integrity
Mono-Operational Commands • Single primitive operation in a command • Example: Make process p the owner of file g command make•owner(p, g) enter own into A[p, g]; end csci5233 computer security & integrity
Conditional Commands • Let p give qr rights over f, if p owns f command grant•read•file•1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end • Mono-conditional command • Single condition in this command csci5233 computer security & integrity
Multiple Conditions • Let p give qr and w rights over f, if p owns f and p has c rights over q command grant•read•file•2(p, f, q) if own in A[p, f] and c in A[p, q] then enter r into A[q, f]; enter w into A[q, f]; end csci5233 computer security & integrity
Copy Right • Allows possessor to give rights to another • Often attached to a right, so only applies to that right • r is read right that cannot be copied • rc is read right that can be copied • Is copy flag copied when giving r rights? • Depends on model, instantiation of model csci5233 computer security & integrity
Own Right • Usually allows the possessor to change entries in ACM column • So owner of object can add, delete rights for others • May depend on what system allows • Can’t give rights to specific (set of) users • Can’t pass copy flag to specific (set of) users csci5233 computer security & integrity
Attenuation of Privilege • The principle says you can’t give rights you do not possess. • Restricts addition of rights within a system • Usually ignored for owner • Why? Owner gives herself rights, gives them to others, deletes her rights. csci5233 computer security & integrity
Key Points • Access control matrix simplest abstraction mechanism for representing protection state • Transitions alter protection state • 6 primitive operations alter matrix • Transitions can be expressed as commands composed of these operations and, possibly, conditions csci5233 computer security & integrity