1 / 28

Access Control Matrix

Access Control Matrix. Outline. Overview Access Control Matrix Model Boolean Expression Evaluation History Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege. Overview. State

yitro
Download Presentation

Access Control Matrix

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control Matrix csci5233 computer security & integrity

  2. Outline • Overview • Access Control Matrix Model • Boolean Expression Evaluation • History • Protection State Transitions • Commands • Conditional Commands • Special Rights • Principle of Attenuation of Privilege csci5233 computer security & integrity

  3. Overview • State • The collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system. • Protection state of system • a subset of the states that are relevant to protection • Access control matrix • A tool that can describe protection state • Matrix describing rights of subjects • State transitions change elements of matrix csci5233 computer security & integrity

  4. Overview • Access control matrix model • The most precise model used to describe a protection state • It characterizes the rights of each subject with respect to every other entity, which can be active or passive. • The set of objects = the set of all protected entities • The set of subjects = the set of active objects, such as processes and users. • The ACM captures the relationships between the subjects and the objects. • When a command changes the state of the system, a state transition occurs. csci5233 computer security & integrity

  5. Subjects S = { s1,…,sn } Objects O = { o1,…,om } Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects (entities) o1 … oms1 … sn s1 s2 … sn subjects Description A[sn, om] csci5233 computer security & integrity

  6. Example 1 • Processes p, q • Files f, g • Rights r, w, x (execute), a(ppend), o(wn) f g p q p rwo r rwxo w q a ro r rwxo csci5233 computer security & integrity

  7. Example 2 • Procedures inc_ctr, dec_ctr, manage • Variable counter • Rights +, –, call counterinc_ctr dec_ctr manage inc_ctr + dec_ctr – manage call call call csci5233 computer security & integrity

  8. Boolean Expression Evaluation • ACM may be used for control of access to database fields • ACM controls access to database fields • Subjects have attributes (e.g., name, role, groups, programs, etc.) • Verbs define type of access (e.g., read, write, paint, temp_ctl) • Rules associated with (objects, verb) pair (e.g., object = recipes; verb = write; rule = ‘creative’ in subject.group) • Subject attempts to access object • Rule for (object, verb) evaluated, grants or denies access csci5233 computer security & integrity

  9. Example of rules • Subject annie • Attributes role (artist), groups (creative) • Verb paint • Default 0 (deny unless explicitly granted) • Object picture • A sample rule paint: ‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour >= 17 and time.hour < 20 csci5233 computer security & integrity

  10. ACM at 3AM and 10AM At 18 PM, time condition met; ACM is: At 10AM, time condition not met; ACM is: … picture … … picture … paint … annie … … annie … csci5233 computer security & integrity

  11. Access Controlled by History • Query-set-overlap-control: to prevent deduction/inference attack • Database: name position age salary Celia teacher 45 $40,000 Heidi aide 20 $20,000 Holly principal 37 $60,000 Leo teacher 50 $50,000 Matt teacher 33 $50,000 Queries: • C1 = sum(salary, “position = teacher”) = $140,000 • C3 = sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Matt’s salary) csci5233 computer security & integrity

  12. Access Controlled by History • Database: name position age salary Celia teacher 45 $40,000 Heidi aide 20 $20,000 Holly principal 37 $60,000 Leo teacher 50 $50,000 Matt teacher 33 $50,000 O1 = {Celia, Leo, Matt} O3 = {Celia, Leo} • Check out [Dobkins/Jones, 1979]. csci5233 computer security & integrity

  13. State Transitions • Change the protection state of system • |- represents transition Xi|- tXi+1: command t moves system from state Xi to Xi+1 Xi|-*Xi+1: a sequence of commands moves system from state Xi to Xi+1 • Commands are often called transformation procedures csci5233 computer security & integrity

  14. Primitive Operations • create subjects • Creates new row, column in ACM; • create object o • creates new column in ACM • destroy subjects • Deletes row, column from ACM • destroy object o • deletes column from ACM • enterrintoA[s,o] • Adds r rights for subject s over object o • deleterfromA[s,o] • Removes r rights from subject s over object o csci5233 computer security & integrity

  15. Create Subject • Precondition: sS • Primitive command: create subjects • Postconditions: • S´ = S{ s }, O´ = O{ s } • (yO´)[a´[s, y] = ], (xS´)[a´[x, s] = ] • (xS)(yO)[a´[x, y] = a[x, y]] csci5233 computer security & integrity

  16. Create Object • Precondition: oO • Primitive command: create objecto • Postconditions: • S´ = S, O´ = O { o } • (xS´)[a´[x, o] = ] • (xS)(yO)[a´[x, y] = a[x, y]] csci5233 computer security & integrity

  17. Add Right • Precondition: sS, oO • Primitive command: enter r into a[s, o] • Postconditions: • S´ = S, O´ = O • a´[s, o] = a[s, o]  { r } • (xS´ – { s })(yO´ – { o }) [a´[x, y] = a[x, y]] csci5233 computer security & integrity

  18. Delete Right • Precondition: sS, oO • Primitive command: deleterfroma[s, o] • Postconditions: • S´ = S, O´ = O • a´[s, o] = a[s, o] – { r } • (xS´ – { s })(yO´ – { o }) [a´[x, y] = a[x, y]] csci5233 computer security & integrity

  19. Destroy Subject • Precondition: sS • Primitive command: destroysubjects • Postconditions: • S´ = S – { s }, O´ = O – { s } • (yO´)[a´[s, y] = ], (xS´)[a´[x, s] = ] • (xS´)(yO´) [a´[x, y] = a[x, y]] csci5233 computer security & integrity

  20. Destroy Object • Precondition: oo • Primitive command: destroyobjecto • Postconditions: • S´ = S, O´ = O – { o } • (xS´)[a´[x, o] = ] • (xS´)(yO´) [a´[x, y] = a[x, y]] csci5233 computer security & integrity

  21. Creating File • Process p creates file f with r and w permission command create•file(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end csci5233 computer security & integrity

  22. Mono-Operational Commands • Single primitive operation in a command • Example: Make process p the owner of file g command make•owner(p, g) enter own into A[p, g]; end csci5233 computer security & integrity

  23. Conditional Commands • Let p give qr rights over f, if p owns f command grant•read•file•1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end • Mono-conditional command • Single condition in this command csci5233 computer security & integrity

  24. Multiple Conditions • Let p give qr and w rights over f, if p owns f and p has c rights over q command grant•read•file•2(p, f, q) if own in A[p, f] and c in A[p, q] then enter r into A[q, f]; enter w into A[q, f]; end csci5233 computer security & integrity

  25. Copy Right • Allows possessor to give rights to another • Often attached to a right, so only applies to that right • r is read right that cannot be copied • rc is read right that can be copied • Is copy flag copied when giving r rights? • Depends on model, instantiation of model csci5233 computer security & integrity

  26. Own Right • Usually allows the possessor to change entries in ACM column • So owner of object can add, delete rights for others • May depend on what system allows • Can’t give rights to specific (set of) users • Can’t pass copy flag to specific (set of) users csci5233 computer security & integrity

  27. Attenuation of Privilege • The principle says you can’t give rights you do not possess. • Restricts addition of rights within a system • Usually ignored for owner • Why? Owner gives herself rights, gives them to others, deletes her rights. csci5233 computer security & integrity

  28. Key Points • Access control matrix simplest abstraction mechanism for representing protection state • Transitions alter protection state • 6 primitive operations alter matrix • Transitions can be expressed as commands composed of these operations and, possibly, conditions csci5233 computer security & integrity

More Related