Access Control Matrix
-
Upload
garrett-rivas -
Category
Documents
-
view
24 -
download
0
description
Transcript of Access Control Matrix
csci5233 computer security & integrity
1
Access Control Matrix
csci5233 computer security & integrity
2
Outline Overview Access Control Matrix Model
– Boolean Expression Evaluation– History
Protection State Transitions– Commands– Conditional Commands
Special Rights– Principle of Attenuation of Privilege
csci5233 computer security & integrity
3
Overview State
– The collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system.
Protection state of system– a subset of the states that are relevant to
protection
Access control matrix– A tool that can describe protection state– Matrix describing rights of subjects– State transitions change elements of matrix
csci5233 computer security & integrity
4
Overview Access control matrix model
– The most precise model used to describe a protection state
– It characterizes the rights of each subject with respect to every other entity, which can be active or passive.
– The set of objects = the set of all protected entities– The set of subjects = the set of active objects,
such as processes and users.– The ACM captures the relationships between the
subjects and the objects.– When a command changes the state of the
system, a state transition occurs.
csci5233 computer security & integrity
5
Descriptionobjects (entities)
subj
ects
s1
s2
…
sn
o1 … om s1 … sn
Subjects S = { s1,…,sn } Objects O = { o1,…,om } Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry }
means subject si has rights rx, …, ry over object oj
A[sn, om]
csci5233 computer security & integrity
6
Example 1 Processes p, q Files f, g Rights r, w, x (execute), a(ppend),
o(wn)
f g p q
p rwo r rwxo w
q a ro r rwxo
csci5233 computer security & integrity
7
Example 2
Procedures inc_ctr, dec_ctr, manage Variable counter Rights +, –, call
counter inc_ctr dec_ctr manage
inc_ctr +
dec_ctr –
manage call call call
csci5233 computer security & integrity
8
Boolean Expression Evaluation ACM may be used for control of access to
database fields ACM controls access to database fields
– Subjects have attributes (e.g., name, role, groups, programs, etc.)
– Verbs define type of access (e.g., read, write, paint, temp_ctl)
– Rules associated with (objects, verb) pair (e.g., object = recipes; verb = write; rule = ‘creative’ in subject.group)
Subject attempts to access object– Rule for (object, verb) evaluated, grants or denies
access
csci5233 computer security & integrity
9
Example of rules Subject annie
– Attributes role (artist), groups (creative)
Verb paint– Default 0 (deny unless explicitly granted)
Object picture A sample rule
paint: ‘artist’ in subject.role and
‘creative’ in subject.groups and
time.hour >= 17 and time.hour < 20
csci5233 computer security & integrity
10
ACM at 3AM and 10AM
… picture …
… a
nnie
…
paint
At 18 PM, time conditionmet; ACM is:
… picture …
… a
nnie
…
At 10AM, time conditionnot met; ACM is:
csci5233 computer security & integrity
11
Access Controlled by History Query-set-overlap-control: to prevent deduction/inference attack Database:
name position age salaryCelia teacher 45 $40,000Heidi aide 20 $20,000Holly principal 37 $60,000Leo teacher 50 $50,000Matt teacher 33 $50,000
Queries:1. C1 = sum(salary, “position = teacher”) = $140,0002. C3 = sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Matt’s salary)
csci5233 computer security & integrity
12
Access Controlled by History Database:
name position age salaryCelia teacher 45 $40,000Heidi aide 20 $20,000Holly principal 37 $60,000Leo teacher 50 $50,000Matt teacher 33 $50,000
O1 = {Celia, Leo, Matt}
O3 = {Celia, Leo}
Check out [Dobkins/Jones, 1979].
csci5233 computer security & integrity
13
State Transitions
Change the protection state of system |- represents transition
Xi |- Xi+1: command moves system from state Xi to Xi+1
Xi |-* Xi+1: a sequence of commands moves system from state Xi to Xi+1
Commands are often called transformation procedures
csci5233 computer security & integrity
14
Primitive Operations create subject s
– Creates new row, column in ACM; create object o
– creates new column in ACM destroy subject s
– Deletes row, column from ACM destroy object o
– deletes column from ACM enter r into A[s,o]
– Adds r rights for subject s over object o delete r from A[s,o]
– Removes r rights from subject s over object o
csci5233 computer security & integrity
15
Create Subject
Precondition: s S Primitive command: create subject s Postconditions:
– S´ = S { s }, O´ = O { s }– (y O´)[a´[s, y] = ], (x S´)[a´[x, s] =
]– (x S)(y O)[a´[x, y] = a[x, y]]
csci5233 computer security & integrity
16
Create Object
Precondition: o O Primitive command: create object o Postconditions:
– S´ = S, O´ = O { o }– (x S´)[a´[x, o] = ]– (x S)(y O)[a´[x, y] = a[x, y]]
csci5233 computer security & integrity
17
Add Right
Precondition: s S, o O Primitive command: enter r into a[s, o] Postconditions:
– S´ = S, O´ = O– a´[s, o] = a[s, o] { r }– (x S´ – { s })(y O´ – { o })
[a´[x, y] = a[x, y]]
csci5233 computer security & integrity
18
Delete Right
Precondition: s S, o O Primitive command: delete r from a[s,
o] Postconditions:
– S´ = S, O´ = O– a´[s, o] = a[s, o] – { r }– (x S´ – { s })(y O´ – { o })
[a´[x, y] = a[x, y]]
csci5233 computer security & integrity
19
Destroy Subject
Precondition: s S Primitive command: destroy subject s Postconditions:
– S´ = S – { s }, O´ = O – { s }– (y O´)[a´[s, y] = ], (x S´)[a´[x, s] =
]– (x S´)(y O´) [a´[x, y] = a[x, y]]
csci5233 computer security & integrity
20
Destroy Object
Precondition: o o Primitive command: destroy object o Postconditions:
– S´ = S, O´ = O – { o }– (x S´)[a´[x, o] = ]– (x S´)(y O´) [a´[x, y] = a[x, y]]
csci5233 computer security & integrity
21
Creating File
Process p creates file f with r and w permissioncommand create•file(p, f)
create object f;enter own into A[p, f];enter r into A[p, f];enter w into A[p, f];
end
csci5233 computer security & integrity
22
Mono-Operational Commands
Single primitive operation in a command Example: Make process p the owner of
file gcommand make•owner(p, g)
enter own into A[p, g];end
csci5233 computer security & integrity
23
Conditional Commands
Let p give q r rights over f, if p owns fcommand grant•read•file•1(p, f, q)
if own in A[p, f]then
enter r into A[q, f];end
Mono-conditional command– Single condition in this command
csci5233 computer security & integrity
24
Multiple Conditions
Let p give q r and w rights over f, if p owns f and p has c rights over qcommand grant•read•file•2(p, f, q)
if own in A[p, f] and c in A[p, q]then
enter r into A[q, f];enter w into A[q, f];
end
csci5233 computer security & integrity
25
Copy Right
Allows possessor to give rights to another
Often attached to a right, so only applies to that right– r is read right that cannot be copied– rc is read right that can be copied
Is copy flag copied when giving r rights?– Depends on model, instantiation of model
csci5233 computer security & integrity
26
Own Right
Usually allows the possessor to change entries in ACM column– So owner of object can add, delete rights
for others– May depend on what system allows
• Can’t give rights to specific (set of) users• Can’t pass copy flag to specific (set of) users
csci5233 computer security & integrity
27
Attenuation of Privilege
The principle says you can’t give rights you do not possess.– Restricts addition of rights within a system– Usually ignored for owner
• Why? Owner gives herself rights, gives them to others, deletes her rights.
csci5233 computer security & integrity
28
Key Points Access control matrix simplest
abstraction mechanism for representing protection state
Transitions alter protection state 6 primitive operations alter matrix
– Transitions can be expressed as commands composed of these operations and, possibly, conditions