Access Control Matrix
Ch 2: Access Control Matrix
Week 2
Protection State
• The state of a system:
– The collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system.
• The subset of this collection that deals with protection is the protection state of the system.
Protection State
• Consider the set of possible protection states P. Some subset Q of P consists of exactly those states in which the system is authorized to reside.
– So, whenever the system state is in Q, the system is secure.
– When the current state is in P – Q, the system is not secure.
• We want to ensure that the system state is always an element of Q.
Security Policy, Security Mechanism, Precision
• Characterizing the states in Q is the function of a security policy.
• Preventing the system from entering a state in P – Q is the function of a security mechanism.
Types of Security Mechanisms
• Let P be the set of all possible states and Q be the set of secure states (as specified by the security policy). Let the security mechanisms restrict the system to some set of states R (thus, R ⊆ P).
– A security mechanism is secure if R ⊆ Q; it is precise if R = Q; and it is broad if there are states r such that r ∈ R and r ∉ Q.
– A broad mechanism lets the system reach states the policy forbids; a secure but imprecise one also forbids some states the policy would allow, which shows up as legitimate operations being denied.
[Figure: R, the set of reachable states, drawn against Q, the set of secure states, for a secure, a precise and a broad mechanism]
Access Control
• An access control system regulates the operations that can be executed on data and resources to be protected
• Its goal is to control operations executed by subjects in order to prevent actions that could damage data and resources
• Access control is typically provided as part of the operating system and of the database management system (DBMS)
Access Control Model
• By B. Lampson, "Protection", ACM Operating Systems Review, 8(1), 1974.
– The very nature of access control suggests that there is an active subject requiring access to a passive object to perform some specific access operation.
– A reference monitor grants or denies access
– The model only holds if every access request passes through the reference monitor: a path around it is a path around the policy.
[Figure: the subject sends an access request to the reference monitor, which grants or denies it access to the object]
Access Control Mechanism
• Typically a software system implements the access control function
• Usually part of other systems
• The access control mechanism uses some access control policies to decide whether to grant or deny a subject access to a requested resource
• We will refer to an access control system as a system comprising an access control mechanism and all information required to take access control decisions (for example, access permissions)
Object
• Objects are the set of all protected entities.
• Anything that holds data: such as relations, directories, interprocess messages, network packets, I/O devices, or physical media
• Note that not all resources managed by a system need to be protected
Subject
• Subjects are the set of active objects
• A subject is an abstraction of any active entity that performs computation in the system
• Subjects can be classified into:
– users -- single individuals connecting to the system
– groups -- sets of users
– roles -- named collections of privileges / functional entities within the organization
– processes -- executing programs on behalf of users
• Relations may exist among various types of subjects
Access Operations (Modes)
• Operations that a subject can exercise on the protected objects in the system
• Each type of operation corresponds to an access mode
• Several different types:
– Read: look at the contents of an object
– Write: change the contents of an object
– Execute, select, insert, update, delete, etc.
• The same mode can correspond to different operations when applied to different objects
Access Modes – Unix OS Example
– Access modes defined for files
• read: reading from a file
• write: writing to a file
• execute: executing a (program) file
– Access modes defined for directories
• read: list a directory's contents
• write: create, rename or delete a file in a directory
• execute: search a directory, i.e. traverse it to reach its entries (including subdirectories)
• note: execute without read lets a process open a file whose name it already knows, but not list the directory to discover names
– Access modes defined for processes
• read: receive signals
• write: send signals
• execute: execute a process as a subprocess
Access Permissions
• Access permissions, also called authorizations, are expressed in terms of subjects, objects, and access modes
• From a conceptual point of view an access permission is a tuple <s, o, a> where
– s is a subject
– o is an object
– a is an access mode
It states that subject s has the permission to execute operation a on object o. We also say that s has access right a on object o
• Example: the access permission <Bob, F1, Read> states that Bob has the permission to read file F1
Access Permission
• Subjects, objects, and access modes can be organized into hierarchies
• The semantics of the hierarchy depends on the domain
• The use of hierarchies has two important advantages:
– It reduces the number of permissions that need to be entered into the access control system, thus reducing administration costs
– Combined with negative authorizations, it supports the specification of exceptions
Object Hierarchy
[Figure: a component object is PART-OF an object; e.g. a file is part of a directory]
Role Hierarchy
[Figure: a senior role sits above a junior role; e.g. technical manager above programmer]
Group Hierarchy
• Suppose that the group CS department has 200 members and the University group 5000 members; suppose we have the policy that the department calendar can be read by all members of the University and written only by the members of CS; these policies can be encoded into two access permissions of the form: <University, calendar, Read> and <CS Dept, calendar, Write>
[Figure: a GROUP MEMBERSHIP edge from group member to group; e.g. CS Dept is a member of University]
Access Mode Hierarchy
[Figure: a SUBSUMPTION edge from a mode to the mode it implies; e.g. write implies read]
Groups and Negative Permissions
• Groups can be seen as an intermediate level between users and objects
• An example of an ideal world where all access permissions are mediated by groups
[Figure: users s1 … s5 are members of groups g1 and g2, and only the groups hold permissions on objects o1 … o6]
Groups and Negative Permissions
• Often access control policies have special cases where it proves convenient to give some user a permission for an object directly, or to deny a user a permission that it would normally derive from its membership in some group
• A negative permission specifies an operation that a subject is not allowed to perform
• Representing negative permissions requires extending our simple tuple model with an additional component sign:
<s, o, a, sign> where sign ∈ {+, -}
• Once both signs can apply to the same request (a user's direct permission against its group's, or two groups disagreeing), the policy also needs a conflict-resolution rule, e.g. denials take precedence, or the more specific subject wins
Groups and Negative Permissions
• An example in which not all access permissions are mediated through groups
[Figure: users s1 … s3, group g1, objects o1 … o5; some users hold permissions on objects directly, beside those they derive from g1]
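The following is an added example, not part of the slides: it decides a request against <s, o, a, sign> permissions inherited through a group hierarchy, with negative permissions as exceptions, and also applies the access mode hierarchy (write implies read). The users, the Physics Dept group, the exception tuples and the resolution rule are assumptions; the slides give the calendar policy but do not fix a conflict-resolution rule. The rule used here: permissions held by a closer subject (the user itself, then its groups, then their groups) win over more distant ones, and at the same distance a "-" beats a "+".

```python
"""Added example (not from the slides): group hierarchy + negative permissions.

Assumed resolution rule: the nearest level of the group hierarchy that holds
any applicable permission decides; at that level "-" beats "+"; nothing
applicable anywhere means deny (closed policy)."""
from collections import deque

# GROUP MEMBERSHIP edges, member -> groups it belongs to (constructed).
MEMBER_OF = {
    "alice": ["CS Dept"],
    "bob": ["CS Dept"],
    "carol": ["Physics Dept"],
    "dave": [],                      # not a University member at all
    "CS Dept": ["University"],
    "Physics Dept": ["University"],
    "University": [],
}

# SUBSUMPTION edges, mode -> modes it implies (write implies read, as on the slide).
SUBSUMES = {"write": {"read"}}

# <s, o, a, sign> tuples.  The first two are the calendar policy from the slides;
# the remaining three are constructed exceptions.
PERMISSIONS = [
    ("University", "calendar", "read", "+"),
    ("CS Dept", "calendar", "write", "+"),
    ("bob", "calendar", "write", "-"),      # bob may not write, despite CS Dept
    ("carol", "calendar", "write", "+"),    # carol may write, though not in CS
    ("dave", "calendar", "write", "+"),     # direct grant to an outsider
]


def levels_of(subject, member_of=MEMBER_OF):
    """Breadth-first walk up the group hierarchy: {distance: {subjects}}."""
    dist = {subject: 0}
    queue = deque([subject])
    while queue:
        s = queue.popleft()
        for g in member_of.get(s, []):
            if g not in dist:
                dist[g] = dist[s] + 1
                queue.append(g)
    levels = {}
    for s, d in dist.items():
        levels.setdefault(d, set()).add(s)
    return levels


def decide(subject, obj, mode, permissions=PERMISSIONS, member_of=MEMBER_OF):
    """True if subject may perform mode on obj under the assumed rule."""
    levels = levels_of(subject, member_of)
    for d in sorted(levels):
        signs = set()
        for s, o, a, sign in permissions:
            if s not in levels[d] or o != obj:
                continue
            if a == mode:
                signs.add(sign)
            elif sign == "+" and mode in SUBSUMES.get(a, ()):
                signs.add("+")   # a stronger mode was granted, so this one is implied
        if signs:
            return "-" not in signs
    return False
```

Negative permissions are deliberately not propagated through subsumption: denying bob write does not deny him the read every University member has, which is usually what an exception like that is meant to do.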
Ownership and Administration
• A key question when dealing with access control is who specifies which subjects can access which objects for which operations
• In the case of permissions, this means specifying which are the subjects that can enter permissions
Ownership and Administration
• Discretionary approach
– the owner of a resource decrees who is allowed to have access
– But then: who is the owner of a resource?
• Mandatory approach
– a system-wide policy decrees who is allowed to have access
Basic Operations in Access Control
• Grant permissions
– Inserting values in the access control mechanism's entries
• Revoke permissions
– Remove values from the access control mechanism's entries
• Check permissions
– Verifying whether the entry related to a subject s and an object o contains a given access mode
Access Control Matrix (ACM)
• Recall that the protection state of a system
– Describes current settings, values of system relevant to protection
– An access control matrix is one tool that can describe the current protection state.
• Access control matrix
– Describes protection state precisely
– Matrix describing rights of subjects
– State transitions change elements of matrix
Access Control Matrix (ACM)
• Subjects S = { s1, …, sn }
• Objects O = { o1, …, om }
• Rights R = { r1, …, rk }
• Entries A[si, oj] ⊆ R
• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
[Figure: matrix with one row per subject s1 … sn and one column per object o1 … om, followed by one column per subject s1 … sn, since subjects are also objects]
Example 1 – Protection State of a System
• Processes p, q
• Files f, g
• Rights r: read, w: write, x: execute, a: append, o: own

            f       g       p       q
    p       rwo     r       rwxo    w
    q       a       ro      r       rwxo

Process p can read, write and own file f and can read file g; process q can append to file f and can read and own file g. Process p can communicate with process q by writing to it, and process q can read from process p. The processes themselves are treated as both subjects (rows) and objects (columns).
Example 2
• Procedures inc_ctr, dec_ctr, manage
• Variable counter
• Rights +, –, call

              counter   inc_ctr   dec_ctr   manage
    inc_ctr   +
    dec_ctr   –
    manage              call      call      call

At the micro level, access control matrices can model programming language accesses: objects are the variables and subjects are the procedures.
Protection State Transitions
• Change the protection state of system
• |– represents a transition
– Xi |– Xi+1: a command moves the system from state Xi to Xi+1
– Xi |–* Y: a sequence of commands moves the system from state Xi to Y
• Commands often called transformation procedures
6 Primitive Operations
• create subject s; create object o
– create subject s creates a new row and a new column in the ACM (a subject is also an object); create object o creates a new column only
• destroy subject s; destroy object o
– destroy subject s deletes a row and a column from the ACM; destroy object o deletes a column only
• enter r into A[s, o]
– Adds right r for subject s over object o
• delete r from A[s, o]
– Removes right r from subject s over object o
Creating File
• In the UNIX system, if process p created a file f with owner read (r) and write (w) permission, the command capturing the resulting changes in the access control matrix would be:
    command create•file(p, f)
        create object f;
        enter own into A[p, f];
        enter r into A[p, f];
        enter w into A[p, f];
    end
Mono-Operational Commands
• Make process p the owner of file g
    command make•owner(p, g)
        enter own into A[p, g];
    end
• Mono-operational command
– Single primitive operation in this command
Conditional Commands
• Let process p give process q the r (read) right over file f, if p owns f:
    command grant•read•file•1(p, f, q)
        if own in A[p, f]
        then
            enter r into A[q, f];
    end
• Mono-conditional command
– Single condition in this command
Multiple Conditions
• Let p give q the r and w rights over f, if p owns f and p has a distinguished c right over q:
    command grant•read•file•2(p, f, q)
        if own in A[p, f] and c in A[p, q]
        then
            enter r into A[q, f];
            enter w into A[q, f];
    end
• Bi-conditional command
– Two conditions in this command connected with an AND
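The following is an added example, not part of the slides: a sparse access control matrix with the six primitive operations, and the chapter's four commands (create•file, make•owner, grant•read•file•1, grant•read•file•2) written as sequences of those primitives, guarded by their conditions. Names follow the slides; the "c" right is, as on the slide, only a distinguished right that p must hold over q, and the demo() sequence is constructed.

```python
"""Added example (not from the slides): an ACM with the six primitive
operations and the chapter's commands as guarded sequences of primitives."""


class ACM:
    """Sparse access control matrix: only non-empty cells are stored."""

    def __init__(self):
        self.subjects = []   # rows
        self.objects = []    # columns; every subject is also an object
        self.A = {}          # (subject, object) -> set of rights

    # --- the six primitive operations ----------------------------------
    def create_subject(self, s):
        if s in self.subjects or s in self.objects:
            raise ValueError(f"{s!r} already exists")
        self.subjects.append(s)
        self.objects.append(s)          # new row and new column

    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"{o!r} already exists")
        self.objects.append(o)          # new column only

    def destroy_subject(self, s):
        self.subjects.remove(s)
        self.objects.remove(s)
        self.A = {k: v for k, v in self.A.items() if s not in k}

    def destroy_object(self, o):
        if o in self.subjects:
            raise ValueError("use destroy_subject for a subject")
        self.objects.remove(o)
        self.A = {k: v for k, v in self.A.items() if k[1] != o}

    def enter(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"no cell A[{s!r}, {o!r}]")
        self.A.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self.A.get((s, o), set()).discard(r)

    def rights(self, s, o):
        """Contents of A[s, o]; an absent cell is the empty set."""
        return frozenset(self.A.get((s, o), ()))

    # --- commands: primitives in sequence, optionally guarded -----------
    def create_file(self, p, f):
        """create•file(p, f): f appears with p as owner, reader and writer."""
        self.create_object(f)
        for r in ("own", "r", "w"):
            self.enter(r, p, f)

    def make_owner(self, p, g):
        """make•owner(p, g): mono-operational."""
        self.enter("own", p, g)

    def grant_read_file_1(self, p, f, q):
        """grant•read•file•1: mono-conditional; returns whether the guard held."""
        if "own" in self.rights(p, f):
            self.enter("r", q, f)
            return True
        return False

    def grant_read_file_2(self, p, f, q):
        """grant•read•file•2: bi-conditional (own over f AND c over q)."""
        if "own" in self.rights(p, f) and "c" in self.rights(p, q):
            self.enter("r", q, f)
            self.enter("w", q, f)
            return True
        return False


def demo():
    """Constructed sequence of transitions X0 |- X1 |- ...; returns the final state."""
    m = ACM()
    m.create_subject("p")
    m.create_subject("q")
    m.create_file("p", "f")                          # p: own, r, w over f
    assert not m.grant_read_file_1("q", "f", "p")    # q does not own f: no change
    assert not m.grant_read_file_2("p", "f", "q")    # p owns f but lacks c over q
    m.enter("c", "p", "q")
    assert m.grant_read_file_2("p", "f", "q")        # both conditions now hold
    return m
```

A command whose guard fails leaves the matrix untouched, which is what makes the guard the security check: the transition from Xi to Xi+1 only happens when the condition on the current state holds.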
Key Points
• Access control matrix is the simplest abstraction mechanism for representing protection state
• Transitions alter protection state
• 6 primitive operations alter matrix
– Transitions can be expressed as commands composed of these operations and, possibly, conditions
Discussion
• Directly implementing access control matrices is quite inefficient, because in most cases these matrices are sparse
• Therefore two main implementations have been developed
– Access Control Lists (ACL)
• Store the columns of the access control matrix with the objects.
• Used in DBMS and Operating Systems
– Capabilities
• Store the rows of the access control matrix with the subjects.
• Used in Operating Systems (such as Linux capabilities at /usr/src/linux/include/linux/capability.h)
• Caveat: Linux "capabilities" split the privileges of root into per-process flags (CAP_CHOWN, CAP_NET_ADMIN, …) that are not tied to individual objects, so they are not capabilities in the C-list sense used here.
Access Control Lists (ACLs)
• Given the ACM below:

            file 1      file 2
    John    R, W, X     R
    Jane    O           X

• The set of objects is file 1 and file 2. The corresponding ACL for each object will be:
– acl(file 1) = { (John, { read, write, execute }), (Jane, { own }) }
– acl(file 2) = { (John, { read }), (Jane, { execute }) }
Capabilities
• Conceptually, a capability is the row of an access control matrix. Each subject has associated with it a set of pairs, with each pair containing an object and a set of rights. The subject associated with this list can access the named object in any of the ways indicated by the named rights.
• Each subject has an associated Capability-List (C-list).
Capabilities - Example
• Given the ACM of Example 1, with p, q, f, g written as process 1, process 2, file 1, file 2:

                 file 1    file 2    process 1    process 2
    process 1    rwo       r         rwxo         w
    process 2    a         ro        r            rwxo

• The set of subjects is process 1 and process 2. The corresponding capability lists for each subject are:
– cap(process 1) = { (file 1, { read, write, own }), (file 2, { read }), (process 1, { read, write, execute, own }), (process 2, { write }) }
– cap(process 2) = { (file 1, { append }), (file 2, { read, own }), (process 1, { read }), (process 2, { read, write, execute, own }) }
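The following is an added example, not part of the slides: the protection state of Example 1 (with the names of the capabilities slide) stored once by column as ACLs and once by row as capability lists, with the query each representation makes cheap and the one it makes expensive. The matrix literal is constructed here from the slide's own entries; the function names are assumptions.

```python
"""Added example (not from the slides): ACLs (column view) versus C-lists
(row view) of one sparse access control matrix."""

# (subject, object) -> rights.  Cells not listed are empty: the matrix is sparse.
MATRIX = {
    ("process 1", "file 1"): {"read", "write", "own"},
    ("process 1", "file 2"): {"read"},
    ("process 1", "process 1"): {"read", "write", "execute", "own"},
    ("process 1", "process 2"): {"write"},
    ("process 2", "file 1"): {"append"},
    ("process 2", "file 2"): {"read", "own"},
    ("process 2", "process 1"): {"read"},
    ("process 2", "process 2"): {"read", "write", "execute", "own"},
}


def to_acls(matrix):
    """Column view: object -> {subject: rights}; stored with each object."""
    acls = {}
    for (s, o), rights in matrix.items():
        if rights:
            acls.setdefault(o, {})[s] = set(rights)
    return acls


def to_clists(matrix):
    """Row view: subject -> {object: rights}; stored with each subject."""
    clists = {}
    for (s, o), rights in matrix.items():
        if rights:
            clists.setdefault(s, {})[o] = set(rights)
    return clists


def check_acl(acls, subject, obj, right):
    """Check permission against the object's ACL."""
    return right in acls.get(obj, {}).get(subject, set())


def check_clist(clists, subject, obj, right):
    """Check permission against the subject's C-list."""
    return right in clists.get(subject, {}).get(obj, set())


def who_can(acls, obj, right):
    """'Who may do <right> on obj?' is one list lookup with ACLs."""
    return sorted(s for s, rs in acls.get(obj, {}).items() if right in rs)


def what_can(clists, subject, right):
    """'What may subject do <right> on?' is one list lookup with C-lists."""
    return sorted(o for o, rs in clists.get(subject, {}).items() if right in rs)


def revoke_object(acls, clists, obj):
    """Revoke every right on obj in both views.  ACLs: drop one list.  C-lists:
    every subject's list must be searched, since the object does not know who
    holds a capability for it.  Returns (former ACL subjects, C-lists touched)."""
    acl_removed = acls.pop(obj, {})
    touched = [s for s, caps in clists.items() if caps.pop(obj, None) is not None]
    return sorted(acl_removed), touched
```

The asymmetry is the practical reason to pick one representation over the other: reviewing or revoking access to an object is cheap with ACLs, while enumerating or confining what one subject can reach is cheap with capabilities.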
UNIX Access Control Manipulation
• chmod: Change mode command
• chmod u=rx file (Set the owner's permissions to exactly rx, removing w if it was set)
• chmod go-rwx file (Deny rwx permission for group and others)
• chmod g+w file (Give write permission to the group)
• chmod a+x fileA fileB (Give execute permission to all, on both files)
• chmod g+rx,o+x file (Give rx rights to the group, and the x right to the others; the clauses are separated by a comma with no space)
• chmod 751 file1 (Give rwx rights to the user, rx rights to the group, x right to the others)
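The following is an added example, not part of the slides: a small interpreter for chmod's symbolic and octal mode syntax, so each chmod command above can be checked against the permission bits it produces without touching a filesystem. Two simplifications are assumed and labelled in the code: a clause with no who-letters is treated as "a" (real chmod also applies the umask in that case), and the setuid/setgid/sticky bits and the X, s and t letters are not handled.

```python
"""Added example (not from the slides): apply chmod mode strings to rwx bits."""
import stat

WHO = {"u": stat.S_IRWXU, "g": stat.S_IRWXG, "o": stat.S_IRWXO}
WHO["a"] = WHO["u"] | WHO["g"] | WHO["o"]
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}    # each letter, in all three classes


def apply_mode(mode_spec, current=0):
    """Return the rwx bits after `chmod mode_spec` on a file whose bits are `current`.

    Simplifications (assumed): no who-letters means "a" and the umask is ignored;
    only r, w and x are accepted as permission letters."""
    if mode_spec.isdigit():                      # octal form, e.g. "751"
        return int(mode_spec, 8) & 0o777
    bits = current & 0o777
    for clause in mode_spec.split(","):          # "g+rx,o+x" is two clauses
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who, rest = clause[:i] or "a", clause[i:]
        if not rest or rest[0] not in "+-=":
            raise ValueError(f"bad clause {clause!r}")
        op, perms = rest[0], rest[1:]
        if any(p not in PERM for p in perms):
            raise ValueError(f"unsupported permission letters in {clause!r}")
        mask = 0
        for w in who:
            mask |= WHO[w]                        # the classes this clause touches
        requested = 0
        for p in perms:
            requested |= PERM[p] & mask           # the bits it names in those classes
        if op == "+":
            bits |= requested
        elif op == "-":
            bits &= ~requested
        else:                                    # "=": replace the whole class
            bits = (bits & ~mask) | requested
    return bits & 0o777


def rwx(bits):
    """Render bits the way ls -l does, e.g. 0o751 -> 'rwxr-x--x'."""
    return stat.filemode(stat.S_IFREG | (bits & 0o777))[1:]
```

The "=" branch is the one worth noticing: u=rx clears the owner's write bit, whereas u+rx would leave it alone, which is the difference between the first two commands on the slide behaving as a restriction or only as an addition.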
UNIX Access Control Manipulation
• chown: Change owner command, e.g. chown alice file (on Linux, only a process with the CAP_CHOWN privilege, normally root, may change a file's owner)