Computer Security Access Control Mechanisms
-
Upload
clinton-fletcher -
Category
Documents
-
view
30 -
download
5
description
Transcript of Computer Security Access Control Mechanisms
04/19/23 1
Computer SecurityAccess Control Mechanisms
04/19/23 2
States of a Computer SystemThe state of a system is the collection of current values of all components of the system: memory locations, secondary storage, registers etc. Protection states are those states that have to be protected. • .P = set of all protection states of the system• .Q = set of all authorized protection states • The system is not secure if the current state is in P -Q • A security policy characterizes the states in Q • A security mechanism prevents the system entering a state in P -Q
04/19/23 3
Access Control Matrix Model
This is used to describe the protection states.It characterizes the rights of each subject of the system (entity/process) regarding the objects of the system (entities/processes) in terms of a matrix.
04/19/23 4
Butler-Lampson Model
This describes the rights of users s (subjects) over files o (objects) by a matrix A whose rows are indexed by the subjects and whose columns are indexed by the objects. The rights belong to a set R.
Each entry a[s,o] of matrix A is a subset of the set R, and is the set of rights of user s over file o.
04/19/23 5
Butler-Lampson Model
The set of protection states P of a system is represented by a set of triples in (S,O,A),
where S is the set of users, O the set of files and A the
Access Control Matrix.The set of rights R (the entries in A) depends on the application.
04/19/23 6
Examples of ACMs file 1 file 2 process 1 process 2
process 1 read, write read read, write, write own execute, own
process 2 append read, own read read, write
execute, own
Here R = { read, wright, own, append, execute }
process 1 can read/write file 1, read file 2, communicate with process 2 by writing to it, etc.
04/19/23 7
Examples: rights on a LAN
host names telegraph nob toadflex
telegraph own ftp ftp
nob ftp,nfs,mail,own ftp,nfs,mail
toadflex ftp,mail ftp,nfs,mail,own
Here R = { ftp, mail, nfs, own }, where ftp = the right to access the File Transfer Protocolmail = the right to send/receive using the Simple Mail Transfer Protocol (SMTP) nfs = the right to access file systems using the Network File System protocol
04/19/23 8
Examples: rights in a program to synchronize events
host names counter inc_ctr dec_ctr manager
inc_ctr +
dec_ctr -
manager call call call
Here R = { +, -, call } (+,- represent the ability to add or subtract and call is
the ability to invoke a procedure)inc_ctr increases a counter and dec_ctr decreases itmanager calls the functions inc_ctr and dec_ctr
04/19/23 9
Other examples
• Access Control by Boolean expression evaluation• Access Control by History
See textbook
04/19/23 10
Protection State Transitions
Initial state of the system: X0 = (S0,O0,A0 )Transitions: 1, 2, …Corresponding states: X1, X2, …
We use the notation: Xi ├─ i+1 Xi+1
to indicate the state transition i+1 moves the system from Xi to Xi+1
X ├─* Y indicates that starting at X, after a series of transitions the system enters state Y.
04/19/23 11
Protection State Transitions
Xi ├─ ci+1 (pi+1,1 ,…, pi+1,m) Xi+1
indicates that the transition is caused by the command ci+1 with parameters pi+1,1 ,…, pi+1,m .
04/19/23 12
The Harrison-Ruzzo-Ullman Model
This is based on a set of primitive commands.• create subject s [precondition: sS postcondition: S’ = S { s }, O’ = O, no rights are assigned to
s, all other rights are not affected ]• create object o [precondition: oO postcondition: S’= S, O’ = O { o }, no rights are assigned to o
all other rights are not affected ]
04/19/23 13
The Harrison-Ruzzo-Ullman Model• Enter right r into a[s,o] [precondition: sS, oO postcondition: S’ = S, O’ = O, a’ [s,o] = a [s.o] { r },
no other rights are affected ]• Delete right r from a[s,o] [precondition: sS, oO postcondition: S’ = S, O’ = O, a’ [s,o] = a [s.o] - { r },
no other rights are affected ]
04/19/23 14
The Harrison-Ruzzo-Ullman Model• destroy subject s [precondition: sS postcondition: S’ = S - { s }, O’= O, a’ [s,o]= for all oO,
no other rights are affected ]• destroy object o [precondition: oO postcondition: S’ = S, O’ = O - { o }, a’ [s,o] = for all sS,
no other rights are affected ]
04/19/23 15
The Harrison-Ruzzo-Ullman Model
Examplecommand create • file (p,f) create object f ; enter right own into a [p,f] ; enter right r into a [p,f] ; enter right w into a [p,f] ; end
04/19/23 16
The Harrison-Ruzzo-Ullman Model
Example –conditional commands
Suppose process p wants to give process q the right to read file fcommand grant•read•file1•(p,f,q) if own in a [p,f] then
enter r into a [q,f] ; end
04/19/23 17
The Harrison-Ruzzo-Ullman ModelExample –conditional commands using and
Suppose process p wants to give process q the right to read file fcommand grant•read•file2•(p,f,q) if r in a [p,f] and c in a [p,f] then
enter r into a [q,f] ; end
See textbook for other examples.
04/19/23 18
Copying and owning
Rights• copy right (grant right) – augments existing rights• own right
The copy right allows its possessor to grant rights (this right is often considered a flag attachment –hence flag right)The own right allows its possessor to add or delete privileges to
themselves.
04/19/23 19
Copying
Example Suppose process p has right r over object f , and let c be a copy right. The following command allows p to copy r over f to another process q only if p has copy right over f .command grant•r(p,f,q) if r in a [p,f] and c in a [p,f] then enter r into a [q,f] ; end
04/19/23 20
Attenuation of privilege
The Principle of Attenuation of Privilege says that • a subject may not give rights it does not possess to
another subject.