Cyber-safety, Cyber-security, Cyber-ethics, (C3) Digital Literacy Skills
ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.
-
Upload
mildred-lamb -
Category
Documents
-
view
229 -
download
4
Transcript of ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.
![Page 1: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/1.jpg)
ECE509 Cyber Security :
Concept, Theory, and Practice
Access Control MatrixSpring 2014
![Page 2: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/2.jpg)
Access Control Principles
![Page 3: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/3.jpg)
Types of Access Control Policies
• Discretionary Access Control (DAC)– Decision made based on identity of requestor and
access rules– Regular users can adjust the policy
• Mandatory Access Control (MAC)– Decision made by testing labels associated with
processes and resources against system policy rules
– Regular user cannot adjust the policy• Role Based Access Control (RBAC)
– Access decisions defined against roles rather than individual requestors
![Page 4: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/4.jpg)
Multiple Access Control Policies
DAC MAC
RBAC
![Page 5: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/5.jpg)
Access Control Requirements or Differentiators
• Reliable Input• Fine and course grain specifications• Least Privilege• Separation of Duty• Open and closed policies• Policy combination and conflict resolution• Administrative policies • Dual Control
![Page 6: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/6.jpg)
Chapter 2: Access Control Matrix
• Overview• Access Control Matrix Model
– Boolean Expression Evaluation– History
• Protection State Transitions– Commands– Conditional Commands
• Special Rights– Principle of Attenuation of Privilege
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-6
![Page 7: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/7.jpg)
Overview
• Protection state of system– Describes current settings, values of system
relevant to protection
• Access control matrix– Describes protection state precisely– Matrix describing rights of subjects– State transitions change elements of matrix
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-7
![Page 8: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/8.jpg)
Description
• Subjects S = { s1,…,sn }
• Objects O = { o1,…,om }
• Rights R = { r1,…,rk }
• Entries A[si, oj] R
• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
July 1, 2004 Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-8
objects (entities)
subj
ects
s1
s2
…
sn
o1 … om s1 … sn
![Page 9: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/9.jpg)
Example 1
• Processes p, q• Files f, g• Rights r, w, x, a, o
f g p q
p rwo r rwxo w
q a ro r rwxo
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-9
![Page 10: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/10.jpg)
Example 2
• Procedures inc_ctr, dec_ctr, manage• Variable counter• Rights +, –, call
counter inc_ctr dec_ctrmanage
inc_ctr +
dec_ctr –
manage call call call
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-10
![Page 11: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/11.jpg)
Boolean Expression Evaluation
• ACM controls access to database fields– Subjects have attributes– Verbs define type of access– Rules associated with objects, verb pair
• Subject attempts to access object– Rule for object, verb evaluated, grants or denies
access
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-11
![Page 12: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/12.jpg)
Example
• Subject annie– Attributes role (artist), groups (creative)
• Verb paint– Default 0 (deny unless explicitly granted)
• Object picture– Rule:
paint: ‘artist’ in subject.role and‘creative’ in subject.groups andtime.hour ≥ 0 and time.hour < 5
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-12
![Page 13: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/13.jpg)
ACM at 3AM and 10AM
July 1, 2004 Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-13
… picture …
… a
nnie
…
paint
At 3AM, time conditionmet; ACM is:
… picture …
… a
nnie
…
At 10AM, time conditionnot met; ACM is:
![Page 14: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/14.jpg)
History
Database:name position age salaryAlice teacher 45 $40,000Bob aide 20 $20,000Cathy principal 37 $60,000Dilbert teacher 50 $50,000Eve teacher 33 $50,000
Queries:1.sum(salary, “position = teacher”) = 140,0002.sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Eve’s salary)
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-14
![Page 15: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/15.jpg)
ACM of Database Queries
Oi = { objects referenced in query i }
f(oi) = { read } for oj Oi, if |j = 1,…,i Oj| < 2
f(oi) = for oj Oi, otherwise
1. O1 = { Alice, Dilbert, Eve } and no previous query set, so:
A[asker, Alice] = f(Alice) = { read }
A[asker, Dilbert] = f(Dilbert) = { read }
A[asker, Eve] = f(Eve) = { read }
and query can be answered
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-15
![Page 16: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/16.jpg)
But Query 2
From last slide:
f(oi) = { read } for oj in Oi, if |j = 1,…,i Oj| > 1
f(oi) = for oj in Oi, otherwise
2. O2 = { Alice, Dilbert } but | O2 O1 | = 2 so
A[asker, Alice] = f(Alice) = A[asker, Dilbert] = f(Dilbert) = and query cannot be answered
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-16
![Page 17: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/17.jpg)
State Transitions
• Change the protection state of system• |– represents transition
– Xi |– Xi+1: command moves system from state Xi to Xi+1
– Xi |– * Xi+1: a sequence of commands moves system from state Xi to Xi+1
• Commands often called transformation procedures
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-17
![Page 18: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/18.jpg)
Primitive Operations
• create subject s; create object o– Creates new row, column in ACM; creates new column in ACM
• destroy subject s; destroy object o– Deletes row, column from ACM; deletes column from ACM
• enter r into A[s, o]– Adds r rights for subject s over object o
• delete r from A[s, o]– Removes r rights from subject s over object o
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-18
![Page 19: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/19.jpg)
Create Subject
• Precondition: s S• Primitive command: create subject s• Postconditions:
– S = S { s }, O = O { s }– (y O)[a[s, y] = ], (x S)[a[x, s] = ]– (x S)(y O)[a[x, y] = a[x, y]]
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-19
![Page 20: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/20.jpg)
Create Object
• Precondition: o O• Primitive command: create object o• Postconditions:
– S = S, O = O { o }– (x S)[a[x, o] = ]– (x S)(y O)[a[x, y] = a[x, y]]
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-20
![Page 21: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/21.jpg)
Add Right
• Precondition: s S, o O• Primitive command: enter r into a[s, o]• Postconditions:
– S = S, O = O– a[s, o] = a[s, o] { r }– (x S)(y O – { o }) [a[x, y] = a[x, y]]– (x S – { s })(y O) [a[x, y] = a[x, y]]
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-21
![Page 22: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/22.jpg)
Delete Right
• Precondition: s S, o O• Primitive command: delete r from a[s, o]• Postconditions:
– S = S, O = O– a[s, o] = a[s, o] – { r }– (x S)(y O – { o }) [a[x, y] = a[x, y]]– (x S – { s })(y O) [a[x, y] = a[x, y]]
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-22
![Page 23: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/23.jpg)
Destroy Subject
• Precondition: s S• Primitive command: destroy subject s• Postconditions:
– S = S – { s }, O = O – { s }– (y O)[a[s, y] = ], (x S)[a´[x, s] = ]– (x S)(y O) [a[x, y] = a[x, y]]
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-23
![Page 24: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/24.jpg)
Destroy Object
• Precondition: o O• Primitive command: destroy object o• Postconditions:
– S = S, O = O – { o }– (x S)[a[x, o] = ]– (x S)(y O) [a[x, y] = a[x, y]]
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-24
![Page 25: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/25.jpg)
Creating File
• Process p creates file f with r and w permissioncommand create•file(p, f)
create object f;enter own into A[p, f];enter r into A[p, f];enter w into A[p, f];
end
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-25
![Page 26: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/26.jpg)
Mono-Operational Commands
• Make process p the owner of file gcommand make•owner(p, g)
enter own into A[p, g];end
• Mono-operational command– Single primitive operation in this command
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-26
![Page 27: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/27.jpg)
Conditional Commands
• Let p give q r rights over f, if p owns fcommand grant•read•file•1(p, f, q)
if own in A[p, f]then
enter r into A[q, f];end
• Mono-conditional command– Single condition in this command
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-27
![Page 28: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/28.jpg)
Multiple Conditions
• Let p give q r and w rights over f, if p owns f and p has c rights over qcommand grant•read•file•2(p, f, q)
if own in A[p, f] and c in A[p, q]then
enter r into A[q, f];enter w into A[q, f];
end
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-28
![Page 29: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/29.jpg)
Copy Right
• Allows possessor to give rights to another• Often attached to a right, so only applies to
that right– r is read right that cannot be copied– rc is read right that can be copied
• Is copy flag copied when giving r rights?– Depends on model, instantiation of model
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-29
![Page 30: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/30.jpg)
Own Right
• Usually allows possessor to change entries in ACM column– So owner of object can add, delete rights for
others– May depend on what system allows
• Can’t give rights to specific (set of) users• Can’t pass copy flag to specific (set of) users
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-30
![Page 31: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/31.jpg)
Attenuation of Privilege
• Principle says you can’t give rights you do not possess– Restricts addition of rights within a system– Usually ignored for owner
• Why? Owner gives herself rights, gives them to others, deletes her rights.
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-31
![Page 32: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/32.jpg)
Key Points
• Access control matrix simplest abstraction mechanism for representing protection state
• Transitions alter protection state• 6 primitive operations alter matrix
– Transitions can be expressed as commands composed of these operations and, possibly, conditions
July 1, 2004Computer Security: Art and Science
© 2002-2004 Matt Bishop
Slide #2-32
![Page 33: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/33.jpg)
Slice and Dice File example
![Page 34: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/34.jpg)
Unix Access Control
• Three permission octets associated with each file and directory– Owner, group, and other – Read, write, execute
• For each file/directory– Can specify RWX permissions for one owner,
one group, and one other
9/29/2010Computer Security I 34
![Page 35: ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.](https://reader036.fdocuments.us/reader036/viewer/2022062518/56649e4d5503460f94b43da6/html5/thumbnails/35.jpg)
Reading
• Sandhu, R.S.; Samarati, P., "Access control: principle and practice," Communications Magazine, IEEE , vol.32, no.9, pp.40,48, Sept. 1994
[http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=312842&ranges%3D1990_2000_p_Publication_Year%26queryText%3Daccess+control+matrix]