Presentation is loading. Please wait.

Presentation is loading. Please wait.

6/12/2015 9:14 PM Lecture 2: Access Control James Hook CS 591: Introduction to Computer Security.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "6/12/2015 9:14 PM Lecture 2: Access Control James Hook CS 591: Introduction to Computer Security."— Presentation transcript:

1 6/12/2015 9:14 PM Lecture 2: Access Control James Hook CS 591: Introduction to Computer Security

2 6/12/2015 9:14 PM Objectives Introduce the mechanism of Access Control Relate mechanism to Confidentiality, Integrity and Availability Introduce the Access Control Matrix Model and Protection State Transitions

3 6/12/2015 9:14 PM Alice and Bob Standard names for “agents” in a security or crypto scenario Also known as “A” and “B”

4 6/12/2015 9:14 PM An Access Control Scenario Alice: 1.New Secret foo Bob: 2. If (cp foo afoo) 3. then echo “success” 4. else echo “fail” Intent: Bob’s cp is attempting to violate Alice’s expected access policy If cp succeeds then the principle of confidentiality is not satisfied Q: Revise scenario to violate availability

5 6/12/2015 9:14 PM Characterizing the Violation Basic Abstraction: States and Transitions 0 1 2 4 A: New Secret foo 3 5 B: echo “success” B: echo “fail” B: cp foo afoo Q: What are the States? Q: If we reach State 5 was State 1 good? Q: What determines if we reach State 2 or 4 from State 1?

6 6/12/2015 9:14 PM Secure and non-Secure States Characterize states in a system as “Secure” and “non-Secure” A system is Secure if every transition maps Secure states to Secure states Consequence: In the scenario, security is compromised if Alice’s “New secret foo” yields a state in which Bob can access foo.

7 6/12/2015 9:14 PM Abstraction X=17,y=23,z= -20,… X=42,y=17,z= 25,… X < yX ¸ y Abstract state: Concrete state: X=17,y=23,z= -21,… X=17,y=23,z= -22,…

8 6/12/2015 9:14 PM Protection States An abstraction that focuses on security properties Primarily interested in characterizing Safe states Goal is to prove that all operations in the system preserve “security” of the protection state Access Control Matrix is our first Protection State model

9 6/12/2015 9:14 PM Access Control Matrix Model – Lampson ‘71, refined by Graham and Denning (‘71, ‘72) – Concepts –Objects, the protected entities, O –Subjects, the active entities acting on the objects, S –Rights, the controlled operations subjects can perform on objects, R –Access Control Matrix, A, maps Objects and Subjects to sets of Rights –State: (S, O, A)

10 6/12/2015 9:14 PM Confidentiality Scenario 0 1 2 4 A: New Secret foo 3 5 B: echo “success” B: echo “fail” B: cp foo afoo Initial State Subjects S 0 = {A,B} Objects O 0 = {} AC Matrix A 0 = {} Rights R = {r,w,own} Intended State 1 Subjects S 1 = {A,B} Objects O 1 = {foo} AC Matrix A 1 ={(A,foo,[r,w,own]), (B,foo,[])} (S 0, O 0, A 0 ) ` A: New Secret foo (S 1, O 1, A 1 ) (S 1, O 1, A 1 ) ` B: cp foo afoo (S 1, O 1, A 1 )

11 6/12/2015 9:14 PM Confidentiality Scenario 0 1 2 4 A: New Secret foo 3 5 B: echo “success” B: echo “fail” B: cp foo afoo Initial State Subjects S 0 = {A,B} Objects O 0 = {} AC Matrix A 0 = {} Rights R = {r,w,own} States 1, 2 and 3 Subjects S 1 = {A,B} Objects O 1 = {foo} AC Matrix A 1 ={(A,foo,[r,w,own]), (B,foo,[]) } Is there a representation for Protection States 4 and 5? Critical issue is definition of ` cp … …

12 6/12/2015 9:14 PM Availability Scenario 0 1 2 4 A: New Public foo 3 5 B: echo “success” B: echo “fail” B: cp foo afoo Initial State Subjects S 0 = {A,B} Objects O 0 = {} AC Matrix A 0 = {} Rights R = {r,w,o} State 1 Subjects S 1 = {A,B} Objects O 1 = {foo} AC Matrix A 1 ={(A,foo,[r,w,o]), (B,foo,[r])} (S 0, O 0, A 0 ) ` A: New Public foo (S 1, O 1, A 1 ) (S 1, O 1, A 1 ) ` B: cp foo afoo (S 4, O 4, A 4 ) State 4 Subjects S 4 = S 1 Objects O 4 = O 1 [ {afoo} AC Matrix A 4 ={(A,foo,[r,w,o]), (B,foo,[r]), (A,afoo,[]), (B,afoo,[r,w,o])}

13 6/12/2015 9:14 PM Voting Machine How can a voting machine be modeled with subjects, objects, and rights? In what ways do the rights change dynamically?

14 6/12/2015 9:14 PM A Domain-Specific Language for Access Control Harrison, Ruzzo, and Ullman defined a set of primitive commands –Create subject s –Create object o –Enter r into a[s,o] –Delete r from a[s,o] –Destroy subject s –Destroy object o We will use this DSL of primitive commands to model the system in our example Heads up: We have 2 languages: HRU primitives and the example!

15 6/12/2015 9:14 PM HRU Semantics (S, O, A) ` Create subject s (S [ {s}, O, A) (S, O, A) ` Create object o (S, O [ {o}, A) (S, O, A) ` Enter r into a[s,o] (S, O, A’) where A’[s,o] = A[s,o] [ {r} (S, O, A) ` Delete r from a[s,o] (S, O, A’) where A’[s,o] = A[s,o] - {r} (S, O, A) ` Destroy subject s (S - {s}, O, A º ) (S, O, A) ` Destroy object o (S, O - {o}, A º ) where A º is the appropriate restriction of A

16 6/12/2015 9:14 PM Molecules from Atoms This DSL gives us atomic transitions To model a system we combine these atomic operations into commands A system model in this framework is the set of commands that implement the system primitives

17 6/12/2015 9:14 PM Modeling the Example Interface –X: New Secret –X: New Public –X: Cp –X: If then else Assumptions –X ranges over {A,B}

18 6/12/2015 9:14 PM Example Initialize () create subject A create subject B end New.Secret (x,f) create object f enter own into a[x,f] enter r into a[x,f] enter w into a[x,f] end New.Public (x,f) create object f enter own into a[x,f] enter r into a[A,f] enter r into a[B,f] enter w into a[x,f] End

19 6/12/2015 9:14 PM Example (cont) Cp(x,src,dest) if r 2 a[x,src] then create object dest enter own into a[x,dest] enter w into a[x,dest] ? End Modeling helps us be precise: Is the new file “public” or “secret”? Conditional command

20 6/12/2015 9:14 PM Modeling if How do we model the if statement in our scenario? We assumed Unix like “exit status” Could enrich model to have statements have value Does that add value?

21 6/12/2015 9:14 PM Modeling if (cont) To establish system security we must model all sequences of commands What matters is that cp won’t reveal Alice’s secret Since we are considering all sequences of non- conditional commands we don’t need to model If c1 then c2 else c3 since we model both c1; c2 c1; c3 Why doesn’t this argument apply to primitive commands?

22 6/12/2015 9:14 PM Conditional Commands To obtain results in Chapter 3 we place technical restrictions on HRU conditional commands Condition must be “positive” –r 2 a[s,o] –Cf. negative: r  a[s,o] Conjunctions of conditions are allowed –r 2 a[s,o] Æ r’ 2 a[s’,o’] Disjunctions are unnecessary –All atomic actions are idempotent –if  Ç  then C ´ if  then C; if  then C

23 6/12/2015 9:14 PM Access Control Matrix Very high fidelity model Every user and process can be modeled as a subject Every file and process can be modeled as an object Does it scale? Is it useful?

24 6/12/2015 9:14 PM Access Control Matrix The access control matrix model is a critical reference point –most systems can be modeled within the framework –most mechanisms are an imperfect approximation of the Access Control Matrix

25 6/12/2015 9:14 PM Foundational Results Can we use an algorithm to test if a system is secure? –What do we mean by “system”? –What do we mean by “secure”?

26 6/12/2015 9:14 PM Aside: Safety and Liveness Safety property: A bad thing does not happen –E.g. A memory safe program will not dereference a “bad” pointer Liveness property: A good thing will happen eventually –E.g. Every runnable process will eventually be scheduled

27 6/12/2015 9:14 PM Security: safe or live? Availability is often a liveness property Confidentiality is often cast as a safety property Integrity can be both –The processor will execute the instruction stream is a liveness property –All memory will be accessed consistent with the protection state is a safety property

28 6/12/2015 9:14 PM Bounding the Problem “Mono-operational” commands –If each system level command in the modeled system is implemented by a single HRU primitive the system is “mono-operational” General case –In the general case the commands of the system being modeled are implemented by arbitrary combinations of HRU primitives Cast Problem as Safety Property –Bad things don’t happen

29 6/12/2015 9:14 PM What is secure? Must designate a “bad thing” and then prove it doesn’t happen Definition: A right r is leaked if it is added to an element of the access control matrix that does not already contain it –In our example “new secret foo” leaks rights “own, r and w” if foo did not already exist Definition: A system is safe with respect to right r if it does not leak the right r

30 6/12/2015 9:14 PM Follow Bishop If time permits in this lecture jump to Bishop’s slide #03-04#03-04

31 6/12/2015 9:14 PM Conclusion Modeling is the process of abstracting to the essence of the property of concern Security Modeling exploits “protection state” abstractions Access Control Matrix is a “best” model for file and process granularity modeling With virtually any realistic system the general security question will be undecidable

32 6/12/2015 9:14 PM Looking Forward Next Week –Jim Binkley will lecture on Crypto –Bishop: 8, 9, 10 –Anderson: 2, 5 Following Week –Bishop: [1, 2, 3,] 4, 5, 7 –Anderson: [1,] 7

33 6/12/2015 9:14 PM Backup Materials

34 6/12/2015 9:14 PM A scenario from the text Bishop models a language with interface: –Create.file(p,f) –Spawn.process(p,q) –Make.owner(p,f) –Grant.read.file.1(p,f,q) –Grant.read.file.2(p,f,q) –Grant.write.file.1(p,f,q) –Grant.write.file.2(p,f,q) Some of his examples follow

35 6/12/2015 9:14 PM Commands Command create.file (p,f) create object f; enter own into a[p,f]; enter r into a[p,f]; enter w into a[p,f]; end

36 6/12/2015 9:14 PM Commands (cont) Command spawn.process(p,q) create subject q; enter own into a[p,q]; enter r into a[p,q]; enter w into a[p,q]; enter r into a[q,p]; enter w into a[q,p]; End

37 6/12/2015 9:14 PM Conditional Commands Command grant.read.file.1(p,f,q) if own in a[p,f] then enter r into a[q,f] End

38 6/12/2015 9:14 PM Root Agent Create subjects voter, tallyAgent, reporter Create objects vote, state, tally, voterCard Initialize tally=0 Enter

39 6/12/2015 9:14 PM Voter Agent Repeat Indefinitely: Present credential; If credential accepted then Prepare ballot; Confirm vote; Withdraw credential

40 6/12/2015 9:14 PM Tally Agent While (mode = election) do On credential presented do If credential valid then Enable voting; On vote commit do atomic add vote to tally invalidate credential

Download ppt "6/12/2015 9:14 PM Lecture 2: Access Control James Hook CS 591: Introduction to Computer Security."

Similar presentations

Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Operating System Security

Operating System Security
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
4/25/2015 6:17 PM Lecture 2: Voting Machine Study Access Control James Hook CS 591: Introduction to Computer Security.

4/25/2015 6:17 PM Lecture 2: Voting Machine Study Access Control James Hook CS 591: Introduction to Computer Security.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.

April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.

590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.
CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.

CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.
CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.
Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.

Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.
Describing Syntax and Semantics

Describing Syntax and Semantics
1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.

1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

Similar presentations

Ads by Google