Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model.

Published byTyrone Lane Modified over 8 years ago

Similar presentations

Presentation on theme: "IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model."— Presentation transcript:

1 IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model

2 IS-2150/TEL-2810: Introduction of Computer Security2 Protection System State of a system State of a system  Current values of memory locations, registers, secondary storage, etc. other system components Protection state (P) Protection state (P)  A system state that is considered secure A protection system A protection system  Describes the conditions under which a system is secure (in a protection state)  Consists of two parts: A set of generic rights A set of commands State transition State transition  Occurs when an operation (command) is carried out

3 IS-2150/TEL-2810: Introduction of Computer Security3 Protection System Subject (S: set of all subjects) Subject (S: set of all subjects)  Active entities that carry out an action/operation on other entities; Eg.: users, processes, agents, etc. Object (O: set of all objects) Object (O: set of all objects)  Eg.:Processes, files, devices Right (R: set of all rights) Right (R: set of all rights)  An action/operation that a subject is allowed/disallowed on objects  Access Matrix A: a[s, o] ⊆ R Set of Protection States: (S, O, A) Set of Protection States: (S, O, A)

4 IS-2150/TEL-2810: Introduction of Computer Security4 Access Control Matrix Model Access control matrix Access control matrix  Describes the protection state of a system.  Characterizes the rights of each subject  Elements indicate the access rights that subjects have on objects ACM is an abstract model ACM is an abstract model  Rights may vary depending on the object involved ACM is implemented primarily in two ways ACM is implemented primarily in two ways  Capabilities (rows)  Access control lists (columns)

5 IS-2150/TEL-2810: Introduction of Computer Security5 Access Control Matrix

6 IS-2150/TEL-2810: Introduction of Computer Security6 Access Control Matrix HostnamesTelegraphNobToadflax Telegraphownftp Nobftp, nsf, mail, ownftp, nfs, mail Toadflaxftp, mailftp, nsf, mail, own CounterInc_ctrDcr_ctrManager Inc_ctr+ Dcr_ctr- managerCall telegraph is a PC with ftp client but no server nob provides NFS but not to Toadfax nob and toadfax can exchange mail

7 IS-2150/TEL-2810: Introduction of Computer Security7 Boolean Expression Evaluation ACM controls access to database fields ACM controls access to database fields  Subjects have attributes (name, role, groups)  Verbs define type of access/possible actions  Rules associated with (objects, verb) pair Subject attempts to access object Subject attempts to access object  Rule for object, verb evaluated, grants or denies access Can be converted to Access Control Matrix Can be converted to Access Control Matrix

8 IS-2150/TEL-2810: Introduction of Computer Security8 Access Restriction Facility NameRoleGroupsPrograms MattProgrammerSys, hackCompilers, Editors HollyArtistUser, Creative Editors, paint draw HeidiChef, gardener Acct., Creative Editors, kitchen VerbsDefault Rule Read1 Write, Paint, Temp_ctl 0 NameRules RecipesWrite: ‘creative’ in subject.group OverpassWrite: ‘artist’ in subject.role or ‘garderner’ in subject.role.shellrctWrite: ‘hack’ in subject.group and time.hour 0 Oven.devread: 0; temp_ctl: ‘kitechen’ in subject.programs and ‘chef’ in subject.role RecipesOverpass.shellrctOven.dev MattRead Read, write HollyRead, write Read HeidiRead, write ReadTemp_ctl

9 IS-2150/TEL-2810: Introduction of Computer Security9 Access Controlled by History Statistical databases need to Statistical databases need to  answer queries on groups  prevent revelation of individual records Query-set-overlap control Query-set-overlap control  Prevent an attacker to obtain individual piece of information using a set of queries C  A parameter r (=2) is used to determine if a query should be answered NamePositionAgeSalary CeliaTeacher4540K HeidiAide2020K HollyPrincipal3760K LeonardTeacher5050K MattTeacher3350K

10 IS-2150/TEL-2810: Introduction of Computer Security10 Access Controlled by History Query 1: Query 1:  sum_salary(position = teacher)  Answer: 140K Query 2: Query 2:  count(age < 40 & position = teacher)  Can be answered Query 3: Query 3:  sum_salary(age > 40 & position = teacher)  Should not be answered as Matt’s salary can be deduced Can be represented as an ACM Can be represented as an ACM NamePositionAgeSalary CeliaTeacher4540K LeonardTeacher5050K MattTeacher3350K NamePositionAgeSalary CeliaTeacher4540K LeonardTeacher5050K NamePositionAgeSalary MattTeacher3350K

11 IS-2150/TEL-2810: Introduction of Computer Security11 Solution: Query Set Overlap Control (Dobkin, Jones & Lipton ’79) Query valid if intersection of query coverage and each previous query < r Query valid if intersection of query coverage and each previous query < r Can represent as access control matrix Can represent as access control matrix  Subjects: entities issuing queries  Objects: Powerset of records  O s (i) : objects referenced by s in queries 1..i  A[s,o] = read iff

12 IS-2150/TEL-2810: Introduction of Computer Security12 Query 1: O 1 = {Celia, Leonard, Matt} so the query can be answered. Hence Query 1: O 1 = {Celia, Leonard, Matt} so the query can be answered. Hence  A[asker, Celia] = {read}  A[asker, Leonard] = {read}  A[asker, Matt] = {read} Query 2: O 3 = {Celia, Leonard} but | O 3  O 1 | = 2; so the query cannot be answered Query 2: O 3 = {Celia, Leonard} but | O 3  O 1 | = 2; so the query cannot be answered  A[asker, Celia] =   A[asker, Leonard] = 

13 IS-2150/TEL-2810: Introduction of Computer Security13 State Transitions Let initial state X 0 = (S 0, O 0, A 0 ) Let initial state X 0 = (S 0, O 0, A 0 ) Notation Notation  X i ├  i+1 X i+1 : upon transition  i+1, the system moves from state X i to X i+1  X ├* Y : the system moves from state X to Y after a set of transitions  X i ├ c i+1 (p i+1,1, p i+1,2, …, p i+1,m ) X i+1 : state transition upon a command For every command there is a sequence of state transition operations For every command there is a sequence of state transition operations

14 IS-2150/TEL-2810: Introduction of Computer Security14 Primitive commands (HRU) Create subject Create subject s Creates new row, column in ACM; Create object Create object o Creates new column in ACM Enterinto Enter r into a[s, o] Adds r right for subject s over object o Deletefrom Delete r from a[s, o] Removes r right from subject s over object o Destroy subject Destroy subject s Deletes row, column from ACM; Destroy object Destroy object o Deletes column from ACM

15 IS-2150/TEL-2810: Introduction of Computer Security15 Create Subject Precondition: s  S Precondition: s  S Primitive command: create subject s Primitive command: create subject s Postconditions: Postconditions:  S´ = S  { s }, O´ = O  { s }  (  y  O´)[a´[s, y] =  ] (row entries for s)  (  x  S´)[a´[x, s] =  ] (column entries for s)  (  x  S)(  y  O)[a´[x, y] = a[x, y]]

16 IS-2150/TEL-2810: Introduction of Computer Security16 Create Object Precondition: o  O Precondition: o  O Primitive command: create object o Primitive command: create object o Postconditions: Postconditions:  S´ = S, O´ = O  { o }  (  x  S´)[a´[x, o] =  ] (column entries for o)  (  x  S)(  y  O)[a´[x, y] = a[x, y]]

17 IS-2150/TEL-2810: Introduction of Computer Security17 Add Right Precondition: s  S, o  O Precondition: s  S, o  O Primitive command: enter r into a[s, o] Primitive command: enter r into a[s, o] Postconditions: Postconditions:  S´ = S, O´ = O  a´[s, o] = a[s, o]  { r }  (  x  S´)(  y  O´) [(x, y)  (s, o)  a´[x, y] = a[x, y]]

18 IS-2150/TEL-2810: Introduction of Computer Security18 Delete Right Precondition: s  S, o  O Precondition: s  S, o  O Primitive command: delete r from a[s, o] Primitive command: delete r from a[s, o] Postconditions: Postconditions:  S´ = S, O´ = O  a´[s, o] = a[s, o] – { r }  (  x  S´)(  y  O´) [(x, y)  (s, o)  a´[x, y] = a[x, y]]

19 IS-2150/TEL-2810: Introduction of Computer Security19 Destroy Subject Precondition: s  S Precondition: s  S Primitive command: destroy subject s Primitive command: destroy subject s Postconditions: Postconditions:  S´ = S – { s }, O´ = O – { s }  (  y  O´)[a´[s, y] =  ] (row entries removed)  (  x  S´)[a´[x, s] =  ] (column entries removed)  (  x  S´)(  y  O´) [a´[x, y] = a[x, y]]

20 IS-2150/TEL-2810: Introduction of Computer Security20 Destroy Object Precondition: o  o Precondition: o  o Primitive command: destroy object o Primitive command: destroy object o Postconditions: Postconditions:  S´ = S, O´ = O – { o }  (  x  S´)[a´[x, o] =  ] (column entries removed)  (  x  S´)(  y  O´) [a´[x, y] = a[x, y]]

21 IS-2150/TEL-2810: Introduction of Computer Security21 System commands using primitive operations process p creates file f with owner read and write ( r, w ) will be represented by the following: process p creates file f with owner read and write ( r, w ) will be represented by the following: Command create_file(p, f) Create object f Enter own into a[p,f] Enter r into a[p,f] Enter w into a[p,f] End Defined commands can be used to update ACM Defined commands can be used to update ACM Command make_owner(p, f) Enter own into a[p,f] End Mono-operational: the command invokes only one primitive Mono-operational: the command invokes only one primitive

22 IS-2150/TEL-2810: Introduction of Computer Security22 Conditional Commands Mono-operational + mono-conditional Mono-operational + mono-conditional Command grant_read_file(p, f, q) If own in a[p,f] Then Enter r into a[q,f] End Why not “OR”?? Why not “OR”?? Mono-operational + biconditional Mono-operational + biconditional Command grant_read_file(p, f, q) If r in a[p,f] and c in a[p,f] Then Enter r into a[q,f] End

23 IS-2150/TEL-2810: Introduction of Computer Security23 Attenuation of privilege Principle of attenuation Principle of attenuation  A subject may not give rights that it does not posses to others Copy Copy  Augments existing rights  Often attached to a right, so only applies to that right r is read right that cannot be copied rc is read right that can be copied Also called the grant right Own Own  Allows adding or deleting rights, and granting rights to others  Creator has the own right  Subjects may be granted own right  Owner may give rights that he does not have to others on the objects he owns (chown command) Example: John owns file f but does not have read permission over it. John can grant read right on f to Matt.

24 IS-2150/TEL-2810: Introduction of Computer Security24 Fundamental questions How can we determine that a system is secure? How can we determine that a system is secure?  Need to define what we mean by a system being “secure” Is there a generic algorithm that allows us to determine whether a computer system is secure? Is there a generic algorithm that allows us to determine whether a computer system is secure?

25 IS-2150/TEL-2810: Introduction of Computer Security25 What is a secure system? A simple definition A simple definition  A secure system doesn’t allow violations of a security policy Alternative view: based on distribution of rights to the subjects Alternative view: based on distribution of rights to the subjects  Leakage of rights: (unsafe with respect to right r) Assume that A representing a secure state does not contain a right r in any element of A. A right r is said to be leaked, if a sequence of operations/commands adds r to an element of A, which not containing r Safety of a system with initial protection state X o Safety of a system with initial protection state X o  Safe with respect to r: System is safe with respect to r if r can never be leaked  Else it is called unsafe with respect to right r.

26 IS-2150/TEL-2810: Introduction of Computer Security26 Safety Problem: formally Given iinitial state X 0 = (S 0, O 0, A 0 ) SSet of primitive commands c rr is not in A 0 [s, o] Can we reach a state Xn where  s,o such that A n [s,o] includes a right r not in A 0 [s,o]? - If so, the system is not safe - But is “safe” secure?

27 IS-2150/TEL-2810: Introduction of Computer Security27 Decidability Results (Harrison, Ruzzo, Ullman) Theorem:Given a system where each command consists of a single primitive command (mono- operational), there exists an algorithm that will determine if a protection system with initial state X 0 is safe with respect to right r. Theorem:Given a system where each command consists of a single primitive command (mono- operational), there exists an algorithm that will determine if a protection system with initial state X 0 is safe with respect to right r. Proof: determine minimum commands k to leak Proof: determine minimum commands k to leak  Delete/destroy: Can’t leak (or be detected)  Create/enter: new subjects/objects “equal”, so treat all new subjects as one No test for absence Tests on A[s 1, o 1 ] and A[s 2, o 2 ] have same result as the same tests on A[s 1, o 1 ] and A[s 1, o 2 ] = A[s 2, o 2 ]  A[s 2, o 2 ]  If n rights leak possible, must be able to leak n(|S 0 |+1)(|O 0 |+1)+1 commands  Enumerate all possible states to decide

28 IS-2150/TEL-2810: Introduction of Computer Security28 Decidability Results (Harrison, Ruzzo, Ullman) It is undecidable if a given state of a given protection system is safe for a given generic right It is undecidable if a given state of a given protection system is safe for a given generic right For proof – need to know Turing machines and halting problem For proof – need to know Turing machines and halting problem

29 IS-2150/TEL-2810: Introduction of Computer Security29 What is the implication? Safety decidable for some models Safety decidable for some models  Are they practical? Safety only works if maximum rights known in advance Safety only works if maximum rights known in advance  Policy must specify all rights someone could get, not just what they have  Where might this make sense? Next: Example of a decidable model Next: Example of a decidable model  Take-Grant Protection Model

30 IS-2150/TEL-2810: Introduction of Computer Security30 Take-Grant Protection Model System is represented as a directed graph System is represented as a directed graph  Subject:  Object:  Labeled edge indicate the rights that the source object has on the destination object Four graph rewriting rules (“de jure”, “by law”, “by rights”) Four graph rewriting rules (“de jure”, “by law”, “by rights”)  The graph changes as the protection state changes according to 1. Take rule: if t  γ, the take rule produces another graph with a transitive edge α  β added. Either : γ α βγβ ├ x zy x zy x takes (α to y ) from z

31 IS-2150/TEL-2810: Introduction of Computer Security31 Take-Grant Protection Model 2. Grant rule: if g  γ, the take rule produces another graph with a transitive edge α  β added. γ α βγβ ├ x zy x zy 3. Create rule: ├ α x xy 4. Remove rule: ├ β -αβ -α xy β xy z grants (α to y ) to x x creates (α to new vertex) y x removes (α to) y

32 IS-2150/TEL-2810: Introduction of Computer Security32 Take-Grant Protection Model: Sharing Given G 0, can vertex x obtain α rights over y? Given G 0, can vertex x obtain α rights over y?  Can_share(α, x, y,G 0 ) is true iff G 0 ├* G n using the four rules, & There is an α edge from x to y in G n tg-path: v 0,…,v n with or edge between any pair of vertices v i, v i+1 tg-path: v 0,…,v n with t or g edge between any pair of vertices v i, v i+1  Vertices tg-connected if tg-path between them Theorem: Any two subjects with tg-path of length 1 can share rights Theorem: Any two subjects with tg-path of length 1 can share rights

33 IS-2150/TEL-2810: Introduction of Computer Security33 Any two subjects with tg-path of length 1 can share rights Four possible length 1 tg-paths 1. Take rule 2. Grant rule 3. Lemma 3.1 4. Lemma 3.2 {t}{t} β  α {g}{g} {t}{t} {g}{g} x, y Can_share(α, x, y,G 0 ) xyz

34 IS-2150/TEL-2810: Introduction of Computer Security34 Any two subjects with tg-path of length 1 can share rights Lemma 3.1 SSequence: Create Take Grant Take β  α α {t} x, y Can_share(α, x, y,G 0 ) x y g tg β  α {t}{t} α z

35 IS-2150/TEL-2810: Introduction of Computer Security35 Other definitions Island: Maximal tg-connected subject-only subgraph Island: Maximal tg-connected subject-only subgraph  Can_share all rights in island  Proof: Induction from previous theorem Bridge: tg-path between subjects v 0 and v n with edges of the following form: Bridge: tg-path between subjects v 0 and v n with edges of the following form:  t → *, t ← *  t → *, g →, t ← *  t → *, g ←, t ← * gtt v0v0 vnvn

36 IS-2150/TEL-2810: Introduction of Computer Security36 Bridge gtt v0v0 vnvn α By lemma 3.1 By grantBy take α α α

37 IS-2150/TEL-2810: Introduction of Computer Security37 Theorem: Can_share(α,x,y,G 0 ) (for subjects) Subject_can_share(α, x, y,G 0 ) is true iff if x and y are subjects and Subject_can_share(α, x, y,G 0 ) is true iff if x and y are subjects and  there is an α edge from x to y in G 0 OR if: s-y   a subject s  G 0 with an s- to- y α edge, and x   islands I 1, …, I n such that x  I 1, s  I n, and there is a bridge from I j to I j+1 x s α α α α y I1I1I1I1 I2I2I2I2 InInInIn

38 IS-2150/TEL-2810: Introduction of Computer Security38 What about objects? Initial, terminal spans x initially spans to y if x is a subject and there is a tg-path between them with t edges ending in a g edge (i.e., t → *g → ) x initially spans to y if x is a subject and there is a tg-path between them with t edges ending in a g edge (i.e., t → *g → )  xy  x can grant a right to y x terminally spans to y if x is a subject and there is a tg-path between them with t edges (i.e., t → *) x terminally spans to y if x is a subject and there is a tg-path between them with t edges (i.e., t → *)  xy  x can take a right from y

39 IS-2150/TEL-2810: Introduction of Computer Security39 Theorem: Can_share(α,x,y,G 0 ) Can_share(α, x, y, G 0 ) iff there is an α edge from x to y in G 0 or if: Can_share(α, x, y, G 0 ) iff there is an α edge from x to y in G 0 or if: ssy   a vertex s  G 0 with an s to y α edge, x’x’=xx’x   a subject x’ such that x’=x or x’ initially spans to x, s’s’=ss’s   a subject s’ such that s’=s or s’ terminally spans to s, and IIx’Is’I   islands I 1, …, I n such that x’  I 1, s’  I n, and there is a bridge from I j to I j +1 x’ s’ α α α α y I1I1I1I1 I2I2I2I2 InInInIn s x x’ can grant a right to x s’ can take a right from s

Download ppt "IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model."

Similar presentations

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
1 1 -Access Control - 2 - Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.

1 1 -Access Control Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.
File Management Chapter 12. File Management A file is a named entity used to save results from a program or provide data to a program. Access control.

File Management Chapter 12. File Management A file is a named entity used to save results from a program or provide data to a program. Access control.
Access Control Discretionary Access Control Lecture 4 1.

Access Control Discretionary Access Control Lecture 4 1.
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.

1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
July 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.

April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
April 13, 2004ECS 235Slide #1 Expressive Power How do the sets of systems that models can describe compare? –If HRU equivalent to SPM, SPM provides more.

April 13, 2004ECS 235Slide #1 Expressive Power How do the sets of systems that models can describe compare? –If HRU equivalent to SPM, SPM provides more.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.

590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.
CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.
1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.

1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.
Dr. Kalpakis CMSC 621, Advanced Operating Systems. Fall 2003 URL: Security & Protection.

Dr. Kalpakis CMSC 621, Advanced Operating Systems. Fall 2003 URL: Security & Protection.
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
Dr. Kalpakis CMSC 621, Advanced Operating Systems. Security & Protection.

Dr. Kalpakis CMSC 621, Advanced Operating Systems. Security & Protection.
1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.

1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.
CS526: Information Security Prof. Cristina Nita-Rotaru September 9, 2003 Protection Models.

CS526: Information Security Prof. Cristina Nita-Rotaru September 9, 2003 Protection Models.
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.

CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.

Similar presentations

Ads by Google