CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.


Midterm?
• Likely during the week of Oct 20…
• Will announce for certain next class

Back to computer security…

Access control
• State of a system
  – Includes, e.g., current memory contents, all secondary storage, contents of all registers, etc.
• Secure states
  – States in which the system is allowed to reside
  – Security policy defines the set of secure states
  – Security mechanism ensures that system never leaves secure state

Access control
• Access control matrix
  – Characterizes rights of each active entity (“subject”) with respect to every other entity
• In any secure state, only transitions to other secure states are allowed
  – Often concerned with transitions that affect the protection state of the system
  – I.e., actions which alter the actions a subject is authorized to take

Access control matrix
• Protected entities: “objects” O
• Active objects: “subjects” S (i.e., users/processes)
  – Note that subjects are also objects
• Matrix A contains an entry for every pair (s, o)
  – The entry contains the rights for s on o
  – Examples: read/write/execute/etc.
• Protection states represented by (S, O, A)

Some examples
• Subjects/objects can be:
  – Files
  – Processes
  – Systems
  – Hosts
  – Functions/variables (within a program)
  – Database entries
  – Etc.

More complex access control
• In general, “rights” may be functions
  – “Actual” rights depend on the system state
  – Equivalently, may depend on system history
• May be more convenient to express in non-matrix form
  – E.g., boolean expression evaluation

Transitions
• Can view transitions that modify the protection state as transformations of the access control matrix
  – E.g., create object; add right r to A[s,o]
• Can build more complex commands out of these basic transformations
  – E.g., create_file:
    1. Creates object
    2. Gives creator rights to the file

Conditional commands
• Can define even more complex commands using conditionals
  – E.g., grant_read_access
    • Only if the function caller “owns” the file!
• Only AND is used
  – OR can be replaced by two commands
  – NOT is not used

Attenuation of privilege
• Copy right
  – Ability to transfer your rights to someone else
  – Copier may have to surrender the right
• Own right
  – Ability to grant rights on the object to others
• Attenuation of privilege
  – “A subject may not give rights it does not possess”
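The following is an added example, not part of the original slides: a small Python model of the protection state (S, O, A) with the primitive transformations, the create_file command, the conditional grant_read_access command, and a copy operation that enforces attenuation of privilege. The class name, the right names ("own", "read", "write", "copy") and the subjects are assumptions chosen for illustration.

```python
class ProtectionState:
    def __init__(self):
        self.S, self.O, self.A = set(), set(), {}  # protection state (S, O, A)

    # Primitive transformations of the access control matrix
    def create_subject(self, s):
        self.S.add(s)
        self.O.add(s)  # subjects are also objects

    def create_object(self, o):
        self.O.add(o)

    def enter(self, right, s, o):
        if s not in self.S or o not in self.O:
            raise KeyError((s, o))
        self.A.setdefault((s, o), set()).add(right)

    def rights(self, s, o):
        return frozenset(self.A.get((s, o), ()))

    def create_file(self, creator, f):
        self.create_object(f)  # command built from primitives
        for r in ("own", "read", "write"):
            self.enter(r, creator, f)

    # Conditional command: the condition is "caller owns f"
    def grant_read_access(self, caller, target, f):
        ok = "own" in self.rights(caller, f)
        if ok:
            self.enter("read", target, f)
        return ok

    # Attenuation: "giver holds copy" AND "giver holds the right itself"
    def copy_right(self, right, giver, receiver, o):
        ok = {"copy", right} <= self.rights(giver, o)
        if ok:
            self.enter(right, receiver, o)
        return ok


def demo():
    st = ProtectionState()
    for s in ("alice", "bob", "carol"):
        st.create_subject(s)
    st.create_file("alice", "notes.txt")
    return st, [
        st.grant_read_access("bob", "carol", "notes.txt"),   # bob is not the owner
        st.grant_read_access("alice", "bob", "notes.txt"),   # owner grants read
        st.copy_right("read", "bob", "carol", "notes.txt"),  # bob has no copy right
    ]
```

Both conditions in copy_right are joined with AND only, matching the restriction on conditional commands; a failed command leaves the matrix unchanged.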

Final points (for now…)
• Access control matrices can express any (reasonable) security policy
  – In practice, such matrices may not be used because of complexity, space requirements, etc.

Security policies

Security policy
• View system as finite automaton
  – Transition functions change state
• Security policy classifies states as “secure” or “insecure”
• A secure system starts in a “secure” state and cannot enter an “insecure” state
  – “Breach of security” occurs when a system enters an “insecure” state

Confidentiality
• I = information; X = entities
• I has the property of confidentiality w.r.t. X if no member of X can obtain information about I
  – Note differences between “high-level” definition and “low-level” definition (i.e., encryption)

Integrity (of data or principles)
• Let I = data or resource; X = entities
• I has the property of integrity w.r.t. X if all members of X “trust” I
  – Again, notice differences (why do they trust I?)
  – They trust that the information was not modified and also trust the information itself

Availability
• I = resource; X = entities
• I has the property of availability w.r.t. X if all members of X can access I
  – “Availability” depends on context
    • Available in finite, but unbounded, amount of time?
    • Available within 3 second delay?

Time-dependence
• Security policy may be time-dependent
  – E.g., contractor has the right to access data, but only as long as she is working for the company
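The following is an added example, not part of the original slides: it treats the contractor case above as the finite automaton from the "Security policy" slide and searches the reachable states for a breach. The state encoding (employed, has_read), the action names and the `revoke_on_terminate` switch are assumptions made for illustration.

```python
from collections import deque

# State = (employed, has_read) for one contractor; constructed for this example.
START = (False, False)


def is_secure(state):
    """Policy: the contractor may hold read access only while employed."""
    employed, has_read = state
    return employed or not has_read


def transitions(state, revoke_on_terminate):
    """Mechanism: yield the (action, next_state) pairs the system permits."""
    employed, has_read = state
    if not employed:
        yield "hire", (True, has_read)
    else:
        yield "grant_read", (True, True)
        yield "terminate", (False, has_read and not revoke_on_terminate)


def find_breach(start, revoke_on_terminate):
    """Breadth-first search of reachable states.

    Returns the shortest action trace that reaches an insecure state,
    or None if every reachable state is secure.
    """
    if not is_secure(start):
        return []
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        for action, nxt in transitions(state, revoke_on_terminate):
            if not is_secure(nxt):
                return trace + [action]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [action]))
    return None
```

With `revoke_on_terminate=False` the search returns the trace hire, grant_read, terminate; with revocation at termination no insecure state is reachable, so the mechanism enforces the policy.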

Policies…
• Confidentiality policy identifies states in which information is leaked to unauthorized entities
• Integrity policy identifies who may alter data, and how it may be altered
• Availability policy identifies which resources must be available, and to whom
  – If “availability” is precisely defined, this may also define “quality of service”

Security mechanism
• A security mechanism enforces (part of) the security policy
  – Includes procedural/operational controls, not just technical controls
    • E.g., who may enter the room in which backup tapes are stored
    • How new accounts are established

Security policies
• “Military security policy” is primarily concerned with confidentiality
  – Does not exclude other concerns…
• “Commercial security policy” is primarily concerned with integrity (think: banking industry)
  – E.g., consistent transactions
  – The question of “trust” is much harder than the question of confidentiality