Csci5233 computer security & integrity 1 Access Control Matrix.



Slide 2: Outline
• Overview
• Access Control Matrix Model
  – Boolean Expression Evaluation
  – History
• Protection State Transitions
  – Commands
  – Conditional Commands
• Special Rights
  – Principle of Attenuation of Privilege

Slide 3: Overview
• State
  – The collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system.
• Protection state of the system
  – The subset of the state that is relevant to protection.
• Access control matrix
  – A tool that describes the protection state.
  – A matrix describing the rights of subjects over objects.
  – State transitions change elements of the matrix.

Slide 4: Overview
• Access control matrix model
  – The most precise model used to describe a protection state.
  – It characterizes the rights of each subject with respect to every other entity, which can be active or passive.
  – The set of objects = the set of all protected entities.
  – The set of subjects = the set of active objects, such as processes and users.
  – The ACM captures the relationships between the subjects and the objects.
  – When a command changes the state of the system, a state transition occurs.

Slide 5: Description

                       objects (entities)
              s1    s2    …    sn    o1    …    om
         s1
         s2
subjects  …
         sn                                    A[sn, om]

• Subjects S = { s1, …, sn }
• Objects O = { o1, …, om }
• Rights R = { r1, …, rk }
• Entries A[si, oj] ⊆ R
  – A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj

Slide 6: Example 1
• Processes p, q
• Files f, g
• Rights r, w, x (execute), a(ppend), o(wn)

        f      g      p      q
  p    rwo     r     rwxo    w
  q     a      ro     r     rwxo

Slide 7: Example 2
• Procedures inc_ctr, dec_ctr, manage
• Variable counter
• Rights +, –, call

            counter   inc_ctr   dec_ctr   manage
  inc_ctr      +
  dec_ctr      –
  manage                 call      call     call

Slide 8: Boolean Expression Evaluation
• The ACM may be used to control access to database fields
  – Subjects have attributes (e.g., name, role, groups, programs, etc.)
  – Verbs define the type of access (e.g., read, write, paint, temp_ctl)
  – A rule is associated with each (object, verb) pair (e.g., object = recipes; verb = write; rule = ‘creative’ in subject.group)
• When a subject attempts to access an object
  – the rule for (object, verb) is evaluated, and it grants or denies access

Slide 9: Example of rules
• Subject annie
  – Attributes: role (artist), groups (creative)
• Verb paint
  – Default 0 (deny unless explicitly granted)
• Object picture
• A sample rule:

  paint: ‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour >= 17 and time.hour < 20

Slide 10: ACM at 3AM and 10AM
At 6 PM (hour 18), the time condition is met; the ACM is:

           …    picture    …
   …
   annie         paint
   …

At 10 AM, the time condition is not met; the ACM is:

           …    picture    …
   …
   annie
   …
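The slides' rule-based ACM, as an added example that is not part of the original slides: subject attributes and the (picture, paint) rule are constructed from slide 9, a pair with no rule defaults to 0 (deny), and the matrix entry for annie is computed for a given hour rather than stored. The second subject bob is an assumption added to show a subject the rule rejects.

```python
SUBJECTS = {  # constructed subject attributes (annie from the slide; bob is assumed)
    "annie": {"role": {"artist"}, "groups": {"creative"}},
    "bob":   {"role": {"artist"}, "groups": set()},
}
VERBS = ("read", "write", "paint", "temp_ctl")

# One rule per (object, verb) pair; a pair with no rule defaults to 0 (deny)
RULES = {
    ("picture", "paint"): lambda subj, hour: (
        "artist" in subj["role"]
        and "creative" in subj["groups"]
        and 17 <= hour < 20
    ),
}

def access(subject, obj, verb, hour):
    """Evaluate the rule for (obj, verb) against this subject's attributes at this hour."""
    rule = RULES.get((obj, verb))
    return bool(rule) and rule(SUBJECTS[subject], hour)   # no rule -> deny

def acm_entry(subject, obj, hour):
    """A[subject, obj] as it would appear in the matrix at this hour."""
    return {v for v in VERBS if access(subject, obj, v, hour)}
```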

Slide 11: Access Controlled by History
• Query-set-overlap control: prevents deduction/inference attacks
• Database:

  name    position    age    salary
  Celia   teacher     45     $40,000
  Heidi   aide        20     $20,000
  Holly   principal   37     $60,000
  Leo     teacher     50     $50,000
  Matt    teacher     33     $50,000

• Queries:
  1. C1 = sum(salary, “position = teacher”) = $140,000
  C3 = sum(salary, “age > 40 & position = teacher”) should not be answered (it would let the querier deduce Matt’s salary)

Slide 12: Access Controlled by History
• Database: the same table as on the previous slide
• O1 = {Celia, Leo, Matt} is the query set of C1
• O3 = {Celia, Leo} is the query set of C3
• The two query sets overlap in Celia and Leo, so C1 minus C3 would give Matt’s salary
• Check out [Dobkin/Jones, 1979].
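Query-set-overlap control over the slides' table, as an added example that is not part of the original slides: every answered query's set of contributing records is remembered, and a new query is refused when it overlaps an earlier answered set in more than r records. The threshold r is an assumption of this example (the slides give none); r = 1 reproduces the slides' outcome, and the last function shows what an unrestricted C3 would leak.

```python
DB = [  # constructed from the slide's table
    {"name": "Celia", "position": "teacher",   "age": 45, "salary": 40000},
    {"name": "Heidi", "position": "aide",      "age": 20, "salary": 20000},
    {"name": "Holly", "position": "principal", "age": 37, "salary": 60000},
    {"name": "Leo",   "position": "teacher",   "age": 50, "salary": 50000},
    {"name": "Matt",  "position": "teacher",   "age": 33, "salary": 50000},
]

class OverlapControl:
    """Answers sum(salary, pred) only if the query set overlaps each
    previously answered query set in at most r records (r is assumed)."""
    def __init__(self, db, r):
        self.db, self.r, self.history = db, r, []

    def query_set(self, pred):
        return frozenset(row["name"] for row in self.db if pred(row))

    def sum_salary(self, pred):
        o = self.query_set(pred)
        if any(len(o & prev) > self.r for prev in self.history):
            return None                      # refused: too much overlap with history
        self.history.append(o)               # remember what has been answered
        return sum(row["salary"] for row in self.db if row["name"] in o)

def is_teacher(row):
    return row["position"] == "teacher"

def is_older_teacher(row):
    return row["age"] > 40 and is_teacher(row)

def run_slide_queries(r=1):
    """C1 then C3 from the slide; with r = 1, C3 is refused (O1 and O3 share two names)."""
    ctl = OverlapControl(DB, r)
    return ctl.sum_salary(is_teacher), ctl.sum_salary(is_older_teacher)

def inference_without_control():
    """What an unrestricted C3 would leak: C1 - C3 is Matt's salary alone."""
    c1 = sum(row["salary"] for row in DB if is_teacher(row))
    c3 = sum(row["salary"] for row in DB if is_older_teacher(row))
    return c1 - c3
```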

Slide 13: State Transitions
• Change the protection state of the system
• |- represents a transition
  – Xi |-τ Xi+1: command τ moves the system from state Xi to Xi+1
  – Xi |-* Xi+1: a sequence of commands moves the system from state Xi to Xi+1
• Commands are often called transformation procedures

Slide 14: Primitive Operations
• create subject s
  – Creates a new row and a new column in the ACM
• create object o
  – Creates a new column in the ACM
• destroy subject s
  – Deletes a row and a column from the ACM
• destroy object o
  – Deletes a column from the ACM
• enter r into A[s, o]
  – Adds the right r for subject s over object o
• delete r from A[s, o]
  – Removes the right r from subject s over object o

Slide 15: Create Subject
• Precondition: s ∉ S
• Primitive command: create subject s
• Postconditions:
  – S´ = S ∪ { s }, O´ = O ∪ { s }
  – (∀y ∈ O´)[a´[s, y] = ∅], (∀x ∈ S´)[a´[x, s] = ∅]
  – (∀x ∈ S)(∀y ∈ O)[a´[x, y] = a[x, y]]

Slide 16: Create Object
• Precondition: o ∉ O
• Primitive command: create object o
• Postconditions:
  – S´ = S, O´ = O ∪ { o }
  – (∀x ∈ S´)[a´[x, o] = ∅]
  – (∀x ∈ S)(∀y ∈ O)[a´[x, y] = a[x, y]]

Slide 17: Add Right
• Precondition: s ∈ S, o ∈ O
• Primitive command: enter r into a[s, o]
• Postconditions:
  – S´ = S, O´ = O
  – a´[s, o] = a[s, o] ∪ { r }
  – (∀x ∈ S´ – { s })(∀y ∈ O´ – { o })[a´[x, y] = a[x, y]]

Slide 18: Delete Right
• Precondition: s ∈ S, o ∈ O
• Primitive command: delete r from a[s, o]
• Postconditions:
  – S´ = S, O´ = O
  – a´[s, o] = a[s, o] – { r }
  – (∀x ∈ S´ – { s })(∀y ∈ O´ – { o })[a´[x, y] = a[x, y]]

Slide 19: Destroy Subject
• Precondition: s ∈ S
• Primitive command: destroy subject s
• Postconditions:
  – S´ = S – { s }, O´ = O – { s }
  – (∀y ∈ O´)[a´[s, y] = ∅], (∀x ∈ S´)[a´[x, s] = ∅]
  – (∀x ∈ S´)(∀y ∈ O´)[a´[x, y] = a[x, y]]

Slide 20: Destroy Object
• Precondition: o ∈ O
• Primitive command: destroy object o
• Postconditions:
  – S´ = S, O´ = O – { o }
  – (∀x ∈ S´)[a´[x, o] = ∅]
  – (∀x ∈ S´)(∀y ∈ O´)[a´[x, y] = a[x, y]]

Slide 21: Creating File
• Process p creates file f with r and w permission

  command createfile(p, f)
    create object f;
    enter own into A[p, f];
    enter r into A[p, f];
    enter w into A[p, f];
  end

Slide 22: Mono-Operational Commands
• A single primitive operation in a command
• Example: make process p the owner of file g

  command makeowner(p, g)
    enter own into A[p, g];
  end

Slide 23: Conditional Commands
• Let p give q r rights over f, if p owns f

  command grantreadfile1(p, f, q)
    if own in A[p, f]
    then
      enter r into A[q, f];
  end

• Mono-conditional command
  – A single condition in this command

Slide 24: Multiple Conditions
• Let p give q r and w rights over f, if p owns f and p has c rights over q

  command grantreadfile2(p, f, q)
    if own in A[p, f] and c in A[p, q]
    then
      enter r into A[q, f];
      enter w into A[q, f];
  end

Slide 25: Copy Right
• Allows the possessor to give rights to another
• Often attached to a right, so it only applies to that right
  – r is a read right that cannot be copied
  – rc is a read right that can be copied
• Is the copy flag copied when giving r rights?
  – Depends on the model, and on the instantiation of the model

Slide 26: Own Right
• Usually allows the possessor to change entries in an ACM column
  – So the owner of an object can add and delete rights for others
  – May depend on what the system allows:
    Can’t give rights to specific (set of) users
    Can’t pass the copy flag to specific (set of) users

Slide 27: Attenuation of Privilege
• The principle says you can’t give rights you do not possess.
  – Restricts the addition of rights within a system
  – Usually ignored for the owner
• Why? The owner gives herself the rights, gives them to others, then deletes her own rights.

Slide 28: Key Points
• The access control matrix is the simplest abstraction mechanism for representing a protection state
• Transitions alter the protection state
• 6 primitive operations alter the matrix
  – Transitions can be expressed as commands composed of these operations and, possibly, conditions