csci5233 computer security & integrity 1 Access Control Matrix

csci5233 computer security & integrity 2 Outline Overview Access Control Matrix Model –Boolean Expression Evaluation –History Protection State Transitions –Commands –Conditional Commands Special Rights –Principle of Attenuation of Privilege

csci5233 computer security & integrity 3 Overview State –The collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system. Protection state of system –a subset of the states that are relevant to protection Access control matrix –A tool that can describe protection state –Matrix describing rights of subjects –State transitions change elements of matrix

csci5233 computer security & integrity 4 Overview Access control matrix model –The most precise model used to describe a protection state –It characterizes the rights of each subject with respect to every other entity, which can be active or passive. –The set of objects = the set of all protected entities –The set of subjects = the set of active objects, such as processes and users. –The ACM captures the relationships between the subjects and the objects. –When a command changes the state of the system, a state transition occurs.

csci5233 computer security & integrity 5 Description objects (entities) subjects s1s2…sns1s2…sn o 1 … o m s 1 … s n Subjects S = { s 1,…,s n } Objects O = { o 1,…,o m } Rights R = { r 1,…,r k } Entries A[s i, o j ]   R A[s i, o j ] = { r x, …, r y } means subject s i has rights r x, …, r y over object o j A[s n, o m ]

csci5233 computer security & integrity 6 Example 1 Processes p, q Files f, g Rights r, w, x (execute), a(ppend), o(wn) fgpq p rwor rwxow qaror rwxo

csci5233 computer security & integrity 7 Example 2 Procedures inc_ctr, dec_ctr, manage Variable counter Rights +, –, call counter inc_ctr dec_ctrmanage inc_ctr+ dec_ctr– managecallcallcall

csci5233 computer security & integrity 8 Boolean Expression Evaluation ACM may be used for control of access to database fields ACM controls access to database fields –Subjects have attributes (e.g., name, role, groups, programs, etc.) –Verbs define type of access (e.g., read, write, paint, temp_ctl) –Rules associated with (objects, verb) pair (e.g., object = recipes; verb = write; rule = ‘creative’ in subject.group) Subject attempts to access object –Rule for (object, verb) evaluated, grants or denies access

csci5233 computer security & integrity 9 Example of rules Subject annie –Attributes role (artist), groups (creative) Verb paint –Default 0 (deny unless explicitly granted) Object picture A sample rule paint:‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour >= 17 and time.hour < 20

csci5233 computer security & integrity 10 ACM at 3AM and 10AM … picture … … annie … paint At 18 PM, time condition met; ACM is: … picture … … annie … At 10AM, time condition not met; ACM is:

csci5233 computer security & integrity 11 Access Controlled by History Query-set-overlap-control: to prevent deduction/inference attack Database: namepositionagesalary Celiateacher45$40,000 Heidiaide20$20,000 Hollyprincipal37$60,000 Leoteacher50$50,000 Mattteacher33$50,000 Queries: 1. C1 = sum(salary, “position = teacher”) = $140, C3 = sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Matt’s salary)

csci5233 computer security & integrity 12 Access Controlled by History Database: namepositionagesalary Celiateacher45$40,000 Heidiaide20$20,000 Hollyprincipal37$60,000 Leoteacher50$50,000 Mattteacher33$50,000 O 1 = {Celia, Leo, Matt} O 3 = {Celia, Leo} Check out [Dobkins/Jones, 1979].

csci5233 computer security & integrity 13 State Transitions Change the protection state of system |- represents transition X i |-  X i+1 : command  moves system from state X i to X i+1 X i |- * X i+1 : a sequence of commands moves system from state X i to X i+1 Commands are often called transformation procedures

csci5233 computer security & integrity 14 Primitive Operations create subject s –Creates new row, column in ACM; create object o –creates new column in ACM destroy subject s –Deletes row, column from ACM destroy object o –deletes column from ACM enter r into A[s,o] –Adds r rights for subject s over object o delete r from A[s,o] –Removes r rights from subject s over object o

csci5233 computer security & integrity 15 Create Subject Precondition: s  S Primitive command: create subject s Postconditions: –S´ = S  { s }, O´ = O  { s } –(  y  O´)[a´[s, y] =  ], (  x  S´)[a´[x, s] =  ] –(  x  S)(  y  O)[a´[x, y] = a[x, y]]

csci5233 computer security & integrity 16 Create Object Precondition: o  O Primitive command: create object o Postconditions: –S´ = S, O´ = O  { o } –(  x  S´)[a´[x, o] =  ] –(  x  S)(  y  O)[a´[x, y] = a[x, y]]

csci5233 computer security & integrity 17 Add Right Precondition: s  S, o  O Primitive command: enter r into a[s, o] Postconditions: –S´ = S, O´ = O –a´[s, o] = a[s, o]  { r } –(  x  S´ – { s })(  y  O´ – { o }) [a´[x, y] = a[x, y]]

csci5233 computer security & integrity 18 Delete Right Precondition: s  S, o  O Primitive command: delete r from a[s, o] Postconditions: –S´ = S, O´ = O –a´[s, o] = a[s, o] – { r } –(  x  S´ – { s })(  y  O´ – { o }) [a´[x, y] = a[x, y]]

csci5233 computer security & integrity 19 Destroy Subject Precondition: s  S Primitive command: destroy subject s Postconditions: –S´ = S – { s }, O´ = O – { s } –(  y  O´)[a´[s, y] =  ], (  x  S´)[a´[x, s] =  ] –(  x  S´)(  y  O´) [a´[x, y] = a[x, y]]

csci5233 computer security & integrity 20 Destroy Object Precondition: o  o Primitive command: destroy object o Postconditions: –S´ = S, O´ = O – { o } –(  x  S´)[a´[x, o] =  ] –(  x  S´)(  y  O´) [a´[x, y] = a[x, y]]

csci5233 computer security & integrity 21 Creating File Process p creates file f with r and w permission command createfile(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end

csci5233 computer security & integrity 22 Mono-Operational Commands Single primitive operation in a command Example: Make process p the owner of file g command makeowner(p, g) enter own into A[p, g]; end

csci5233 computer security & integrity 23 Conditional Commands Let p give q r rights over f, if p owns f command grantreadfile1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end Mono-conditional command –Single condition in this command

csci5233 computer security & integrity 24 Multiple Conditions Let p give q r and w rights over f, if p owns f and p has c rights over q command grantreadfile2(p, f, q) if own in A[p, f] and c in A[p, q] then enter r into A[q, f]; enter w into A[q, f]; end

csci5233 computer security & integrity 25 Copy Right Allows possessor to give rights to another Often attached to a right, so only applies to that right –r is read right that cannot be copied –rc is read right that can be copied Is copy flag copied when giving r rights? –Depends on model, instantiation of model

csci5233 computer security & integrity 26 Own Right Usually allows the possessor to change entries in ACM column –So owner of object can add, delete rights for others –May depend on what system allows Can’t give rights to specific (set of) users Can’t pass copy flag to specific (set of) users

csci5233 computer security & integrity 27 Attenuation of Privilege The principle says you can’t give rights you do not possess. –Restricts addition of rights within a system –Usually ignored for owner Why? Owner gives herself rights, gives them to others, deletes her rights.

csci5233 computer security & integrity 28 Key Points Access control matrix simplest abstraction mechanism for representing protection state Transitions alter protection state 6 primitive operations alter matrix –Transitions can be expressed as commands composed of these operations and, possibly, conditions