Slide #2-1 Access Control Matrix and Safety Results CS461/ECE422 Computer Security I, Fall 2009 Based on slides provided by Matt Bishop for use with Computer.

Slides:



Advertisements
Similar presentations
© 2004 Ravi Sandhu The Safety Problem in Access Control HRU Model Ravi Sandhu Laboratory for Information Security Technology George Mason.
Advertisements

© Ravi Sandhu HRU and TAM Ravi Sandhu Laboratory for Information Security Technology George Mason University
Access Control CS461/ECE422 Fall Reading Material Chapter 4 through section 4.5 Chapters 23 and 24 – For the access control aspects of Unix and.
1 1 -Access Control Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.
Access Control Discretionary Access Control Lecture 4 1.
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
Authentication James Walden Northern Kentucky University.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.
6/12/2015 9:14 PM Lecture 2: Access Control James Hook CS 591: Introduction to Computer Security.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
April 13, 2004ECS 235Slide #1 Expressive Power How do the sets of systems that models can describe compare? –If HRU equivalent to SPM, SPM provides more.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.
CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.
1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.
Csci5233 computer security & integrity 1 Access Control Matrix.
IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model.
ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.
Chapter 2: Access Control Matrix
ISA Access Control ISA 562 Internet Security Theory & Practice.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Access Control.
Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model Protection State Transitions –Commands –Conditional Commands.
Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
1 ISA 562 Internet Security Theory and Practice Midterm Exam Review.
Decidability or Impossibility? 02b = a bit of boring theory Nicolas T. Courtois - University College of London.
Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.
Access Control in Practice CS461/ECE422 Fall 2010.
Access Control: Policies and Mechanisms Vinod Ganapathy.
1/30/20161 Computer Security Access Control Matrix.
2/1/20161 Computer Security Foundational Results.
Protection & Security Greg Bilodeau CS 5204 October 13, 2009.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 4 September 18, 2012 Access Control Model Foundational Results.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 16 October 14, 2004.
April 8, 2004ECS 235Slide #1 Overview Safety Question HRU Model Take-Grant Protection Model SPM, ESPM –Multiparent joint creation Expressive power Typed.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.
November 1, 2004Introduction to Computer Security © 2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model Protection.
IS 2620: Developing Secure Systems Formal Verification/Methods Lecture 9 March 15, 2012.
Slide #13-1 Design Principles CS461/ECE422 Computer Security I Fall 2008 Based on slides provided by Matt Bishop for use with Computer Security: Art and.
September 10, 2012Introduction to Computer Security © 2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model.
Access Control Discretionary Access Control Chapter 3.
IS 2150 / TEL 2810 Introduction to Security
Institute for Cyber Security
IS 2150 / TEL 2810 Introduction to Security
Introduction to Computer Security Lecture 2
2. Access Control Matrix Introduction to Computer Security © 2004 Matt Bishop 9/21/2018.
IS 2150 / TEL 2810 Information Security & Privacy
Chapter 13: Design Principles
Computer Security Access Control Matrix
IS 2150 / TEL 2810 Introduction to Security
مدلهاي کنترل دسترسي اختياري
Overview Safety Question HRU Model Take-Grant Protection Model
Computer Security Foundations
Outline Motivation Access Control Matrix Model
Computer Security: Art and Science, 2nd Edition
IS 2150 / TEL 2810 Information Security & Privacy
Chapter 3: Foundational Results
Chapter 2: Access Control Matrix
IS 2150 / TEL 2810 Introduction to Security
Computer Security Access Control Mechanisms
IS 2150 / TEL 2810 Introduction to Security
IS 2150 / TEL 2810 Introduction to Security
Chapter 2: Access Control Matrix
Presentation transcript:

Slide #2-1 Access Control Matrix and Safety Results CS461/ECE422 Computer Security I, Fall 2009 Based on slides provided by Matt Bishop for use with Computer Security: Art and Science Plus HRU examples from Ravi Sandhu

Slide #2-2 Reading Chapter 2 – Access Control Matrix A little bit from Chapter 3 to talk about Safety

Slide #2-3 Outline Motivation Access Control Matrix Model Protection State Transitions HRU Model –Commands –Conditional Commands Basic Safety results

Slide #2-4 Motivation Access Control Matrix (ACM) and related concepts provides very basic abstraction –Map different systems to a common form for comparison –Enables standard proof techniques –Not directly used in implementation Basis for key safety decidability results

Slide #2-5 Definitions Protection state of system –Describes current settings, values of system relevant to protection Access control matrix –Describes protection state precisely –Matrix describing rights of subjects –State transitions change elements of matrix

Slide #2-6 Description objects (entities) subjects s1s2…sns1s2…sn o 1 … o m s 1 … s n Subjects S = { s 1,…,s n } Objects O = { o 1,…,o m } Rights R = { r 1,…,r k } Entries A[s i, o j ]   R A[s i, o j ] = { r x, …, r y } means subject s i has rights r x, …, r y over object o j

Slide #2-7 Example 1 Processes p, q Files f, g Rights r, w, x, a, o f g p q prwo r rwxo w qa ro r rwxo

Slide #2-8 Example 2 Procedures inc_ctr, dec_ctr, manage Variable counter Rights +, –, call counter inc_ctr dec_ctr manage inc_ctr+ dec_ctr– manage call call call

Slide #2-9 Boolean Expression Evaluation ACM controls access to database fields –Subjects have attributes –Verbs define type of access –Rules associated with objects, verb pair Subject attempts to access object –Rule for object, verb evaluated, grants or denies access

Slide #2-10 Example Subject annie –Attributes role (artist), groups (creative) Verb paint –Default 0 (deny unless explicitly granted) Object picture –Rule: paint:‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour ≥ 0 and time.hour < 5

Slide #2-11 ACM at 3AM and 10AM … picture … … annie … paint At 3AM, time condition met; ACM is: … picture … … annie … At 10AM, time condition not met; ACM is:

Slide #2-12 History Query-Set overlap limit = 2 Database: namepositionagesalary Aliceteacher45$40,000 Bobaide20$20,000 Carolprincipal37$60,000 Daveteacher50$50,000 Eveteacher33$50,000 Queries: C1: sum(salary, “position = teacher”) = 140,000 C2: count(set(age < 40 & position = teacher) C3: sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Eve's salary)

Slide #2-13 State Transitions Change the protection state of system |– represents transition –X i |–  X i+1 : command  moves system from state X i to X i+1 –X i |– * X i+1 : a sequence of commands moves system from state X i to X i+1 Commands often called transformation procedures

Slide #2-14 Example Transitions

Slide #2-15 Example Composite Transition

Slide #2-16 HRU Model Harrison, Ruzzo, and Ullman proved key safety results in 1976 Talked about systems –With initial protection state expressed in ACM –State transition commands built from a set of primitive operations –Applied conditionally.

Slide #2-17 HRU Commands and Operations command α(X1, X2,..., Xk) if rl in A[Xs1, Xo1] and r2 in A[Xs2, Xo2] and... rk in A[Xsk, Xok] then op1; op2; … opn end 6 Primitive Operations enter r into A[Xs, Xo] delete r from A[Xs, Xo] create subject Xs create object Xo destroy subject Xs destroy object Xo

Slide #2-18 Create Subject Precondition: s  S Primitive command: create subject s Postconditions: –S = S  { s }, O = O  { s } –(  y  O)[a[s, y] =  ], (  x  S)[a[x, s] =  ] –(  x  S)(  y  O)[a[x, y] = a[x, y]]

Slide #2-19 Create Object Precondition: o  O Primitive command: create object o Postconditions: –S = S, O = O  { o } –(  x  S)[a[x, o] =  ] –(  x  S)(  y  O)[a[x, y] = a[x, y]]

Slide #2-20 Add Right Precondition: s  S, o  O Primitive command: enter r into a[s, o] Postconditions: –S = S, O = O –a[s, o] = a[s, o]  { r } –(  x  S)(  y  O – { o }) [a[x, y] = a[x, y]] –(  x  S – { s })(  y  O) [a[x, y] = a[x, y]]

Slide #2-21 Delete Right Precondition: s  S, o  O Primitive command: delete r from a[s, o] Postconditions: –S = S, O = O –a[s, o] = a[s, o] – { r } –(  x  S)(  y  O – { o }) [a[x, y] = a[x, y]] –(  x  S – { s })(  y  O) [a[x, y] = a[x, y]]

Slide #2-22 Destroy Subject Precondition: s  S Primitive command: destroy subject s Postconditions: –S = S – { s }, O = O – { s } –(  y  O)[a[s, y] =  ], (  x  S)[a´[x, s] =  ] –(  x  S)(  y  O) [a[x, y] = a[x, y]]

Slide #2-23 Destroy Object Precondition: o  O Primitive command: destroy object o Postconditions: –S = S, O = O – { o } –(  x  S)[a[x, o] =  ] –(  x  S)(  y  O) [a[x, y] = a[x, y]]

Slide #2-24 Creating File Process p creates file f with r and w permission command createfile(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end

Slide #2-25 Confer Right Example of a mono-conditional command Also, mono-operational command command confer_r(owner, friend,f) if own in A[owner, f] then enter r into A[friend,f] end

Slide #2-26 Remove Right Example using multiple conditions command remove_r(owner,exfriend, f) if own in A[owner, f] and r in A[exfriend, f] then delete r from A[exfriend, f] end

Slide #2-27 Copy Right Allows possessor to give rights to another Often attached to a right, so only applies to that right –r is read right that cannot be copied –rc is read right that can be copied Is copy flag copied when giving r rights? –Depends on model, instantiation of model

Slide #2-28 Attenuation of Privilege Principle says you can’t give rights you do not possess –Restricts addition of rights within a system –Usually ignored for owner Why? Owner gives herself rights, gives them to others, deletes her rights.

Slide #2-29 The Safety Problem Given –initial state –protection scheme (HRU commands) Can r appear in a cell that exists in the initial state and does not contain r in the initial state? More specific question might be: can r appear in a specific cell A[s,o] Safety with respect to r

Slide #2-30 Safety of a Specific Access Control System Is it decidable? Is it computationally feasible? Safety is undecidable in the general HRU model –Maps to the Halting problem

Slide #2-31 Safety Results Constraints on HRU help some –Safety for mono-operational systems is decidable but NP-Complete –Mono-conditional monotonic HRU is decidable but not interesting Other systems proposed with better results –Take-Grant model – decidable in linear time Still an active research area –Comparing expressiveness with safety

Slide #2-32 Key Points Access control matrix simplest abstraction mechanism for representing protection state Transitions alter protection state 6 primitive operations alter matrix –Transitions can be expressed as commands composed of these operations and, possibly, conditions Early safety proofs build on this HRU model