Computer Security Access Control Matrix


1 Computer Security Access Control Matrix
11/23/2018

2 States of a Computer System
The state of a system is the collection of current values of all components of the system: memory locations, secondary storage, registers, etc.
Protection states are those states that have to be protected.
P = set of all protection states of the system
Q = set of all authorized protection states
The system is not secure if the current state is in P - Q.
A security policy characterizes the states in Q.
A security mechanism prevents the system entering a state in P - Q.

3 Access Control Matrix Model
A model used to describe the protection states. It characterizes the rights of each subject of the system (entity/process) regarding the objects of the system (entities/processes) in terms of a matrix.

4 Butler-Lampson Model
This describes the rights of users s (subjects) over files o (objects) by a matrix A whose rows are indexed by the subjects and columns by the objects. The rights belong to a set R. Each entry a[s,o] of A belongs to R, and is the right of user s over file o.

5 Butler-Lampson Model
In this model P is the triple (S,O,A), where S is the set of users, O the set of files, A the Access Control Matrix. R depends on the application.

6 Examples of ACMs
           file 1     file 2   process 1     process 2
process 1  R, W, O    R        R, W, E, O    W
process 2  A          R, O     R             R, W, E, O
Here R = { Read, Write, Own, Append, Execute }.
process 1 can read/write file 1, read file 2, communicate with process 2 by writing to it, etc.

7 Examples: rights on a LAN
host names: telegraph, nob, toadflex
telegraph: own ftp ftp
nob: ftp, nfs, mail own ftp, nfs, mail
toadflex: ftp, mail ftp, nfs, mail own
Here R = { ftp, mail, nfs, own }, where
ftp = the right to access the File Transfer Protocol
mail = the right to send/receive using the Simple Mail Transfer Protocol (SMTP)
nfs = the right to access file systems using the Network File System protocol

8 Examples: rights in a program
Columns: counter, inc_ctr, dec_ctr, manager
Rows: inc_ctr, dec_ctr, manager
manager: call call call
Here inc_ctr increases a counter and dec_ctr decreases it. R = { +, -, call }

9 Other examples
Access Control by Boolean expression evaluation
Access Control by History
See textbook

10 Protection State Transitions
Initial state of the system: $X_0 = (S_0, O_0, A_0)$
Transitions: $t_1, t_2, \ldots$
Corresponding states: $X_1, X_2, \ldots$
We use the notation $X_i \vdash_{t_{i+1}} X_{i+1}$ to indicate the state transition from $X_i$ to $X_{i+1}$.
$X \vdash^{*} Y$ indicates that, starting at X, after a series of transitions the system enters state Y.

11 Protection State Transitions
$X_i \vdash_{c_{i+1}(p_{i+1,1}, \ldots, p_{i+1,m})} X_{i+1}$
indicates that the transition is caused by the command $c_{i+1}$ on the parameters $p_{i+1,1}, \ldots, p_{i+1,m}$.

12 The Harrison-Ruzzo-Ullman Model
This is based on a set of primitive commands:
create subject s
create object o
enter r into a[s,o]
delete r from a[s,o]
destroy subject s
destroy object o

13 The Harrison-Ruzzo-Ullman Model
Example.
command create•file(p,f)
    create object f;
    enter own into a[p,f];
    enter r into a[p,f];
    enter w into a[p,f];
end

14 The Harrison-Ruzzo-Ullman Model
Example: conditional commands.
Suppose process p wants to give process q the right to read file f.
command grant•read•file•1(p,f,q)
    if own in a[p,f]
    then
        enter r into a[q,f];
end
See textbook for other examples.

15 Copying and owning Rights
copy right (grant right) – augments existing rights
own right
Copy right allows its possessor to grant rights (this right is often considered a flag attachment, hence flag right).
Own right allows its possessor to add or delete privileges for themselves.

16 Attenuation of privilege
The Principle of Attenuation of Privilege says that a subject may not give rights it does not possess to another subject.

