Access control
State of a system
– Includes, e.g., the current memory contents, all secondary storage, the contents of all registers, etc.
Secure states
– States in which the system is allowed to reside
– The security policy defines the set of secure states
– The security mechanism ensures that the system never leaves a secure state
Access control
Access control matrix
– Characterizes the rights of each active entity ("subject") with respect to every other entity
In any secure state, only transitions to other secure states are allowed
– Often concerned with transitions that affect the protection state of the system
– I.e., actions that alter which actions a subject is authorized to take (as opposed to ordinary reads and writes that leave the rights unchanged)
Access control matrix
Protected entities: "objects" O
Active objects: "subjects" S (i.e., users/processes)
– Note that subjects are also objects (S is a subset of O)
Matrix A contains an entry for every pair (s, o)
– The entry A[s, o] contains the rights that s holds on o
– Examples: read/write/execute/etc.
Protection states are represented by the triple (S, O, A)
Some examples
Subjects/objects can be:
– Files
– Processes
– Systems
– Hosts
– Functions/variables (within a program)
– Database entries
– Etc.
More complex access control
In general, "rights" may be functions
– The "actual" rights depend on the system state
– Equivalently, they may depend on the system history (the state records what has happened so far)
May be more convenient to express in non-matrix form
– E.g., as boolean expressions evaluated at the time of the access request
Transitions
Can view transitions that modify the protection state as transformations of the access control matrix
– E.g., create object; add right r to A[s, o]
Can build more complex commands out of these basic transformations
– E.g., create_file:
  1. Creates the object
  2. Gives the creator rights to the file
Conditional commands
Can define even more complex commands using conditionals
– E.g., grant_read_access: add read to A[s, o] only if the function caller "owns" the file (i.e., own is in A[caller, o])
Conditions are conjunctions of tests of the form "r is in A[s, o]"
– Only AND is used
– OR is not needed: a command conditioned on (c1 OR c2) can be replaced by two commands, one conditioned on c1 and one on c2
– NOT is not used
Attenuation of privilege
Copy right
– Ability to transfer your rights to someone else
– The copier may have to surrender the right (a transfer rather than a copy)
Own right
– Ability to grant rights on the object to others
Attenuation of privilege
– "A subject may not give rights it does not possess"
– Caveat: many real systems relax this for owners, who can first add a right to their own entry and then grant it (e.g., the owner of a Unix file can chmod it)
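The following is an added example (not code from the lecture slides) that puts the last few slides together: a protection state (S, O, A), the primitive transformations, a compound create_file command, a conditional grant that checks ownership, and a copy/transfer command that enforces attenuation of privilege. The command names, the rights vocabulary, and the simplification of the copy flag into a separate "copy" right on the object are assumptions chosen for illustration.

```python
"""Access control matrix with protection state (S, O, A) and conditional commands.

Added example, not from the lecture slides. Command names (create_file, grant,
copy_right) and the rights vocabulary ("own", "read", "write", "copy") are
assumptions; treating the copy flag as a separate right is a simplification.
"""
from collections import defaultdict


class AccessDenied(Exception):
    """Raised when a command's condition fails or attenuation would be violated."""


class ProtectionState:
    """Protection state (S, O, A); subjects are also objects (S is a subset of O)."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        # A[(s, o)] is the set of rights s holds on o; absent pairs hold no rights.
        self.A = defaultdict(set)

    # --- primitive transformations: each changes the matrix in one step ---
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)  # every subject is also an object

    def create_object(self, o):
        self.objects.add(o)

    def enter_right(self, r, s, o):
        assert s in self.subjects and o in self.objects, "unknown subject/object"
        self.A[(s, o)].add(r)

    def delete_right(self, r, s, o):
        self.A[(s, o)].discard(r)

    def rights(self, s, o):
        return frozenset(self.A.get((s, o), ()))

    # --- compound and conditional commands built from the primitives ---
    def create_file(self, creator, f):
        """Create an object and give the creator own/read/write on it."""
        if creator not in self.subjects:
            raise AccessDenied(f"{creator} is not a subject")
        if f in self.objects:
            raise AccessDenied(f"{f} already exists")
        self.create_object(f)
        for r in ("own", "read", "write"):
            self.enter_right(r, creator, f)

    def grant(self, caller, r, s, o):
        """Conditional command: caller may enter r into A[s, o] only if own is in A[caller, o]."""
        if "own" not in self.rights(caller, o):
            raise AccessDenied(f"{caller} does not own {o}")
        self.enter_right(r, s, o)

    def copy_right(self, giver, r, s, o, transfer=False):
        """Copy (or transfer) right r on o from giver to s.

        Condition: r in A[giver, o] AND copy in A[giver, o].  The first conjunct is the
        attenuation-of-privilege check: a subject may not give rights it does not hold.
        With transfer=True the giver surrenders the right after handing it over.
        """
        held = self.rights(giver, o)
        if r not in held:
            raise AccessDenied(f"attenuation: {giver} lacks {r} on {o}")
        if "copy" not in held:
            raise AccessDenied(f"{giver} lacks the copy right on {o}")
        self.enter_right(r, s, o)
        if transfer:
            self.delete_right(r, giver, o)


def demo():
    """Run the slides' scenario on constructed subjects; returns the final state."""
    st = ProtectionState()
    for u in ("alice", "bob", "carol"):
        st.create_subject(u)
    st.create_file("alice", "report.txt")           # alice: own/read/write
    st.grant("alice", "read", "bob", "report.txt")  # owner grants read to bob
    st.grant("alice", "copy", "bob", "report.txt")  # ...and the copy right
    st.copy_right("bob", "read", "carol", "report.txt", transfer=True)  # bob hands read on
    return st


if __name__ == "__main__":
    state = demo()
    for subj in ("alice", "bob", "carol"):
        print(subj, sorted(state.rights(subj, "report.txt")))
```

After demo() runs, bob holds only "copy" on report.txt (read was transferred to carol), and any attempt by bob to pass on "write", which he never held, is refused by the attenuation check rather than silently creating a new right.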
Final points (for now…)
Access control matrices can express any (reasonable) security policy
– In practice, such matrices may not be used directly because of complexity, space requirements, etc.
Security policy
View the system as a finite automaton
– Transition functions change the state
A security policy classifies states as "secure" or "insecure"
A secure system starts in a "secure" state and cannot enter an "insecure" state
– A "breach of security" occurs when a system enters an "insecure" state
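The automaton view can be checked mechanically when the state space is finite: start from an initial protection state, apply every command with every argument combination, and test each reachable state against the policy predicate. The block below is an added example, not from the slides; the two-subject, one-object system, the confidentiality policy "guest must never hold read on secret", and the two candidate grant commands are constructed for illustration. (For arbitrary command sets this safety question is undecidable in general, which is why the exploration here is confined to a fixed, small set of subjects, objects and rights.)

```python
"""Security policy as a finite automaton over protection states.

Added example, not from the lecture slides. The system model (SUBJECTS, OBJECTS,
RIGHTS), the policy predicate and the two grant commands are constructed for
illustration only.
"""
from collections import deque

# A protection state is a frozenset of (subject, object, right) triples.
# Subjects, objects and rights are fixed so the reachable state space is finite.
SUBJECTS = ("admin", "guest")
OBJECTS = ("secret",)
RIGHTS = ("own", "read")


def secure(state):
    """Policy predicate: a state is secure unless the untrusted guest can read secret."""
    return ("guest", "secret", "read") not in state


def grant_if_owner(state, caller, s, o, r):
    """Conditional command: caller may give r on o to s only if caller owns o."""
    if (caller, o, "own") in state:
        return state | {(s, o, r)}
    return state


def grant_if_owner_trusted(state, caller, s, o, r):
    """Tightened command (the mechanism): same as grant_if_owner, but never grants to guest."""
    if s == "guest":
        return state
    return grant_if_owner(state, caller, s, o, r)


def reachable(initial, command):
    """Breadth-first exploration of every state reachable by repeatedly applying
    `command` with all argument combinations. Returns the set of reachable states."""
    seen = {initial}
    work = deque([initial])
    while work:
        st = work.popleft()
        for caller in SUBJECTS:
            for s in SUBJECTS:
                for o in OBJECTS:
                    for r in RIGHTS:
                        nxt = command(st, caller, s, o, r)
                        if nxt not in seen:
                            seen.add(nxt)
                            work.append(nxt)
    return seen


def breaches(initial, command):
    """Insecure states reachable from `initial` under `command`.
    An empty result means the command keeps the system inside the secure states."""
    return {st for st in reachable(initial, command) if not secure(st)}


# Constructed initial state: admin owns and can read secret; guest holds nothing.
INITIAL = frozenset({("admin", "secret", "own"), ("admin", "secret", "read")})

if __name__ == "__main__":
    print("reachable breaches with grant_if_owner:", len(breaches(INITIAL, grant_if_owner)))
    print("reachable breaches with grant_if_owner_trusted:",
          len(breaches(INITIAL, grant_if_owner_trusted)))
```

Under grant_if_owner the initial state is secure, yet two insecure states are reachable (admin grants read to guest directly, or grants own to guest and guest then grants itself read); the policy is satisfied at the start but the mechanism does not keep the system in the secure set. Under grant_if_owner_trusted no transition ever leaves the initial state, so the reachable set contains no breach.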
Confidentiality
I = information; X = entities
I has the property of confidentiality w.r.t. X if no member of X can obtain information about I
– Note the difference between this "high-level" definition and a "low-level" one stated in terms of a mechanism (e.g., encryption): encryption hides the content of I, but may still reveal that I exists and how long it is
Integrity (of data or principals)
Let I = data or resource; X = entities
I has the property of integrity w.r.t. X if all members of X "trust" I
– Again, notice the difference (why do they trust I?)
– They trust that the information was not modified (data integrity) and also trust the information itself, including where it came from (origin integrity)
Availability
I = resource; X = entities
I has the property of availability w.r.t. X if all members of X can access I
– "Availability" depends on context
  Available in a finite, but unbounded, amount of time?
  Available within a 3-second delay?
Time-dependence
A security policy may be time-dependent
– E.g., a contractor has the right to access data, but only as long as she is working for the company
Policies…
A confidentiality policy identifies the states in which information is leaked to unauthorized entities
An integrity policy identifies who may alter data, and how it may be altered
An availability policy identifies which resources must be available, and to whom
– If "availability" is precisely defined, this may also define "quality of service"
Security mechanism
A security mechanism enforces (part of) the security policy
– Includes procedural/operational controls, not just technical controls
  E.g., who may enter the room in which backup tapes are stored
  How new accounts are established
Security policies
"Military security policy" is primarily concerned with confidentiality
– Does not exclude other concerns…
"Commercial security policy" is primarily concerned with integrity (think: banking industry)
– E.g., consistent transactions
– The question of "trust" is much harder than the question of confidentiality