IS-2150/TEL-2810: Introduction to Computer Security
September 7, 2005

Introduction to Computer Security
Access Control Matrix
Take-Grant Model

Outline
- Protection System
- Access Control Matrix Model
- Access Control Matrix
- Boolean Expression Evaluation
- Access Restriction Facility
- Access Controlled by History
- Solution: Query Set Overlap Control (Dobkin, Jones & Lipton '79)
- State Transitions
- Primitive commands (HRU): Create Subject, Create Object, Add Right, Delete Right, Destroy Subject, Destroy Object
- System commands using primitive operations
- Conditional Commands
- Attenuation of privilege
- Fundamental questions: What is a secure system?
- Safety Problem: formally
- Decidability Results (Harrison, Ruzzo, Ullman)
- What is the implication?
- Take-Grant Protection Model
- Take-Grant Protection Model: Sharing
- Any two subjects with a tg-path of length 1 can share rights
- Other definitions: Bridge
- Theorem: Can_share(α, x, y, G0) (for subjects)
- What about objects? Initial and terminal spans
- Theorem: Can_share(α, x, y, G0)


Protection System

- State of a system
  - Current values of memory locations, registers, secondary storage, etc.
  - Other system components
- Protection state (P)
  - A system state that is considered secure
- A protection system
  - Describes the conditions under which a system is secure (i.e., is in a protection state)
  - Consists of two parts:
    - A set of generic rights
    - A set of commands
- State transition
  - Occurs when an operation (command) is carried out


Protection System (continued)

- Subject (S: set of all subjects)
  - Active entities that carry out an action/operation on other entities; e.g., users, processes, agents, etc.
- Object (O: set of all objects)
  - e.g., processes, files, devices
- Right (R: set of all rights)
  - An action/operation that a subject is allowed/disallowed to perform on objects
- Access matrix A: a[s, o] ⊆ R is the set of rights subject s has on object o
- A protection state is the triple (S, O, A)


Access Control Matrix Model

- Access control matrix
  - Describes the protection state of a system
  - Characterizes the rights of each subject
  - Elements indicate the access rights that subjects have on objects
- ACM is an abstract model
  - Rights may vary depending on the object involved
- ACM is implemented primarily in two ways
  - Capabilities (rows)
  - Access control lists (columns)


Access Control Matrix (example)

Access matrix (o: own, r: read, w: write):

        f1       f2       f3       f4       f5       f6
  s1    -        o, r, w  o, r, w  -        w        -
  s2    o, r, w  r        -        -        o, r, w  -
  s3    -        r        r        o, r, w  r        o, r, w

Access control lists (one per object, i.e. per column):

  f1: (s2, {o, r, w})
  f2: (s1, {o, r, w}), (s2, {r}), (s3, {r})
  f3: (s1, {o, r, w}), (s3, {r})
  f4: (s3, {o, r, w})
  f5: (s2, {o, r, w}), (s3, {r}), (s1, {w})
  f6: (s3, {o, r, w})

Capabilities (one per subject, i.e. per row):

  s1: (f2, {o, r, w}), (f3, {o, r, w}), (f5, {w})
  s2: (f1, {o, r, w}), (f2, {r}), (f5, {o, r, w})
  s3: (f2, {r}), (f3, {r}), (f4, {o, r, w}), (f5, {r}), (f6, {o, r, w})


Access Control Matrix (more examples)

Hosts on a network (rows: hosts as subjects; columns: hosts as objects):

             Telegraph   Nob                    Toadflax
  Telegraph  own         ftp                    ftp
  Nob                    ftp, nfs, mail, own    ftp, nfs, mail
  Toadflax               ftp, mail              ftp, nfs, mail, own

- telegraph is a PC with an ftp client but no server, so no other host has rights on it
- nob provides NFS, but not to toadflax
- nob and toadflax can exchange mail

Procedures and a shared counter:

           Counter   Inc_ctr   Dcr_ctr   Manager
  Inc_ctr  +
  Dcr_ctr  -
  Manager            call      call      call


Boolean Expression Evaluation

- ACM controls access to database fields
  - Subjects have attributes (name, role, groups)
  - Verbs define the type of access / possible actions
  - Rules are associated with (object, verb) pairs
- Subject attempts to access an object
  - The rule for the (object, verb) pair is evaluated and grants or denies access
- Can be converted to an Access Control Matrix


Access Restriction Facility

Subjects and their attributes:

  Name    Role             Groups           Programs
  Matt    Programmer       sys, hack        compilers, editors
  Holly   Artist           user, creative   editors, paint, draw
  Heidi   Chef, gardener   acct, creative   editors, kitchen

Verbs and default rules (1 = allow, 0 = deny):

  Verb                       Default rule
  read                       1
  write, paint, temp_ctl     0

Objects and their rules:

  Name        Rules
  Recipes     write: 'creative' in subject.group
  Overpass    write: 'artist' in subject.role or 'gardener' in subject.role
  .shellrct   write: 'hack' in subject.group and time.hour < 4 and time.hour > 0
  Oven.dev    read: 0; temp_ctl: 'kitchen' in subject.programs and 'chef' in subject.role

Resulting access control matrix:

         Recipes       Overpass      .shellrct     Oven.dev
  Matt   read          read          read, write
  Holly  read, write   read, write   read
  Heidi  read, write   read, write   read          temp_ctl

Matt's write right on .shellrct exists only while the rule's time condition holds (hours 1 through 3), so the matrix shown is the one in effect during that window; at other times his entry is just read.


Access Controlled by History

- Statistical databases need to
  - answer queries on groups
  - prevent revelation of individual records
- Query-set-overlap control
  - Prevents an attacker from obtaining individual pieces of information using a set of queries C
  - A parameter r (here r = 2) is used to determine whether a query should be answered

  Name      Position    Age   Salary
  Celia     Teacher     45    40K
  Heidi     Aide        20    20K
  Holly     Principal   37    60K
  Leonard   Teacher     50    50K
  Matt      Teacher     33    50K


Access Controlled by History (continued)

- Query 1: sum_salary(position = teacher)
  - Answer: 140K (Celia, Leonard, Matt)
- Query 2: count(age < 40 & position = teacher)
  - Can be answered (answer: 1, Matt)
- Query 3: sum_salary(age > 40 & position = teacher)
  - Should not be answered, as Matt's salary can be deduced: 140K - (40K + 50K) = 50K
- Can be represented as an ACM: each query is a subject, each record an object, and the query set is the set of records the query reads

  Query 1 (position = teacher):
    Name      Position   Age   Salary
    Celia     Teacher    45    40K
    Leonard   Teacher    50    50K
    Matt      Teacher    33    50K

  Query 3 (age > 40 & position = teacher):
    Name      Position   Age   Salary
    Celia     Teacher    45    40K
    Leonard   Teacher    50    50K

  Query 2 (age < 40 & position = teacher):
    Name      Position   Age   Salary
    Matt      Teacher    33    50K


Solution: Query Set Overlap Control (Dobkin, Jones & Lipton '79)

- Query valid if intersection of query coverage and each