U of I CS 498 - Access Control Matrix and Safety Results
Slide #2-1: Access Control Matrix and Safety Results
CS498IA Information Assurance, Spring 2007
Susan Hinrichs
Based on slides provided by Matt Bishop for use with Computer Security: Art and Science
Plus HRU examples from Ravi Sandhu

Slide #2-2: Reading
• Chapter 2 – Access Control Matrix
• A little bit from Chapter 3 to talk about Safety

Slide #2-3: Outline
• Motivation
• Access Control Matrix Model
• Protection State Transitions
• HRU Model
  – Commands
  – Conditional Commands
• Basic Safety results

Slide #2-4: Definitions
• Protection state of system
  – Describes current settings, values of system relevant to protection
• Access control matrix
  – Describes protection state precisely
  – Matrix describing rights of subjects
  – State transitions change elements of matrix

Slide #2-5: Description
(figure: matrix with one row per subject s1 … sn and one column per entity, objects o1 … om followed by subjects s1 … sn)
• Subjects S = { s1, …, sn }
• Objects O = { o1, …, om }
• Rights R = { r1, …, rk }
• Entries A[si, oj] ⊆ R
• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj

Slide #2-6: Example 1
• Processes p, q
• Files f, g
• Rights r, w, x, a, o

        F      G      P      Q
  P     RWO    R      RWXO   W
  Q     A      RO            RWXO

Slide #2-7: Example 2
• Procedures inc_ctr, dec_ctr, manage
• Variable counter
• Rights +, –, call

            counter   inc_ctr   dec_ctr   manage
  inc_ctr   +
  dec_ctr   –
  manage              call      call      call

Slide #2-8: Boolean Expression Evaluation
• ACM controls access to database fields
  – Subjects have attributes
  – Verbs define type of access
  – Rules associated with object, verb pair
• Subject attempts to access object
  – Rule for object, verb evaluated, grants or denies access

Slide #2-9: Example
• Subject annie
  – Attributes role (artist), groups (creative)
• Verb paint
  – Default 0 (deny unless explicitly granted)
• Object picture
  – Rule:
    paint: ‘artist’ in subject.role and
           ‘creative’ in subject.groups and
           time.hour ≥ 0 and time.hour < 5

Slide #2-10: ACM at 3AM and 10AM
At 3AM, time condition met; ACM is:
            …   picture   …
  …
  annie         paint
  …
At 10AM, time condition not met; ACM is:
            …   picture   …
  …
  annie         (empty)
  …

Slide #2-11: History
Database:
  Name      Position    Age   Salary
  Alice     Teacher     45    $40,000
  Bob       Aid         20    $20,000
  Cathy     Principal   37    $60,000
  Dilbert   Teacher     50    $50,000
  Eve       Teacher     33    $50,000
Queries:
  1. sum(salary, “position=teacher”) = 140,000
  2. count(“age < 40 & position = teacher”) = 1
  3. sum(salary, “age >= 40 & position = teacher”) – should not answer this. Overlap = 2

Slide #2-12: State Transitions
• Change the protection state of system
• |– represents transition
  – Xi |–τ Xi+1: command τ moves system from state Xi to Xi+1
  – Xi |–* Xi+1: a sequence of commands moves system from state Xi to Xi+1
• Commands often called transformation procedures

Slide #2-13: Example Transitions (figure only)

Slide #2-14: Example Composite Transition (figure only)

Slide #2-15: HRU Model
• Harrison, Ruzzo, and Ullman proved key safety results in 1976
• Talked about systems
  – With initial protection state expressed in ACM
  – State transition commands built from a set of primitive operations
  – Applied conditionally

Slide #2-16: HRU Commands and Operations
• command α(X1, X2, …, Xk)
    if r1 in A[Xs1, Xo1] and r2 in A[Xs2, Xo2] and … rk in A[Xsk, Xok]
    then
      op1; op2; …; opn
    end
• 6 Primitive Operations
  – enter r into A[Xs, Xo]
  – delete r from A[Xs, Xo]
  – create subject Xs
  – create object Xo
  – destroy subject Xs
  – destroy object Xo

Slide #2-17: Create Subject
• Precondition: s ∉ S
• Primitive command: create subject s
• Postconditions:
  – S′ = S ∪ { s }, O′ = O ∪ { s }
  – (∀y ∈ O′)[a′[s, y] = ∅], (∀x ∈ S′)[a′[x, s] = ∅]
  – (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

Slide #2-18: Create Object
• Precondition: o ∉ O
• Primitive command: create object o
• Postconditions:
  – S′ = S, O′ = O ∪ { o }
  – (∀x ∈ S′)[a′[x, o] = ∅]
  – (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

Slide #2-19: Add Right
• Precondition: s ∈ S, o ∈ O
• Primitive command: enter r into a[s, o]
• Postconditions:
  – S′ = S, O′ = O
  – a′[s, o] = a[s, o] ∪ { r }
  – (∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
  – (∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]

Slide #2-20: Delete Right
• Precondition: s ∈ S, o ∈ O
• Primitive command: delete r from a[s, o]
• Postconditions:
  – S′ = S, O′ = O
  – a′[s, o] = a[s, o] – { r }
  – (∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
  – (∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]

Slide #2-21: Destroy Subject
• Precondition: s ∈ S
• Primitive command: destroy subject s
• Postconditions:
  – S′ = S – { s }, O′ = O – { s }
  – (∀y ∈ O′)[a′[s, y] = ∅], (∀x ∈ S′)[a′[x, s] = ∅]
  – (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]

Slide #2-22: Destroy Object
• Precondition: o ∈ O
• Primitive command: destroy object o
• Postconditions:
  – S′ = S, O′ = O – { o }
  – (∀x ∈ S′)[a′[x, o] = ∅]
  – (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]

Slide #2-23: Creating File
• Process p creates file f with r and w permission
  command create•file(p, f)
    create object f;
    enter own into A[p, f];
    enter r into A[p, f];
    enter w into A[p, f];
  end

Slide #2-24: Confer Right
• Example of a mono-conditional command
• Also, mono-operational command
  command confer_r(owner, friend, f)
    if own in A[owner, f] then
      enter r into A[friend, f]
  end

Slide #2-25: Remove Right
• Example using multiple conditions
  command remove_r(owner, exfriend, f)
    if own in A[owner, f] and r in A[exfriend, f] then
      delete r from A[exfriend, f]
  end

Slide #2-26: Copy Right
• Allows possessor to give rights to another
• Often attached to a right, so only applies to that right
  – r is read right that cannot be copied
  – rc is read right that can be copied
• Is copy flag copied when giving r rights?
  – Depends on model, instantiation of model

Slide #2-27: Attenuation of Privilege
• Principle says you can’t give rights you do not possess
  – Restricts addition of rights within a system
  – Usually ignored for owner
• Why? Owner gives herself rights, gives them to others, deletes her rights.

Slide #2-28: The Safety Problem
• Given
  – initial state
  – protection scheme (HRU commands)
• Can r appear in a cell that exists in the initial state and does not contain r in the initial state?
• More specific question might be: can r appear in a specific cell A[s, o]?
  – Safety with respect to r

Slide #2-29: Safety of a Specific Access Control System
• Is it decidable?
• Is it
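Added example, not from the slides or from Bishop's book: a small Python model of the access control matrix with the six HRU primitive operations of slides #2-17 to #2-22 (each assert is the slide's precondition), the confer_r and remove_r commands of slides #2-24 and #2-25, and a bounded breadth-first search that answers the safety question of slide #2-28 for such commands. The search is an assumption of this example: it applies only commands of the (subject, subject, object) shape to the names already in the matrix and never creates entities, so it explores a finite state space.

```python
from collections import deque
from copy import deepcopy
from itertools import product

class ACM:  # protection state: S, O and A[s, o] ⊆ R; the methods are the six HRU primitives
    def __init__(self):
        self.S, self.O, self.A = set(), set(), {}   # A maps (s, o) -> set of rights
    def rights(self, s, o):
        return self.A.get((s, o), set())
    def key(self):  # hashable snapshot of the state, used by the search below
        return frozenset((k, frozenset(v)) for k, v in self.A.items() if v)
    def create_subject(self, s):
        assert s not in self.S
        self.S.add(s); self.O.add(s)                 # S' = S ∪ {s}, O' = O ∪ {s}
    def create_object(self, o):
        assert o not in self.O
        self.O.add(o)                                # S' = S, O' = O ∪ {o}
    def enter(self, r, s, o):
        assert s in self.S and o in self.O
        self.A.setdefault((s, o), set()).add(r)      # a'[s, o] = a[s, o] ∪ {r}
    def delete(self, r, s, o):
        assert s in self.S and o in self.O
        self.rights(s, o).discard(r)                 # a'[s, o] = a[s, o] - {r}
    def destroy_subject(self, s):
        assert s in self.S
        self.S.discard(s); self.O.discard(s)         # drop row s and column s
        self.A = {k: v for k, v in self.A.items() if s not in k}
    def destroy_object(self, o):
        assert o in self.O
        self.O.discard(o)                            # drop column o only
        self.A = {k: v for k, v in self.A.items() if k[1] != o}
# Conditional commands from slides #2-24 and #2-25, each taking (subject, subject, object).
def confer_r(acm, owner, friend, f):   # mono-conditional and mono-operational
    if "own" in acm.rights(owner, f): acm.enter("r", friend, f)
def remove_r(acm, owner, exfriend, f):
    if "own" in acm.rights(owner, f) and "r" in acm.rights(exfriend, f):
        acm.delete("r", exfriend, f)

def can_leak(acm, r, s, o, commands, depth):
    # Bounded safety question: can r be in A[s, o] after at most `depth` command applications?
    seen, frontier = {acm.key()}, deque([(acm, 0)])
    while frontier:
        state, d = frontier.popleft()
        if r in state.rights(s, o): return True      # witness found: unsafe w.r.t. r
        if d == depth: continue
        for cmd, (x, y, f) in product(commands, product(state.S, state.S, state.O)):
            nxt = deepcopy(state); cmd(nxt, x, y, f)  # commands run on a copy of the state
            if nxt.key() not in seen:
                seen.add(nxt.key()); frontier.append((nxt, d + 1))
    return False
```

Because no command in the search creates subjects or objects, the depth bound only caps the length of a witness; the check is a finite reachability search over the given names, not a decision procedure for general HRU systems.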