IS 2150 / TEL 2810IS 2150 / TEL 2810Introduction to SecurityJames JoshiAssociate ProfessorSISAssociate Professor, SISLecture 3 September 15, 2009Access Control ModelFoundational Results1Foundational ResultsProtection System State of a system Current values of memory locations registers secondary storage etcmemory locations, registers, secondary storage, etc. other system components Protection state (P)A system state that is considered secureA system state that is considered secure A protection system Captures the conditions for state transition Consists of two parts: A set of generic rights A set of commands2Protection System Subject (S: set of all subjects) Eg.: users, processes, agents, etc. Object (O: set of all objects) Eg.:Processes, files, devicesRi ht (Rtflliht)Right (R: set of all rights) An action/operation that a subject is allowed/disallowed on objectsallowed/disallowed on objects Access Matrix A: a[s, o] ⊆R Set of Protection States: (S, O, A)3 Initial state X0= (S0, O0, A0)State Transitionsτi+1XiXi+1Xi├τi+1Xi+1: upon transition τi+1, the system moves from state Xito Xi+1X├*Y: the system moves from*X ├ Y: the system moves from state X to Y after a set of transitionsX Yci+1(pi+1,1, pi+1,2, …, pi+1,m)Xi├ ci+1(pi+1,1, pi+1,2, …, pi+1,m) Xi+1: state transition upon a command4XiXi+1pFor every command there is a sequence of state transition operationsPrimitive commands (HRU)Create subject sCreates new row, column in ACM; s does not exist prior to thisCreate object oCreates new column in ACMo does not exist prior to thisAddsrright for subjectsover objectoEnter r into a[s, o]Adds rright for subject sover object oIneffective if r is already thereDeleterfroma[s,o]Removesrright from subjectsover objectoDeleterfroma[s, o]Removes r right from subject sover object oDestroy subject sDeletes row, column from ACM;5Destroy object oDeletes column from ACMPrimitive commands (HRU)Create subject sCreates new row, column in ACM; s does not exist prior to thisPrecondition: Precondition: ss∉∉SSPostconditionsPostconditions::S´S{}O´O{}Precondition: Precondition: ss∉∉SSPostconditionsPostconditions::S´S{}O´O{}S´= S∪{ s}, O´= O∪{ s}(∀y∈O´)[a´[s, y] = ∅] (row entries for s)S´= S∪{ s}, O´= O∪{ s}(∀y∈O´)[a´[s, y] = ∅] (row entries for s)(y)[[,y]]( )(∀x∈S´)[a´[x, s] = ∅] (column entries for s)(∀x∈S)(∀y∈O)[a´[x, y] = a[x, y]](y)[[,y]]( )(∀x∈S´)[a´[x, s] = ∅] (column entries for s)(∀x∈S)(∀y∈O)[a´[x, y] = a[x, y]]6Primitive commands (HRU)Enter r into a[s, o]Adds r right for subject s over object oIneffective if r is already therePrecondition: Precondition: ss∈∈SS, , oo∈∈OOPostconditionsPostconditions::Precondition: Precondition: ss∈∈SS, , oo∈∈OOPostconditionsPostconditions::S´= S, O´= Oa´[s,o]=a[s,o]∪{r}S´= S, O´= Oa´[s,o]=a[s,o]∪{r}a[s, o] a[s, o] ∪{ r}(∀x∈S´)(∀y∈O´) [(x, y)≠(s, o) →a´[x, y] = a[x, y]]a[s, o] a[s, o] ∪{ r}(∀x∈S´)(∀y∈O´) [(x, y)≠(s, o) →a´[x, y] = a[x, y]]7System commands [Unix] process pcreates file fwith owner readand write(r, w) will be ()represented by the following:Command create_file(p, f)Create object fEnter owninto a[p,f]Enterinto[f]Enter rinto a[p,f]Enter winto a[p,f]End8EndSystem commands Process p creates a new process qCommand spawn_process(p, q)Create subject q;Enter owninto a[p,q]Etit[]Enter rinto a[p,q]Enter winto a[p,q]Enterrintoa[qp]P t d hildP t d hildEnter rinto a[q,p]Enter winto a[q,p]EndParent and child cansignal each otherParent and child cansignal each other9System commands Defined commands can be used to update ACMCommand make_owner(p, f)Enter owninto a[p,f]EdEnd Mono-operational: the command invokes only one primitivethe command invokes only one primitive10Conditional Commands Mono-operational + mono-conditionalconditionalCommand grant_read_file(p, f, q)If ownin a[p,f]Then Enter rinto a[q,f]End11Conditional Commands Mono-operational + biconditionalCommandgrant read file(pfq)Command grant_read_file(p, f, q)If rin a[p,f] andcin a[p,f]Then Enterrintoa[qf]Enter rinto a[q,f]End Why not “OR”??y12Fundamental questions How can we determine that a system is secure?secure? Need to define what we mean by a system being “secure”g Is there a generic algorithm that allows us to determine whether a computerus to determine whether a computer system is secure?13What is a secure system? A simple definition A secure system doesn’t allow violations of a security policypolicy Alternative view: based on distribution of rights Leakage of rights: (unsafe with respect to right r)Leakage of rights: (unsafe with respect to right r) Assume that A representing a secure state does not contain a right rin an element of A. A right r is said to be leaked, if a sequence of operations/commands adds rto an element of A, which did not contain r14What is a secure system? Safety of a system with initial protection state Xoo Safe with respect to r: System is safe with respect to rif rcan never be leaked Else it is called unsafe with respect to right
View Full Document