U of I CS 498 - Access Control Matrix and Safety Results

This preview shows page 1-2-15-16-31-32 out of 32 pages.


Slide #2-1
Access Control Matrix and Safety Results
CS498SH Information Assurance, Fall 2006
Susan Hinrichs
Based on slides provided by Matt Bishop for use with Computer Security: Art and Science
Plus HRU examples from Ravi Sandhu

Slide #2-2 Reading
• Chapter 2 – Access Control Matrix
• A little bit from Chapter 3 to talk about Safety

Slide #2-3 Outline
• Motivation
• Access Control Matrix Model
• Protection State Transitions
• HRU Model
  – Commands
  – Conditional Commands
• Basic Safety results

Slide #2-4 Motivation
• Access Control Matrix (ACM) and related concepts provide a very basic abstraction
  – Map different systems to a common form for comparison
  – Enables standard proof techniques
  – Not directly used in implementation
• Basis for key safety decidability results

Slide #2-5 Definitions
• Protection state of system
  – Describes current settings, values of system relevant to protection
• Access control matrix
  – Describes protection state precisely
  – Matrix describing rights of subjects
  – State transitions change elements of matrix

Slide #2-6 Description
Figure: matrix with subjects s1 … sn as rows and objects (entities) o1 … om s1 … sn as columns
• Subjects S = { s1, …, sn }
• Objects O = { o1, …, om }
• Rights R = { r1, …, rk }
• Entries A[si, oj]  R
• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj

Slide #2-7 Example 1
• Processes p, q
• Files f, g
• Rights r, w, x, a, o

        f     g     p      q
   p    rwo   r     rwxo   w
   q    a     ro    r      rwxo

Slide #2-8 Example 2
• Procedures inc_ctr, dec_ctr, manage
• Variable counter
• Rights +, –, call

            counter   inc_ctr   dec_ctr   manage
   inc_ctr  +
   dec_ctr  –
   manage             call      call      call

Slide #2-9 Boolean Expression Evaluation
• ACM controls access to database fields
  – Subjects have attributes
  – Verbs define type of access
  – Rules associated with each object, verb pair
• Subject attempts to access object
  – Rule for that object, verb pair is evaluated and grants or denies access

Slide #2-10 Example
• Subject annie
  – Attributes role (artist), groups (creative)
• Verb paint
  – Default 0 (deny unless explicitly granted)
• Object picture
  – Rule: paint: ‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour ≥ 0 and time.hour < 5

Slide #2-11 ACM at 3AM and 10AM
At 3AM, time condition met; ACM is:

            …   picture   …
   …
   annie        paint
   …

At 10AM, time condition not met; ACM is:

            …   picture   …
   …
   annie
   …

Slide #2-12 History
Database:
   name      position    age   salary
   Alice     teacher     45    $40,000
   Bob       aide        20    $20,000
   Cathy     principal   37    $60,000
   Dilbert   teacher     50    $50,000
   Eve       teacher     33    $50,000
Queries:
1. sum(salary, “position = teacher”) = 140,000
2. sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Eve’s salary)

Slide #2-13 State Transitions
• Change the protection state of system
• |– represents transition
  – Xi |–  Xi+1: command  moves system from state Xi to Xi+1
  – Xi |– * Xi+1: a sequence of commands moves system from state Xi to Xi+1
• Commands often called transformation procedures

Slide #2-14 Example Transitions

Slide #2-15 Example Composite Transition

Slide #2-16 HRU Model
• Harrison, Ruzzo, and Ullman proved key safety results in 1976
• Talked about systems
  – With initial protection state expressed in ACM
  – State transition commands built from a set of primitive operations
  – Applied conditionally.

Slide #2-17 HRU Commands and Operations
• command α(X1, X2, . . ., Xk)
    if r1 in A[Xs1, Xo1] and r2 in A[Xs2, Xo2] and ... rk in A[Xsk, Xok]
    then
      op1; op2; … opn
    end
• 6 Primitive Operations
  – enter r into A[Xs, Xo]
  – delete r from A[Xs, Xo]
  – create subject Xs
  – create object Xo
  – destroy subject Xs
  – destroy object Xo

Slide #2-18 Create Subject
• Precondition: s  S
• Primitive command: create subject s
• Postconditions:
  – S = S  { s }, O = O  { s }
  – (y  O)[a[s, y] = ], (x  S)[a[x, s] = ]
  – (x  S)(y  O)[a[x, y] = a[x, y]]

Slide #2-19 Create Object
• Precondition: o  O
• Primitive command: create object o
• Postconditions:
  – S = S, O = O  { o }
  – (x  S)[a[x, o] = ]
  – (x  S)(y  O)[a[x, y] = a[x, y]]

Slide #2-20 Add Right
• Precondition: s  S, o  O
• Primitive command: enter r into a[s, o]
• Postconditions:
  – S = S, O = O
  – a[s, o] = a[s, o]  { r }
  – (x  S)(y  O – { o }) [a[x, y] = a[x, y]]
  – (x  S – { s })(y  O) [a[x, y] = a[x, y]]

Slide #2-21 Delete Right
• Precondition: s  S, o  O
• Primitive command: delete r from a[s, o]
• Postconditions:
  – S = S, O = O
  – a[s, o] = a[s, o] – { r }
  – (x  S)(y  O – { o }) [a[x, y] = a[x, y]]
  – (x  S – { s })(y  O) [a[x, y] = a[x, y]]

Slide #2-22 Destroy Subject
• Precondition: s  S
• Primitive command: destroy subject s
• Postconditions:
  – S = S – { s }, O = O – { s }
  – (y  O)[a[s, y] = ], (x  S)[a´[x, s] = ]
  – (x  S)(y  O) [a[x, y] = a[x, y]]

Slide #2-23 Destroy Object
• Precondition: o  O
• Primitive command: destroy object o
• Postconditions:
  – S = S, O = O – { o }
  – (x  S)[a[x, o] = ]
  – (x  S)(y  O) [a[x, y] = a[x, y]]

Slide #2-24 Creating File
• Process p creates file f with r and w permission
    command create•file(p, f)
      create object f;
      enter own into A[p, f];
      enter r into A[p, f];
      enter w into A[p, f];
    end

Slide #2-25 Confer Right
• Example of a mono-conditional command
• Also, mono-operational command
    command confer_r(owner, friend, f)
      if own in A[owner, f]
      then enter r into A[friend, f]
    end

Slide #2-26 Remove Right
• Example using multiple conditions
    command remove_r(owner, exfriend, f)
      if own in A[owner, f] and r in A[exfriend, f]
      then delete r from A[exfriend, f]
    end

Slide #2-27 Copy Right
• Allows possessor to give rights to another
• Often attached to a right, so only applies to that right
  – r is read right that cannot be copied
  – rc is read right that can be copied
• Is copy flag copied when giving r rights?
  – Depends on model, instantiation of model

Slide #2-28 Attenuation of Privilege
• Principle says you can’t give rights you do not possess
  – Restricts addition of rights within a system
  – Usually ignored for owner
• Why? Owner gives
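The rule-evaluation view of slides 2-9 to 2-11, where the entry A[annie, picture] holds paint only while the rule attached to the (picture, paint) pair is true, as an added example that is not code from the slides. The rule text is the slide's; the attribute layout, the second subject bob (who fails the role test), and the function names paint_rule, evaluate_acm and snapshot_at are my own choices. The hour is passed in as context rather than read from the clock so that both the 3AM and the 10AM matrices can be produced on demand; any (object, verb) pair without a rule stays denied, which is the slide's "default 0".

```python
def paint_rule(subject, ctx):
    """Rule for the (picture, paint) pair, as written on slide 2-10:
    'artist' in subject.role and 'creative' in subject.groups and
    0 <= time.hour < 5. Anything not explicitly granted is denied."""
    return ("artist" in subject["role"]
            and "creative" in subject["groups"]
            and 0 <= ctx["hour"] < 5)


# (object, verb) -> rule; pairs with no rule are denied by default
RULES = {("picture", "paint"): paint_rule}

# constructed subjects: annie from the slide, bob added as a non-artist
SUBJECTS = {
    "annie": {"role": {"artist"}, "groups": {"creative"}},
    "bob": {"role": {"critic"}, "groups": {"creative"}},
}


def evaluate_acm(subjects, rules, ctx):
    """Snapshot of the ACM for context ctx: A[s, o] holds every verb whose
    rule for (o, verb) grants s right now. Returned sparsely, so an entry
    that would be empty is simply absent."""
    acm = {}
    for s, attrs in subjects.items():
        for (o, verb), rule in rules.items():
            if rule(attrs, ctx):
                acm.setdefault((s, o), set()).add(verb)
    return acm


def snapshot_at(hour):
    """The matrix of slide 2-11 at a given hour of the day."""
    return evaluate_acm(SUBJECTS, RULES, {"hour": hour})


if __name__ == "__main__":
    print("3AM:", snapshot_at(3))     # annie may paint
    print("10AM:", snapshot_at(10))   # empty: time condition fails
```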
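The six HRU primitive operations (slides 2-17 to 2-23) and the three commands create•file, confer_r and remove_r (slides 2-24 to 2-26), worked as runnable code. This is an added example, not code from the slides, from Bishop's book or from the HRU paper; the class name ACM, the exception HRUError, the helper run_command, and the subjects alice, bob and carol in the demo are my own choices. Each primitive checks its precondition and, when it holds, changes only what the corresponding slide lists: a new subject gets an empty row and column, a destroyed subject loses both, and enter and delete touch only a[s, o]. A conditional command evaluates every one of its conditions against the current matrix before any operation runs, so a failed condition leaves the protection state untouched.

```python
from dataclasses import dataclass, field


class HRUError(Exception):
    """A primitive's precondition does not hold; the state is left unchanged."""


@dataclass
class ACM:
    """Protection state: subjects S, objects O (every subject is also an object)
    and the matrix A, stored sparsely as (s, o) -> set of rights."""
    subjects: set = field(default_factory=set)
    objects: set = field(default_factory=set)
    cells: dict = field(default_factory=dict)

    def rights(self, s, o):
        return self.cells.get((s, o), set())          # absent entry = empty set

    # --- the six primitive operations, each guarded by its precondition ---
    def create_subject(self, s):
        if s in self.subjects:                       # requires s not in S
            raise HRUError(f"subject {s!r} already exists")
        self.subjects.add(s)
        self.objects.add(s)                          # new row and column are empty

    def create_object(self, o):
        if o in self.objects:                        # requires o not in O
            raise HRUError(f"object {o!r} already exists")
        self.objects.add(o)                          # new column is empty

    def enter(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise HRUError(f"A[{s!r}, {o!r}] does not exist")
        self.cells.setdefault((s, o), set()).add(r)  # only a[s, o] changes

    def delete(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise HRUError(f"A[{s!r}, {o!r}] does not exist")
        self.cells.setdefault((s, o), set()).discard(r)

    def destroy_subject(self, s):
        if s not in self.subjects:                   # requires s in S
            raise HRUError(f"no subject {s!r}")
        self.subjects.discard(s)
        self.objects.discard(s)                      # row and column disappear
        self.cells = {k: v for k, v in self.cells.items() if s not in k}

    def destroy_object(self, o):
        if o not in self.objects:                    # requires o in O
            raise HRUError(f"no object {o!r}")
        self.objects.discard(o)                      # column disappears
        self.cells = {k: v for k, v in self.cells.items() if k[1] != o}


def run_command(acm, conditions, operations):
    """HRU conditional command: all conditions (right, s, o) are tested against
    the current matrix before any operation runs; returns whether it fired."""
    if not all(r in acm.rights(s, o) for r, s, o in conditions):
        return False
    for op, *args in operations:
        getattr(acm, op)(*args)
    return True


def create_file(acm, p, f):
    """Slide 2-24: process p creates file f and holds own, r, w on it."""
    return run_command(acm, [], [("create_object", f), ("enter", "own", p, f),
                                 ("enter", "r", p, f), ("enter", "w", p, f)])


def confer_r(acm, owner, friend, f):
    """Slide 2-25: one condition, one operation."""
    return run_command(acm, [("own", owner, f)], [("enter", "r", friend, f)])


def remove_r(acm, owner, exfriend, f):
    """Slide 2-26: both conditions must hold."""
    return run_command(acm, [("own", owner, f), ("r", exfriend, f)],
                       [("delete", "r", exfriend, f)])


def example_1():
    """Slide 2-7: the matrix for processes p, q and files f, g."""
    acm = ACM()
    for s in ("p", "q"):
        acm.create_subject(s)
    for o in ("f", "g"):
        acm.create_object(o)
    table = {("p", "f"): "rwo", ("p", "g"): "r", ("p", "p"): "rwxo", ("p", "q"): "w",
             ("q", "f"): "a", ("q", "g"): "ro", ("q", "p"): "r", ("q", "q"): "rwxo"}
    for (s, o), rs in table.items():
        for r in rs:
            acm.enter(r, s, o)
    return acm


def demo():
    """Constructed scenario: alice creates a file, confers read on bob, bob
    (not the owner) cannot pass it on, then alice revokes bob's read."""
    acm = ACM()
    for s in ("alice", "bob", "carol"):
        acm.create_subject(s)
    create_file(acm, "alice", "notes")
    granted = confer_r(acm, "alice", "bob", "notes")    # own in A[alice, notes]
    refused = confer_r(acm, "bob", "carol", "notes")    # bob lacks own: no effect
    revoked = remove_r(acm, "alice", "bob", "notes")    # both conditions hold
    return granted, refused, revoked, acm.rights("bob", "notes")
```

A command only ever reads and writes the matrix through the six primitives, which is what makes the HRU model a useful basis for the safety results the outline promises: the question "can right r ever leak into A[s, o]?" is a question about which sequences of these commands are reachable from the initial state.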

