INFSCI 2935: Introduction to Computer Security
September 9, 2004

Introduction to Computer Security
Access Control Matrix
Take-grant model

Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop

Outline of the deck: Protection System; Access Control Matrix Model; Access Control Matrix; Boolean Expression Evaluation; Example; ACM at 3AM and 10AM; Access Controlled by History; Solution: Query Set Overlap Control (Dobkin, Jones & Lipton '79); State Transitions; Primitive commands (HRU): Create Subject, Create Object, Add Right, Delete Right, Destroy Subject, Destroy Object; System commands using primitive operations; Conditional Commands; Attenuation of privilege; Fundamental questions; What is a secure system?; Safety Problem: formally; Decidability Results (Harrison, Ruzzo, Ullman); What is the implication?; Take-Grant Protection Model; Take-Grant Protection Model: Sharing; Any two subjects with tg-path of length 1 can share rights; Other definitions; Bridge; Theorem: Can_share(α,x,y,G0) (for subjects); What about objects? Initial, terminal spans; Theorem: Can_share(α,x,y,G0).

Slide 2: Protection System

- State of a system: the current values of memory locations, registers, secondary storage, etc., and of the other system components.
- Protection state (P): a system state that is considered secure.
- A protection system describes the conditions under which a system is secure (i.e., in a protection state). It consists of two parts: a set of generic rights and a set of commands.
- State transition: occurs when an operation (command) is carried out.

Slide 3: Protection System

- Subject (S: the set of all subjects): active entities that carry out an action/operation on other entities; e.g., users, processes, agents.
- Object (O: the set of all objects): e.g., processes, files, devices.
- Right: an action/operation that a subject is allowed/disallowed to perform on objects.

Slide 4: Access Control Matrix Model

- The access control matrix (ACM) describes the protection state of a system. It characterizes the rights of each subject: each element A[s, o] holds the set of rights that subject s has on object o.
- The ACM is an abstract model; the meaning of a right may vary depending on the object involved.
- The ACM is implemented primarily in two ways: capabilities (a row of the matrix, stored with the subject) and access control lists (a column of the matrix, stored with the object).

Slide 5: Access Control Matrix

Example matrix (o: own, r: read, w: write), with the same protection state shown as access control lists and as capabilities:

Access matrix:

          f1       f2       f3       f4       f5       f6
    s1    o, r, w  o, r, w  -        -        w        -
    s2    -        r        o, r, w  -        o, r, w  -
    s3    -        r        r        o, r, w  r        o, r, w

Access control lists (one per object, i.e. the columns):

    f1: (s1, o r w)
    f2: (s1, o r w) (s2, r) (s3, r)
    f3: (s2, o r w) (s3, r)
    f4: (s3, o r w)
    f5: (s1, w) (s2, o r w) (s3, r)
    f6: (s3, o r w)

Capabilities (one per subject, i.e. the rows):

    s1: (f1, o r w) (f2, o r w) (f5, w)
    s2: (f2, r) (f3, o r w) (f5, o r w)
    s3: (f2, r) (f3, r) (f4, o r w) (f5, r) (f6, o r w)

Slide 6: Access Control Matrix

Subjects and objects need not be users and files. Hosts as both subjects and objects:

    Hostnames   Telegraph   Nob                   Toadflax
    Telegraph   own         ftp                   ftp
    Nob                     ftp, nfs, mail, own   ftp, nfs, mail
    Toadflax                ftp, mail             ftp, nfs, mail, own

- telegraph is a PC with an ftp client but no server, so no host has ftp rights on telegraph.
- nob provides NFS, but not to toadflax.
- nob and toadflax can exchange mail.

Procedures as subjects and objects:

                Counter   Inc_ctr   Dcr_ctr   Manager
    Inc_ctr     +
    Dcr_ctr     -
    Manager               call      call      call

Slide 7: Boolean Expression Evaluation

- The ACM controls access to database fields.
- Subjects have attributes; verbs define the type of access; a rule is associated with each (object, verb) pair.
- When a subject attempts to access an object, the rule for that (object, verb) pair is evaluated and grants or denies access. The entries of the ACM are therefore computed from the rules at the time of the access rather than stored.

Slide 8: Example

- Subject annie: attributes role (artist), groups (creative).
- Verb paint: default 0 (deny unless explicitly granted).
- Object picture. Rule:

    paint: 'artist' in subject.role and
           'creative' in subject.groups and
           time.hour >= 0 and time.hour < 5

Slide 9: ACM at 3AM and 10AM

At 3AM the time condition is met, so the ACM contains A[annie, picture] = {paint}. At 10AM the time condition is not met, so A[annie, picture] is empty.

Slide 10: Access Controlled by History

- Statistical databases need to answer queries on groups while preventing the revelation of individual records.
- Query-set-overlap control: prevent an attacker from obtaining an individual piece of information by combining a set of queries. A parameter r (here r = 2) determines whether a query should be answered.

    Name      Position    Age   Salary
    Alice     Teacher     45    40K
    Bob       Aide        20    20K
    Cathy     Principal   37    60K
    Dilbert   Teacher     50    50K
    Eve       Teacher     33    50K

Slide 11: Access Controlled by History

- Query 1: sum_salary(position = teacher). Answer: 140K. Records covered:

    Name      Position   Age   Salary
    Celia     Teacher    45    40K
    Leonard   Teacher    50    50K
    Matt      Teacher    33    50K

- Query 2: sum_salary(age > 40 & position = teacher). Records covered:

    Name      Position   Age   Salary
    Celia     Teacher    45    40K
    Leonard   Teacher    50    50K

  This query should not be answered: its answer would be 90K, and 140K - 90K = 50K is Matt's salary, which can thus be deduced from the two group answers.
- This control can be represented as an ACM.

Slide 12: Solution: Query Set Overlap Control (Dobkin, Jones & Lipton '79)

- A query is valid if the intersection of its query coverage with the coverage of each previous query is smaller than r.
- This can be represented as an access control matrix:
  - Subjects: the entities issuing queries.
  - Objects: the powerset of the records (a query's coverage is one such set).
  - O_s(i): the set of records referenced by subject s in query i (for queries 1..i).
  - For the i-th query of s, with coverage o = O_s(i):

    $A[s, o] = \text{read} \iff \forall q\ (1 \le q < i):\ |o \cap O_s(q)| < r$

Slide 13: Query 1

O_1 = {Celia, Leonard, Matt}, and there is no previous query, so the query can be answered. Hence
A[asker, Celia] = {read}
A[asker, Leonard] = {read}
A[asker,
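The matrix on slide 5 and the rule-evaluated entries of slides 7-9, worked through in Python as an added example (this is not code from the course or from Bishop's text). The static matrix is transcribed from slide 5; `capabilities` and `acl` are the row and column projections the slides describe, `from_acls` rebuilds the matrix from the column view to show that both representations carry the same protection state, and `effective_rights` computes A[annie, picture] from the `paint` rule at a given clock time, with default deny. The attribute layout of `SUBJECTS` and the `RULES` keying are assumptions made for the example.

```python
"""Access control matrix: static rights, ACL/capability views, and
rule-evaluated entries (added example for slides 4-5 and 7-9)."""
from datetime import datetime

# Static ACM from slide 5: o = own, r = read, w = write.
# Only non-empty entries are stored; A[s, o] is empty otherwise.
OBJECTS = ["f1", "f2", "f3", "f4", "f5", "f6"]
ACM = {
    "s1": {"f1": {"o", "r", "w"}, "f2": {"o", "r", "w"}, "f5": {"w"}},
    "s2": {"f2": {"r"}, "f3": {"o", "r", "w"}, "f5": {"o", "r", "w"}},
    "s3": {"f2": {"r"}, "f3": {"r"}, "f4": {"o", "r", "w"},
           "f5": {"r"}, "f6": {"o", "r", "w"}},
}


def capabilities(acm, subject):
    """Row of the matrix: the rights `subject` holds on each object."""
    return {obj: frozenset(rights)
            for obj, rights in acm.get(subject, {}).items() if rights}


def acl(acm, obj):
    """Column of the matrix: the subjects holding rights on `obj`."""
    return {s: frozenset(row[obj]) for s, row in acm.items() if row.get(obj)}


def from_acls(acls):
    """Rebuild the matrix from per-object ACLs (the column view)."""
    acm = {}
    for obj, entries in acls.items():
        for s, rights in entries.items():
            acm.setdefault(s, {})[obj] = set(rights)
    return acm


def allowed(acm, subject, right, obj):
    """Reference-monitor check against the static matrix."""
    return right in acm.get(subject, {}).get(obj, set())


# Rule-evaluated entries (slides 7-9). Subject attributes and the rule
# table are assumptions for this example; the rule itself is slide 8's.
SUBJECTS = {"annie": {"role": {"artist"}, "groups": {"creative"}},
            "bob": {"role": {"artist"}, "groups": {"finance"}}}


def paint_rule(attrs, now):
    """Slide 8: artist, in group creative, between midnight and 5AM."""
    return ("artist" in attrs["role"]
            and "creative" in attrs["groups"]
            and 0 <= now.hour < 5)


RULES = {("picture", "paint"): paint_rule}   # (object, verb) -> rule


def effective_rights(subject, obj, now):
    """A[subject, obj] at time `now`: verbs whose rule evaluates true.
    Unknown subjects and (object, verb) pairs without a rule are denied."""
    attrs = SUBJECTS.get(subject)
    if attrs is None:
        return frozenset()
    return frozenset(verb for (o, verb), rule in RULES.items()
                     if o == obj and rule(attrs, now))


def check(subject, verb, obj, now):
    return verb in effective_rights(subject, obj, now)


if __name__ == "__main__":
    print(capabilities(ACM, "s3"))
    print(acl(ACM, "f5"))
    print(effective_rights("annie", "picture", datetime(2004, 9, 9, 3, 0)))
    print(effective_rights("annie", "picture", datetime(2004, 9, 9, 10, 0)))
```

The point of `from_acls` is the one slide 4 makes: ACLs and capabilities are two storage layouts of the same matrix, so any right visible in one view must be visible in the other, and a check like `allowed` must give the same answer whichever layout the system actually keeps. The rule-based part shows why slide 9 draws two different matrices: with rule-evaluated entries the matrix is a function of the clock and of subject attributes, so a cached decision from 3AM is not valid at 10AM.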
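Query-set-overlap control from slides 10-13, implemented as an added example (not the course's or Bishop's code). The records are the three teachers as named on slides 11-13 (Celia, Leonard, Matt) plus the Aide and Principal rows of slide 10; `permitted` is the slide 12 rule, checking the new query's coverage against every earlier query of the same subject with the parameter r. `single_asker` reproduces the two queries of slide 11, and `colluding_askers` shows the limitation a practitioner should know: the history is kept per subject, so two subjects who share their answers obtain exactly the deduction the control was meant to block. The `OverlapControl` class, the predicate helpers and the subject names are assumptions made for the example.

```python
"""Query-set-overlap control (Dobkin, Jones & Lipton 1979) over the
statistical database of slides 10-13; added example."""

# Constructed records: teachers as named on slides 11-13, plus two
# non-teachers from slide 10.
RECORDS = [
    {"name": "Celia",   "position": "Teacher",   "age": 45, "salary": 40_000},
    {"name": "Leonard", "position": "Teacher",   "age": 50, "salary": 50_000},
    {"name": "Matt",    "position": "Teacher",   "age": 33, "salary": 50_000},
    {"name": "Bob",     "position": "Aide",      "age": 20, "salary": 20_000},
    {"name": "Cathy",   "position": "Principal", "age": 37, "salary": 60_000},
]


class OverlapControl:
    """Answers aggregate queries subject to the slide 12 rule."""

    def __init__(self, records, r=2):
        self.records = list(records)
        self.r = r
        # subject -> [O_s(1), O_s(2), ...], each a frozenset of record names
        self.history = {}

    def query_set(self, predicate):
        """Coverage of a query: the records it would aggregate over."""
        return frozenset(rec["name"] for rec in self.records if predicate(rec))

    def permitted(self, subject, qset):
        """A[s, o] = read iff |o ∩ O_s(q)| < r for every earlier query q."""
        return all(len(qset & prev) < self.r
                   for prev in self.history.get(subject, []))

    def sum_salary(self, subject, predicate):
        """Return the sum, or None if the query is refused.
        Refused queries are not recorded, so they cannot be used to
        poison the subject's own history."""
        qset = self.query_set(predicate)
        if not self.permitted(subject, qset):
            return None
        self.history.setdefault(subject, []).append(qset)
        return sum(rec["salary"] for rec in self.records if rec["name"] in qset)


def is_teacher(rec):
    return rec["position"] == "Teacher"


def older_teacher(rec):
    return is_teacher(rec) and rec["age"] > 40


def single_asker(r=2):
    """Slide 11: query 1 then query 2 from the same subject."""
    ctl = OverlapControl(RECORDS, r)
    return (ctl.sum_salary("asker", is_teacher),
            ctl.sum_salary("asker", older_teacher))


def colluding_askers(r=2):
    """Same two queries split across two subjects that pool answers."""
    ctl = OverlapControl(RECORDS, r)
    q1 = ctl.sum_salary("asker", is_teacher)
    q2 = ctl.sum_salary("accomplice", older_teacher)
    leaked = q1 - q2 if q1 is not None and q2 is not None else None
    return q1, q2, leaked


if __name__ == "__main__":
    print(single_asker())       # (140000, None): query 2 refused
    print(single_asker(r=3))    # (140000, 90000): r too large, Matt leaks
    print(colluding_askers())   # (140000, 90000, 50000): Matt's salary
```

With r = 2 the second query overlaps the first in two records, which is not less than r, so it is refused, as on slide 11. Raising r to 3 lets the same pair through and the difference of the two sums is Matt's salary, so r bounds the size of the overlap an attacker can exploit rather than preventing inference in general. The collusion case is the reason history-based controls are only as strong as the identity binding of the "subject": if an attacker can issue queries under two identities, the per-subject matrix never sees the overlap.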