Access Control Matrix Chapter 2 Version 1.0 Computer Security: Art
29 Slides236.21 KB
Access Control Matrix Chapter 2 Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-1
Overview Access Control Matrix Model Boolean Expression Evaluation History Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-2
Description objects (entities) subjects o1 om s1 sn Version 1.0 Subjects S { s1, , sn } s1 s2 Objects O { o1, , om } Entries A[si, oj] R sn A[si, oj] { rx, , ry } means subject si has rights rx, , ry over object oj Rights R { r1, , rk } Computer Security: Art and Science, 2 nd Edition Slide 2-3
Example 1 Processes p, q Files f, g Rights r, w, x, a, o f g p rwo r q a ro Version 1.0 p q rwxo w r rwxo Computer Security: Art and Science, 2 nd Edition Slide 2-4
Example 2 Host names telegraph, nob, toadflax Rights own, ftp, nfs, mail telegraph nob toadflax telegraph own ftp ftp nob ftp, mail, nfs, own ftp, nfs, mail toadflax ftp, mail ftp, mail, nfs, own Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-5
Example 3 Procedures inc ctr, dec ctr, manage Variable counter Rights , –, call counter inc ctr dec ctr manage inc ctr dec ctr – manager call call call Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-6
Boolean Expression Evaluation ACM controls access to database fields Subjects have attributes Verbs define type of access Rules associated with objects, verb pair Subject attempts to access object Rule for object, verb evaluated, grants or denies access Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-7
Example Subject annie Attributes role (artist), group (creative) Verb paint Default 0 (deny unless explicitly granted) Object picture Rule: paint: ‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour 0 and time.hour 4 Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-8
ACM at 3AM and 10AM At 3AM, time condition met ACM is: At 10AM, time condition not met ACM is: Version 1.0 paint picture annie annie picture Computer Security: Art and Science, 2 nd Edition Slide 2-9
History Problem: what a process has accessed may affect what it can access now Example: procedure in a web applet can access other procedures depending on what procedures it has already accessed S set of static rights associated with procedure C set of current rights associated with each executing process When process calls procedure, rights are S C Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-10
Example Program // This routine has no filesystem access rights // beyond those in a limited, temporary area procedure helper proc() return sys kernel file // But this has the right to delete files program main() sys load file(helper proc) tmp file helper proc() sys delete file(tmp file) Version 1.0 Computer Security: Art and Science, 2 nd Edition sys kernel file contains system kernel tmp file is in limited area that helper proc() can access Slide 2-11
Before helper proc Called Static rights of program sys kernel file tmp file main delete delete helper proc delete When program starts, current rights: sys kernel file tmp file main delete delete helper proc delete process delete delete Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-12
After helper proc Called Process rights are intersection of static, previous “current” rights: sys kernel file tmp file main delete delete helper proc delete process delete Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-13
State Transitions Change the protection state of system – represents transition Xi – Xi 1: command moves system from state Xi to Xi 1 Xi –* Y: a sequence of commands moves system from state Xi to Y Commands often called transformation procedures Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-14
Primitive Operations create subject s; create object o Creates new row, column in ACM; creates new column in ACM destroy subject s; destroy object o Deletes row, column from ACM; deletes column from ACM enter r into A[s, o] Adds r rights for subject s over object o delete r from A[s, o] Removes r rights from subject s over object o Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-15
Create Subject Precondition: s S Primitive command: create subject s Postconditions: S S { s }, O O {s} ( y O ) [A [s, y] ], ( x S ) [A [x, s] ] ( x S)( y O) [A [x, y] A[x, y]] Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-16
Create Object Precondition: o O Primitive command: create object o Postconditions: S S, O O {o} ( x S ) [A [x, o] ] ( x S)( y O) [A [x, y] A[x, y]] Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-17
Add Right Precondition: s S, o O Primitive command: enter r into A[s, o] Postconditions: S S, O O A [s, o] A[s, o] {r} ( x S )( y O – { o }) [A [x, y] A[x, y]] ( x S – { s })( y O ) [A [x, y] A[x, y]] Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-18
Delete Right Precondition: s S, o O Primitive command: delete r from A[s, o] Postconditions: S S, O O A [s, o] A[s, o] – { r } ( x S )( y O – { o }) [A [x, y] A[x, y]] ( x S – { s })( y O ) [A [x, y] A[x, y]] Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-19
Destroy Subject Precondition: s S Primitive command: destroy subject s Postconditions: S S – { s }, O O–{s} ( y O ) [A [s, y] ], ( x S ) [A [x, s] ] ( x S )( y O ) [A [x, y] A[x, y]] Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-20
Destroy Object Precondition: o O Primitive command: destroy object o Postconditions: S S, O O–{o} ( x S ) [A [x, o] ] ( x S )( y O ) [A [x, y] A[x, y]] Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-21
Creating File Process p creates file f with r and w permission command create file(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-22
Mono-Operational Commands Make process p the owner of file g command make owner(p, g) enter own into A[p, g]; end Mono-operational command Single primitive operation in this command Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-23
Conditional Commands Let p give q r rights over f, if p owns f command grant read file 1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end Mono-conditional command Single condition in this command Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-24
Multiple Conditions Let p give q r and w rights over f, if p owns f and p has c rights over q command grant read file 2(p, f, q) if own in A[p, f] and c in A[p, q] then enter r into A[q, f]; enter w into A[q, f]; end Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-25
Copy Flag and Right Allows possessor to give rights to another Often attached to a right (called a flag), so only applies to that right r is read right that cannot be copied rc is read right that can be copied Is copy flag copied when giving r rights? Depends on model, instantiation of model Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-26
Own Right Usually allows possessor to change entries in ACM column So owner of object can add, delete rights for others May depend on what system allows Can’t give rights to specific (set of) users Can’t pass copy flag to specific (set of) users Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-27
Attenuation of Privilege Principle says you can’t increase your rights, or give rights you do not possess Restricts addition of rights within a system Usually ignored for owner Why? Owner gives herself rights, gives them to others, deletes her rights. Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-28
Key Points Access control matrix simplest abstraction mechanism for representing protection state Transitions alter protection state 6 primitive operations alter matrix Transitions can be expressed as commands composed of these operations and, possibly, conditions Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 2-29
