Chapter 2: Access Control - PowerPoint PPT Presentation

Slides: 56
Provided by: james98

Transcript and Presenter's Notes

1
Chapter 2: Access Control
  • Bill Harrison

2
Objectives
  • Introduce the mechanism of Access Control
  • Relate mechanism to Confidentiality, Integrity
    and Availability
  • Introduce the Access Control Matrix Model and
    Protection State Transitions

3
Preliminaries
  • The material in chapters 2-3 makes use of what
    are known as
  • transition systems
  • rewrite systems
  • small-step semantics
  • Each of these terms means the same thing
  • These ideas are used to give precise meaning to
    systems, programs, etc.

4
Example: Small-step semantics of a simple language
  • Increment and decrement two registers, R0 and R1
  • Instructions: Dec(R0), Dec(R1), Inc(R0), Inc(R1)
5
Example: small-step semantics for a small language
  • The state of a program can be expressed as a pair
    of integers (r0, r1), where r0 (r1) is the current
    value of register R0 (R1)
  • The meaning of instructions can be defined by
    transitions:
    (r0, r1) →Dec(R0) (r0 − 1, r1)
    (r0, r1) →Dec(R1) (r0, r1 − 1)
    (r0, r1) →Inc(R0) (r0 + 1, r1)
    (r0, r1) →Inc(R1) (r0, r1 + 1)
6
Example: Small-step semantics for a small language
  • Meaning of a program (c1; c2) in state (i, j):
    if (i, j) →c1 (i', j') and (i', j') →c2 (i'', j''),
    then (i, j) →c1;c2 (i'', j'')
  • One can also ask questions like: starting from
    initial state s0, can I reach state s1?
[Diagram: a state-transition graph whose states are labelled secure and insecure]
7
Alice and Bob
  • Standard names for agents in a security or
    crypto scenario
  • Also known as A and B

8
An Access Control Scenario
  • Alice:
    New Secret foo
  • Bob:
    if (cp foo afoo)
    then echo success
    else echo fail
  • Intent
  • Bob's cp is attempting to violate Alice's
    expected access policy
  • If cp succeeds then confidentiality is not
    satisfied

Q: Revise the scenario to violate availability
9
Characterizing the Violation
[State diagram: states 0 to 5 and the transitions between them]
  0 --(A: New Secret foo)--> 1
  1 --(B: cp foo afoo, cp fails)--> 2 --(B: echo fail)--> 3
  1 --(B: cp foo afoo, cp succeeds)--> 4 --(B: echo success)--> 5
  • Basic Abstraction: States and Transitions

Q: What are the States?
Q: What determines if we reach State 2 or 4 from
State 1?
Q: If we reach State 5, was State 1 good?
10
Secure and non-Secure States
  • Characterize states in a system as Secure and
    non-Secure
  • A system is Secure if every transition maps
    Secure states to Secure states
  • Consequence: In the scenario, security is
    compromised if Alice's New Secret foo yields a
    state in which Bob can access foo.

11
Abstract vs Concrete States
  • Partitions concrete states into two abstract
    states
[Figure: two abstract states on the left, concrete states on the right]
  Abstract state x < y  ←  concrete states {x=17, y=23, z=-20}, {x=17, y=23, z=-21}, {x=17, y=23, z=-22}
  Abstract state x ≥ y  ←  concrete state {x=42, y=17, z=25}
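The register language of slides 4 through 6 and the secure-state check of slides 10 and 11, as an added example in Python that is not part of the slides: each instruction is one small-step rule, a program is the chaining of steps, a breadth-first search answers "can s1 be reached from s0", and preserves_security checks the definition on slide 10 (every transition maps secure states to secure states) exhaustively over a bounded window of concrete states, since the integer state space itself is infinite. The function names, the window and the two secure-state predicates used at the end are this example's own choices.

```python
"""Register language of slides 4-6 as an explicit transition system (added example)."""
from collections import deque
from itertools import product

# One small-step rule per instruction: concrete state (r0, r1) -> next state.
RULES = {
    "Dec(R0)": lambda r0, r1: (r0 - 1, r1),
    "Dec(R1)": lambda r0, r1: (r0, r1 - 1),
    "Inc(R0)": lambda r0, r1: (r0 + 1, r1),
    "Inc(R1)": lambda r0, r1: (r0, r1 + 1),
}


def step(state, instr):
    """Single transition (r0, r1) ->instr (r0', r1')."""
    return RULES[instr](*state)


def run(state, program):
    """Meaning of the sequence c1; c2; ...: chain the single steps (slide 6)."""
    for instr in program:
        state = step(state, instr)
    return state


def shortest_program(s0, s1, allowed, max_steps):
    """Slide 6's question: from s0, can s1 be reached using only `allowed` instructions
    in at most max_steps steps? Breadth-first search returns a shortest program or None."""
    todo, seen = deque([(s0, [])]), {s0}
    while todo:
        state, prog = todo.popleft()
        if state == s1:
            return prog
        if len(prog) == max_steps:
            continue
        for instr in allowed:
            nxt = step(state, instr)
            if nxt not in seen:
                seen.add(nxt)
                todo.append((nxt, prog + [instr]))
    return None


def abstract(state, secure):
    """Slide 11: collapse a concrete state to one of the two abstract states."""
    return "secure" if secure(*state) else "insecure"


def preserves_security(allowed, secure, window=range(-3, 4)):
    """Slide 10: the system is secure if every transition maps secure states to secure
    states. Checked over the window x window box of concrete states only (the full
    state space is infinite, so this is a bounded check; the window is an assumption
    of this example). Returns the first counter-example (state, instr, next) or None."""
    for state in product(window, repeat=2):
        if not secure(*state):
            continue
        for instr in allowed:
            nxt = step(state, instr)
            if not secure(*nxt):
                return (state, instr, nxt)
    return None


if __name__ == "__main__":
    print(run((0, 0), ["Inc(R0)", "Inc(R0)", "Dec(R1)"]))
    print(shortest_program((0, 0), (2, 1), ["Inc(R0)", "Inc(R1)"], 5))
    # r0 < r1 is not preserved: Dec(R1) or Inc(R0) can cross the partition of slide 11
    print(preserves_security(list(RULES), lambda x, y: x < y))
    # r0 >= 0 is preserved when only increments are allowed
    print(preserves_security(["Inc(R0)", "Inc(R1)"], lambda x, y: x >= 0))
```

The counter-example returned by preserves_security is exactly the witness the slide asks for: one secure concrete state and one instruction that carries it into the insecure abstract state.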
12
Protection States
  • An abstraction that focuses on security
    properties
  • Primarily interested in characterizing Safe
    states
  • Goal is to prove that all operations in the
    system preserve security of the protection
    state
  • E.g., by analyzing states reachable by
    transitions
  • Access Control Matrix is our first Protection
    State model

13
Access Control Matrix Model
  • Lampson '71, refined by Graham and Denning ('71,
    '72)
  • Concepts
  • Objects, the protected entities: O
  • Subjects, the active entities acting on the
    objects: S
  • Rights, the controlled operations subjects can
    perform on objects: R
  • Access Control Matrix, A, maps (Subject, Object)
    pairs to sets of Rights
  • Protection State: (S, O, A)

14
Confidentiality Scenario
Initial State: Subjects S0 = {A, B}, Objects O0 = ∅,
AC Matrix A0 = ∅, Rights R = {r, w, own}
(S0, O0, A0) →A: New Secret foo (S1, O1, A1)
(S1, O1, A1) →B: cp foo afoo (S1, O1, A1)
[State diagram as on slide 9]
Intended State 1: Subjects S1 = {A, B}, Objects O1 = {foo},
AC Matrix A1 = {(A, foo, {r, w, own}), (B, foo, ∅)}
15
Confidentiality Scenario
Initial State: Subjects S0 = {A, B}, Objects O0 = ∅,
AC Matrix A0 = ∅, Rights R = {r, w, own}
Is there a representation for Protection States 4
and 5?
[State diagram as on slide 9]
States 1, 2 and 3: Subjects S1 = {A, B}, Objects O1 = {foo},
AC Matrix A1 = {(A, foo, {r, w, own}), (B, foo, ∅)}
Critical issue is the definition of →cp
16
Insecure Scenario
Initial State: Subjects S0 = {A, B}, Objects O0 = ∅,
AC Matrix A0 = ∅, Rights R = {r, w, own}
(S0, O0, A0) →A: New Public foo (S1, O1, A1)
(S1, O1, A1) →B: cp foo afoo (S4, O4, A4)
[State diagram as on slide 9, with A: New Public foo as the first transition]
State 1: Subjects S1 = {A, B}, Objects O1 = {foo},
AC Matrix A1 = {(A, foo, {r, w, own}), (B, foo, {r})}
State 4: Subjects S4 = S1, Objects O4 = O1 ∪ {afoo},
AC Matrix A4 = {(A, foo, {r, w, own}), (B, foo, {r}),
(A, afoo, ∅), (B, afoo, {r, w, own})}
17
Ch 2.3: A Domain-Specific Language for Access
Control
  • Harrison, Ruzzo, and Ullman defined a set of
    primitive commands
  • Create subject s
  • Create object o
  • Enter r into a[s, o]
  • Delete r from a[s, o]
  • Destroy subject s
  • Destroy object o
  • We will use this DSL of primitive commands to
    model the system in our example

Heads up: We have 2 languages, the HRU primitives and
the example!
18
Access Control Matrix
  • Very high fidelity model
  • Every user and process can be modeled as a
    subject
  • Every file and process can be modeled as an
    object
  • Does it scale?
  • Is it useful?

19
Access Control Matrix
  • The access control matrix model is a critical
    reference point
  • most systems can be modeled within the framework
  • most mechanisms are an imperfect approximation of
    the Access Control Matrix

20
Foundational Results
  • Can we use an algorithm to test if a system is
    secure?
  • What do we mean by system?
  • What do we mean by secure?

21
Aside Safety and Liveness
  • Safety property: A bad thing does not happen
  • E.g. a memory-safe program will not dereference a
    bad pointer
  • Liveness property: A good thing will happen
    eventually
  • E.g. every runnable process will eventually be
    scheduled

22
Security safe or live?
  • Availability is often a liveness property
  • Confidentiality is often cast as a safety
    property
  • Integrity can be both
  • "The processor will execute the instruction stream"
    is a liveness property
  • "All memory will be accessed consistent with the
    protection state" is a safety property

23
Bounding the Problem
  • Mono-operational commands
  • If each system level command in the modeled
    system is implemented by a single HRU primitive
    the system is mono-operational
  • General case
  • In the general case the commands of the system
    being modeled are implemented by arbitrary
    combinations of HRU primitives
  • Cast the problem as a safety property
  • Bad things don't happen

24
What is secure?
  • Must designate a bad thing and then prove it
    doesn't happen
  • Definition: A right r is leaked if it is added
    to an element of the access control matrix that
    does not already contain it
  • In our example, New Secret foo leaks the rights
    own, r and w if foo did not already exist
  • Definition A system is safe with respect to
    right r if it does not leak the right r

25
Conclusion
  • Modeling is the process of abstracting to the
    essence of the property of concern
  • Security Modeling exploits protection state
    abstractions
  • The Access Control Matrix is a good model for file-
    and process-granularity modeling
  • With virtually any realistic system the general
    security question will be undecidable

26
Primitive Operations
  • create subject s: creates a new row and column in the ACM
  • create object o: creates a new column in the ACM
  • destroy subject s: deletes a row and column from the ACM
  • destroy object o: deletes a column from the ACM
  • enter r into A[s, o]: adds right r for subject s over object o
  • delete r from A[s, o]: removes right r from subject s over object o

27
Meaning of the DSL: (S, O, A) → (S', O', A')
Definition of (S, O, A) →create_subject(s) (S', O', A'):
For any protection state (S, O, A)
  Precondition: s ∉ S
  create_subject(s) Postcondition:
    S' = S ∪ {s}, O' = O ∪ {s}
    ∀y ∈ O', A'[s, y] = ∅;  ∀x ∈ S', A'[x, s] = ∅;
    ∀x ∈ S, y ∈ O, A'[x, y] = A[x, y]
(∀ reads "for all")
28
Create Subject
  • Precondition: s ∉ S, s ∉ O
  • Primitive command: create subject s
  • Postconditions:
  • S' = S ∪ {s}, O' = O ∪ {s}
  • (∀y ∈ O') a'[s, y] = ∅, (∀x ∈ S') a'[x, s] = ∅
  • (∀x ∈ S)(∀y ∈ O) a'[x, y] = a[x, y]

29
Create Object
  • Precondition: o ∉ O
  • Primitive command: create object o
  • Postconditions:
  • S' = S, O' = O ∪ {o}
  • (∀x ∈ S') a'[x, o] = ∅
  • (∀x ∈ S)(∀y ∈ O) a'[x, y] = a[x, y]

30
Add Right
  • Precondition: s ∈ S, o ∈ O
  • Primitive command: enter r into a[s, o]
  • Postconditions:
  • S' = S, O' = O
  • a'[s, o] = a[s, o] ∪ {r}
  • (∀x ∈ S')(∀y ∈ O' − {o}) a'[x, y] = a[x, y]
  • (∀x ∈ S' − {s})(∀y ∈ O') a'[x, y] = a[x, y]

31
Delete Right
  • Precondition: s ∈ S, o ∈ O
  • Primitive command: delete r from a[s, o]
  • Postconditions:
  • S' = S, O' = O
  • a'[s, o] = a[s, o] − {r}
  • (∀x ∈ S')(∀y ∈ O' − {o}) a'[x, y] = a[x, y]
  • (∀x ∈ S' − {s})(∀y ∈ O') a'[x, y] = a[x, y]

32
Destroy Subject
  • Precondition: s ∈ S
  • Primitive command: destroy subject s
  • Postconditions:
  • S' = S − {s}, O' = O − {s}
  • (∀x ∈ S')(∀y ∈ O') a'[x, y] = a[x, y]
  • Thrown out:
  • the row (∀y ∈ O) a[s, y] and the column (∀x ∈ S) a[x, s]

33
Destroy Object
  • Precondition: o ∈ O
  • Primitive command: destroy object o
  • Postconditions:
  • S' = S, O' = O − {o}
  • (∀x ∈ S')(∀y ∈ O') a'[x, y] = a[x, y]
  • Thrown out:
  • the column (∀x ∈ S) a[x, o]

34
Molecules from Atoms
  • The HRU DSL gives us atomic transitions
  • To model a system we combine these atomic
    operations into commands
  • i.e., define the system's commands in terms of
    HRU atoms
  • A system model in this framework is the set of
    commands that implement the system primitives

35
Mono-Operational Commands
  • Make process p the owner of file g
  • command make-owner(p, g)
    enter own into A[p, g]
    end
  • Mono-operational command
  • Single primitive operation in this command

36
Creating File
  • Process p creates file f with r and w permission
  • command createfile(p, f)
    create object f
    enter own into A[p, f]
    enter r into A[p, f]
    enter w into A[p, f]
    end

37
HRU Semantics Summary
  • (S, O, A) →create subject s (S ∪ {s}, O ∪ {s}, A')
    where A' extends A with an empty row and column for s
  • (S, O, A) →create object o (S, O ∪ {o}, A')
    where A' extends A with an empty column for o
  • (S, O, A) →enter r into a[s,o] (S, O, A') where
    A'[s, o] = A[s, o] ∪ {r}
  • (S, O, A) →delete r from a[s,o] (S, O, A') where
    A'[s, o] = A[s, o] − {r}
  • (S, O, A) →destroy subject s (S − {s}, O − {s}, A')
  • (S, O, A) →destroy object o (S, O − {o},
    A') where A' is the appropriate restriction of A

38
Modeling the Example
  • Interface
  • X New Secret <f>
  • X New Public <f>
  • X cp <f> <f>
  • X if <command> then <command> else <command>
  • Assumptions
  • X ranges over {A, B}

39
Example
  • Initialize ()
    create subject A
    create subject B
    end
  • New.Secret (x, f)
    create object f
    enter own into a[x, f]
    enter r into a[x, f]
    enter w into a[x, f]
    end
  • New.Public (x, f)
    create object f
    enter own into a[x, f]
    enter r into a[A, f]
    enter r into a[B, f]
    enter w into a[x, f]
    end
40
Conditional Commands
  • To obtain results in Chapter 3 we place technical
    restrictions on HRU conditional commands
  • Condition must be positive
  • r ∈ a[s, o]
  • Cf. negative: r ∉ a[s, o]
  • Conjunctions of conditions are allowed
  • r ∈ a[s, o] ∧ r' ∈ a[s', o']
  • Disjunctions are unnecessary
  • All atomic actions are idempotent
  • if φ ∨ ψ then C  ≡  if φ then C; if ψ then C

41
Example (cont)
Conditional command
  • Cp (x, src, dest)
    if r ∈ a[x, src] then
      create object dest
      enter own into a[x, dest]
      enter w into a[x, dest]
    end

Modeling helps us be precise: Is the new file
public or secret?
42
Modeling if
  • How do we model the if statement in our scenario?
  • We assumed Unix like exit status
  • Could enrich model to have statements have value
  • Does that add value?

43
Modeling if (cont)
  • To establish system security we must model all
    sequences of commands
  • What matters is that cp won't reveal Alice's
    secret
  • Since we are considering all sequences of
    non-conditional commands we don't need to model
  • if c1 then c2 else c3
  • since we model both
  • c1; c2
  • c1; c3
  • Why doesn't this argument apply to primitive
    commands?

44
Attenuation of Privilege
  • Principle says you can't give rights you do not
    possess
  • Restricts addition of rights within a system
  • Usually ignored for owner
  • Why? Owner gives herself rights, gives them to
    others, deletes her rights.

45
Key Points
  • Access control matrix simplest abstraction
    mechanism for representing protection state
  • Transitions alter protection state
  • 6 primitive operations alter matrix
  • Transitions can be expressed as commands composed
    of these operations and, possibly, conditions

46
Next Time
  • Case Study Separation Kernel
  • Start Chapter 3

47
Questions Voting Machine
  • How can a voting machine be modeled with
    subjects, objects, and rights?
  • In what ways do the rights change dynamically?

48
Looking Forward
  • Complete Chapter 3
  • Start Chapter 4, Security Policies

49
A scenario from the text
  • Bishop models a language with interface
  • Create.file(p,f)
  • Spawn.process(p,q)
  • Make.owner(p,f)
  • Grant.read.file.1(p,f,q)
  • Grant.read.file.2(p,f,q)
  • Grant.write.file.1(p,f,q)
  • Grant.write.file.2(p,f,q)
  • Some of his examples follow

50
Commands
  • Command create.file (p, f)
    create object f
    enter own into a[p, f]
    enter r into a[p, f]
    enter w into a[p, f]
    end

51
Commands (cont)
  • Command spawn.process (p, q)
    create subject q
    enter own into a[p, q]
    enter r into a[p, q]
    enter w into a[p, q]
    enter r into a[q, p]
    enter w into a[q, p]
    end

52
Conditional Commands
  • Command grant.read.file.1 (p, f, q)
    if own in a[p, f] then
      enter r into a[q, f]
    end

53
Root Agent
  • Create subjects: voter, tallyAgent, reporter
  • Create objects: vote, state, tally, voterCard
  • Initialize tally = 0
  • Enter

54
Voter Agent
  • Repeat indefinitely:
    Present credential
    If credential accepted then
      Prepare ballot
      Confirm vote
    Withdraw credential

55
Tally Agent
  • While (mode = election) do
    On credential presented do
      If credential valid then
        Enable voting
    On vote commit do atomic {
      add vote to tally
      invalidate credential
    }