Computer Security Access Control Matrices

About This Presentation

Title:

Computer Security Access Control Matrices

Description:

Security Lab. Yih-Chun's Office. 8. State Transitions. Change the protection state of system ... Safety Question ... States K, symbols M; distinguished blank b ... – PowerPoint PPT presentation

Number of Views:101

Avg rating:3.0/5.0

Slides: 74

Provided by: matt294

Category:

more less

Transcript and Presenter's Notes

Title: Computer Security Access Control Matrices

1
Computer SecurityAccess Control Matrices

Fall 2006

Based on slides provided by Matt Bishop for use
with Computer Security Art and Science
Based on adaptations by Carl Gunter
2
Overview

Access control matrices and state transitions on
them
Harrison-Ruzzo-Ullman result
Corollaries
Take-Grant Protection Model
SPM and successors

3
Required

Reading
Chapter 2, as needed
Section 3.1
Section 3.2 through the proof of Theorem 3-2
All of Section 3.3 through the paragraph after
Definition 3-6
The example in Section 3.3 after Corollary 3-2
Exercises From 3.9 do 1, 4.

4
Access Control

Controlling access is a fundamental security
problem
Access control policy expresses who is authorized
to do what
Read files
Modify data
Access services
Change access

5
Access Control Matrices

Subjects S s1,,sn
Objects O o1,,om
Rights R r1,,rk
Entries Asi, oj ? R
Asi, oj rx, , ry means subject si has
rights rx, , ry over object oj

6
Example 1 File System
7
Example 2 CSL

Unlock - right to unlock a door
Log - request entry logs from a door

8
State Transitions

Change the protection state of system
represents transition
Xi ? Xi1 command ? moves system from state
Xi to Xi1
Xi Xi1 a sequence of commands moves system
from state Xi to Xi1
Commands often called transformation procedures

9
Primitive Operations

create subject s create object o
Creates new row, column in ACM creates new
column in ACM
destroy subject s destroy object o
Deletes row, column from ACM deletes column from
ACM
enter r into As, o
Adds r rights for subject s over object o
delete r from As, o
Removes r rights from subject s over object o

10
Create Subject

Precondition s ? S
Primitive command create subject s

11
Create Object

Precondition o ? O
Primitive command create object o

12
Add Right

Precondition p ? S, y ? O
Primitive command enter r into ap, y

13
Delete Right

Precondition p ? S, y ? O
Primitive command delete r from ap, y

14
Destroy Subject

Precondition s ? S
Primitive command destroy subject s

15
Destroy Object

Precondition o ? O
Primitive command destroy object o

16
Creating File

Process p creates file f with r and w permission
command createfile(p, f)
create object f
enter own into Ap, f
enter r into Ap, f
enter w into Ap, f
end

17
Own Right

Usually allows possessor to change entries in ACM
column
So owner of object can add, delete rights for
others
May depend on what system allows
Cant give rights to specific (set of) users
Cant pass copy flag to specific (set of) users

18
Mono-Operational Commands

Make process p the owner of file g
command makeowner(p, g)
enter own into Ap, g
end
Mono-operational command
Single primitive operation in this command

19
Conditional Commands

Let p give q r rights over f, if p owns f
command grantreadfile1(p, f, q)
if own in Ap, f
then
enter r into Aq, f
end
Mono-conditional command
Single condition in this command

20
Multiple Conditions

Let p give q r rights over f, if p has rights r
and c over f
command grantreadfile2(p, f, q)
if r in Ap, f and c in Ap, f
then
enter r into Aq, f
end

21
Copy Right

Allows possessor to give rights to another
Often attached to a right, so only applies to
that right
r is read right that cannot be copied
rc is read right that can be copied
Is copy flag copied when giving r rights?
Depends on model, instantiation of model

22
Attenuation of Privilege

Principle says you cant give rights you do not
possess
Restricts addition of rights within a system
Usually ignored for owner
Why? Owner gives herself rights, gives them to
others, deletes her rights.

23
Key Points

Access control matrix simplest abstraction
mechanism for representing protection state
Transitions alter protection state
6 primitive operations alter matrix
Transitions can be expressed as commands composed
of these operations and, possibly, conditions

24
Proving Safety

Want to prove system safe or secure
What does that mean?
Subjects should only have authorized rights
E.g. no one except for me can write to my home
directory
Easy to check in any given protection state
What about the dynamic protection system?

25
Formalizing Safety

Adding a generic right r where there was not one
is leaking
If a system S, beginning in initial state s0,
cannot leak right r, it is safe with respect to
the right r.
General property, can simulate
Leaking a right r on a specific object o
Leaking r to a subject outside a trusted set

26
Safety Question

Does there exist an algorithm for determining
whether a protection system S with initial state
s0 is safe with respect to a generic right r?
Here, safe secure for an abstract model

27
General Case

Answer no
Sketch of proof
Reduce halting problem to safety problem
Turing Machine review
Infinite tape in one direction
States K, symbols M distinguished blank b
Transition function ?(k, m) (k?, m?, L) means
in state k, symbol m on tape location replaced by
symbol m?, head moves to left one square, and
enters state k?
Halting state is qf TM halts when it enters this
state

Harrison, Ruzzo, Ullman 76
28
Mapping
1
2
3
4
s1
s2
s3
s4
A
B
C
D

s1
A
own
head
s2
B
own
s3
C k
own
Current state is k
s4
D end
29
Mapping
1
2
3
4
s1
s2
s3
s4
A
B
X
D

s1
A
own
head
s2
B
own
s3
X
own
After ?(k, C) (k1, X, R) where k is the
current state and k1 the next state
s4
D k1 end
30
Command Mapping

?(k, C) (k1, X, R) at intermediate becomes
command ck,C(s3,s4)
if own in As3,s4 and k in As3,s3
and C in As3,s3
then
delete k from As3,s3
delete C from As3,s3
enter X into As3,s3
enter k1 into As4,s4
end

31
Mapping
1
2
3
4
5
s1
s2
s3
s4
s5
A
B
X
Y
b
s1
A
own
head
s2
B
own
s3
X
own
After ?(k1, D) (k2, Y, R) where k1 is the
current state and k2 the next state
s4
Y
own
s5
b k2 end
32
Command Mapping

?(k1, D) (k2, Y, R) at end becomes
command crightmostk,C(s4,s5)
if end in As4,s4 and k1 in As4,s4
and D in As4,s4
then
delete end from As4,s4
create subject s5
enter own into As4,s5
enter end into As5,s5
delete k1 from As4,s4
delete D from As4,s4
enter Y into As4,s4
enter k2 into As5,s5
end

33
Rest of Proof

Protection system exactly simulates a TM
Exactly 1 end right in ACM
1 right in entries corresponds to state
Thus, at most 1 applicable command
If TM enters state qf, then right has leaked
If safety question decidable, then represent TM
as above and determine if qf leaks
Implies halting problem decidable
Conclusion safety question undecidable

34
Mono-Operational Commands

Answer yes
Sketch of proof
Consider minimal sequence of commands c1, , ck
to leak the right.
Can omit delete, destroy
Can merge all creates into one
Worst case insert every right into every entry
with s subjects and o objects initially, and n
rights, upper bound is k n(s1)(o1)

35
Proof Details
36
Detailed Proof Continued
37
Take-Grant Protection Model

A specific (not generic) system
Set of rules for state transitions
Safety decidable, and in time linear with the
size of the system
Goal find conditions under which rights can be
transferred from one entity to another in the
system

Jones, Lipton, Snyder 76
38
System

? objects (files, )
l subjects (users, processes, )
? don't care (either a subject or an object)
G x G' apply a rewriting rule x (witness) to
G to get G'
G G' apply a sequence of rewriting rules
(witness) to G to get G'
R t, g, r, w, set of rights

39
Rules
?
?
?
l
l
-
?
?
t
t
take
?
?
?
?
?
?
?
-
grant
g
?
?
g
l
l
40
More Rules
-
?
?
create
l
l
-?
?
?? ?
?
?
l
l
remove
These four rules are called the de jure rules
41
Example Shared Buffer