Computer Security Access Control Matrix

1
Computer SecurityAccess Control Matrix
2
States of a Computer System

• The state of a system is the collection of
  current values of all
• components of the system memory locations,
  secondary
• storage, registers etc
• Protection states are those states that have to
  be protected.
• .P set of all protection states of the system
• .Q set of all authorized protection states
• The system is not secure if the current state is
  in P - Q
• A security policy characterizes the states in Q
• A security mechanism prevents the system entering
• a state in P - Q

3
Access Control Matrix Model

• A model used to describe the protection states.
• It characterizes the rights of each subject of
  the
• system (entity/process) regarding the objects of
  the
• system (entities/processes) in terms of a matrix.

4
Butler-Lampson Model

• This describes the rights of users s (subjects)
  over
• files o (objects) by a matrix A whose rows are
  indexed
• By the subjects and columns by the objects.
• The rights belong to a set R.
• Each entry as,o of A belongs to R, and is the
  right of
• user s over file s.

5
Butler-Lampson Model

• In this model P is the triple (S,O,A)
• where S is the set of users, O the set of files,
  A the
• Access Control Matrix.
• R depends on the application.

6
Examples of ACMs

• file 1 file 2
  process 1 process 2
• process 1 R, W, O R R,
  W, E, O W
• process 2 A R, O
  R R, W, E, O
• Here R Read, Wright, Own, Append, Execute
• process 1 can read/write file 1, read file 2,
  communicate
• with process 2 by writing to it, etc

7
Examples rights on a LAN

• host names telegraph nob
  toadflex
• telegraph own ftp
  ftp
• nob ftp,
  nfs, amil own ftp, nfs, mail
  
• toadflex ftp,
  mail ftp, nfs, amil own
• Here R ftp, mail, nfs, own , where
• ftp the right to access the File Transfer
  Protocol
• mail the right to send/receive using the Simple
  Mail Transfer Protocol (SMTP)
• nsf the right to access file systems using the
  Network File System protocol

8
Examples rights in a program

• host names counter inc_ctr dec_ctr
  manager
• inc_ctr
• dec_ctr -
• manager call
  call call
• Here inc_ctr increases a counter and dec_ctr
  decreases it.
• R , -, call

9
Other examples

• Access Control by Boolean expression evaluation
• Access Control by History
• See textbook

10
Protection State Transitions

• Initial state of the system X0 (S0,O0,A0 )
• Transitions t1, t2,
• Corresponding states X1, X2,
• We use the notation Xi - ti1 Xi1
• to indicate the state transition from Xi to Xi1
• X - Y indicates that starting at X, after a
  series of
• transitions the system enters state Y.

11
Protection State Transitions

• Xi - ci1 (pi1,1 ,, pi1,m) Xi1
• Indicates that the transition is caused by the
  command
• ci1 on the parameters pi1,1 ,, pi1,m.

12
The Harrison-Ruzzo-Ullman Model

• This is based on a set of primitive commands.
• create subject s
• create object o
• enter r into as,o
• delete r from as,o
• destroy subject s
• destroy object o

13
The Harrison-Ruzzo-Ullman Model

• Example.
• command createfile(p,f)
• create object f
• enter own into a(p,f)
• enter r into a(p,f)
• enter w into a(p,f)
• end

14
The Harrison-Ruzzo-Ullman Model

• Example. conditional commands
• Suppose process p wants to give process q the
  right to read file f
• command grantreadfile1(p,f,q)
• if own in a(p,f)
• then
• enter r into a(q,f)
• end
• See textbook for other examples.

15
Copying and owning

• Rights
• copy right (grant right) augments existing
  rights
• own right
• Copy right allows its possessor to grant rights
  (this right is often
• considered a flag attachment hence flag right)
• Own right allows its possessor to add or delete
  privileges to
• themselves.

16
Attenuation of privilege

• The Principle of Attenuation of Privilege says
  that
• a subject may not give rights it does not possess
  to another subject.