2. Access Control Matrix
1/30/2017
Introduction to Computer Security © 2004 Matt Bishop
Introduction
Chapter 1: Objectives of Access Control
- Confidentiality: avoid disclosing sensitive data to unauthorized users
- Integrity: data and resources are trustworthy; unauthorized or improper modification is prevented or at least detected
- Availability: provide information to authorized users on demand
- Threats: potential violations of any of these security properties
Some secondary objectives of providing access control
- Separation of duties
- Least privilege
- Need-to-know
- Need-to-share
Policy and Mechanism
- Security policy: a statement of what is and what is not allowed
- Security mechanism: a method, tool, or procedure for enforcing a security policy
Secure, precise, or broad
- P: the set of all possible states
- Q: the set of secure states, defined by the security policy
- A security mechanism restricts the system to a set of states R (R ⊆ P)
- The mechanism is secure if R ⊆ Q
- It is precise if R = Q
- It is broad if there are states r such that r ∈ R and r ∉ Q (the mechanism lets the system reach insecure states)
Goals of security
- Prevention
- Detection
- Recovery
What to protect
- Based on business risk
- Example: the government classification levels
  - Unclassified
  - Confidential
  - Secret
  - Top Secret
3 Types of access controls
- Administrative. Examples: separation of duties, dual control, etc.
- Physical. Examples: fences, alarms, badges, CCTV, etc.
- Technical. Examples: antivirus, anti-spam, logs, etc.
Steps in accessing systems
- Authentication
  - First identify the requester with a unique identifier. Examples: user ID, account number
  - Then verify the claimed identity with one or more of three kinds of authentication factor:
    - Something the requester knows: passwords, pass-phrases, PINs
    - Something the requester is: biometrics (physical characteristics)
    - Something the requester has: tokens (one-time passwords, time-synchronized tokens), smart cards, USB tokens
- Authorization: deciding what the authenticated requester is allowed to do
- Accounting: recording what the requester did
Using Biometrics for Authentication
- Biometric systems have a false rejection rate (an authorized user is refused) and a false acceptance rate (an impostor is accepted); tightening the match threshold lowers one rate and raises the other
- Examples of static biometrics
  - Fingerprint or palm print
  - Hand geometry
  - Retina
- Examples of dynamic biometrics
  - Face / gesture recognition
  - Keystroke dynamics
  - Voice characteristics
Chapter 2: Access Control Matrix
Overview
- Defining the state
- Access control matrix model
- Protection state transitions
- Commands
- Conditional commands
Typical Layer for Access Control
- Operating system
- Database
- Application
Access Control Matrix
- A model of protection systems
- Describes who (subject) can do what (rights) to whom (object, which may itself be a subject)
- Examples:
  - An instructor can assign and grade homework and exams
  - A teaching assistant can grade homework
  - Students can evaluate the instructor and the TA
Defining Terms
- System state (S): the collection of the system's memory contents
  - Registers
  - Main memory
  - Secondary storage
- Protection state (P): the part of the system state relevant to protection, i.e. which subjects may access which objects and how
- Authorized states (Q): the subset of protection states in which the system is authorized to reside; these are the secure states
Q ⊆ P ⊆ S
More Terms
- The security policy defines the states in Q
- Security mechanisms prevent transitions to states in P − Q
- The access control matrix describes protection states: it specifies the rights of each subject (active entity) with respect to every other entity
- State transitions are triggered by commands that move the system from one state to another
- Constraints on state transitions assure security:
  - the set of authorized states
  - the set of operations permitted in authorized states
Overview
- Protection state of a system: describes the current settings and values of the system relevant to protection
- Access control matrix: describes the protection state precisely, as a matrix of the rights of subjects
- State transitions change elements of the matrix
Description
- Subjects S = {s1, …, sn}
- Objects O = {o1, …, om}
- Rights R = {r1, …, rk}
- Entries A[si, oj] ⊆ R
- A[si, oj] = {rx, …, ry} means subject si has rights rx, …, ry over object oj

The matrix has one row per subject s1 … sn and one column per entity: the objects o1 … om followed by the subjects s1 … sn, since subjects are entities and can be objects of access too.
Example 1
Processes p, q
Files f, g
Rights r, w, x, a, o (read, write, execute, append, own)

          f       g       p       q
    p    rwo      r     rwxo      w
    q     a      ro       r     rwxo
Example 2
Procedures inc_ctr, dec_ctr, manage
Variable counter
Rights +, –, call

               counter   inc_ctr   dec_ctr   manage
    inc_ctr       +
    dec_ctr       –
    manage                  call      call     call
State Transitions
- A state transition changes the protection state of the system
- |– represents a transition
  - Xi |– Xi+1: a single command moves the system from state Xi to Xi+1
  - Xi |–* Xi+1: a sequence of commands moves the system from state Xi to Xi+1
- Commands are often called transformation procedures
Primitive Operations
- create subject s; create object o
  - create subject s adds a new row and a new column to the ACM; create object o adds a new column only
  - No rights are added; these operations only change the shape of the matrix
- destroy subject s; destroy object o
  - destroy subject s deletes a row and a column from the ACM; destroy object o deletes a column
- enter r into A[s, o]: adds right r for subject s over object o
- delete r from A[s, o]: removes right r for subject s over object o
Creating File
Process p creates file f with r and w permission, and becomes its owner

    command create•file(p, f)
        create object f;
        enter own into A[p, f];
        enter r into A[p, f];
        enter w into A[p, f];
    end
Mono-Operational Commands
Make process p the owner of file g

    command make•owner(p, g)
        enter own into A[p, g];
    end

Mono-operational command: a single primitive operation in this command
Conditional Commands
Let p give q the r right over f, if p owns f

    command grant•read•file•1(p, f, q)
        if own in A[p, f]
        then
            enter r into A[q, f];
    end

Mono-conditional command: a single condition in this command
Multiple Conditions
Let p give q the r and w rights over f, if p owns f and p has the c right over q

    command grant•read•file•2(p, f, q)
        if own in A[p, f] and c in A[p, q]
        then
            enter r into A[q, f];
            enter w into A[q, f];
    end
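The six primitive operations and the four commands above (create•file, make•owner, grant•read•file•1, grant•read•file•2), as an added Python example written for these notes; it is not code from the slides or from Bishop's book. The ACM class, the command functions and the example_1 builder are this example's own names. Rights are the one-letter codes of Example 1, so the own right written as own in the commands is "o" here. The command functions change the matrix only through the six primitives, which is the point of the model: a command is a transformation procedure, and the conditional commands return whether the transition actually took place.

```python
"""Access control matrix (ACM) with Bishop's six primitive operations and the
four commands from the slides. Added example written for these notes, not code
from the book. Rights are one-character strings as in Example 1 ("o" is own,
so "own" in the slide commands is "o" here)."""
from collections import defaultdict


class ACM:
    """Protection state: subjects, objects and the entries A[s, o] ⊆ R."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()        # every subject is also an object
        self.A = defaultdict(set)   # A[(s, o)] -> set of rights

    # The six primitive operations: the only way the matrix changes.
    def create_subject(self, s):
        if s in self.objects:
            raise ValueError(f"{s} already exists")
        self.subjects.add(s)        # new row ...
        self.objects.add(s)         # ... and new column; no rights yet

    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"{o} already exists")
        self.objects.add(o)         # new column only

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.objects.discard(s)
        for key in [k for k in self.A if s in k]:     # drop row and column
            del self.A[key]

    def destroy_object(self, o):
        if o in self.subjects:
            raise ValueError("use destroy_subject for subjects")
        self.objects.discard(o)
        for key in [k for k in self.A if k[1] == o]:  # drop column
            del self.A[key]

    def enter(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"no entry A[{s}, {o}]")
        self.A[(s, o)].add(r)

    def delete(self, r, s, o):
        if (s, o) in self.A:
            self.A[(s, o)].discard(r)

    def rights(self, s, o):
        """A[s, o] as a read-only set; a missing entry is the empty set."""
        return frozenset(self.A.get((s, o), ()))


# Commands: sequences of primitives, possibly guarded by conditions.
def create_file(acm, p, f):
    """command create•file(p, f): p creates f and gets own, r, w over it."""
    acm.create_object(f)
    for r in "orw":
        acm.enter(r, p, f)


def make_owner(acm, p, g):
    """command make•owner(p, g): mono-operational, a single primitive."""
    acm.enter("o", p, g)


def grant_read_file_1(acm, p, f, q):
    """command grant•read•file•1(p, f, q): mono-conditional.
    Returns True if the condition held and the state changed."""
    if "o" in acm.rights(p, f):
        acm.enter("r", q, f)
        return True
    return False


def grant_read_file_2(acm, p, f, q):
    """command grant•read•file•2(p, f, q): both conditions must hold."""
    if "o" in acm.rights(p, f) and "c" in acm.rights(p, q):
        acm.enter("r", q, f)
        acm.enter("w", q, f)
        return True
    return False


def example_1():
    """Protection state of Example 1 (processes p, q; files f, g)."""
    acm = ACM()
    for s in ("p", "q"):
        acm.create_subject(s)
    for o in ("f", "g"):
        acm.create_object(o)
    table = {("p", "f"): "rwo", ("p", "g"): "r", ("p", "p"): "rwxo", ("p", "q"): "w",
             ("q", "f"): "a", ("q", "g"): "ro", ("q", "p"): "r", ("q", "q"): "rwxo"}
    for (s, o), rs in table.items():
        for r in rs:
            acm.enter(r, s, o)
    return acm
```

example_1() rebuilds the matrix of Example 1. On that state grant_read_file_1(acm, "q", "f", "p") returns False because q does not own f, while grant_read_file_1(acm, "p", "f", "q") enters r into A[q, f] and returns True; grant_read_file_2(acm, "q", "g", "p") fails until c is entered into A[q, p] even though q owns g. Because nothing outside the ACM class touches A, the reachable protection states are exactly those the commands permit, which is what the constraints on state transitions are meant to guarantee.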
Copy Right
- Allows the possessor to give rights to another
- Often attached to a right, so it only applies to that right
  - r is a read right that cannot be copied
  - rc is a read right that can be copied
- Is the copy flag itself copied when giving r rights? Depends on the model and its instantiation
Own Right
- Usually allows the possessor to change entries in the object's ACM column
- The owner of an object can add and delete rights for others
- What exactly the owner may do depends on what the system allows; a system may, for instance, forbid
  - giving rights to a specific (set of) users
  - passing the copy flag to a specific (set of) users
Attenuation of Privilege
- The principle says you can't give rights you do not possess
- Restricts the addition of rights within a system
- Usually ignored for the owner. Why? The owner could give herself the rights, give them to others, then delete her own rights, so enforcing the principle on the owner buys nothing
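The copy flag, the owner's exemption, and the three-step argument above, as an added Python example written for these notes (not from the slides or the book). Right, can_grant, grant, owner_trick and sample_state are this example's own names; sample_state is a constructed matrix in which alice owns f, bob holds r with the copy flag (rc), and carol holds plain r. Whether the copy flag propagates on a grant is a parameter, because the model does not fix it; whether attenuation is enforced on the owner is a parameter too, so that owner_trick can show the owner reaching the same end state even when it is.

```python
"""Copy flag and attenuation of privilege on an access control matrix.
Added example for these notes, not code from the book. The matrix is a plain
dict A[(subject, object)] -> set of Right; Right.copy is the copy flag, so the
slides' rc is Right("r", copy=True), and "own" is the own right."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Right:
    name: str
    copy: bool = False    # copy flag: the holder may pass this right on


class AttenuationError(PermissionError):
    """A giver tried to hand out a right it does not hold with the copy flag."""


def names(A, s, o):
    """Right names s holds over o, ignoring the copy flag."""
    return {r.name for r in A.get((s, o), set())}


def can_grant(A, giver, obj, name, *, owner_exempt=True):
    """Attenuation of privilege: giver may give `name` over obj only if it holds
    that right with the copy flag. With owner_exempt (the usual convention) the
    owner of obj may give any right, held or not."""
    if owner_exempt and "own" in names(A, giver, obj):
        return True
    return Right(name, copy=True) in A.get((giver, obj), set())


def grant(A, giver, receiver, obj, name, *, propagate_flag=False, owner_exempt=True):
    """giver gives `name` over obj to receiver, subject to can_grant.
    Whether the receiver also gets the copy flag is model-dependent, hence the
    propagate_flag parameter. Returns the receiver's rights over obj."""
    if not can_grant(A, giver, obj, name, owner_exempt=owner_exempt):
        raise AttenuationError(
            f"{giver} cannot give {name} over {obj}: not held with copy flag")
    A.setdefault((receiver, obj), set()).add(Right(name, copy=propagate_flag))
    return frozenset(A[(receiver, obj)])


def owner_trick(A, owner, obj, receivers, name):
    """Why attenuation is usually not enforced on the owner: even with
    owner_exempt=False she reaches the same end state in three steps. Returns
    the owner's right names over obj afterwards (the new right is gone again)."""
    A.setdefault((owner, obj), set()).add(Right(name, copy=True))  # 1. gives herself rc
    for r in receivers:                                             # 2. hands it out
        grant(A, owner, r, obj, name, owner_exempt=False)
    A[(owner, obj)].discard(Right(name, copy=True))                 # 3. deletes her own
    return names(A, owner, obj)


def sample_state():
    """Constructed protection state: alice owns f, bob holds rc over f,
    carol holds plain r over f."""
    return {
        ("alice", "f"): {Right("own")},
        ("bob", "f"): {Right("r", copy=True)},
        ("carol", "f"): {Right("r")},
    }
```

On sample_state(), grant(A, "bob", "dave", "f", "r") succeeds because bob holds rc, but dave receives r without the flag and cannot pass it on; grant(A, "carol", "erin", "f", "r") raises AttenuationError because carol's r is not copiable; and alice, as owner, can enter w into erin's entry although she holds no w herself. owner_trick shows that switching the exemption off changes nothing in the end: alice still ends with every receiver holding the right and her own entry back to {"own"}.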
Key Points
- The access control matrix is the simplest abstraction mechanism for representing a protection state
- Transitions alter the protection state
- Six primitive operations alter the matrix
- Transitions can be expressed as commands composed of these operations and, possibly, conditions