1 / 33

Information Security: Access Control Matrix

Information Security: Access Control Matrix. Dr. Shahriar Bijani Shahed University. Slide References. Matt Bishop, Computer Security: Art and Science , the author homepage, 2002-2004. Chris Clifton, CS 526: Information Security course, Purdue university , 2010. .

paxton
Télécharger la présentation

Information Security: Access Control Matrix

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security:Access Control Matrix Dr. ShahriarBijani Shahed University

  2. Slide References • Matt Bishop, Computer Security: Art and Science, the author homepage, 2002-2004. • Chris Clifton, CS 526: Information Security course, Purdue university, 2010.

  3. Chapter 2: Access Control Matrix • Overview • Access Control Matrix Model • Boolean Expression Evaluation • History • Protection State Transitions • Commands • Conditional Commands • Special Rights • Principle of Attenuation of Privilege

  4. Introduction • What is access control? • Limiting who is allowed to do what • What is an access control model? • Specifying who is allowed to do what • What makes this hard? • Interactions between types of access

  5. Overview • Protection state of system • Describes current settings, values of system relevant to protection • Access control matrix • Describes protection state precisely • Matrix describing rights of subjects • State transitions change elements of matrix

  6. Basics • State:Statusof thesystem • Protectionstate:subsetthatdealswithprotection • AccessControlMatrix • Describesprotectionstate • Formally: • ObjectsO • SubjectsS • MatrixA S ×O • Tuple(S,O,A) defines protectionstatesof system

  7. Subjects S = { s1,…,sn } Objects O = { o1,…,om } Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects (entities) o1 … oms1 … sn s1 s2 … sn subjects Description

  8. Example 1 • Processes p, q • Files f, g • Rights r, w, x, a, o f g p q p rwo r rwxo w q a ro r rwxo

  9. Example 2 • Procedures inc_ctr, dec_ctr, manage • Variable counter • Rights +, –, call counterinc_ctrdec_ctr manage inc_ctr + dec_ctr – manage call call call

  10. Boolean Expression Evaluation • ACM controls access to database fields • Subjects have attributes: name, role, group,.. • Verbs are possible actions and define type of access • Rules associated with (objects, verb) pair • Subject attempts to access object • Rule for object, verb evaluated, grants or denies access

  11. Example • Subject Sara • Attributes role (artist), groups (creative) • Verb paint • Default 0 (deny unless explicitly granted) • Object picture • Rule: paint: ‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour ≥ 0 and time.hour < 5

  12. ACM at 3AM and 10AM At 3AM, time condition met; ACM is: At 10AM, time condition not met; ACM is: … picture … … picture … paint … Sara … … Sara…

  13. History • Statistical databases are designed to answer queries about groups of records yet not reveal information about any single specific record. • Assume that the database contains N records. Users query the database about sets of records C; this set is the query set. The goal of attackers is to obtain a statistic for an individual record. • The query-set-overlap controlis a prevention mechanism that answers queries only when the size of the intersection of the query set and each previous query set is smaller than some parameter r.

  14. History Database: name position age salary Alice teacher 45 $40,000 Bob aide 20 $20,000 Cathy principal 37 $60,000 Dilbert teacher 50 $50,000 Eve teacher 33 $50,000 Queries: • sum(salary, “position = teacher”) = 140,000 • sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Eve’s salary)

  15. ACM of Database Queries Oi = { objects referenced in query i } f(oi) = { read } for ojOi, if |j = 1,…,iOj| < 2 f(oi) =  for ojOi, otherwise • O1 = { Alice, Dilbert, Eve } and no previous query set, so: A[asker, Alice] = f(Alice) = { read } A[asker, Dilbert] = f(Dilbert) = { read } A[asker, Eve] = f(Eve) = { read } and query can be answered

  16. But Query 2 From last slide: f(oi) = { read } for oj in Oi, if |j = 1,…,iOj| > 1 f(oi) =  for oj in Oi, otherwise • O2 = { Alice, Dilbert } but | O2O1 | = 2 so A[asker, Alice] = f(Alice) =  A[asker, Dilbert] = f(Dilbert) =  and query cannot be answered

  17. State Transitions • Change the protection state of system • Xi= (Si, Oi, Ai) • |– represents transition • Xi|– Xi+1: command  moves system from state Xi to Xi+1 • Xi|– *Xi+1: a sequence of commands moves system from state Xi to Xi+1 • Commands often called transformation procedures

  18. Primitive Operations • create subjects; create object o • Creates new row, column in ACM; creates new column in ACM • destroy subjects; destroy object o • Deletes row, column from ACM; deletes column from ACM • enterrintoA[s, o] • Adds r rights for subject s over object o • deleterfromA[s, o] • Removes r rights from subject s over object o

  19. Create Subject • Precondition: sS • Primitive command: create subjects • Postconditions: • S = S{ s }, O = O{ s } • (yO)[a[s, y] = ], (xS)[a[x, s] = ] • (xS)(yO)[a[x, y] = a[x, y]]

  20. Create Object • Precondition: oO • Primitive command: create objecto • Postconditions: • S = S, O = O { o } • (xS)[a[x, o] = ] • (xS)(yO)[a[x, y] = a[x, y]]

  21. Add Right • Precondition: sS, oO • Primitive command: enterrintoa[s, o] • Postconditions: • S = S, O = O • a[s, o] = a[s, o]  { r } • (xS)(yO – { o }) [a[x, y] = a[x, y]] • (xS – { s })(yO) [a[x, y] = a[x, y]]

  22. Delete Right • Precondition: sS, oO • Primitive command: deleterfroma[s, o] • Postconditions: • S = S, O = O • a[s, o] = a[s, o] – { r } • (xS)(yO – { o }) [a[x, y] = a[x, y]] • (xS – { s })(yO) [a[x, y] = a[x, y]]

  23. Destroy Subject • Precondition: sS • Primitive command: destroysubjects • Postconditions: • S = S – { s }, O = O – { s } • (yO)[a[s, y] = ], (xS)[a´[x, s] = ] • (xS)(yO) [a[x, y] = a[x, y]]

  24. Destroy Object • Precondition: oO • Primitive command: destroyobjecto • Postconditions: • S = S, O = O – { o } • (xS)[a[x, o] = ] • (xS)(yO) [a[x, y] = a[x, y]]

  25. Creating File • Process p creates file f with r and wpermission command create•file(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end

  26. Creating Process • Suppose the process p wishes to create a new process q. The following command would capture the resulting changes in the access control matrix. command create•process(p,q)createsubject q;enter own into a[p,q];enter r into a[p,q];enter w into a[p,q];enter r into a[q,p];enter w into a[q,p];end

  27. Mono-Operational Commands • Make process p the owner of file g command make•owner(p, g) enter own into A[p, g]; end • Mono-operational command • Single primitive operation in this command

  28. Conditional Commands • Let p give qrrights over f, if p owns f command grant•read•file•1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end • Mono-conditional command • Single condition in this command

  29. Multiple Conditions • Let p give qr and w rights over f, if p owns f and p has c rights over q command grant•read•file•2(p, f, q) if own in A[p, f] and c in A[p, q] then enter r into A[q, f]; enter w into A[q, f]; end • Commands with two conditions are called biconditional.

  30. Copy Right • Allows possessor to give rights to another • Often attached to a right, so only applies to that right • r is read right that cannot be copied • rc is read right that can be copied • Is copy flag copied when giving r rights? • Depends on model, instantiation of model

  31. Own Right • Usually allows possessor to change entries in ACM column • So owner of object can add, delete rights for others • May depend on what system allows • Can’t give rights to specific (set of) users • Can’t pass copy flag to specific (set of) users

  32. Attenuation of Privilege • Principle says you can’t give rights you do not possess • Restricts addition of rights within a system • Usually ignored for owner • Why? Owner gives herself rights, gives them to others, deletes her rights.

  33. Key Points • Access control matrix simplest abstraction mechanism for representing protection state • Transitions alter protection state • 6 primitive operations alter matrix • Transitions can be expressed as commands composed of these operations and, possibly, conditions

More Related