1 / 18

Chapter 2: Access Control Matrix

Chapter 2: Access Control Matrix. Overview Access Control Matrix Model Protection State Transitions Commands Conditional Commands. Overview. Protection state of system

hoai
Télécharger la présentation

Chapter 2: Access Control Matrix

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 2: Access Control Matrix • Overview • Access Control Matrix Model • Protection State Transitions • Commands • Conditional Commands

  2. Overview • Protection state of system • The state of a system is the collection of the current values of all memory locations, secondary storage, registers, and other components of the system • Access control matrix • Describes protection state precisely • Matrix describing rights of subjects • State transitions change elements of matrix

  3. Subjects S = { s1,…,sn } Objects O = { o1,…,om } Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects (entities) o1 … oms1 … sn s1 s2 … sn subjects Description

  4. Example 1 • Processes p, q • Files f, g • Rights r, w, x, a, o f g p q p rwo r rwxo w q a ro r rwxo

  5. Example 2 • Procedures inc_ctr, dec_ctr, manage • Variable counter • Rights +, –, call counterinc_ctr dec_ctr manage inc_ctr + dec_ctr – manage call call call

  6. State Transitions • Change the protection state of system • |– represents transition • Xi|– Xi+1: command  moves system from state Xi to Xi+1 • Xi|– *Xi+1: a sequence of commands moves system from state Xi to Xi+1 • Commands often called transformation procedures

  7. Primitive Operations (HRU model) • create subjects; create object o • Creates new row, column in ACM; creates new column in ACM • destroy subjects; destroy object o • Deletes row, column from ACM; deletes column from ACM • enterrintoA[s, o] • Adds r rights for subject s over object o • deleterfromA[s, o] • Removes r rights from subject s over object o

  8. Creating File • Process p creates file f with r and w permission command create•file(p,f) create object f; enter own into A[p,f]; enter r into A[p,f]; enter w into A[p,f]; end

  9. Mono-Operational Commands • Make process p the owner of file g command make•owner(p,g) enter own into A[p,g]; end • Mono-operational command • Single primitive operation in this command

  10. Conditional Commands • Let p give q r rights over f, if p owns f command grant•read•file•1(p,f,q) if own in A[p,f] then enter r into A[q,f]; end • Mono-conditional command • Single condition in this command

  11. Multiple Conditions • Let p give q w rights over f, if p owns f and p has c rights over q command grant•write•file•2(p,f,q) if own in A[p,f] and c in A[p,q] then enter w into A[q,f]; end

  12. Key Points • Access control matrix simplest abstraction mechanism for representing protection state • Transitions alter protection state • 6 primitive operations alter matrix • Transitions can be expressed as commands composed of these operations and, possibly, conditions

  13. Postcript In our model a computer system is represented by a family of states: the set of all reachable states must be a subset of the set of secure states, if the system is to be secure.

  14. Security – Leaking rights Let R be the set of generic (primitive) rights of the system, r e R and let A be the ACM. Definitions • If r e R is added to an element of A not already containing r, then r is said to be leaked. • Let s0 be the initial protection state. a. If a system can never leak the right re R then the system is safe with respect to r. b. If a system can leak re R then the system is called unsafe with respect tor.

  15. Safe vs secure We use the term safe to refer to the (abstract) model. Secure is used when referring to implementations. So a secure implementations must be modeled on a safe system.

  16. Foundation theorems The model we have discussed is called theHarrison-Ruzzo-Ruzzo (HRU) model. Safety question Does there exist an algorithm for determining whether a given protection system (with initial state s0) is safe with respect to a generic right r ?

  17. Theorem 1 There exists an algorithm that will determine whether a given mono-operational protection system with initial protection state s0 is safe with respect to a generic right. Proof: A mono-operational command invokes a single primitive operation .

  18. Theorem 2 It is undecidable whether a given state of a given protection system is safe wrt a generic right. Proof –next Chapter.

More Related