2. Access Control Matrix
Introduction to Computer Security © 2004 Matt Bishop
9/21/2018
Introduction (Chapter 1)
Objectives of Access Control
- Confidentiality: avoid disclosing sensitive data to unauthorized users
- Integrity: data and systems remain reliable and dependable, i.e. not modified by unauthorized users or in unauthorized ways
- Availability: provide information to authorized users on demand
- Threats are violations of one or more of these objectives
Some secondary objectives of providing access control
- Separation of duties
- Least privilege
- Need-to-know
- Need-to-share
Policy and Mechanism
- A security policy is a statement of what is and what is not allowed
- A security mechanism is a method, tool, or procedure for enforcing a security policy
Secure, precise, or broad
- P: set of all possible states
- Q: set of secure states, defined by the security policy (Q ⊆ P)
- A security mechanism restricts the system to a set of states R (R ⊆ P)
- The mechanism is secure if R ⊆ Q (it can never reach an insecure state)
- It is precise if R = Q (it allows exactly the secure states and nothing less)
- It is broad if there is some state r such that r ∈ R and r ∉ Q (it permits an insecure state)
Goals of Security
- Prevention
- Detection
- Recovery
What to Protect
- Based on business risk
- Example: the government classification levels
  - Unclassified
  - Confidential
  - Secret
  - Top Secret
Three Types of Access Controls
- Administrative. Examples: separation of duties, dual control, etc.
- Physical. Examples: fences, alarms, badges, CCTV, etc.
- Technical. Examples: antivirus, anti-spam, logs, etc.
Steps in Accessing Systems
- Authentication
  - The requester first presents a unique identifier. Examples: user ID, account number
  - Three main kinds of data are then used to authenticate the requester:
    - Something the requester knows: passwords, pass-phrases, PINs
    - Something the requester is: biometrics (physical characteristics)
    - Something the requester has: tokens (one-time passwords, time-synchronized tokens), smart cards, USB tokens
- Authorization
- Accounting
Using Biometrics for Authentication
- Every biometric has a false rejection rate and a false acceptance rate; tuning one up pushes the other down
- Examples of static biometrics
  - Fingerprint or palm print
  - Hand geometry
  - Retina
- Examples of dynamic biometrics
  - Face/gesture recognition
  - Keystroke dynamics
  - Voice characteristics
Chapter 2: Access Control Matrix
Overview
- Defining the state
- Access control matrix model
- Protection state transitions
  - Commands
  - Conditional commands
Typical Layers for Access Control
- Operating system
- Database
- Application
Access Control Matrix
- A model of protection systems
- Describes who (subject) can do what (rights) to whom (object or subject)
- Examples:
  - An instructor can assign and grade homework and exams
  - A teaching assistant can grade homework
  - Students can evaluate the instructor and the TA
Defining Terms
- System State (S): the collection of all memory contents
  - Registers
  - Main memory
  - Secondary storage
- Protection State (P): the portion of the system state relevant to protection, i.e. the settings that determine whether the system is secure
- Authorized States (Q): the subset of protection states in which the system is authorized to reside; the secure states
- Q ⊆ P ⊆ S
More Terms
- The security policy defines the states in Q
- Security mechanisms prevent transitions into states in P − Q
- The access control matrix describes protection states: it specifies the rights of each subject (active entity) with respect to every other entity
- State transitions are triggered by commands that move the system from one state to another
- Constraints on state transitions assure security, given
  - the set of authorized states, and
  - the set of operations permitted in authorized states
Overview
- Protection state of a system
  - Describes the current settings and values of the system relevant to protection
- Access control matrix
  - Describes the protection state precisely
  - A matrix describing the rights of subjects
  - State transitions change elements of the matrix
Description
- Subjects S = { s1, …, sn }
- Objects O = { o1, …, om }
- Rights R = { r1, …, rk }
- Entries A[si, oj] ⊆ R
- A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
- Rows are subjects; columns are objects, and since every subject is also an entity it also appears as a column:

                 objects (entities)
                 o1  …  om  s1  …  sn
    subjects s1
             …
             sn
Example 1
- Processes p, q
- Files f, g
- Rights r, w, x, a, o (read, write, execute, append, own)

         f     g     p      q
    p    rwo   r     rwxo   w
    q    a     ro    r      rwxo
Example 2
- Procedures inc_ctr, dec_ctr, manage
- Variable counter
- Rights +, –, call

             counter  inc_ctr  dec_ctr  manage
    inc_ctr  +
    dec_ctr  –
    manage            call     call     call
State Transitions
- Change the protection state of the system
- |– represents a transition
  - Xi |– Xi+1: a command moves the system from state Xi to Xi+1
  - Xi |–* Xi+1: a sequence of commands moves the system from state Xi to Xi+1
- Commands are often called transformation procedures
Primitive Operations
- create subject s; create object o
  - create subject adds a new row and a new column to the ACM; create object adds a new column only
  - No rights are added; only the shape of the matrix changes
- destroy subject s; destroy object o
  - destroy subject deletes the row and the column from the ACM; destroy object deletes the column
- enter r into A[s, o]
  - Adds right r for subject s over object o
- delete r from A[s, o]
  - Removes right r from subject s over object o
Creating a File
- Process p creates file f with read and write permission, and owns it:

    command create•file(p, f)
        create object f;
        enter own into A[p, f];
        enter r into A[p, f];
        enter w into A[p, f];
    end
Mono-Operational Commands
- Make process p the owner of file g:

    command make•owner(p, g)
        enter own into A[p, g];
    end

- A mono-operational command contains a single primitive operation
Conditional Commands
- Let p give q the r right over f, if p owns f:

    command grant•read•file•1(p, f, q)
        if own in A[p, f]
        then
            enter r into A[q, f];
    end

- A mono-conditional command tests a single condition
Multiple Conditions
- Let p give q the r and w rights over f, if p owns f and p has the c right over q:

    command grant•read•file•2(p, f, q)
        if own in A[p, f] and c in A[p, q]
        then
            enter r into A[q, f];
            enter w into A[q, f];
    end
Copy Right
- Allows the possessor to give rights to another
- Often attached to a specific right, so it applies only to that right
  - r is a read right that cannot be copied
  - rc is a read right that can be copied
- Is the copy flag itself copied when giving r rights?
  - Depends on the model and its instantiation
Own Right
- Usually allows the possessor to change entries in the object's ACM column
  - So the owner of an object can add and delete rights for others
- May depend on what the system allows
  - Some systems let an owner give rights only to everyone, not to a specific (set of) users
  - Some systems do not let an owner pass the copy flag to a specific (set of) users
Attenuation of Privilege
- Principle: you cannot give rights you do not possess
- Restricts the addition of rights within a system
- Usually ignored for the owner
  - Why? The owner can simply give herself the rights, give them to others, and then delete her own rights, so enforcing it against the owner gains nothing
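The model above is small enough to execute. The following is an added example, written for this page and not taken from Bishop's book or slides: it implements the six primitive operations, builds the matrix from Example 1, runs the create•file and grant•read•file commands against it, and adds two checks the later slides describe in prose, a copy flag that may or may not propagate and an attenuation-of-privilege guard with the customary owner exemption. The class name `ACM`, the function names, the right token `own` (the slides abbreviate it `o` in Example 1), and the `rc` convention for a copyable read right are this example's own choices.

```python
"""Access control matrix: the six primitive operations, commands with zero, one or two
conditions, a copy flag and an attenuation check.  Added example; names are this example's own."""
from dataclasses import dataclass, field

@dataclass
class ACM:
    subjects: set = field(default_factory=set)   # rows
    objects: set = field(default_factory=set)    # columns; every subject is also a column
    A: dict = field(default_factory=dict)        # (s, o) -> set of rights (strings)

    # The six primitive operations: each changes the matrix shape or a single cell.
    def create_subject(self, s):                 # new row and new column, no rights added
        if s in self.objects:
            raise ValueError(f"{s} already exists")
        self.subjects.add(s)
        self.objects.add(s)
    def create_object(self, o):                  # new column only
        if o in self.objects:
            raise ValueError(f"{o} already exists")
        self.objects.add(o)
    def destroy_subject(self, s):                # drop the row and the column
        self.subjects.discard(s)
        self.objects.discard(s)
        self.A = {k: v for k, v in self.A.items() if s not in k}
    def destroy_object(self, o):                 # drop the column
        self.objects.discard(o)
        self.A = {k: v for k, v in self.A.items() if k[1] != o}
    def enter(self, r, s, o):                    # enter r into A[s, o]
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"A[{s}, {o}] does not exist")
        self.A.setdefault((s, o), set()).add(r)
    def delete(self, r, s, o):                   # delete r from A[s, o]
        self.A.get((s, o), set()).discard(r)
    def rights(self, s, o):
        return frozenset(self.A.get((s, o), ()))

# Commands: sequences of primitives guarded by zero or more conditions on the matrix.
# Each returns True if it fired and False if a condition blocked it.
def create_file(acm, p, f):                  # create.file(p, f): four primitives, no condition
    acm.create_object(f)
    for r in ("own", "r", "w"):
        acm.enter(r, p, f)
    return True

def grant_read_file_1(acm, p, f, q):         # mono-conditional: p must own f
    if "own" in acm.rights(p, f):
        acm.enter("r", q, f)
        return True
    return False

def grant_read_file_2(acm, p, f, q):         # two conditions: p owns f and holds c over q
    if "own" in acm.rights(p, f) and "c" in acm.rights(p, q):
        acm.enter("r", q, f)
        acm.enter("w", q, f)
        return True
    return False

def grant_with_copy(acm, p, o, q, r, pass_flag):
    """Copy flag: p may give r over o only if it holds r with the flag (e.g. 'rc').
    Whether q also receives the flag is a model choice, hence a parameter."""
    if r + "c" not in acm.rights(p, o):
        return False
    acm.enter(r + "c" if pass_flag else r, q, o)
    return True

def attenuated_grant(acm, p, o, q, r, owner_exempt=True):
    """Attenuation of privilege: p may give q right r over o only if p holds r itself;
    the customary exception lets the owner of o grant rights it does not hold."""
    held = acm.rights(p, o)
    if r in held or (owner_exempt and "own" in held):
        acm.enter(r, q, o)
        return True
    return False

def example_1():
    """The slides' Example 1: processes p, q; files f, g; 'o' in the table means own."""
    acm = ACM()
    for s in ("p", "q"):
        acm.create_subject(s)
    for o in ("f", "g"):
        acm.create_object(o)
    cells = {("p", "f"): "rwo", ("p", "g"): "r", ("p", "p"): "rwxo", ("p", "q"): "w",
             ("q", "f"): "a", ("q", "g"): "ro", ("q", "p"): "r", ("q", "q"): "rwxo"}
    for (s, o), rs in cells.items():
        for r in rs:
            acm.enter("own" if r == "o" else r, s, o)
    return acm

def demo():
    """Applies the commands to Example 1 and returns the matrix plus which commands fired."""
    acm, fired = example_1(), {}
    fired["p_grants_q_read_f"] = grant_read_file_1(acm, "p", "f", "q")     # p owns f
    fired["q_grants_p_read_f"] = grant_read_file_1(acm, "q", "f", "p")     # q only appends to f
    create_file(acm, "p", "h")
    fired["two_cond_no_c"] = grant_read_file_2(acm, "p", "h", "q")          # p lacks c over q
    fired["q_gives_w_on_f"] = attenuated_grant(acm, "q", "f", "p", "w")     # q holds neither w nor own
    fired["owner_gives_x_on_f"] = attenuated_grant(acm, "p", "f", "q", "x") # p lacks x but owns f
    acm.enter("rc", "q", "g")
    fired["q_copies_r_with_flag"] = grant_with_copy(acm, "q", "g", "p", "r", pass_flag=True)
    return acm, fired
```

Two points the run makes concrete: a conditional command is all-or-nothing, so when grant•read•file•2 fails its second condition no partial rights are entered, and the owner exemption is exactly what lets p hand out an x right it never held on f, which is why attenuation of privilege is only meaningful for non-owners.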
Key Points
- The access control matrix is the simplest abstraction for representing a protection state
- Transitions alter the protection state
- Six primitive operations alter the matrix
- Transitions can be expressed as commands composed of these operations and, possibly, conditions