Computer Security Access Control Matrix 11/23/2018

States of a Computer System The state of a system is the collection of current values of all components of the system: memory locations, secondary storage, registers etc Protection states are those states that have to be protected. .P = set of all protection states of the system .Q = set of all authorized protection states The system is not secure if the current state is in P - Q A security policy characterizes the states in Q A security mechanism prevents the system entering a state in P - Q 11/23/2018

Access Control Matrix Model A model used to describe the protection states. It characterizes the rights of each subject of the system (entity/process) regarding the objects of the system (entities/processes) in terms of a matrix. 11/23/2018

Butler-Lampson Model This describes the rights of users s (subjects) over files o (objects) by a matrix A whose rows are indexed By the subjects and columns by the objects. The rights belong to a set R. Each entry a[s,o] of A belongs to R, and is the right of user s over file s. 11/23/2018

Butler-Lampson Model In this model P is the triple (S,O,A) where S is the set of users, O the set of files, A the Access Control Matrix. R depends on the application. 11/23/2018

Examples of ACMs file 1 file 2 process 1 process 2 process 1 R, W, O R R, W, E, O W process 2 A R, O R R, W, E, O Here R = { Read, Wright, Own, Append, Execute } process 1 can read/write file 1, read file 2, communicate with process 2 by writing to it, etc 11/23/2018

Examples: rights on a LAN host names telegraph nob toadflex telegraph own ftp ftp nob ftp, nfs, amil own ftp, nfs, mail toadflex ftp, mail ftp, nfs, amil own Here R = { ftp, mail, nfs, own }, where ftp = the right to access the File Transfer Protocol mail = the right to send/receive using the Simple Mail Transfer Protocol (SMTP) nsf = the right to access file systems using the Network File System protocol 11/23/2018

Examples: rights in a program host names counter inc_ctr dec_ctr manager inc_ctr + dec_ctr - manager call call call Here inc_ctr increases a counter and dec_ctr decreases it. R = { +, -, call } 11/23/2018

Other examples Access Control by Boolean expression evaluation Access Control by History See textbook 11/23/2018

Protection State Transitions Initial state of the system X0 = (S0,O0,A0 ) Transitions: t1, t2, … Corresponding states: X1, X2, … We use the notation: Xi ├─ ti+1 Xi+1 to indicate the state transition from Xi to Xi+1 X ├─ *Y indicates that starting at X, after a series of transitions the system enters state Y. 11/23/2018

Protection State Transitions Xi ├─ ci+1 (pi+1,1 ,…, pi+1,m) Xi+1 Indicates that the transition is caused by the command ci+1 on the parameters pi+1,1 ,…, pi+1,m. 11/23/2018

The Harrison-Ruzzo-Ullman Model This is based on a set of primitive commands. create subject s create object o enter r into a[s,o] delete r from a[s,o] destroy subject s destroy object o 11/23/2018

The Harrison-Ruzzo-Ullman Model Example. command create•file(p,f) create object f ; enter own into a(p,f) ; enter r into a(p,f) ; enter w into a(p,f) ; end 11/23/2018

The Harrison-Ruzzo-Ullman Model Example. –conditional commands Suppose process p wants to give process q the right to read file f command grant•read•file1•(p,f,q) if own in a(p,f) then enter r into a(q,f) ; end See textbook for other examples. 11/23/2018

Copying and owning Rights copy right (grant right) – augments existing rights own right Copy right allows its possessor to grant rights (this right is often considered a flag attachment –hence flag right) Own right allows its possessor to add or delete privileges to themselves. 11/23/2018

Attenuation of privilege The Principle of Attenuation of Privilege says that a subject may not give rights it does not possess to another subject. 11/23/2018