Chapter 2: Access Control Matrix

Slides:



Advertisements
Similar presentations
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Advertisements

1 1 -Access Control Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.
Database Management System
Access Control Intro, DAC and MAC System Security.
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
Authentication James Walden Northern Kentucky University.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.
CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.
A Guide to MySQL 7. 2 Objectives Understand, define, and drop views Recognize the benefits of using views Use a view to update data Grant and revoke users’
Chapter 5 Database Application Security Models
1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
LESSON 17 PREPARED BY MANJU. database A database is a collection of related information Access is the Microsoft Office database program that enables you.
Csci5233 computer security & integrity 1 Access Control Matrix.
IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model.
ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.
ISA Access Control ISA 562 Internet Security Theory & Practice.
Computer Security: Principles and Practice
1 Database Administration. 2 Objectives  Understand, create, and drop views  Grant and revoke users’ privileges  Understand and obtain information.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Access Control.
Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model Protection State Transitions –Commands –Conditional Commands.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 4 – Access Control.
Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
Slide #2-1 Access Control Matrix and Safety Results CS461/ECE422 Computer Security I, Fall 2009 Based on slides provided by Matt Bishop for use with Computer.
Access Control in Practice CS461/ECE422 Fall 2010.
Courtesy of Professors Prasant Krisnamurthy, Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 August 28, 2003 Introduction to.
Chapter 5 : Integrity And Security  Domain Constraints  Referential Integrity  Security  Triggers  Authorization  Authorization in SQL  Views 
Access Control: Policies and Mechanisms Vinod Ganapathy.
1/30/20161 Computer Security Access Control Matrix.
2/1/20161 Computer Security Foundational Results.
June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #13-1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 16 October 14, 2004.
What is the difference between authentication and authorization? Authorization is usually explained using the ___________________ model.
November 1, 2004Introduction to Computer Security © 2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model Protection.
CSE Operating System Principles Protection.
IS 2620: Developing Secure Systems Formal Verification/Methods Lecture 9 March 15, 2012.
Chapter 29: Program Security Dr. Wayne Summers Department of Computer Science Columbus State University
September 10, 2012Introduction to Computer Security © 2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model.
Database Security Advanced Database Dr. AlaaEddin Almabhouh.
IS 2150 / TEL 2810 Introduction to Security
Introduction to Computer Security Lecture 2
2. Access Control Matrix Introduction to Computer Security © 2004 Matt Bishop 9/21/2018.
Chapter 13: Design Principles
CE Operating Systems Lecture 21
Computer Security Access Control Matrix
IS 2150 / TEL 2810 Introduction to Security
Chapter 29: Program Security
Outline Motivation Access Control Matrix Model
Computer Security: Art and Science, 2nd Edition
IS 2150 / TEL 2810 Information Security & Privacy
Lesson 23 Getting Started with Access Essentials
Chapter 2: Access Control Matrix
Chapter 6: Integrity Policies
IS 2150 / TEL 2810 Introduction to Security
Chapter 4: Security Policies
Computer Security Access Control Mechanisms
IS 2150 / TEL 2810 Introduction to Security
Chapter 2: Access Control Matrix
Presentation transcript:

Chapter 2: Access Control Matrix Overview Access Control Matrix Model Boolean Expression Evaluation History Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege Computer Security: Art and Science © 2002-2004 Matt Bishop

History Statistical databases allow queries about groups of records, yet should not reveal information about any specific record. C – query set (queries about sets of records) N - # of records Attacker: Determine statistic for individual record query-set-overlap – prevention mechanism Answer query only when the size of the intersection of the query set and each previous query set is smaller than parameter r Computer Security: Art and Science © 2002-2004 Matt Bishop

History - Example Banner database contains your grades and GPAs. C1: CPEs taking CSSE442 in winter 08-09 Query 1: average_gpa(C1) Query2: count(C1) (answer = 3) C2: Senior CPEs taking CSSE 442 in winter 08-09 Query3: average_gpa(C2) Query4: count(C2) (answer = 2) Now, I can determine the GPA of the non-senior CPE in the class. If the query is JR CPE taking CSSE 442 in winter 08-09, then since there is only one, the database will not respond. So, I can use the above attack. Computer Security: Art and Science © 2002-2004 Matt Bishop

Query-set-overlap control using ACM Subjects: entities querying the database Objects: elements of the power set of the records Verb: read (i.e. database being able to answer the query for that particular query set) In practice, difficult to use because of the need to remember all prior queries. Power set – P(S) – all subsets of S Computer Security: Art and Science © 2002-2004 Matt Bishop

History - example Database: name position age salary Alice teacher 45 $40,000 Bob aide 20 $20,000 Cathy principal 37 $60,000 Dilbert teacher 50 $50,000 Eve teacher 33 $50,000 Alice(45), Dilbert(50), Eve(33) sum(C1) = 140,000 Query set C1: “position is teacher” Query1: sum_salary(C1) = ____________________ (allow/deny) Query set C2: “age less than 40 and teacher” Query2: count(C2) = _____________________ (allow/deny) Query3: name(C2) = _____________________ (allow/deny) Query set C3: “age greater than 40 and teacher” Query4: sum_salary(C3) = ___________________ (allow/deny) Computer Security: Art and Science © 2002-2004 Matt Bishop

State Transitions Change the protection state of system |– represents transition Xi |–  Xi+1: command  moves system from state Xi to Xi+1 Xi |– * Xi+1: a sequence of commands moves system from state Xi to Xi+1 Commands often called transformation procedures Computer Security: Art and Science © 2002-2004 Matt Bishop

Primitive Operations create subject s; create object o Creates new row, column in ACM; creates new column in ACM destroy subject s; destroy object o Deletes row, column from ACM; deletes column from ACM enter r into A[s, o] Adds r rights for subject s over object o delete r from A[s, o] Removes r rights from subject s over object o Computer Security: Art and Science © 2002-2004 Matt Bishop

Create Subject Precondition: s  S Primitive command: create subject s Postconditions: S = S { s }, O = O { s } (y  O)[a[s, y] = ], (x  S)[a[x, s] = ] (x  S)(y  O)[a[x, y] = a[x, y]] Computer Security: Art and Science © 2002-2004 Matt Bishop

Create Object Precondition: o  O Primitive command: create object o Postconditions: S = S, O = O  { o } (x  S)[a[x, o] = ] (x  S)(y  O)[a[x, y] = a[x, y]] Computer Security: Art and Science © 2002-2004 Matt Bishop

Add Right Precondition: s  S, o  O Primitive command: enter r into a[s, o] Postconditions: S = S, O = O a[s, o] = a[s, o]  { r } (x  S)(y  O – { o }) [a[x, y] = a[x, y]] (x  S – { s })(y  O) [a[x, y] = a[x, y]] Computer Security: Art and Science © 2002-2004 Matt Bishop

Delete Right Precondition: s  S, o  O Primitive command: delete r from a[s, o] Postconditions: S = S, O = O a[s, o] = a[s, o] – { r } (x  S)(y  O – { o }) [a[x, y] = a[x, y]] (x  S – { s })(y  O) [a[x, y] = a[x, y]] Computer Security: Art and Science © 2002-2004 Matt Bishop

Destroy Subject Precondition: s  S Primitive command: destroy subject s Postconditions: S = S – { s }, O = O – { s } (y  O)[a[s, y] = ], (x  S)[a´[x, s] = ] (x  S)(y  O) [a[x, y] = a[x, y]] Computer Security: Art and Science © 2002-2004 Matt Bishop

Destroy Object Precondition: o  O Primitive command: destroy object o Postconditions: S = S, O = O – { o } (x  S)[a[x, o] = ] (x  S)(y  O) [a[x, y] = a[x, y]] Computer Security: Art and Science © 2002-2004 Matt Bishop

Creating File Process p creates file f with r and w permission command create_file(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end Computer Security: Art and Science © 2002-2004 Matt Bishop

Mono-Operational Commands Make process p the owner of file g command make_owner(p, g) enter own into A[p, g]; end Mono-operational command Single primitive operation in this command Computer Security: Art and Science © 2002-2004 Matt Bishop

Conditional Commands Let p give q r rights over f, if p owns f command grant_read_file_1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end Mono-conditional command Single condition in this command Computer Security: Art and Science © 2002-2004 Matt Bishop

Multiple Conditions Let p give q r and w rights over f, if p owns f and p has c rights over q command grant_readwrite_file_2(p, f, q) if own in A[p, f] and c in A[p, q] then enter r into A[q, f]; enter w into A[q, f]; end C – distinguished right. If p has to give q the right to r/w. then it must have c rights over q and must own f. Computer Security: Art and Science © 2002-2004 Matt Bishop

Copy Right (i.e. grant right) Allows possessor to give rights to another Often attached to a right, so only applies to that right r is read right that cannot be copied rc is read right that can be copied Is copy flag copied when giving r rights? Depends on model, instantiation of model e.g. In Windows NT, this corresponds to the “P” or change permissions right. Computer Security: Art and Science © 2002-2004 Matt Bishop

Own Right Usually allows possessor to change entries in ACM column So owner of object can add, delete rights for others May depend on what system allows Can’t give rights to specific (set of) users Can’t pass copy flag to specific (set of) users UNIX has “chown()” function. Computer Security: Art and Science © 2002-2004 Matt Bishop

Attenuation of Privilege Principle says you can’t give rights you do not possess Restricts addition of rights within a system Usually ignored for owner Why? Owner gives herself rights, gives them to others, deletes her rights. Computer Security: Art and Science © 2002-2004 Matt Bishop

Key Points Access control matrix simplest abstraction mechanism for representing protection state Transitions alter protection state 6 primitive operations alter matrix Transitions can be expressed as commands composed of these operations and, possibly, conditions Computer Security: Art and Science © 2002-2004 Matt Bishop