Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model Protection State Transitions –Commands –Conditional Commands

Slide #2-2 Overview Protection state of system –The state of a system is the collection of the current values of all memory locations, secondary storage, registers, and other components of the system Access control matrix –Describes protection state precisely –Matrix describing rights of subjects –State transitions change elements of matrix

Slide #2-3 Description objects (entities) subjects s1s2…sns1s2…sn o 1 … o m s 1 … s n Subjects S = { s 1,…,s n } Objects O = { o 1,…,o m } Rights R = { r 1,…,r k } Entries A[s i, o j ]   R A[s i, o j ] = { r x, …, r y } means subject s i has rights r x, …, r y over object o j

Slide #2-4 Example 1 Processes p, q Files f, g Rights r, w, x, a, o fgpq prworrwxow qarorrwxo

Slide #2-5 Example 2 Procedures inc_ctr, dec_ctr, manage Variable counter Rights +, –, call counterinc_ctrdec_ctrmanage inc_ctr + dec_ctr – manage callcall call

Slide #2-6 State Transitions Change the protection state of system |– represents transition –X i |–  X i+1 : command  moves system from state X i to X i+1 –X i |– * X i+1 : a sequence of commands moves system from state X i to X i+1 Commands often called transformation procedures

Slide #2-7 Primitive Operations (HRU model) create subject s; create object o –Creates new row, column in ACM; creates new column in ACM destroy subject s; destroy object o –Deletes row, column from ACM; deletes column from ACM enter r into A[s, o] –Adds r rights for subject s over object o delete r from A[s, o] –Removes r rights from subject s over object o

Slide #2-8 Creating File Process p creates file f with r and w permission command createfile(p,f) create object f; enter own into A[p,f]; enter r into A[p,f]; enter w into A[p,f]; end

Slide #2-9 Mono-Operational Commands Make process p the owner of file g command makeowner(p,g) enter own into A[p,g]; end Mono-operational command –Single primitive operation in this command

Slide #2-10 Conditional Commands Let p give q r rights over f, if p owns f command grantreadfile1(p,f,q) if own in A[p,f] then enter r into A[q,f]; end Mono-conditional command –Single condition in this command

Slide #2-11 Multiple Conditions Let p give q w rights over f, if p owns f and p has c rights over q command grantwritefile2(p,f,q) if own in A[p,f] and c in A[p,q] then enter w into A[q,f]; end

Slide #2-12 Key Points Access control matrix simplest abstraction mechanism for representing protection state Transitions alter protection state 6 primitive operations alter matrix –Transitions can be expressed as commands composed of these operations and, possibly, conditions

Slide # 2-13 Postcript In our model a computer system is represented by a family of states: the set of all reachable states must be a subset of the set of secure states, if the system is to be secure.

Slide # 2-14 Security – Leaking rights Let R be the set of generic (primitive) rights of the system, r e R and let A be the ACM. Definitions 1.If r  R is added to an element of A not already containing r, then r is said to be leaked. 2.Let s 0 be the initial protection state. a. If a system can never leak the right r  R then the system is safe with respect to r. b. If a system can leak r  R then the system is called unsafe with respect to r.

Slide # 2-15 Safe vs secure We use the term safe to refer to the (abstract) model. Secure is used when referring to implementations. So a secure implementations must be modeled on a safe system.

Slide # 2-16 Foundation theorems The model we have discussed is called the Harrison- Ruzzo-Ruzzo (HRU) model. Safety question Does there exist an algorithm for determining whether a given protection system (with initial state s 0 ) is safe with respect to a generic right r ?

Slide # 2-17 Theorem 1 There exists an algorithm that will determine whether a given mono-operational protection system with initial protection state s 0 is safe with respect to a generic right. Proof: A mono-operational command invokes a single primitive operation.

Slide # 2-18 Theorem 2 It is undecidable whether a given state of a given protection system is safe wrt a generic right. Proof –next Chapter.