Computer Security Access Control Matrix (1/30/2016)


States of a Computer System
The state of a system is the collection of current values of all components of the system: memory locations, secondary storage, registers, etc. Protection states are those states that have to be protected.
P = set of all protection states of the system.
Q = set of all authorized protection states.
The system is not secure if the current state is in P - Q.
A security policy characterizes the states in Q.
A security mechanism prevents the system from entering a state in P - Q.

Access Control Matrix Model
This is used to describe the protection states. It characterizes the rights of each subject of the system (entity/process) regarding the objects of the system (entities/processes) in terms of a matrix.

Butler-Lampson Model
This describes the rights of users s (subjects) over files o (objects) by a matrix A whose rows are indexed by the subjects and whose columns are indexed by the objects. The rights belong to a set R. Each entry a[s,o] of matrix A belongs to the set R, and is the right of user s over file o.

Butler-Lampson Model
In this model the set of protection states P is a set of triples (S, O, A), where S is the set of users, O the set of files and A the Access Control Matrix. The set of rights R (the entries in A) depends on the application.

Examples of ACMs

| | file 1 | file 2 | process 1 | process 2 |
|---|---|---|---|---|
| process 1 | R, W, O | R | R, W, E, O | W |
| process 2 | A | R, O | R | R, W, E, O |

Here R = { Read, Write, Own, Append, Execute }.
Process 1 can read/write file 1, read file 2, communicate with process 2 by writing to it, etc.

Examples: rights on a LAN

| host names | telegraph | nob | toadflex |
|---|---|---|---|
| telegraph | own | ftp | ftp |
| nob | | ftp, nfs, mail, own | ftp, nfs, mail |
| toadflex | | ftp, mail | ftp, nfs, mail, own |

Here R = { ftp, mail, nfs, own }, where
ftp = the right to access the File Transfer Protocol
mail = the right to send/receive using the Simple Mail Transfer Protocol (SMTP)
nfs = the right to access file systems using the Network File System protocol

Examples: rights in a program

| | counter | inc_ctr | dec_ctr | manager |
|---|---|---|---|---|
| inc_ctr | + | | | |
| dec_ctr | - | | | |
| manager | | call | call | call |

Here inc_ctr increases a counter and dec_ctr decreases it. R = { +, -, call }

Other examples
Access Control by Boolean expression evaluation
Access Control by History
See textbook

Protection State Transitions
Initial state of the system: $X_0 = (S_0, O_0, A_0)$
Transitions: $\tau_1, \tau_2, \ldots$
Corresponding states: $X_1, X_2, \ldots$
We use the notation $X_i \vdash_{\tau_{i+1}} X_{i+1}$ to indicate the state transition from $X_i$ to $X_{i+1}$.
$X \vdash^{*} Y$ indicates that starting at $X$, after a series of transitions the system enters state $Y$.

Protection State Transitions
$X_i \vdash_{c_{i+1}(p_{i+1,1}, \ldots, p_{i+1,m})} X_{i+1}$
indicates that the transition is caused by the command $c_{i+1}$ on the parameters $p_{i+1,1}, \ldots, p_{i+1,m}$.

The Harrison-Ruzzo-Ullman Model
This is based on a set of primitive commands.
create subject s
create object o
enter right r into a[s,o]
delete right r from a[s,o]
destroy subject s
destroy object o

The Harrison-Ruzzo-Ullman Model
Example

    command create file(p, f)
        create object f;
        enter right own into a[p,f];
        enter right r into a[p,f];
        enter right w into a[p,f];
    end

The Harrison-Ruzzo-Ullman Model
Example: conditional commands
Suppose process p wants to give process q the right to read file f.

    command grant read file1(p, f, q)
        if own in a[p,f]
        then
            enter r into a[q,f];
    end

The Harrison-Ruzzo-Ullman Model
Example: conditional commands using and
Suppose process p wants to give process q the right to read file f.

    command grant read file2(p, f, q)
        if r in a[p,f] and c in a[p,f]
        then
            enter r into a[q,f];
    end

See textbook for other examples.

Copying and owning
Rights:
copy right (grant right), which augments existing rights
own right
The copy right allows its possessor to grant rights (this right is often considered a flag attachment, hence flag right).
The own right allows its possessor to add or delete privileges to themselves.

Copying
Example
Suppose process p has right r over object f, and let c be a copy right. The following command allows p to copy r over f to another process q only if p has copy right over f.

    command grant r(p, f, q)
        if r in a[p,f] and c in a[p,f]
        then
            enter r into a[q,f];
    end

Attenuation of privilege
The Principle of Attenuation of Privilege says that a subject may not give rights it does not possess to another subject.
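
The primitive commands, the create file and grant commands, and the copy-right check from the slides above, written as a small runnable model. This is an added example, not code from the slides: the class name ProtectionState, the function names and the lowercase right strings are assumptions, and subjects are also treated as objects, as in the process 1 / process 2 matrix.

```python
# Added example: HRU primitives over an access control matrix (names are this sketch's own).
class ProtectionState:
    """Protection state X = (S, O, A); A maps (s, o) to a set of rights."""

    def __init__(self):
        self.S, self.O, self.A = set(), set(), {}

    # The six primitive commands.
    def create_subject(self, s):
        self.S.add(s)
        self.O.add(s)  # assumption: a subject is also a column of the matrix

    def create_object(self, o):
        self.O.add(o)

    def enter(self, r, s, o):
        if s not in self.S or o not in self.O:
            raise KeyError((s, o))  # no such row or column in this state
        self.A.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self.A.get((s, o), set()).discard(r)

    def destroy_object(self, o):
        self.O.discard(o)
        self.A = {k: v for k, v in self.A.items() if k[1] != o}  # drop column o

    def destroy_subject(self, s):
        self.S.discard(s)
        self.A = {k: v for k, v in self.A.items() if k[0] != s}  # drop row s
        self.destroy_object(s)

    def rights(self, s, o):
        return frozenset(self.A.get((s, o), ()))

def create_file(X, p, f):
    X.create_object(f)
    for r in ("own", "r", "w"):
        X.enter(r, p, f)

def grant_read_file1(X, p, f, q):
    if "own" in X.rights(p, f):  # only the owner may hand out read
        X.enter("r", q, f)

def grant_r(X, p, f, q, r="r"):
    held = X.rights(p, f)
    if r in held and "c" in held:  # p needs the right itself and the copy right
        X.enter(r, q, f)
```

When the condition of a command is false the state is left unchanged, so a subject holding neither r nor c over f cannot pass r on, which is the attenuation of privilege principle.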