2. Access Control Matrix Introduction to Computer Security © 2004 Matt Bishop 9/21/2018.


1 2. Access Control Matrix Introduction to Computer Security © 2004 Matt Bishop 9/21/2018

2 Introduction (Chapter 1): Objectives of Access Control
- Confidentiality: avoid disclosing sensitive data to unauthorized users
- Integrity: reliable and dependable
- Availability: provide information to authorized users on demand
- Threats: violation of security
Some secondary objectives of providing access control:
- Separation of duties
- Least privilege
- Need-to-know
- Need-to-share

3 Policy and Mechanism
- Security policy: a statement of what is and what is not allowed
- Security mechanism: a method, tool, or procedure for enforcing a security policy
- Secure, precise or broad
  - P: set of all possible states
  - Q: set of secure states, defined by the security policy
  - Security mechanisms restrict the system to the states R (R ⊆ P)
  - A security mechanism is secure if R ⊆ Q, precise if R = Q, and broad if there are states r such that r ∈ R and r ∉ Q

4 Goals of security
- Prevention
- Detection
- Recovery

5 What to protect
- Based on business risk
- Example: the government classification
  - Unclassified
  - Confidential
  - Secret
  - Top secret

6 3 Types of access controls
- Administrative. Examples: separation of duties, dual control, etc.
- Physical. Examples: fences, alarms, badges, CCTV, etc.
- Technical. Examples: antivirus, anti-spam, logs, etc.

7 Steps in accessing systems
- Authentication
  - Use a unique identifier. Example: user ID, account number, PIN
  - 3 main kinds of data used for authentication:
    - Something the requester knows: passwords, pass-phrases
    - Something the requester is: biometrics, physical characteristics
    - Something the requester has: tokens (one-time passwords, time-synchronized token), smart cards, USB tokens
- Authorization
- Accounting

8 Using Biometrics for Authentication
- Have false (rejection, acceptance) rates.
- Examples of static biometrics
  - Fingerprint or palm print
  - Hand geometry
  - Retina
- Examples of dynamic biometrics
  - Face/gesture recognition
  - Keystrokes
  - Voice characteristics

9 Chapter 2: Access Control Matrix
- Overview
- Defining the State
- Access Control Matrix Model
- Protection State Transitions
  - Commands
  - Conditional Commands

10 Typical Layer for Access Control
- Operating System
- Database
- Application

11 Access Control Matrix
- A model of protection systems
- Describes who (subject) can do what (rights) to whom (object/subject)
- Examples:
  - An instructor can assign and grade homework and exams
  - A Teaching Assistant can grade homework
  - Students can evaluate the instructor and TA

12 Defining Terms
- System State (S)
  - Collection of memory contents: registers, main memory, secondary storage
- Protection State (P)
  - Conditions under which a system is secure
- Authorized States (Q)
  - Subset of Protection States in which a system is authorized to reside
  - Secure states
- Q ⊆ P ⊆ S

13 More Terms
- Security policy defines states in Q
- Security mechanisms prevent transitions to states in P − Q
- Access Control Matrix describes protection states
  - Specifies rights of each subject (active entity) w.r.t. every other entity
- State transitions are triggered by commands that change from one state to another
- Constraints on state transitions assure security
  - Set of authorized states
  - Set of operations in authorized states

14 Overview
- Protection state of system
  - Describes current settings, values of system relevant to protection
- Access control matrix
  - Describes protection state precisely
  - Matrix describing rights of subjects
  - State transitions change elements of matrix

15 Description
- Subjects S = { s1,…,sn }
- Objects O = { o1,…,om }
- Rights R = { r1,…,rk }
- Entries A[si, oj] ⊆ R
- A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
[Figure: matrix with one row per subject s1, s2, …, sn and one column per object (entity) o1, …, om, s1, …, sn]

16 Example 1
- Processes p, q
- Files f, g
- Rights r, w, x, a, o (read, write, execute, append, own)

         f      g      p      q
    p    rwo    r      rwxo   w
    q    a      ro     r      rwxo

17 Example 2
- Procedures inc_ctr, dec_ctr, manage
- Variable counter
- Rights +, –, call

               counter   inc_ctr   dec_ctr   manage
    inc_ctr    +
    dec_ctr    –
    manage               call      call      call

18 State Transitions
- Change the protection state of system
- |– represents transition
  - Xi |–τ Xi+1: command τ moves system from state Xi to Xi+1
  - Xi |–* Xi+1: a sequence of commands moves system from state Xi to Xi+1
- Commands often called transformation procedures

19 Primitive Operations
- create subject s; create object o
  - Creates new row, column in ACM; creates new column in ACM
  - No rights added – just modifies matrix
- destroy subject s; destroy object o
  - Deletes row, column from ACM; deletes column from ACM
- enter r into A[s, o]
  - Adds r rights for subject s over object o
- delete r from A[s, o]
  - Removes r rights from subject s over object o

20 Creating File
- Process p creates file f with r and w permission

    command create•file(p, f)
        create object f;
        enter own into A[p, f];
        enter r into A[p, f];
        enter w into A[p, f];
    end

21 Mono-Operational Commands
- Make process p the owner of file g

    command make•owner(p, g)
        enter own into A[p, g];
    end

- Mono-operational command
  - Single primitive operation in this command

22 Conditional Commands
- Let p give q r rights over f, if p owns f

    command grant•read•file•1(p, f, q)
        if own in A[p, f]
        then
            enter r into A[q, f];
    end

- Mono-conditional command
  - Single condition in this command

23 Multiple Conditions
- Let p give q r and w rights over f, if p owns f and p has c rights over q

    command grant•read•file•2(p, f, q)
        if own in A[p, f] and c in A[p, q]
        then
            enter r into A[q, f];
            enter w into A[q, f];
    end

24 Copy Right
- Allows possessor to give rights to another
- Often attached to a right, so only applies to that right
  - r is read right that cannot be copied
  - rc is read right that can be copied
- Is copy flag copied when giving r rights?
  - Depends on the model and its instantiation

25 Own Right
- Usually allows possessor to change entries in ACM column
  - Owner of an object can add, delete rights for others
  - May depend on what system allows
    - Can’t give rights to specific (set of) users
    - Can’t pass copy flag to specific (set of) users

26 Attenuation of Privilege
- Principle says you can’t give rights you do not possess
  - Restricts addition of rights within a system
  - Usually ignored for owner
    - Why? Owner gives herself rights, gives them to others, deletes her rights.
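The copy flag from slide 24 and the attenuation rule from slide 26, as an added Python example that is not part of the original slides. It assumes one possible instantiation: a copyable right is written with a trailing "c" (as in rc), the owner is exempt from attenuation, and the hypothetical pass_copy_flag parameter selects whether the flag travels with the right.

```python
from collections import defaultdict

def grant(A, giver, right, receiver, obj, pass_copy_flag=False):
    """Try to give `right` over `obj` to `receiver`; return True if A changed.

    Rights are strings; appending "c" marks the copyable form, so "rc" is a
    read right that can be copied, as on the slide. Assumed instantiation.
    """
    held = A[(giver, obj)]
    if "own" not in held and right + "c" not in held:
        return False        # attenuation: non-owner lacks a copyable `right`
    A[(receiver, obj)].add(right + "c" if pass_copy_flag else right)
    return True

def demo():
    A = defaultdict(set)                      # A[(subject, object)] -> rights
    A[("p", "f")] = {"own"}                   # constructed state: p owns f only
    log = []
    log.append(grant(A, "p", "r", "p", "f"))  # owner gives herself r
    log.append(grant(A, "p", "r", "q", "f"))  # owner gives q plain r
    log.append(grant(A, "q", "r", "s", "f"))  # q holds r, not rc: refused
    log.append(grant(A, "p", "r", "q", "f", pass_copy_flag=True))  # q gets rc
    log.append(grant(A, "q", "r", "s", "f"))  # allowed; s gets r without flag
    log.append(grant(A, "s", "r", "t", "f"))  # s cannot pass it on
    A[("p", "f")].discard("r")                # owner deletes her own r
    return log, {k: sorted(v) for k, v in A.items() if v}
```

At the end of demo() the owner no longer holds r herself although q and s do, which is the sequence the slide gives as the reason attenuation is usually not applied to owners.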

27 Key Points
- Access control matrix simplest abstraction mechanism for representing protection state
- Transitions alter protection state
- 6 primitive operations alter matrix
- Transitions can be expressed as commands composed of these operations and, possibly, conditions

