Presentation is loading. Please wait.

Presentation is loading. Please wait.

590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the."— Presentation transcript:

1 590J Lecture 21: Access Control (contd)

2 Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the set of all protection states – Q is the set of authorized protection states ● Q  secure system ● P-Q  insecure system – Secure policies characterize the states of Q – Security mechanisms ensure the system never enters P-Q

3 Review (contd) ● Access control matrix (A) relates – Objects (O) entities relevant to the protection state – Subjects (S) are active object – Rights (R) a subject has over an object; implementation dependent ● Example: file_1file_2proc_1 proc_1r,w,xrr,w,x,own proc_2rr,wr

4 Protection State Transitions ● Process execution causes the protection system states to change: t i+1 : X i  X i+1 ● This implies the access control matrix representation must change via commands: c i+1 (p i+1,1,...,p i+1,m ): X i  X i+1

5 Primitive Commands ● Harrison, Ruzzo, and Ullman define a set of six primitive commands that alter the ACM: 1. create subject s4. delete r from a[s,o] 2. create object o5. destroy subject s 3. enter r into a[s,o]6. destroy object o ● These primitive commands are used to construct more sophisticated commands ● Recall that S  O.

6 create subject s ● Precondition: s  S ● Postconditions: S' = S  {s}, O' = O  {s}, (  y  O')[a'[s,y] =  ], (  x  S'  [a'[x,s] =  ], (  x  S)(  y  O)[a'[x,y]=a[x,y]] ● This primitive creates a new subject s, which must not exist as an object before command execution. Note that no rights are added to the matrix.

7 create object o ● Precondition: o  O ● Postconditions: S' = S, O' = O  {s}, (  x  S'  [a'[x,o] =  ], (  x  S)(  y  O)[a'[x,y]=a[x,y]] ● This primitive creates a new object o, which must not exist as an object before command execution. Note that no rights are added to the matrix.

8 enter r into a[s,o] ● Precondition: s  S, o  O ● Postconditions: S'=S, O'=O, a'[s,o] = a[s,o]  {r}, (  x  S')(  y  O')[(x,y)  (s,o)  a'[x,y]=a[x,y]] ● This command adds r to the set of rights at a[s,o]. If r  a[s,o] prior to the execution of the command, the behavior depends on the model instantiation.

9 delete r from a[s,o] ● Precondition: s  S, o  O ● Postconditions: S'=S, O'=O, a'[s,o] = a[s,o] - {r}, (  x  S')(  y  O')[(x,y)  (s,o)  a'[x,y] = a[x,y]] ● This command removes r from the set of rights at a[s,o]. If r  a[s,o] prior to the execution of the command, then the effect of the operation is null.

10 destroy subject s ● Precondition: s  S ● Postconditions: S' = S  {s}, O' = O  {s}, (  y  O')[a'[s,y] =  ], (  x  S'  [a'[x,s] =  ], (  x  S')(  y  O')[a'[x,y]=a[x,y]] ● This primitive deletes the subject s and the column/row defined by s in A.

11 destroy object o ● Precondition: o  O ● Postconditions: S' = S, O' = O  {s}, (  x  S'  [a'[x,o] =  ], (  x  S')(  y  O')[a'[x,y]=a[x,y]] ● This primitive deletes the object o and removes the column defined by o from the matrix A.

12 Example: UNIX files ● Suppose a process p creates a file f with read and write permissions. Then A is updated with the following command: command create-file (p,f) create object f; enter own into a[p,f]; enter r into a[p,f]; enter w into a[p,f]; end

13 Example: UNIX process ● Support a process p spawns a child process q. The following command updates the matrix A: command spawn-process (p,q) create subject q; enter own into a[p,q]; enter r into a[p,q]; enter w into a[p,q]; enter r into a[q,p]; enter w into a[q,p]; end interprocess signals

14 Example: Uni-operational commands ● Primitive commands are not meant to be used directly. Instead, a wrapper around them provides their functionality: command make-owner (p,f) enter own into a[p,f]; end

15 Conditional Commands ● What if a process p wanted to give permission to read a file f to another process q? ● Process p would have to have the rights to that file. – Principle of Attenuation of Privilege: A subject s 1 may not grant rights to another subject s 2 of an object o that it does not have those rights to. ● Conditional statements in commands allow specific preconditions to be satisfied.

16 Conditional Commands (contd) ● Example: conjunction command grant-read-file (p,f,q) if r in a[p,f] and c in a[p,f] then enter r into a[q,f]; end ● Disjunctions and negations are not allowed. – 'or' can be represented as two commands – absence of rights is not permitted.

17 The own Right ● The own right allows – a subject to grant rights to other (may be restricted) – self-referential right granting ● The owner is usually the creator of an object ● Semantics get tricky: – Can new owners delete objects? – Should ownership be transferred? – Who is reponsible for the object?

Download ppt "590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the."

Similar presentations

Protection Goals of Protection Domain of Protection Access Matrix

Protection Goals of Protection Domain of Protection Access Matrix
Jan. 2014Dr. Yangjun Chen ACS-49021 Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )

Jan. 2014Dr. Yangjun Chen ACS Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )
Database Management System

Database Management System
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.

1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
6/12/2015 9:14 PM Lecture 2: Access Control James Hook CS 591: Introduction to Computer Security.

6/12/2015 9:14 PM Lecture 2: Access Control James Hook CS 591: Introduction to Computer Security.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.

April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.
1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.

1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.
Lecture 7 Access Control

Lecture 7 Access Control
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.

1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.

CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.
Csci5233 computer security & integrity 1 Access Control Matrix.

Csci5233 computer security & integrity 1 Access Control Matrix.
IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model.

IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model.
ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.

ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.
Chapter 2: Access Control Matrix

Chapter 2: Access Control Matrix

Similar presentations

Ads by Google