Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 2: Access Control Matrix

Published byClemence Copeland Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 2: Access Control Matrix"— Presentation transcript:

1 Chapter 2: Access Control Matrix
Overview Access Control Matrix Model Boolean Expression Evaluation History Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege Computer Security: Art and Science © Matt Bishop

2 History Statistical databases allow queries about groups of records, yet should not reveal information about any specific record. C – query set (queries about sets of records) N - # of records Attacker: Determine statistic for individual record query-set-overlap – prevention mechanism Answer query only when the size of the intersection of the query set and each previous query set is smaller than parameter r Computer Security: Art and Science © Matt Bishop

3 History - Example Banner database contains your grades and GPAs.
C1: CPEs taking CSSE442 in winter 08-09 Query 1: average_gpa(C1) Query2: count(C1) (answer = 3) C2: Senior CPEs taking CSSE 442 in winter 08-09 Query3: average_gpa(C2) Query4: count(C2) (answer = 2) Now, I can determine the GPA of the non-senior CPE in the class. If the query is JR CPE taking CSSE 442 in winter 08-09, then since there is only one, the database will not respond. So, I can use the above attack. Computer Security: Art and Science © Matt Bishop

4 Query-set-overlap control using ACM
Subjects: entities querying the database Objects: elements of the power set of the records Verb: read (i.e. database being able to answer the query for that particular query set) In practice, difficult to use because of the need to remember all prior queries. Power set – P(S) – all subsets of S Computer Security: Art and Science © Matt Bishop

5 History - example Database: name position age salary Alice teacher 45 $40,000 Bob aide 20 $20,000 Cathy principal 37 $60,000 Dilbert teacher 50 $50,000 Eve teacher 33 $50,000 Alice(45), Dilbert(50), Eve(33) sum(C1) = 140,000 Query set C1: “position is teacher” Query1: sum_salary(C1) = ____________________ (allow/deny) Query set C2: “age less than 40 and teacher” Query2: count(C2) = _____________________ (allow/deny) Query3: name(C2) = _____________________ (allow/deny) Query set C3: “age greater than 40 and teacher” Query4: sum_salary(C3) = ___________________ (allow/deny) Computer Security: Art and Science © Matt Bishop

6 State Transitions Change the protection state of system
|– represents transition Xi |–  Xi+1: command  moves system from state Xi to Xi+1 Xi |– * Xi+1: a sequence of commands moves system from state Xi to Xi+1 Commands often called transformation procedures Computer Security: Art and Science © Matt Bishop

7 Primitive Operations create subject s; create object o
Creates new row, column in ACM; creates new column in ACM destroy subject s; destroy object o Deletes row, column from ACM; deletes column from ACM enter r into A[s, o] Adds r rights for subject s over object o delete r from A[s, o] Removes r rights from subject s over object o Computer Security: Art and Science © Matt Bishop

8 Create Subject Precondition: s  S Primitive command: create subject s
Postconditions: S = S { s }, O = O { s } (y  O)[a[s, y] = ], (x  S)[a[x, s] = ] (x  S)(y  O)[a[x, y] = a[x, y]] Computer Security: Art and Science © Matt Bishop

9 Create Object Precondition: o  O Primitive command: create object o
Postconditions: S = S, O = O  { o } (x  S)[a[x, o] = ] (x  S)(y  O)[a[x, y] = a[x, y]] Computer Security: Art and Science © Matt Bishop

10 Add Right Precondition: s  S, o  O
Primitive command: enter r into a[s, o] Postconditions: S = S, O = O a[s, o] = a[s, o]  { r } (x  S)(y  O – { o }) [a[x, y] = a[x, y]] (x  S – { s })(y  O) [a[x, y] = a[x, y]] Computer Security: Art and Science © Matt Bishop

11 Delete Right Precondition: s  S, o  O
Primitive command: delete r from a[s, o] Postconditions: S = S, O = O a[s, o] = a[s, o] – { r } (x  S)(y  O – { o }) [a[x, y] = a[x, y]] (x  S – { s })(y  O) [a[x, y] = a[x, y]] Computer Security: Art and Science © Matt Bishop

12 Destroy Subject Precondition: s  S
Primitive command: destroy subject s Postconditions: S = S – { s }, O = O – { s } (y  O)[a[s, y] = ], (x  S)[a´[x, s] = ] (x  S)(y  O) [a[x, y] = a[x, y]] Computer Security: Art and Science © Matt Bishop

13 Destroy Object Precondition: o  O Primitive command: destroy object o
Postconditions: S = S, O = O – { o } (x  S)[a[x, o] = ] (x  S)(y  O) [a[x, y] = a[x, y]] Computer Security: Art and Science © Matt Bishop

14 Creating File Process p creates file f with r and w permission
command create_file(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end Computer Security: Art and Science © Matt Bishop

15 Mono-Operational Commands
Make process p the owner of file g command make_owner(p, g) enter own into A[p, g]; end Mono-operational command Single primitive operation in this command Computer Security: Art and Science © Matt Bishop

16 Conditional Commands Let p give q r rights over f, if p owns f
command grant_read_file_1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end Mono-conditional command Single condition in this command Computer Security: Art and Science © Matt Bishop

17 Multiple Conditions Let p give q r and w rights over f, if p owns f and p has c rights over q command grant_readwrite_file_2(p, f, q) if own in A[p, f] and c in A[p, q] then enter r into A[q, f]; enter w into A[q, f]; end C – distinguished right. If p has to give q the right to r/w. then it must have c rights over q and must own f. Computer Security: Art and Science © Matt Bishop

18 Copy Right (i.e. grant right)
Allows possessor to give rights to another Often attached to a right, so only applies to that right r is read right that cannot be copied rc is read right that can be copied Is copy flag copied when giving r rights? Depends on model, instantiation of model e.g. In Windows NT, this corresponds to the “P” or change permissions right. Computer Security: Art and Science © Matt Bishop

19 Own Right Usually allows possessor to change entries in ACM column
So owner of object can add, delete rights for others May depend on what system allows Can’t give rights to specific (set of) users Can’t pass copy flag to specific (set of) users UNIX has “chown()” function. Computer Security: Art and Science © Matt Bishop

20 Attenuation of Privilege
Principle says you can’t give rights you do not possess Restricts addition of rights within a system Usually ignored for owner Why? Owner gives herself rights, gives them to others, deletes her rights. Computer Security: Art and Science © Matt Bishop

21 Key Points Access control matrix simplest abstraction mechanism for representing protection state Transitions alter protection state 6 primitive operations alter matrix Transitions can be expressed as commands composed of these operations and, possibly, conditions Computer Security: Art and Science © Matt Bishop

Download ppt "Chapter 2: Access Control Matrix"

Similar presentations

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
1 1 -Access Control - 2 - Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.

1 1 -Access Control Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.
Database Management System

Database Management System
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.

1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
July 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.

April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.

19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.

590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.
CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.
A Guide to MySQL 7. 2 Objectives Understand, define, and drop views Recognize the benefits of using views Use a view to update data Grant and revoke users’

A Guide to MySQL 7. 2 Objectives Understand, define, and drop views Recognize the benefits of using views Use a view to update data Grant and revoke users’
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.

1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.

Similar presentations

Ads by Google