Presentation is loading. Please wait.

Presentation is loading. Please wait.

July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model.

Published byMagnus Davis Modified over 8 years ago

Similar presentations

Presentation on theme: "July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model."— Presentation transcript:

1 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model –Boolean Expression Evaluation –History Protection State Transitions –Commands –Conditional Commands Special Rights –Principle of Attenuation of Privilege

2 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-2 Overview Protection state of system –Describes current settings, values of system relevant to protection Access control matrix –Describes protection state precisely –Matrix describing rights of subjects –State transitions change elements of matrix

3 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-3 Description objects (entities) subjects s1s2…sns1s2…sn o 1 … o m s 1 … s n Finite Sets Subjects S = { s 1,…,s n } Objects O = { o 1,…,o m } Rights R = { r 1,…,r k } const Entries A[s i, o j ]   R A[s i, o j ] = { r x, …, r y } means subject s i has rights r x, …, r y over object o j

4 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-4 Example 1 Processes p, q Files f, g Rights r, w, x, a, o fgpq prworrwxow qarorrwxo Nota bene: Subjects are also objects

5 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-5 Example 2 Procedures inc_ctr, dec_ctr, manage Variable counter Rights +, –, call counterinc_ctrdec_ctrmanage inc_ctr+ dec_ctr– managecallcallcall

6 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-6 Boolean Expression Evaluation ACM controls access to database fields –Subjects have attributes –Verbs define type of access –Rules associated with objects, verb pair Subject attempts to access object –Rule for object, verb evaluated, grants or denies access

7 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-7 Example Subject annie –Attributes role (artist), groups (creative) Verb paint –Default 0 (deny unless explicitly granted) Object picture –Rule: paint:‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour ≥ 0 and time.hour < 5

8 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-8 ACM at 3AM and 10AM … picture … … annie … paint At 3AM, time condition met; ACM is: … picture … … annie … At 10AM, time condition not met; ACM is:

9 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-9 History Database: namepositionagesalary Aliceteacher45$40,000 Bobaide20$20,000 Cathyprincipal37$60,000 Dilbertteacher50$50,000 Eveteacher33$50,000 Queries: 1.sum(salary, “position = teacher”) = 140,000 2.sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Eve’s salary)

10 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-10 ACM of Database Queries O i = { objects referenced in query i } f(o i ) = { read }for o j  O i, if |  j = 1,…,i  O j | < 2 f(o i ) =  for o j  O i, otherwise 1. O 1 = { Alice, Dilbert, Eve } and no previous query set, so: A[asker, Alice] = f(Alice) = { read } A[asker, Dilbert] = f(Dilbert) = { read } A[asker, Eve] = f(Eve) = { read } and query can be answered

11 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-11 But Query 2 From last slide: f(o i ) = { read }for o j in O i, if |  j = 1,…,i  O j | > 1 f(o i ) =  for o j in O i, otherwise 2.O 2 = { Alice, Dilbert } but | O 2  O 1 | = 2 so A[asker, Alice] = f(Alice) =  A[asker, Dilbert] = f(Dilbert) =  and query cannot be answered

12 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-12 State Transitions Change the protection state of system |– represents transition –X i |–  X i+1 : command  moves system from state X i to X i+1 –X i |– * X i+1 : a sequence of commands moves system from state X i to X i+1 Commands often called transformation procedures

13 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-13 Primitive Operations create subject s; create object o –Creates new row, column in ACM; creates new column in ACM destroy subject s; destroy object o –Deletes row, column from ACM; deletes column from ACM enter r into A[s, o] –Adds r rights for subject s over object o delete r from A[s, o] –Removes r rights from subject s over object o

14 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-14 Create Subject Precondition: s  S Primitive command: create subject s Postconditions: –S = S  { s }, O = O  { s } –(  y  O)[a[s, y] =  ], (  x  S)[a[x, s] =  ] –(  x  S)(  y  O)[a[x, y] = a[x, y]]

15 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-15 Create Object Precondition: o  O Primitive command: create object o Postconditions: –S = S, O = O  { o } –(  x  S)[a[x, o] =  ] –(  x  S)(  y  O)[a[x, y] = a[x, y]]

16 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-16 Add Right Precondition: s  S, o  O Primitive command: enter r into a[s, o] Postconditions: –S = S, O = O –a[s, o] = a[s, o]  { r } –(  x  S)(  y  O – { o }) [a[x, y] = a[x, y]] –(  x  S – { s })(  y  O) [a[x, y] = a[x, y]]

17 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-17 Delete Right Precondition: s  S, o  O Primitive command: delete r from a[s, o] Postconditions: –S = S, O = O –a[s, o] = a[s, o] – { r } –(  x  S)(  y  O – { o }) [a[x, y] = a[x, y]] –(  x  S – { s })(  y  O) [a[x, y] = a[x, y]]

18 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-18 Destroy Subject Precondition: s  S Primitive command: destroy subject s Postconditions: –S = S – { s }, O = O – { s } –(  y  O)[a[s, y] =  ], (  x  S)[a´[x, s] =  ] –(  x  S)(  y  O) [a[x, y] = a[x, y]]

19 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-19 Destroy Object Precondition: o  O Primitive command: destroy object o Postconditions: –S = S, O = O – { o } –(  x  S)[a[x, o] =  ] –(  x  S)(  y  O) [a[x, y] = a[x, y]]

20 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-20 Creating File Process p creates file f with r and w permission command createfile(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end

21 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-21 Mono-Operational Commands Make process p the owner of file g command makeowner(p, g) enter own into A[p, g]; end Mono-operational command –Single primitive operation in this command

22 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-22 Conditional Commands Let p give q r rights over f, if p owns f command grantreadfile1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end Mono-conditional command –Single condition in this command

23 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-23 Multiple Conditions Let p give q r and w rights over f, if p owns f and p has c rights over q command grantreadfile2(p, f, q) if own in A[p, f] and c in A[p, q] then enter r into A[q, f]; enter w into A[q, f]; end

24 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-24 Copy Right Allows possessor to give rights to another Often attached to a right, so only applies to that right –r is read right that cannot be copied –rc is read right that can be copied Is copy flag copied when giving r rights? –Depends on model, instantiation of model

25 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-25 Own Right Usually allows possessor to change entries in ACM column –So owner of object can add, delete rights for others –May depend on what system allows Can’t give rights to specific (set of) users Can’t pass copy flag to specific (set of) users

26 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-26 Attenuation of Privilege Principle says you can’t give rights you do not possess –Restricts addition of rights within a system –Usually ignored for owner Why? Owner gives herself rights, gives them to others, deletes her rights.

27 July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-27 Key Points Access control matrix simplest abstraction mechanism for representing protection state Transitions alter protection state 6 primitive operations alter matrix –Transitions can be expressed as commands composed of these operations and, possibly, conditions

Download ppt "July 1, 2004Computer Security: Art and Science © 2002-2004 Matt Bishop Slide #2-1 Chapter 2: Access Control Matrix Overview Access Control Matrix Model."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
1 1 -Access Control - 2 - Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.

1 1 -Access Control Foundational Results. 2 2 Preliminaries Undecidability The Halting Problem The Turing Machine.
Access Control Discretionary Access Control Lecture 4 1.

Access Control Discretionary Access Control Lecture 4 1.
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.

1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
July 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.

April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.

Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.

19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.

590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.
CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.
1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.

1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.

1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.
Csci5233 computer security & integrity 1 Access Control Matrix.

Csci5233 computer security & integrity 1 Access Control Matrix.

Similar presentations

Ads by Google