CSCE 465 Lecture 14

Tuesday, March 5, 2013


Security Theory I

Access Control Matrix and Foundational Results


Access Control Matrix

Protection state of system: the current settings and values of the system that are relevant to protection.

State of system

  • collection of the current values of all memory locations, storage, registers, etc.
  • the subset of that collection that deals with protection is the protection state of the system

Matrix

  • Describes the protection state precisely
  • Matrix $A$ describing the rights of subjects
  • State transitions (written with $\vdash$) change elements of the matrix
  • Simplest abstraction mechanism for representing protection state
  • Subjects on rows
  • Objects (entities), including other subjects, on columns
  • Rights in cell $A[s,o]$ reflect subject $s$'s allowed actions on object $o$

Example (subjects $p$, $q$ are processes; objects $f$, $g$ are files; $r$ read, $w$ write, $x$ execute, $a$ append, $o$ own):

                       objects (entities)
                    f       g       p       q
  subjects    p     rwo     r       rwxo    w
              q     a       ro      r       rwxo


State Transitions

Change the protection state of the system.

State transitions are caused by commands.

Represented by the symbol $\vdash$:

  • a command moves the system from one protection state to the next

Protection State Transitions

Represented by 6 primitive commands that update/alter the matrix $A$:

create subject $s$
  creates a new row and a new column for $s$
create object $o$
  creates a new column for $o$
destroy subject $s$
  removes the row and the column corresponding to $s$
destroy object $o$
  removes the column corresponding to $o$
enter $r$ into $A[s,o]$
  adds right $r$ for subject $s$ over object $o$
delete $r$ from $A[s,o]$
  removes right $r$ for subject $s$ over object $o$

Example usage in transition commands (conditions are conjunctions of tests of the form "right in A[s,o]"; there is no negation and no "or"):

(* Mono-operational command = a single primitive operation *)
command make-owner(p, g)
  enter own into A[p,g];
end

(* Conditional command = the operation is applied only if the condition on the current matrix holds *)
command grant-read-file-1(p, f, q)
  if own in A[p,f] then
    enter r into A[q,f];
  end
end

(* Multiple conditions: let p give q the r and w rights over f if p owns f and p has the c (copy) right over q *)
command grant-read-file-2(p, f, q)
  if own in A[p,f] and c in A[p,q] then
    enter r into A[q,f];
    enter w into A[q,f];
  end
end

Special Rights

  • Copy right ($c$): allows its possessor to grant rights to another subject
  • Own right: enables its possessor to add or delete privileges for itself and for others


Foundational Results

Given a computer system, how can we determine if it is secure?

Security vs. Safety

Let $R$ be the set of generic (primitive) rights of the system (no special rights).

When a generic right $r$ is added to an element of the access control matrix not already containing $r$, that right $r$ is said to be leaked.

  • If a system can never leak a right $r$, it is said to be safe with respect to the right $r$.
  • If a system can leak $r$, it is said to be unsafe with respect to the right $r$.

Safety refers to the abstract model; security refers to the actual implementation.

  • A secure system corresponds to a model that is safe with respect to all rights
  • However, a model safe with respect to all rights does not by itself ensure a secure system (the implementation may not match the model)

Our question can now be reworded as:

Does there exist an algorithm for determining whether a protection system $S$ with initial state $s_0$ is safe with respect to a generic right $r$?

Here, "safe" plays the role of "secure" for the abstract model.

Such an algorithm exists, but only for mono-operational systems, in which every command consists of a single primitive operation; there the relevant reachable states can be enumerated (deletes and destroys can be ignored, and one created subject suffices), so safety is decidable.

General case: it is undecidable whether a given state of a protection system is safe for a given generic right (the Harrison-Ruzzo-Ullman result).
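The following is an added worked example, not part of the lecture notes: a small Python model of the matrix above with the six primitive operations, the three commands from the transition-command example, and the enumeration the decidability result for mono-operational systems relies on. All names (ACM, leaks, initial_state, the "S"/"O" signature strings, the fresh subject s_new) are my own. Because every command here only enters rights, firing each command with every argument tuple until the matrix stops changing visits every reachable matrix, and a single fresh subject stands in for any create-subject step; arbitrary conditional multi-operation commands, the case the notes call undecidable, are not covered by this search.

```python
"""Toy model of the access control matrix from the notes: the six primitive
operations, the grant-read-file commands, and a brute-force safety check for
commands that only add rights.  Added example, not part of the lecture."""
from copy import deepcopy
from itertools import product


class ACM:
    """A[s, o] is the set of rights subject s holds over object o.
    Every subject is also an object, so each subject has a row and a column."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.A = {}                      # (subject, object) -> set of rights

    def copy(self):
        return deepcopy(self)

    def rights(self, s, o):
        return self.A.get((s, o), set())

    def snapshot(self):                  # hashable view, used to detect change
        return {k: frozenset(v) for k, v in self.A.items()}

    # --- the six primitive operations -----------------------------------
    def create_subject(self, s):         # new row and new column
        assert s not in self.objects, f"{s} already exists"
        self.subjects.add(s)
        self.objects.add(s)
        for o in self.objects:
            self.A[(s, o)] = set()
        for t in self.subjects:
            self.A.setdefault((t, s), set())

    def create_object(self, o):          # new column only
        assert o not in self.objects, f"{o} already exists"
        self.objects.add(o)
        for t in self.subjects:
            self.A[(t, o)] = set()

    def destroy_subject(self, s):        # drop row and column of s
        self.subjects.discard(s)
        self.objects.discard(s)
        self.A = {k: v for k, v in self.A.items() if s not in k}

    def destroy_object(self, o):         # drop column of o
        self.objects.discard(o)
        self.A = {k: v for k, v in self.A.items() if k[1] != o}

    def enter(self, r, s, o):            # KeyError if s is no subject / o unknown
        self.A[(s, o)].add(r)

    def delete(self, r, s, o):
        self.A[(s, o)].discard(r)


# --- the commands from the notes, built from the primitives ----------------
def make_owner(m, p, g):                 # mono-operational
    m.enter("own", p, g)


def grant_read_file_1(m, p, f, q):       # one condition, one primitive
    if "own" in m.rights(p, f):
        m.enter("r", q, f)


def grant_read_file_2(m, p, f, q):       # two conditions, two primitives
    if "own" in m.rights(p, f) and "c" in m.rights(p, q):
        m.enter("r", q, f)
        m.enter("w", q, f)


def initial_state():
    """The 2x4 example matrix from the notes (constructed): p, q processes, f, g files."""
    m = ACM()
    for s in ("p", "q"):
        m.create_subject(s)
    for o in ("f", "g"):
        m.create_object(o)
    cells = {("p", "f"): "r w own", ("p", "g"): "r", ("p", "p"): "r w x own",
             ("p", "q"): "w", ("q", "f"): "a", ("q", "g"): "r own",
             ("q", "p"): "r", ("q", "q"): "r w x own"}
    for (s, o), rs in cells.items():
        for r in rs.split():
            m.enter(r, s, o)
    return m


def leaks(m0, commands, right, fresh="s_new"):
    """Cells into which `right` can be entered although m0 does not hold it there.
    `commands` is a list of (function, signature); the signature has one 'S'
    (subject) or 'O' (object) per parameter.  Rights only grow under these
    commands, so firing each one with every argument tuple until nothing changes
    reaches every reachable matrix; one fresh subject stands in for any
    create-subject step.  An empty list means: safe with respect to `right`."""
    m = m0.copy()
    m.create_subject(fresh)
    changed = True
    while changed:
        changed = False
        for cmd, sig in commands:
            pools = [sorted(m.subjects if c == "S" else m.objects) for c in sig]
            for args in product(*pools):
                before = m.snapshot()
                cmd(m, *args)
                if m.snapshot() != before:
                    changed = True
    return sorted((s, o) for (s, o), rs in m.A.items()
                  if right in rs and right not in m0.rights(s, o))


if __name__ == "__main__":
    m0 = initial_state()
    print("r leaks via grant-read-file-1:", leaks(m0, [(grant_read_file_1, "SOS")], "r"))
    print("r leaks via grant-read-file-2:", leaks(m0, [(grant_read_file_2, "SOS")], "r"))
```

From the initial matrix, grant-read-file-1 alone is unsafe with respect to r: p owns f, so p can enter r into A[q,f] and into the row of a subject that did not exist initially. grant-read-file-2 is safe with respect to r from the same state, because no subject holds the c right over anyone, so its guard never fires; give p the c right over q and w leaks into A[q,f] and A[q,p].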


Security Policy and Models

Let $X$ be a set of entities and $I$ information.

Confidentiality

$I$ has the confidentiality property with respect to $X$ if no $x \in X$ can obtain access to $I$.

Integrity

$I$ has the integrity property with respect to $X$ if all $x \in X$ trust the information in $I$.

Types:

  • Trust the data contained in $I$ (data integrity)
  • Trust the origin/identity of the information in $I$ (origin integrity)

Availability

$I$ has the availability property with respect to $X$ if all $x \in X$ can access $I$.


Example

Policy disallows cheating, including copying homework, with or without permission.

Scenario:

  • CSE class has students do homework on a computer
  • Anne forgets to read-protect her homework file
  • Bill copies Anne's homework assignment

Bill cheated, since

  • the policy forbids copying a homework assignment
  • Bill did it, so the system entered an unauthorized state

Anne did not breach security:

  • she didn't protect her homework, but the security policy does not require her to


Mechanisms

Entity or procedure that enforces some part of security policy

Access Control

Determines what rights a particular entity has for a set of objects

Answers questions like:

  • Do you have the right to read /etc/passwd?
  • Does Alice have the right to view the CSE website?

Access Control Policy

function $P(\mathit{subj}, \mathit{obj}, \mathit{right}) \to \{\mathit{accept}, \mathit{deny}\}$

A policy is a (large) set of such (subject, object, right) tuples, whether or not it is explicitly represented that way.

The access control matrix is shorthand notation for this function: $P(s, o, r)$ is accept exactly when $r \in A[s,o]$.