CSCE 465 Lecture 14


Tuesday, March 5, 2013


Security Theory I

Access Control Matrix and Foundational Results


Access Control Matrix

Protection state of a system: describes the current settings and values of the system that are relevant to protection

State of system

  • Collection of current values of all memory locations, storage, registers, etc.
  • The subset of that collection that deals with protection is the protection state of the system

Matrix

  • Describes the protection state precisely
  • A matrix describing the rights of subjects over objects
  • State transitions change elements of the matrix
  • Simplest abstraction mechanism for representing the protection state
  • Subjects on rows
  • Objects (including the other subjects) on columns
  • Rights in cells reflect the subject's allowed actions on that object

Example matrix for subjects (processes) p and q and objects (files) f and g:

           f      g      p      q
    p    rwo      r    rwxo     w
    q      a     ro       r   rwxo


State Transitions

Change protection state of system

State transitions due to commands

Represented by symbol .

  • : command moves system from state to .

Protection State Transitions

Represented by 6 primitive commands that update/alter the matrix:

create subject
creates new row and column
create object
creates new column
destroy subject
removes row and column corresponding to
destroy object
removes column corresponding to
enter into
adds rights from subject to object
delete from
removes rights from subject to object

Example usage in transition commands:

(* Mono-operational command = a single primitive operation *)
command make-owner(p, g)
  enter own into A[p,g];
end

(* Conditional command = applies the operation only if the test on the matrix succeeds *)
command grant-read-file-1(p, f, q)
  if own in A[p,f] then
    enter r into A[q,f];
end

(* Multiple conditions: let p give q the r and w rights over f if p owns f and p has the c right over q *)
command grant-read-file-2(p, f, q)
  if own in A[p,f] and c in A[p,q] then
    enter r into A[q,f];
    enter w into A[q,f];
end

Special Rights

  • Copy right allows the possessor to grant its rights to others
  • Own right enables the possessor to add/delete privileges for themselves and others


Foundational Results

Given a computer system, how can we determine if it is secure?

Security vs. Safety

Let be set of generic (primitive) rights of system (no special rights)

When a generic right r is added to an element of the access control matrix that did not already contain r, the right r is said to be leaked

  • If a system can never leak a right r, it is said to be safe with respect to the right r.
  • If a system can leak r, it is said to be unsafe with respect to right r
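An added example, not part of the lecture notes: the matrix, the six primitive operations and the three commands above written as Python, with every entry of a right into a cell that lacked it recorded as a leak in the sense just defined. The class name ACM, the demo function and the leaks list are this example's own choices.

```python
from collections import defaultdict

class ACM:
    """A[s, o] -> set of rights; subjects are rows and columns, objects columns only."""
    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.A = defaultdict(set)
        self.leaks = []  # (right, subject, object) entered into a cell that lacked it
    # the six primitive commands; everything else is built from these
    def create_subject(self, s):  # new row and column
        self.subjects.add(s)
        self.objects.add(s)
    def create_object(self, o):  # new column only
        self.objects.add(o)
    def destroy_subject(self, s):  # remove the column, then the row
        self.destroy_object(s)
        self.subjects.discard(s)
        for o in self.objects:
            self.A.pop((s, o), None)
    def destroy_object(self, o):
        self.objects.discard(o)
        for s in self.subjects:
            self.A.pop((s, o), None)
    def enter(self, r, s, o):
        if r not in self.A[s, o]:  # r enters a cell that lacked it: a leak
            self.leaks.append((r, s, o))
        self.A[s, o].add(r)
    def delete(self, r, s, o):
        self.A[s, o].discard(r)
    def make_owner(self, p, g):  # from the notes: mono-operational
        self.enter("own", p, g)
    def grant_read_file_1(self, p, f, q):  # conditional
        if "own" in self.A[p, f]:
            self.enter("r", q, f)
    def grant_read_file_2(self, p, f, q):  # two conditions
        if "own" in self.A[p, f] and "c" in self.A[p, q]:
            self.enter("r", q, f)
            self.enter("w", q, f)

def demo():
    # constructed scenario: q gets r and w over f only once p owns f and has c over q
    acm = ACM()
    for s in ("p", "q"):
        acm.create_subject(s)
    acm.create_object("f")
    acm.make_owner("p", "f")
    acm.grant_read_file_2("p", "f", "q")  # no effect: p lacks c over q
    acm.enter("c", "p", "q")
    acm.grant_read_file_2("p", "f", "q")  # both conditions hold now
    return acm
```

The leaks list is exactly the trace a safety check would inspect: the matrix is safe with respect to r only if no reachable sequence of commands ever appends r to it.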

Safety refers to abstract model and security refers to actual implementation.

  • Secure system corresponds to a model safe with respect to all rights
  • However, a model safe with respect to all rights does not ensure a secure system

Our question can now be reworded into:

Does there exist an algorithm for determining whether a protection system S with initial state s_0 is safe with respect to a generic right r?

Here, "safe" = "secure" for an abstract model.

An algorithm exists, but only for the case of mono-operational commands, where all reachable states can be enumerated.

General case: it is undecidable whether a given state of a protection system is safe for a generic right


Security Policy and Models

X is a set of entities, I is information

Confidentiality

has confidentiality property with respect to if no can obtain access to .

Integrity

has integrity property with respect to if all trust information in .

Types:

  • Trust the data contained in
  • Trust origin/identity of information in

Availability

has availability property with respect to if all can access .


Example

Policy disallows cheating, which includes copying homework, with or without permission.

Scenario:

  • CSE class has students do homework on a computer
  • Anne forgets to read-protect her homework file
  • Bill copies Anne's homework assignment

Bill cheated, since:

  • The policy forbids copying homework assignments
  • Bill did it
  • The system entered an unauthorized state

Anne did not breach security:

  • She didn't protect her homework, but the security policy does not require her to


Mechanisms

An entity or procedure that enforces some part of the security policy

Access Control

Determines what rights a particular entity has for a set of objects

Answers questions like:

  • Do you have the right to read /etc/passwd?
  • Does Alice have the right to view the CSE website?

Access Control Policy

function

A policy is a large set of these tuples, whether it is explicitly represented that way or not.

The matrix is shorthand notation for this set of tuples.