Computer Security Access Control Mechanisms 12292021 1 States

Computer Security Access Control Mechanisms 12/29/2021 1

States of a Computer System The state of a system is the collection of current values of all components of the system: memory locations, secondary storage, registers etc. Protection states are those states that have to be protected. • . P = set of all protection states of the system • . Q = set of all authorized protection states • The system is not secure if the current state is in P -Q • 12/29/2021 A security policy characterizes the states in Q 2

Access Control Matrix Model This is used to describe the protection states. It characterizes the rights of each subject of the system (entity/process) regarding the objects of the system (entities/processes) in terms of a matrix. 12/29/2021 3

Butler-Lampson Model This describes the rights of users s (subjects) over files o (objects) by a matrix A whose rows are indexed by the subjects and whose columns are indexed by the objects. The rights belong to a set R. Each entry a[s, o] of matrix A is a subset of 12/29/2021 4

Butler-Lampson Model The set of protection states P of a system is represented by a set of triples in (S, O, A), where S is the set of users, O the set of files and A the Access Control Matrix. The set of rights R (the entries in A) depends on the application. 12/29/2021 5

Examples of ACMs file 1 file 2 process 1 read, write, process 2 process 1 write own process 2 append read, write execute, own read ex ecute, own Here R = { read, wright, own, append, execute } process 1 can read/write file 1, read file 2, communicate with process 2 by writing to it, etc. 12/29/2021 6

Examples: rights on a LAN host names telegraph toadflex telegraph own nob ftp, nfs, mail toadflex ftp, nfs, mail, own nob ftp, nfs, mail, own ftp, mail Here R = { ftp, mail, nfs, own }, where ftp = the right to access the File Transfer Protocol mail = the right to send/receive using the Simple Mail Transfer 12/29/2021 Protocol (SMTP) 7

Examples: rights in a program to synchronize events host names manager inc_ctr dec_ctr manager call counter inc_ctr dec_ctr call + - Here R = { +, -, call } (+, - represent the ability to add or subtract and call is the ability to invoke a procedure) inc_ctr increases a counter and dec_ctr decreases it 12/29/2021 manager calls the functions inc_ctr and dec_ctr 8

Other examples • Access Control by Boolean expression evaluation • Access Control by History See textbook 12/29/2021 9

Protection State Transitions Initial state of the system: X 0 = (S 0, O 0, A 0 ) Transitions: t 1, t 2, … Corresponding states: X 1, X 2, … We use the notation: Xi ├─ ti+1 Xi+1 to indicate the state transition ti+1 moves the system from Xi to Xi+1 X ├─* Y indicates that starting at X, after a series of transitions the system enters state Y. 12/29/2021 10

Protection State Transitions Xi ├─ ci+1 (pi+1, 1 , …, pi+1, m) Xi+1 indicates that the transition is caused by the command ci+1 with parameters pi+1, 1 , …, pi+1, m. 12/29/2021 11

The Harrison-Ruzzo-Ullman Model This is based on a set of primitive commands. • create subject s [precondition: s S postcondition: S’ = S { s }, O’ = O, no rights are assigned to s, all other rights are not affected ] • create object o [precondition: o O postcondition: S’= S, O’ = O { o }, no rights are assigned to o all other rights are not affected ] 12/29/2021 12

The Harrison-Ruzzo-Ullman Model • Enter right r into a[s, o] [precondition: s S, o O postcondition: S’ = S, O’ = O, a’ [s, o] = a [s. o] { r }, no other rights are affected ] • Delete right r from a[s, o] [precondition: s S, o O postcondition: S’ = S, O’ = O, a’ [s, o] = a [s. o] - { r }, no other rights are affected ] 12/29/2021 13

The Harrison-Ruzzo-Ullman Model • destroy subject s [precondition: s S postcondition: S’ = S - { s }, O’= O, a’ [s, o]= for all o O, no other rights are affected ] • destroy object o [precondition: o O postcondition: S’ = S, O’ = O - { o }, a’ [s, o] = for all s S, no other rights are affected ] 12/29/2021 14

The Harrison-Ruzzo-Ullman Model Example command create • file (p, f) create object f ; enter right own into a [p, f] ; enter right r into a [p, f] ; enter right w into a [p, f] ; end 12/29/2021 15

The Harrison-Ruzzo-Ullman Model Example –conditional commands Suppose process p wants to give process q the right to read file f command grant • read • file 1 • (p, f, q) if own in a [p, f] then enter r into a [q, f] ; end 12/29/2021 16

The Harrison-Ruzzo-Ullman Model Example –conditional commands using and Suppose process p wants to give process q the right to read file f command grant • read • file 2 • (p, f, q) if r in a [p, f] and c in a [p, f] then enter r into a [q, f] ; end See textbook for other examples. 12/29/2021 17

Copying and owning Rights • copy right (grant right) – augments existing rights • own right The copy right allows its possessor to grant rights (this right is often considered a flag attachment –hence flag right) The own right allows its possessor to add or delete privileges to themselves. 12/29/2021 18

Copying Example Suppose process p has right r over object f , and let c be a copy right. The following command allows p to copy r over f to another process q only if p has copy right over f. command grant • r(p, f, q) if r in a [p, f] and c in a [p, f] then enter r into a [q, f] ; end 12/29/2021 19

Attenuation of privilege The Principle of Attenuation of Privilege says that • a subject may not give rights it does not possess to another subject. 12/29/2021 20