
Computer Security Access Control Mechanisms


Presentation Transcript


  1. Computer Security: Access Control Mechanisms

  2. States of a Computer System
  The state of a system is the collection of current values of all components of the system: memory locations, secondary storage, registers, etc. Protection states are those states that have to be protected.
  • $P$ = set of all protection states of the system
  • $Q$ = set of all authorized protection states
  • The system is not secure if the current state is in $P - Q$
  • A security policy characterizes the states in $Q$
  • A security mechanism prevents the system from entering a state in $P - Q$

  3. Access Control Matrix Model This is used to describe the protection states. It characterizes the rights of each subject of the system (entity/process) regarding the objects of the system (entities/processes) in terms of a matrix.

  4. Butler-Lampson Model
  This describes the rights of users $s$ (subjects) over files $o$ (objects) by a matrix $A$ whose rows are indexed by the subjects and whose columns are indexed by the objects. The rights belong to a set $R$. Each entry $a[s,o]$ of matrix $A$ is a subset of $R$: the set of rights of user $s$ over file $o$.

  5. Butler-Lampson Model
  The set of protection states $P$ of a system is represented by a set of triples $(S, O, A)$, where $S$ is the set of users (subjects), $O$ the set of files (objects) and $A$ the access control matrix. The set of rights $R$ (the entries in $A$) depends on the application.

  6. Examples of ACMs

                 file 1             file 2      process 1                    process 2
    process 1    read, write, own   read        read, write, execute, own    write
    process 2    append             read, own   read                         read, write, execute, own

  Here $R$ = { read, write, own, append, execute }. Process 1 can read and write file 1, read file 2, communicate with process 2 by writing to it, and so on. Note that the processes appear both as rows (subjects) and as columns (objects), since a process can be the target of another process's rights.

  7. Examples: rights on a LAN

    host names   telegraph   nob                   toadflex
    telegraph    own         ftp                   ftp
    nob                      ftp, nfs, mail, own   ftp, nfs, mail
    toadflex                 ftp, mail             ftp, nfs, mail, own

  Here $R$ = { ftp, mail, nfs, own }, where
  • ftp = the right to access the File Transfer Protocol
  • mail = the right to send/receive using the Simple Mail Transfer Protocol (SMTP)
  • nfs = the right to access file systems using the Network File System protocol

  8. Examples: rights in a program to synchronize events

               counter   inc_ctr   dec_ctr   manager
    inc_ctr    +
    dec_ctr    -
    manager              call      call      call

  Here $R$ = { +, -, call } (+ and - represent the ability to add to or subtract from the counter; call is the ability to invoke a procedure). inc_ctr increases the counter and dec_ctr decreases it; manager calls the functions inc_ctr and dec_ctr.

  9. Other examples
  • Access control by Boolean expression evaluation
  • Access control by history
  See textbook.

  10. Protection State Transitions
  Initial state of the system: $X_0 = (S_0, O_0, A_0)$
  Transitions: $t_1, t_2, \ldots$
  Corresponding states: $X_1, X_2, \ldots$
  We use the notation $X_i \vdash_{t_{i+1}} X_{i+1}$ to indicate that the state transition $t_{i+1}$ moves the system from $X_i$ to $X_{i+1}$.
  $X \vdash^{*} Y$ indicates that, starting at $X$, after a series of transitions the system enters state $Y$.

  11. Protection State Transitions
  $X_i \vdash_{c_{i+1}(p_{i+1,1}, \ldots, p_{i+1,m})} X_{i+1}$ indicates that the transition is caused by the command $c_{i+1}$ with parameters $p_{i+1,1}, \ldots, p_{i+1,m}$.

  12. The Harrison-Ruzzo-Ullman Model
  This is based on a set of primitive commands.
  • create subject $s$ [precondition: $s \notin S$; postcondition: $S' = S \cup \{s\}$, $O' = O$, no rights are assigned to $s$, all other rights are not affected]
  • create object $o$ [precondition: $o \notin O$; postcondition: $S' = S$, $O' = O \cup \{o\}$, no rights are assigned to $o$, all other rights are not affected]

  13. The Harrison-Ruzzo-Ullman Model
  • enter right $r$ into $a[s,o]$ [precondition: $s \in S$, $o \in O$; postcondition: $S' = S$, $O' = O$, $a'[s,o] = a[s,o] \cup \{r\}$, no other rights are affected]
  • delete right $r$ from $a[s,o]$ [precondition: $s \in S$, $o \in O$; postcondition: $S' = S$, $O' = O$, $a'[s,o] = a[s,o] - \{r\}$, no other rights are affected]

  14. The Harrison-Ruzzo-Ullman Model
  • destroy subject $s$ [precondition: $s \in S$; postcondition: $S' = S - \{s\}$, $O' = O$, $a'[s,o] = \emptyset$ for all $o \in O$, no other rights are affected]
  • destroy object $o$ [precondition: $o \in O$; postcondition: $S' = S$, $O' = O - \{o\}$, $a'[s,o] = \emptyset$ for all $s \in S$, no other rights are affected]

  15. The Harrison-Ruzzo-Ullman Model
  Example command:
    command create·file(p, f)
      create object f;
      enter right own into a[p,f];
      enter right r into a[p,f];
      enter right w into a[p,f];
    end

  16. The Harrison-Ruzzo-Ullman Model
  Example: conditional commands. Suppose process p wants to give process q the right to read file f.
    command grant·read·file1(p, f, q)
      if own in a[p,f]
      then enter r into a[q,f];
    end

  17. The Harrison-Ruzzo-Ullman Model
  Example: conditional commands using "and". Suppose process p wants to give process q the right to read file f, and c is the copy right.
    command grant·read·file2(p, f, q)
      if r in a[p,f] and c in a[p,f]
      then enter r into a[q,f];
    end
  See textbook for other examples.

  18. Copying and Owning Rights
  • copy right (also called grant right): augments an existing right. The copy right allows its possessor to grant that right to other subjects. Because it is attached to another right rather than standing on its own, it is often treated as a flag (hence "copy flag").
  • own right: allows its possessor to add or delete privileges for themselves over the object.

  19. Copying Example
  Suppose process p has right r over object f, and let c be the copy right. The following command allows p to copy r over f to another process q only if p also holds the copy right over f.
    command grant·r(p, f, q)
      if r in a[p,f] and c in a[p,f]
      then enter r into a[q,f];
    end

  20. Attenuation of Privilege
  The Principle of Attenuation of Privilege says that
  • a subject may not give to another subject rights that it does not itself possess.
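The following Python, added here as an example and not part of the slides or the textbook, implements the protection state (S, O, A) as a small class with the six HRU primitive operations of slides 12 to 14, each guarded by its stated precondition, and builds the create·file, grant·read·file1 and copy-flag grant·r commands of slides 15 to 19 on top of them. The class and method names (ACM, PreconditionError, create_file, grant_read_file1, grant_right, demo) and the sample subjects and files are chosen for this example; the right names own, r, w and the copy flag c are the slides' own. The `r in a[p,f]` test in grant_right is where the attenuation principle of slide 20 is enforced, and the comment on grant_read_file1 points out that the owner-only version does not check it.

```python
"""Access control matrix (S, O, A) with the HRU primitive operations.

Added example, not slide material. S and O are kept as separate sets,
as on the slides (the textbook convention S is a subset of O is not assumed).
The right names "own", "r", "w" and the copy flag "c" follow the slides;
everything else (class, method and sample names) is chosen for this example.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Right = str
Entry = Tuple[str, str]          # (subject, object) index into the matrix


class PreconditionError(Exception):
    """An HRU primitive was applied in a state that violates its precondition."""


class ACM:
    """Protection state X = (S, O, A); a[s,o] is A.get((s, o)), missing key = empty set."""

    def __init__(self) -> None:
        self.S: Set[str] = set()
        self.O: Set[str] = set()
        self.A: Dict[Entry, Set[Right]] = {}
        self.history: List[str] = []     # the commands c1, c2, ... applied so far

    def rights(self, s: str, o: str) -> FrozenSet[Right]:
        return frozenset(self.A.get((s, o), ()))

    # -- the six HRU primitives (slides 12-14); each checks its precondition --
    def create_subject(self, s: str) -> None:
        if s in self.S:
            raise PreconditionError(f"subject {s!r} already in S")
        self.S.add(s)                              # S' = S ∪ {s}, O' = O

    def create_object(self, o: str) -> None:
        if o in self.O:
            raise PreconditionError(f"object {o!r} already in O")
        self.O.add(o)                              # O' = O ∪ {o}, S' = S

    def enter_right(self, r: Right, s: str, o: str) -> None:
        if s not in self.S or o not in self.O:
            raise PreconditionError(f"enter {r}: ({s!r}, {o!r}) not in S x O")
        self.A.setdefault((s, o), set()).add(r)    # a'[s,o] = a[s,o] ∪ {r}

    def delete_right(self, r: Right, s: str, o: str) -> None:
        if s not in self.S or o not in self.O:
            raise PreconditionError(f"delete {r}: ({s!r}, {o!r}) not in S x O")
        self.A.get((s, o), set()).discard(r)       # a'[s,o] = a[s,o] - {r}

    def destroy_subject(self, s: str) -> None:
        if s not in self.S:
            raise PreconditionError(f"subject {s!r} not in S")
        self.S.remove(s)                           # S' = S - {s}
        self.A = {k: v for k, v in self.A.items() if k[0] != s}   # a'[s,o] = ∅ for all o

    def destroy_object(self, o: str) -> None:
        if o not in self.O:
            raise PreconditionError(f"object {o!r} not in O")
        self.O.remove(o)                           # O' = O - {o}
        self.A = {k: v for k, v in self.A.items() if k[1] != o}   # a'[s,o] = ∅ for all s

    # -- commands composed from the primitives (slides 15-19) ----------------
    def create_file(self, p: str, f: str) -> None:
        """create·file(p, f): p becomes owner of f with read and write."""
        self.create_object(f)
        for r in ("own", "r", "w"):
            self.enter_right(r, p, f)
        self.history.append(f"create_file({p},{f})")

    def grant_read_file1(self, p: str, f: str, q: str) -> bool:
        """grant·read·file1(p, f, q): conditioned only on own in a[p,f].
        It never checks that p itself holds r, so this command on its own
        does not enforce attenuation of privilege."""
        if "own" in self.rights(p, f):
            self.enter_right("r", q, f)
            self.history.append(f"grant_read_file1({p},{f},{q})")
            return True
        return False

    def grant_right(self, r: Right, p: str, f: str, q: str) -> bool:
        """grant·r(p, f, q): p copies r over f to q only if p holds both r and
        the copy flag c on f. 'r in a[p,f]' is the attenuation check."""
        held = self.rights(p, f)
        if r in held and "c" in held:
            self.enter_right(r, q, f)
            self.history.append(f"grant_{r}({p},{f},{q})")
            return True
        return False


def demo() -> ACM:
    """Drive the state X0 ⊢* Xn with the slides' commands and return Xn."""
    x = ACM()
    for p in ("process 1", "process 2"):           # constructed sample subjects
        x.create_subject(p)
    x.create_file("process 1", "file 1")
    assert x.grant_read_file1("process 1", "file 1", "process 2")   # owner may grant r
    # process 1 holds w but no copy flag c on file 1: grant·w is refused
    assert not x.grant_right("w", "process 1", "file 1", "process 2")
    x.enter_right("c", "process 1", "file 1")
    assert x.grant_right("w", "process 1", "file 1", "process 2")
    # attenuation: process 2 has r, w and c but not own, so it cannot give own away
    x.enter_right("c", "process 2", "file 1")
    assert not x.grant_right("own", "process 2", "file 1", "process 1")
    return x
```

Running demo() leaves process 2 with {r, w, c} over file 1 and records exactly the three successful commands in history; the refused grants change neither the matrix nor the history, which is the behaviour a security mechanism must have to keep the system out of P − Q.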
