Chapter 1: Introduction

Fall 2021
Cp 633
Slide #2-*
Chapter 2: Access Control Matrix
The protection state describes the conditions under which the system is secure.
The Access Control Matrix Model (ACM) is a formulation of the protection state (initially developed for operating systems and databases).
Protection state transitions are caused by:
Commands
Conditional commands
Special rights
Principle of attenuation of privilege

Cp 633
*

Overview
Protection state of a system
Describes the current settings and values of the system that are relevant to protection, i.e. the access rights.
Access control matrix
Describes the protection state precisely at one moment in time.
A matrix describing the rights of subjects over objects
State transitions (i.e. protection commands) change elements of the matrix
The access control matrix is an abstract model of the protection state and must always be discussed with respect to the implementation.

ACM Description

Subjects S = { s1, …, sn }
Note that all the subjects of interest to us are untrusted. Trusted subjects should not appear in the matrix.
Objects O = { o1, …, om }
Rights R = { r1, …, rk }
Entries A[si, oj] ⊆ R
A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj

One row per subject, one column per object; since subjects are themselves objects, the subjects also appear as columns:

              objects (entities)
subjects      o1 … om   s1 … sn
s1
s2
…
sn

Example 1
Processes p, q
Files f, g
Rights r (read), w (write), x (execute), a (append), o (own)

      f      g      p       q
p     rwo    r      rwxo    w
q     a      ro     r       rwxo

Example 2, macro level
Rights on a local network
Computers: telegraph, nob, toadflax
Rights: own, ftp, mail, www, dns

            telegraph    nob              toadflax
telegraph   own          ftp, www         dns, mail
nob         –            own, ftp, www    dns, mail
toadflax    –            ftp, www         mail, dns, own

Example 3, micro level, at the programming-language level
Procedures inc_ctr, dec_ctr, manager are subjects
Variable counter is an object
Rights +, –, call

          counter    inc_ctr    dec_ctr    manager
inc_ctr   +
dec_ctr   –
manager              call       call       call

Access control by Boolean expression evaluation in databases
The ACM can also be used to control access to database fields (objects) by using an Access Restriction Facility (ARF).
Subjects have attributes, e.g. name, role, group, etc.
Verbs define the type of access (like read, write, execute)
A rule is associated with each (object, verb) pair, and there is a default rule for each verb.

name     role              group             program
matt     programmer        sys, hack         compilers, editors
holly    artist            user, creative    editors, paint, draw
heidi    chef, gardener    acct, creative    editors, kitchen

Verbs
Each verb has a default rule:
Access denied unless explicitly granted (0), or
Access granted unless explicitly denied (1)

verb                    default rule
read                    1
write                   0
paint                   0
temperature.control     0

Relationship between names, verbs and rules
Associated with each object is a set of verbs, and each (object, verb) pair has an associated rule:

A subject attempts to access the object with a verb
The rule for (object, verb) is evaluated, which grants or denies the access

name         verb: rule
recipes      write: 'creative' in subject.group
overpass     write: 'artist' in subject.role or 'gardener' in subject.role
.shellrct    write: 'hack' in subject.group and time.hour < 4 and time.hour > 0
oven.dev     temperature.control: 'kitchen' in subject.program and 'chef' in subject.role

Example
ACM between midnight and 4am:

          recipes        overpass       .shellrct      oven.dev
matt      read           read, write    read, write
holly     read, write    read, write    read
heidi     read, write    read, write    read           temperature.control

ACM at other times:

          recipes        overpass       .shellrct      oven.dev
matt      read           read, write    read
holly     read, write    read, write    read
heidi     read, write    read, write    read           temperature.control
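Evaluating the ARF rules of the previous slides against the subject table, as an added example that is not part of the slides: SUBJECTS, DEFAULTS, RULES, allowed and acm_at are names chosen here, and the hour parameter stands in for time.hour so the ACM can be computed for any time of day.

```python
# Added example (not from the slides): evaluate the ARF-style (object, verb)
# rules. Subject attributes, verb defaults and rules are copied from the
# slides; the clock hour is a parameter so both ACMs can be computed.

SUBJECTS = {  # attributes as sets, so "'x' in subject.role" is set membership
    "matt":  {"role": {"programmer"}, "group": {"sys", "hack"},
              "program": {"compilers", "editors"}},
    "holly": {"role": {"artist"}, "group": {"user", "creative"},
              "program": {"editors", "paint", "draw"}},
    "heidi": {"role": {"chef", "gardener"}, "group": {"acct", "creative"},
              "program": {"editors", "kitchen"}},
}

# Default rule per verb: 1 = granted unless denied, 0 = denied unless granted.
DEFAULTS = {"read": 1, "write": 0, "paint": 0, "temperature.control": 0}

# One Boolean rule per (object, verb) pair; pairs without a rule use the default.
RULES = {
    ("recipes", "write"): lambda s, hour: "creative" in s["group"],
    ("overpass", "write"): lambda s, hour: "artist" in s["role"] or "gardener" in s["role"],
    (".shellrct", "write"): lambda s, hour: "hack" in s["group"] and hour < 4 and hour > 0,
    ("oven.dev", "temperature.control"):
        lambda s, hour: "kitchen" in s["program"] and "chef" in s["role"],
}

OBJECTS = ("recipes", "overpass", ".shellrct", "oven.dev")

def allowed(subject, obj, verb, hour):
    """Grant iff the (obj, verb) rule says so; without a rule, use the verb's default."""
    rule = RULES.get((obj, verb))
    if rule is None:
        return DEFAULTS.get(verb, 0) == 1   # verbs with no default are denied
    return bool(rule(SUBJECTS[subject], hour))

def acm_at(hour):
    """The ACM at the given hour: acm[subject][object] is the set of verbs granted."""
    return {s: {o: {v for v in DEFAULTS if allowed(s, o, v, hour)} for o in OBJECTS}
            for s in SUBJECTS}
```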

Protection State Transitions in ACM
A transition changes the protection state of the system, Xi = (Si, Oi, Ai)
|– represents a transition due to a command
Xi |– Xi+1: a single command moves the system from state Xi to Xi+1
Xi |–* Xi+1: a sequence of commands moves the system from state Xi to Xi+1
Commands are often called transformation procedures

Primitive Operations on ACM
create subject s; create object o
Creates a new row and a new column in the ACM; creates a new column in the ACM
destroy subject s; destroy object o
Deletes the row and column from the ACM; deletes the column from the ACM
enter r into A[s, o]
Adds right r for subject s over object o (to the cell A[s, o])
delete r from A[s, o]
Removes right r from subject s over object o (from the cell A[s, o])

Example: Creating a File in Unix
Process p creates file f with r and w permission

command create•file(p, f)
    create object f;
    enter own into A[p, f];
    enter r into A[p, f];
    enter w into A[p, f];
end

The system updates the ACM only through defined commands, i.e. it cannot use the primitive operations directly.
A command can contain any number of primitive operations.

Mono-Operational Commands
Make process p the owner of file g

command make•owner(p, g)
    enter own into A[p, g];
end

This is a mono-operational command:
there is a single primitive operation in this command

Conditional Commands
Let process p give process q right r over f, if p owns f

command grant•read•file•1(p, f, q)
    if own in A[p, f]
    then
        enter r into A[q, f];
end
Mono-conditional command:
there is a single condition in this command
Conditions can be linked using and

Multiple Conditions with grant/copy right
Let process p give process q the r and w rights over file f.
The condition is that p owns f and p has the distinguished right c over object f.

command grant•read•file•2(p, f, q)
    if own in A[p, f] and c in A[p, f]
    then
        enter r into A[q, f];
        enter w into A[q, f];
end
Note that conditions are always joined by and and never by or, since an or condition is equivalent to two commands each with a single condition.
Negation of a condition is not permitted.

Copy Flag
Allows the possessor of a right to give that right to another subject
Often attached to a right, so it applies only to that right
r is a read right that cannot be copied
rc is a read right that can be copied

command grant•r•right(p, f, q)
    if r in A[p, f] and c in A[p, f]
    then
        enter r into A[q, f];
end
Is the copy flag copied along when giving the r right?
Depends on the model and on the instantiation of the model

Own Right
A special right that enables the possessor of an object to add and delete privileges for themselves or for others.
Usually allows the possessor to change entries in the object's ACM column
So the owner of an object can add and delete rights for others, as with the chmod command in Unix
What is allowed may depend on the system (e.g. chown in Unix and Linux)
Can't give rights to a specific (set of) users
Can't pass the copy flag to a specific (set of) users

Principle of Attenuation of Privilege
A subject may not increase its rights, nor grant rights it does not possess to another subject.
This rule should exist in all correct implementations.
Restricts the addition of rights within a system
Usually ignored for the owner
Why? The owner gives herself the rights, gives them to others, then deletes her own rights.
Suppose user matt owns the file /home/matt/xyz but does not have read permission on it. He can still issue the command:
chmod go+r /home/matt/xyz
User holly, from the same group, cannot change the rights on xyz since she does not own it. However, she can now read it, copy it, and make the copy world-readable.
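The primitive operations, the create•file and grant•r•right (copy flag) commands, and the attenuation rule with its owner exception, as an added example that is not part of the slides: the ACM class and the names create_file, grant_r_right and grant are chosen here, and the owner exception is implemented as the slides describe it.

```python
# Added example (not from the slides): a small access control matrix with the
# primitive operations, two of the commands above, and a grant command that
# applies the principle of attenuation of privilege (owner excepted).
from collections import defaultdict

class ACM:
    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.A = defaultdict(set)       # A[(s, o)] is a set of rights

    # Primitive operations: the only things that change the matrix.
    def create_subject(self, s):        # new row, and new column (s is an object too)
        self.subjects.add(s); self.objects.add(s)
    def create_object(self, o):         # new column
        self.objects.add(o)
    def destroy_object(self, o):        # delete the column and every cell in it
        self.objects.discard(o)
        for cell in [c for c in self.A if c[1] == o]:
            del self.A[cell]
    def enter(self, r, s, o):           # enter r into A[s, o]
        if s not in self.subjects or o not in self.objects:
            raise KeyError((s, o))      # commands may only name existing entities
        self.A[(s, o)].add(r)
    def delete(self, r, s, o):          # delete r from A[s, o]
        self.A[(s, o)].discard(r)
    def rights(self, s, o):
        return self.A.get((s, o), set())

# Commands: primitives guarded by a conjunction of conditions (no or, no not).
def create_file(acm, p, f):             # create•file(p, f) from the slides
    acm.create_object(f)
    for r in ("own", "r", "w"):
        acm.enter(r, p, f)

def grant_r_right(acm, p, f, q):        # grant•r•right(p, f, q) from the slides
    # Copy flag: p may pass r on f only while it holds both r and c on f.
    if "r" in acm.rights(p, f) and "c" in acm.rights(p, f):
        acm.enter("r", q, f)
        return True
    return False

def grant(acm, p, f, q, r):             # hypothetical owner-aware grant
    # Attenuation of privilege: p may give q only rights p itself holds on f,
    # with the usual exception that the owner of f may grant any right.
    if r in acm.rights(p, f) or "own" in acm.rights(p, f):
        acm.enter(r, q, f)
        return True
    return False
```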

Key Points
The access control matrix is the simplest abstraction mechanism for representing the protection state
In practice, it is not used directly because of its space requirements
Transitions caused by commands alter the protection state
Primitive operations alter the access control matrix
Transitions can be expressed as commands composed of these operations and, possibly, conditions
