Access Control Matrix
Slide 2. Outline
- Overview
- Access Control Matrix Model
  - Boolean Expression Evaluation
  - History
- Protection State Transitions
  - Commands
  - Conditional Commands
- Special Rights
  - Principle of Attenuation of Privilege
Slide 3. Overview
- State
  - The collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system.
- Protection state of the system
  - The subset of the state that is relevant to protection.
- Access control matrix
  - A tool that can describe the protection state.
  - A matrix describing the rights of subjects.
  - State transitions change elements of the matrix.
Slide 4. Overview
- Access control matrix model
  - The most precise model used to describe a protection state.
  - It characterizes the rights of each subject with respect to every other entity, which can be active or passive.
  - The set of objects = the set of all protected entities.
  - The set of subjects = the set of active objects, such as processes and users.
  - The ACM captures the relationships between the subjects and the objects.
  - When a command changes the state of the system, a state transition occurs.
Slide 5. Description
- Subjects S = {s1, …, sn}
- Objects O = {o1, …, om}
- Rights R = {r1, …, rk}
- Entries A[si, oj] ⊆ R
- A[si, oj] = {rx, …, ry} means subject si has rights rx, …, ry over object oj

(Figure: the matrix, with one row per subject s1 … sn and one column per object (entity) o1 … om, s1 … sn; the cell A[sn, om] is marked.)
Slide 6. Example 1
- Processes p, q
- Files f, g
- Rights r, w, x (execute), a(ppend), o(wn)

        f      g     p      q
  p     rwo    r     rwxo   w
  q     a      ro    r      rwxo
Slide 7. Example 2
- Procedures inc_ctr, dec_ctr, manage
- Variable counter
- Rights +, –, call

           counter   inc_ctr   dec_ctr   manage
  inc_ctr  +
  dec_ctr  –
  manage             call      call      call
Slide 8. Boolean Expression Evaluation
- The ACM may be used to control access to database fields
  - Subjects have attributes (e.g., name, role, groups, programs)
  - Verbs define the type of access (e.g., read, write, paint, temp_ctl)
  - Rules are associated with each (object, verb) pair (e.g., object = recipes; verb = write; rule = 'creative' in subject.group)
- When a subject attempts to access an object
  - The rule for that (object, verb) pair is evaluated and grants or denies the access
Slide 9. Example of rules
- Subject annie
  - Attributes: role (artist), groups (creative)
- Verb paint
  - Default 0 (deny unless explicitly granted)
- Object picture
- A sample rule:

    paint: 'artist' in subject.role and
           'creative' in subject.groups and
           time.hour >= 17 and time.hour < 20
Slide 10. ACM at 3AM and 10AM

At 18 PM, time condition met; ACM is:

            …   picture   …
    …
    annie       paint
    …

At 10AM, time condition not met; ACM is:

            …   picture   …
    …
    annie       (empty)
    …
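To make the evaluation concrete, here is an added example (not part of the slides) that encodes the (object, verb) rule table from slides 8 and 9 as predicates and materialises annie's ACM entry for a given hour; the Subject class and the acm_entry/acm_at names are my own.

```python
from dataclasses import dataclass, field


@dataclass
class Subject:
    """A subject with the attributes the rules inspect (class name assumed)."""
    name: str
    role: set = field(default_factory=set)
    groups: set = field(default_factory=set)


# Rules are keyed by (object, verb); each is a predicate over (subject, hour).
# A verb with no rule, or whose rule evaluates false, keeps its default of 0 (deny).
RULES = {
    ("picture", "paint"): lambda subj, hour: (
        "artist" in subj.role
        and "creative" in subj.groups
        and 17 <= hour < 20
    ),
}
VERBS = ("paint",)


def acm_entry(subject, obj, hour):
    """Set of verbs the subject may apply to obj at the given hour of day."""
    granted = set()
    for verb in VERBS:
        rule = RULES.get((obj, verb))
        if rule is not None and rule(subject, hour):
            granted.add(verb)
    return granted


def acm_at(subjects, objects, hour):
    """The whole ACM for one instant: {(subject name, object): rights}."""
    return {(s.name, o): acm_entry(s, o, hour) for s in subjects for o in objects}


# Constructed sample subject, matching slide 9.
annie = Subject("annie", role={"artist"}, groups={"creative"})
```

Because the rule depends on the clock, the matrix is not a fixed table: the same subject and object yield a different entry at 18:00 and at 10:00.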
Slide 11. Access Controlled by History
- Query-set-overlap control: to prevent deduction/inference attacks
- Database:

    name    position   age   salary
    Celia   teacher    45    $40,000
    Heidi   aide       20    $20,000
    Holly   principal  37    $60,000
    Leo     teacher    50    $50,000
    Matt    teacher    33    $50,000

- Queries:
  - C1 = sum(salary, "position = teacher") = $140,000
  - C3 = sum(salary, "age > 40 & position = teacher") should not be answered (it would let the querier deduce Matt's salary)
Slide 12. Access Controlled by History
- Database: the same table as on the previous slide
- Query sets of the queries on the previous slide:
  - O1 = {Celia, Leo, Matt}
  - O3 = {Celia, Leo}
- Check out [Dobkins/Jones, 1979].
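Added example, not from the slides: a query-set-overlap control over the table above that records the query set of every answered query and refuses a new query whose set overlaps an earlier one by more than an assumed threshold MAX_OVERLAP (the slides state no threshold; the OverlapControl class and its names are mine).

```python
# Constructed copy of the slides' table: (name, position, age, salary).
DB = [
    ("Celia", "teacher", 45, 40000),
    ("Heidi", "aide", 20, 20000),
    ("Holly", "principal", 37, 60000),
    ("Leo", "teacher", 50, 50000),
    ("Matt", "teacher", 33, 50000),
]

MAX_OVERLAP = 1   # assumed threshold; the slides do not give a value


class OverlapControl:
    """Answers sum(salary, predicate) only while query sets overlap little."""

    def __init__(self, db, max_overlap=MAX_OVERLAP):
        self.db = db
        self.max_overlap = max_overlap
        self.history = []           # query sets O_i of queries already answered

    def query_set(self, predicate):
        """O_i: the names of the records the predicate selects."""
        return {name for name, pos, age, _ in self.db if predicate(pos, age)}

    def sum_salary(self, predicate):
        """Return the sum, or None when the query is refused."""
        qs = self.query_set(predicate)
        for prev in self.history:
            if len(qs & prev) > self.max_overlap:
                return None         # refused: too much overlap with history
        self.history.append(qs)
        return sum(sal for name, _, _, sal in self.db if name in qs)


# The slides' queries C1 and C3 as predicates over (position, age).
def c1(pos, age):
    return pos == "teacher"


def c3(pos, age):
    return age > 40 and pos == "teacher"
```

With the threshold at 1, C3 is refused after C1 has been answered because |O1 ∩ O3| = 2; the order of the queries matters, which is why the control is called history-based.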
Slide 13. State Transitions
- Change the protection state of the system
- |- represents a transition
  - Xi |- Xi+1: a command moves the system from state Xi to state Xi+1
  - Xi |-* Xi+1: a sequence of commands moves the system from state Xi to state Xi+1
- Commands are often called transformation procedures
Slide 14. Primitive Operations
- create subject s
  - Creates a new row and a new column in the ACM
- create object o
  - Creates a new column in the ACM
- destroy subject s
  - Deletes a row and a column from the ACM
- destroy object o
  - Deletes a column from the ACM
- enter r into A[s, o]
  - Adds right r for subject s over object o
- delete r from A[s, o]
  - Removes right r from subject s over object o
Slide 15. Create Subject
- Precondition: s ∉ S
- Primitive command: create subject s
- Postconditions:
  - S′ = S ∪ {s}, O′ = O ∪ {s}
  - (∀ y ∈ O′)[a′[s, y] = ∅], (∀ x ∈ S′)[a′[x, s] = ∅]
  - (∀ x ∈ S)(∀ y ∈ O)[a′[x, y] = a[x, y]]

Slide 16. Create Object
- Precondition: o ∉ O
- Primitive command: create object o
- Postconditions:
  - S′ = S, O′ = O ∪ {o}
  - (∀ x ∈ S′)[a′[x, o] = ∅]
  - (∀ x ∈ S)(∀ y ∈ O)[a′[x, y] = a[x, y]]

Slide 17. Add Right
- Precondition: s ∈ S, o ∈ O
- Primitive command: enter r into a[s, o]
- Postconditions:
  - S′ = S, O′ = O
  - a′[s, o] = a[s, o] ∪ {r}
  - (∀ x ∈ S′ – {s})(∀ y ∈ O′ – {o})[a′[x, y] = a[x, y]]

Slide 18. Delete Right
- Precondition: s ∈ S, o ∈ O
- Primitive command: delete r from a[s, o]
- Postconditions:
  - S′ = S, O′ = O
  - a′[s, o] = a[s, o] – {r}
  - (∀ x ∈ S′ – {s})(∀ y ∈ O′ – {o})[a′[x, y] = a[x, y]]

Slide 19. Destroy Subject
- Precondition: s ∈ S
- Primitive command: destroy subject s
- Postconditions:
  - S′ = S – {s}, O′ = O – {s}
  - (∀ y ∈ O′)[a′[s, y] = ∅], (∀ x ∈ S′)[a′[x, s] = ∅]
  - (∀ x ∈ S′)(∀ y ∈ O′)[a′[x, y] = a[x, y]]

Slide 20. Destroy Object
- Precondition: o ∈ O
- Primitive command: destroy object o
- Postconditions:
  - S′ = S, O′ = O – {o}
  - (∀ x ∈ S′)[a′[x, o] = ∅]
  - (∀ x ∈ S′)(∀ y ∈ O′)[a′[x, y] = a[x, y]]
Slide 21. Creating File
- Process p creates file f with r and w permission

    command create•file(p, f)
        create object f;
        enter own into A[p, f];
        enter r into A[p, f];
        enter w into A[p, f];
    end

Slide 22. Mono-Operational Commands
- A single primitive operation in a command
- Example: make process p the owner of file g

    command make•owner(p, g)
        enter own into A[p, g];
    end

Slide 23. Conditional Commands
- Let p give q r rights over f, if p owns f

    command grant•read•file•1(p, f, q)
        if own in A[p, f]
        then
            enter r into A[q, f];
    end

- Mono-conditional command
  - A single condition in this command

Slide 24. Multiple Conditions
- Let p give q r and w rights over f, if p owns f and p has c rights over q

    command grant•read•file•2(p, f, q)
        if own in A[p, f] and c in A[p, q]
        then
            enter r into A[q, f];
            enter w into A[q, f];
    end
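Added example (my code, not the slides'): an ACM class implementing the six primitive operations of slides 14 to 20 with their preconditions enforced, and the commands create•file, grant•read•file•1 and grant•read•file•2 of slides 21 to 24 composed from them; rights are plain strings, and an absent entry reads as the empty set.

```python
class ACM:
    def __init__(self):
        self.S, self.O, self.A = set(), set(), {}   # A: (s, o) -> set of rights

    def _require(self, cond, msg):      # precondition of a primitive operation
        if not cond:
            raise ValueError(msg)

    def create_subject(self, s):        # s not in S: new row and new column
        self._require(s not in self.S, f"{s} is already a subject")
        self.S.add(s)
        self.O.add(s)                   # a subject is also an object

    def create_object(self, o):         # o not in O: new column
        self._require(o not in self.O, f"{o} is already an object")
        self.O.add(o)

    def destroy_subject(self, s):       # s in S: drop its row and its column
        self._require(s in self.S, f"{s} is not a subject")
        self.S.remove(s)
        self.O.remove(s)
        self.A = {k: v for k, v in self.A.items() if s not in k}

    def destroy_object(self, o):        # o in O: drop its column
        self._require(o in self.O, f"{o} is not an object")
        self.O.remove(o)
        self.A = {k: v for k, v in self.A.items() if k[1] != o}

    def enter(self, r, s, o):           # enter r into A[s, o]
        self._require(s in self.S and o in self.O, "unknown subject or object")
        self.A.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):          # delete r from A[s, o]
        self._require(s in self.S and o in self.O, "unknown subject or object")
        self.A.get((s, o), set()).discard(r)

# --- commands composed of primitives; a missing entry reads as the empty set ---
def create_file(acm, p, f):             # create•file(p, f)
    acm.create_object(f)
    for r in ("own", "r", "w"):
        acm.enter(r, p, f)

def grant_read_file_1(acm, p, f, q):    # mono-conditional: p must own f
    if "own" in acm.A.get((p, f), set()):
        acm.enter("r", q, f)

def grant_read_file_2(acm, p, f, q):    # both conditions must hold
    if "own" in acm.A.get((p, f), set()) and "c" in acm.A.get((p, q), set()):
        acm.enter("r", q, f)
        acm.enter("w", q, f)
```

A command whose condition is false leaves the matrix unchanged, and a primitive whose precondition fails raises instead of silently altering the protection state.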
Slide 25. Copy Right
- Allows the possessor to give rights to another
- Often attached to a right, so it applies only to that right
  - r is a read right that cannot be copied
  - rc is a read right that can be copied
- Is the copy flag copied when giving r rights?
  - Depends on the model and on the instantiation of the model
Slide 26. Own Right
- Usually allows the possessor to change entries in the ACM column
  - So the owner of an object can add and delete rights for others
  - May depend on what the system allows
    - Can't give rights to specific (sets of) users
    - Can't pass the copy flag to specific (sets of) users
Slide 27. Attenuation of Privilege
- The principle says you can't give rights you do not possess.
  - Restricts the addition of rights within a system
  - Usually ignored for the owner
    - Why? The owner gives herself the rights, gives them to others, then deletes her own rights.
Slide 28. Key Points
- The access control matrix is the simplest abstraction mechanism for representing a protection state
- Transitions alter the protection state
- Six primitive operations alter the matrix
  - Transitions can be expressed as commands composed of these operations and, possibly, conditions
