Access Control Matrix - PowerPoint PPT Presentation

Provided by: tandre

1
Access Control Matrix
2
Outline
  • Overview
  • Access Control Matrix Model
  • Boolean Expression Evaluation
  • History
  • Protection State Transitions
  • Commands
  • Conditional Commands
  • Special Rights
  • Principle of Attenuation of Privilege

3
Overview
  • State
    – The collection of the current values of all
      memory locations, all secondary storage, and all
      registers and other components of the system.
  • Protection state of system
    – A subset of the states that are relevant to
      protection
  • Access control matrix
    – A tool that can describe protection state
    – Matrix describing rights of subjects
    – State transitions change elements of matrix

4
Overview
  • Access control matrix model
    – The most precise model used to describe a
      protection state
    – It characterizes the rights of each subject with
      respect to every other entity, which can be
      active or passive.
  • The set of objects is the set of all protected
    entities
  • The set of subjects is the set of active objects,
    such as processes and users.
  • The ACM captures the relationships between the
    subjects and the objects.
  • When a command changes the state of the system, a
    state transition occurs.

5
Description
  • Subjects S = {s1, …, sn}
  • Objects O = {o1, …, om}
  • Rights R = {r1, …, rk}
  • Entries A[si, oj] ⊆ R
  • A[si, oj] = {rx, …, ry} means subject si has
    rights rx, …, ry over object oj
  (Matrix figure: rows s1 … sn, columns o1 … om,
   entries A[s1, o1] … A[sn, om])
6
Example 1
  • Processes p, q
  • Files f, g
  • Rights r, w, x (execute), a(ppend), o(wn)
           f      g      p      q
      p    rwo    r      rwxo   w
      q    a      ro     r      rwxo

7
Example 2
  • Procedures inc_ctr, dec_ctr, manage
  • Variable counter
  • Rights +, −, call
               counter   inc_ctr   dec_ctr   manage
      inc_ctr  +
      dec_ctr  −
      manage             call      call      call

8
Boolean Expression Evaluation
  • ACM may be used to control access to database
    fields
    – Subjects have attributes (e.g., name, role,
      groups, programs, etc.)
    – Verbs define type of access (e.g., read, write,
      paint, temp_ctl)
    – Rules associated with (object, verb) pair (e.g.,
      object = recipes, verb = write, rule = 'creative'
      in subject.group)
  • Subject attempts to access object
    – Rule for (object, verb) evaluated, grants or
      denies access

9
Example of rules
  • Subject annie
    – Attributes role (artist), groups (creative)
  • Verb paint
    – Default 0 (deny unless explicitly granted)
  • Object picture
  • A sample rule
      paint: 'artist' in subject.role and
             'creative' in subject.groups and
             time.hour > 17 and time.hour < 20

10
ACM at 3AM and 10AM
At 18:00 (6 PM), time condition met; ACM is:
              picture
      annie   paint

At 10 AM, time condition not met; ACM is:
              picture
      annie   (empty)
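The rule evaluation on the two slides above, worked as an added Python example (not code from the slides); the Subject class, the RULES table and the function names are this example's own, and 18 and 10 are the two hours the slides test:

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    role: set = field(default_factory=set)
    groups: set = field(default_factory=set)

# Rule table keyed by (object, verb): each entry is a predicate over
# (subject, hour). Anything not listed is denied (default = 0).
RULES = {
    ("picture", "paint"): lambda s, hour: (
        "artist" in s.role
        and "creative" in s.groups
        and hour > 17 and hour < 20),
}

def access_allowed(subject, obj, verb, hour):
    """Evaluate the rule for (obj, verb); a missing rule means deny."""
    rule = RULES.get((obj, verb))
    return bool(rule and rule(subject, hour))

def acm_at(subjects, objects, hour):
    """Materialise the ACM the rules imply at a given hour:
    entry (subject, object) -> set of verbs currently granted."""
    return {
        (s.name, o): {v for (ob, v) in RULES
                      if ob == o and access_allowed(s, o, v, hour)}
        for s in subjects for o in objects
    }

# Constructed subject taken from the slide's attributes
annie = Subject("annie", role={"artist"}, groups={"creative"})

if __name__ == "__main__":
    print(acm_at([annie], ["picture"], 18))  # {('annie', 'picture'): {'paint'}}
    print(acm_at([annie], ["picture"], 10))  # {('annie', 'picture'): set()}
```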
11
Access Controlled by History
  • Query-set-overlap control to prevent
    deduction/inference attacks
  • Database
        name    position    age   salary
        Celia   teacher     45    40,000
        Heidi   aide        20    20,000
        Holly   principal   37    60,000
        Leo     teacher     50    50,000
        Matt    teacher     33    50,000
  • Queries
    – C1 = sum(salary, position = teacher) = 140,000
    – C3 = sum(salary, age > 40 and position = teacher)
      should not be answered (deduce Matt's salary)

12
Access Controlled by History
  • Database
        name    position    age   salary
        Celia   teacher     45    40,000
        Heidi   aide        20    20,000
        Holly   principal   37    60,000
        Leo     teacher     50    50,000
        Matt    teacher     33    50,000
  • O1 = {Celia, Leo, Matt} (query set of C1)
  • O3 = {Celia, Leo} (query set of C3)
  • Check out Dobkin/Jones, 1979.
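An added Python example (not from the slides) of query-set-overlap control over the table above: the guard records the query set of every answered query and refuses a new query whose set overlaps a recorded one in more than MAX_OVERLAP rows. The threshold value and the HistoryGuard name are this example's assumptions; the slides give only the two query sets O1 and O3.

```python
from typing import Callable, Optional

# Constructed copy of the slide's table: (name, position, age, salary)
DB = [
    ("Celia", "teacher",   45, 40_000),
    ("Heidi", "aide",      20, 20_000),
    ("Holly", "principal", 37, 60_000),
    ("Leo",   "teacher",   50, 50_000),
    ("Matt",  "teacher",   33, 50_000),
]
# Assumed policy: refuse a query whose set shares more than this many rows
# with the set of any query already answered (the slides fix no number).
MAX_OVERLAP = 1

class HistoryGuard:
    """sum(salary, predicate) with query-set-overlap control."""
    def __init__(self, rows=DB, max_overlap=MAX_OVERLAP):
        self.rows = rows
        self.max_overlap = max_overlap
        self.history = []          # query sets (name sets) already answered

    def query_set(self, pred: Callable[[tuple], bool]) -> frozenset:
        return frozenset(r[0] for r in self.rows if pred(r))

    def sum_salary(self, pred: Callable[[tuple], bool]) -> Optional[int]:
        qset = self.query_set(pred)
        if any(len(qset & past) > self.max_overlap for past in self.history):
            return None            # refused: could be combined with history
        self.history.append(qset)
        return sum(r[3] for r in self.rows if r[0] in qset)

guard = HistoryGuard()
# C1: O1 = {Celia, Leo, Matt} -> 140000
C1 = guard.sum_salary(lambda r: r[1] == "teacher")
# C3: O3 = {Celia, Leo} overlaps O1 in 2 rows -> None (refused)
C3 = guard.sum_salary(lambda r: r[1] == "teacher" and r[2] > 40)
```

Answered in the other order, C3 is returned (90,000) and C1 is the one refused, since the overlap is symmetric.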

13
State Transitions
  • Change the protection state of system
  • ⊢ represents transition
    – Xi ⊢τ Xi+1: command τ moves system from state
      Xi to Xi+1
    – Xi ⊢* Xi+1: a sequence of commands moves system
      from state Xi to Xi+1
  • Commands are often called transformation
    procedures

14
Primitive Operations
  • create subject s
    – Creates new row, column in ACM
  • create object o
    – Creates new column in ACM
  • destroy subject s
    – Deletes row, column from ACM
  • destroy object o
    – Deletes column from ACM
  • enter r into A[s, o]
    – Adds r rights for subject s over object o
  • delete r from A[s, o]
    – Removes r rights from subject s over object o

15
Create Subject
  • Precondition: s ∉ S
  • Primitive command: create subject s
  • Postconditions:
    – S′ = S ∪ {s}, O′ = O ∪ {s}
    – (∀y ∈ O′)[a′[s, y] = ∅], (∀x ∈ S′)[a′[x, s] = ∅]
    – (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

16
Create Object
  • Precondition: o ∉ O
  • Primitive command: create object o
  • Postconditions:
    – S′ = S, O′ = O ∪ {o}
    – (∀x ∈ S′)[a′[x, o] = ∅]
    – (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

17
Add Right
  • Precondition: s ∈ S, o ∈ O
  • Primitive command: enter r into a[s, o]
  • Postconditions:
    – S′ = S, O′ = O
    – a′[s, o] = a[s, o] ∪ {r}
    – (∀x ∈ S′ − {s})(∀y ∈ O′ − {o})
      [a′[x, y] = a[x, y]]

18
Delete Right
  • Precondition: s ∈ S, o ∈ O
  • Primitive command: delete r from a[s, o]
  • Postconditions:
    – S′ = S, O′ = O
    – a′[s, o] = a[s, o] − {r}
    – (∀x ∈ S′ − {s})(∀y ∈ O′ − {o})
      [a′[x, y] = a[x, y]]

19
Destroy Subject
  • Precondition: s ∈ S
  • Primitive command: destroy subject s
  • Postconditions:
    – S′ = S − {s}, O′ = O − {s}
    – (∀y ∈ O′)[a′[s, y] = ∅], (∀x ∈ S′)[a′[x, s] = ∅]
    – (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]

20
Destroy Object
  • Precondition: o ∈ O
  • Primitive command: destroy object o
  • Postconditions:
    – S′ = S, O′ = O − {o}
    – (∀x ∈ S′)[a′[x, o] = ∅]
    – (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]

21
Creating File
  • Process p creates file f with r and w permission
      command createfile(p, f)
          create object f
          enter own into A[p, f]
          enter r into A[p, f]
          enter w into A[p, f]
      end

22
Mono-Operational Commands
  • Single primitive operation in a command
  • Example: make process p the owner of file g
      command makeowner(p, g)
          enter own into A[p, g]
      end

23
Conditional Commands
  • Let p give q r rights over f, if p owns f
      command grantreadfile1(p, f, q)
          if own in A[p, f]
          then
              enter r into A[q, f]
      end
  • Mono-conditional command
    – Single condition in this command

24
Multiple Conditions
  • Let p give q r and w rights over f, if p owns f
    and p has c rights over q
      command grantreadfile2(p, f, q)
          if own in A[p, f] and c in A[p, q]
          then
              enter r into A[q, f]
              enter w into A[q, f]
      end

25
Copy Right
  • Allows possessor to give rights to another
  • Often attached to a right, so only applies to
    that right
  • r is read right that cannot be copied
  • rc is read right that can be copied
  • Is copy flag copied when giving r rights?
  • Depends on model, instantiation of model

26
Own Right
  • Usually allows the possessor to change entries in
    ACM column
    – So owner of object can add, delete rights for
      others
  • May depend on what system allows
    – Can't give rights to specific (set of) users
    – Can't pass copy flag to specific (set of) users

27
Attenuation of Privilege
  • The principle says you can't give rights you do
    not possess.
    – Restricts addition of rights within a system
  • Usually ignored for owner
    – Why? Owner gives herself rights, gives them to
      others, deletes her rights.

28
Key Points
  • Access control matrix: simplest abstraction
    mechanism for representing protection state
  • Transitions alter protection state
  • 6 primitive operations alter matrix
  • Transitions can be expressed as commands composed
    of these operations and, possibly, conditions