CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz

Midterm?
 Likely during the week of Oct 20…
 Will announce for certain next class
Back to computer security…
Access control
 State of a system
– Includes, e.g., current memory contents, all
secondary storage, contents of all registers, etc.
 Secure states
– States in which the system is allowed to reside
– Security policy defines the set of secure states
– Security mechanism ensures that system never
leaves secure state
Access control
 Access control matrix
– Characterizes rights of each active entity
(“subject”) with respect to every other entity
 In any secure state, only transitions to other
secure states are allowed
– Often concerned with transitions that affect the
protection state of the system
– I.e., actions which alter the actions a subject is
authorized to take
Access control matrix
 Protected entities: “objects” O
 Active objects: “subjects” S (i.e., users/processes)
– Note that subjects are also objects
 Matrix A contains an entry for every pair (s, o)
– The entry contains the rights for s on o
– Examples: read/write/execute/etc.
 Protection states represented by (S, O, A)
Some examples
 Subjects/objects can be:
– Files
– Processes
– Systems
– Hosts
– Functions/variables (within a program)
– Database entries
– Etc.
More complex access control
 In general, “rights” may be functions
– “Actual” rights depend on the system state
– Equivalently, may depend on system history
 May be more convenient to express in non-matrix form
– E.g., boolean expression evaluation
Transitions
 Can view transitions that modify the
protection state as transformations of the
access control matrix
– E.g., create object; add right r to A[s,o]
 Can build more complex commands out of
these basic transformations
– E.g., create_file:
1. Creates object
2. Gives creator rights to the file
Conditional commands
 Can define even more complex commands
using conditionals
– E.g., grant_read_access
• Only if the function caller “owns” the file!
 Only AND is used in the conditions
– OR can be replaced by two commands (one per disjunct)
– NOT is not used
Attenuation of privilege
 Copy right
– Ability to transfer your rights to someone else
– Copier may have to surrender the right
 Own right
– Ability to grant rights on the object to others
 Attenuation of privilege
– “A subject may not give rights it does not
possess”
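The slides above describe the protection state (S, O, A), the primitive transformations of it, commands composed from them (create_file), conditional commands (grant read access only if the caller owns the file), and the copy right with attenuation of privilege. The following is an added example that is not part of the lecture: it models these in Python, using its own conventions (the command names, and a trailing "*" on a right such as "read*" to mean the right is copyable).

```python
"""Access control matrix (S, O, A) with primitive transformations and
commands composed from them.  Added example, not from the lecture; the
command names and the "r*" notation for a copyable right are this
example's own assumptions."""


class ProtectionState:
    """(S, O, A): subjects S, objects O, and A[s][o] = set of rights."""

    def __init__(self):
        self.S = set()
        self.O = set()
        self.A = {}          # A[s][o] -> set of rights, e.g. {"own", "read"}

    # --- primitive transformations of the protection state ---------------
    def create_subject(self, s):
        self.S.add(s)
        self.O.add(s)        # subjects are also objects
        self.A.setdefault(s, {})

    def create_object(self, o):
        self.O.add(o)

    def enter_right(self, r, s, o):
        assert s in self.S and o in self.O, "unknown subject or object"
        self.A[s].setdefault(o, set()).add(r)

    def delete_right(self, r, s, o):
        self.A.get(s, {}).get(o, set()).discard(r)

    def rights(self, s, o):
        return self.A.get(s, {}).get(o, set())

    # --- commands built from the primitives ------------------------------
    def create_file(self, creator, f):
        """1. create the object; 2. give the creator rights on it."""
        self.create_object(f)
        self.enter_right("own", creator, f)
        self.enter_right("read", creator, f)
        self.enter_right("write", creator, f)

    def grant_read(self, caller, target, f):
        """Conditional command: only if the caller owns the file."""
        if "own" in self.rights(caller, f):
            self.enter_right("read", target, f)
            return True
        return False

    def copy_right(self, r, giver, receiver, o, surrender=False):
        """Transfer right r on o.  Attenuation of privilege: the giver must
        itself hold the copyable form r*; optionally it surrenders r*."""
        if r + "*" not in self.rights(giver, o):
            return False
        self.enter_right(r, receiver, o)
        if surrender:
            self.delete_right(r + "*", giver, o)
        return True


def demo():
    st = ProtectionState()
    for s in ("alice", "bob", "carol"):
        st.create_subject(s)
    st.create_file("alice", "report.txt")
    ok_owner = st.grant_read("alice", "bob", "report.txt")      # owner: allowed
    ok_other = st.grant_read("bob", "carol", "report.txt")      # not owner: refused
    st.enter_right("read*", "alice", "report.txt")              # alice may copy "read"
    copied = st.copy_right("read", "alice", "carol", "report.txt", surrender=True)
    recopy = st.copy_right("read", "carol", "bob", "report.txt")  # carol has read, not read*
    return ok_owner, ok_other, copied, recopy, sorted(st.rights("carol", "report.txt"))
```

Note that every command only calls the primitive transformations, so the set of reachable protection states is exactly the set reachable through those primitives; the conditional in grant_read is a single conjunction, as the slides require, and copy_right refuses to hand out a right whose copyable form the giver does not hold.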
Final points (for now…)
 Access control matrices can express any
(reasonable) security policy
– In practice, such matrices may not be used
because of complexity, space requirements, etc.
Security policies
Security policy
 View system as finite automaton
– Transition functions change state
 Security policy classifies states as “secure”
or “insecure”
 A secure system starts in a “secure” state
and cannot enter an “insecure” state
– “Breach of security” occurs when a system
enters an “insecure” state
Confidentiality
 I = information; X = entities
 I has the property of confidentiality w.r.t. X
if no member of X can obtain information
about I
– Note the difference between this “high-level” definition
and a “low-level” one (e.g., the definition encryption satisfies)
Integrity (of data or principals)
 Let I = data or resource; X = entities
 I has the property of integrity w.r.t. X if all
members of X “trust” I
– Again, notice differences (why do they trust I?)
– They trust that the information was not
modified and also trust the information itself
Availability
 I = resource; X = entities
 I has the property of availability w.r.t. X if
all members of X can access I
– “Availability” depends on context
• Available in finite, but unbounded, amount of time?
• Available within 3 second delay?
Time-dependence
 Security policy may be time-dependent
– E.g., contractor has the right to access data, but
only as long as she is working for the company
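The "Security policy" slides above view the system as a finite automaton whose states a policy classifies as secure or insecure, with a mechanism that keeps the system from ever entering an insecure state; the slide just above gives a time-dependent policy (a contractor may access data only while under contract). The following is an added example that is not part of the lecture: the contractor scenario, the object name "company_data" and all function names are this example's own assumptions.

```python
"""A system viewed as a finite automaton: a state, transition functions, a
policy predicate classifying states as secure/insecure, and a mechanism that
refuses any transition whose target state is insecure.  Added example, not
from the lecture; the contractor scenario and all names are assumptions."""

from dataclasses import dataclass, replace
from functools import reduce


@dataclass(frozen=True)
class State:
    employed: frozenset   # contractors currently under contract
    can_read: frozenset   # (subject, object) pairs holding read access


def policy_secure(state: State) -> bool:
    """Time-dependent confidentiality policy: a contractor may hold read
    access on "company_data" only while under contract.  Access to any
    other object does not affect the classification."""
    return all(s in state.employed
               for (s, o) in state.can_read if o == "company_data")


# Transition functions State -> State.  They do not check the policy; that
# is the mechanism's job.
def hire(s):
    return lambda st: replace(st, employed=st.employed | {s})

def terminate(s):
    return lambda st: replace(st, employed=st.employed - {s})

def grant_read(s, o):
    return lambda st: replace(st, can_read=st.can_read | {(s, o)})

def revoke_read(s, o):
    return lambda st: replace(st, can_read=st.can_read - {(s, o)})

def compose(*transitions):
    """A compound command: apply the transitions in order as one step."""
    return lambda st: reduce(lambda acc, t: t(acc), transitions, st)


class Mechanism:
    """Enforces the policy: the system starts in a secure state and a
    transition is applied only if the state it leads to is also secure."""

    def __init__(self, initial: State):
        if not policy_secure(initial):
            raise ValueError("system must start in a secure state")
        self.state = initial
        self.log = []

    def apply(self, name, transition) -> bool:
        candidate = transition(self.state)
        allowed = policy_secure(candidate)
        if allowed:
            self.state = candidate
        self.log.append((name, "allowed" if allowed else "refused"))
        return allowed


def demo():
    m = Mechanism(State(frozenset(), frozenset()))
    results = [
        m.apply("grant before hire", grant_read("eve", "company_data")),  # refused
        m.apply("grant public doc", grant_read("eve", "public_notice")),  # allowed
        m.apply("hire", hire("eve")),                                     # allowed
        m.apply("grant after hire", grant_read("eve", "company_data")),   # allowed
        # ending the contract alone would leave eve's access dangling
        m.apply("terminate only", terminate("eve")),                      # refused
        # revoking and terminating as one compound step keeps the state secure
        m.apply("offboard", compose(revoke_read("eve", "company_data"),
                                    terminate("eve"))),                   # allowed
    ]
    return results, m.state
```

The mechanism knows nothing about individual transitions; it only evaluates the policy predicate on the state a transition would produce. That is why "terminate only" is refused while the compound "offboard" step is allowed: the policy classifies states, not actions, and a breach would be exactly the automaton entering a state the predicate rejects.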
Policies…
 Confidentiality policy identifies states in which
information is leaked to unauthorized entities
 Integrity policy identifies who may alter data, and
how it may be altered
 Availability policy identifies which resources must
be available, and to whom
– If “availability” is precisely defined, this may
also define “quality of service”
Security mechanism
 A security mechanism enforces (part of) the
security policy
– Includes procedural/operational controls, not
just technical controls
• E.g., who may enter the room in which backup tapes
are stored
• How new accounts are established
Security policies
 “Military security policy” is primarily concerned
with confidentiality
– Does not exclude other concerns…
 “Commercial security policy” is primarily
concerned with integrity (think: banking industry)
– E.g., consistent transactions
– The question of “trust” is much harder than the
question of confidentiality