Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz

advertisement 
CMSC 414
Computer (and Network) Security
Lecture 10
Jonathan Katz
Midterm?
 Likely during the week of Oct 20…
 Will announce for certain next class
Back to computer security…
Access control
 State of a system
– Includes, e.g., current memory contents, all
secondary storage, contents of all registers, etc.
 Secure states
– States in which the system is allowed to reside
– Security policy defines the set of secure states
– Security mechanism ensures that system never
leaves secure state
Access control
 Access control matrix
– Characterizes rights of each active entity
(“subject”) with respect to every other entity
 In any secure state, only transitions to other
secure states are allowed
– Often concerned with transitions that affect the
protection state of the system
– I.e., actions which alter the actions a subject is
authorized to take
Access control matrix
 Protected entities: “objects” O
 Active objects: “subjects” S (i.e., users/processes)
– Note that subjects are also objects
 Matrix A contains an entry for every pair (s, o)
– The entry contains the rights for s on o
– Examples: read/write/execute/etc.
 Protection states represented by (S, O, A)
Some examples
 Subjects/objects can be:
– Files
– Processes
– Systems
– Hosts
– Functions/variables (within a program)
– Database entries
– Etc.
More complex access control
 In general, “rights” may be functions
– “Actual” rights depend on the system state
– Equivalently, may depend on system history
 May be more convenient to express in non-
matrix form
– E.g., boolean expression evaluation
Transitions
 Can view transitions that modify the
protection state as transformations of the
access control matrix
–
E.g., create object; add right r to A[s,o]
 Can build more complex commands out of
these basic transformations
–
E.g., create_file:
1. Creates object
2. Gives creator rights to the file
Conditional commands
 Can define even more complex commands
using conditionals
– E.g., grant_read_access
• Only if the function caller “owns” the file!
 Only AND is used
– OR can be replaced by two commands
– NOT is not used
Attenuation of privilege
 Copy right
– Ability to transfer your rights to someone else
– Copier may have to surrender the right
 Own right
– Ability to grant rights on the object to others
 Attenuation of privilege
– “A subject may not give rights it does not
possess”
Final points (for now…)
 Access control matrices can express any
(reasonable) security policy
– In practice, such matrices may not be used
because of complexity, space requirements, etc.
Security policies
Security policy
 View system as finite automaton
– Transition functions change state
 Security policy classifies states as “secure”
or “insecure”
 A secure system starts in a “secure” state
and cannot enter an “insecure” state
– “Breach of security” occurs when a system
enters an “insecure” state
Confidentiality
 I = information; X = entities
 I has the property of confidentiality w.r.t. X
if no member of X can obtain information
about I
– Note differences between “high-level” definition
and “low-level” definition (i.e., encryption)
Integrity (of data or principles)
 Let I = data or resource; X = entities
 I has the property of integrity w.r.t. X if all
members of X “trust” I
– Again, notice differences (why do they trust I?)
– They trust that the information was not
modified and also trust the information itself
Availability
 I = resource; X = entities
 I has the property of availability w.r.t. X if
all members of X can access I
– “Availability” depends on context
• Available in finite, but unbounded, amount of time?
• Available within 3 second delay?
Time-dependence
 Security policy may be time-dependent
– E.g., contractor has the right to access data, but
only as long as she is working for the company
Policies…
 Confidentiality policy identifies states in which
information is leaked to unauthorized entities
 Integrity policy identifies who may alter data, and
how it may be altered
 Availability policy identifies which resources must
be available, and to whom
– If “availability” is precisely defined, this may
also define “quality of service”
Security mechanism
 A security mechanism enforces (part of) the
security policy
– Includes procedural/operational controls, not
just technical controls
• E.g., who may enter the room in which backup tapes
are stored
• How new accounts are established
Security policies
 “Military security policy” is primarily concerned
with confidentiality
– Does not exclude other concerns…
 “Commercial security policy” is primarily
concerned with integrity (think: banking industry)
– E.g., consistent transactions
– The question of “trust” is much harder than the
question of confidentiality
Related documents
There are conditions under which confidentiality may be breached. ... wanting to harm yourself or someone else, the experimenter will... LIMITS OF CONFIDENTIALITY
There are conditions under which confidentiality may be breached. ... wanting to harm yourself or someone else, the experimenter will... LIMITS OF CONFIDENTIALITY
Observation of Associate Teacher by Student Teacher
Observation of Associate Teacher by Student Teacher
Download
advertisement