CMSC 414 Computer (and Network) Security
Lecture 10
Jonathan Katz

Midterm?
Likely during the week of Oct 20…
Will announce for certain next class

Back to computer security…

Access control
State of a system
– Includes, e.g., current memory contents, all secondary storage, contents of all registers, etc.
Secure states
– States in which the system is allowed to reside
– Security policy defines the set of secure states
– Security mechanism ensures that the system never leaves a secure state

Access control
Access control matrix
– Characterizes the rights of each active entity (“subject”) with respect to every other entity
In any secure state, only transitions to other secure states are allowed
– Often concerned with transitions that affect the protection state of the system
– I.e., actions which alter the set of actions a subject is authorized to take

Access control matrix
Protected entities: “objects” O
Active objects: “subjects” S (i.e., users/processes)
– Note that subjects are also objects
Matrix A contains an entry for every pair (s, o)
– The entry A[s,o] contains the rights of s on o
– Examples: read/write/execute/etc.
Protection state represented by the triple (S, O, A)

Some examples
Subjects/objects can be:
– Files
– Processes
– Systems
– Hosts
– Functions/variables (within a program)
– Database entries
– Etc.

More complex access control
In general, “rights” may be functions
– “Actual” rights depend on the system state
– Equivalently, may depend on system history
May be more convenient to express in non-matrix form
– E.g., boolean expression evaluation

Transitions
Can view transitions that modify the protection state as transformations of the access control matrix
– E.g., create object; add right r to A[s,o]
Can build more complex commands out of these basic transformations
– E.g., create_file:
1. Creates the object
2. Gives the creator rights to the file

Conditional commands
Can define even more complex commands using conditionals
– E.g., grant_read_access
• Only if the function caller “owns” the file!
Only AND is used in conditions
– OR can be replaced by two commands (one per disjunct)
– NOT is not used

Attenuation of privilege
Copy right
– Ability to transfer your rights to someone else
– The copier may have to surrender the right (the right moves rather than being duplicated)
Own right
– Ability to grant rights on the object to others
Attenuation of privilege
– “A subject may not give rights it does not possess”

Final points (for now…)
Access control matrices can express any (reasonable) security policy
– In practice, such matrices may not be used directly because of complexity, space requirements, etc.

Security policies

Security policy
View the system as a finite automaton
– Transition functions change the state
Security policy classifies states as “secure” or “insecure”
A secure system starts in a “secure” state and cannot enter an “insecure” state
– A “breach of security” occurs when the system enters an “insecure” state

Confidentiality
I = information; X = entities
I has the property of confidentiality w.r.t. X if no member of X can obtain information about I
– Note the differences between this “high-level” definition and “low-level” definitions (e.g., encryption)

Integrity (of data or principals)
Let I = data or resource; X = entities
I has the property of integrity w.r.t. X if all members of X “trust” I
– Again, notice the differences (why do they trust I?)
– They trust that the information was not modified, and also trust the information itself

Availability
I = resource; X = entities
I has the property of availability w.r.t. X if all members of X can access I
– “Availability” depends on context
• Available in a finite, but unbounded, amount of time?
• Available within a 3 second delay?
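The access control matrix material on the slides above (the primitive transitions, the create_file command built from them, the owner-only grant_read_access conditional command, and the copy right with attenuation of privilege) worked through as one added example. This is illustrative code, not from the lecture or any real system: the class name, the rights "own", "read", "write" and "copy", and the choice to model the copy right as a single right on the object are assumptions made for the example.

```python
"""Access control matrix with HRU-style primitive transitions, compound
commands, a conditional command, and the attenuation-of-privilege check.
Added example; names and the set of rights are illustrative assumptions."""


class AccessControlMatrix:
    """Protection state (S, O, A).

    Subjects are also objects, so every subject is added to both sets.
    A is stored sparsely as {(s, o): set_of_rights}; a missing pair means
    "no rights", exactly like an empty cell of the matrix.
    """

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.A = {}

    def rights(self, s, o):
        return self.A.get((s, o), frozenset())

    # ---- primitive transformations of the matrix (the basic transitions) ----
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)  # subjects are also objects

    def create_object(self, o):
        self.objects.add(o)

    def enter_right(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"unknown subject/object: {s!r}, {o!r}")
        self.A.setdefault((s, o), set()).add(r)

    def delete_right(self, r, s, o):
        self.A.get((s, o), set()).discard(r)

    # ---- compound commands built only from the primitives ----
    def create_file(self, creator, f):
        """create_file: (1) create the object, (2) give the creator rights.
        Assumed rights for a creator: own, read, write and copy."""
        self.create_object(f)
        for r in ("own", "read", "write", "copy"):
            self.enter_right(r, creator, f)

    def grant_read_access(self, caller, target, f):
        """Conditional command: read is entered for target only if the caller
        owns f.  The condition is a conjunction of matrix tests (AND only)."""
        if "own" in self.rights(caller, f) and target in self.subjects:
            self.enter_right("read", target, f)
            return True
        return False  # condition false: the matrix is left unchanged

    def transfer_right(self, r, src, dst, o, surrender=False):
        """Copy right: src passes r on o to dst.
        Attenuation of privilege: src may not give a right it does not hold.
        src must also hold the (assumed) copy right on o.  With surrender=True
        the right moves to dst instead of being duplicated."""
        held = self.rights(src, o)
        if r not in held:
            raise PermissionError(f"attenuation of privilege: {src} lacks {r} on {o}")
        if "copy" not in held:
            raise PermissionError(f"{src} has no copy right on {o}")
        self.enter_right(r, dst, o)
        if surrender:
            self.delete_right(r, src, o)


def demo():
    """Constructed scenario: alice creates a file, grants bob read, bob tries
    and fails to grant carol read and to hand carol a right he lacks, then
    alice moves her write right to bob."""
    m = AccessControlMatrix()
    for s in ("alice", "bob", "carol"):
        m.create_subject(s)
    m.create_file("alice", "report.txt")
    m.grant_read_access("alice", "bob", "report.txt")  # alice owns: succeeds
    bob_grants = m.grant_read_access("bob", "carol", "report.txt")  # refused
    try:
        m.transfer_right("write", "bob", "carol", "report.txt")  # bob lacks write
        attenuated = False
    except PermissionError:
        attenuated = True
    m.transfer_right("write", "alice", "bob", "report.txt", surrender=True)
    return m, bob_grants, attenuated


if __name__ == "__main__":
    matrix, _, _ = demo()
    for (s, o), rs in sorted(matrix.A.items()):
        print(f"A[{s},{o}] = {sorted(rs)}")
```

Every compound command above only calls enter_right, delete_right and the create primitives, which is the point of the Transitions slide: the protection state only changes through a small set of matrix transformations, so the conditions guarding them are the whole of the policy that the mechanism enforces.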
Time-dependence
Security policy may be time-dependent
– E.g., a contractor has the right to access data, but only as long as she is working for the company

Policies…
Confidentiality policy identifies states in which information is leaked to unauthorized entities
Integrity policy identifies who may alter data, and how it may be altered
Availability policy identifies which resources must be available, and to whom
– If “availability” is precisely defined, this may also define “quality of service”

Security mechanism
A security mechanism enforces (part of) the security policy
– Includes procedural/operational controls, not just technical controls
• E.g., who may enter the room in which backup tapes are stored
• How new accounts are established

Security policies
“Military security policy” is primarily concerned with confidentiality
– Does not exclude other concerns…
“Commercial security policy” is primarily concerned with integrity (think: banking industry)
– E.g., consistent transactions
– The question of “trust” is much harder than the question of confidentiality
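The finite-automaton view of a security policy (states classified as secure or insecure, a breach being a reachable insecure state) combined with the time-dependent contractor policy from the Time-dependence slide, as an added example that is not part of the lecture. The state encoding as a set of facts, the transition names, and the two alternative "terminate" transitions are assumptions made for the example; the check itself is a plain breadth-first search over every state the transitions can reach.

```python
"""A security policy as a predicate over the states of a finite automaton,
plus a reachability check for a "breach of security".  Added example; the
fact tuples and transition names are illustrative assumptions."""
from collections import deque

# A state is a frozenset of facts (assumed encoding), e.g.
#   ("employed", "contractor")
#   ("can_read", "contractor", "design_docs")
State = frozenset

EMPLOYED = ("employed", "contractor")
CAN_READ = ("can_read", "contractor", "design_docs")


def secure(state):
    """Time-dependent policy from the slide: the contractor may hold access
    to company data only while she works for the company.  A state in which
    the right outlives the employment is insecure."""
    return not (CAN_READ in state and EMPLOYED not in state)


# Transitions are functions state -> state.  A transition whose guard fails
# returns None, meaning the mechanism refuses it and the state is unchanged.
def hire(state):
    return state | {EMPLOYED}


def grant_access(state):
    if EMPLOYED not in state:
        return None  # mechanism refuses: grant only while employed
    return state | {CAN_READ}


def terminate_without_revoke(state):
    """Assumed buggy transition: ends employment but leaves the right."""
    return state - {EMPLOYED}


def terminate_and_revoke(state):
    """Assumed correct transition: ending employment also removes the right."""
    return state - {EMPLOYED, CAN_READ}


def first_breach(initial, transitions):
    """Explore all states reachable from `initial` (breadth-first).

    Returns the list of transition names leading to the first insecure
    state found, or None if no insecure state is reachable, i.e. the
    system (initial state + transition set) is secure under the policy."""
    if not secure(initial):
        return []
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        state, path = queue.popleft()
        for name, step in transitions.items():
            nxt = step(state)
            if nxt is None or nxt in seen:
                continue
            if not secure(nxt):
                return path + [name]
            seen.add(nxt)
            queue.append((nxt, path + [name]))
    return None


INITIAL = State()  # constructed: nobody employed, no rights held

BUGGY = {"hire": hire, "grant_access": grant_access,
         "terminate": terminate_without_revoke}
FIXED = {"hire": hire, "grant_access": grant_access,
         "terminate": terminate_and_revoke}


if __name__ == "__main__":
    print("buggy mechanism, breach path:", first_breach(INITIAL, BUGGY))
    print("fixed mechanism, breach path:", first_breach(INITIAL, FIXED))
```

The policy (`secure`) never changes between the two runs; only the mechanism (the transition set) does. That is the distinction the Security mechanism slide draws: the policy says which states are allowed, and a mechanism is correct exactly when none of its transitions can carry the system from a secure state into an insecure one.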