INTRO TO COMP SECURITY (CS 591)
This 20 page set of class notes was uploaded by Orrin Rutherford on Wednesday September 2, 2015. The notes belong to CS 591 at Portland State University, taught by Staff in Fall, in Computer Science.
CS 591 Introduction to Computer Security
Lecture 2: Access Control
James Hook
10/20/07 14:32

Objectives
- Introduce the mechanism of Access Control
- Relate the mechanism to Confidentiality, Integrity and Availability
- Introduce the Access Control Matrix Model and Protection State Transitions

Alice and Bob
- Standard names for agents in a security or crypto scenario
- Also known as A and B

An Access Control Scenario
  0. Alice, Bob
  1. Alice: New_Secret foo
  2. Bob: cp foo ufoo
  3. then echo "success"
  4. else echo "fail"
- Intent: Bob's cp is attempting to violate Alice's expected access policy
- If cp succeeds, then the principle of confidentiality is not satisfied
- Q: Revise the scenario to violate availability

Characterizing the Violation
  A: New_Secret foo
  B: cp foo ufoo
  B: echo success
  B: echo fail
- Basic abstraction: States and Transitions
- Q: What are the States?
- Q: What determines if we reach State 2 or 4 from State 1?
- Q: If we reach State 5, was State 1 good?

Secure and non-Secure States
- Characterize states in a system as Secure and non-Secure
- A system is Secure if every transition maps Secure states to Secure states
- Consequence: in the scenario, security is compromised if Alice's New_Secret foo yields a state in which Bob can access foo

Abstraction
(slide consists of a figure that is not recoverable from the source)

Protection States
- An abstraction that focuses on security properties
- Primarily interested in characterizing Safe states
- Goal is to prove that all operations in the system preserve security of the protection state
- The Access Control Matrix is our first Protection State model

Access Control Matrix Model
- Lampson '71, refined by Graham and Denning '71, '72
- Concepts:
  - Objects: the protected entities (O)
  - Subjects: the active entities acting on the objects (S)
  - Rights: the controlled operations subjects can perform on objects (R)
  - Access Control Matrix A: maps Subjects and Objects to sets of Rights
- State = (S, O, A)

Confidentiality Scenario: Initial State
- Subjects S0 = {A, B}
- Objects O0 = {A, B}
- Matrix A0
- Rights R = {r, w, own}
A: New_Secret foo leads to the intended State 1:
- Subjects S1 = {A, B}
- Objects O1 = {foo, A, B}
- Matrix A1: a[A, foo] = {r, w, own}; a[B, foo] = ∅
- The sequence A: New_Secret foo; B: cp foo ufoo; B: echo success gives States 1, 2 and 3. Is there a representation for Protection States 4 and 5?
- Issue: is a[B, foo] = ∅ the definition of confidentiality?

Availability Scenario
Initial State:
- Subjects S0 = {A, B}
- Objects O0 = {A, B}
- Matrix A0
- Rights R = {r, w, o}
Sequence: A: New_Public foo; B: cp foo ufoo; B: echo success
State 1:
- Subjects S1 = {A, B}
- Objects O1 = {foo, A, B}
- Matrix A1: a[A, foo] = {r, w, o}; a[B, foo] = {r}
State 4:
- Subjects S4 = S1
- Objects O4 = O1 ∪ {ufoo}
- Matrix A4: a[A, foo] = {r, w, o}; a[B, foo] = {r}; a[B, ufoo] = {r, w, o}

Voting Machine
- How can a voting machine be modeled with subjects, objects and rights?
- In what ways do the rights change dynamically?

A Domain-Specific Language for Access Control
- Harrison, Ruzzo and Ullman defined a set of primitive commands:
  Create subject s
  Create object o
  Enter r into a[s, o]
  Delete r from a[s, o]
  Destroy subject s
  Destroy object o
- We will use this DSL of primitive commands to model the system in our example

HRU Semantics
  (S, O, A) ⊢ Create subject s   ⇒ (S ∪ {s}, O, A)
  (S, O, A) ⊢ Create object o    ⇒ (S, O ∪ {o}, A)
  (S, O, A) ⊢ Enter r into a[s, o]  ⇒ (S, O, A') where A'[s, o] = A[s, o] ∪ {r}
  (S, O, A) ⊢ Delete r from a[s, o] ⇒ (S, O, A') where A'[s, o] = A[s, o] − {r}
  (S, O, A) ⊢ Destroy subject s  ⇒ (S − {s}, O, A')
  (S, O, A) ⊢ Destroy object o   ⇒ (S, O − {o}, A')
  where A' is the appropriate restriction of A

Molecules from Atoms
- This DSL gives us atomic transitions
- To model a system we combine these atomic operations into commands
- A system model in this framework is the set of commands that implement the system primitives

Modeling the Example
- Interface:
  X New_Secret <f>
  X New_Public <f>
  X Cp <f> <f>
  X If <command> then <command> else <command>
- Assumptions: X ranges over {A, B}

Example
  Initialize:
    create subject A
    create subject B
  end

  New_Public(x, f):
    create object f
    enter own into a[x, f]
    enter w into a[x, f]
    enter r into a[A, f]
    enter r into a[B, f]
  end

  New_Secret(x, f):
    create object f
    enter own into a[x, f]
    enter r into a[x, f]
    enter w into a[x, f]
  end

Example (cont.)
- Conditional command:
  Cp(x, src, dest):
    if r ∈ a[x, src] then
      create object dest
      enter own into a[x, dest]
      enter w into a[x, dest]
      enter r into a[x, dest]
  end
- Modeling helps us be precise: is the new file public or secret?

Modeling if
- How do we model the if statement in our scenario?
- We assumed a Unix-like "exit status"
- Could enrich the model so that statements have a value
- Does that add value?

Modeling if (cont.)
- To establish system security we must model all sequences of commands
- What matters is that cp won't reveal Alice's secret
- Since we are considering all sequences of non-conditional commands, we don't need to model If c1 then c2 else c3, since we model both c1; c2 and c1; c3
- Why doesn't this argument apply to primitive commands?

Conditional Commands
- To obtain the results in Chapter 3 we place technical restrictions on HRU conditional commands
- Condition must be positive: r ∈ a[s, o] (cf. the negative form r ∉ a[s, o])
- Conjunctions of conditions are allowed: r ∈ a[s, o] ∧ r' ∈ a[s', o']
- Disjunctions are unnecessary: all atomic actions are idempotent, so
  if φ ∨ ψ then C  ≡  if φ then C; if ψ then C

Access Control Matrix
- Very high fidelity model
- Every user and process can be modeled as a subject
- Every file and process can be modeled as an object
- Does it scale? Is it useful?

Access Control Matrix
- The access control matrix model is a critical reference point:
  - most systems can be modeled within the framework
  - most mechanisms are an imperfect approximation of the Access Control Matrix

Foundational Results
- Can we use an algorithm to test if a system is secure?
- What do we mean by "system"?
- What do we mean by "secure"?

Aside: Safety and Liveness
- Safety property: a bad thing does not happen. E.g. a memory-safe program will not dereference a bad pointer
- Liveness property: a good thing will happen eventually. E.g. every runnable process will eventually be scheduled

Security: safe or live?
- Availability is often a liveness property
- Confidentiality is often cast as a safety property
- Integrity can be both:
  - "The processor will execute the instruction stream" is a liveness property
  - "All memory will be accessed consistent with the protection state" is a safety property

Bounding the Problem
- Mono-operational commands: if each system-level command in the modeled system is implemented by a single HRU primitive, the system is mono-operational
- General case: the commands of the system being modeled are implemented by arbitrary combinations of HRU primitives
- Cast the problem as a safety property: bad things don't happen

What is secure?
- Must designate a "bad thing" and then prove it doesn't happen
- Definition: a right r is leaked if it is added to an element of the access control matrix that does not already contain it. In our example, New_Secret foo leaks the rights own, r and w if foo did not already exist
- Definition: a system is safe with respect to right r if it does not leak the right r

Follow Bishop
- If time permits in this lecture, jump to Bishop's slides 03, 04

Conclusion
- Modeling is the process of abstracting to the essence of the property of concern
- Security modeling exploits "protection state" abstractions
- The Access Control Matrix is a best model for file- and process-granularity modeling
- With virtually any realistic system the general security question will be undecidable

Looking Forward
- Next week: Jim Binkley will lecture on Crypto. Bishop 8, 9, 10; Anderson 2, 5
- Following week: Bishop 1, 2, 3, 4, 5, 7; Anderson 1, 7

Backup Materials

A scenario from the text
- Bishop models a language with the interface:
  Create_file(p, f)
  Spawn_process(p, q)
  Make_owner(p, f)
  Grant_read_file_1(p, f, q)
  Grant_read_file_2(p, f, q)
  Grant_write_file_1(p, f, q)
  Grant_write_file_2(p, f, q)
- Some of his examples follow

Commands
  Command create_file(p, f):
    create object f
    enter own into a[p, f]
    enter r into a[p, f]
    enter w into a[p, f]
  end

Commands (cont.)
  Command spawn_process(p, q):
    create subject q
    enter own into a[p, q]
    enter r into a[p, q]
    enter w into a[p, q]
    enter r into a[q, p]
    enter w into a[q, p]
  end

Conditional Commands
  Command grant_read_file_1(p, f, q):
    if own in a[p, f] then
      enter r into a[q, f]
  end

Root Agent
- Create subjects voter, tallyAgent, reporter
- Create objects vote, state, tally, voterCard
- Initialize tally = 0
- Enter

Voter Agent
- Repeat indefinitely:
  - Present credential
  - If credential accepted then
    - Prepare ballot
    - Confirm vote
  - Withdraw credential

Tally Agent
- While mode = election do:
  - On credential presented do: if credential valid then enable voting
  - On vote commit do (atomically): add vote to tally; invalidate credential
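The lecture describes the six HRU primitives, the commands built from them (Initialize, New_Secret, New_Public, the conditional Cp, and Bishop's grant_read_file_1) and the definition of a leaked right, but gives no runnable model. The following is an added executable version of that material written for these notes; it is not code from the lecture or from Bishop. Python is used because the slides prescribe no language; the class and function names, the use of Python sets for matrix cells, the "granted" variant (New_Secret followed by an explicit grant_read_file_1) and the True/False result standing in for the Unix exit status the slides assume are this example's own assumptions.

```python
# Added example (not from the lecture slides): the six HRU primitives, the
# lecture's commands built from them (Initialize, New_Secret, New_Public, the
# conditional Cp) plus Bishop's grant_read_file_1, and the lecture's definition
# of a leaked right.  Names, the Python-set matrix cells and the True/False
# stand-in for the Unix exit status are this example's own assumptions.
from copy import deepcopy


class ACM:
    """Protection state (S, O, A); a[s, o] is a set of rights. Methods below
    are the six HRU primitive operations."""
    def __init__(self):
        self.S, self.O, self.A = set(), set(), {}   # absent (s, o) key = empty set

    def create_subject(self, s):
        self.S.add(s)

    def create_object(self, o):
        self.O.add(o)

    def enter(self, r, s, o):
        assert s in self.S and o in self.O, f"a[{s}, {o}] is not a matrix cell"
        self.A.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self.A.get((s, o), set()).discard(r)

    def destroy_subject(self, s):
        self.S.discard(s)
        self.A = {k: v for k, v in self.A.items() if k[0] != s}   # restrict A

    def destroy_object(self, o):
        self.O.discard(o)
        self.A = {k: v for k, v in self.A.items() if k[1] != o}   # restrict A

    def rights(self, s, o):
        return frozenset(self.A.get((s, o), set()))


def initialize(m):                      # the lecture's Initialize command
    m.create_subject("A")
    m.create_subject("B")


def new_secret(m, x, f):                # only the creator x gets rights on f
    m.create_object(f)
    for r in ("own", "r", "w"):
        m.enter(r, x, f)


def new_public(m, x, f):                # x owns and writes f; A and B may read
    m.create_object(f)
    m.enter("own", x, f)
    m.enter("w", x, f)
    m.enter("r", "A", f)
    m.enter("r", "B", f)


def cp(m, x, src, dest):
    """Conditional command guarded by the positive condition r in a[x, src].
    The boolean result stands in for the Unix exit status the slides assume."""
    if "r" not in m.rights(x, src):
        return False
    m.create_object(dest)
    for r in ("own", "w", "r"):
        m.enter(r, x, dest)
    return True


def grant_read_file_1(m, p, f, q):      # Bishop's command: owner p lets q read f
    if "own" in m.rights(p, f):
        m.enter("r", q, f)


def leaked_rights(before, after):
    """Rights added to a cell that did not already contain them (the lecture's
    definition of a leak); cells of objects created in between count too."""
    return {(r, s, o)
            for (s, o), rs in after.A.items()
            for r in rs - before.A.get((s, o), set())}


def scenario(mode):
    """Alice creates foo ('secret', 'public', or 'granted'), then Bob copies it."""
    m = ACM()
    initialize(m)
    state0 = deepcopy(m)
    if mode == "public":
        new_public(m, "A", "foo")
    else:
        new_secret(m, "A", "foo")
        if mode == "granted":           # rights change after the object exists
            grant_read_file_1(m, "A", "foo", "B")
    state1 = deepcopy(m)                # protection state 1
    ok = cp(m, "B", "foo", "ufoo")      # Bob's attempt
    return {"create_leaks": leaked_rights(state0, state1),
            "cp_succeeded": ok,
            "bob_on_foo": m.rights("B", "foo"),
            "bob_on_ufoo": m.rights("B", "ufoo"),
            "cp_leaks": leaked_rights(state1, m)}
```

Running scenario("secret") reproduces the confidentiality slide: New_Secret foo leaks own, r and w to a[A, foo] (foo did not exist), Bob's cp is refused because r is not in a[B, foo], and no further right leaks. scenario("public") reproduces the availability slide: the copy succeeds and creates a[B, ufoo]. The "granted" mode shows rights changing dynamically, the question the voting machine slide raises.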