DB-Sec-part1-v6ce.sharif.edu/courses/84-85/2/ce925/resources/root/Course Material…

13

Post on 12-Aug-2020


Page 1

[Persian slide text not recoverable from the extraction; surviving fragments: "Logical view", "View", and a three-item list whose items are lost]

CREATE VIEW failed_students AS SELECT * FROM STUDENTS WHERE STUDENTS.Average < 10;

Page 2

[Persian slide text not recoverable from the extraction; surviving fragments: "Atomicity", "Accountability & Auditing", "Partial Flow Control", Y = f(X), SELECT X FROM r WHERE Y = value, Z = T * K, "Missing", "SQL", "Perturbation"]

Page 3

[Persian slide text not recoverable from the extraction]

Access control system (flowchart labels): Access Request → Security Policies, Access Rules, Control Procedures → Access Denied / Access Permitted / Request Modification

• SC = (A, C), SC' = (A', C')
• SC ≤ SC' iff A ≤ A' and C ⊆ C'

• <s, o, t, p>
• <a, s, o, t, p, f> and <a, s, o, t, p, f, {Ci, APi}>
  – a: authorizer
  – f: flag of transfer
  – Ci: condition of executing a procedure
  – APi: auxiliary procedure

Page 4

[Persian slide text not recoverable from the extraction; surviving fragment: "IDS, Audit"]

Mandatory Access Control (flowchart labels): Security Axioms; Security Classes of Subjects/Objects; Access request → "Does the request satisfy the axioms of the mandatory policy?" → Yes: Access Permitted / No: Access Denied

Discretionary Access Control (flowchart labels): Authorization Rules; Access request → "Does the request satisfy the Authorization Rules?" → No: Access Denied / Yes: "Is the 'P' predicate of the rule satisfied?" → Yes: Access Permitted
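The dominance relation SC ≤ SC' from the previous page and the two decision flows above, as an added Python example (not code from the slides): a SecurityClass with a level A and a category set C, authorization rules <s, o, t, p> whose predicate p is a Python callable, and one decision function per flow. The level names, subjects, objects, rules and the time-of-day predicate are constructed for the example, and the mandatory axioms used in decide_mac (the Bell-LaPadula rules: read only if the object's class is dominated by the subject's, write only the other way round) are an assumption, since the slides name Bell & LaPadula later but the axioms themselves are not recoverable.

```python
"""Security-class dominance and rule-based access decisions (added example)."""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet

# Totally ordered classification levels, constructed for this example.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class SecurityClass:
    """SC = (A, C): a level A and a set of categories C."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominated_by(self, other):
        """SC <= SC' iff A <= A' and C is a subset of C'."""
        return (LEVELS[self.level] <= LEVELS[other.level]
                and self.categories <= other.categories)


@dataclass
class Request:
    subject: str
    obj: str
    access_type: str                               # the t of a rule <s, o, t, p>
    context: dict = field(default_factory=dict)    # data the predicate p may inspect


@dataclass
class Rule:
    """Authorization rule <s, o, t, p>; p is a predicate evaluated on the request."""
    subject: str
    obj: str
    access_type: str
    predicate: Callable[[Request], bool] = lambda req: True


def decide_dac(rules, req):
    """Discretionary flow from the slide: a rule must match (s, o, t) and its
    predicate P must hold; any matching rule whose P holds permits the request."""
    for rule in rules:
        matches = (rule.subject, rule.obj, rule.access_type) == (req.subject, req.obj, req.access_type)
        if matches and rule.predicate(req):
            return "Access Permitted"
    return "Access Denied"


def decide_mac(subject_classes, object_classes, req):
    """Mandatory flow: the request must satisfy the policy's axioms.  The axioms are
    not recoverable from the slides; assumed here are the Bell-LaPadula rules:
    read only if SC(object) <= SC(subject), write only if SC(subject) <= SC(object)."""
    sc_s, sc_o = subject_classes[req.subject], object_classes[req.obj]
    if req.access_type == "read" and sc_o.dominated_by(sc_s):
        return "Access Permitted"
    if req.access_type == "write" and sc_s.dominated_by(sc_o):
        return "Access Permitted"
    return "Access Denied"


def demo():
    """Constructed subjects, objects, classes and rules."""
    secret_nato = SecurityClass("secret", frozenset({"nato"}))
    secret_plain = SecurityClass("secret")
    conf_nato = SecurityClass("confidential", frozenset({"nato"}))
    subject_classes = {"alice": secret_nato, "bob": secret_plain}
    object_classes = {"plan": conf_nato, "budget": secret_plain}
    rules = [
        Rule("alice", "plan", "read"),
        # Predicate p (constructed): bob may read the budget only between 09:00 and 17:00.
        Rule("bob", "budget", "read", lambda r: 9 <= r.context.get("hour", 0) < 17),
    ]
    dac, mac = decide_dac, decide_mac
    return {
        "dominance": conf_nato.dominated_by(secret_nato),        # level and categories both fit
        "no_dominance": secret_nato.dominated_by(secret_plain),  # category nato is missing
        "dac_ok": dac(rules, Request("alice", "plan", "read")),
        "dac_p_holds": dac(rules, Request("bob", "budget", "read", {"hour": 10})),
        "dac_p_fails": dac(rules, Request("bob", "budget", "read", {"hour": 20})),
        "dac_no_rule": dac(rules, Request("bob", "plan", "read")),
        "mac_ok": mac(subject_classes, object_classes, Request("alice", "plan", "read")),
        "mac_read_up": mac(subject_classes, object_classes, Request("bob", "plan", "read")),
        "mac_write_outside": mac(subject_classes, object_classes, Request("alice", "budget", "write")),
    }
```

The two flows are kept separate on purpose: a system that applies both (as the later slides describe) permits a request only when decide_mac and decide_dac both return "Access Permitted", so a rule with a satisfied predicate can never override a failed dominance check.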


Page 5

[Persian slide text not recoverable from the extraction; surviving fragments: "Dis. Sec Model", "Man. Sec Model", "Bell & Lapadula", "Access modes", "Axioms"]

What is Access Control?

• Quote from Security Engineering by Ross Anderson:

Its function is to control which principals (persons, processes, machines, …) have access to which resources in the system --- which files they can read, which programs they can execute, and how they share data with other principals, and so on.

Page 6

Access Control is Pervasive

• Application
  – business applications
• Middleware
• DBMS
• Operating System
  – controlling access to files, ports
• Hardware
  – memory protection, privilege levels

Access Control is Important

• Quote from Security Engineering: "Access control is the traditional center of gravity of computer security. It is where security engineering meets computer science."
• TCSEC evaluates security of computer systems based on access control features + assurance

Access Control is Interesting

• Has (relatively) well-developed theories
  – 30+ years history
  – some (quite involved) theory (apparently) not useful for other fields
• Many interesting and deep results
• Many misconceptions and debates
  – A large percentage of published works contain serious errors
  – Corollary: Be skeptical, don't believe too much what others have said, try to form your own opinions

Military Wants Confidentiality

• Mandatory access control
• Label-based access control
• Bell-LaPadula (1973+)
• Covert channel
• Verifying security
• Security kernels
• TCSEC (1983)

Why is Access Control Complex?

• Objects are often complex
  – Objects may be structured:
    » directories/files
    » database, table, row, column, view
    » XML documents
  – Identifying objects may be hard

Page 7

Subjects are complex

• What are subjects?
  – human users
  – principals (e.g., accounts, public keys)
  – processes
• What are the relationships among subjects?
  – whose authority to use?
  – On what basis does one grant access?

Systems may be large

• Number of subjects may be hundreds of thousands

The Access Matrix Model

• History
  – Lampson 1971, "Protection"
  – Refined by Graham and Denning 1972, "Protection: Principles and Practice"
  – Harrison, Ruzzo, and Ullman 1976, "Protection in Operating Systems"

Access Matrix

• A set of subjects S
• A set of objects O
• A set of rights R
• An access control matrix
  – one row for each subject
  – one column for each subject/object
  – elements are the rights of a subject on another subject or object

The Graham-Denning Work

• Based on access matrices
• Focuses on access control within an operating system
• Explores various possibilities of discretionary access control

Seven Levels of Protection / Separation

1. No sharing at all
2. Sharing copies of programs or data files
3. Sharing originals of programs or data files
4. Sharing programming systems or subsystems
5. Permitting the cooperation of mutually suspicious subsystems, e.g., debugging or proprietary subsystems
6. Providing memory-less subsystems
7. Providing "certified" subsystems

Page 8

Elements in Graham-Denning

• Objects: have a unique identifier
• Subjects
  – a subject is a pair (process, domain)
  – forging a subject identifier is impossible (authentication)
• Protection state
  – modeled using an access matrix (can also be represented as a graph)
  – No modeling of actual accesses (only access permissions)
    » whether this is sufficient depends on the properties to be studied

Special Rights in Graham-Denning Model

• Each subject/object has an owner
• Each subject has a controller (which may be itself)
• A right may be transferable or nontransferable

Eight Commands in Graham-Denning Model

1. subject x creates object o
   – no precondition
   – add column for o
   – place `owner' in A[x,o]
2. subject x creates subject s
   – no precondition
   – add row and column for s
   – place `control', `owner' in A[x,s]
3. subject x destroys object o
   – precondition: `owner' in A[x,o]
   – delete column o
4. subject x destroys subject s
   – precondition: `owner' in A[x,s]
   – delete row and column for s
5. subject x grants a right r/r* on object o to subject s
   – precondition: `owner' in A[x,o]
   – stores r/r* in A[s,o]
6. subject x transfers a right r/r* on object o to subject s
   – precondition: r* in A[x,o]
   – stores r/r* in A[s,o]
7. subject x deletes right r/r* on object o from subject s
   – precondition: `control' in A[x,s] or `owner' in A[x,o]
   – delete r/r* from A[s,o]
8. subject x checks what rights subject s has on object o [w := read s,o]
   – precondition: `control' in A[x,s] or `owner' in A[x,o]
   – copy A[s,o] to w
   – This does not affect the protection state.
   – policy review functions: useful when analyzing external behaviors of the protection system, not clear why needed in this paper

Details

• Some requirements place additional constraints on state-transitions
  – Each subject is owned or controlled by at most one other subject
  – cannot transfer/grant the owner right
  – It is undesirable for a subject to be `owner' of itself, for then it can delete other subjects' access to itself
  – [The relation "owner" naturally defines a tree hierarchy on subjects.]
  – What does it take to maintain the hierarchy?

Other possible extensions

• Transfer-only copy flags
• Limited-use access attributes
  – needs to model access
• Allow a subject to obtain a right that its subordinate has.
• The notion of "indirect" right
  – S2 has indirect right over S means that S2 can access anything that S is allowed to access, but S2 can't take rights from S
  – differs from the basic notion of an access matrix
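The eight commands and the "cannot transfer/grant owner right" constraint from the Details slide, as an added Python example (not code from the slides or from the Graham-Denning paper): the protection state is an access matrix A[x][o] of right sets, and every command refuses to touch the state when its precondition fails. The bootstrap subject root, the subject and object names, and the convention that a right spelled r* is the transferable form of r are assumptions of the example.

```python
"""Graham-Denning protection state: the eight commands over an access matrix (added example)."""
OWNER, CONTROL = "owner", "control"


class PreconditionFailed(Exception):
    """A command's precondition did not hold; the state is left unchanged."""


class GDState:
    def __init__(self, root):
        # Bootstrap subject (assumed): in the model every later subject is created by an existing one.
        self.subjects = {root}
        self.objects = {root}          # subjects are objects too, so they also get a column
        self.A = {root: {}}            # A[x][o] -> set of rights x holds over o

    def rights(self, x, o):
        return self.A.get(x, {}).get(o, set())

    def _require(self, cond, msg):
        if not cond:
            raise PreconditionFailed(msg)

    def _exists(self, s, o):
        self._require(s in self.subjects and o in self.objects, f"unknown subject/object {s}/{o}")

    # 1. subject x creates object o: add a column, place owner in A[x,o]
    def create_object(self, x, o):
        self._require(x in self.subjects and o not in self.objects, "bad create_object")
        self.objects.add(o)
        self.A[x][o] = {OWNER}

    # 2. subject x creates subject s: add row and column, place control, owner in A[x,s]
    def create_subject(self, x, s):
        self._require(x in self.subjects and s not in self.objects, "bad create_subject")
        self.subjects.add(s)
        self.objects.add(s)
        self.A[s] = {}
        self.A[x][s] = {CONTROL, OWNER}

    # 3./4. subject x destroys object or subject o: precondition owner in A[x,o]
    def destroy(self, x, o):
        self._require(OWNER in self.rights(x, o), f"{x} does not own {o}")
        self.objects.discard(o)
        for row in self.A.values():
            row.pop(o, None)           # delete the column
        if o in self.subjects:         # a subject loses its row as well
            self.subjects.discard(o)
            del self.A[o]

    def _transferable(self, r):
        # Details slide: the owner right can be neither granted nor transferred.
        self._require(r.rstrip("*") != OWNER, "owner right cannot be granted/transferred")

    # 5. subject x grants r or r* on o to s: precondition owner in A[x,o]
    def grant(self, x, r, o, s):
        self._exists(s, o)
        self._transferable(r)
        self._require(OWNER in self.rights(x, o), f"{x} does not own {o}")
        self.A[s].setdefault(o, set()).add(r)

    # 6. subject x transfers r or r* on o to s: precondition r* in A[x,o]
    def transfer(self, x, r, o, s):
        self._exists(s, o)
        self._transferable(r)
        self._require(r.rstrip("*") + "*" in self.rights(x, o), f"{x} holds no transferable {r} on {o}")
        self.A[s].setdefault(o, set()).add(r)

    def _may_review(self, x, s, o):
        self._exists(s, o)
        self._require(CONTROL in self.rights(x, s) or OWNER in self.rights(x, o),
                      f"{x} neither controls {s} nor owns {o}")

    # 7. subject x deletes r/r* on o from s: precondition control in A[x,s] or owner in A[x,o]
    def delete_right(self, x, r, o, s):
        self._may_review(x, s, o)
        self.A[s].get(o, set()).discard(r)   # r need not be present

    # 8. subject x reads A[s,o] (w := read s,o): same precondition, state unchanged
    def check(self, x, s, o):
        self._may_review(x, s, o)
        return frozenset(self.rights(s, o))


def demo():
    """Constructed scenario: root creates alice, bob and carol; alice owns the payroll object."""
    st = GDState("root")
    for s in ("alice", "bob", "carol"):
        st.create_subject("root", s)
    st.create_object("alice", "payroll")
    st.grant("alice", "read*", "payroll", "bob")     # bob may pass read on (transferable copy)
    st.transfer("bob", "read", "payroll", "carol")   # allowed: bob holds read*
    st.grant("alice", "write", "payroll", "bob")
    refused = 0
    for attempt in ((st.grant, "bob", "read", "payroll", "carol"),      # bob is not the owner
                    (st.transfer, "carol", "read", "payroll", "bob"),   # carol holds read, not read*
                    (st.grant, "alice", "owner", "payroll", "bob")):    # owner is never granted
        try:
            attempt[0](*attempt[1:])
        except PreconditionFailed:
            refused += 1
    st.delete_right("root", "write", "payroll", "bob")   # root controls bob
    return {"bob": st.check("root", "bob", "payroll"),         # root controls bob
            "carol": st.check("alice", "carol", "payroll"),    # alice owns payroll
            "refused": refused}
```

The check command is the only one that returns data and it changes nothing, which is what the slide calls a policy review function; the three refused attempts show that grant needs ownership, transfer needs the r* form, and the owner right never moves.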

Page 9

How to Analyze Security Properties?

• "To prove that a protection model, or an implementation of it, is correct, one must show that a subject can never access an object except in an authorized manner"
  – any action by a subject cannot be an unauthorized access
  – any action that changes the protection state cannot lead to a new state in which some subject has unauthorized access

Issues of Trust

• Trusted vs. trustworthy
  – minimize trusted things
  – maximize trustworthy things
• A subject who has read* to an object can grant read to anyone
  – such a subject often needs to be trusted
  – similar issue: multiple owners of an object
• Someone having read access to an object can make copies of the object: read = read*

Approaches to the Trust Issue

• Trust human users, but not subjects
• Enable the analysis and understanding of trust
  – for a particular security property, who are trusted?
  – example: simple safety analysis [(o,r)-safety]
    » whether in a future state, a particular subject can get access to a particular object

Implementation Issues

• Storing the access matrix
  – by rows: capability lists
  – by column: access control lists
  – through indirection:
    » e.g., key and lock list
    » e.g., groups, roles, multiple levels of indirection, multiple locks
• How to do indirection correctly and conveniently is the key to management of access control.

Objectives of the HRU Work

• Provide a model that is sufficiently powerful to encode several access control approaches, and precise enough so that security properties can be analyzed
• Introduce the "safety problem"
• Show that the safety problem
  – is decidable in certain cases
  – is undecidable in general
  – is undecidable in the monotonic case

Page 10

Extension to the Model

• Data Dependent
• Time Dependent
• Context Dependent
• History Dependent

Protection Systems

• A protection system has
  – a finite set R of generic rights
  – a finite set C of commands
• A protection system is a state-transition system
• To model a system, specify the following constants:
  – set of all possible subjects
  – set of all possible objects
  – R

The State of A Protection System

• A set O of objects
• A set S of subjects that is a subset of O
• An access control matrix
  – one row for each subject
  – one column for each object
  – each cell contains a set of rights

Commands: Examples

• command GRANT_read(x1,x2,y)
    if `own' in [x1,y]
    then enter `read' into [x2,y]
  end
• command CREATE_object(x,y)
    create object y
    enter `own' into [x,y]
  end

Syntax of a Command

• A command has the form
    command a(X1, X2, …, Xk)
      if r1 in (Xs1, Xo1) and … and rm in (Xsm, Xom)
      then op1 … opn
    end
• X1,…,Xk are formal parameters

Six Primitive Operations

• enter r into (Xs, Xo)
  – Condition: Xs ∈ S and Xo ∈ O
  – r may already exist in (Xs, Xo)
• delete r from (Xs, Xo)
  – Condition: Xs ∈ S and Xo ∈ O
  – r does not need to exist in (Xs, Xo)

Page 11

• create subject Xs
  – Condition: Xs ∉ S
• create object Xo
  – Condition: Xo ∉ O
• delete subject Xs
  – Condition: Xs ∈ S
• delete object Xo
  – Condition: Xo ∈ O and Xo ∉ S

How Does State Transition Work?

• Given a protection system (R, C), state z1 can reach state z2 iff there is an instance of a command in C such that all conditions are true at state z1 and executing the primitive operations one by one results in state z2
• A command is executed as a whole (similar to a transaction): if one step fails, then nothing changes

Example

• Given the following command
    command α(x, y, z)
      enter r1 into (x,x)
      destroy subject x
      enter r2 into (y,z)
    end
• One can never use α(s,s,o) to change a state

Definition of the Safety Problem in [HRU]

• Given a protection system and generic right r, we say that the initial configuration Q0 is unsafe for r (or leaks r) if there is a configuration Q and a command α such that
  – Q is reachable from Q0
  – α leaks r from Q
• We say Q0 is safe for r if Q0 is not unsafe for r.

Definition of Right Leakage in [HRU]

• We say that a command α(x1,…,xk) leaks generic right r from Q if α, when run on Q, can execute a primitive operation which enters r into a cell of the access matrix which did not previously contain r.
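The six primitives, the transaction-like execution rule, the α(s,s,o) example and the leakage definition, carried through as one added Python example (not code from the slides or from the HRU paper). Each primitive raises ConditionFailed when its condition is false; run() executes a command on a copy of the configuration and keeps the original whenever any step fails; leaks() applies the leakage definition to a single command run. Assumptions of the example: commands are written as plain Python functions, a leak is judged on a completed run of the command, and the subject and object names are constructed.

```python
"""HRU protection system: primitives, atomic commands and right leakage (added example)."""
import copy


class ConditionFailed(Exception):
    """A primitive's condition or a command's if-part was false."""


def _need(cond, msg):
    if not cond:
        raise ConditionFailed(msg)


class State:
    """Configuration Q: subjects S (a subset of the objects O) and a matrix P of right sets."""

    def __init__(self):
        self.S, self.O, self.P = set(), set(), {}
        self.trace = []  # (right, s, o) for every enter that added a right not already present

    def cell(self, s, o):
        return self.P.setdefault((s, o), set())


# The six primitive operations, with the conditions given on the slides.
def enter(q, r, s, o):
    _need(s in q.S and o in q.O, f"enter: ({s},{o}) is not a cell")
    if r not in q.cell(s, o):  # r may already exist; only a new entry can be a leak
        q.trace.append((r, s, o))
    q.cell(s, o).add(r)

def delete(q, r, s, o):
    _need(s in q.S and o in q.O, f"delete: ({s},{o}) is not a cell")
    q.cell(s, o).discard(r)  # r does not need to exist

def create_subject(q, s):
    _need(s not in q.S, f"create subject: {s} exists")
    q.S.add(s)
    q.O.add(s)

def create_object(q, o):
    _need(o not in q.O, f"create object: {o} exists")
    q.O.add(o)

def destroy_subject(q, s):
    _need(s in q.S, f"destroy subject: {s} is not a subject")
    q.S.discard(s)
    q.O.discard(s)
    q.P = {k: v for k, v in q.P.items() if s not in k}  # drop its row and column

def destroy_object(q, o):
    _need(o in q.O and o not in q.S, f"destroy object: {o} is not a pure object")
    q.O.discard(o)
    q.P = {k: v for k, v in q.P.items() if k[1] != o}  # drop its column


# The commands from the slides, written as Python functions over a configuration.
def GRANT_read(q, x1, x2, y):
    _need("own" in q.cell(x1, y), "GRANT_read: if-part false")
    enter(q, "read", x2, y)

def CREATE_object(q, x, y):
    create_object(q, y)
    enter(q, "own", x, y)

def alpha(q, x, y, z):  # the command α(x, y, z) from the Example slide
    enter(q, "r1", x, x)
    destroy_subject(q, x)
    enter(q, "r2", y, z)


def run(q, command, *args):
    """Execute a command as a whole on a copy of q; if any step fails, q is returned unchanged.
    Returns (resulting configuration, completed?, set of rights newly entered somewhere)."""
    trial = copy.deepcopy(q)
    trial.trace = []
    try:
        command(trial, *args)
    except ConditionFailed:
        return q, False, set()
    return trial, True, {r for r, _, _ in trial.trace}


def leaks(q, command, *args, right):
    """Leakage as defined on the slide, judged on a completed run of one command:
    the command enters `right` into a cell that did not previously contain it."""
    return right in run(q, command, *args)[2]


def demo():
    """Constructed Q0: subjects x1, x2; object y; x1 owns y."""
    q0 = State()
    create_subject(q0, "x1")
    create_subject(q0, "x2")
    CREATE_object(q0, "x1", "y")
    q1, done1, leaked1 = run(q0, GRANT_read, "x1", "x2", "y")  # x1 owns y: read enters (x2,y)
    _, done2, _ = run(q0, GRANT_read, "x2", "x1", "y")         # x2 does not own y: no effect
    q3, done3, _ = run(q0, alpha, "x1", "x1", "y")             # third step fails: rolled back
    return {"grant_completed": done1, "grant_leaks_read": "read" in leaked1,
            "read_in_q1": "read" in q1.cell("x2", "y"),
            "q0_leaks_read_via_grant": leaks(q0, GRANT_read, "x1", "x2", "y", right="read"),
            "reverse_grant_completed": done2,
            "alpha_completed": done3, "x1_still_subject": "x1" in q3.S}
```

α(x1,x1,y) illustrates the whole-command rule: enter r1 into (x1,x1) and destroy subject x1 both succeed on the copy, but enter r2 into (x1,y) then fails its Xs ∈ S condition, so the copy is discarded and Q0 is returned untouched. leaks() answers only the per-command question of the leakage slide; the safety problem additionally ranges over every configuration reachable from Q0, which is what makes it undecidable in general.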

Take-Grant Model

• Jones 1976
• As an extension to the Access Matrix model
• A graph representing the authorization in the system
• Authorization state (S, O, G)
  – S: subjects (active); users, processes, programs
  – O: Objects (passive)

Page 12

TG

• G: the graph
  – Nodes:
    » Subjects (filled-in circle) or
    » Objects (white circle)
    » Both (barred circle)
  – Edges: rights
  – G = (S, O, E), where V = S ∪ O is the set of vertexes, and S ∩ O = {}
• Four Privileges: r, w, t, g

The Take-Grant Model

• Two special rights `take' and `grant'
• The state is represented by a graph
• The take rule: if x has `take' right over z, and z has right r over y, then x can get right r over y
• The grant rule: if z has `grant' right over x, and z has right r over y, then x can get right r over y

TG (figure slides; the example graphs are not recoverable from the extraction)

Page 13

TG Example – next slide

• G is as in (a)
• Create object {r,w} (S1, O1)
• Grant (r, S1, O1, O2)
• Take (r, S2, O1, O2)
• Remove {w} (S1, O2)

Restrictions of the model

• Non-selectivity of administrative rights (t, g).
• No control on propagation of authorization
• Non-locality: a model is local if a flow of privileges from, or to, a given domain is possible only if authorized by privileges existing in this domain. TG is non-local, as some privileges may be taken ….
• Reversibility of the privileges transport flow: if the rights can be transferred from subject x to subject y, a possible opposite flow cannot be prevented! Next slide

Example of Reversibility!

• Create {g,t} (S1, O)
• Grant (g, S1, S2, O)
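The reversibility example above, carried through as an added Python example (not code from the slides or from the Take-Grant papers): a graph of right-labelled edges with the take, grant, create and remove rules from the previous page. Grant(r, x, y, z) is read as "subject x grants y the right r over z", matching the slide notation; the object X and the initial edges S1 -g-> S2 and S2 -r-> X are constructed so that the reverse flow becomes visible.

```python
"""Take-Grant graph with the take/grant/create/remove rules, showing reversibility (added example)."""
from collections import defaultdict


class TGState:
    def __init__(self):
        self.S, self.O = set(), set()      # subjects and objects, with S ∩ O = {} as on the TG slide
        self.E = defaultdict(set)          # E[(x, y)] -> set of rights x holds over y

    def rights(self, x, y):
        return self.E.get((x, y), set())

    def add_subject(self, s):
        self.S.add(s)

    def add_object(self, o):
        self.O.add(o)

    def add_edge(self, x, y, rights):      # initial authorization state, not a rule
        self.E[(x, y)] |= set(rights)

    def _need(self, cond, msg):
        if not cond:
            raise PermissionError(msg)

    def create(self, x, y, rights, as_subject=False):
        """Create rule: subject x creates a new vertex y and holds `rights` over it."""
        self._need(x in self.S, f"{x} is not a subject")
        self._need(y not in self.S | self.O, f"{y} already exists")
        (self.S if as_subject else self.O).add(y)
        self.E[(x, y)] |= set(rights)

    def take(self, x, z, y, r):
        """Take rule: x has t over z and z has r over y, so x gets r over y."""
        self._need(x in self.S, f"{x} is not a subject")
        self._need("t" in self.rights(x, z), f"{x} lacks t over {z}")
        self._need(r in self.rights(z, y), f"{z} lacks {r} over {y}")
        self.E[(x, y)].add(r)

    def grant(self, z, x, y, r):
        """Grant rule: z has g over x and z has r over y, so x gets r over y."""
        self._need(z in self.S, f"{z} is not a subject")
        self._need("g" in self.rights(z, x), f"{z} lacks g over {x}")
        self._need(r in self.rights(z, y), f"{z} lacks {r} over {y}")
        self.E[(x, y)].add(r)

    def remove(self, x, y, rights):
        """Remove rule: subject x gives up some of its rights over y."""
        self._need(x in self.S, f"{x} is not a subject")
        self.E[(x, y)] -= set(rights)


def reversibility_demo():
    """Constructed scenario: only S1 -g-> S2 exists, so rights can flow from S1 to S2,
    and nothing lets S1 obtain anything from S2 directly.  S2 holds r over object X."""
    g = TGState()
    g.add_subject("S1")
    g.add_subject("S2")
    g.add_object("X")
    g.add_edge("S1", "S2", {"g"})
    g.add_edge("S2", "X", {"r"})
    try:
        g.take("S1", "S2", "X", "r")     # no t edge S1 -> S2: refused
        direct_refused = False
    except PermissionError:
        direct_refused = True

    g.create("S1", "O", {"g", "t"})      # Create {g,t} (S1, O)
    g.grant("S1", "S2", "O", "g")        # Grant (g, S1, S2, O): S2 now holds g over O
    g.grant("S2", "O", "X", "r")         # S2 grants its r on X to O (S2 has g over O)
    g.take("S1", "O", "X", "r")          # S1 takes r on X through its t over O
    return {"direct_take_refused": direct_refused,
            "s2_has_g_over_O": "g" in g.rights("S2", "O"),
            "s1_rights_on_X": frozenset(g.rights("S1", "X"))}
```

The only administrative edge in the initial graph points from S1 to S2, yet after four rule applications S1 holds r over X, a right that started with S2: the object O created with {g, t} acts as a relay in both directions, which is the reverse flow the slide says the model cannot prevent.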

Extension to the model

• Jones later on extended the model to have a more restricted take and grant
• The new object procedure and the right fork for invoking procedures.
• Lockman and Minsky extended the model to eliminate the problem of reversibility: introduction of the Take-Receive model.