Lecture 10, April 22
Reading: §2; 3.1–3.2
Due: Homework #2, due April 26, 2013 at 11:55pm
Discussion Problem. You discover a security flaw in the operating system on your company's computer. The flaw enables any user to read any other user's files, regardless of their protection. You have several choices: you can keep quiet and hope no-one else discovers the flaw, or tell the company, or tell the system vendor, or announce it on the Internet.
- Suppose an exploitation of the vulnerability could be prevented by proper system configuration. Which of the above courses of action would you take, and why?
- If an exploitation of the vulnerability could be detected (but not prevented) by system administrators, how would this change your answer to the first question?
- Now suppose no exploitation of the vulnerability can be detected or prevented. Would this change your answer, and if so, how?
- Access Control Matrix
- Subjects, objects, and rights
- Primitive commands: create subject/object, enter right, delete right, destroy subject/object
- Commands and conditions: create-file, various flavors of grant-right to show conditions and nested commands
- Copy flag
- Attenuation of privileges
- HRU Result
- Notion of leakage in terms of ACM
- Determining security of a generic system with generic rights and mono-operational commands is decidable
- Determining security of a generic system with generic rights is undecidable
- Meaning: can’t derive a generic algorithm; must look at (sets of) individual case
- Sets of authorized, unauthorized states
- Secure systems in terms of states
- Mechanism vs. policy
- Types of Policies
- Military/government vs. confidentiality
- Commercial vs. integrity
- Types of Access Control
- Mandatory access control
- Discretionary access control
- Originator-controlled access control