Lecture 10, April 22

Discussion Problem. You discover a security flaw in the operating system on your company's computer. The flaw enables any user to read any other user's files, regardless of their protection. You have several choices: you can keep quiet and hope no-one else discovers the flaw, or tell the company, or tell the system vendor, or announce it on the Internet.

1. Suppose an exploitation of the vulnerability could be prevented by proper system configuration. Which of the above courses of action would you take, and why?
2. If an exploitation of the vulnerability could be detected (but not prevented) by system administrators, how would this change your answer to the first question?
3. Now suppose no exploitation of the vulnerability can be detected or prevented. Would this change your answer, and if so, how?

Lecture outline.

1. Access Control Matrix
   1. Subjects, objects, and rights
   2. Primitive commands: create subject/object, enter right, delete right, destroy subject/object
   3. Commands and conditions: create-file, various flavors of grant-right to show conditions and nested commands
   4. Copy flag
   5. Attenuation of privileges
2. HRU Result
   1. Notion of leakage in terms of ACM
   2. Determining security of a generic system with generic rights and mono-operational commands is decidable
   3. Determining security of a generic system with generic rights is undecidable
   4. Meaning: can’t derive a generic algorithm; must look at (sets of) individual case
3. Policy
   1. Sets of authorized, unauthorized states
   2. Secure systems in terms of states
   3. Mechanism vs. policy
4. Types of Policies
   1. Military/government vs. confidentiality
   2. Commercial vs. integrity
5. Types of Access Control
   1. Mandatory access control
   2. Discretionary access control
   3. Originator-controlled access control