authorization
bad resource calls don't happen
availability
good resource calls do happen
resource constraints
security properties in an OS or computer system
resource
whatever we compete for
one-way function
easy to compute, hard to invert (a resource is similar: easy to use, hard to come by)
resource (second definition)
object used in computation or social interaction
resource examples
territory, food, CPU, printer, energy
asset
a resource that can be secured: asset = resource + security
subjects S, objects O
what a computer system consists of
privately owned assets
require authorization, e.g. home, account
publicly shared assets
require availability, e.g. printer, path, internet
resource usage in systems
based on complex combinations of owning and sharing
economy ⊆ security
an asset is only an asset if it can be secured
security ⊆ economy
an asset is only an asset if it is cost-effective
privately owned resources
can be traded, jointly owned, partially shared
permission matrix
given sets S of subjects, O of objects and A of actions (accesses), a permission matrix at state q is an assignment M_q : S × O → ℘A of the pairs ⟨u, i⟩ ∈ S × O to the sets of actions M_q(u, i) ⊆ A which the subject u is permitted to execute on the object i
access matrix
for the same sets S of subjects, O of objects and A of actions, an access matrix at state q is an assignment B_q : S × O → ℘A of the pairs ⟨u, i⟩ ∈ S × O to the (possibly empty) sets of actions B_q(u, i) ⊆ A which the subject u attempts to execute on the object i
access control
enforced by preventing the accesses in B_q(u, i) that are not permitted in M_q(u, i), i.e. by ensuring B_q(u, i) ⊆ M_q(u, i)
security model
consists of the following data for each state q ∈ Q:
- a permission matrix M_q : S × O → ℘A
- an access matrix B_q : S × O → ℘A
- a clearance map cℓ_q : S → L
- a location map pℓ_q : S ∪ O → L
secure state
a state q in which the conditions of authorization (B_q(u, i) ⊆ M_q(u, i)), clearance (a subject's location pℓ_q(u) does not exceed its clearance cℓ_q(u)), no-read-up and no-write-down are satisfied for all subjects u ∈ S and objects i ∈ O
no-read-up
only a subject cleared to enter the vault can "read" an object stored in it
no-write-down
a subject inside the vault cannot give ("write") an object out of the vault; only a subject outside the vault can write to objects outside it
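The permission matrix, access matrix, clearance and location maps above, with the four secure-state conditions checked over a small constructed state. This is an added example, not code from the page or the course it summarizes; the three-level lattice (public < internal < vault), the subject and object names, and the exact formulation of the clearance, no-read-up and no-write-down conditions in terms of cℓ_q and pℓ_q are assumptions chosen to match the page's informal "vault" description (the standard Bell-LaPadula reading). It also shows that enforcing access control (dropping attempts M_q does not permit) does not by itself make a state secure when M_q is badly configured.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed lattice of levels L (not on the page): public < internal < vault.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "vault": 2}

Cell = Tuple[str, str]  # a pair <u, i> in S x O


@dataclass
class State:
    """The data of the security model at one state q."""
    S: Set[str]                 # subjects
    O: Set[str]                 # objects
    A: Set[str]                 # actions
    M: Dict[Cell, Set[str]]     # permission matrix M_q : S x O -> P(A)
    B: Dict[Cell, Set[str]]     # access matrix   B_q : S x O -> P(A) (attempted accesses)
    cl: Dict[str, str]          # clearance map   cl_q : S -> L
    pl: Dict[str, str]          # location map    pl_q : S u O -> L

    def permitted(self, u: str, i: str) -> Set[str]:
        return self.M.get((u, i), set())

    def attempted(self, u: str, i: str) -> Set[str]:
        return self.B.get((u, i), set())


Violation = Tuple[str, str, Optional[str]]  # (condition, subject, object or None)


def violations(q: State) -> List[Violation]:
    """List every secure-state condition that fails at q; an empty list means q is secure."""
    out: List[Violation] = []
    for u in sorted(q.S):
        # clearance: a subject's current location never exceeds its clearance (assumed reading)
        if LEVELS[q.pl[u]] > LEVELS[q.cl[u]]:
            out.append(("clearance", u, None))
        for i in sorted(q.O):
            att = q.attempted(u, i)
            # authorization: every attempted access is permitted, B_q(u,i) subset of M_q(u,i)
            if not att <= q.permitted(u, i):
                out.append(("authorization", u, i))
            # no-read-up: only a subject cleared for the object's level may read it
            if "read" in att and LEVELS[q.pl[i]] > LEVELS[q.cl[u]]:
                out.append(("no-read-up", u, i))
            # no-write-down: a subject inside the vault may not write an object out of it
            if "write" in att and LEVELS[q.pl[i]] < LEVELS[q.pl[u]]:
                out.append(("no-write-down", u, i))
    return out


def is_secure(q: State) -> bool:
    return not violations(q)


def example_state() -> State:
    """Constructed sample state: two subjects, two objects, chosen so that several rules trip."""
    return State(
        S={"alice", "bob"},
        O={"ledger", "memo"},
        A={"read", "write"},
        M={
            ("alice", "ledger"): {"read", "write"},
            ("alice", "memo"): {"read", "write"},
            ("bob", "ledger"): {"read"},      # permitted by M_q, although bob is not cleared for the vault
            ("bob", "memo"): {"read", "write"},
        },
        B={
            ("alice", "ledger"): {"read"},            # reading at her own level: fine
            ("alice", "memo"): {"write"},             # writing from the vault down to public: no-write-down
            ("bob", "ledger"): {"read", "write"},     # read: no-read-up; write: not in M_q, so unauthorized
            ("bob", "memo"): {"read", "write"},       # fine
        },
        cl={"alice": "vault", "bob": "internal"},
        pl={"alice": "vault", "bob": "public", "ledger": "vault", "memo": "public"},
    )


def enforce(q: State) -> State:
    """Access control as the page describes it: drop the attempted accesses M_q does not permit."""
    kept = {cell: att & q.permitted(*cell) for cell, att in q.B.items()}
    return State(q.S, q.O, q.A, q.M, kept, q.cl, q.pl)


if __name__ == "__main__":
    q = example_state()
    for v in violations(q):
        print(v)
    print("secure after enforcement?", is_secure(enforce(q)))
```

Running it lists three violations at the sample state; after enforcement the unauthorized write disappears, but the no-read-up and no-write-down violations survive because M_q itself permits them, which is the point of the "security models vs secure states" card below: having a model and enforcing it is not the same as being in a secure state.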
security models vs secure states
a system that has a security model may be insecure
there are models where formally secure states permit obvious attacks
declassification
a security operation: it should not be prevented but controlled
discretionary access control
authorizations can be delegated
mandatory access control
where authorizations are centrally managed
liveness
good things do happen: the system performs its functions; a security requirement
safety
bad things don't happen: protection from natural hazards; a security requirement
security
protection from intentional attacks; a safety requirement
data
what we know: can be copied and given away
things
what we have: can be given away but not copied
traits
what we are: can be neither copied nor given away
protocol
assigns roles to actors
honesty, trust, privacy
security vs privacy
security is REQUIRED
privacy is a RIGHT
resource security system
authorization: bad resource calls don't happen
availability: good resource calls do happen
information security system
secrecy: bad information flows don't happen
authenticity: good information flows do happen
social choice and market economy systems
neutrality: bad data aggregations don't happen
fairness: good data aggregations do happen