Database Security

The document summarizes two security models: 1. The access matrix model describes access rights between subjects (users) and objects using a matrix. It includes lists of subjects and objects and defines access rights like read, write, execute. Access control lists and capabilities are implementations of this model. 2. The take-grant model represents a system as a directed graph where vertices are subjects and objects and edges represent rights. There are four rules - take, grant, create, remove - that modify the graph to model changes in rights distribution. The take and grant rules specifically model the transfer of rights between subjects and objects.

Uploaded by

Grant Duncan

www.alljntuworld.in Smartworld.asia Specworld.in

UNIT-2

SECURITY MODEL-1
2.1 ACCESS MATRIX MODEL:

The access matrix model is the policy for user authentication, and has several
implementations such as access control lists (ACLs) and capabilities.
It is used to describe which users have access to what objects.

The access matrix model consists of four major parts:

i. A list of objects
ii. A list of subjects
iii. A function T which returns an object's type
iv. The matrix itself, with the objects making the columns and the subjects making
the rows

In the cells where a subject and object meet lie the rights the subject has
on that object. Some example access rights are read, write, execute, list and delete.
Example Access Matrix:

                         Objects
Subjects     index.html file    Java VM (Virtual Machine)
John Doe     rwld               x
Sally Doe    rl                 -

An access matrix has several standard operations associated with it:

i. Entry of a right into a specified cell
ii. Removal of a right from a specified cell
iii. Creation of a subject
iv. Creation of an object
v. Removal of a subject
vi. Removal of an object

Implementation:

The two most used implementations are access control lists and capabilities.
Access control lists are achieved by placing on each object a list of users and their
associated rights to that object. For example, if we have file1, file2 and file3, and
users (subjects) John and Sally, an access control list might look like:

             Objects (Files)
Users    File1    File2    File3
John     RWX      R-X      RW-
Sally    ---      RWX      R--

The rights are R (Read), W (Write) and X (Execute). A dash indicates the user does
not have that particular right. Thus, John does not have permission to execute File3,
and Sally has no rights at all on File1.

Capabilities are accomplished by storing on each subject a list of rights the subject has
for every object. This effectively gives each user a keyring. To remove access to a
particular object, every user (subject) that has access to it must be "touched". A touch
is an examination of a user's rights to that object and potentially removal of rights.
This brings back the problem of sweeping changes in access rights. Here is what an
implementation of capabilities might look like, using the above example:

Users
John     file1: RWX    file2: R-X    file3: RW-
Sally    file1: ---    file2: RWX    file3: R--
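
The six matrix operations, the ACL and capability views, and the revocation sweep described in this section, as an added Python example (not part of the original notes). The names AccessMatrix, revoke_object and constructed_matrix are illustrative assumptions, and the sample data is constructed from the John/Sally table.

```python
class AccessMatrix:
    """Rows are subjects, columns are objects; each cell holds a set of rights."""
    def __init__(self, subjects=(), objects=()):
        self.objects = set(objects)
        self.rows = {s: {o: set() for o in self.objects} for s in subjects}

    def create_subject(self, subject):
        self.rows[subject] = {obj: set() for obj in self.objects}

    def create_object(self, obj):
        self.objects.add(obj)
        for row in self.rows.values():
            row[obj] = set()

    def remove_subject(self, subject):               # drops the whole row
        del self.rows[subject]

    def remove_object(self, obj):                    # drops the whole column
        self.objects.discard(obj)
        for row in self.rows.values():
            row.pop(obj, None)

    def enter(self, subject, obj, right):            # KeyError if either is unknown
        self.rows[subject][obj].add(right)

    def remove(self, subject, obj, right):
        self.rows[subject][obj].discard(right)

    def acl(self, obj):                              # column view: list kept on the object
        return {s: set(row[obj]) for s, row in self.rows.items() if row[obj]}

    def keyring(self, subject):                      # row view: capabilities kept on the subject
        return {o: set(r) for o, r in self.rows[subject].items() if r}


def revoke_object(store, obj, is_acl):   # returns how many stored lists were touched
    touched = [store] if is_acl else list(store.values())   # the ACL table vs. every keyring
    for entry in touched:
        entry.pop(obj, None)
    return len(touched)


def constructed_matrix():   # constructed from the notes' John/Sally table; "-" = right absent
    m = AccessMatrix(subjects=("John", "Sally"), objects=("File1", "File2", "File3"))
    table = {"John": "RWX R-X RW-", "Sally": "--- RWX R--"}
    for subject, row in table.items():
        for obj, cell in zip(sorted(m.objects), row.split()):
            m.rows[subject][obj] = set(cell) - {"-"}
    return m
```

Because remove_object drops the whole column, an object later re-created under the same name starts with no rights instead of inheriting stale ones.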

Access restrictions such as access control lists and capabilities sometimes are not
enough. In some cases, information needs to be tightened further, sometimes by an
authority higher than the owner of the information. For example, the owner of a top
secret document in a government office might deem the information available to
many users, but his manager might know the information should be restricted further
than that. In this case, the flow of information needs to be controlled -- secure
information cannot flow to a less secure user.

2.2 TAKE-GRANT MODEL:

The take-grant protection model is a formal model used in the field
of computer security to establish or disprove the safety of a given computer system
that follows specific rules. It shows that for specific systems the question of safety,
which is in general undecidable, is decidable in linear time.

The model represents a system as a directed graph, where vertices are either subjects or
objects. The edges between them are labelled and the label indicates the rights that the
source of the edge has over the destination. Two rights occur in every instance of the
model: take and grant. They play a special role in the graph rewriting rules describing
admissible changes of the graph.

There are a total of four such rules:

i. Take rule allows a subject to take rights of another object (add an edge
originating at the subject)
ii. Grant rule allows a subject to grant own rights to another object (add an
edge terminating at the subject)
iii. Create rule allows a subject to create new objects (add a vertex and an
edge from the subject to the new vertex)
iv. Remove rule allows a subject to remove rights it has over another
object (remove an edge originating at the subject)

Preconditions for take(o,p,r): subject s has the right Take for o; object o has the right r
on p.

Preconditions for grant(o,p,r): subject s has the right Grant for o; s has the right r on p.

Using the rules of the take-grant protection model, one can reproduce the states into
which a system can change, with respect to the distribution of rights. Therefore one can
show whether rights can leak with respect to a given safety model.

The Take-Grant protection model is a formal access control model, which represents
transformation of rights and information between entities inside a protection system.
This model was presented first by Jones et al. [8] to solve the “Safety Problem”. They
showed that using the Take-Grant model, the safety problem is decidable and can also be
solved in linear time according to the number of subjects and objects of the system.

In this model the protection state is represented as a directed finite graph. In
the graph, vertices are entities of the system and edges are labeled. Each label
indicates the rights that the source vertex of the corresponding edge has over the
destination vertex. Entities could be subjects (represented by ●), objects (represented
by ) or play both roles (represented by ⊗). The set of basic access rights is
denoted as R={t,g,r,w}, where t, g, r and w respectively stand for take, grant, read, and
write access rights. To model the rights transfer, the Take-Grant protection model uses a
set of rules called de-jure rules. These rules transform the Take-Grant graph to a new
state which reflects the modification of protection state in an actual system. The
de-jure rules are take, grant, create and remove. The take and grant rules are
described briefly as:

1. Take rule: Let x, y, and z be three distinct vertices in a protection graph G0 and let
x be a subject. Let there be an edge from x to y labeled γ where t∈γ, and an edge from y to
z labeled β. Then the take rule defines a new graph G1 by adding an edge to the
protection graph from x to z labeled α, where α⊆β. Fig. 1(a) shows the take rule
graphically.

2. Grant rule: Let x, y, and z be three distinct vertices in a protection graph G0 and
let x be a subject. Let there be an edge from x to y labeled γ where g∈γ, and an edge from
x to z labeled β. Then the grant rule defines a new graph G1 by adding an edge to the
protection graph from y to z labeled α, where α⊆β. Fig. 1(b) shows the grant rule
graphically.

Having the take right over another subject or object means that its owner can achieve
all rights of the associated subject or object unconditionally. However, obtaining the
rights through the grant rule requires cooperation of the grantor.

Fig. 1. (a) take rewriting rule. (b) grant rewriting rule.
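
The take and grant rules with their preconditions, as an added Python example (not part of the original notes). It goes one step beyond the text by saturating a graph under both rules to list every right that can leak, assuming all subjects cooperate and leaving create and remove out, so it is not the linear-time safety procedure itself. ProtectionGraph, saturate, constructed_example and the vertices s, p, q, doc are illustrative names, and the sample graph is constructed.

```python
class ProtectionGraph:
    """Take-grant protection state: labelled directed edges over R = {t, g, r, w}."""
    def __init__(self, subjects, objects=()):
        self.subjects = set(subjects)          # only subjects may apply a rule
        self.vertices = self.subjects | set(objects)
        self.edges = {}                        # (source, destination) -> set of rights

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def add_edge(self, src, dst, rights):
        self.edges.setdefault((src, dst), set()).update(rights)

    def _precondition(self, x, y, z, needed, holder, alpha):
        if len({x, y, z}) != 3 or not {x, y, z} <= self.vertices:
            raise ValueError("x, y and z must be three distinct vertices")
        if x not in self.subjects or needed not in self.rights(x, y):
            raise PermissionError(f"{x} must be a subject holding '{needed}' over {y}")
        if not set(alpha) <= self.rights(holder, z):
            raise PermissionError(f"{holder} does not hold {sorted(alpha)} over {z}")

    def take(self, x, y, z, alpha):     # needs t on x->y and alpha within label(y->z)
        self._precondition(x, y, z, "t", y, alpha)
        self.add_edge(x, z, alpha)      # new edge x -> z

    def grant(self, x, y, z, alpha):    # needs g on x->y and alpha within label(x->z)
        self._precondition(x, y, z, "g", x, alpha)
        self.add_edge(y, z, alpha)      # new edge y -> z


def saturate(g):
    """Apply take and grant in place until nothing changes (create/remove not modelled)."""
    changed = True
    while changed:
        changed = False
        for (x, y), xy in list(g.edges.items()):
            others = g.vertices - {x, y} if x in g.subjects else set()  # only subjects act
            for z in others:
                rules = (("t", x, g.rights(y, z)), ("g", y, g.rights(x, z)))  # take, grant
                for right, target, beta in rules:
                    if right in xy and not beta <= g.rights(target, z):
                        g.add_edge(target, z, beta)
                        changed = True


def constructed_example():   # constructed state: s -t-> p, p -g-> q, p -rw-> doc
    g = ProtectionGraph(subjects={"s", "p"}, objects={"q", "doc"})
    g.edges = {("s", "p"): {"t"}, ("p", "q"): {"g"}, ("p", "doc"): {"r", "w"}}
    return g
```

On the constructed graph, saturation gives s and q both read and write over doc, although neither had any edge to doc in the initial state.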
