Access Control Mechanisms

Transcription

1 Access Control Mechanisms Week 11 P&P: Ch 4.5, 5.2, 5.3 CNT-4403: 26.March

2 In this lecture Access matrix model Access control lists versus Capabilities Role Based Access Control File Protection Mechanisms Security Policies Models of Security CNT-4403: 26.March

3 Access Matrix Model (Lampson 1971) Objects (and Subjects) F G S u b j e c t s A B r w own r r w own rights CNT-4403: 26.March

4 Basic Abstractions Subjects Objects Rights The rights in a cell specify the access of the subject (row) to the object (column) CNT-4403: 26.March

5 Users and Principals Alice USERS Real World User PRINCIPALS Unit of Access Control and Authorization The system authenticates the user in context of a particular principal CNT-4403: 26.March

6 Users and Principals: Example 1 Alice.CHAIRPERSON Alice.FACULTY Alice Alice. EMPLOYEE Alice.SUPER-USER USER PRINCIPALS CNT-4403: 26.March

7 Users and Principals: Example 2 Bob.TOP-SECRET Bob.SECRET Bob B Bob.CONFIDENTIAL Bob.UNCLASSIFIED USER PRINCIPALS CNT-4403: 26.March

8 More Users and Principals There should be a one-to-many mapping from users to principals A user may have many principals, but Each principal is associated with an unique user This ensures accountability of a user's actions Shared accounts (principals) are bad for accountability CNT-4403: 26.March

9 Principals and Subjects A subject is a program (application) executing on behalf of a principal A principal may at any time be idle, or have one or more subjects executing on its behalf CNT-4403: 26.March

10 Principals and Subjects: Example Mail Application Word Processors Bob.SECRET Spreadsheet Database App PRINCIPAL SUBJECTS CNT-4403: 26.March

11 Principals and Subjects Usually (but not always) Each subject is associated with a unique principal All subjects of a principal have identical rights (equal to the rights of the invoking principal) This case can be modeled by a one-to-one mapping between subjects and principals For simplicity, a principal and subject can be treated as identical concepts. CNT-4403: 26.March

12 Objects Anything on which a subject can perform operations (mediated by rights) Usually objects are passive, for example: File Directory (or Folder) Memory segment But, objects can also be subjects with operations kill suspend resume CNT-4403: 26.March

13 Access Matrix Model Objects (and Subjects) F G S u b j e c t s A B r w own r r w own rights CNT-4403: 26.March

14 Access Matrix Implementation Access Matrix can be sparse Space inefficient Instead Access Control Lists Capabilities Relations CNT-4403: 26.March

15 Access Control List - ACL Maintained for each object (or subject) No entries when no permissions G: ACL A r B r B w B own Each column of the access matrix is stored with the object corresponding to that column CNT-4403: 26.March

16 Capability Unforgeable token that gives possesor certain rights Object to which access is permitted Right for the object F How to make it unforgeable r Capability giving the right to read object F 1. Only OS can access capability user gets a pointer 2. Encrypted capabilities access control mechanism has key CNT-4403: 26.March

17 Capability List: C-List F r F w F own G r Alice Each row of the access matrix is stored with the subject corresponding to that row CNT-4403: 26.March

18 Access Control Relations Subject Access Object A r F A w F A own F A r G B r G B w G B own G Commonly used in relational database management systems CNT-4403: 26.March

19 In this lecture Access matrix model Access control lists versus Capabilities Role Based Access Control File Protection Mechanisms Security Policies Models of Security Some exercises CNT-4403: 26.March

20 ACLs vs. Capabilities ACL's require authentication of subjects Capabilities do not require authentication of subjects, but do require Unforgeability Control of propagation of capabilities CNT-4403: 26.March

21 ACLs vs. Capabilities: Access Review ACL's provide for superior access review on a per-object basis Who has access to this object But hard to see to what a subject has access How would you do that? Capabilities provide for superior access review on a per-subject basis What capabilities does this subject have But hard to see who has access to an object CNT-4403: 26.March

22 ACLs vs. Capabilities: Revocation How do you revoke access of a subject to an object ACL's provide for superior revocation facilities on a per-object basis 1. Scan object s ACL 2. Remove subject from list (if present) But hard to revoke all rights of a subject Capabilities provide for superior revocation facilities on a per-subject basis But hard to revoke all rights on an object (for all subjects) CNT-4403: 26.March

23 ACLs vs. Capabilities: In the Real World The per-object basis usually wins Most OSs protect files by means of ACL's Operations centered on objects Unix: use an abbreviated form of ACL's with just three entries owner group other CNT-4403: 26.March

24 In this lecture Access matrix model Access control lists versus Capabilities Role Based Access Control File Protection Mechanisms Security Policies Models of Security Some exercises CNT-4403: 26.March

25 Role Based Access Control (RBAC) User-Role Assignment Permission-Role Assignment USERS ROLES PERMISSIONS A user s permissions are determined by the user s roles Rather than identity or clearance Roles can encode arbitrary attributes CNT-4403: 26.March

26 Basic RBAC User-Role Assignment Permission-Role Assignment USERS ROLES PERMISSIONS... SESSIONS CNT-4403: 26.March

27 Permissions Similar to capabilities Object on which permission is granted Right granted Primitive rights read, write, append, execute Permissions are positive No negative permissions or denials CNT-4403: 26.March

28 Roles as Policy A role brings together A collection of users and A collection of permissions Different from groups Groups are often defined as A collection of users CNT-4403: 26.March

29 Users Human beings or Other active agents Each individual should be known as exactly one user User-Role Assignment A user can have many roles Each role can be assigned to many users Sessions A user can invoke multiple sessions In each session a user can invoke any subset of roles that the user is a member of CNT-4403: 26.March

30 Permission-Role Assignment User-Role Assignment Permission-Role Assignment USERS ROLES PERMISSIONS A permission can be assigned to many roles Each role can have many permissions CNT-4403: 26.March

31 More Complex RBAC: Role Hierarchies Role Hierarchies User-Role Assignment Permission-Role Assignment USERS ROLES PERMISSIONS... SESSIONS CNT-4403: 26.March

32 Role Hierarchy: Example 1 Primary-Care Physician Specialist Physician Physician Health-Care Provider CNT-4403: 26.March

33 Role Hierarchy: Example 2 Supervising Engineer Hardware Engineer Software Engineer Engineer CNT-4403: 26.March

34 Role Hierarchy: Example 3 Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) PROJECT 1 Engineering Department (ED) PROJECT 2 Employee (E) CNT-4403: 26.March

35 In this lecture Access matrix model Access control lists versus Capabilities Role Based Access Control File Protection Mechanisms Security Policies Models of Security Some exercises CNT-4403: 26.March

36 File Protection Mechanisms Multi-user system Protect files from other users 1. All-None Protection 2. Group Protection 3. Temporary Acquired Permission CNT-4403: 26.March

37 All-None Protection Original IBM By default, files were public Anyone could r, w, del any file Users assumed Trustworthy Know only their files names Sysadmin could password protect certain files So could users Main Problem: Lack of trust CNT-4403: 26.March

38 Group Protection Unix systems: three classes The user Group of users associated with user - group The rest of users world Groups Members that share a common interest Need to share User can only belong to one group User belonging to groups A and B Can pass files from group A to group B CNT-4403: 26.March

39 Group Protection (cont d) For each created file, the user Assigns permissions for user, group, world From the set r, w, x Example: rwx rw- r-- Chmod 764 filename Suitable for paper shared by group Main Problem: User can belong to one group CNT-4403: 26.March

40 Temporary Acquired Permissions Unix systems set userid (suid) Only for executable files If set, the file executes with the permissions of the owner, not the executor Example: passwd operation that changes user passwd Only the system can change passwords access the password file But users should be able to invoke passwd passwd is suid: it executes with system privileges CNT-4403: 26.March

41 In this lecture Access matrix model Access control lists versus Capabilities Role Based Access Control File Protection Mechanisms Security Policies Models of Security CNT-4403: 26.March

42 Security Policies Statement of the security we expect the system to enforce Military Security Policy Commercial Security Policies Clark-Wilson Separation of Duty Chinese Wall Security Policy CNT-4403: 26.March

43 Military Security Policy Each object has a sensitivity level rank object Unclassified, restricted, confidential, secret, top secret Top Secret Information at a level is More sensitive than level below Less sensitive than level above Secret Confidential Restricted Unclassified CNT-4403: 26.March

44 Military Security Policy (cont d) Access according to need-to-know rule Information is associated to projects One or more Called compartments Example: Projects alpha and beta Both use secret information But staff on alpha does not need access to beta CNT-4403: 26.March

45 Dominance Classification of an object <rank; compartments> Clearance of subject Indication that subject can access information up to a level of sensitivity <rank; compartments> Dominance: s o (subject dominates object) rank s rank o and compartments o included in compartments s Then s can read o CNT-4403: 26.March

46 Dominance: Example Object classified <secret; {Sweden}> Accessible by subject with clearence <top secret; {Sweden}> : YES or NO? <secret; {Sweden, Denmark}>: YES or NO? <top secret; {Denmark}>: YES or NO? CNT-4403: 26.March

47 Commercial Security Policies Concerns Industrial espionage Corporate finance leaks Clark-Wilson Separation of Duty (read P&P: C 5.2 pg ) Chinese Wall Security Policy Brewer and Nash 89 CNT-4403: 26.March

48 Chinese Wall Security Policy Handles conflicts of interest in companies Person in company obtains sensitive information about competitors Three levels of abstraction Objects (e.g., files) concern a single company Company groups all objects pertaining to a company Conflict classes groups of competing companies Each object belongs to a single group Each company group belongs to single conflict class CNT-4403: 26.March

49 Chinese Wall Security: Example Advertising company with multiple clients Rule: no employee knows sensitive information on competitors Fobidden! Chocolate Comp. Banks Citicorp Airlines Suchard Credit Lyonais Lyonnais United Nestle Deutche Bank CNT-4403: 26.March

50 Chinese Wall Security: Example Advertising company with multiple clients Rule: no employee knows sensitive information on competitors Access to object granted only if First access to a conflict class Object is from same group as a previous access CNT-4403: 26.March

51 In this lecture Access matrix model Access control lists versus Capabilities Role Based Access Control File Protection Mechanisms Security Policies Models of Security CNT-4403: 26.March

52 Bell-LaPadula Model Formal description of the allowable paths of information flow in a secure system Describes allowable communication between subjects and object Formalization of the military security policy CNT-4403: 26.March

53 Bell-LaPadula: Example Construct systems that perform simultaneous accesses at data with different sensitivity Example: program A has top secret access, B only confidential A should not leak information to confidential data B should not access top secret data CNT-4403: 26.March

54 Bell-LaPadula Definition Set S of subjects: s S has clearance C(s) Set O of objects: o O has classification C(o) Ordered by relation - dominance Simple Security Property: s may read o only if C(o) C(s) Clearance of s dominates classification of o Star Property: s who has read access to o may write to object p only if C(o) C(p) The contents of o can only be written to objects at least that high Prevents write-down CNT-4403: 26.March

55 Bell-LaPadula Example High Write O 5 Write Clearance Sensitivity Read Bob Read O 4 Only if Carol does not have read access to higher level object! Write O 3 Write O2 Carol Write Read Alice Read O 6 O1 Low CNT-4403: 26.March