Access control models and policies
Tuomas Aura
T-110.4206 Information security technology

Outline
1. Access control
2. Discretionary AC
3. Mandatory AC
4. Other AC models

ACCESS CONTROL
Access control (AC)
- Subjects request actions on objects
  - Alice wants to read a file
  - Bob wants to update an account balance
  - A process wants to open a socket
- AC = authentication + authorization
  - authentication = verifying the identity of the subject
  - authorization = checking that the subject has the right to perform the requested action on the object

Reference monitor
(Diagram: subjects send access requests to the reference monitor, which consults the access rules, grants or denies access to objects, and writes events to the audit trail)
- Reference monitor controls access by subjects to objects
  - Grants or denies access requests
  - Logs events to an audit trail
  - Follows rules set by administrators (i.e. implements a policy)
- Trusted computing base (TCB) = all system components that need to be trusted
- Security kernel = implementation of a reference monitor in an OS
- But more about the implementation later; now we are talking about policies
Access control matrix
- Access control matrix is the simplest AC model
- M : Subjects × Objects → Actions

              | Alice       | Bob  | Process 4567 | Process 6789
    file1.txt | read, write | read | read, write  | append
    file2.txt | write       | read | -            | -
    Socket s  | -           | -    | -            | open, read, write, close

- AC matrix represents the protection state of a system

Protection systems
- AC matrix represents the protection state, not the dynamics
- Subjects and AC matrix cells can also be objects
  - Access to them is controlled by the matrix
- Protection state transitions
  - Subjects may grant and remove access rights
  - Subjects may create and destroy subjects and objects
- Early research on computer security studied protection systems with different definitions of state transitions
  - Safety question: given an initial protection state and rules for transitions, can subject s get the access right r?
  - E.g. HRU model (safety undecidable), take-grant model (safety decidable)
DISCRETIONARY ACCESS CONTROL

Discretionary access control (DAC)
- Data owners, usually users, set access rights
- Subjects are trusted to make decisions about sharing access rights with others
  - Users decide who is allowed to access their files
  - User who can read a secret file can also print and email it
  - Process that can read a secret file can also send it to the network
- DAC is also called identity-based AC
- Typical in commercial and consumer systems
- There may be a policy against sharing and access may be audited, but it is not enforced
- Examples of DAC outside computers:
  - Someone with a key can open the door to others; door keys can be shared and copied
  - Tell your friends a secret on the condition that they do not tell it to anyone else

Access control list (ACL)
- ACL = list of the access rights associated with an object
- ACLs are another way to represent the AC matrix: one row of the matrix is stored with each object
  - file1.txt ACL: Alice: { read, write }; Bob: { read }; Process 4567: { read, write }; Process 6789: { append }.
  - file2.txt ACL: Alice: { write }; Bob: { read }.
  - Socket s ACL: Process 6789: { open, read, write, close }.
- ACL examples: card keys, table reservations, Windows file system

Capabilities
- Capability = an access right associated with the subject
- Capabilities are another way to represent the AC matrix: one column of the matrix is stored with each subject
  - Alice's capabilities: file1.txt: { read, write }; file2.txt: { write }.
  - Bob's capabilities: file1.txt: { read }; file2.txt: { read }.
  - Process 4567 capabilities: file1.txt: { read, write }.
  - Process 6789 capabilities: file1.txt: { append }; Socket s: { open, read, write, close }.
- Examples of capabilities: metal keys, driver's license, parking permit
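The following is an added example, not part of the lecture slides: the access control matrix from the slides stored as a nested dictionary, the reference-monitor decision as a cell lookup, and the two slicings the slides describe (an ACL per object, a capability list per subject). It also shows a DAC-style state transition: a grant that only the object's owner may perform. The owner assignments (Alice owns file1.txt, Bob owns file2.txt, Process 6789 owns Socket s) are an assumption of this example; the slides do not name owners.

```python
from typing import Dict, FrozenSet

Subject = str
Object = str
Action = str
Rights = FrozenSet[Action]

# The access control matrix M : Subjects x Objects -> set of Actions, filled
# with the slides' example values.  A missing cell means "no rights".
MATRIX: Dict[Subject, Dict[Object, Rights]] = {
    "Alice": {"file1.txt": frozenset({"read", "write"}),
              "file2.txt": frozenset({"write"})},
    "Bob": {"file1.txt": frozenset({"read"}),
            "file2.txt": frozenset({"read"})},
    "Process 4567": {"file1.txt": frozenset({"read", "write"})},
    "Process 6789": {"file1.txt": frozenset({"append"}),
                     "Socket s": frozenset({"open", "read", "write", "close"})},
}

# Assumed owners (not in the slides); needed for the DAC rule that only the
# owner of an object may change the rights on it.
OWNER: Dict[Object, Subject] = {"file1.txt": "Alice", "file2.txt": "Bob",
                                "Socket s": "Process 6789"}


def allowed(matrix: Dict[Subject, Dict[Object, Rights]],
            subject: Subject, action: Action, obj: Object) -> bool:
    """Reference-monitor decision: grant iff the action is in the cell M[s][o]."""
    return action in matrix.get(subject, {}).get(obj, frozenset())


def acl(matrix: Dict[Subject, Dict[Object, Rights]], obj: Object) -> Dict[Subject, Rights]:
    """ACL view: the matrix row of one object, i.e. every subject's rights on it."""
    return {s: row[obj] for s, row in matrix.items() if obj in row}


def capabilities(matrix: Dict[Subject, Dict[Object, Rights]],
                 subject: Subject) -> Dict[Object, Rights]:
    """Capability view: the matrix column of one subject, i.e. all its rights."""
    return dict(matrix.get(subject, {}))


def grant(matrix: Dict[Subject, Dict[Object, Rights]], granter: Subject,
          grantee: Subject, obj: Object, action: Action) -> bool:
    """DAC state transition: the owner of an object adds a right to a cell.
    Returns False (matrix unchanged) if the granter does not own the object."""
    if OWNER.get(obj) != granter:
        return False
    row = matrix.setdefault(grantee, {})
    row[obj] = row.get(obj, frozenset()) | {action}
    return True


def revoke_subject(matrix: Dict[Subject, Dict[Object, Rights]], subject: Subject) -> int:
    """Remove every right of one subject and return how many were removed.
    This is one column in the capability view; with per-object ACLs the same
    operation means scanning the ACL of every object."""
    removed = sum(len(r) for r in matrix.get(subject, {}).values())
    matrix.pop(subject, None)
    return removed
```

The asymmetry between the two views is the practical point: answering "who can access file1.txt?" is one lookup with ACLs but a scan of every subject with capabilities, while "remove everything Process 6789 can do" is the reverse.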
MANDATORY ACCESS CONTROL

Mandatory access control (MAC)
- Access rights are based on rules (i.e. policy) set by administration
- The AC policy is enforced and cannot be changed by users
- A subject with access is prevented from leaking it to others
  - User can read a secret file but cannot copy, print or email it; file viewer application prevents cut-and-paste and screenshots
  - One process can access the Internet, another write files to the disk
- MAC is also called rule-based AC
- MAC originates from military policies
  - Intelligence officer may not be allowed to read his own reports
  - Officer can read a secret plan but cannot take a copy out of the room
  - Officer who has contact with foreign agents may lose access to classified information
- MAC is also needed in DRM and malware isolation
  - Alice can play the music she has purchased, but cannot share it
  - Host firewall may block potential spyware from making outbound connections to the network to prevent information leaks
Mandatory access control (MAC)
- Examples of MAC-like systems outside computers:
  - Biometric authentication cannot be shared, e.g. photo on driver's license or signature on credit card
  - Admit-one event tickets: UC stamps, shredding bracelets
  - In the UK, jurors must not read newspapers or watch TV about the case so that they are not influenced by them

Clearance and classification
- Mandatory access control rules are often based on security labels on subjects and objects
  - Subject clearance, object classification: l : (Subjects ∪ Objects) → Labels
  - Label example: Top secret > Secret > Confidential > Unclassified
- Labels depend on the organization but should form a lattice (i.e. a partial order with join and meet operations)
- Simple security property: S can read O iff l(S) ≥ l(O)

Multi-level security
- Example: military security labels
  - Levels: top secret > secret > confidential > unclassified
  - Categories = { army, navy, air force }
  - Labels = Levels × P(Categories)
  - Domination relation: <level1, categories1> ≥ <level2, categories2> iff level1 ≥ level2 and categories1 ⊇ categories2
- Security based on clearance and classification levels is also called multi-level security (MLS)
- How to define labels for commercial systems?
- Theoretical publications often consider only two labels: high > low
Labels
- Finnish government: Asetus viranomaisten toiminnan julkisuudesta ja hyvästä tiedonhallintatavasta 12.11.1999/1030 (Decree on the Openness of Government Activities and on Good Practice in Information Management), http://www.finlex.fi/fi/laki/ajantasa/1999/19991030

Bell-LaPadula model
- Bell-LaPadula (BLP) is a MAC policy for protecting secrets
  - Military security model for computers; the military is mostly concerned with protecting secrets
- Observation: the simple security property is not sufficient to prevent secrets from leaking
- Bell-LaPadula:
  - Simple security property: S can read O iff l(S) ≥ l(O)
  - *-property: S can write O iff l(O) ≥ l(S)
  - Also called: no read up, no write down

Biba model
- In computer systems, integrity of data and the system is often more important than confidentiality
  - Which is more important in a bank's IT systems?
  - Hackers, malware, backdoors and rootkits
- Biba is a MAC policy for protecting the integrity of data
- Biba is the dual of Bell-LaPadula:
  - S can write O iff l(S) ≥ l(O)
  - S can read O iff l(O) ≥ l(S)
  - Also called: no write up, no read down
- Examples:
  - Web application open in a browser should not write to the file system
  - Type safety should prevent communication between Java or .NET applications running in the same runtime environment
Information flow security
- BLP and Biba are information flow policies
  - BLP prevents flow of information from high to low
  - Biba prevents flow of information from low to high
- Information flow policies are the basis for many security proofs.
- Typical proofs show non-interference: the view of one subject is not affected by the data of the other
  - low output does not depend on high input, or
  - high output does not depend on low input
(Figure: a system with a high input and a low input producing a high output and a low output)
- How to combine BLP and Biba?

High water mark, low water mark
- What happens to the classification when you combine low and high information?
- High water mark policy for secrecy: always set the classification to the highest input
- Low water mark policy for integrity: always set the classification to the lowest input
- Problem: over time, all documents will become top secret with the lowest integrity level

Upgrading and downgrading
- In practice, security levels need to be changed
  - E.g. downgrading documents for publication, upgrading conclusions produced from low data
  - E.g. upgrading intelligence reports that aggregate a lot of low-level data
- Documents may need to be sanitized (i.e. redacted) before downgrading
  - Sanitization may be difficult, e.g. painting a black box over text in a PDF with Acrobat
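The following is an added example and not code from the slides. It implements the label lattice of the clearance, classification and multi-level security slides (levels × category sets with the domination relation, join and meet), the Bell-LaPadula and Biba access checks on top of it, and the high and low water mark rules. The level names follow the slides; the check functions, the `Label` class and the `high_water_mark`/`low_water_mark` helpers are names chosen here. Biba labels have the same lattice shape but are integrity labels, so a real system keeps them separate from the secrecy labels.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Ordered security levels, lowest first (from the slides).
LEVELS = ("unclassified", "confidential", "secret", "top secret")


@dataclass(frozen=True)
class Label:
    """A label <level, categories> drawn from Levels x P(Categories)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    @property
    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: "Label") -> bool:
        """<l1,c1> >= <l2,c2> iff l1 >= l2 and c1 is a superset of c2."""
        return self.rank >= other.rank and self.categories >= other.categories

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the higher level, union of the categories."""
        return Label(LEVELS[max(self.rank, other.rank)],
                     self.categories | other.categories)

    def meet(self, other: "Label") -> "Label":
        """Greatest lower bound: the lower level, intersection of the categories."""
        return Label(LEVELS[min(self.rank, other.rank)],
                     self.categories & other.categories)


# Bell-LaPadula on secrecy labels: no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)        # simple security property: l(S) >= l(O)


def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)        # *-property: l(O) >= l(S)


# Biba on integrity labels (same lattice shape): no write up, no read down.
def biba_can_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)


def biba_can_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)


def high_water_mark(inputs: Iterable[Label]) -> Optional[Label]:
    """Secrecy label of data derived from several inputs: the join of all of them.
    Applied repeatedly, the label can only climb, which is the slides' problem
    that eventually everything becomes top secret."""
    result: Optional[Label] = None
    for lab in inputs:
        result = lab if result is None else result.join(lab)
    return result


def low_water_mark(inputs: Iterable[Label]) -> Optional[Label]:
    """Integrity label of data derived from several inputs: the meet of all of them.
    Applied repeatedly, the label can only sink."""
    result: Optional[Label] = None
    for lab in inputs:
        result = lab if result is None else result.meet(lab)
    return result
```

Note that a subject cleared for secret/{army} cannot read a confidential/{navy} document even though its level is higher: domination requires both the level and the category set to dominate, which is what makes the label set a lattice rather than a simple chain.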
OTHER ACCESS CONTROL MODELS

Clark-Wilson model
- Data integrity cannot always be expressed in terms of MLS, i.e. who has access to what data
  - E.g. transfers between bank accounts must not change the total balance
- Integrity in many commercial systems depends on following the correct procedures
- Clark-Wilson model defines rules for commercial systems for how to maintain data integrity:
  - Transactions must transform data items from a consistent state to another consistent state
  - Auditing and procedural controls to enforce this
  - (The specific rules could be different in each system)
- Accounting rules as a model for security policy

Chinese Wall model
- Conflicts of interest are common in the commercial world:
  - Consulting company, investment house, or law office may be advising competing clients and must keep their information separate
  - The clients are assigned to different employees who do not exchange information between them
- To avoid conflicts of interest, the access control policy must take into account the information previously accessed by the subject
- Chinese Wall model: If subject S has previously accessed an object O and the objects O and O' are in a conflict of interest, then S may not access O'
  - Subject can fall to one side of the wall or the other, but cannot change sides later

Separation of duty
- Chinese Wall is an example of separation of duty
- Other separation of duty policies:
  - Expense claim requires two signatures: the claimant and an authorized approver, e.g. department manager, but nobody is allowed to approve their own expenses
  - Auditors are often required to be outsiders
  - Keys to a safe may be given to two different persons
- Unlike BLP and Biba, separation of duty policies are stateful
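The following is an added example, not from the slides, covering the Chinese Wall and separation of duty slides. The Chinese Wall policy is stateful: the decision for a request depends on what the subject has accessed before, so the monitor must keep a per-subject history, and every granted access changes the protection state. The two-signature expense rule is included as a second, simpler separation-of-duty check. Conflict-of-interest classes, client names and user names are constructed for this example.

```python
from typing import Dict, Optional, Set

# Conflict-of-interest classes: each set holds competing clients whose data the
# same employee must never see both of.  Constructed sample data.
CONFLICT_CLASSES: Dict[str, Set[str]] = {
    "banks": {"Bank A", "Bank B"},
    "oil companies": {"Oil X", "Oil Y"},
}


class ChineseWall:
    """Chinese Wall policy: whether S may access O' depends on the objects O
    that S has accessed before and on which conflict class O' belongs to."""

    def __init__(self, classes: Dict[str, Set[str]]):
        self.classes = classes
        # subject -> client datasets already accessed (the policy state)
        self.history: Dict[str, Set[str]] = {}

    def conflict_class(self, obj: str) -> Optional[str]:
        """Name of the conflict class an object belongs to, or None if it
        is in no class (public information, no conflict)."""
        for name, members in self.classes.items():
            if obj in members:
                return name
        return None

    def may_access(self, subject: str, obj: str) -> bool:
        """Decision without changing state."""
        cls = self.conflict_class(obj)
        if cls is None:
            return True
        for seen in self.history.get(subject, ()):
            if seen != obj and self.conflict_class(seen) == cls:
                return False      # subject is already on the other side of the wall
        return True

    def access(self, subject: str, obj: str) -> bool:
        """Decide and, if granted, record the access in the history."""
        if not self.may_access(subject, obj):
            return False
        self.history.setdefault(subject, set()).add(obj)
        return True


def approve_expense(claimant: str, approver: str, authorized_approvers: Set[str]) -> bool:
    """Two-signature rule from the slides: the second signature must come from an
    authorized approver, and nobody approves their own claim."""
    return approver in authorized_approvers and approver != claimant
```

Re-reading the same client's data is always allowed: the wall only blocks the competing client in the same class, and only after the first side has been chosen. Objects outside every class are unrestricted, which is how public or in-house material is modelled.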
Groups and roles
- Adding structure to policies
  - Group = set of subjects, e.g. Administrators, T-110.4206-students
  - Role = set of permissions (i.e. permitted actions on objects)
- Both are forms of indirection
(Diagram: many-to-many relation Subjects *–* Roles or groups *–* Objects × Actions)
- Role-based access control (RBAC):
  - Modeling high-level roles in an organization, e.g. Doctor, Nurse, Student, Lecturer, Course-assistant
  - Roles may be parameterized: Treating doctor of Mr. Smith, Lecturer or Student of T-110.4206
  - Roles are assigned for the longer term but activated on demand for each session
  - Constraints on assignment and activation implement separation of duty

Other access control models
- Originator-controlled AC (ORCON)
  - Creator of data retains control over access to it
- Attribute-based AC
  - Access control is based on subject attributes instead of subject identity
  - AC = attribute verification + authorization
  - E.g. need to be 18 to buy tobacco; need to be an Aalto student to access course material
  - Enables anonymous access
  - Double-blinded review for scientific journals
- Many other AC models have been proposed
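The following is an added example, not from the slides, for the groups-and-roles slide: a small RBAC engine with the three pieces the slide names, long-term role assignment, per-session activation, and constraints on both. A static separation-of-duty constraint forbids assigning two roles to the same user; a dynamic one allows the assignment but forbids activating both in one session. The course roles and permissions are modelled on the slide's examples with T-110.4206 as the parameter; the class and method names are chosen here.

```python
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]   # (action, object)


class RBAC:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.user_roles: Dict[str, Set[str]] = {}      # long-term assignments
        self.sessions: Dict[str, Set[str]] = {}        # user -> roles active now
        self.static_sod: Set[FrozenSet[str]] = set()   # may not be assigned together
        self.dynamic_sod: Set[FrozenSet[str]] = set()  # may not be active together

    def add_role(self, role: str, perms: Set[Permission]) -> None:
        self.role_perms[role] = set(perms)

    def add_constraint(self, a: str, b: str, static: bool) -> None:
        (self.static_sod if static else self.dynamic_sod).add(frozenset({a, b}))

    @staticmethod
    def _conflicts(role: str, others: Set[str], pairs: Set[FrozenSet[str]]) -> bool:
        return any(frozenset({role, o}) in pairs for o in others)

    def assign(self, user: str, role: str) -> bool:
        """Long-term assignment, refused if it violates a static SoD constraint."""
        if role not in self.role_perms:
            return False
        held = self.user_roles.setdefault(user, set())
        if self._conflicts(role, held, self.static_sod):
            return False
        held.add(role)
        return True

    def activate(self, user: str, role: str) -> bool:
        """Activate an assigned role for the session, subject to dynamic SoD."""
        if role not in self.user_roles.get(user, set()):
            return False
        active = self.sessions.setdefault(user, set())
        if self._conflicts(role, active, self.dynamic_sod):
            return False
        active.add(role)
        return True

    def deactivate(self, user: str, role: str) -> None:
        self.sessions.get(user, set()).discard(role)

    def check(self, user: str, action: str, obj: str) -> bool:
        """Authorization: some *active* role of the user carries the permission.
        An assigned but inactive role grants nothing."""
        return any((action, obj) in self.role_perms[r]
                   for r in self.sessions.get(user, set()))


def course_policy(course: str = "T-110.4206") -> RBAC:
    """Roles from the slide, parameterized by course through the object names."""
    p = RBAC()
    p.add_role("Student", {("read", f"{course} material"), ("submit", f"{course} exercises")})
    p.add_role("Course-assistant", {("grade", f"{course} exercises")})
    p.add_role("Lecturer", {("edit", f"{course} material"), ("grade", f"{course} exercises")})
    # static SoD: nobody both takes and lectures the same course
    p.add_constraint("Student", "Lecturer", static=True)
    # dynamic SoD: a student who also assists may wear only one hat per session
    p.add_constraint("Student", "Course-assistant", static=False)
    return p
```

The dynamic constraint is what lets a user legitimately hold two conflicting roles (a student who is also a course assistant) while making sure a single session never carries both sets of permissions at once; a group, being just a set of subjects with no activation step, cannot express that distinction.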
Reading material
- Dieter Gollmann: Computer Security, 2nd ed., chapters 4, 8, 9
- Matt Bishop: Introduction to Computer Security, chapters 2-7
- Edward Amoroso: Fundamentals of Computer Security Technology, chapters 6-13
- Ross Anderson: Security Engineering, 2nd ed., chapter 8

Exercises
- What different ways are there to combine Bell-LaPadula and Biba policies to protect both confidentiality and integrity of data? What problems arise?
- What security labels and MAC policy would be suitable for Noppa?
- Define RBAC roles that could be used in the implementation of Noppa.
- To what extent can your RBAC policy (see above) be implemented with groups?