Access Control: Discretionary Access Control
Outline: Access Control; Discretionary Access Control (DAC); Mandatory Access Control (MAC); Role-Based Access Control (RBAC)
Access Control. Access control is where security engineering meets computer science. Its function is to control which (active) subjects have access to which (passive) objects, and with which access operation. An access control policy specifies which subject can access which object: (subject, access operation, object).
Discretionary Access Control
Discretionary Access Control. Access to data objects (files, directories, etc.) is permitted based on the identity of users. Explicit access rules establish who can, or cannot, execute which actions on which resources. Discretionary: users can be given the ability to pass on their privileges to other users, where granting and revocation of privileges is regulated by an administrative policy.
Discretionary Access Control. DAC is flexible in terms of policy specification. This is the form of access control widely implemented in standard multi-user platforms: Unix, NT, Novell, etc.
Discretionary Access Control. The Access Control Matrix is used for the implementation. The access control matrix describes the protection state precisely: it is a matrix describing the rights of subjects, and state transitions change elements of the matrix.
Access Control Matrix Model. First identify the objects, subjects and actions/rights. The matrix describes the protection state of a system. The state of the system is defined by a triple (S, O, A): S is the set of subjects, O is the set of objects, A is the access matrix. Access control matrix: elements indicate the access rights that subjects have on objects; entry A[s, o] of the access control matrix is the privilege of s on o.
Access Control Matrix. Rows are subjects s1, ..., sn; columns are objects (entities) o1, ..., om. Subjects S = {s1, ..., sn}; Objects O = {o1, ..., om}; Rights R = {r1, ..., rk}. Entries A[si, oj] ⊆ R; A[si, oj] = {rx, ..., ry} means subject si has rights rx, ..., ry over object oj.
State of System: Example. Subject: Annie. Action: Paint. Object: Picture. Rule: a subject can paint the picture if time.hour >= 0 and time.hour < 5.
Example. At 3AM the time condition is met, and the ACM is: A[annie, picture] = {paint}. At 10AM the time condition is not met, and the ACM is: A[annie, picture] = {} (empty).
ACM Implementation. The ACM is an abstract model; rights may vary depending on the object involved. The ACM is implemented primarily in three ways: Authorization Table; Capabilities (rows); Access control lists (columns).
Authorization Table. Three columns: subjects, actions, objects. Generally used in DBMS systems.
Access Control List (ACL). The matrix is stored by column. Each object is associated with a list indicating, for each subject, the actions that the subject can exercise on the object.
Capability List. The matrix is stored by row. Each user is associated with a capability list indicating, for each object, the accesses that the user is allowed to exercise on the object.
A simple DAC Access Control matrix. Subjects: Alice, Bob, Oscar, Maco, Mary. Objects: File1, File2, File3, File4, File5. Alice: Own Read Read Write Read Write Execute Write Execute. Bob: Execute Read Own Read Write Execute Write. Oscar: Own Read Write Execute Execute. Maco: Read Write Own Read Write Execute Execute. Mary: Read Read Own Read Write Execute.
A simple DAC - Implement the ACM using the Access Control List - Write a function bool Determine(subject, action, object) returning the decision of the access request
ACL vs Capability List. With an ACL it is immediate to check the authorizations holding on an object. With a capability list it is immediate to determine the privileges of a subject. Distributed system: ACL or capability list? Authenticate once, then access various servers: ACL or capability list? Limited number of groups of users, authorization specified by the owner: ACL or capability list?
Basic Operations in Access Control. Grant permissions: inserting values in the matrix's entries. Revoke permissions: removing values from the matrix's entries. Check permissions: verifying whether the entry related to a subject s and an object o contains a given access mode.
Vulnerabilities of the Discretionary Policies. No control on the flow of information. Malicious code, e.g., a Trojan horse.
Example. Vicky, a top-level manager, is the owner of a file Market on the new products release. John, a subordinate of Vicky, creates a file called Stolen and an application with two hidden operations: Read on file Market, Write on file Stolen.
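The exercise above (Determine over an ACL-stored matrix) together with the grant, revoke and check operations, as an added example that is not part of the lecture slides. The subjects, objects and rights are constructed sample data, and the owner-based rule for who may grant or revoke is an assumed administrative policy.

```python
# Added example: an access control matrix stored by column (one ACL per
# object) with the check / grant / revoke operations of a discretionary policy.

class AclMatrix:
    def __init__(self, acl):
        # acl[object][subject] = set of rights, i.e. the entry A[subject, object]
        self.acl = acl

    def determine(self, subject, action, obj):
        """Check permission: is `action` contained in A[subject, obj]?
        Unknown objects or subjects have an empty entry, so the answer is False."""
        return action in self.acl.get(obj, {}).get(subject, set())

    def grant(self, granter, subject, action, obj):
        """Discretionary grant: assumed policy is that only a holder of Own on
        obj may insert rights into the object's column. Returns True on success."""
        if not self.determine(granter, "Own", obj):
            return False
        self.acl.setdefault(obj, {}).setdefault(subject, set()).add(action)
        return True

    def revoke(self, revoker, subject, action, obj):
        """Discretionary revoke, same owner-based policy as grant."""
        if not self.determine(revoker, "Own", obj):
            return False
        rights = self.acl.get(obj, {}).get(subject)
        if not rights or action not in rights:
            return False
        rights.discard(action)
        if not rights:                      # drop empty entries to keep the list compact
            del self.acl[obj][subject]
        return True

    def capability_list(self, subject):
        """Derive the row view (a capability list) from the column-stored ACLs."""
        return {obj: set(entries[subject])
                for obj, entries in self.acl.items() if subject in entries}


def sample_matrix():
    """Constructed sample data (not the slide's matrix)."""
    return AclMatrix({
        "File1": {"Alice": {"Own", "Read", "Write"}, "Bob": {"Read"}},
        "File2": {"Bob": {"Own", "Read", "Write", "Execute"}, "Alice": {"Execute"}},
    })
```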
Example. Restrictions should be enforced on the operations that processes themselves can execute. Mandatory policies provide a way to enforce information flow control through the use of labels.
Mandatory Access Control
Mandatory Access Control (MAC). Mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access, or generally perform some sort of operation on, an object or target. In mandatory access control, the access control policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted.
Mandatory Access Control (MAC). Sometimes called multilevel security (MLS). MLS allows users with different classification levels to get different views of the same data. MLS cannot allow downward leaking, meaning that a user with a lower classification cannot view data stored with a higher classification.
Example: classification levels TS, S, C, U, with information flow and dominance between them (figure).
Multilevel Security. In MLS, access classes can be assigned to subjects and objects. Bell-LaPadula Model: secrecy-based mandatory policies. Biba Model: integrity-based mandatory policies.
Bell-LaPadula Model (BLP). The Bell-LaPadula model was developed in 1973. It is an extension of the Access Matrix model with classified data. An access class in this model has two components: a classification and a set of categories.
Bell-LaPadula Model (BLP). Classification has four values {U, C, S, TS}: U = unclassified, C = confidential, S = secret, TS = top secret. Classifications are ordered: TS > S > C > U. The set of categories reflects the data environment and the application area, e.g., Nuclear, Army, Financial, Research. Example: in the USA, a SECRET clearance involves checking FBI fingerprint files.
Bell-LaPadula Model (BLP). An access class c1 dominates an access class c2 iff the security level of c1 is greater than or equal to that of c2 and the categories of c1 include those of c2.
Bell-LaPadula Model (BLP). The Bell-LaPadula model is based on a subject-object paradigm. Subjects are active elements of the system that execute actions. Objects are passive elements of the system that contain information. Subjects act on behalf of users who have a security level associated with them (indicating the level of system trust). Subjects and objects are assigned access classes.
Bell-LaPadula Model (BLP). Subjects execute access modes on objects. Access modes are: Read-only; Append (writing without reading); Execute; Read-write (writing known data).
Bell-LaPadula Model (BLP). To protect information confidentiality: No-read-up, a subject is allowed read access to an object only if the access class of the subject dominates the access class of the object. No-write-down, a subject is allowed write access to an object only if the access class of the subject is dominated by the access class of the object.
No-read-up & No-write-down. Can a TS subject write to an S object? Can an S subject write to a U object? How do these rules apply to the Trojan horse case?
Bell-LaPadula Model (BLP). The two main properties of this model for a secure system are the simple security property and the star property. Simple security means: a subject at a given security level may not read an object at a higher security level (no read-up). The star property means: a subject at a given security level must not write to any object at a lower security level (no write-down).
BLP: Problem. If I can write up, then what about writing files with blanks? Blind writing up may cause integrity problems, but not a confidentiality breach.
Bell-LaPadula Model. This model guarantees secrecy by preventing unauthorized release of information. This model does not protect from unauthorized modification of information.
The Biba Model. A model due to Ken Biba which is often referred to as Bell-LaPadula upside down. It deals with integrity alone and ignores confidentiality entirely. Each subject and object in the system is assigned an integrity classification: Crucial, Important, Unknown.
Integrity Level. The integrity level of a user reflects the user's trustworthiness for inserting, modifying, or deleting information. The integrity level of an object reflects both the degree of trust that can be placed in the information stored in the object, and the potential damage that could result from unauthorized modification of the information.
Two Principles. No-read-down: a subject is allowed read access to an object only if the integrity level of the object dominates the integrity level of the subject. No-write-up: a subject is allowed write access to an object only if the integrity level of the object is dominated by the integrity level of the subject.
Two Principles. Q: How to control both secrecy and integrity?
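The dominance relation, the BLP no-read-up/no-write-down rules, the Biba no-read-down/no-write-up rules, and the two models enforced together (one answer to the question above), as an added example that is not part of the slides. Level orderings follow the slides; the category names, file names and the labels given to Vicky, Market and Stolen are constructed.

```python
# Added example: access classes are (level, categories) pairs; dominance is
# checked against the ordering of whichever lattice the class belongs to.
SECRECY = {"U": 0, "C": 1, "S": 2, "TS": 3}                  # TS > S > C > U
INTEGRITY = {"Unknown": 0, "Important": 1, "Crucial": 2}


def dominates(c1, c2, order):
    """c1 dominates c2 iff level(c1) >= level(c2) and categories(c1) ⊇ categories(c2)."""
    (l1, cats1), (l2, cats2) = c1, c2
    return order[l1] >= order[l2] and frozenset(cats1) >= frozenset(cats2)


def blp_allows(mode, subj, obj):
    """Secrecy (BLP): read needs subject ≥ object (no-read-up); append, i.e.
    writing without reading, needs object ≥ subject (no-write-down);
    read-write needs both, so the two classes must be equal."""
    read_ok = dominates(subj, obj, SECRECY)
    write_ok = dominates(obj, subj, SECRECY)
    return {"read": read_ok, "append": write_ok,
            "read-write": read_ok and write_ok}[mode]


def biba_allows(mode, subj, obj):
    """Integrity (Biba), BLP upside down: read needs object ≥ subject
    (no-read-down); append needs subject ≥ object (no-write-up)."""
    read_ok = dominates(obj, subj, INTEGRITY)
    write_ok = dominates(subj, obj, INTEGRITY)
    return {"read": read_ok, "append": write_ok,
            "read-write": read_ok and write_ok}[mode]


def allows(mode, subj, obj):
    """Secrecy and integrity together: every entity carries one class in each
    lattice, and a request is granted only if both models permit it."""
    return (blp_allows(mode, subj["secrecy"], obj["secrecy"])
            and biba_allows(mode, subj["integrity"], obj["integrity"]))


# Trojan horse case from the slides with constructed labels: a process running
# for Vicky and her file Market are Secret; John's file Stolen is Confidential.
VICKY_PROCESS = {"secrecy": ("S", {"Financial"}), "integrity": ("Important", set())}
MARKET = {"secrecy": ("S", {"Financial"}), "integrity": ("Important", set())}
STOLEN = {"secrecy": ("C", set()), "integrity": ("Important", set())}
```

The hidden Read on Market succeeds, but the hidden Write on Stolen is refused by no-write-down, so the leak the DAC example allowed is blocked.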
Role-Based Access Control
Role-Based Access Control (RBAC). Access control decisions are based on the roles that individual users take on as part of the organization. Access rights that reflect the organization's protection guidelines are centrally controlled and maintained. With RBAC, role-permission relationships can be predefined, which makes it simple to assign users to the predefined roles. The combination of users and permissions tends to change over time, while the permissions associated with a role are more stable.
RBAC. Access control in organizations is based on roles that individual users take on as part of the organization. A role is a collection of permissions. Model components: Users; User Role Assignment; Roles (with Role Hierarchies); Role Permission Assignment; Permissions; Constraints.
RBAC. Access depends on role/function, not identity. Example: Allison is bookkeeper for the Math Dept. She has access to financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records. The role of bookkeeper dictates access, not the identity of the individual.
RBAC: Role Hierarchies. RH ⊆ Roles × Roles is a partial order called the inheritance relation, written ≥. If r1 ≥ r2 and user A is assigned to r1, then A is assigned to r2 too. Example hierarchy: Project Supervisor, Test engineer, Programmer, Project Member.
RBAC with General Role Hierarchy. RH (role hierarchy) over Roles; UA between Users and Roles; PA between Permissions and Roles, where Permissions are formed from Operations and Objects; user_sessions (one-to-many) between Users and Sessions; role_sessions (many-to-many) between Roles and Sessions.
Core RBAC (Relations). Permissions = 2^(Operations × Objects); UA ⊆ Users × Roles; PA ⊆ Permissions × Roles; RH ⊆ Roles × Roles; US ⊆ Users × Sessions; RS ⊆ Roles × Sessions.
RBAC with General Role Hierarchy. How to check if user A is authorized to permission p? Check if there exist a session s and roles r1, r2 such that: (A, s) ∈ US, r1 ≥ r2 in RH, (r2, s) ∈ RS, (A, r2) ∈ UA, and (r2, p) ∈ PA.
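The authorization check above over the Core RBAC relations, as an added example that is not part of the slides. It applies the hierarchy in the NIST RBAC sense, where a session's active role r1 inherits the permissions of every r2 with r1 ≥ r2; the users, permissions and the particular shape of the hierarchy (Project Supervisor above Test engineer and Programmer, both above Project Member) are constructed.

```python
# Added example: Core RBAC relations as sets of pairs, the reflexive-transitive
# closure of RH, and the check "is user u authorized to permission p?".

# RH holds (senior, junior) pairs, i.e. senior ≥ junior (constructed hierarchy).
RH = {("Project Supervisor", "Test engineer"), ("Project Supervisor", "Programmer"),
      ("Test engineer", "Project Member"), ("Programmer", "Project Member")}
ROLES = {r for pair in RH for r in pair}
UA = {("A", "Test engineer"), ("B", "Project Supervisor")}          # Users × Roles
PA = {(("read", "Spec"), "Project Member"),                           # Permissions × Roles
      (("run", "TestSuite"), "Test engineer"),
      (("commit", "Repo"), "Programmer")}
US = {("A", "s1"), ("B", "s2")}                                       # Users × Sessions
RS = {("Test engineer", "s1"), ("Project Supervisor", "s2")}          # Roles × Sessions


def closure(rh, roles):
    """Reflexive-transitive closure of RH: the full ≥ relation on roles."""
    ge = set(rh) | {(r, r) for r in roles}
    changed = True
    while changed:
        changed = False
        for (a, b) in list(ge):
            for (c, d) in list(ge):
                if b == c and (a, d) not in ge:
                    ge.add((a, d))
                    changed = True
    return ge


GE = closure(RH, ROLES)


def authorized(user, perm, us=US, rs=RS, ua=UA, pa=PA, ge=GE):
    """True iff there exist a session s and roles r1 ≥ r2 with (user, s) ∈ US,
    (r1, s) ∈ RS, (user, r1) ∈ UA and (perm, r2) ∈ PA."""
    for (u, s) in us:
        if u != user:
            continue
        for (r1, s_active) in rs:
            # A session may only activate roles the user is actually assigned to.
            if s_active != s or (user, r1) not in ua:
                continue
            for (senior, r2) in ge:
                if senior == r1 and (perm, r2) in pa:
                    return True
    return False
```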