Access Control. Discretionary Access Control



Outline
- Access Control
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)

Access Control
Access control is where security engineering meets computer science. Its function is to control which (active) subject has access to which (passive) object with some specific access operation.
Access control policy: specifies which subject can access which object.
  subject --(access operation)--> object

Discretionary Access Control

Discretionary Access Control
- Access to data objects (files, directories, etc.) is permitted based on the identity of users.
- Explicit access rules establish who can, or cannot, execute which actions on which resources.
- Discretionary: users can be given the ability to pass their privileges on to other users, where the granting and revocation of privileges is regulated by an administrative policy.

Discretionary Access Control
- DAC is flexible in terms of policy specification.
- This is the form of access control widely implemented in standard multi-user platforms: Unix, NT, Novell, etc.

Discretionary Access Control
Using the Access Control Matrix for the implementation:
- The access control matrix describes the protection state precisely.
- It is a matrix describing the rights of subjects.
- State transitions change elements of the matrix.

Access Control Matrix Model
- First identify the objects, subjects and actions/rights.
- The matrix describes the protection state of a system.
- The state of the system is defined by a triple (S, O, A): S is the set of subjects, O is the set of objects, A is the access matrix.
- Access control matrix: elements indicate the access rights that subjects have on objects. Entry A[s, o] of the access control matrix is the privilege of s on o.

Access Control Matrix
(Figure: a matrix with subjects s_1, s_2, ..., s_n as rows and objects o_1, ..., o_m as columns.)
- Subjects S = {s_1, ..., s_n}
- Objects O = {o_1, ..., o_m}
- Rights R = {r_1, ..., r_k}
- Entries A[s_i, o_j] ⊆ R
- A[s_i, o_j] = {r_x, ..., r_y} means subject s_i has rights r_x, ..., r_y over object o_j

State of System: Example
- Subject: Annie
- Action: Paint
- Object: Picture
- Rule: a subject can paint the picture if time.hour ≥ 0 and time.hour < 5

Example
At 3AM the time condition is met; the ACM is:
           picture
  annie    paint
At 10AM the time condition is not met; the ACM is:
           picture
  annie    (empty)

ACM Implementation
- The ACM is an abstract model.
- Rights may vary depending on the object involved.
- The ACM is implemented primarily in three ways: authorization table, capabilities (rows), access control lists (columns).

Authorization Table
- Three columns: subjects, actions, objects.
- Generally used in DBMS systems.

Access Control List (ACL)
- The matrix is stored by column.
- Each object is associated with a list that indicates, for each subject, the actions that the subject can exercise on the object.

Capability List
- The matrix is stored by row.
- Each user is associated with a capability list that indicates, for each object, the accesses that the user is allowed to exercise on the object.

A simple DAC Access Control Matrix
Subjects: Alice, Bob, Oscar, Maco, Mary. Objects: File1, File2, File3, File4, File5. Rights: Own, Read, Write, Execute. Row contents as extracted (cell boundaries not preserved):
- Alice: Own Read Read Write Read Write Execute Write Execute
- Bob: Execute Read Own Read Write Execute Write
- Oscar: Own Read Write Execute Execute
- Maco: Read Write Own Read Write Execute Execute
- Mary: Read Read Own Read Write Execute

A simple DAC (exercise)
- Implement the ACM using the Access Control List.
- Write a function bool Determine(subject, action, object) returning the decision of the access request.

ACL vs Capability List
- With an ACL it is immediate to check the authorizations holding on an object.
- With a capability list it is immediate to determine the privileges of a subject.
- Distributed system, where a user authenticates once and then accesses various servers: ACL or capability list?
- Limited number of groups of users, with authorization specified by the owner: ACL or capability list?

Basic Operations in Access Control
- Grant permissions: inserting values in the matrix's entries.
- Revoke permissions: removing values from the matrix's entries.
- Check permissions: verifying whether the entry related to a subject s and an object o contains a given access mode.
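As an added example (not code from the slides), the exercise above solved in Python: the matrix stored by column as one ACL per object, the three basic operations, the discretionary rule that only an owner grants or revokes, and the row view derived as a capability list. Subjects, objects and the sample matrix are constructed for the example, not the slide's matrix.

```python
# Added example, not from the slides: an access control matrix stored by column
# (one ACL per object) with grant / revoke / check and the Determine() function
# from the exercise. Subjects, objects and rights below are a constructed sample.
from collections import defaultdict

RIGHTS = {"Own", "Read", "Write", "Execute"}


class AccessControlMatrix:
    def __init__(self):
        # acl[object][subject] -> set of rights: the ACL of each object (matrix columns)
        self.acl = defaultdict(lambda: defaultdict(set))

    def create(self, owner, obj):
        """A new object: its creator gets Own, the right that lets it grant and revoke."""
        self.acl[obj][owner].add("Own")

    def grant(self, grantor, subject, right, obj):
        """Grant: insert a right into A[subject, obj]. Discretionary rule: only an owner may."""
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        if not self.determine(grantor, "Own", obj):
            raise PermissionError(f"{grantor} does not own {obj}")
        self.acl[obj][subject].add(right)

    def revoke(self, grantor, subject, right, obj):
        """Revoke: remove a right from A[subject, obj]; same ownership rule as grant."""
        if not self.determine(grantor, "Own", obj):
            raise PermissionError(f"{grantor} does not own {obj}")
        self.acl[obj][subject].discard(right)

    def determine(self, subject, action, obj):
        """Check: does A[subject, obj] contain the requested access mode? Default deny."""
        return action in self.acl.get(obj, {}).get(subject, set())

    def capabilities_of(self, subject):
        """Row view (capability list): derived by scanning every object's ACL."""
        return {o: set(e[subject]) for o, e in self.acl.items() if e.get(subject)}


def sample_matrix():
    """Constructed sample: alice owns file1 and shares it read-only with bob; bob owns file2."""
    acm = AccessControlMatrix()
    acm.create("alice", "file1")
    acm.grant("alice", "alice", "Read", "file1")
    acm.grant("alice", "alice", "Write", "file1")
    acm.grant("alice", "bob", "Read", "file1")
    acm.create("bob", "file2")
    acm.grant("bob", "bob", "Execute", "file2")
    return acm
```

The capability view is a full scan over all ACLs, which is the cost the "ACL vs Capability List" slide refers to: each storage order makes one of the two questions immediate and the other a scan.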

Vulnerabilities of the Discretionary Policies
- No control on the flow of information.
- Malicious code, e.g., a Trojan horse.

Example
- Vicky, a top-level manager, is the owner of a file Market on the new products release.
- John, a subordinate of Vicky, creates a file called Stolen.
- An application with two hidden operations: read on file Market, write on file Stolen.


Example
- Restrictions should be enforced on the operations that processes themselves can execute.
- Mandatory policies provide a way to enforce information flow control through the use of labels.

Mandatory Access Control

Mandatory Access Control (MAC)
- Mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access, or generally perform some sort of operation on, an object or target.
- In mandatory access control, the access control policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted.

Mandatory Access Control (MAC)
- Sometimes called multi-level security (MLS).
- MLS allows users with different classification levels to get different views of the same data.
- MLS cannot allow downward leaking, meaning that a user with a lower classification cannot view data stored with a higher classification.

Example
(Figure: classification levels TS, S, C, U, with arrows showing the permitted direction of information flow and the dominance ordering between the levels.)

Multilevel Security
- In MLS, access classes can be assigned to subjects and objects.
- Bell-LaPadula Model: secrecy-based mandatory policies.
- Biba Model: integrity-based mandatory policies.

Bell-LaPadula Model (BLP)
- The Bell-LaPadula model was developed in 1973.
- It is an extension of the Access Matrix model with classified data.
- The model has two components: a classification and a set of categories.

Bell-LaPadula Model (BLP)
- Classification has four values {U, C, S, TS}: U = unclassified, C = confidential, S = secret, TS = top secret.
- Classifications are ordered: TS > S > C > U.
- The set of categories consists of the data environment and the application area, e.g., Nuclear, Army, Financial, Research.
- Example: in the USA, a SECRET clearance involves checking FBI fingerprint files.

Bell-LaPadula Model (BLP)
An access class c1 dominates an access class c2 iff:
- the security level of c1 is greater than or equal to that of c2, and
- the categories of c1 include those of c2.

Bell-LaPadula Model (BLP)
- The Bell-LaPadula model is based on a subject-object paradigm.
- Subjects are active elements of the system that execute actions.
- Objects are passive elements of the system that contain information.
- Subjects act on behalf of users, who have a security level associated with them (indicating the level of system trust).
- Subjects and objects are assigned access classes.

Bell-LaPadula Model (BLP)
Subjects execute access modes on objects. The access modes are:
- Read-only
- Append (writing without reading)
- Execute
- Read-write (writing known data)

Bell-LaPadula Model (BLP)
To protect information confidentiality:
- No-read-up: a subject is allowed read access to an object only if the access class of the subject dominates the access class of the object.
- No-write-down: a subject is allowed write access to an object only if the access class of the subject is dominated by the access class of the object.

No-read-up & No-write-down
- Can a TS subject write to an S object?
- Can an S subject write to a U object?
- How does this apply to the Trojan horse case?

Bell-LaPadula Model (BLP)
The two main properties of this model for a secure system are the simple security property and the star property:
- Simple security property: a subject at a given security level may not read an object at a higher security level (no read-up).
- Star property: a subject at a given security level must not write to any object at a lower security level (no write-down).

BLP: Problem
- If I can write up, then what about overwriting files with blanks?
- Blind writing up may cause integrity problems, but it is not a confidentiality breach.

Bell-LaPadula Model
- This model guarantees secrecy by preventing unauthorized release of information.
- This model does not protect from unauthorized modification of information.

The Biba Model
- A model due to Ken Biba, often referred to as Bell-LaPadula upside down.
- It deals with integrity alone and ignores confidentiality entirely.
- Each subject and object in the system is assigned an integrity classification: Crucial, Important, Unknown.

Integrity Level
- The integrity level of a user reflects the user's trustworthiness for inserting, modifying, or deleting information.
- The integrity level of an object reflects both the degree of trust that can be placed in the information stored in the object and the potential damage that could result from unauthorized modification of that information.

Two Principles
- No-read-down: a subject is allowed read access to an object only if the integrity level of the object dominates the integrity level of the subject.
- No-write-up: a subject is allowed write access to an object only if the integrity level of the object is dominated by the integrity level of the subject.

Two Principles
Q: How can both secrecy and integrity be controlled?
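An added example (not from the slides) that works the questions on the last few slides in code: BLP dominance over (level, categories) access classes with the no-read-up / no-write-down rules, Biba's no-read-down / no-write-up, the two combined so that both secrecy and integrity are checked, and the Vicky/John Trojan horse from the DAC section replayed under labels. The concrete labels are constructed for the example.

```python
# Added example (not from the slides): BLP dominance over (level, categories) access
# classes, no-read-up / no-write-down, Biba's no-read-down / no-write-up, the combined
# check, and the Vicky/John Trojan horse replayed under labels. All labels are constructed.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}                # TS > S > C > U
INTEGRITY = {"Unknown": 0, "Important": 1, "Crucial": 2}  # Biba integrity levels


def dominates(c1, c2, order=LEVELS):
    """c1 = (level, categories) dominates c2 iff its level is >= c2's and its categories include c2's."""
    (l1, cat1), (l2, cat2) = c1, c2
    return order[l1] >= order[l2] and set(cat1) >= set(cat2)


def blp_read(subject, obj):    # no-read-up: the subject must dominate the object
    return dominates(subject, obj)


def blp_write(subject, obj):   # no-write-down: the object must dominate the subject
    return dominates(obj, subject)


def biba_read(subject, obj):   # no-read-down: object integrity must dominate the subject's
    return dominates(obj, subject, INTEGRITY)


def biba_write(subject, obj):  # no-write-up: subject integrity must dominate the object's
    return dominates(subject, obj, INTEGRITY)


def combined_read(subject, obj):
    """Secrecy and integrity together: each side carries (secrecy class, integrity class)."""
    return blp_read(subject[0], obj[0]) and biba_read(subject[1], obj[1])


def combined_write(subject, obj):
    return blp_write(subject[0], obj[0]) and biba_write(subject[1], obj[1])


# Constructed secrecy labels: Market is Vicky's Secret/Financial file, Stolen is John's file.
SECRECY = {"vicky": ("S", {"Financial"}), "john": ("U", set()),
           "Market": ("S", {"Financial"}), "Stolen": ("U", set())}


def trojan_horse_leaks(labels=SECRECY):
    """The app's hidden operations, read Market then write Stolen, run at the access class
    of the user who launched it (Vicky). BLP lets the read through but refuses the write-down."""
    process = labels["vicky"]
    return blp_read(process, labels["Market"]) and blp_write(process, labels["Stolen"])
```

Note that blp_write(SECRECY["john"], SECRECY["Market"]) is allowed: that is the blind write-up the "BLP: Problem" slide describes, which only the Biba checks refuse.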

Role-Based Access Control

Role-Based Access Control (RBAC)
- Access control decisions are based on the roles that individual users take on as part of the organization.
- Access rights that reflect the organization's protection guidelines are centrally controlled and maintained.
- With RBAC, role-permission relationships can be predefined, which makes it simple to assign users to the predefined roles.
- The combination of users and permissions tends to change over time; the permissions associated with a role are more stable.

RBAC
- Access control in organizations is based on roles that individual users take on as part of the organization.
- A role is a collection of permissions.
(Figure: Users --(User Role Assignment)--> Roles --(Role Permission Assignment)--> Permissions, with Role Hierarchies defined on Roles and Constraints applying to the assignments.)

RBAC
- Access depends on role/function, not identity.
- Example: Allison is bookkeeper for the Math Dept. She has access to the financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records.
- The role of bookkeeper dictates access, not the identity of the individual.

RBAC: Role Hierarchies
- RH ⊆ Roles × Roles is a partial order called the inheritance relation, written as ≥.
- (r_1 ≥ r_2): if user A is assigned to r_1, then A is assigned to r_2 too.
(Figure: Project Supervisor ≥ Test engineer ≥ Project Member, and Project Supervisor ≥ Programmer ≥ Project Member.)

RBAC with General Role Hierarchy
(Figure: Users --UA--> Roles --PA--> Permissions, where Permissions pair Operations with Objects; RH (role hierarchy) is defined on Roles; Sessions are linked to Users by user_sessions (one-to-many) and to Roles by role_sessions (many-to-many).)

Core RBAC (Relations)
- Permissions = 2^(Operations × Objects)
- UA ⊆ Users × Roles
- PA ⊆ Permissions × Roles
- RH ⊆ Roles × Roles
- US ⊆ Users × Sessions
- RS ⊆ Roles × Sessions

RBAC with General Role Hierarchy
How to check if user A is authorized for permission p? Check if there exist a session s and roles r_1, r_2 such that:
- (A, s) in US, and
- r_1 ≥ r_2 in RH,
- (r_2, s) in RS, and
- (A, r_2) in UA, and
- (r_2, p) in PA
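An added example (not code from the slides) of the Core RBAC relations and the authorization check above. The roles follow the slide's project hierarchy; users and permissions are a constructed sample. One assumption about how the slide's r_1 and r_2 are meant: the role a user activates in a session is r_1, and it inherits the permissions of every role r_2 below it in RH.

```python
# Added example (not from the slides): the Core RBAC relations UA, PA, RH, US, RS kept as sets
# of pairs, with the session-based authorization check. Roles follow the slide's project
# hierarchy; users and permissions are a constructed sample.
class CoreRBAC:
    def __init__(self):
        self.UA = set()  # (user, role)        user assignment
        self.PA = set()  # (permission, role)  permission assignment; permission = (operation, object)
        self.RH = set()  # (senior, junior)    senior >= junior: senior inherits junior's permissions
        self.US = set()  # (user, session)
        self.RS = set()  # (role, session)     roles activated in a session

    def juniors(self, role):
        """Every r2 with role >= r2 in RH: reflexive, transitive closure of the hierarchy."""
        seen, stack = {role}, [role]
        while stack:
            r = stack.pop()
            for senior, junior in self.RH:
                if senior == r and junior not in seen:
                    seen.add(junior)
                    stack.append(junior)
        return seen

    def activate(self, user, session, role):
        """Open a session for the user and activate a role in it; only roles held in UA qualify."""
        if (user, role) not in self.UA:
            raise PermissionError(f"{user} is not assigned role {role!r}")
        self.US.add((user, session))
        self.RS.add((role, session))

    def authorized(self, user, permission):
        """User holds permission p iff some session s of the user (US) has an active role r1 (RS)
        assigned to the user (UA) such that r1 >= r2 in RH and (p, r2) in PA."""
        for u, s in self.US:
            if u != user:
                continue
            for r1, s2 in self.RS:
                if s2 == s and (user, r1) in self.UA:
                    if any((permission, r2) in self.PA for r2 in self.juniors(r1)):
                        return True
        return False


def project_team():
    """Constructed sample after the slide's hierarchy; allison and betty are the users."""
    rbac = CoreRBAC()
    rbac.RH |= {("Project Supervisor", "Test engineer"), ("Project Supervisor", "Programmer"),
                ("Test engineer", "Project Member"), ("Programmer", "Project Member")}
    rbac.PA |= {(("read", "specs"), "Project Member"), (("commit", "repo"), "Programmer"),
                (("run", "tests"), "Test engineer"), (("approve", "release"), "Project Supervisor")}
    rbac.UA |= {("allison", "Programmer"), ("betty", "Project Supervisor")}
    return rbac
```

Replacing allison with a new hire in UA is the only change needed when the bookkeeper on the earlier slide leaves: PA and RH stay as they are.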