Access Control Mechanisms (Week 11)
P&P: Ch 4.5, 5.2, 5.3
CNT-4403: 26.March.2015

In this lecture
- Access matrix model
- Access control lists versus capabilities
- Role-based access control
- File protection mechanisms
- Security policies
- Models of security
Access Matrix Model (Lampson 1971)
Rows are subjects, columns are objects (and subjects); each cell holds the rights of the row's subject over the column's object:

             F            G
    A    r, w, own        r
    B        -        r, w, own

Basic Abstractions
- Subjects
- Objects
- Rights
- The rights in a cell specify the access of the subject (row) to the object (column)
Users and Principals
- User: the real-world person (e.g., Alice)
- Principal: the unit of access control and authorization
- The system authenticates the user in the context of a particular principal

Users and Principals: Example 1
- User Alice has the principals Alice.CHAIRPERSON, Alice.FACULTY, Alice.EMPLOYEE and Alice.SUPER-USER

Users and Principals: Example 2
- User Bob has the principals Bob.TOP-SECRET, Bob.SECRET, Bob.CONFIDENTIAL and Bob.UNCLASSIFIED
More Users and Principals
- There should be a one-to-many mapping from users to principals
- A user may have many principals, but each principal is associated with a unique user
- This ensures accountability of a user's actions
- Shared accounts (principals) are bad for accountability

Principals and Subjects
- A subject is a program (application) executing on behalf of a principal
- A principal may at any time be idle, or have one or more subjects executing on its behalf

Principals and Subjects: Example
- Principal Bob.SECRET has four subjects executing on its behalf: a mail application, a word processor, a spreadsheet and a database application

Principals and Subjects (cont'd)
- Usually (but not always): each subject is associated with a unique principal, and all subjects of a principal have identical rights (equal to the rights of the invoking principal)
- This case can be modeled by a one-to-one mapping between subjects and principals
- For simplicity, a principal and a subject can then be treated as identical concepts

Objects
- Anything on which a subject can perform operations (mediated by rights)
- Usually objects are passive, for example a file, a directory (folder) or a memory segment
- But objects can also be subjects, with operations such as kill, suspend and resume
Access Matrix Implementation
- The access matrix is usually sparse, so storing it directly is space-inefficient
- Instead: access control lists, capabilities, or relations

Access Control List (ACL)
- Maintained for each object (or subject); no entries when there are no permissions
- Each column of the access matrix is stored with the object corresponding to that column
- ACL of G: (A, r), (B, r), (B, w), (B, own)

Capability
- An unforgeable token that gives its possessor certain rights: the object to which access is permitted and the right(s) over that object
- Example: (F, r) is a capability giving the right to read object F
- How to make it unforgeable:
  1. Only the OS can access the capability; the user gets only a pointer (an index into the OS-held list)
  2. Encrypted capabilities: the access control mechanism holds the key (in practice the token must be integrity-protected, e.g. with a keyed MAC, since encryption alone does not stop a holder from tampering with the token)

Capability List (C-list)
- Each row of the access matrix is stored with the subject corresponding to that row
- C-list of Alice (subject A): (F, r), (F, w), (F, own), (G, r)

Access Control Relations
- The matrix stored as a table of (subject, access, object) triples; commonly used in relational database management systems

    Subject  Access  Object
    A        r       F
    A        w       F
    A        own     F
    A        r       G
    B        r       G
    B        w       G
    B        own     G
ACLs vs. Capabilities
- ACLs require authentication of subjects (the decision is made by looking up the subject's identity in the object's list)
- Capabilities do not require authentication of subjects (possession of the token is the authorization), but do require unforgeability and control of the propagation of capabilities

ACLs vs. Capabilities: Access Review
- ACLs provide superior access review on a per-object basis: who has access to this object?
- But it is hard to see what a subject has access to (how would you do that? every object's ACL must be scanned)
- Capabilities provide superior access review on a per-subject basis: what capabilities does this subject hold?
- But it is hard to see who has access to a given object (every subject's C-list must be scanned)

ACLs vs. Capabilities: Revocation
- How do you revoke the access of a subject to an object?
- ACLs provide superior revocation on a per-object basis: 1. scan the object's ACL; 2. remove the subject from the list (if present)
- But it is hard to revoke all rights of a subject (every object's ACL must be scanned)
- Capabilities provide superior revocation on a per-subject basis (discard the subject's C-list)
- But it is hard to revoke all rights on an object for all subjects (every subject's C-list must be scanned)

ACLs vs. Capabilities: In the Real World
- The per-object basis usually wins: most operating systems protect files by means of ACLs, since operations are centered on objects
- Unix uses an abbreviated form of ACL with just three entries: owner, group, other
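The following example (added here; not code from the slides or from P&P) stores the lecture's access matrix (subjects A, B; objects F, G) both as per-object ACLs and as per-subject capability lists, and implements the access-review and revocation questions from the two preceding slides. The point it makes concrete is the cost asymmetry: each representation answers one question with a single lookup and the other only by scanning every list. The matrix contents are the slide's; the function names are this example's own.

```python
"""Access matrix stored as ACLs (column view) and as C-lists (row view),
with the access-review and revocation operations each makes cheap or costly."""
from collections import defaultdict

# The matrix from the slides, as (subject, object) -> rights.
MATRIX = {
    ("A", "F"): {"r", "w", "own"},
    ("A", "G"): {"r"},
    ("B", "G"): {"r", "w", "own"},
}

def to_acls(matrix):
    """Column view: object -> {subject -> rights}, stored with each object."""
    acls = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        acls[obj][subj] = set(rights)
    return dict(acls)

def to_clists(matrix):
    """Row view: subject -> {object -> rights}, stored with each subject."""
    clists = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        clists[subj][obj] = set(rights)
    return dict(clists)

# --- access review ---------------------------------------------------------
def who_can_access(acls, obj):
    """Cheap with ACLs: one lookup on the object's own list."""
    return {s for s, rights in acls.get(obj, {}).items() if rights}

def what_can_subject_access(acls, subj):
    """Costly with ACLs: every object's list has to be scanned."""
    return {o for o, entries in acls.items() if entries.get(subj)}

def capabilities_of(clists, subj):
    """Cheap with C-lists: one lookup on the subject's own list."""
    return {o for o, rights in clists.get(subj, {}).items() if rights}

def who_holds_capability(clists, obj):
    """Costly with C-lists: every subject's list has to be scanned."""
    return {s for s, caps in clists.items() if caps.get(obj)}

# --- revocation ------------------------------------------------------------
def acl_revoke_subject_on_object(acls, obj, subj):
    """Cheap with ACLs: scan one list and drop the entry if present."""
    acls.get(obj, {}).pop(subj, None)

def acl_revoke_all_of_subject(acls, subj):
    """Costly with ACLs: touch every object's list."""
    for entries in acls.values():
        entries.pop(subj, None)

def clist_revoke_all_of_subject(clists, subj):
    """Cheap with C-lists: discard the subject's whole list."""
    clists.pop(subj, None)

def clist_revoke_object_everywhere(clists, obj):
    """Costly with C-lists: every subject's list has to be scanned."""
    for caps in clists.values():
        caps.pop(obj, None)

def demo():
    """Run the cheap operation of each representation and report before/after."""
    acls, clists = to_acls(MATRIX), to_clists(MATRIX)
    before = (who_can_access(acls, "G"), capabilities_of(clists, "A"))
    acl_revoke_subject_on_object(acls, "G", "A")   # per-object revocation
    clist_revoke_all_of_subject(clists, "A")       # per-subject revocation
    after = (who_can_access(acls, "G"), capabilities_of(clists, "A"))
    return before, after

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows G's readers shrinking from {A, B} to {B} after the ACL edit, and A's capabilities going from {F, G} to nothing after its C-list is dropped; the two "costly" functions are the scans a real system has to perform for the question its representation does not index.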
Role-Based Access Control (RBAC)
- USERS --(user-role assignment)--> ROLES --(permission-role assignment)--> PERMISSIONS
- A user's permissions are determined by the user's roles, rather than by identity or clearance
- Roles can encode arbitrary attributes

Basic RBAC
- USERS --(user-role assignment)--> ROLES --(permission-role assignment)--> PERMISSIONS, plus SESSIONS in which a user activates roles

Permissions
- Similar to capabilities: the object on which the permission is granted and the right granted
- Primitive rights: read, write, append, execute
- Permissions are positive: no negative permissions or denials

Roles as Policy
- A role brings together a collection of users and a collection of permissions
- Different from groups: groups are often defined only as a collection of users

Users
- Human beings or other active agents
- Each individual should be known as exactly one user
User-Role Assignment
- A user can have many roles; each role can be assigned to many users
Sessions
- A user can invoke multiple sessions
- In each session a user can invoke any subset of the roles that the user is a member of

Permission-Role Assignment
- USERS --(user-role assignment)--> ROLES --(permission-role assignment)--> PERMISSIONS
- A permission can be assigned to many roles; each role can have many permissions

More Complex RBAC: Role Hierarchies
- The basic model (USERS, ROLES, PERMISSIONS, SESSIONS) extended with a role hierarchy, a partial order on ROLES

Role Hierarchy: Example 1
- Primary-Care Physician and Specialist Physician are both senior to Physician, which is senior to Health-Care Provider

Role Hierarchy: Example 2
- Supervising Engineer is senior to Hardware Engineer and Software Engineer, both of which are senior to Engineer

Role Hierarchy: Example 3
- Director (DIR) is senior to Project Lead 1 (PL1) and Project Lead 2 (PL2)
- Project 1: PL1 is senior to Production 1 (P1) and Quality 1 (Q1), both of which are senior to Engineer 1 (E1)
- Project 2: PL2 is senior to Production 2 (P2) and Quality 2 (Q2), both of which are senior to Engineer 2 (E2)
- E1 and E2 are senior to Engineering Department (ED), which is senior to Employee (E)
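The following is an added example (not code from the slides or from P&P) of the basic RBAC model with sessions and the Example 3 role hierarchy. It assumes the usual hierarchy semantics, which the slide does not spell out: a senior role inherits every permission of the roles below it, transitively. The permission-role and user-role assignments, and the user names, are constructed for the example.

```python
"""RBAC: users, roles, positive (object, right) permissions, sessions that
activate a subset of a user's roles, and a role hierarchy with inheritance."""

# Example 3 hierarchy: senior role -> roles immediately junior to it
# (assumed semantics: a senior role inherits all permissions of its juniors).
JUNIORS = {
    "DIR": {"PL1", "PL2"},
    "PL1": {"P1", "Q1"}, "PL2": {"P2", "Q2"},
    "P1": {"E1"}, "Q1": {"E1"}, "P2": {"E2"}, "Q2": {"E2"},
    "E1": {"ED"}, "E2": {"ED"},
    "ED": {"E"},
    "E": set(),
}

# Constructed permission-role assignment: only positive permissions exist.
PA = {
    "E":   {("cafeteria-menu", "read")},
    "ED":  {("eng-wiki", "read")},
    "E1":  {("proj1-src", "read"), ("proj1-src", "write")},
    "E2":  {("proj2-src", "read"), ("proj2-src", "write")},
    "P1":  {("proj1-build", "execute")},
    "Q1":  {("proj1-testlog", "append")},
    "P2":  {("proj2-build", "execute")},
    "Q2":  {("proj2-testlog", "append")},
    "PL1": {("proj1-plan", "write")},
    "PL2": {("proj2-plan", "write")},
    "DIR": {("budget", "write")},
}

# Constructed user-role assignment (many-to-many).
UA = {"alice": {"PL1"}, "bob": {"Q2", "ED"}, "carol": {"DIR"}}

def all_junior_roles(role):
    """Transitive closure downwards in the hierarchy, including the role itself."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(JUNIORS.get(r, ()))
    return seen

def effective_permissions(roles):
    """Union of the permissions of the given roles and everything below them."""
    perms = set()
    for r in roles:
        for jr in all_junior_roles(r):
            perms |= PA.get(jr, set())
    return perms

class Session:
    """A session activates a subset of the user's assigned roles; only the
    activated roles (and their juniors) contribute permissions, so a user
    can run with less than everything they are entitled to."""
    def __init__(self, user, active_roles):
        not_assigned = set(active_roles) - UA.get(user, set())
        if not_assigned:
            raise PermissionError(f"{user} is not assigned {sorted(not_assigned)}")
        self.user, self.active = user, set(active_roles)

    def check(self, obj, right):
        return (obj, right) in effective_permissions(self.active)

if __name__ == "__main__":
    s = Session("alice", {"PL1"})
    print(sorted(effective_permissions(s.active)))
```

Alice, activating only PL1, can write proj1-src (inherited through P1/Q1 and E1) and read the cafeteria menu (inherited through ED and E), but has nothing on project 2; Bob can open a session with just ED active and thereby not carry his Q1-style project rights into it. Activating a role the user is not assigned is refused outright.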
File Protection Mechanisms
- Multi-user system: protect files from other users
1. All-none protection
2. Group protection
3. Temporary acquired permission

All-None Protection
- Original IBM approach: by default, files were public; anyone could read, write or delete any file
- Users were assumed trustworthy, and assumed to know only the names of their own files
- The sysadmin could password-protect certain files; so could users
- Main problem: lack of trust

Group Protection
- Unix systems: three classes: the user (owner); the group of users associated with the user (group); the rest of the users (world)
- Groups: members that share a common interest and need to share
- In the original Unix design a user can belong to only one group at a time: a user belonging to both groups A and B could pass files from group A to group B (modern Unix systems allow supplementary groups and accept this)

Group Protection (cont'd)
- For each created file, the user assigns permissions for user, group and world from the set r, w, x
- Example: rwx rw- r-- is set with chmod 764 filename
- Suitable for a paper shared by a group
- Main problem: a user can belong to only one group

Temporary Acquired Permissions
- Unix systems: set-user-id (suid), only for executable files
- If set, the file executes with the permissions of the owner, not of the executor
- Example: passwd, the operation that changes a user's password. Only the system can access the password file to change passwords, but users should be able to invoke passwd. passwd is suid: it executes with system (root) privileges
- Caveat: a suid program is a classic privilege-escalation target, since any bug in it runs with the owner's privileges
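The following simulation (an added example, not code from the slides or from P&P, and not the kernel's own implementation) models the Unix access decision for the three classes user/group/world on mode bits such as 0o764, and what exec'ing a setuid program does to a process's effective uid. The files, users and groups are constructed for the example.

```python
"""Unix-style file protection: owner/group/world permission bits and the
set-user-id bit. Simulates the access decision and how exec'ing a suid
program temporarily changes the effective user id (constructed data)."""
from dataclasses import dataclass

@dataclass
class File:
    owner: str
    group: str
    mode: int             # permission bits, e.g. 0o764 from "chmod 764 filename"
    setuid: bool = False  # set-user-id bit (meaningful on executables only)

@dataclass
class Process:
    uid: str          # real uid: who is accountable
    gids: frozenset   # groups the process belongs to
    euid: str = None  # effective uid: what the access check uses; defaults to uid

    def __post_init__(self):
        if self.euid is None:
            self.euid = self.uid

def mode_string(mode):
    """0o764 -> 'rwxrw-r--', the form shown on the slide."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))

def class_bits(f, p):
    """Select the owner, group or other triple. Only the first matching
    class applies: an owner is never judged by the group or other bits."""
    if p.euid == f.owner:
        return (f.mode >> 6) & 7
    if f.group in p.gids:
        return (f.mode >> 3) & 7
    return f.mode & 7

def allowed(f, p, op):
    """op is one of 'r', 'w', 'x'."""
    need = {"r": 4, "w": 2, "x": 1}[op]
    return bool(class_bits(f, p) & need)

def execute(f, p):
    """Process image after exec'ing f, or None if p may not execute it.
    With the suid bit set the new image runs with the file owner's
    privileges (temporary acquired permission) while the real uid still
    records who invoked it."""
    if not allowed(f, p, "x"):
        return None
    return Process(uid=p.uid, gids=p.gids, euid=f.owner if f.setuid else p.euid)

# Constructed sample files
PAPER  = File(owner="alice", group="lab",  mode=0o764)               # chmod 764
SHADOW = File(owner="root",  group="root", mode=0o600)               # password file
PASSWD = File(owner="root",  group="root", mode=0o755, setuid=True)  # suid program

def passwd_scenario():
    """bob cannot write the password file directly, but the suid passwd
    image he runs can; the real uid still says it was bob."""
    bob = Process("bob", frozenset({"lab"}))
    image = execute(PASSWD, bob)
    return (allowed(SHADOW, bob, "w"), allowed(SHADOW, image, "w"),
            image.uid, image.euid)

if __name__ == "__main__":
    print(mode_string(PAPER.mode), passwd_scenario())
```

`passwd_scenario()` returns `(False, True, 'bob', 'root')`: the group member bob is denied on the 0o600 password file but the image he obtains by exec'ing the suid binary is checked as root. That gap is exactly why the code inside a suid program has to be trustworthy.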
Security Policies
- Statement of the security we expect the system to enforce
- Military security policy
- Commercial security policies: Clark-Wilson, separation of duty, Chinese Wall security policy

Military Security Policy
- Each object has a sensitivity level (rank): unclassified, restricted, confidential, secret, top secret (in increasing order)
- Information at a level is more sensitive than the level below and less sensitive than the level above

Military Security Policy (cont'd)
- Access according to the need-to-know rule
- Information is associated with one or more projects, called compartments
- Example: projects alpha and beta both use secret information, but staff on alpha do not need access to beta

Dominance
- Classification of an object: <rank; compartments>
- Clearance of a subject: <rank; compartments>, indicating that the subject can access information up to that level of sensitivity
- Dominance: s ≥ o (subject dominates object) iff rank(s) ≥ rank(o) and compartments(o) ⊆ compartments(s)
- Then s can read o

Dominance: Example
- Object classified <secret; {Sweden}>. Is it accessible by a subject with clearance:
- <top secret; {Sweden}>: YES or NO?
- <secret; {Sweden, Denmark}>: YES or NO?
- <top secret; {Denmark}>: YES or NO?
Commercial Security Policies
- Concerns: industrial espionage, corporate finance leaks
- Clark-Wilson; separation of duty (read P&P: Ch 5.2, pp. 250-1)
- Chinese Wall security policy (Brewer and Nash, 1989)

Chinese Wall Security Policy
- Handles conflicts of interest in companies: a person in a company obtains sensitive information about competitors
- Three levels of abstraction: objects (e.g., files) concern a single company; company groups collect all objects pertaining to a company; conflict classes group competing companies
- Each object belongs to a single company group; each company group belongs to a single conflict class

Chinese Wall Security: Example
- Advertising company with multiple clients; rule: no employee knows sensitive information on competitors
- Conflict classes: chocolate companies (Suchard, Nestle); banks (Citicorp, Credit Lyonnais, Deutsche Bank); airlines (United, among others)
- Forbidden: the same employee accessing data of two companies in the same conflict class, e.g. Suchard and Nestle

Chinese Wall Security: Example (cont'd)
- Rule: no employee knows sensitive information on competitors
- Access to an object is granted only if it is the first access to that conflict class, or the object is from the same company group as a previous access
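The access rule above, implemented as an added example (not code from the slides or from Brewer and Nash's paper) over the advertising-agency data: the company-to-conflict-class mapping is taken from the slide, the file names and the employee names are constructed. Only the read (simple security) rule stated on the slide is modeled; Brewer and Nash's additional rule restricting writes is not covered here.

```python
"""Brewer-Nash Chinese Wall: a subject's past accesses build a wall around
it, so once it has read one company's data it is shut out of that company's
competitors (same conflict class) for good."""

# Company -> conflict-of-interest class (from the slide; the airlines class
# shows only one member there, so only that one is listed).
CONFLICT_CLASS = {
    "Suchard": "chocolate", "Nestle": "chocolate",
    "Citicorp": "banks", "Credit Lyonnais": "banks", "Deutsche Bank": "banks",
    "United": "airlines",
}

# Constructed objects: file -> the single company whose data it contains.
OBJECTS = {
    "suchard-campaign.doc": "Suchard",
    "nestle-pricing.xls":   "Nestle",
    "citicorp-brand.ppt":   "Citicorp",
    "united-routes.pdf":    "United",
}

class Wall:
    def __init__(self):
        # subject -> {conflict class -> the one company chosen in that class}
        self.history = {}

    def may_access(self, subject, obj):
        """Slide rule: first access in the conflict class, or same company group
        as an earlier access in that class."""
        company = OBJECTS[obj]
        cls = CONFLICT_CLASS[company]
        chosen = self.history.get(subject, {}).get(cls)
        return chosen is None or chosen == company

    def access(self, subject, obj):
        """Grant and record, or deny. The history never shrinks: that is what
        makes the wall permanent for each employee."""
        if not self.may_access(subject, obj):
            return False
        company = OBJECTS[obj]
        self.history.setdefault(subject, {})[CONFLICT_CLASS[company]] = company
        return True

def agency_scenario():
    """One employee touches Suchard, a bank and an airline, then tries Nestle."""
    wall = Wall()
    return [wall.access("emp", o) for o in (
        "suchard-campaign.doc",   # first access in 'chocolate': allowed
        "citicorp-brand.ppt",     # different conflict class: allowed
        "united-routes.pdf",      # different conflict class: allowed
        "nestle-pricing.xls",     # Suchard's competitor: denied
        "suchard-campaign.doc",   # same company group again: allowed
    )]

if __name__ == "__main__":
    print(agency_scenario())
```

Note that the decision depends on the subject's history rather than on a fixed label, which is what distinguishes the Chinese Wall from the military lattice: a fresh employee may read the Nestle file that the first employee is now barred from.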
Bell-LaPadula Model
- Formal description of the allowable paths of information flow in a secure system
- Describes the allowable communication between subjects and objects
- Formalization of the military security policy

Bell-LaPadula: Example
- Goal: construct systems that perform simultaneous accesses to data with different sensitivity
- Example: program A has top-secret access, B only confidential
- A should not leak information to confidential data; B should not access top-secret data

Bell-LaPadula Definition
- Set S of subjects: s ∈ S has clearance C(s)
- Set O of objects: o ∈ O has classification C(o)
- Levels are ordered by the dominance relation ≤
- Simple security property: s may read o only if C(o) ≤ C(s), i.e., the clearance of s dominates the classification of o (no read-up)
- Star property: s who has read access to o may write to object p only if C(o) ≤ C(p); the contents of o can only be written to objects at least that high (prevents write-down)
Bell-LaPadula Example (figure)
- Subjects Bob, Carol and Alice with clearances from High to Low, objects O1 to O6 with sensitivities from Low to High; arrows mark the permitted reads and writes
- Annotation on Carol and O4: only if Carol does not have read access to a higher-level object (the star property)