Access Control Mechanisms


Access Control Mechanisms
Week 11
P&P: Ch. 4.5, 5.2, 5.3
CNT-4403: 26.March.2015 1

In this lecture
- Access matrix model
- Access control lists versus capabilities
- Role-based access control
- File protection mechanisms
- Security policies
- Models of security

Access Matrix Model (Lampson 1971)
Rows are subjects, columns are objects (and subjects); each cell holds the rights of the subject to the object:

                  Objects (and Subjects)
                  F            G
  Subjects   A    r w own      r
             B    -            r w own

Basic Abstractions
- Subjects
- Objects
- Rights
The rights in a cell specify the access of the subject (row) to the object (column).

Users and Principals
- Users: real-world users (e.g., Alice)
- Principals: the unit of access control and authorization
- The system authenticates the user in the context of a particular principal

Users and Principals: Example 1
User Alice maps to the principals Alice.CHAIRPERSON, Alice.FACULTY, Alice.EMPLOYEE and Alice.SUPER-USER.

Users and Principals: Example 2
User Bob maps to the principals Bob.TOP-SECRET, Bob.SECRET, Bob.CONFIDENTIAL and Bob.UNCLASSIFIED.

More Users and Principals
- There should be a one-to-many mapping from users to principals:
  - a user may have many principals, but
  - each principal is associated with a unique user
- This ensures accountability of a user's actions
- Shared accounts (principals) are bad for accountability

Principals and Subjects
- A subject is a program (application) executing on behalf of a principal
- A principal may at any time be idle, or have one or more subjects executing on its behalf

Principals and Subjects: Example
Principal Bob.SECRET has the subjects Mail Application, Word Processor, Spreadsheet and Database App executing on its behalf.

Principals and Subjects
- Usually (but not always):
  - each subject is associated with a unique principal
  - all subjects of a principal have identical rights (equal to the rights of the invoking principal)
- This case can be modeled by a one-to-one mapping between subjects and principals
- For simplicity, a principal and a subject can be treated as identical concepts

Objects
- Anything on which a subject can perform operations (mediated by rights)
- Usually objects are passive, for example:
  - file
  - directory (or folder)
  - memory segment
- But objects can also be subjects, with operations such as kill, suspend, resume

Access Matrix Implementation
- The access matrix can be sparse: space inefficient
- Instead:
  - access control lists
  - capabilities
  - relations

Access Control List (ACL)
- Maintained for each object (or subject)
- No entries when no permissions
- Each column of the access matrix is stored with the object corresponding to that column
Example, the ACL of G:  A: r;  B: r, w, own

Capability
- Unforgeable token that gives the possessor certain rights; it names
  - the object to which access is permitted, and
  - the right for that object
  Example: (F, r) is a capability giving the right to read object F
- How to make it unforgeable:
  1. Only the OS can access the capability; the user gets a pointer
  2. Encrypted capabilities; the access control mechanism has the key

Capability List (C-List)
- Each row of the access matrix is stored with the subject corresponding to that row
Example, the C-list of Alice:  F: r, w, own;  G: r

Access Control Relations
Subject   Access   Object
A         r        F
A         w        F
A         own      F
A         r        G
B         r        G
B         w        G
B         own      G
Commonly used in relational database management systems.

ACLs vs. Capabilities
- ACLs require authentication of subjects
- Capabilities do not require authentication of subjects, but do require:
  - unforgeability
  - control of propagation of capabilities

ACLs vs. Capabilities: Access Review
- ACLs provide superior access review on a per-object basis
  - Who has access to this object?
  - But hard to see to what a subject has access. How would you do that?
- Capabilities provide superior access review on a per-subject basis
  - What capabilities does this subject have?
  - But hard to see who has access to an object

ACLs vs. Capabilities: Revocation
- How do you revoke access of a subject to an object?
- ACLs provide superior revocation facilities on a per-object basis:
  1. Scan the object's ACL
  2. Remove the subject from the list (if present)
  - But hard to revoke all rights of a subject
- Capabilities provide superior revocation facilities on a per-subject basis
  - But hard to revoke all rights on an object (for all subjects)
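As an added example (not from the lecture), the matrix of the Access Matrix Model slide (subjects A and B, objects F and G) stored as ACLs, capability lists and relations, with the per-object review and revocation operations the preceding slides compare; the matrix entries are the slides' own, the function names are mine.

```python
# Added example: one access matrix, three representations, and the review and
# revocation operations that each representation makes cheap or expensive.
from typing import Dict, Set, Tuple

Rights = Set[str]

# The matrix from the Access Matrix Model slide, keyed by (subject, object).
# Empty cells (B on F) are simply absent, which is why the matrix is sparse.
ACCESS_MATRIX: Dict[Tuple[str, str], Rights] = {
    ("A", "F"): {"r", "w", "own"},
    ("A", "G"): {"r"},
    ("B", "G"): {"r", "w", "own"},
}


def acls(matrix: Dict[Tuple[str, str], Rights]) -> Dict[str, Dict[str, Rights]]:
    """Column view: one ACL per object, mapping subject -> rights."""
    out: Dict[str, Dict[str, Rights]] = {}
    for (subj, obj), rights in matrix.items():
        out.setdefault(obj, {})[subj] = set(rights)
    return out


def clists(matrix: Dict[Tuple[str, str], Rights]) -> Dict[str, Dict[str, Rights]]:
    """Row view: one capability list per subject, mapping object -> rights."""
    out: Dict[str, Dict[str, Rights]] = {}
    for (subj, obj), rights in matrix.items():
        out.setdefault(subj, {})[obj] = set(rights)
    return out


def relations(matrix: Dict[Tuple[str, str], Rights]):
    """Relational view: one (subject, access, object) row per right, as an RDBMS stores it."""
    return sorted((s, a, o) for (s, o), rights in matrix.items() for a in rights)


def who_can_access(acl_store: Dict[str, Dict[str, Rights]], obj: str) -> Set[str]:
    """Per-object review with ACLs: a single lookup."""
    return set(acl_store.get(obj, {}))


def who_can_access_from_clists(clist_store: Dict[str, Dict[str, Rights]], obj: str) -> Set[str]:
    """The same question with capability lists: every subject's list must be scanned."""
    return {s for s, caps in clist_store.items() if obj in caps}


def revoke_from_object(acl_store: Dict[str, Dict[str, Rights]], obj: str, subj: str) -> bool:
    """Per-object revocation with ACLs: scan the object's ACL, drop the subject if present."""
    return acl_store.get(obj, {}).pop(subj, None) is not None


def revoke_all_of_subject(acl_store: Dict[str, Dict[str, Rights]], subj: str) -> int:
    """Revoking all rights of one subject with ACLs means visiting every object's ACL.
    Returns the number of ACLs the subject was removed from."""
    return sum(1 for acl in acl_store.values() if acl.pop(subj, None) is not None)
```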

ACLs vs. Capabilities: In the Real World
- The per-object basis usually wins
- Most OSs protect files by means of ACLs
  - Operations are centered on objects
- Unix: uses an abbreviated form of ACLs with just three entries: owner, group, other

Role Based Access Control (RBAC)
[Figure: USERS, ROLES and PERMISSIONS, linked by User-Role Assignment and Permission-Role Assignment]
- A user's permissions are determined by the user's roles
  - Rather than by identity or clearance
- Roles can encode arbitrary attributes

Basic RBAC
[Figure: USERS, ROLES and PERMISSIONS, linked by User-Role Assignment and Permission-Role Assignment, plus SESSIONS]

Permissions
- Similar to capabilities:
  - object on which the permission is granted
  - right granted
- Primitive rights: read, write, append, execute
- Permissions are positive: no negative permissions or denials

Roles as Policy
- A role brings together
  - a collection of users and
  - a collection of permissions
- Different from groups: groups are often defined as a collection of users only

Users
- Human beings or other active agents
- Each individual should be known as exactly one user
User-Role Assignment
- A user can have many roles
- Each role can be assigned to many users
Sessions
- A user can invoke multiple sessions
- In each session a user can invoke any subset of the roles that the user is a member of

Permission-Role Assignment
[Figure: USERS, ROLES and PERMISSIONS, linked by User-Role Assignment and Permission-Role Assignment]
- A permission can be assigned to many roles
- Each role can have many permissions

More Complex RBAC: Role Hierarchies
[Figure: USERS, ROLES and PERMISSIONS, linked by User-Role Assignment and Permission-Role Assignment, plus SESSIONS; a Role Hierarchy relation on ROLES]

Role Hierarchy: Example 1
Roles: Primary-Care Physician, Specialist Physician, Physician, Health-Care Provider

Role Hierarchy: Example 2
Roles: Supervising Engineer, Hardware Engineer, Software Engineer, Engineer

Role Hierarchy: Example 3
- Director (DIR)
- PROJECT 1: Project Lead 1 (PL1), Production 1 (P1), Quality 1 (Q1), Engineer 1 (E1)
- PROJECT 2: Project Lead 2 (PL2), Production 2 (P2), Quality 2 (Q2), Engineer 2 (E2)
- Engineering Department (ED)
- Employee (E)
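As an added example (not the lecture's own), a small RBAC model with user-role and permission-role assignment, sessions that activate a subset of a user's roles, and a role hierarchy in which senior roles inherit junior roles' permissions. It uses the roles of Role Hierarchy: Example 2; the hierarchy edges (Supervising Engineer above Hardware and Software Engineer, both above Engineer), the permissions and the users are my assumptions.

```python
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (right, object); permissions are positive only, no denials


class RBAC:
    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}         # User-Role Assignment
        self.role_perms: Dict[str, Set[Permission]] = {}  # Permission-Role Assignment
        self.juniors: Dict[str, Set[str]] = {}            # role hierarchy: senior -> direct juniors

    def assign_user(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)  # many users per role, many roles per user

    def grant(self, role: str, right: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((right, obj))  # many permissions per role

    def add_senior(self, senior: str, junior: str) -> None:
        self.juniors.setdefault(senior, set()).add(junior)  # senior inherits junior's permissions

    def inherited_roles(self, role: str) -> Set[str]:
        """The role itself plus every role reachable downward in the hierarchy."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def permissions_of_role(self, role: str) -> Set[Permission]:
        return set().union(*(self.role_perms.get(r, set()) for r in self.inherited_roles(role)))

    def open_session(self, user: str, active: Set[str]) -> Set[str]:
        """A session activates any subset of the roles the user is a member of."""
        if not active <= self.user_roles.get(user, set()):
            raise ValueError(f"{user} is not a member of all of {sorted(active)}")
        return set(active)

    def check(self, session_roles: Set[str], right: str, obj: str) -> bool:
        """Decided by the session's active roles, not by the user's identity."""
        return any((right, obj) in self.permissions_of_role(r) for r in session_roles)


def build_example() -> RBAC:
    """Roles of the Example 2 slide; edges, permissions and users are assumed (constructed)."""
    m = RBAC()
    m.add_senior("Supervising Engineer", "Hardware Engineer")
    m.add_senior("Supervising Engineer", "Software Engineer")
    m.add_senior("Hardware Engineer", "Engineer")
    m.add_senior("Software Engineer", "Engineer")
    m.grant("Engineer", "read", "specs")                   # constructed sample permissions
    m.grant("Hardware Engineer", "write", "schematics")
    m.grant("Software Engineer", "write", "source")
    m.grant("Supervising Engineer", "approve", "release")
    m.assign_user("alice", "Supervising Engineer")
    m.assign_user("bob", "Software Engineer")
    return m
```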

File Protection Mechanisms
- Multi-user system: protect files from other users
  1. All-none protection
  2. Group protection
  3. Temporary acquired permission

All-None Protection
- Original IBM
- By default, files were public: anyone could read, write or delete any file
- Users were assumed to be trustworthy and to know only the names of their own files
- The sysadmin could password-protect certain files; so could users
- Main problem: lack of trust

Group Protection
- Unix systems: three classes
  - the user
  - the group of users associated with the user (group)
  - the rest of the users (world)
- Groups
  - members that share a common interest and need to share
  - a user can only belong to one group
  - a user belonging to groups A and B can pass files from group A to group B

Group Protection (cont'd)
- For each created file, the user assigns permissions for user, group and world from the set r, w, x
- Example: rwx rw- r--, i.e. chmod 764 filename
- Suitable for a paper shared by a group
- Main problem: a user can belong to only one group

Temporary Acquired Permissions
- Unix systems: set-user-id (suid)
  - only for executable files
  - if set, the file executes with the permissions of the owner, not of the executor
- Example: passwd, the operation that changes a user's password
  - only the system can change passwords (access the password file)
  - but users should be able to invoke passwd
  - passwd is suid: it executes with system privileges

Security Policies
- Statement of the security we expect the system to enforce
- Military security policy
- Commercial security policies
  - Clark-Wilson separation of duty
  - Chinese Wall security policy

Military Security Policy
- Each object has a sensitivity level (rank): unclassified, restricted, confidential, secret, top secret
- Information at a level is more sensitive than the level below and less sensitive than the level above
- Ordering, highest first: Top Secret, Secret, Confidential, Restricted, Unclassified

Military Security Policy (cont'd)
- Access according to the need-to-know rule
- Information is associated with one or more projects, called compartments
- Example: projects alpha and beta both use secret information, but staff on alpha do not need access to beta

Dominance
- Classification of an object: <rank; compartments>
- Clearance of a subject: <rank; compartments>, an indication that the subject can access information up to a level of sensitivity
- Dominance, s ≥ o (the subject dominates the object): rank(s) ≥ rank(o) and compartments(o) ⊆ compartments(s)
- Then s can read o

Dominance: Example
Object classified <secret; {Sweden}>. Accessible by a subject with clearance
- <top secret; {Sweden}>: YES or NO?
- <secret; {Sweden, Denmark}>: YES or NO?
- <top secret; {Denmark}>: YES or NO?

Commercial Security Policies
- Concerns: industrial espionage, corporate finance leaks
- Clark-Wilson separation of duty (read P&P: Ch. 5.2, pp. 250-1)
- Chinese Wall security policy (Brewer and Nash 89)

Chinese Wall Security Policy
- Handles conflicts of interest in companies: a person in a company obtains sensitive information about competitors
- Three levels of abstraction:
  - objects (e.g., files) concern a single company
  - company groups: all objects pertaining to a company
  - conflict classes: groups of competing companies
- Each object belongs to a single company group
- Each company group belongs to a single conflict class

Chinese Wall Security: Example
- Advertising company with multiple clients
- Rule: no employee knows sensitive information on competitors
Conflict classes and their company groups (access across competitors is forbidden!):
- Chocolate companies: Suchard, Nestle
- Banks: Citicorp, Credit Lyonnais, Deutsche Bank
- Airlines: United

Chinese Wall Security: Example
- Advertising company with multiple clients
- Rule: no employee knows sensitive information on competitors
- Access to an object is granted only if
  - it is the first access to a conflict class, or
  - the object is from the same company group as a previous access
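As an added example (not part of the lecture), the access rule of the slide above applied to the advertising-company data of the Chinese Wall example: the conflict classes and company groups are the slide's, while the file names, the employee and the access sequence are constructed.

```python
from typing import Dict, List

# Company group -> conflict class, as on the Chinese Wall example slide.
CONFLICT_CLASS: Dict[str, str] = {
    "Suchard": "Chocolate", "Nestle": "Chocolate",
    "Citicorp": "Banks", "Credit Lyonnais": "Banks", "Deutsche Bank": "Banks",
    "United": "Airlines",
}

# Object -> company group (constructed file names; each object concerns one company).
OBJECT_COMPANY: Dict[str, str] = {
    "suchard_campaign.doc": "Suchard",
    "nestle_budget.xls": "Nestle",
    "citicorp_brief.doc": "Citicorp",
    "united_ads.ppt": "United",
}


class ChineseWall:
    def __init__(self) -> None:
        # Per employee: conflict class -> the company group already accessed in that class.
        # Once set, it never changes: the wall is built by the first access and stays up.
        self.history: Dict[str, Dict[str, str]] = {}

    def may_access(self, employee: str, obj: str) -> bool:
        company = OBJECT_COMPANY[obj]
        cls = CONFLICT_CLASS[company]
        seen = self.history.get(employee, {})
        # Granted if first access in this conflict class, or same company group as before.
        return cls not in seen or seen[cls] == company

    def access(self, employee: str, obj: str) -> bool:
        """Decide and, if granted, record the access so later decisions see it."""
        if not self.may_access(employee, obj):
            return False
        company = OBJECT_COMPANY[obj]
        self.history.setdefault(employee, {})[CONFLICT_CLASS[company]] = company
        return True

    def run(self, employee: str, objs: List[str]) -> List[bool]:
        """Apply a sequence of access requests in order; returns one decision per request."""
        return [self.access(employee, o) for o in objs]
```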

Bell-LaPadula Model
- Formal description of the allowable paths of information flow in a secure system
- Describes allowable communication between subjects and objects
- Formalization of the military security policy

Bell-LaPadula: Example
- Construct systems that perform simultaneous accesses to data with different sensitivity
- Example: program A has top secret access, B only confidential
  - A should not leak information to confidential data
  - B should not access top secret data

Bell-LaPadula Definition
- Set S of subjects: s ∈ S has clearance C(s)
- Set O of objects: o ∈ O has classification C(o)
- Ordered by the dominance relation ≥
- Simple Security Property: s may read o only if C(o) ≤ C(s)
  - the clearance of s dominates the classification of o
- Star Property: s who has read access to o may write to object p only if C(o) ≤ C(p)
  - the contents of o can only be written to objects at least that high
  - prevents write-down
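As an added example (not from the lecture), the dominance relation of the Dominance slide over <rank; compartments> labels, evaluated on the three clearances of the Dominance: Example slide, with the Simple Security and Star properties defined above built on top of it; the rank ordering is the Military Security Policy slide's, the function names are mine.

```python
from typing import Dict, FrozenSet, NamedTuple

# Sensitivity ranks, lowest first (Military Security Policy slide).
RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]


class Label(NamedTuple):
    """A classification or clearance: <rank; compartments>."""
    rank: str
    compartments: FrozenSet[str]


def label(rank: str, *compartments: str) -> Label:
    if rank not in RANKS:
        raise ValueError(f"unknown rank {rank!r}")
    return Label(rank, frozenset(compartments))


def dominates(a: Label, b: Label) -> bool:
    """a >= b: rank(a) >= rank(b) and compartments(b) is a subset of compartments(a)."""
    return RANKS.index(a.rank) >= RANKS.index(b.rank) and b.compartments <= a.compartments


def may_read(clearance: Label, obj: Label) -> bool:
    """Simple Security Property: s may read o only if C(o) <= C(s)."""
    return dominates(clearance, obj)


def may_write(read_obj: Label, target: Label) -> bool:
    """Star Property: s that has read o may write p only if C(o) <= C(p); blocks write-down."""
    return dominates(target, read_obj)


# The Dominance: Example slide: object <secret; {Sweden}> against three clearances.
OBJ = label("secret", "Sweden")
CLEARANCES: Dict[str, Label] = {
    "<top secret; {Sweden}>": label("top secret", "Sweden"),
    "<secret; {Sweden, Denmark}>": label("secret", "Sweden", "Denmark"),
    "<top secret; {Denmark}>": label("top secret", "Denmark"),
}


def dominance_example_answers() -> Dict[str, bool]:
    """YES/NO for each clearance of the example slide, as True/False."""
    return {name: may_read(clr, OBJ) for name, clr in CLEARANCES.items()}
```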

Bell-LaPadula Example
[Figure: subjects Bob, Carol and Alice with clearances ordered from High to Low, objects O1 to O6 at different sensitivity levels, and the Read and Write accesses the model allows between them. Note on Carol's write: only if Carol does not have read access to a higher-level object!]