Access control models and policies

Similar documents
Access control models and policies. Tuomas Aura T Information security technology

Access control models and policies

Access Control. Discretionary Access Control

Security Models Trusted Zones SPRING 2018: GANG WANG

CSE Computer Security

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Access Control Mechanisms

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Computer Security. Access control. 5 October 2017

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Complex Access Control. Steven M. Bellovin September 10,

Discretionary Vs. Mandatory

CIS433/533 - Introduction to Computer and Network Security. Access Control

Access Control Models

Access Control (slides based Ch. 4 Gollmann)

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

CSE509: (Intro to) Systems Security

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

P1_L6 Mandatory Access Control Page 1

Chapter 7: Hybrid Policies

Policy, Models, and Trust

Advanced Systems Security: Integrity

Summary. Final Week. CNT-4403: 21.April

CSE Computer Security

CCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson

May 1: Integrity Models

Chapter 6: Integrity Policies

CS 392/ CS Computer Security. Nasir Memon Polytechnic University Module 7 Security Policies

Module 4: Access Control

Access Control Models Part II

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Lecture 4: Bell LaPadula

Integrity Policies. Murat Kantarcioglu

CS 591: Introduction to Computer Security. Lecture 3: Policy

Access Control Part 3 CCM 4350

Advanced Access Control. Role-Based Access Control. Common Concepts. General RBAC Rules RBAC96

Information security summary

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

Access Control Part 1 CCM 4350

Introduction to Security

Information Security Theory vs. Reality

CSE361 Web Security. Access Control. Nick Nikiforakis

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

System design issues

CS 356 Lecture 7 Access Control. Spring 2013

Exercises with solutions, Set 3

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Advanced Systems Security: Integrity

Operating system security

Information Security & Privacy

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

Introduction p. 1 The purpose and fundamentals of access control p. 2 Authorization versus authentication p. 3 Users, subjects, objects, operations,

Formal methods and access control. Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8

P1L5 Access Control. Controlling Accesses to Resources

Jérôme Kerviel. Dang Thanh Binh

Verifiable Security Goals

CSC 474/574 Information Systems Security

Advanced Systems Security: Integrity

Post-Class Quiz: Access Control Domain

Access Control and Protection

Access Control. Dr George Danezis

Chapter 4: Access Control

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Operating Systems Security Access Control

Advanced Systems Security: Multics

Access Control. Discretionary Access Control

Access Control. Steven M. Bellovin September 13,

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

A Survey of Access Control Policies. Amanda Crowell

CSE543 - Computer and Network Security Module: Virtualization

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

IBM Security Identity Manager Version Planning Topics IBM

Labels and Information Flow

Access Control. Steven M. Bellovin September 2,

Advanced Systems Security: Security Goals

Access Control. Tom Chothia Computer Security, Lecture 5

Virginia Commonwealth University School of Medicine Information Security Standard

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Secure Programming Lecture 15: Information Leakage

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

General Access Control Model for DAC

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Identity, Authentication and Authorization. John Slankas

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

CSE 565 Computer Security Fall 2018

Involved subjects in this presentation Security and safety in real-time embedded systems Architectural description, AADL Partitioned architectures

COMPUTER SECURITY: THE GOOD, THE BAD, AND THE UGLY (with applications to embedded systems)

Lecture 5: Integrity Models

Introduction to Security in Laserfiche 8.3 and later. White Paper

Week 10 Part A MIS 5214

Computer Security. 02. Operating System Access Control. Paul Krzyzanowski. Rutgers University. Spring 2018

Topics in Systems and Program Security

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Advanced Systems Security: Principles

Access control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN

Information Security. Structure. Common sense security. Content. Corporate security. Security, why

Transcription:

Access control models and policies Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2013

1. Access control 2. Discretionary AC 3. Mandatory AC 4. Other AC models Outline Models and terminology for thinking about security policies 2

ACCESS CONTROL 3

Access control (AC) Subjects request actions on objects Alice wants to read a file Bob wants to update account balance Process wants to open a socket AC = authentication + authorization authentication = verifying the identity of the subject authorization = checking that the subject has the right to perform the requested action on the subject 4

Reference monitor Audit trail Subjects Access requests Reference monitor Objects Access rules Reference monitor controls access by subjects to objects Grants or denies access requests Logs events to audit trail Follows rules set by administrators (i.e. implements a policy) Trusted computing base (TCB) = all system components that need to be trusted to implement access control Security kernel = implementation of reference monitor in an OS But more about the implementation later; now we are talking about policies 5

Access control matrix Access control matrix is the simplest, most general AC model M : Subjects Objects P(Actions) Subject S is allowed to request action A on object O iff A M(S,O) Alice Bob Process 4567 Process 6789 file1.txt read, write read read, write append file2.txt write read - - Socket s - - - open, read, write, close AC matrix represents the protection state of a system 6

Protection systems AC matrix represents the static protection state Dynamic protection systems are more interesting Subjects and AC matrix cells themselves can be objects Access to them is also controlled by the matrix Protection state transitions Subjects may grant and remove access rights Subjects may create and destroy subjects and objects Early research on computer security studied various different theoretical protection systems Safety question: given an initial state and implementation of transitions, can subject s get the access right r to object o? Background information if you want to read classic computer security literature E.g. HRU model (safety undecidable), take-grant model (safety decidable) Study of protection systems is not so relevant today, but the AC matrix is still a useful way to think about access control 7

DISCRETIONARY ACCESS CONTROL 8

Discretionary access control (DAC) Data owners, usually users, set access rights Subjects are trusted to make decisions about sharing access rights Users decide who is allowed to access their files User or process that can read a secret file can also share it e.g. by email DAC is also called identity-based AC: rights are assigned to users Typical in commercial and consumer systems There may be a policy against sharing and access may be audited, but the policy is not enforced technically Examples of DAC outside computers: Person with a key can open the door to others; door keys can be shared and copied Tell your friend a secret on the condition that he does not tell it to anyone else 9

Access control list (ACL) ACL = list of the access rights associated with an object ACLs are another way to represent the AC matrix: one row of the matrix is stored for each object file1.txt ACL: Alice: { read, write }; Bob: { read }; Process 4567: { read, write }; Process 6789: { append }. file2.txt ACL: Alice: { write }; Bob: { read }. Socket s ACL: Process 6789: { open, read, write, close }. ACL examples: Key cards, table reservations, Windows file system 10

Capabilities Capability = an access right associated with the subject Capabilities are another way to represent the AC matrix: one column is stored for each subject Alice s capabilities: file1.txt: { read, write }; file2.txt: { write }. Bob s capabilities: file1.txt: { read }; file2.txt: { read }. Process 4567 capabilities: file1.txt: { read, write }. Process 6789 capabilities: file1.txt: { append }; Socket s: {open, read, write, close }. Examples of capabilities: metal keys, driver s license, parking permit 11

MANDATORY ACCESS CONTROL 12

Mandatory access control (MAC) Access rights are based on rules (i.e. policy) set by administration The AC policy is enforced and cannot be changed by users Subjects cannot leak access rights to others User can read a secret file but cannot copy, print or email; file viewer application prevents cut-and-paste and screen shots One process can access the Internet, another write files to the disk, neither is allowed to do both MAC is also called rule-based AC MAC originates from military policies Intelligence officer may not be allowed to read his own reports Officer can read a secret document but cannot take a copy out of the room Officer who has had contact with foreign agents may lose access to classified information 13

Mandatory access control (MAC) MAC has some uses in commercial systems DRM: Alice can play the music she has purchased, but cannot share it Malware isolation: Host firewall may block potential spyware from making outbound connections to prevent information leaks Examples of MAC-like policies outside computers: Biometric authentication prevents sharing of capabilities, e.g. photo on driver s license or signature on credit card Admit-one event tickets: UV stamps, shredding bracelets In UK, jurors must not read newspapers or watch TV about the case so that they are not influenced by them 14

Clearance and classification Mandatory access control rules are often based on security labels on subjects and objects Subject clearance Object classification l : (Subjects Objects) Labels MAC based on clearance and classification levels is also called multi-level security (MLS) Simple security property: S can read O iff l(s) l(o) Top secret Secret Confidential Unclassified High Low 15

Multi-level security Labels depend on the organization but should form a lattice Labels, (i.e. a partial order with join and meet operations) Example: military security labels Levels: top secret > secret > confidential > unclassified Categories = { army, navy, air force } Labels = Levels P(Categories) Domination relation: <level1,categories1> <level2,categories2> iff level1 level2 and categories1 categories2 Theoretical publications often consider only two labels: high > low How to define labels for commercial systems? 16

Top secret, army Top secret, army & navy Top secret, navy Lattice example Top secret, Secret, army & navy Secret, army Secret, navy Secret, Classified, army & navy Classified, army Classified, navy Classified, Unclassified 17

Labels Finnish government Ministry of finance confidentiality classification: http://www.vm.fi/vm/fi/04_julkaisut_ja_asiakirjat/03_muut_asiakirjat/6206_fi.pdf Not a lattice, sadly Käytössä myös: 18

Bell-LaPadula model Bell-LaPadula (BLP) is a MAC policy for protecting secrets Military security model for computers; military is mostly concerned with protecting secrets Observation: the simple security property is not sufficient to prevent secrets from leaking Bell-LaPadula rules: Simple security property: S can read O iff l(s) l(o) *-property: S can write O iff l(o) l(s) Also called: no read up, no write down 19

Biba model In computer systems, integrity of data and the system is often more important than confidentiality Which is more important in a bank IT system? Biba is a MAC policy for protecting integrity of data Biba rules: S can write O iff l(s) l(o) S can read O iff l(o) l(s) Also called: no write up, no read down 20

Biba examples Integrity policies in commercial computer systems: Web application open in the browser should not write to the file system (or can write only to a low temp folder, e.g. C:/Users/aura/Appdata/LocalLow) Type safety should prevent communication between Java applications or.net applications running in the same runtime environment VM monitor can control and modify virtual machines but not the other way 21

Information flow security BLP and Biba are information flow policies BLP prevents flow of information from high to low Biba prevents flow if information from low to high Information flow policies are the basis for many security proofs. Typical proofs show non-interference: view of one subject is not affected by the data of the other low output does not depend on high input, or high output does not depend on low input high input high output System low input low output How to use BLP and Biba in the same system? 22

High water mark, low water mark How to classify an object that is created combining low and high information? High water mark policy for secrecy: always set the classification to the highest input Low water mark policy for integrity: always set the classification if to the lowest input Problem: Over time, all documents will become top secret with the lowest integrity level 23

Upgrading and downgrading Upgrading, downgrading: In practice, security levels need to be changed by humans E.g. downgrading documents for publication E.g. upgrading intelligence reports that aggregate a lot of low-level data Documents may need to be sanitized i.e. redacted before downgrading E.g. removing personal names from military documents before publication Sanitization may be difficult E.g. US military painting black box over text in PDF; AOL publishing anonymized web search data High subjects can use covert channels to leak data intentionally, e.g. hide data in photos 24

OTHER ACCESS CONTROL MODELS 25

Clark-Wilson model Data integrity cannot always be expressed in terms of MLS, i.e. who has access to what data E.g. transfers between bank accounts must not change the total balance Integrity in many commercial systems depends on following the correct procedures Clark-Wilson model defines rules for commercial systems for how to maintain data integrity: Transactions must transform data items from a consistent state to another consistent state Auditing and procedural controls to enforce this (The specific rules could be different in each system) Clark-Wilson model has not really been implemented; it is important because of the idea of using accounting rules as a model for security policy 26

Chinese Wall model Conflicts of interest are common in business: Consulting company, investment bank, or law office may be advising competing clients and must keep their information separate The clients are assigned to different employees who do not speak to each other To avoid conflicts of interest, the access control policy must take into account the information previously accessed by the subject Chinese Wall model: If subject S has previously accessed an object O1 and the objects O1 and O2 are in a conflict of interest, then S may not access O2 Idea: subject can fall to either side of the wall but cannot change sides later 27

Separation of duty Chinese Wall is an example of separation of duty Other separation of duty policies: Expense claim requires two signatures: the claimant and an authorized approver, e.g. department manager; one person cannot act in both roles for the same expense claim Auditors are often required to be from outside the company Some safes have two locks, and the keys are given to two different persons Lecturers issue grades to students but only study office staff can enter them into the study register Unlike BLP and Biba, separation of duty policies are stateful 28

ROLE-BASED ACCESSS CONTROL 29

Groups and roles Adding structure to policies Group = set of subjects E.g. Administrators, T-110.4206-students Object ACL can list groups in addition to individual users Both group membership and ACLs change over time Role = set of permissions (i.e. permitted actions on objects) E.g. Administrator, T-110.4206-teacher, SCI-professor Roles are usually relatively static; their assignment to users changes Both are forms of indirection Subjects * * Roles or * * Groups Objects Actions 30

Role-based access control (RBAC) NIST standard Modeling high-level roles in an organization E.g. Doctor, Nurse, Student, Lecturer, Course-assistant Roles defined once; changed infrequently Roles may be parameterized E.g. Treating-doctor of Mr. Smith, Lecturer of T-110.4206, Student of T-110.4206 Roles may form a hierarchy with inheritance E.g. Lecturer and Teaching-assistant are Teaching-staff Roles are assigned to users for longer term but activated on demand for each session Constraints on role assignment and activation can implement separation of duty 31

Example: University of Turku has implemented identity management based on RBAC Source: http://www.come.uw.edu.pl/eunis/pandp/paper/kmiika_rbac-in-prodution.doc (link broken) 32

Still other access control models Originator-controlled AC (ORCON) Creator of data retains control over access to it Attribute-based AC Access control is based in subject attributes instead of subject identity AC = attribute verification + authorization E.g. need to be 18 to buy tobacco; need to be an Aalto student to access course material Enables anonymous access Double-blinded review for scientific journals Many other AC models have been proposed 33

Why study these AC models? The abstract models help to recognize common patterns between different products and implementations E.g. how many different user interfaces have you seen that implement an ACL? They also help to understand the expressiveness and limitations of the technologies E.g. a stateless AC system cannot implement separation of duty, while one separation-of-duty policy can often be used to implement others Some models presented in this lecture are unrealistic! Nevertheless, they can be useful as tools for thinking about security policies 34

Reading material Dieter Gollmann: Computer Security, 2nd ed., chapters 4, 8, 9; 3rd ed. chapters 5 6 Edward Amoroso: Fundamentals of Computer Security Technology, chapters 6-13 Ross Anderson: Security Engineering, 2nd ed., chapter 8 35

Exercises What are the subjects, object and actions in Noppa? Can you think of security mechanisms outside computers which would need MAC but actually implement DAC? What security labels and MAC policy would be suitable for Noppa? Give examples of systems that require confidentiality or integrity but not both. Which AC model and what kind of security labels could be used to describe virtual machine isolation? What label would be hypervisor or VM monitor get? Could you define different confidentiality labels and integrity labels and then use both Bell-LaPadula and Biba policies in the same system? Give an example. Define RBAC roles that could be used in the implementations of Noppa. To what extent can your RBAC policy (above) be implemented with groups? 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback