ch3 system security
TRANSCRIPT
-
8/16/2019 Ch3 System Security
1/134
Systems Security, ST 2016 © wk - 1 -
Winfried E. KühnhauserCSIIlmenau Technical Universitywww.tu-ilmenau.de
Systems SecurityChapter 3: Security Policies and Models
Winfried E. Kühnhauser Summer Term 2016
-
8/16/2019 Ch3 System Security
2/134
Systems Security, ST 2016 © wk - 2 -
Roadmap
3 Security Policies and Models
Security Mechanisms
Security Policies
Modeling and Specification
Security Architectures
Security Requirements
-
8/16/2019 Ch3 System Security
3/134
Systems Security, ST 2016 © wk - 3 -
3.1 Security Policies
A Traditional Scenario
Same as systems security: threats to valued assets:human life, cargo, ship
The difference: Thousands of years of experience
! we may learn something here
3.1 Security Policies
-
8/16/2019 Ch3 System Security
4/134
Systems Security, ST 2016 © wk - 4 -
What assets support security? Navigation lights : Protection against collisions Cannons : Protection against pirates Reefs, drift anchors : Protection against bad whether
! security mechanisms
Construction of hull (height, stability, position of ballast): Capsizing Placement of security mechanisms (cannons in mast head, nav lights in the hold):
Effectiveness! security architecture
Watch : Protection against collisions The art of sailing, regulations (reefing, running before the wind, setting of drift
anchors): Protection against bad weather! coordinated use of mechanisms! security policies
3.1 Security Policies
-
8/16/2019 Ch3 System Security
5/134
Systems Security, ST 2016 © wk - 5 -
A CS Scenario: Hospital Information Systems
Excerpt from an information flow policy
EPR Anamn. Sympt. Diag Medic. Nursing DietPatId
Brother TuckSister Kathy Paul Bocuse
Dr. Brains
Apothecary CT Lab MR Lab Pathology Citchen Administration
Dr. Bones
Complete IF-Graph:>> 10.000 legal (and necessary!) information flows> 100 obvious conflicts (without transitiveness)> 100 forgotten information flows ! ad-hoc-approaches fail
3.1 Security Policies
-
8/16/2019 Ch3 System Security
6/134
Systems Security, ST 2016 © wk - 6 -
Security Policies: A First Definition
We have: risks Storm, running aground, pirates Violation of confidentiality of EPRs, integrity of bank accounts, "
We infer: security requirements Protection against storm force 12 Permitted information flows
We infer: a security policy
Rules for dealing with storms, watches, pirates Rules for controlling information flows
3.1 Security Policies
-
8/16/2019 Ch3 System Security
7/134
-
8/16/2019 Ch3 System Security
8/134Systems Security, ST 2016 © wk - 8 -
Example 1
Excerpt from the Unix OS Security Policy There are subjects (humans, processes) and objects (files, sockets, ...) Each object has an owner Owners control access permissions for their objects ( ! DAC) There are 3 types of on permissions: r, w, x For each object there are 3 subject classes, owner, group, others , for which
individual permissions can be granted "
!
Result ! identity based, discretionary access control (IBAC + DAC)! high degree of individual freedom! global responsibility, limited horizon (see chapter 2.1.2)
-rw-r--r-- 1 kuehnhauser vsbs 397032 2009-02-19 12:12 paper.pdf
3.1 Security Policies
-
8/16/2019 Ch3 System Security
9/134Systems Security, ST 2016 © wk - 9 -
Example 2
Excerpt from a CSCW Policy
Authentication:1. Each user must be identified based on
key certificates issued by EADS
Authorization:2. Access to ProjectX files is granted only to the project staff (role-based access
control)3. Changes to files are allowed only if both, the responsible engineer as well as the
project leader approve (“second set of eyes” principle, and role-based access
control)4. No information must flow from ProjectX to Sales department (IF)
Communication:5. For protecting integrity, confidentiality and authenticity, every communication is
encrypted
Internet
3.1 Security Policies
-
8/16/2019 Ch3 System Security
10/134Systems Security, ST 2016 © wk - 10 -
Implementation of Security Policies
Alternatives Integrated in system software
! Operating Systems! Data Base Systems! Middleware platforms
Integrated in application systems
3.1 Security Policies
-
8/16/2019 Ch3 System Security
11/134Systems Security, ST 2016 © wk - 11 -
Policy-controlled Operating Systems
Application
Process
Application
Process
Application
Process
Application
Process
OSFile System Policy Server
S= {s 1,s 2 ,s 3}, O={o 1,o2 ,so 3}...command read (s ,o)
if read ! m(s,o )enter (s ,o) in h;
" o i ! O, (o i ,o)! C : delete read from m(s ,oi );" o i ! O, o i ! o: delete write in m(s ,o i );
end ifend
...
3.1 Security Policies
-
8/16/2019 Ch3 System Security
12/134Systems Security, ST 2016 © wk - 12 -
Components Security Server: Policy‘s runtime environment in kernel‘s protection domain
" Interceptors: complete interaction control
SocketsFilesystemsProcess
Management
Application Process Application Process Application Process ApplicationLayer
OSLayer
System-wide Resource Management
ProcessingResources
MemoryResources
CommunicationResources
OS Interface ( Application Programmer‘s Interface ( API ))
OSServices
. . . SecurityServerPolicy
ProcessManagement
Filesystems Sockets
E.g. the SELinux Security Architecture
3.1 Security Policies
-
8/16/2019 Ch3 System Security
13/134Systems Security, ST 2016 © wk - 13 -
Policy Installation in SELinux
System-wide Resource Management
ProcessingResources
MemoryResources
CommunicationResources
OS Interface ( Application Programmer‘s Interface (API))
OSServices Sockets
Dateisysteme . . .Prozesse Sec. ServerProcessMgmtFilesystems Sockets
1 allow sysadm_t insmod_exec_t:file x_file_perms; 2 allow sysadm_t insmod_t:process transition; 3 allow insmod_t insmod_exec_t:process {entrypoint execute};
4 allow insmod_t sysadm_t:fd inherit_fd_perms; 5 allow insmod_t sysadm_t:process sigchld;
Security Policy BinaryPolicy Compiler
3.1 Security Policies
-
8/16/2019 Ch3 System Security
14/134
-
8/16/2019 Ch3 System Security
15/134Systems Security, ST 2016 © wk - 15 -
Policy-controlled ApplicationsEmbedded Policy
S= {s 1,s 2 ,s 3}, O={o 1,o 2 ,so 3}...command read (s ,o )
if read ! m(s,o )enter (s ,o) in h;
" oi ! O, (o i ,o)! C : delete read from m(s ,oi );" oi ! O, o i ! o: delete write in m(s ,oi );
end ifend
...
Application
Process
Application
Process
Application
Process
OS
3.1 Security Policies
-
8/16/2019 Ch3 System Security
16/134Systems Security, ST 2016 © wk - 16 -
Application
Process
Application
Process
Application
Process
OS
Policy-controlled Applications Application-level Policy Servers
Policy ServerS= {s 1,s 2 ,s 3}, O={o 1,o2 ,so 3}...command read (s ,o)
if read ! m(s,o )enter (s ,o) in h;
" o i ! O, (o i ,o)! C : delete read from m(s ,oi );" o i ! O, o i ! o: delete write in m(s ,o i );
end ifend
...
3.1 Security Policies
-
8/16/2019 Ch3 System Security
17/134
-
8/16/2019 Ch3 System Security
18/134Systems Security, ST 2016 © wk - 18 -
Example: Web Services in Apache Axis-2/Tomcat Web Servers
in flow
Handlerm
Handler2
Handler1• • •
AxisEngine
instanciates
out flow
TransportSender
Handler1
Handler2
Handlern• • •
AxisEngine
instanciates
Client
S t u b
SOAP Reply
CoordinatorOutInAxisOperation
instanciates
SOAP Request(by HTTP, JMS ...)
MC req MC resp
MC resp
3.1 Security Policies
-
8/16/2019 Ch3 System Security
19/134Systems Security, ST 2016 © wk - 19 -
out flow
Handlerm
Handler2
Handler1• • •
AxisEngine
in flow
Handler1
Handler2
Handlern• • •
AxisEngine
MC req
MC resp
SOAP Reply
SOAP Request
A x
i s S e r v
l e t
H T T P / J M S
T r a n s p o r
t U t i l i t i e s
Transport
Sender
W e b
S e r v i c e
MessageReceiver
MC req
MC resp
3.1 Security Policies
-
8/16/2019 Ch3 System Security
20/134Systems Security, ST 2016 © wk - 20 -
Messages 3.1
The Part of Security Policies
3.1 Security Policies
RequirementsEngineering
SecurityRequirements
SecurityPolicy
PolicyEngineering
ModelEngineering
ArchitectureEngineering
SecurityModel
Security Architecture
-
8/16/2019 Ch3 System Security
21/134Systems Security, ST 2016 © wk - 21 -
3.2 Security Models
3.2 Security Models
-
8/16/2019 Ch3 System Security
22/134Systems Security, ST 2016 © wk - 22 -
The Linda-Test
! subjective statements colored by individual experience
3.2 Security Models
Linda is a bright and active student, ... , lobbying in the student’s council,... , participating in demonstrations, ...
o Linda works as a bank clerk
o . . .o Linda works as a bank clerk and is an active member in a feminist
groupo . . .
-
8/16/2019 Ch3 System Security
23/134Systems Security, ST 2016 © wk - 23 -
Goal of Formal Security ModelsImpartial, precise representation of security policies
Explanation of (observed) phenomena! “Why is this authorization scheme behaving in that manner?”
Prediction (proof) of behavior and phenomena! “Under this security policy it will never happen that ...”
3.2 Security Models
-
8/16/2019 Ch3 System Security
24/134Systems Security, ST 2016 © wk - 24 -
Methods
Abstraction from (usually too complex) reality: get rid of insignificantdetails! computability and computation complexity
Getting precise : formal description of essentials ! model analysis and implementation
3.2 Security Models
-
8/16/2019 Ch3 System Security
25/134Systems Security, ST 2016 © wk - 25 -
Definition A security model is a precise, in general formal representation of asecurity policy.
The ambition is to analyze the behavior of a security policy and to be ableto prove essential properties
3.2 Security Models
-
8/16/2019 Ch3 System Security
26/134
Systems Security, ST 2016 © wk - 26 -
Model Spectrum
Going by the book, there are Models for access control policies
! Identity based access control (IBAC)! Role based access control (RBAC)! Attribute based access control (ABAC)
Models for information flow policies
! Multilevel security (MLS) Models based on non interference properties
! Noninterference (NI)
In Reality, we frequently see Hybrid models
3.2 Security Models
-
8/16/2019 Ch3 System Security
27/134
Systems Security, ST 2016 © wk - 27 -
3.2.1 Access Control Models
Formal Representations of Permissions to Execute Operations
on Objects Reading files Issuing payments Executing Web services
3.2.1 Access Control Models
-
8/16/2019 Ch3 System Security
28/134
Systems Security, ST 2016 © wk - 28 -
Model Spectrum
Identity-based access control models (IBAC)Rules based on the identity of individual subjects/objects! „ Ann is allowed to change file projectXfile “
Role-based access control models (RBAC)Rules based on roles of subjects in organizations! „Ward physicians are allowed to read patient EPRs of their ward“
Attribute-based access control models (ABAC)
Rules based on attributes of subjects and objects! „Only AAA-classified shares may by bought for Templeton Trust “
Orthogonally, access control can be! Discretionary or mandatory
3.2.1 Access Control Models
-
8/16/2019 Ch3 System Security
29/134
Systems Security, ST 2016 © wk - 29 -
Discretionary Access Control (DAC)Individual users specify access rules to objects within their area ofresponsibility
Example Access control in many OSes (e.g. Unix, Windows)
ConsequenceIndividual users
Enjoy freedom wrt. to granting access rights
Are obliged to maintain conformity to organization’s security policy! competence problem! responsibility problem! malware problem
3.2.1 Access Control Models
-
8/16/2019 Ch3 System Security
30/134
Systems Security, ST 2016 © wk - 30 -
Mandatory Access control (MAC)System-wide rules apply that cannot be sidestepped by individual users
ExampleSee Hospital Information System above
Consequence Limited individual freedom In charge of security policy:
! Clearly identified instance! Competent! Responsible
No responsibility of individuals
3.2.1 Access Control Models
-
8/16/2019 Ch3 System Security
31/134
Systems Security, ST 2016 © wk - 31 -
In Reality we frequently seeHybrid models with discretionary and mandatory components; e.g.
Discretionary: within a project, members individually define thepermissions wrt. documents
Mandatory: only documents authorized by the security policy can beaccessed from outside the project’s security domain
3.2.1 Access Control Models
-
8/16/2019 Ch3 System Security
32/134
Systems Security, ST 2016 © wk - 32 -
3.2.1.1 Identity Based Access Control Models (IBAC)
Basic ParadigmThere are" Subjects : active and identifiable entities that execute" Operations on" Objects
" Access rights! Control execution of operations! Refer to identity of subjects and objects
3.2.1.1 Identity Based Models
Operation " process reading a file" Web server accessing html page" client transfers money from Bank account
ObjectSubject
-
8/16/2019 Ch3 System Security
33/134
Systems Security, ST 2016 © wk - 33 -
3.2.1.1.1 Access Control Functions and Matrices
Access Control Functions (Lampson 1970)
Basic model to define access rights WHO (subject) is allowed to do WHAT (operation) on WHICH object Fundamental to OS access control since 1965 (Multics OS)
Model paradigms: sets and functions
The Model: a Tuple ( S ,O, A,f ) Subjects modeled by a set S (users, processes)
Objects modeled by a set O (files, sockets, EPRs ...) Access operations modeled by a finite set A (actions; read, write, " ) Rights to execute operations modeled by an access control function f :
f : S x O x A ! {granted, denied }
3.2.1.1.1 Access Control Functions and Matrices
-
8/16/2019 Ch3 System Security
34/134
Systems Security, ST 2016 © wk - 34 -
ExampleModeling access rights for Web Services
Model: ( S ,O, A,f ) whereS = {Bosch, VDO, Siemens } as set of subjectsO = {deliveryTime_WS } as set of objects
A = {see, execute, update } as set of operationsf : S x O x A ! {granted, denied } as access control function where e.g.
f (Bosch, deliveryTime_WS, see ) = grantedf (Bosch, deliveryTime_WS, execute ) = granted
f (Bosch, deliveryTime_WS, update ) = deniedf (VDO, ...
3.2.1.1.1 Access Control Functions and Matrices
-
8/16/2019 Ch3 System Security
35/134
Systems Security, ST 2016 © wk - 35 -
Example Access control model of the Unix OS (extremely simplified)
Model: ( S ,O, A,f ) whereS : set of usersO: set of system objects (files, directories, sockets, " )
A: set of system callsf : implemented in system calls e.g. for accessing files:
3.2.1.1.1 Access Control Functions and Matrices
{ s=caller.euid;if (s==o.inode.owner and a_mode in o.inode.ownerRWX) then
return OKelse {
g=caller.egid;if (g==o.inode.group and a_mode in o.inode.groupRWX) then
return OKelse …
-
8/16/2019 Ch3 System Security
36/134
Systems Security, ST 2016 © wk - 36 -
Access Control Matrices
Access Control Functions in Practice
f : S x O x A ! {granted , denied }
# m: S x O ! 2 A where a ! m(s ,o) # f (s ,o,a ) = granted
! Lampson’s access control matrix (ACM): a tuple ( S , O, m)
3.2.1.1.1 Access Control Functions and Matrices
-
8/16/2019 Ch3 System Security
37/134
-
8/16/2019 Ch3 System Security
38/134
Systems Security, ST 2016 © wk - 38 -
Notes
Implementations of ACMs in many OSes Databases Middleware platforms (CORBA, Web Services) Distributed security architectures (Kerberos)
by 2 security mechanisms:
Access Control Lists (ACLs)# columns of an ACM
! Unix, Windows, Mac OS (part of I-Nodes)
Capability Lists# rows of ACMs
! Amoeba OS, Kerberos, CORBA
3.2.1.1.1 Access Control Functions and Matrices
-
8/16/2019 Ch3 System Security
39/134
Systems Security, ST 2016 © wk - 39 -
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Motivation
An Information Systems Scenario ...
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
EPR Anamn. Sympt. Diag Medic. Nursing DietPatId
Brother TuckSister Kathy Paul Bocuse
Dr. Brains
Apothecary CT Lab MR Lab Pathology Citchen Administration
Dr. Bones
-
8/16/2019 Ch3 System Security
40/134
Systems Security, ST 2016 © wk - 40 -
... modeled by an ACM
S ={Dr.Brains, Dr.Bones, BrotherTuck, PaulBocuse, ...} O={EP.PatId, EP.Diag, EP.Medic, EP.Nursing, ...}
We might do it this way, but "
M EPR .PatId EPR .Diag EPR .Medic EPR.Nursing . . .
Dr .Brains {r ,w } {r ,w } {r ,w } {r ,w }Dr .Bones {r } {r } {r } {}
BrotherTuck {r } {} {r ,w } {r }
Paul Bocuse {r } {} {} {}
. . .
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
41/134
-
8/16/2019 Ch3 System Security
42/134
Systems Security, ST 2016 © wk - 42 -
Goal
Statements about Dynamic behavior of rights Complexity of such an analysis
Idea A security model combining
Lampson’s ACMs! for modeling single protection states (snapshots)
Deterministic automata! for modeling runtime changes of protection state
Approach Snapshot of ACM is state of automaton Runtime changes of ACM caused by state transitions of automaton
Modeled by automaton’s transition function$
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
43/134
Systems Security, ST 2016 © wk - 43 -
Definition HRU Security Model
An HRU model is a deterministic automaton (Q, # , $ , q 0)
whereQ = 2 S x 2O x M is the state space where
S is a (not necessarily finite) set of subjects,O is a (not necessarily finite) set of objects,
M = {m| m : 2 S x 2O ! 2 R } is a set of ACMs with a finite right set R ,# = A x X is a finite set of inputs where
A is a set of operations/actions, X = ( S % O)k is a k -dimensional vector of subjects and objects, the
parameters of the actions,$ : Q x # ! Q is a state transition function,q0 ! Q is the initial state.
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
44/134
Systems Security, ST 2016 © wk - 44 -
Interpretation Each state q =(S q,O q,m q) models a system’s protection state:
! Current subject set S q & S ! Current object set O q & O ! Current ACM m q ! M where m q: S q x Oq ! 2 R
state transitions modeled by $ based on! The current automaton state! An input from # = A x (S % O)k
• Operations (“actions”) modifying S (creating/destroying subjects)! creating users, processes
• Operations modifying O (creating/destroying objects)! creating files, sockets, Web services etc.
• Operations modifying matrix cells! entering/removing rights
! $ is often called the authorization scheme of a model
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
45/134
Systems Security, ST 2016 © wk - 45 -
Example
Modeling a simple system with p users q files Rights r(ead) and w(rite)
! S ={si | 1 ' i' p }, O ={o
i | 1 ' i' q}, R ={r ,w }
Initial state qo =(S o,O o,m o) Subjects and objects: e.g. 1 user, 4 files
! S o={s 1}, O o={o1,o2,o3,o4}
m 0: e.g. ”all users have rights ‚ r‘ und ‚ w ‘ for all objects“! " s ! S o, o ! O o: m o(s ,o)={r , w }
!
! an HRU model of a real-world system is huge!
},{},{},{},{14321
w r w r w r w r s
oooomo
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
46/134
Systems Security, ST 2016 © wk - 46 -
State Transitions: Modeling Operations that Create or destroy subjects (e.g. Unix: fork , exit , kill ) Create or destroy objects ( creat , unlink ) Modify access rights ( chmod , setuid , su )
! Authorization Scheme $ $ : Q x # ! Q# | # = A x X (input = action + parameters) $ : Q x A x X ! Q# | X = (S % O)k (max. k parameters ! S % O ) $ : Q x A x (S % O)k ! Q
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
47/134
Systems Security, ST 2016 © wk - 47 -
Authorization Scheme $ $ : Q x # ! Q is defined by a set of specifications in the normalized form
where! q =(S q,O q,m q) ! Q, " ! A, x ! (S q % Oq)k ! r 1 ... r m ! R ! x s 1 ... x s m ! S q, x o1 ... x om ! Oq where
s 1 ... s m, o1 ... om are vector indices of parameters in x , 1 ' s i ,o i ' k!
p 1 "
p n HRU primitives, see below
( )
fi
;...;
then
,
...
,if
1
1 11
n
osqm
osq
p p
x x mr
x x mr ,x q,
mm!
"
"!=# $
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
48/134
Systems Security, ST 2016 © wk - 48 -
Convenient Notation (programming languages style)(assuming q is obvious)
( )
( )
fi;...;
then,
...
,if )(command
1
1 11
n
osqm
osq
p p
x x mr
x x mr
x
mm!
"
"!
=#
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
49/134
-
8/16/2019 Ch3 System Security
50/134
Systems Security, ST 2016 © wk - 50 -
! Definition of a model‘s authorization scheme $ by a set of
partial defs / commands
authorization scheme =$ (q,(create ,s ,o)) = if then fi$ (q,(fork ,s )) = if then fi! ! !
or alternatively
authorization scheme =command create (s ,o) = if then ficommand fork (s ,o) = if then fi! ! !
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
M d l M ki
-
8/16/2019 Ch3 System Security
51/134
Systems Security, ST 2016 © wk - 51 -
Model Making
Steps when Designing an HRU Security Model
1. Model SetsSubjects, objects, operations, rights! definition of sets S , O, A, R , resulting in
• M = {m| m : S x O ! 2 R }• Q = 2 S x 2O x M • # = A x (S % O)k
2. Authorization SchemeDescription of semantics of operations that modify the model state! definition of transition function $ (using normalized form)
3. Initialization! definition of initial state q0 =(S 0, O 0, m 0)
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
52/134
M d l M ki
-
8/16/2019 Ch3 System Security
53/134
Systems Security, ST 2016 © wk - 53 -
Model Making
1. Sets
Subjects, objects, actions, and rights Subjects: students, e.g. S ={s i | i ! ! } Objects: the assignments, e.g. O={o i | i ! ! } Actions:
a) File assignment:writeAssignment (IN student ! S , IN assignment ! O)
b) Read solution:readSolution (IN student ! S , OUT solution ! O)
! A={writeAssignment , readSolution }
Rights: to execute these actions! R isomorphic to A, e.g.
R ={write , read }
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
54/134
Systems Security, ST 2016 © wk - 54 -
2. Authorization Scheme
Effects of actions ! A on model state
2.1 writeAssignment State Change:“The sample solution can be accessed only after filing the assignment”IOW: If the automaton gets some input ( writeAssignment,s,o ) and the conditions are met,then it changes to a state where access to the solution is granted to s :
$ (q,writeAssignment,s ,o) ::= if write ! m(s ,o)
thenenter read into m (s ,o)
fi
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
55/134
Systems Security, ST 2016 © wk - 55 -
2.2 readSolution
State Change:“Assignments can be filed only prior to reading the solution“IOW: If the automaton gets some input ( readSolution,s,o ) and the conditions are met, thenit changes to a state where filing assignments is denied to s :
?
$ (q,readSolution ,s ,o) ::=
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
if read ! m(s ,o) then
delete write from m (s ,o)fi
-
8/16/2019 Ch3 System Security
56/134
Systems Security, ST 2016 © wk - 56 -
3. Initialization
q0 =(S 0, O 0, m 0); e.g. for a course with 3 students:S 0={s 1, s 2, s 3}O0={o1, o2, o3}" i ,1 $ i $ 3: m 0(s i , o i ) = write
Interpretation: Initially there are 3 students s 1... s 3 " with their assignments o1... o3 Initially each student has the right to file his own homework
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
The Works
-
8/16/2019 Ch3 System Security
57/134
Systems Security, ST 2016 © wk - 57 -
Initial ACM State
The Works
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
m0
o1
o2
o3
s1
write
s2
write
s3
write
-
8/16/2019 Ch3 System Security
58/134
The Works
-
8/16/2019 Ch3 System Security
59/134
Systems Security, ST 2016 © wk - 59 -
Initial ACM State
ACM State after writeAssignment (s 3, o3) ACM State after readSolution (s 3, o3)
The Works
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
m0
o1
o2
o3
s1
write
s2
write
s3
read
Example Summary
-
8/16/2019 Ch3 System Security
60/134
Systems Security, ST 2016 © wk - 60 -
Example Summary
The Works The model’s input is a sequence of actions from A together with their
parameters The automaton changes its state according to the authorization scheme
and the semantics of the HRU primitives (here just enter and delete ) In the initial state each s i may (repeatedly) file an assignment o i
Tricks in this Example The solution itself is not represented by some particular object o solution Consequently, the ACM has no column for it We muggled the right to access the solution into the cell of the
assignment
: model enhancements
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
61/134
Systems Security, ST 2016 © wk - 61 -
We now have got An application scenario An informal security policy
1. „The sample solution can be accessed only ...“2. „Assignments can be filed only ...“
A formal security model
(Q=S x O x M, # ={writeAssignment , readSolution } x S x O, $ , q0)
What comes next? Analysis of security properties Model implementation
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
assignmentassignment
writeAssignmentreadSolution
student
AssignmentsServer
SecurityPolicy
student
student
assignment
solution
Analysis of HRU Access Control Models
-
8/16/2019 Ch3 System Security
62/134
Systems Security, ST 2016 © wk - 62 -
Analysis of HRU Access Control Models
Reminder
”For a given security model, is it possible that a specific subject ever mayget a specific permission with respect to a specific object?“
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
EPR Anamn. Sympt. Diag Medic. Nursing DietPatId
Brother TuckSister Kathy Paul Bocuse
Dr. Brains
Apothecary CT Lab MR Lab Pathology Citchen Administration
Dr. Bones
-
8/16/2019 Ch3 System Security
63/134
Systems Security, ST 2016 © wk - 63 -
Analysis of Right Proliferation
Given a state m q and an authorization scheme $
! the HRU-Safety problem
{r }$
?
{r,w } {r,w }
{r } {r } {r }
{}{r } {r,w }
Dr.Brains
Dr.Bones
BrotherTuck
EP.Ident EP.Diag EP.Medic
{r } {r,w } {r,w }
{r } {r } {r }
{}{r } {r,w } {r,w }
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
64/134
Systems Security, ST 2016 © wk - 64 -
{ }bydefinedis : Then, .
sequenceabyfollowedsequence),inputemptytheis( inputsingleaof consisting ,frominputsof sequenceabe Let
***
*
QQa
a
!"#"$
%"$
"
&
' ' (
( !
Input Sequences
What is the effect of an input in a given state?! $
What is the effect of an input sequence in a given state? ! the composition $ *
).),,((),(),(
**
*
aqaq
qq
! " " ! "
# "
=
=
!
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
65/134
Systems Security, ST 2016 © wk - 65 -
Definition HRU-Safety
A state q= (S q,O q,m q) of a given HRU model is called HRU-safe withrespect to a right r ! R iff beginning with q there is no sequence ofcommands that enters r in a matrix cell where it did not exist in q.
Formally:q is safe wrt. r #
).,(' where),(),(:,, *'* aqqosmr osmr aOoS s qqqq ! ="#"$%%%&
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Safety-Decidability
-
8/16/2019 Ch3 System Security
66/134
Systems Security, ST 2016 © wk - 66 - 3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Safety Decidability
Theorem 1 (HRU, 1976):
For general HRU models, HRU-Safety is not decidable
Theorem 2 (HRU, 1976):HRU-Safety is decidable for mono-operational HRU models
! q, a,x ( )( ) := if r 1 ! m x s 1 , x o 1( ) "
... "
r m
! m x s
m
, x o
m( )
then
p 1; ... ; p nfi
Mono-operational HRU model:Each operation in the authorization scheme has the pattern
-
8/16/2019 Ch3 System Security
67/134
Systems Security, ST 2016 © wk - 67 -
Proof Theorem 2
(Decidability of safety for mono-operational HRU models)
Interesting, because Insights into the operational principles of HRU models
Demonstrates a method to prove safety properties for a given model
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Proof Theorem 2 1/9
-
8/16/2019 Ch3 System Security
68/134
Systems Security, ST 2016 © wk - 68 -
Proof Theorem 2, 1/9
Proof Sketch
1. Find an upper bound for the length of all input sequences with different effects on state QIf there is one ( ) only a finite number of inputs with different effect
2. Test all input sequences whether they violate safetyTest algorithm terminates because
! Each input sequence is finite! There is only a finite number of different sequences
( safety decidable
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Proof Theorem 2, 2/9
-
8/16/2019 Ch3 System Security
69/134
Systems Security, ST 2016 © wk - 69 -
Proof Theorem 2, 2/9
Let ! 1, ... , ! n be some sequence of commands ! # * that violates the safetyn be some sequence of commands ! # * that violates the safety
of q wrt. r (leaks r to some matrix cell)
ClaimFor each such sequence, there is a corresponding finite sequence that
Consists only of enter primitives together with 2 initial create primitives Still leaks r
In other words: For each input sequence an equivalent finite input sequence exists
ProofBy constructing these finite input sequences !
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
70/134
Proof Theorem 2, 4/9
-
8/16/2019 Ch3 System Security
71/134
Systems Security, ST 2016 © wk - 71 -
Proof Theorem 2, 4/9
2. Add an initial create subject s init operation at the begin of the sequence. Thischanges nothing, because the sequence does not contain any reference to s init
create subject s init create subject x 2 create object x 5 enter r 1 into m(x 2 ,x 5 )enter r 2 into m(x 2 ,x 5 )create subject x
7
delete r 1 from m(x 2 ,x 5 )destroy subject x 2 enter r 1 into m(x 7 ,x 5 )...
create subject x 2 create object x 5 enter r 1 into m(x 2 ,x 5 )enter r 2 into m(x 2 ,x 5 ) ! create subject x 7 delete r
1 from m(x
2 ,x
5 )
destroy subject x 2 enter r 1 into m(x 7 ,x 5 )...
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Example
Proof Theorem 2, 5/9
-
8/16/2019 Ch3 System Security
72/134
Systems Security, ST 2016 © wk - 72 -
,
3. Remove the last create subject operation in the sequence and substitute eachfollowing reference to this subject by a reference to s init
Repeat until all create subject operations are removed (apart from the initialcreate subject s init operation)
create subject s init create subject x 2 create object x 5 enter r 1 into m(x 2 ,x 5 )enter r 2 into m(x 2 ,x 5 ) ! create subject x
7
delete r 1 from m(x 2 ,x 5 )destroy subject x 2 enter r 1 into m(x 7 ,x 5 )...
create subject s init create subject x 2 create object x 5 enter r 1 into m(x 2 ,x 5 )enter r 2 into m(x 2 ,x 5 ) ! create subject x
7
delete r 1 from m(x 2 ,x 5 )destroy subject x 2 enter r 1 into m( s init ,x 5 )...
create subject s init create subject x 2 create object x 5 enter r 1 into m( s init ,x 5 )enter r 2 into m( s init ,x 5 )create subject x
7
delete r 1 from m( s init ,x 5 )destroy subject x 2 enter r 1 into m( s init ,x 5 )...
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Example
Proof Theorem 2, 6/9
-
8/16/2019 Ch3 System Security
73/134
Systems Security, ST 2016 © wk - 73 -
,
Note
After step 3, Apart from s init , the sequence no longer creates any subjects All rights of the formerly created subjects accumulate in s init The sequence is “more finite”
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Proof Theorem 2, 7/9
-
8/16/2019 Ch3 System Security
74/134
Systems Security, ST 2016 © wk - 74 -
,
4. Same as steps 2 and 3 for objects
create subject s init create subject x 2 create object x 5 enter r 1 into m( s init ,x 5 )enter r 2 into m( s init ,x 5 ) ! create subject x
7
delete r 1 from m( s init ,x 5 )destroy subject x 2 enter r 1 into m( s init ,x 5 )...
create subject s init create object o init create subject x 2 create object x 5 enter r 1 into m( s init , o init )enter r
2 into m( s
init , o
init )
create subject x 7 delete r 1 from m( s init ,x 5 )destroy subject x 2 enter r 1 into m( s init , o init )...
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Example
Proof Theorem 2, 8/9
-
8/16/2019 Ch3 System Security
75/134
Systems Security, ST 2016 © wk - 75 -
,
5. Remove all redundant enter primitives that enter a right in a cell that is alreadypresent
create subject s init create object o init create subject x 2 create object x 5 enter r 1 into m( s init , o init )enter r
2 into m( s
init , o
init ) !
create subject x 7 delete r 1 from m( s init ,x 5 )destroy subject x 2 enter r 1 into m( s init , o init )...
create subject s init create object o init create subject x 2 create object x 5 enter r 1 into m( s init , o init )enter r
2 into m( s
init , o
init )
create subject x 7 delete r 1 from m( s init ,x 5 )destroy subject x 2 enter r 1 into m( s init , o init )...
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Example
Proof Theorem 2, 9/9
-
8/16/2019 Ch3 System Security
76/134
Systems Security, ST 2016 © wk - 76 -
,
This sequence still leaks r , but its length it at most
(|S q |+1) • (| Oq |+1) • | R | + 2 ,because
Each enter primitive Operation now enters a new right into a cell The number of cells is = (| S q |+1) • (| O q|+1)
q.e.d. Proof Theorem 1:(Non-decidability of safety for general HRU models)
Sketch Computational power of general HRU model equivalent to Turing
machine Safety problem equivalent to halting problem
w.y.h.t.b.
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Assessment of Theorems
-
8/16/2019 Ch3 System Security
77/134
Systems Security, ST 2016 © wk - 77 -
Results show Dilemma
(General) HRU models! Have strong expressiveness
! broad spectrum of access control models! Are weak wrt. analysis
! tools to analyze safety properties difficult to design
Mono-operational HRU models! Have weak expressiveness
! to the point of being useless (see modeling of Unix creat -function: canonly create empty ACM columns)
! Are strong wrt. analysis ! safety decidable, automated tools
Consequences Restricted calculus fragments Heuristic analysis methods
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
78/134
-
8/16/2019 Ch3 System Security
79/134
Systems Security, ST 2016 © wk - 79 -
Finite subject set! Safety decidable, but huge computational complexity
HRU + restricted authorization scheme: e.g. Take-Grant model! Tailored to OS access control models
! Safety decidable in linear (!) time
HRU + strong typing : Typed Access Matrix Model (TAM , see below)
! Safety decidable in polynomial time for ternary and acyclic subclass! Pretty high expressiveness
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
Heuristic Analysis Methods
-
8/16/2019 Ch3 System Security
80/134
Systems Security, ST 2016 © wk - 80 -
Problem of Restricted Calculus Fragments
Often too weak for modeling real-world scenarios
Problem of General HRU Calculus Safety not decidable
! Exploration of state space by model simulation State transitions triggered by inputs ! # Input sequence generated by heuristics
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
81/134
-
8/16/2019 Ch3 System Security
82/134
-
8/16/2019 Ch3 System Security
83/134
Systems Security, ST 2016 © wk - 83 -
For the HRU Safety property analysis, Heuristics "
Exploit semi-decidability of the HRU-Safety problem Search for right leaks Assess a state sequence‘s probability to leak a right Accordingly channel the growth of state space (tree with root q)
q
q‘
q i
q i‘
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
84/134
Systems Security, ST 2016 © wk - 84 -
Heuristic-based Decisions
Simulation step: $ (q i,e ), e =(* , x )! choice of state q i ! choice of action * ! choice of parameters x
q
q‘
q i
q i‘
$(q i,e )
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
85/134
Systems Security, ST 2016 © wk - 85 -
Example: The DepSearch Heuristic
Goal To prove that a given state q is not safe wrt. a given right r
Approach To find an input sequence ((command, parameter)-tuples) that leaks r
Idea Step-by-step establishment of necessary conditions for entering r in a
matrix cell
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
86/134
-
8/16/2019 Ch3 System Security
87/134
-
8/16/2019 Ch3 System Security
88/134
Summary HRU Models
-
8/16/2019 Ch3 System Security
89/134
Systems Security, ST 2016 © wk - 89 -
Goal
Analysis of right proliferation Computability of such analyses
Method
Combination of ACMs and deterministic automata
ResultsSafety not decidable in general!
HRU model family, domain-specific calculus fragments! heuristic based analysis methods
3.2.1.1.2 Harrison, Ruzzo, Ullman Model
-
8/16/2019 Ch3 System Security
90/134
-
8/16/2019 Ch3 System Security
91/134
Systems Security, ST 2016 © wk - 91 -
How it works:
Foundation of a TAM model is an HRU model (Q,#
, $ , q0) whereQ = 2 S x 2O x M However, S & O; objects in O-S : “pure“ objects
Each o ! O is assigned a type from a type set T by t : O ! T (consequently, each subject also is typed)
An HRU model is a special case of a TAM model: T = {subject , object } " s ! S : t (s )=subject, " o ! O-S : t (o)=object
3.2.1.1.3 The Typed Access Matrix Model
m s 1 s 2 o1 o2 o3s 1s 2
Object set O
-
8/16/2019 Ch3 System Security
92/134
-
8/16/2019 Ch3 System Security
93/134
Systems Security, ST 2016 © wk - 93 -
The Authorization Scheme
$ : Q x#
!
Q is defined by a set of expressions in the pattern
where! q =(S q,O q,m q) ! Q, " ! A
! x ! (S q % O q)k x ! {(o, t o)| o ! O q, t o ! T , t (o)=t o}k ! r 1 ... r m ! R! x s i ! S q, x o i ! O q-S q where
s 1 ... s m, o1 ... om are vector indices of the parameters in x , 1 ' s i ,o i ' k! p 1 " p n TAM primitive operations, see below
3.2.1.1.3 The Typed Access Matrix Model
( )
fi
;...;then
,
...
,if
1
1 11
n
osqm
osq
p p
x x mr
x x mr ,x q,
mm!
"
"!=# $
-
8/16/2019 Ch3 System Security
94/134
Systems Security, ST 2016 © wk - 94 -
Implicit Addendum to Authorization Scheme: Type Checking
( )
fi
;...;
then
,
...,
1
1 11
n
osqm
osq
p p
x x mr
x x mr
mm!
""!
!=
!
!==
k x k
x
t x t
t x t ,x q,
)(...
)(if :11
" #
3.2.1.1.3 The Typed Access Matrix Model
-
8/16/2019 Ch3 System Security
95/134
-
8/16/2019 Ch3 System Security
96/134
Systems Security, ST 2016 © wk - 96 -
TAM Primitives
enter r into m(x s ,x o ) delete r from m(x s ,x o )
create subject x s of type t s create object x o of type t o
destroy subject x s destroy object x o
(with their obvious semantics)
Note:Because S and O are dynamic, t is – in so far – dynamic, too
3.2.1.1.3 The Typed Access Matrix Model
The Works
-
8/16/2019 Ch3 System Security
97/134
Systems Security, ST 2016 © wk - 97 -
Example: The ORCON Policy
(ORCON = ORiginator CONtrolled access rights) Illustrates expressive power and usefulness of TAM Problem is sub-problem in larger policy Information flow confinement (tricky in HRU)
3.2.1.1.3 The Typed Access Matrix Model
-
8/16/2019 Ch3 System Security
98/134
-
8/16/2019 Ch3 System Security
99/134
Systems Security, ST 2016 © wk - 99 -
The TAM Solution
Basic Idea A “confined subject” type that never may do anything but read
Model Sets Rights R ={own, read, write, cread, parent } Subjects S ={ Ann, Bob, C hris} Objects O=S % {ProjectXFile } Types T ={s, cs, co } (= regular subject, confined sub/object) where
t ( Ann ) = st (Bob ) = st (Chris ) = cst (ProjectXFile ) = co
3.2.1.1.3 The Typed Access Matrix Model
-
8/16/2019 Ch3 System Security
100/134
Systems Security, ST 2016 © wk - 100 -
The Works
Step 1: Ann creates ORCON object ProjectXFile(protection scheme command createOrconObject , see below)
m Ann: s Bob: s ProjectXFile : co
Ann: s own, read, write
Bob: s
3.2.1.1.3 The Typed Access Matrix Model
SalesFlyer
R&D
Sales
Chris
Ann
Bob
owns
no information flow
ProjectXFiles
-
8/16/2019 Ch3 System Security
101/134
-
8/16/2019 Ch3 System Security
102/134
Systems Security, ST 2016 © wk - 102 -
Step 3:Bob uses cread right to create confined subject Chris with permission toread ProjectXFiles(protection scheme command useCRead )
m Ann: s Bob: s ProjectXFile : co Chris: cs
Ann: s own, read, write
Bob: s cread parent
Chris: cs read
3.2.1.1.3 The Typed Access Matrix Model
SalesFlyer
R&D
Sales
Chris
Ann
Bob
owns
no information flow
ProjectXFiles
-
8/16/2019 Ch3 System Security
103/134
Systems Security, ST 2016 © wk - 103 -
The Protection Scheme
(a) command createOrconObject (s 1: s , o: co )create object o of type co ;enter own in m (s 1,o); enter read in m (s 1,o);
enter write in m (s 1,o);end
(b) command grantCRead (s 1: s , s 2: s , o: co )
if own ! m(s 1,o) then enter cread in m (s 2,o);
fiend
3.2.1.1.3 The Typed Access Matrix Model
-
8/16/2019 Ch3 System Security
104/134
-
8/16/2019 Ch3 System Security
105/134
Systems Security, ST 2016 © wk - 105 -
(d) command revokeCRead (s 1: s , s 2: s , o: co ) (Ann revokes cread from Bob)if own ! m(s
1,o) then
delete cread from m(s 2,o);fi
end
(e) command destroyOrconObject (s 1: s , o: co ) (Ann destroys CO ProjectXFile)if own ! m(s 1,o) then
destroy object o;fi
end
3.2.1.1.3 The Typed Access Matrix Model
SalesFlyer
R&D
Sales
Chris
Ann
Bob
owns
no information flow
ProjectXFiles
-
8/16/2019 Ch3 System Security
106/134
Systems Security, ST 2016 © wk - 106 -
(f) command revokeRead (s 1: s , s 3: cs , o: co ) (Ann destroys CS Chris)if own ! m(s
1,o) , read ! m(s
3,o) then
destroy subject s 3;fi
end
(g) command finishOrconRead (s 2: s , s 3: cs ) (Bob destroys CS Chris) if parent ! m(s 2,s 3) then
destroy subject s 3;fi
end
3.2.1.1.3 The Typed Access Matrix Model
SalesFlyer
R&D
Sales
Chris
Ann
Bob
owns
no information flow
ProjectXFiles
-
8/16/2019 Ch3 System Security
107/134
Systems Security, ST 2016 © wk - 107 -
What do we gain? ! Results
TAM models! safety still not decidable (obviously)
MTAM (monotonous TAM; AS without delete and destroy operations)! Safety not decidable from bi-conditional upwards
Acyclic (see below) MTAM models! Safety decidable, but NP-hard
Ternary acyclic MTAM models (max. 3 parameters)
! same computational power as acyclic MTAM! Safety decidable, in polynomial time
3.2.1.1.3 The Typed Access Matrix Model
-
8/16/2019 Ch3 System Security
108/134
Systems Security, ST 2016 © wk - 108 -
Characterization of Acyclic TAM Models
Type Creation Graphs:Relation canCreate : (u,v ) ! canCreate # subjects of type u can create objects of type v
t i ! {t 1" t k } is called child type in * ! A # t i is type of a subject or object created in * (else t i is called parent type )
Type Creation Graph: reflects parent/child relations Vertices: T
An edge ( t,u ) ! T x T exists # ) * ! A: t is parent , u is child
A TAM model is called acyclic # its type creation graph is acyclic
3.2.1.1.3 The Typed Access Matrix Model
-
8/16/2019 Ch3 System Security
109/134
Systems Security, ST 2016 © wk - 109 -
Expressive Power
MTAM: inherits expressive power from monotonic HRU! cannot model! Transfer of rights ( enter r into " ; delete r from " )! Countdown rights ( r can be used only a fixed number of times)
ORCON example! Non-monotonic commands (d)-(g) can be ignored for safety analysis
" because they1. just remove rights and2. are reversible; e.g.
• (d) can be undone by (b)• (g) can be compensated by (c) where the new subject takes role of
destroyed one
3.2.1.1.3 The Typed Access Matrix Model
-
8/16/2019 Ch3 System Security
110/134
Systems Security, ST 2016 © wk - 110 -
Professional TAM Model Applications
Types in SELinux security policies reflect domain association:„Processes in this domain are allowed to ...“ processes have same type! Scalability
3.2.1.1.3 The Typed Access Matrix Model
IBAC Summary
-
8/16/2019 Ch3 System Security
111/134
Systems Security, ST 2016 © wk - 111 -
We Now Can
Model identity-based AC policies Analyze them wrt. basic security properties (right proliferation) Infer implementations
in order to minimize Specification errors Implementation errors
Approach Objectification by precise calculus Prediction and proof of properties Derivation of implementations
3.2.1.1 Identity Based Models
-
8/16/2019 Ch3 System Security
112/134
Systems Security, ST 2016 © wk - 112 -
Model Spectrum
Static models:! Access control functions f : S x O x A ! {granted, denied}! Access control matrices: m: S x O ! 2 A
! analysis: hidden information flow, informational equivalence classes! implementation: access control lists (Unix, Windows, DBMSs)
Dynamic models: HRU calculus, restricted calculus fragments! ACM
• Plus automaton• Plus type system
! analysis of dynamic behavior: HRU safetyMajor problem: decidability! restricted calculus fragments (monotonous, static, ..., typed models)! heuristic analysis algorithms
3.2.1.1 Identity Based Models
-
8/16/2019 Ch3 System Security
113/134
Systems Security, ST 2016 © wk - 113 -
However
IBAC models indeed are fundamental But not necessarily universal! Mobile devices (smartphones): single user
! fundamental model paradigm inadequate! Large information systems: too many users
! scalability! Access decisions just based on subjects, objects, operations
! small und inflexible
3.2.1.1 Identity Based Models
3.2.1.2 Role-based Access Control Models
-
8/16/2019 Ch3 System Security
114/134
Systems Security, ST 2016 © wk - 114 -
Problems of IBAC Models
Scalability wrt. number of entities! Individual rules for each subject and object
• “Ann is allowed to read projectXFiles “! above file server example: >10 6 access control rules
! Large and complex models
Level of abstraction! System-, not problem-oriented (processes and files)
Goals of Role-based Access Control
Scalability Manageability Application-oriented: roles % functions in organizations
3.2.1.2 Role-based Access Control Models
-
8/16/2019 Ch3 System Security
115/134
Idea
-
8/16/2019 Ch3 System Security
116/134
Systems Security, ST 2016 © wk - 116 -
Models include role abstractions Role engineering based on organizational structure
! Responsibilities! Competences
Access control rules based on roles! “All ward physicians are allowed to read EPRs“
Dr. Brains
Dr. Bones
Brother Tuck
Nurse Kathy
read EPRs
write EPRs
read medications
write check records
WardPhys.
Nurse
user-to-role relation role-to-right relation
& &
3.2.1.2 Role-based Access Control Models
IBAC& RBAC
-
8/16/2019 Ch3 System Security
117/134
Systems Security, ST 2016 © wk - 117 -
IBAC Subjects, objects, rights for executing operations Access rules based on identifications of subjects and objects
Operation
Subject Object?
SO
3.2.1.2 Role-based Access Control Models
-
8/16/2019 Ch3 System Security
118/134
-
8/16/2019 Ch3 System Security
119/134
-
8/16/2019 Ch3 System Security
120/134
Systems Security, ST 2016 © wk - 120 -
Interpretation
Users U model people, or (software-)agents (e.g. processes) Roles R model tasks, functions, or areas of responsibility in organizations Permissions P : read documents, transfer money, ...
3.2.1.2 Role-based Access Control Models
Users Roles Permis-sions
-
8/16/2019 Ch3 System Security
121/134
Systems Security, ST 2016 © wk - 121 -
user-to-role relation UA & U x R describes the roles available to users(static)! “Bob may act as project leader, as department head, ...”
permission-to-role relation PA & P x R describes the permissionsassociated to roles (static)! “Each project leader is allowed to ...“
Users Roles Permis-sions
UA PA
3.2.1.2 Role-based Access Control Models
-
8/16/2019 Ch3 System Security
122/134
Systems Security, ST 2016 © wk - 122 -
Sessions reflect dynamic role assignments: a session s ! S is createdwhen a user logs in
! session-to-user assignment user : S ! U associates a session with auser
! session-to-roles assignment roles : S ! 2 R associates a session witha set of roles (that are active in a session)
Users RolesUA PA
static
dynamic
Operation
Subject Object?
3.2.1.2 Role-based Access Control Models
Permis-sions
Session rolesuser
-
8/16/2019 Ch3 System Security
123/134
Systems Security, ST 2016 © wk - 123 -
Access Control Function f With OP, set of operations,
“A role r exists that contains the permission to execute op on o, and thisrole is currently assigned to a session s that is active for user u”
User
Role
PA
Session
roles
user
Session
Session
Role
Role
Permission
3.2.1.2 Role-based Access Control Models
Permission
Permission
f : U ! O ! OP " {true ,false }
f (u ,o,op ) !true | #r $ R ,s $ S : u = user (s ), r $ roles (s ), ( o,op ), r ( ) $ PAfalse | else
%&'
('
RBAC FamilySandhu 1996
-
8/16/2019 Ch3 System Security
124/134
Systems Security, ST 2016 © wk - 124 -
RBAC 0: basic model
RBAC 1: RBAC 0 plus role hierarchies RBAC 2: RBAC 0 plus constraints RBAC 3: consolidation; RBAC 0 plus RBAC 1 plus RBAC 2
RBAC 1 RBAC 2
RBAC 3
RBAC 0
3.2.1.2 Role-based Access Control Models
RBAC 1: Role Hierarchies
-
8/16/2019 Ch3 System Security
125/134
Systems Security, ST 2016 © wk - 125 -
Observation Roles within an organization often overlap
! users in different roles share permissionsExample:
Permissions of project member are part of permissions of project manager! role definitions in RBAC 0 contain redundancy
! Permissions must be defined in each such role
GoalTo eliminate redundancy
ApproachRole hierarchy: Permission inheritance between roles
3.2.1.2 Role-based Access Control Models
-
8/16/2019 Ch3 System Security
126/134
Systems Security, ST 2016 © wk - 126 -
Examples
Project manager
Tester Programmer
Project staff
Head physician
Ward physiciansurgery
Ward physicianENT
Apprentice physician
Nursing staff
Physician
3.2.1.2 Role-based Access Control Models
-
8/16/2019 Ch3 System Security
127/134
Systems Security, ST 2016 © wk - 127 -
Hierarchy Modeling:
Lattices and Dominance Relations
Lattice: a tuple ( C , ' ) Class set C Partial ordering ” ' “
Properties Reflexive: " c ! C : c ' c Anti-symmetric: " c,d ! C : c ' d and d ' c ( c = d Transitive: " c,d,e ! C : c ' d and d ' e ( c ' e
Examples (! , ' ) (2 X , &), X arbitrary set
3.2.1.2 Role-based Access Control Models
-
8/16/2019 Ch3 System Security
128/134
Systems Security, ST 2016 © wk - 128 -
Role Hierarchy Modeling Class set R (roles) Hierarchy relation” ' “:
r 1 ' r 2 # r 1 passes permissions to r 2
Interpretation Reflexivity: a role inherits its own permissions
" r ! R : r ' r Anti-symmetry: roles that mutually inherit permissions are identical:
" r 1, r 2 ! R : r 1 ' r 2 and r 2 ' r 1 ( r 1 = r 2
Transitivity:
" r 1, r 2, r 3 ! R : r 1 ' r 2 and r 2 ' r 3 ( r 1 ' r 3
3.2.1.2 Role-based Access Control Models
-
8/16/2019 Ch3 System Security
129/134
Systems Security, ST 2016 © wk - 129 -
Example
Project staff ' TesterProject staff ' ProgrammerTester ' Project managerProgrammer ' Project manager
#
3.2.1.2 Role-based Access Control Models
Project manager
Tester Programmer
Project staffpasses
permissions
passespermissions
-
8/16/2019 Ch3 System Security
130/134
-
8/16/2019 Ch3 System Security
131/134
RBAC 2: Constraints
-
8/16/2019 Ch3 System Security
132/134
Systems Security, ST 2016 © wk - 132 -
Observation People may not assume certain roles at the same time
! mission- and security criticalExample: “purchasing manager” and “head of internal controlling”
! separation of duty ! Avoid risks! Find errors („second set of eyes“)
Goal Representation of constraints
Approach Attach conditions to model components
3.2.1.2 Role-based Access Control Models
-
8/16/2019 Ch3 System Security
133/134
Systems Security, ST 2016 © wk - 133 -
Examples for Constraints Separation of duty
! e.g. mutual exclusion of roles Quantitative restrictions
! e.g. to avoid accumulation of offices! Maximum number of users per role (e.g. head of department)! Maximum number of permissions per role (e.g. critical permissions)
Factual restrictions! Permission may only be assigned to role if another permission is already
granted (permission to delegate X only if X is permitted)
Model(U , R , P , S , UA, PA , user , roles, RE ) where RE models restrictions on othermodel components such as UA, PA , user , or roles
3.2.1.2 Role-based Access Control Models
RBAC Summary
-
8/16/2019 Ch3 System Security
134/134
Pros Scalability Application-oriented model abstractions Standardized
! tool support (e.g. for role engineering)
Cons OS support weak (few systems, e.g. Trusted BSD, SELinux)
! application-level integration (e.g. in information systems, DBMS) Weak analytical power
see HRU models: safety properties! next step: combine RBAC models with HRU calculus