Access Control Computer Security Dept. of Computer Science, College of Computer and Information Sciences King Saud University Prepared by Yuan Tian

Post on 30-Sep-2020

11 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Computer Security - ksucsc429.files.wordpress.com · Computer Security Dept. of Computer Science, College of Computer and Information Sciences King Saud University Prepared by Yuan

Access Control

Computer Security

Dept. of Computer Science,

College of Computer and Information Sciences

King Saud University

Prepared by Yuan Tian

Page 2

Access Control

Page 3

Access control, the basic problem: efficient representation of access rights

• Simply listing, per subject and object, what access is allowed and/or denied is very inefficient

• We need a structured approach

• The approach needs to be

– efficient

– flexible

– testable

Page 4

Access control concepts

• Principals and subjects (users, processes etc.)

– Active, access something

• Objects (files, devices, storage areas, services, etc.)

– Passive, are accessed

• Operations (what subjects do)

– Observe, alter, use

– Read, write, append, execute

Page 5

Terminology

• “Permission” is usually used for direct access rights to objects

• “Privilege” is sometimes used for more basic rights to system resources

• There is no fixed, “correct” terminology

Page 6

Principals and subjects

• A principal is an entity that has an authenticated identity

• A subject is an entity that acts on behalf of a principal, within a computer system

• Example of principal: a user identity

• Example of subject: a process running under a user identity

Page 7

Subjects and objects

• A subject is an entity that acts on behalf of a principal, within a computer system

• An object is an entity that is acted upon

• Example of subject: a process running under a user identity

• Example of object: a text file

Page 8

Observe/alter/use

• To observe is simply to look at the contents of an object

• To alter is to change the contents of an object, or alternatively to add contents to an object

• It is also possible to use the functionality of an object without extracting its contents (example: smart card signatures)

Page 9

More on subjects

• To simplify access control handling, the special subject “group” is often used

• A system often has a special group, “administrators”, that can access all (or many) resources of the system

The special subject “owner”

• In computers, the owner can grant access or revoke it, and decide what type of access

– This is called “discretionary” access control

– The opposite, “mandatory” access control, mostly occurs in the defence sector, which handles classified data

Page 10

More on operations

• Usually “read”, “write” and “execute” are used. Does write imply read permission, or does it not?

• Does “write” mean “alter contents”, “add contents”, “delete”? If not all, what are the others called?

• What does “execute” mean for non-code objects?

• There can also be special arrangements for the “create” and “delete” operations

Page 11

More on objects

• “Subjects” are active parties, such as users, processes etc.; they access

• “Objects” are passive entities, resources such as data, equipment etc.; they are accessed

• When checking if access is allowed, both subject and object must be identified

• Identities must be unique within their domain

Page 12

Access Control Matrix

• Lists what users are allowed to do with resources like files

• Has one row (or column) per user

• Has one column (or row) per resource

• An abstract concept, not something used in actual storage, because that would be extremely inefficient

Page 13

Representing the Access Matrix: Mechanisms

• Access Control Lists: per object, what rights the listed subjects have to the object (a simple version is permission bits)

• Capability Lists: per subject, what rights the subject has to the listed objects


Page 15

ACLs in simple form: Permission Bits

• Very simple

• Fixed set of rights, fixed set of subjects

• Very inflexible

• Efficient to determine permission for a given object

• No lists to search, registered directly with the objects

Three subject types per object:

• Owner

• Group

• Others

Three types of rights per subject type:

• Read

• Write

• eXecute

Page 16

In UNIX these have different meanings for different objects

• Files

– Read: read from a file

– Write: write to a file

– eXecute: execute a (program) file

• Directories

– Read: list directory contents

– Write: create, rename, or delete files

– eXecute: access file contents and metadata (but not the name)
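The following is an added example, not from the slides, showing how the owner/group/others bits on Pages 15 and 16 are actually applied: the kernel picks exactly one triple from the caller's identity (owner if the uid matches, otherwise group if the file's gid is among the caller's groups, otherwise others) and tests only that triple, never the union. The modes, uids and gids are constructed sample values, and the bit-to-meaning table simply restates the slide.

```python
"""Added example (not from the slides): applying UNIX permission bits.

The governing triple is chosen by class precedence (owner, then group, then
others) and only that triple is tested.  All modes, uids and gids below are
constructed sample values.
"""

# Bit values inside one rwx triple
RIGHT_BITS = {"read": 0o4, "write": 0o2, "execute": 0o1}

# What each bit means for the two object types named on the slides
MEANING = {
    "file": {"read": "read from the file",
             "write": "write to the file",
             "execute": "execute the (program) file"},
    "dir": {"read": "list directory contents",
            "write": "create, rename or delete entries",
            "execute": "access contents/metadata of entries by name"},
}


def select_triple(mode, file_uid, file_gid, uid, gids):
    """Return the rwx triple (0-7) that governs this caller, by class precedence."""
    if uid == file_uid:
        return (mode >> 6) & 0o7          # owner class
    if file_gid in gids:
        return (mode >> 3) & 0o7          # group class
    return mode & 0o7                     # others class


def allowed(mode, file_uid, file_gid, uid, gids, right):
    """True if the caller's governing triple grants `right`."""
    return bool(select_triple(mode, file_uid, file_gid, uid, gids) & RIGHT_BITS[right])


def symbolic(mode):
    """Render the low nine bits the way ls does, e.g. 0o640 -> 'rw-r-----'."""
    out = []
    for shift in (6, 3, 0):
        triple = (mode >> shift) & 0o7
        out.append("r" if triple & 0o4 else "-")
        out.append("w" if triple & 0o2 else "-")
        out.append("x" if triple & 0o1 else "-")
    return "".join(out)


def explain(mode, file_uid, file_gid, uid, gids, kind):
    """List the operations this caller may perform on a 'file' or 'dir'."""
    return [MEANING[kind][r] for r in ("read", "write", "execute")
            if allowed(mode, file_uid, file_gid, uid, gids, r)]


if __name__ == "__main__":
    # Constructed: a file owned by uid 1000 / gid 100 with mode rw-r-----,
    # read by a group member (uid 1001)
    print(symbolic(0o640), explain(0o640, 1000, 100, 1001, {100}, "file"))
    # The owner class wins even when it is the most restrictive triple:
    # mode ---rwxrwx denies the owner although "others" have everything
    print(symbolic(0o077), allowed(0o077, 1000, 100, 1000, {100}, "read"))
```

The second case in the usage block is the one worth remembering when auditing permissions: a mode such as 0o077 does not give the owner "at least what others have", because the owner's own triple is the only one consulted.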

Page 17

Access Control Lists (ACLs) in general

• More general ACLs list, per object, what rights the listed subjects have to the object

• Easy answer to the question “who has what kind of access to this object”

• May be inefficient, since determining the rights of one user may require searching a long list

• Revoking permissions for one user needs a search through the whole set of ACLs

• Doesn't always work well in distributed systems, since permissions are stored together with objects
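The following is an added example, not from the slides, that makes the trade-off on Pages 12, 13 and 17 concrete: one sparse access matrix stored both as ACLs (indexed by object) and as capability lists (indexed by subject). The subjects, objects and rights are constructed sample data. The `revoke_subject_everywhere` function returns how many ACLs it had to visit, which is the cost the slide warns about.

```python
"""Added example (not from the slides): one access matrix, stored two ways.

Rows are subjects, columns are objects, cells are sets of rights.  The same
matrix is kept as ACLs (per object) and as capability lists (per subject) to
show which questions each representation answers cheaply.
"""
from collections import defaultdict

# Constructed sparse access matrix: (subject, object) -> rights
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "notes.txt"): {"read", "write", "own"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "printer"): {"use"},
    ("carol", "notes.txt"): {"read"},
    ("carol", "printer"): {"use"},
}


def to_acls(matrix):
    """ACL view: per object, which subjects hold which rights."""
    acls = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        acls[obj][subj] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Capability-list view: per subject, which objects it may touch and how."""
    caps = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        caps[subj][obj] = set(rights)
    return dict(caps)


def who_can_access(acls, obj):
    """'Who has what kind of access to this object?' is one lookup on ACLs."""
    return acls.get(obj, {})


def what_can_subject_do(caps, subj):
    """'What may this subject do?' is one lookup on capability lists."""
    return caps.get(subj, {})


def check(acls, subj, obj, right):
    """Reference-monitor style check against the ACL view."""
    return right in acls.get(obj, {}).get(subj, set())


def revoke_subject_everywhere(acls, subj):
    """Strip one subject from every ACL.  With per-object storage there is no
    index from subject to objects, so every ACL must be visited; the number
    inspected is returned to make that cost visible."""
    inspected = 0
    for entries in acls.values():
        inspected += 1
        entries.pop(subj, None)
    return inspected


if __name__ == "__main__":
    acls = to_acls(MATRIX)
    caps = to_capabilities(MATRIX)
    print("payroll.db ACL:", who_can_access(acls, "payroll.db"))
    print("bob's capabilities:", what_can_subject_do(caps, "bob"))
    print("ACLs visited to revoke bob:", revoke_subject_everywhere(acls, "bob"))
```

Note that revoking with the capability view would be the mirror image: one lookup on the subject, but answering "who can access this object" would then require scanning every subject's list.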

Page 18

Access Control Lists (ACLs) in general

• More general ACLs list, per object, what rights the listed subjects have to the object

• Easy answer to the question “who has what kind of access to this object”

• Popular despite their shortcomings

• Simple to implement

• Natural in systems with discretionary access control

• Used in Unix-based systems and Windows (although the latter is more complicated)

Page 19

ACCESS CONTROL ADMINISTRATION

• Administration of Privileges

– Unrestricted Discretion

Page 20

Unrestricted Discretion

• If a subject U has the ownership (own) right on an object C, then U can confer any right on object C to any other subject, say V, including the ownership right.

• If V gets the ownership right from U, then V, in turn, can confer any right on object C to itself and to any other subject, say W.

– W, in turn, can do the same. Thus the right on C is propagated without restriction.

Page 21

Propagation of Access

Constrained Discretion - Copy Flag

Page 22

Constrained Discretion - Copy Flag

• If a subject U has a read-copy (rc) right on an object C, and U has the ownership right on C, then U can confer the read-copy right on object C to any other subject, say V.

• V, in turn, can then confer the read right on C to any other subject, say W. However, V cannot propagate the read-copy right to W. Thus W is prevented from propagating the access right on object C any further.

• write-copy (wc) has similar semantics
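The following is an added example, not from the slides, that simulates both propagation rules: unrestricted discretion (Page 20), where ownership is handed down without limit, and the copy flag (Page 22), where a right marked with the flag can be passed on exactly one more hop. Subject and object names are constructed; the rule that any right written as "xc" is "x with a copy flag" generalises the slide's rc and wc cases.

```python
"""Added example (not from the slides): propagation of rights with and
without a copy flag.

State is a map (subject, object) -> set of rights.  'own' is ownership; a
right spelled '<x>c' (e.g. 'rc', 'wc') is x carrying the copy flag.  The
subject and object names are constructed.
"""


class GrantError(Exception):
    """Raised when a subject tries to confer a right it cannot pass on."""


class AccessState:
    def __init__(self, initial=None):
        # (subject, object) -> set of rights held
        self.rights = {k: set(v) for k, v in (initial or {}).items()}

    def held(self, subj, obj):
        return self.rights.get((subj, obj), set())

    def can_grant(self, granter, obj, right):
        """May `granter` confer `right` on `obj` to someone else?

        - An owner may confer any right, including 'own' itself (unrestricted).
        - A holder of 'xc' may confer the plain right 'x' but not 'xc', so the
          copy flag travels one hop and then stops.
        - Anything else cannot be passed on.
        """
        held = self.held(granter, obj)
        if "own" in held:
            return True
        return not right.endswith("c") and (right + "c") in held

    def grant(self, granter, grantee, obj, right):
        if not self.can_grant(granter, obj, right):
            raise GrantError(f"{granter} cannot confer {right!r} on {obj} to {grantee}")
        self.rights.setdefault((grantee, obj), set()).add(right)

    def has(self, subj, obj, right):
        return right in self.held(subj, obj)


def copy_flag_chain():
    """Page 22: U owns C and holds rc; U gives V rc; V gives W r; W is a dead end."""
    s = AccessState({("U", "C"): {"own", "rc"}})
    s.grant("U", "V", "C", "rc")
    s.grant("V", "W", "C", "r")
    return s


def unrestricted_chain():
    """Page 20: ownership handed down without limit, U -> V -> W -> X."""
    s = AccessState({("U", "C"): {"own"}})
    s.grant("U", "V", "C", "own")
    s.grant("V", "W", "C", "own")
    s.grant("W", "X", "C", "own")
    return s


if __name__ == "__main__":
    s = copy_flag_chain()
    print("W can read C:", s.has("W", "C", "r"))
    print("V may pass on rc:", s.can_grant("V", "C", "rc"))
    print("W may pass on r:", s.can_grant("W", "C", "r"))
    u = unrestricted_chain()
    print("X owns C after three hops:", u.has("X", "C", "own"))
```

The difference between the two chains is the whole point of the copy flag: in `unrestricted_chain` every later holder can keep granting, while in `copy_flag_chain` the flag is consumed after one hop and W holds a right it cannot delegate.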

Page 23

Role-Based Access Control (RBAC)

• DAC systems define the access rights of individual users and groups of users.

• RBAC is based on the roles that users assume in a system rather than the user’s identity.

• RBAC models define a role as a job function within an organization. RBAC systems assign access rights to roles instead of individual users.

• Users are assigned to different roles, either statically or dynamically, according to their responsibilities.

Page 24

NIST classification of RBAC levels

• Flat RBAC: as on the last slide, adding user-role reviews, which would tell a user if her role has changed

• Hierarchical RBAC: adds role hierarchies, with more senior (or powerful) roles

• Constrained RBAC: adds separation of duties, so that users cannot have two roles that are unsuitable to share

• Symmetric RBAC: adds permission-role reviews, in more complicated situations, to find roles with specific permissions

• Unfortunately, RBAC does not have a generally accepted meaning

Page 25

UNIX File Access Control Users, Roles, and Resources

• The relationship of users to roles is many to many, as is the relationship of roles to resources, or system objects

Page 26

Hierarchical Roles

• Guests are lower in the hierarchy than students

• Guests do not have a natural relation to students (unless it's your mum)

Page 27

Role Hierarchies

• A Family of Role-Based Access Control Models: RBAC0 is the minimum requirement for an RBAC system. RBAC1 adds role hierarchies and RBAC2 adds constraints. RBAC3 includes RBAC1 and RBAC2.

Model   Hierarchies   Constraints
RBAC0   No            No
RBAC1   Yes           No
RBAC2   No            Yes
RBAC3   Yes           Yes
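The following is an added example, not from the slides, of a small RBAC engine covering the levels named on Pages 23, 24 and 27: flat RBAC (users, roles, permissions), hierarchical RBAC (a senior role inherits its juniors' permissions, in the RBAC1 sense) and constrained RBAC (a static separation-of-duty constraint, in the RBAC2 sense), plus the permission-role review that symmetric RBAC asks for. Users, roles and permissions are constructed; the guest-below-student hierarchy follows Page 26.

```python
"""Added example (not from the slides): RBAC with a role hierarchy and a
static separation-of-duty constraint.  All names are constructed.
"""


class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object)
        self.inherits = {}     # role -> set of junior roles it inherits from
        self.user_roles = {}   # user -> set of directly assigned roles
        self.exclusive = []    # frozensets of roles no single user may hold together

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def add_sod_constraint(self, *roles):
        """Static separation of duties: no user may hold all of these roles."""
        self.exclusive.append(frozenset(roles))

    def effective_roles(self, role):
        """The role plus everything below it in the hierarchy (transitive)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.inherits.get(r, ()))
        return seen

    def user_effective_roles(self, user):
        out = set()
        for r in self.user_roles.get(user, ()):
            out |= self.effective_roles(r)
        return out

    def assign(self, user, role):
        """User-role assignment, refused if it would violate a constraint.
        Inherited roles count too, otherwise a senior role could smuggle in a
        junior one that the constraint forbids."""
        would_hold = self.user_effective_roles(user) | self.effective_roles(role)
        for combo in self.exclusive:
            if combo <= would_hold:
                raise ValueError(f"{user}: roles {sorted(combo)} may not be combined")
        self.user_roles.setdefault(user, set()).add(role)

    def permitted(self, user, operation, obj):
        """Access decision: does any effective role carry the permission?"""
        return any((operation, obj) in self.role_perms.get(r, ())
                   for r in self.user_effective_roles(user))

    def roles_with_permission(self, operation, obj):
        """Permission-role review: roles carrying this permission, directly or by inheritance."""
        return {r for r in self.role_perms
                if any((operation, obj) in self.role_perms.get(e, ())
                       for e in self.effective_roles(r))}


def course_system():
    """Constructed hierarchy: guest < student and guest < instructor, with
    student and instructor declared mutually exclusive."""
    rb = RBAC()
    rb.add_role("guest", perms={("read", "catalogue")})
    rb.add_role("student", perms={("submit", "assignment")}, inherits={"guest"})
    rb.add_role("instructor", perms={("grade", "assignment")}, inherits={"guest"})
    rb.add_sod_constraint("student", "instructor")
    rb.assign("alice", "student")
    rb.assign("bob", "instructor")
    return rb


if __name__ == "__main__":
    rb = course_system()
    print("bob reads catalogue (via guest):", rb.permitted("bob", "read", "catalogue"))
    print("roles able to read catalogue:", sorted(rb.roles_with_permission("read", "catalogue")))
    try:
        rb.assign("alice", "instructor")
    except ValueError as e:
        print("refused:", e)
```

The table on the slide maps onto the code directly: drop `inherits` and you have RBAC0, keep it and drop `exclusive` for RBAC1, the reverse for RBAC2, and both together for RBAC3.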

Page 28

RBAC Model

Page 29

UNIX File Access Control Access Control Matrix Representation of RBAC

Page 30

Access Control Models

Discretionary Access Control

– Access Matrix Models

– HRU and TAM

– Recent Trends in DAC

– DAC in Database Systems

Mandatory Access Control

– Bell-LaPadula Model

– Information Flow Model

Access Control Models for Security in the Commercial Sector

– Mandatory Access Control for Integrity - Biba Model

– Lipner’s Integrity Matrix Model

– Chinese Wall for Confidentiality

– Clark-Wilson Model

Role-based Access Control

Page 31

Discretionary Access Control (DAC)

• If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).

Page 32

DAC (cont’d)

• DAC policies govern the access of subjects to objects on the basis of the subjects’ identity, the objects’ identity and permissions

• When an access request is submitted to the system, the access control mechanism verifies whether there is a permission authorizing the access

• Such mechanisms are discretionary in that they allow subjects to grant other subjects authorization to access their objects at their discretion

Page 33

Mandatory Access Control (MAC)

• We must have access control at the system level that is more fundamental than anything determined by a subject

• Definition: when a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC) [occasionally called a rule-based access control]

Page 34

Bell-LaPadula (BLP) Model

• Proposed by Bell and LaPadula of the Mitre corporation in 1976

• Model based on military requirements, where subjects are provided with security clearances, objects are classified to security levels, and access by subjects to objects is provided on a need-to-know basis

Page 35

BLP Model – Basic Idea

• Subjects are assigned clearance levels and they can operate at a level up to and including their clearance levels

• Objects are assigned sensitivity levels

• The clearance levels as well as the sensitivity levels are called access classes

• An access class consists of two components

– security level

– category set

Page 36

Bell-LaPadula Model

• One of the first models created

• Confidentiality policy

• Yields a secure model (if it’s implemented correctly)

• Military classifications (objects) and clearances (subjects)

Page 37

Objects have classifications:

• Top Secret (TS): personal files

• Secret (S): e-mail files

• Confidential (C): log files

• Unclassified (U): phone directory

+ objects can be categorized: for example {army, navy, air} etc.

Bell-LaPadula Model

Page 38

• For each subject / object, the model defines the clearance level and the classification

• The information consists of the clearance level for the entity + a set of authorized categories:

– Alice has (TS, {army, navy})

– Bob has (C, {air})

– Tom has (U, {army, navy, air})

– Document_A has (S, {navy})

– Document_B has (S, {air})

In general: (L, C) where L is the clearance Level and C is a set of Categories

Bell-LaPadula Model

Page 39

• We define the “dominates” relationship:

(L, C) dom (L’, C’) iff L’ ≤ L and C’ ⊆ C

also ~dom (does not dominate)

• For example:

Alice dom Document_A

Bob ~dom Document_A

Tom ~dom Document_A

Bell-LaPadula Model

Page 40

• Deals with write/read permissions

– can be extended to other permissions

• Two conditions for achieving a “secure system”

• 1) Simple security condition (no read up)

• A subject at a given security level may not read an object at a higher security level

– Subject S can read object O iff S dom O and S has discretionary access to O

– Examples:

• Alice can read Document_A

• Bob cannot read Document_A

Bell-LaPadula Model

Page 41

• 2) *-property (no write down)

• A subject at a given security level must not write to any object at a lower security level

– Subject S can write object O iff O dom S and S has discretionary access to O

– Examples:

• Alice cannot write to Document_B

• Bob can write to Document_B

• Tom cannot write to Document_B

• If the two conditions are met, then we have a secure system (no transaction will lead to an insecure state) with regard to confidentiality.

Bell-LaPadula Model
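The following is an added example, not from the slides, that encodes the access classes, the dominates relation and the two BLP conditions from Pages 38 to 41, using the slides' own entities (Alice, Bob, Tom, Document_A, Document_B) and reproducing their verdicts. The slides also require that S has discretionary access to O; that part is modelled by a constructed ACL (`DAC`), which is an assumption and not part of the original.

```python
"""Added example (not from the slides): Bell-LaPadula access classes,
dominance, the simple security condition and the *-property.

Levels and categories come from the slides; the DAC layer is a constructed
ACL that grants every listed subject discretionary access to both documents.
"""

# Unclassified < Confidential < Secret < Top Secret
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


class AccessClass:
    """(L, C): a security level plus a set of categories."""

    def __init__(self, level, categories):
        self.level = level
        self.categories = frozenset(categories)

    def dom(self, other):
        """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
        return (LEVELS[other.level] <= LEVELS[self.level]
                and other.categories <= self.categories)


SUBJECTS = {
    "Alice": AccessClass("TS", {"army", "navy"}),
    "Bob": AccessClass("C", {"air"}),
    "Tom": AccessClass("U", {"army", "navy", "air"}),
}
OBJECTS = {
    "Document_A": AccessClass("S", {"navy"}),
    "Document_B": AccessClass("S", {"air"}),
}

# Constructed DAC layer (assumption): everyone has discretionary access to everything
DAC = {(s, o) for s in SUBJECTS for o in OBJECTS}


def dominates(subject, obj):
    return SUBJECTS[subject].dom(OBJECTS[obj])


def can_read(subject, obj, dac=DAC):
    """Simple security condition (no read up): S dom O, plus discretionary access."""
    return dominates(subject, obj) and (subject, obj) in dac


def can_write(subject, obj, dac=DAC):
    """*-property (no write down): O dom S, plus discretionary access."""
    return OBJECTS[obj].dom(SUBJECTS[subject]) and (subject, obj) in dac


def decision_table(dac=DAC):
    """(read?, write?) for every subject/object pair."""
    return {(s, o): (can_read(s, o, dac), can_write(s, o, dac))
            for s in SUBJECTS for o in OBJECTS}


if __name__ == "__main__":
    for (s, o), (r, w) in sorted(decision_table().items()):
        print(f"{s:5} -> {o}: read={r!s:5} write={w!s:5}")
```

Reading the table shows the confidentiality guarantee and its cost side by side: Alice, the most cleared subject, can read both documents but write neither, while Bob, cleared only to C, can write to Secret Document_B without being able to read it. That last row is the "write up" the integrity slides go on to criticise.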

Page 42

• A problem with this model is that it does not deal with the integrity of data.

• The star property makes it possible for a lower-level subject to write to a higher-classified object.

Bell-LaPadula Model

Page 43

• Biba deals with the integrity of data

• The Biba model addresses the problem with the star property of the Bell-LaPadula model, which does not restrict a subject from writing to a more trusted object.

Bell-LaPadula Model