Access Control
Computer Security
Dept. of Computer Science,
College of Computer and Information Sciences
King Saud University
Prepared by Yuan Tian
Access Control
Access control, the basic problem: Efficient
representation of access rights
• Simply listing, per subject and object, what
access is allowed and/or denied is very
inefficient
• We need a structured approach
• The approach needs to be
– efficient
– flexible
– testable
Access control concepts
• Principals and subjects (users, processes etc.)
– Active, access something
• Objects (files, devices, storage areas, services, etc.)
– Passive, are accessed
• Operations (what subjects do)
– Observe, alter, use
– Read, write, append, execute
Terminology
• “Permission” is usually used for direct access rights to
objects
• “Privilege” is sometimes used for more basic rights to
system resources
• There is no fixed, “correct” terminology
Principals and subjects
• A principal is an entity that has an authenticated identity
• A subject is an entity that acts on behalf of a principal,
within a computer system
• Example of principal: a user identity
• Example of subject: a process running under a user identity
Subjects and objects
• A subject is an entity that acts on behalf of a principal,
within a computer system
• An object is an entity that is acted upon
• Example of subject: a process running under a user identity
• Example of object: a text file
Observe/alter/use
• To observe is simply to look at the contents of an
object
• To alter is to change the contents of an object,
alternatively to add contents to an object
• It is also possible to use functionality of an object
without extracting its contents (example: smart
card signatures)
More on subjects
• To simplify access control handling, the special subject
“group" is often used
• A system often has a special group, “administrators," that
can access all (or many) resources of the system
The special subject “owner”
• In computers, the owner can grant access or revoke it, and
decide what type of access
– This is called “discretionary” access control
– The opposite, “mandatory” access control, mostly occurs in the
defence sector, which handles classified data
More on operations
• Usually “read”, “write” and “execute” are used
• Does write imply read permissions? Or does it
not?
• Does “write" mean “alter contents", “add
contents", “delete"? If not all, what are the others
called?
• What does “execute" mean for non-code objects?
• There can also be special arrangements for the
“create” and “delete” operations
More on objects
• “Subjects" are active parties, such as users,
processes etc; they access
• “Objects" are passive entities, resources such as
data, equipment etc; they are accessed
• When checking if access is allowed, both subject
and object must be identified
• Identities must be unique within their domain
Access Control Matrix
• Lists what users are allowed to do with resources like files
• Has one row (or column) per user
• Has one column (or row) per resource
• An abstract concept, not something used in actual storage,
because that would be extremely inefficient
Representing the Access Matrix Mechanisms
• Access Control Lists: Per object what rights the
listed subjects have to the object (a simple version
is permission bits)
• Capability Lists: Per subject what rights the
subject has to the listed objects
ACLs in simple form: Permission Bits
• Very simple
• Fixed set of rights, fixed set of subjects
• Very inflexible
• Efficient to determine permission for a given object
• No lists to search, registered directly with the objects
Three subject types per object:
• Owner
• Group
• Others
Three types of rights per subject type:
• Read
• Write
• eXecute
In UNIX these have different meaning for
different objects
• Files
– Read: read from a file
– Write: write to a file
– eXecute: execute a (program) file
• Directories
– Read: list directory contents
– Write: create, rename, or delete files
– eXecute: access file contents and metadata (but not
name)
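As an added example (not from the slides), a model of the UNIX permission-bit check: the class (owner, group, others) is chosen from the caller's identity first, and only that class's three bits decide, so a mode such as 0o070 denies the owner even though the group may read. Directories are traversed with eXecute and listed with Read, as the slide states. All uids, gids and modes are constructed.

```python
# Added example: model of UNIX permission bits (owner/group/others, rwx).
SHIFT = {"owner": 6, "group": 3, "others": 0}   # position of each class's 3 bits
BIT = {"read": 4, "write": 2, "execute": 1}

def permission_class(file_uid, file_gid, uid, groups):
    """Owner class if uids match, else group class if the file's gid is one of
    the caller's groups, else others. Exactly one class is ever consulted."""
    if uid == file_uid:
        return "owner"
    if file_gid in groups:
        return "group"
    return "others"

def allowed(mode, file_uid, file_gid, uid, groups, op):
    """True if op ('read'/'write'/'execute') is set in the selected class's bits."""
    cls = permission_class(file_uid, file_gid, uid, groups)
    return bool(((mode >> SHIFT[cls]) & 0o7) & BIT[op])

def can_read_path(path_entries, uid, groups):
    """path_entries: [(mode, uid, gid), ...] for each directory on the path and,
    last, the file. Every directory needs execute (traverse); the file needs read."""
    *dirs, (fmode, fuid, fgid) = path_entries
    for dmode, duid, dgid in dirs:
        if not allowed(dmode, duid, dgid, uid, groups, "execute"):
            return False
    return allowed(fmode, fuid, fgid, uid, groups, "read")

def owner_denied_example():
    """Constructed case: uid 1000 owns a file with mode 0o070 (owner bits empty).
    The owner class is selected and denies, although the group bits allow read."""
    return allowed(0o070, 1000, 100, 1000, {100}, "read")   # False

if __name__ == "__main__":
    # constructed sample path: /home (0o755 root) / secret (0o700 root) / notes (0o644 uid 1000)
    path = [(0o755, 0, 0), (0o700, 0, 0), (0o644, 1000, 100)]
    print("uid 2000 can read notes:", can_read_path(path, 2000, {100}))   # False: no x on secret
    print("owner denied by 0o070:", owner_denied_example())
```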
Access Control Lists (ACLs) in general
• More general ACLs do list per object what rights the listed
subjects have to the object
• Easy answer to the question “who has what kind of access
to this object”
• May be inefficient, since determining rights for one user
may require searching a long list
• Revoking permissions for one user needs searching
through the whole set of ACLs
• Doesn't always work well in distributed systems, since
permissions are stored together with objects
• Popular despite its shortcomings
• Simple to implement
• Natural in systems with discretionary access control
• Unix-based systems and Windows (although the latter is
more complicated)
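As an added example (not from the slides), one abstract access matrix held in the two mechanisms above, ACLs indexed by object and capability lists indexed by subject, together with the queries each answers in one lookup and the per-user revocation that forces a scan of every ACL. Subjects, objects and rights are constructed.

```python
# Added example: ACL view versus capability-list view of one access matrix.
MATRIX = {                      # (subject, object) -> rights; the abstract matrix
    ("alice", "payroll.db"): {"read", "write"},
    ("bob",   "payroll.db"): {"read"},
    ("bob",   "memo.txt"):   {"read", "write"},
    ("carol", "memo.txt"):   {"read"},
}

def to_acls(matrix):
    """ACL view: per object, the rights of each listed subject (stored with the object)."""
    acls = {}
    for (s, o), rights in matrix.items():
        acls.setdefault(o, {})[s] = set(rights)
    return acls

def to_capabilities(matrix):
    """Capability-list view: per subject, the rights it holds on each listed object."""
    caps = {}
    for (s, o), rights in matrix.items():
        caps.setdefault(s, {})[o] = set(rights)
    return caps

def who_can_access(acls, obj):
    """One lookup with ACLs: 'who has what kind of access to this object'."""
    return acls.get(obj, {})

def rights_of_subject_via_acls(acls, subject):
    """The per-subject question needs a scan of every object's list.
    Returns (rights found, number of ACLs searched)."""
    found, searched = {}, 0
    for obj, entries in acls.items():
        searched += 1
        if subject in entries:
            found[obj] = entries[subject]
    return found, searched

def revoke_subject_via_acls(acls, subject):
    """Revoking one user means visiting the whole set of ACLs; returns the count visited."""
    visited = 0
    for entries in acls.values():
        visited += 1
        entries.pop(subject, None)
    return visited

def rights_of_subject_via_caps(caps, subject):
    """One lookup with capability lists: everything the subject may do."""
    return caps.get(subject, {})
```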
ACCESS CONTROL ADMINISTRATION
• Administration of Privileges
– Unrestricted Discretion
Unrestricted Discretion
• If a subject U has ownership (own) right on an
object C, then U can confer any right on object C
to any other subject, say V, including ownership
right.
• If V gets ownership right from U then V, in turn,
can confer any right on object C to itself and to
any other subject, say W.
– W, in turn, can do the same. Thus the right on C is
propagated without restriction.
Propagation of Access
Constrained Discretion - Copy Flag
• If a subject U has a read-copy (rc) right on an
object C, and U has ownership right on C, then U
can confer the read-copy right on object C to any
other subject, say V.
• V, in turn, can then confer the read right on C to
any other subject, say W. However, V cannot
propagate the read-copy right to W. Thus W is
prevented from propagating the access right on
object C any further.
• write-copy (wc) has similar semantics
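As an added example (not from the slides), a small simulation of the two administration policies above on object C: under unrestricted discretion ownership hops from U to V to W without bound, while with the copy flag V receives rc, may pass plain r to W, but cannot pass rc on, so W cannot propagate further. The Matrix class and subject names are constructed for illustration.

```python
# Added example: propagation of rights under unrestricted discretion vs the copy flag.
# Rights are strings: "own", "r", "w", "rc" (read-copy), "wc" (write-copy).
COPY_OF = {"r": "rc", "w": "wc"}   # plain right -> the copy right that may confer it

class Matrix:
    def __init__(self):
        self.rights = {}            # (subject, object) -> set of rights

    def get(self, s, o):
        return self.rights.setdefault((s, o), set())

    def grant_unrestricted(self, granter, obj, grantee, right):
        """Unrestricted discretion: an owner may confer any right, 'own' included."""
        if "own" not in self.get(granter, obj):
            return False
        self.get(grantee, obj).add(right)
        return True

    def grant_copy_flag(self, granter, obj, grantee, right):
        """Constrained discretion: rc/wc may be conferred only by an owner who
        holds it; a non-owner holding rc/wc may confer only the plain r/w."""
        held = self.get(granter, obj)
        if right in COPY_OF.values():            # conferring rc or wc
            ok = "own" in held and right in held
        elif right in COPY_OF:                   # conferring r or w
            ok = "own" in held or COPY_OF[right] in held
        else:                                    # e.g. 'own' itself
            ok = "own" in held
        if ok:
            self.get(grantee, obj).add(right)
        return ok

def unrestricted_chain():
    """U -> V -> W: ownership, and with it every right, hops along without bound."""
    m = Matrix()
    m.get("U", "C").update({"own", "r"})
    m.grant_unrestricted("U", "C", "V", "own")
    m.grant_unrestricted("V", "C", "W", "own")
    return "own" in m.get("W", "C")

def copy_flag_chain():
    """U -> V -> W: the flag stops at V, so W can read but cannot pass read on."""
    m = Matrix()
    m.get("U", "C").update({"own", "rc"})
    return (m.grant_copy_flag("U", "C", "V", "rc"),   # True: owner with rc confers rc
            m.grant_copy_flag("V", "C", "W", "r"),    # True: rc holder confers plain r
            m.grant_copy_flag("V", "C", "W", "rc"),   # False: V is not an owner
            m.grant_copy_flag("W", "C", "X", "r"))    # False: W holds only r
```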
Role-Based Access Control (RBAC)
• DAC systems define the access rights of individual users
and groups of users.
• RBAC is based on the roles that users assume in a system
rather than the user’s identity.
• RBAC models define a role as a job function within an
organization. RBAC systems assign access rights to roles
instead of individual users.
• Users are assigned to different roles, either statically or
dynamically, according to their responsibilities.
NIST classification of RBAC levels
• Flat RBAC: As on last slide, adding user-role reviews,
which would tell a user if her role has changed
• Hierarchical RBAC: adds role hierarchies, with more
senior (or powerful) roles
• Constrained RBAC: adds separation-of-duties, so that
users cannot have two roles that are unsuitable to share
• Symmetric RBAC: adds permission-role reviews, in more
complicated situations, to find roles with specific
permissions
• Unfortunately, RBAC does not have a generally accepted
meaning
UNIX File Access Control Users, Roles, and Resources
• The relationship of users to roles is many to many, as is the
relationship of roles to resources, or system objects
Hierarchical Roles
• Guests are lower in the hierarchy than students
• Guests do not have a natural relation to students (unless it's
your mum)
Role Hierarchies
• A Family of Role-Based Access Control Models: RBAC0 is the
minimum requirement for an RBAC system. RBAC1 adds role
hierarchies and RBAC2 adds constraints. RBAC3 includes
RBAC1 and RBAC2.
Models   Hierarchies   Constraints
RBAC0    No            No
RBAC1    Yes           No
RBAC2    No            Yes
RBAC3    Yes           Yes
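As an added example (not from the slides), a minimal RBAC3 model: an RBAC1 role hierarchy in which student is senior to guest (as on the Hierarchical Roles slide) plus an RBAC2 separation-of-duty constraint. The roles, permissions and users are constructed; the practitioner point is that the constraint must be checked against the inherited (effective) roles, not only the directly assigned ones.

```python
# Added example: RBAC with role hierarchy (RBAC1) and SoD constraint (RBAC2) = RBAC3.
PERMS = {                          # role -> permissions held directly (constructed)
    "guest":   {"read_catalog"},
    "student": {"submit_homework"},
    "grader":  {"read_submissions", "write_grades"},
    "admin":   {"manage_users"},
}
HIERARCHY = {"student": {"guest"}, "admin": {"grader"}}   # senior -> direct juniors
MUTUALLY_EXCLUSIVE = [frozenset({"student", "grader"})]  # SoD: never both at once

def effective_roles(role):
    """Transitive closure down the hierarchy: a senior role inherits its juniors."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(HIERARCHY.get(r, ()))
    return seen

def permissions_of(roles):
    """Union of the direct permissions of every effective role."""
    return {p for role in roles for r in effective_roles(role) for p in PERMS[r]}

class RBAC:
    def __init__(self):
        self.user_roles = {}       # user -> directly assigned roles

    def assign(self, user, role):
        """Refuse the assignment if, after inheritance, the user would hold a
        mutually exclusive pair (checking direct roles only would miss admin+student)."""
        proposed = self.user_roles.get(user, set()) | {role}
        effective = {r for role_ in proposed for r in effective_roles(role_)}
        if any(pair <= effective for pair in MUTUALLY_EXCLUSIVE):
            return False
        self.user_roles.setdefault(user, set()).add(role)
        return True

    def check(self, user, perm):
        """Access decision: is perm reachable through any of the user's roles?"""
        return perm in permissions_of(self.user_roles.get(user, set()))

def demo():
    rbac = RBAC()
    got_student = rbac.assign("ann", "student")
    got_grader = rbac.assign("ann", "grader")           # blocked by SoD
    return (got_student, got_grader,
            rbac.check("ann", "read_catalog"),          # inherited from guest
            rbac.check("ann", "write_grades"))
```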
RBAC Model
Access Control Matrix Representation of RBAC
Access Control Models
Discretionary Access Control
– Access Matrix Models
– HRU and TAM
– Recent Trends in DAC
– DAC in Database Systems
Mandatory Access Control
– Bell-LaPadula Model
– Information Flow Model
Access Control Models for Security in Commercial Sector
– Mandatory Access Control for Integrity – Biba Model
– Lipner’s Integrity Matrix Model
– Chinese Wall for Confidentiality
– Clark-Wilson Model
Role-based Access Control
Discretionary Access Control (DAC)
• If an individual user can set an access control mechanism to
allow or deny access to an object, that mechanism is a
discretionary access control (DAC), also called an identity-
based access control (IBAC).
DAC (cont’d)
• DAC policies govern the access of subjects to objects on the
basis of subjects’ identity, objects’ identity and permissions
• When an access request is submitted to the system, the access
control mechanism verifies whether there is a permission
authorizing the access
• Such mechanisms are discretionary in that they allow
subjects to grant other subjects authorization to access their
objects at their discretion
Mandatory Access Control (MAC)
• We must have access control at the system level
that is more fundamental than anything
determined by a subject
• Definition: When a system mechanism controls
access to an object and an individual user cannot
alter that access, the control is a mandatory access
control (MAC) [occasionally called a rule-based
access control.]
Bell-LaPadula (BLP) Model
• Proposed by Bell and LaPadula of the Mitre
corporation in 1976
• Model based on military requirements where
subjects are provided with security clearances and
objects are classified to security levels and access
by subjects to objects is provided on a need to
know basis
BLP Model – Basic Idea
• Subjects are assigned clearance levels and they
can operate at a level up to and including their
clearance levels
• Objects are assigned sensitivity levels
• The clearance levels as well as the sensitivity
levels are called access classes
• An access class consists of two components
– security level
– category set
Bell-LaPadula Model
• One of the first models created
• Confidentiality policy
• Yields a secure model (if it’s implemented
correctly)
• Military classifications (objects) and clearances
(subjects)
• Top Secret (TS) personal files
• Secret (S) e-mail files
• Confidential (C) log files
• Unclassified (U) phone directory
• Objects have classifications
• Objects can also be categorized, for example {army,
navy, air} etc.
Bell-LaPadula Model
• for each subject / object, the model defines the clearance level and the classification
• the information consists of the clearance level for the entity + a set of authorized categories:
– Alice has (TS, {army, navy} )
– Bob has (C, {air} )
– Tom has (U, {army, navy, air})
– Document_A has (S, {navy})
– Document_B has (S, {air})
in general: (L, C) where L is the clearance Level and C is a set of Categories
Bell-LaPadula Model
• we define the “dominates” relationship:
(L, C) dom (L’, C’) iff
L’ ≤ L and C’ ⊆ C
also ~dom (does not dominate)
• for example
Alice dom Document_A
Bob ~dom Document_A
Tom ~dom Document_A
Bell-LaPadula Model
• Deals with write/read permissions
– can be extended to other permissions
• two conditions for achieving a “secure system”
• 1) simple security condition (no read up)
• A subject at a given security level may not read an object
at a higher security level
– Subject S can read object O iff S dom O and S has
discretionary access to O
– examples:
• Alice can read Document_A
• Bob cannot read Document_A
Bell-LaPadula Model
• 2) *-property (no write down)
• A subject at a given security level must not write
to any object at a lower security level
– Subject S can write object O iff O dom S and S has
discretionary access to O
– examples:
• Alice cannot write to Document_B
• Bob can write to Document_B
• Tom cannot write to Document_B
• if the two conditions are met, then we have a
secure system (no transaction will lead to an
insecure state) with regard to confidentiality.
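As an added example (not from the slides), the dominates relation and the two BLP conditions coded over the lecture's own access classes for Alice, Bob, Tom, Document_A and Document_B. Discretionary access is assumed to be granted in every case, so only the mandatory check decides; the table it produces also exposes the write-up allowed by the *-property (Bob at C writing Document_B at S).

```python
# Added example: Bell-LaPadula dominates, simple security condition and *-property.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # Unclassified < Confidential < Secret < Top Secret

def dominates(a, b):
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
    (l1, c1), (l2, c2) = a, b
    return LEVELS[l2] <= LEVELS[l1] and set(c2) <= set(c1)

def can_read(subject, obj, has_dac=True):
    """Simple security condition (no read up): S dom O, plus discretionary access."""
    return has_dac and dominates(subject, obj)

def can_write(subject, obj, has_dac=True):
    """*-property (no write down): O dom S, plus discretionary access."""
    return has_dac and dominates(obj, subject)

# Access classes exactly as given on the slides
SUBJECTS = {
    "Alice": ("TS", {"army", "navy"}),
    "Bob":   ("C",  {"air"}),
    "Tom":   ("U",  {"army", "navy", "air"}),
}
OBJECTS = {
    "Document_A": ("S", {"navy"}),
    "Document_B": ("S", {"air"}),
}

def access_table():
    """{(subject, object): (may read, may write)} for every pair (DAC assumed granted)."""
    return {
        (s, o): (can_read(sc, oc), can_write(sc, oc))
        for s, sc in SUBJECTS.items()
        for o, oc in OBJECTS.items()
    }

if __name__ == "__main__":
    for (s, o), (r, w) in access_table().items():
        print(f"{s:6} -> {o}: read={r!s:5} write={w!s:5}")
```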
Bell-LaPadula Model
• A problem with this model is it does not deal with the integrity of data.
• The star property makes it possible for a lower level subject to write to a higher classified object.
Bell-LaPadula Model
• Biba to deal with integrity of data
• The Biba model addresses the problem with the star property of the Bell-LaPadula model, which does not restrict a subject from writing to a more trusted object.
Bell-LaPadula Model