PRIVILEGE STATES BASED ACCESS CONTROL FOR FINE-GRAINED INTRUSION RESPONSE
Ashish Kamra, Elisa Bertino (Purdue University)
Presenter: Ashish Kundu
Motivation
- Databases
- Anomaly detection
- Anomaly response
- Access control
Access Control Decision Semantics
[Figure: Request -> Reference Monitor -> Allow | Deny]
Extended Decision Semantics
[Figure: Request -> Reference Monitor -> Allow | Deny | Taint | Suspend]
Primary Contribution
- A mechanism to enhance the decision semantics of an access control implementation
Why do we want to do that?
Support for fine-grained intrusion response
[Figure: Request -> Detection engine -> (Anomaly) -> Response engine]
Response actions:
- Drop request
- Log request
- 2nd factor of authentication
- Passive monitoring
Mapping
- Passive monitoring -> Taint decision semantics
- 2nd factor of authentication -> Suspend decision semantics
Privilege States: the glue for the mapping
- Assign states to privileges
- The response system changes a privilege's state -> fine-grained response actions
- Response actions are expressed as access control decision semantics
Privilege States
- A "state" is attached to every privilege of a user or role
- Five privilege states: DENY, SUSPEND, TAINT, GRANT, UNASSIGN
Privilege State Semantics
- "DENY": negative authorization
- "SUSPEND": request suspension
- "TAINT": request tainting
- "GRANT": standard SQL GRANT
- "UNASSIGN": standard SQL REVOKE
Example
- U1 is a member of role R1
- The DBA assigns the SELECT privilege on T1 in state DENY to user U1
- The DBA assigns the SELECT privilege on T1 in state TAINT to role R1
- Privilege state of SELECT on T1 for U1 ???
Privilege State Dominance
[Figure: dominance chain; an arrow from X to Y means 'X' overrides 'Y'. States as listed on the slide, top to bottom: DENY, SUSPEND, TAINT, UNASSIGN, GRANT]
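The following is an added example, not code from the paper or its PostgreSQL implementation. It resolves the slide's question (U1 has SELECT on T1 in DENY directly and in TAINT through R1) with the dominance relation, then maps the effective state to the extended decision semantics: TAINT lets the request through but flags it for logging and passive monitoring, SUSPEND holds it until a second factor of authentication succeeds. Assumptions of the example: the dominance order is read off the garbled figure top-down (DENY overrides SUSPEND overrides TAINT overrides UNASSIGN overrides GRANT), and the store layout, the names `PrivilegeStore`, `decide` and the `second_factor` callback are the example's own.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class State(Enum):
    """Privilege states, numbered in the dominance order read off the slide
    (assumption: the figure lists the most dominant state first)."""
    DENY = 0
    SUSPEND = 1
    TAINT = 2
    UNASSIGN = 3
    GRANT = 4


def dominant(states) -> State:
    """Most dominant of the applicable states; UNASSIGN (no privilege) if none apply."""
    states = list(states)
    return min(states, key=lambda s: s.value) if states else State.UNASSIGN


@dataclass
class PrivilegeStore:
    """Privilege states keyed by (principal, privilege, object); a principal is a user or a role."""
    states: Dict[Tuple[str, str, str], State] = field(default_factory=dict)
    roles_of: Dict[str, Set[str]] = field(default_factory=dict)

    def add_member(self, user: str, role: str) -> None:
        self.roles_of.setdefault(user, set()).add(role)

    def set_state(self, principal: str, privilege: str, obj: str, state: State) -> None:
        self.states[(principal, privilege, obj)] = state

    def effective_state(self, user: str, privilege: str, obj: str) -> State:
        # States assigned to the user directly and to each of the user's roles all apply;
        # the dominance relation picks the one that overrides the others.
        principals = [user, *sorted(self.roles_of.get(user, ()))]
        return dominant(self.states[(p, privilege, obj)]
                        for p in principals if (p, privilege, obj) in self.states)


def decide(store: PrivilegeStore, user: str, privilege: str, obj: str,
           second_factor: Optional[Callable[[str], bool]] = None) -> Tuple[str, State]:
    """Reference monitor with the extended decision semantics.
    Returns (decision, effective_state): 'allow', 'deny', 'taint' (allow, but log the
    request and monitor the session passively) or 'suspend' (hold the request until the
    hypothetical second_factor(user) re-authentication succeeds)."""
    state = store.effective_state(user, privilege, obj)
    if state is State.GRANT:
        return "allow", state
    if state in (State.DENY, State.UNASSIGN):
        return "deny", state          # negative authorization, or no privilege at all
    if state is State.TAINT:
        return "taint", state
    # SUSPEND: release the request only after the second factor checks out
    if second_factor is not None and second_factor(user):
        return "allow", state
    return "suspend", state


if __name__ == "__main__":
    # Constructed sample assignments mirroring the slide's example
    store = PrivilegeStore()
    store.add_member("U1", "R1")
    store.set_state("U1", "SELECT", "T1", State.DENY)
    store.set_state("R1", "SELECT", "T1", State.TAINT)
    print(decide(store, "U1", "SELECT", "T1"))   # DENY overrides TAINT -> deny
```

`decide` deliberately never returns "allow" for an UNASSIGN state: a privilege that was revoked stays revoked even if no negative state is set, which keeps the standard SQL semantics the slides map GRANT and UNASSIGN onto.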
Privilege State Transitions
[Figure: state transition diagram over the states GRANT, TAINT, SUSPEND, DENY and UNASSIGN. Transitions are labelled by the commands grant (+), deny, suspend (?), unassign (/) and taint; GRANT and REVOKE are the standard SQL commands]
Formal model
- For details, please refer to the paper …
Considering Role Hierarchies
- Role hierarchy based on privilege inheritance
- What about privileges in the "deny", "suspend" and "taint" states?
[Figure: R_parent {insert} inherits {select} from R_child {select}]
Privilege Orientation Modes
- up
- down
- neutral
[Figure: the states are grouped as "unassign, grant" and "deny, taint, suspend"]
Privilege Propagation
[Figure: role lattice with R1 at the bottom, R2 R3 R4 and R5 R6 R7 in the middle layers, R8 at the top. {select, grant} is shown at both ends of the hierarchy, as is {insert, deny, down}]
- Recursive propagation
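Added example, not the paper's implementation, covering the orientation-mode and propagation slides: privilege states are propagated recursively through a role hierarchy and conflicts on a role are resolved with the dominance relation. Assumptions of the example: the edges of the lattice (the slide shows only the layers R1; R2 R3 R4; R5 R6 R7; R8), that grant and unassign follow standard privilege inheritance upward from junior to senior roles while deny, taint and suspend carry an explicit up/down/neutral orientation (the slide's {insert, deny, down} carries one, {select, grant} does not), and the dominance order as listed top-down on the dominance slide. `RoleHierarchy`, `build_slide_lattice` and the `update`/`taint`/`neutral` assignment are the example's own.

```python
from collections import defaultdict

# Dominance order as listed on the dominance slide, most dominant first
# (assumption about how the figure is read; the rule itself is "X overrides Y").
RANK = {"deny": 0, "suspend": 1, "taint": 2, "unassign": 3, "grant": 4}
MODES = ("up", "down", "neutral")


class RoleHierarchy:
    """Roles with privilege inheritance: a parent (senior) role inherits from its children."""

    def __init__(self):
        self.parents = defaultdict(set)    # role -> roles directly senior to it
        self.children = defaultdict(set)   # role -> roles directly junior to it
        self.assigned = defaultdict(list)  # role -> [(privilege, state, orientation)]

    def add_edge(self, child, parent):
        self.parents[child].add(parent)
        self.children[parent].add(child)

    def assign(self, role, privilege, state, orientation=None):
        """Assign a privilege state to a role.
        Assumption: grant/unassign always propagate 'up' (standard inheritance);
        deny/taint/suspend take an explicit orientation mode."""
        if state not in RANK:
            raise ValueError(f"unknown privilege state {state!r}")
        if state in ("grant", "unassign"):
            orientation = "up"
        elif orientation not in MODES:
            raise ValueError(f"{state} needs an orientation mode in {MODES}")
        self.assigned[role].append((privilege, state, orientation))

    def _closure(self, role, relation):
        """All roles reachable from `role` by following `relation` repeatedly."""
        seen, stack = set(), [role]
        while stack:
            for nxt in relation[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def propagated(self):
        """role -> {privilege: [states]} once every assignment has been propagated recursively."""
        result = defaultdict(lambda: defaultdict(list))
        for role, items in self.assigned.items():
            for privilege, state, orientation in items:
                targets = {role}
                if orientation == "up":
                    targets |= self._closure(role, self.parents)
                elif orientation == "down":
                    targets |= self._closure(role, self.children)
                # 'neutral': the state stays on the role it was assigned to
                for target in targets:
                    result[target][privilege].append(state)
        return result

    def effective_state(self, role, privilege):
        """Resolve the propagated states on a role with the dominance relation."""
        states = self.propagated()[role].get(privilege, [])
        return min(states, key=RANK.__getitem__) if states else "unassign"


def build_slide_lattice():
    """The hierarchy of the propagation slide; the edges between its layers are assumed."""
    h = RoleHierarchy()
    for child, parent in [("R1", "R2"), ("R1", "R3"), ("R1", "R4"),
                          ("R2", "R5"), ("R3", "R6"), ("R4", "R7"),
                          ("R5", "R8"), ("R6", "R8"), ("R7", "R8")]:
        h.add_edge(child, parent)
    h.assign("R1", "select", "grant")             # flows up to every role senior to R1
    h.assign("R8", "insert", "deny", "down")      # flows down to every role junior to R8
    h.assign("R4", "update", "taint", "neutral")  # constructed extra: stays on R4 only
    return h


if __name__ == "__main__":
    h = build_slide_lattice()
    for role in ("R1", "R4", "R5", "R8"):
        print(role, {p: h.effective_state(role, p) for p in ("select", "insert", "update")})
```

A deny assigned lower in the lattice with orientation "down" only reaches the roles junior to it, so the senior roles keep the grant that propagated up; with the dominance order assumed here the junior roles see the deny win over the grant.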
Implementation in PostgreSQL
- New SQL commands TAINT, SUSPEND
- Enhanced access control lists to support privilege states and orientation modes
- Re-authentication procedure for a privilege in the "suspend" state
Access Control Check Overhead, No Role Hierarchy
[Figure: overhead (microseconds) versus ACL size (16, 32, 64, 128, 256, 512) for BASE and PSAC; y-axis 0 to 60 microseconds]
Access Control Check Overhead, With Role Hierarchy
[Figure: overhead (microseconds) versus ACL size (16, 32, 64, 128, 256, 512) for BASE and PSAC; y-axis 0 to 120 microseconds]
Conclusions
- Fine-granular access control in databases
- Anomaly response mechanisms
- Facilitates policy development
- Formal model and experimental evaluation