FRAC: Implementing Role-Based Access Control for Network File Systems
Aniruddha Bohra, Stephen Smaldone, and Liviu Iftode
Department of Computer Science
Rutgers University
{bohra,smaldone,iftode}@cs.rutgers.edu
Motivation
[Figure: User A's role depends on the time of day (Developer or Programmer, switching at 5 PM), and the files are accessed manually, from shell scripts, and from cron jobs. Group Developers = {User A, User B, User C}; group Programmers = {User A, User D}. The intended policy is File F : { Developers, !Programmers }, but with group membership alone it can only be expressed as File F : { User B, User C }.]
Role-Based Access Control (RBAC)
[Figure: Users are mapped to Roles, and Roles are mapped to Perms. User A is a member of Users 1. Example access control matrix, giving for each operation the role that triggers each action:]

            READ      WRITE     DELETE
  ALLOW     Users 1   Users 2   Devs
  LOG       Progs     Progs     Progs
  ALARM     Threat    Threat    Threat

Role Hierarchy: Users 2, Devs, Users 1, Progs
Benefits of RBAC
• Policy Specification
  – Administrators define system-wide access control policies
  – Users may query and update portions of the access control system state
  – Simplified sharing and protection
• Role Management
  – Role Hierarchy: Inheritance
  – Static Separation of Duties (SSD)
• Session Management
  – Dynamic User to Role Mapping
  – Dynamic Separation of Duties (DSD)
• Centralized Access Control Policy Enforcement
  – Enforcement of Principle of Least Privilege (POLP)
  – Verifiability of policy enforcement: auditing
RBAC for Network File Systems?
[Figure: Two existing approaches. (1) Modify the FS protocol between FS Client and File Server: this requires protocol modifications, interface changes, application changes, and more. (2) An External Authority makes the access control decisions for the File Server: user AC policy changes then require a user agent on the client.]
FRAC: Network File System RBAC in a Middlebox
[Figure: FS Client and File Server speak the standard FS protocol through a middlebox (FRAC). FRAC makes the access control decisions and hosts the Virtual Control Namespace (VCN), through which AC policy changes are made.]
• Virtual Control Namespace (VCN)
  – Maintained at FRAC and accessed by client
  – Query state of AC system = FS READ
  – Update permissions and AC policies = FS WRITE
Outline
• Introduction
• Design and Implementation
  – Background
  – Permission Evaluation in FRAC
  – Enforcing Principle of Least Privilege
  – Virtual Control Namespace (VCN)
• Evaluation
• Related Work
• Conclusions
Design Requirements
• Middlebox to Enforce RBAC Policies
  – Interpose and transform messages
  – Understand file system semantics
  – Store policies and maintain state
  – Evaluate and enforce file system access control policies
• Virtual Control Namespace
  – Enable users to query and owners to update the access control policy
  – Virtualize file system objects
  – Handle file system operations for virtual objects
Background: FileWall
FileWall: A Firewall for Network File System, S. Smaldone, A. Bohra, and L. Iftode. To appear in the Proceedings of the 3rd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07)
[Figure: FileWall sits between the FS Client and the File Server. Its components are the Scheduler, the Forwarder, the Access Context, the Request Handler, and the FileWall Policy modules (…).]
Permission Evaluation in FRAC
[Figure: FRAC (Scheduler, Forwarder, Access Context) interposed between the FS Client and the File Server. A request is looked up in the AC Matrix and checked against a time condition (Time > 5 PM ?); the outcome is ALLOW or DENY.]
Enforcing Principle of Least Privilege
[Figure: Access Context tables and one example request.]
Access Context, sessions:
  SessionID   {Active Roles}
  (U0, G0)    Progs
Access Context, files:
  VFH   FH   AC Matrix
  V0    F0   (READ, Users1)
FS Request: File Handle = V0, UserID = U0, GroupID = G0, Op = READ
Role Hierarchy: Users 2, Devs, Users 1, Progs. The session's active role (Progs) is checked, through the hierarchy, against the role the matrix requires (Users 1).
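The evaluation sketched on the "Permission Evaluation in FRAC" and "Enforcing Principle of Least Privilege" slides, written out as an added example. This is not FRAC's code. It assumes a direction for the role hierarchy edges (the slide only names the four roles), models the AC Matrix as (file handle, operation) -> rules with the ALLOW/LOG/ALARM actions from the RBAC slide, and represents the "Time > 5 PM ?" check as an optional condition on a rule; the session table, file handles, and role names are constructed to match the slide.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Role hierarchy: role -> roles whose permissions it inherits.  The edges are
# an assumption; the slide only lists the roles Users 2, Devs, Users 1, Progs.
ROLE_HIERARCHY: Dict[str, Set[str]] = {
    "Users2": {"Users1"},
    "Devs": {"Users2", "Progs"},
    "Users1": set(),
    "Progs": {"Users1"},
}


def inherited_roles(active: Set[str],
                    hierarchy: Dict[str, Set[str]] = ROLE_HIERARCHY) -> FrozenSet[str]:
    """Roles a session effectively holds: the active roles plus every role
    reachable through inheritance (transitive closure, safe on cycles)."""
    seen: Set[str] = set()
    stack = list(active)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(hierarchy.get(role, ()))
    return frozenset(seen)


@dataclass(frozen=True)
class Rule:
    action: str                                         # ALLOW, LOG or ALARM
    role: str                                           # role the rule applies to
    condition: Optional[Callable[[time], bool]] = None  # e.g. "Time > 5 PM ?"


@dataclass
class AccessContext:
    # SessionID (uid, gid) -> active roles, as in the slide's session table
    sessions: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    # file handle -> operation -> rules (the AC Matrix)
    ac_matrix: Dict[str, Dict[str, List[Rule]]] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    verdict: str                    # ALLOW or DENY
    side_effects: Tuple[str, ...]   # LOG / ALARM actions that fired


def evaluate(ctx: AccessContext, fh: str, uid: str, gid: str,
             op: str, now: time) -> Decision:
    """Evaluate one FS request against the access context.

    Deny by default.  The verdict becomes ALLOW only if an effective role of
    the session (active roles plus inheritance) matches an ALLOW rule whose
    condition holds at `now`.  LOG and ALARM rules matched by an effective
    role are collected as side effects whatever the verdict, so a denied
    request from a logged role is still recorded."""
    effective = inherited_roles(ctx.sessions.get((uid, gid), set()))
    verdict, effects = "DENY", []
    for rule in ctx.ac_matrix.get(fh, {}).get(op, []):
        if rule.role not in effective:
            continue
        if rule.condition is not None and not rule.condition(now):
            continue
        if rule.action == "ALLOW":
            verdict = "ALLOW"
        else:
            effects.append(rule.action)
    return Decision(verdict, tuple(effects))


def build_example_context() -> AccessContext:
    """Constructed sample data: session (U0, G0) has activated only Progs,
    session (U1, G1) has activated Devs; file F0 carries the RBAC-slide
    matrix, with DELETE additionally gated on the time-of-day condition."""
    after_5pm = lambda t: t > time(17, 0)
    ctx = AccessContext()
    ctx.sessions[("U0", "G0")] = {"Progs"}
    ctx.sessions[("U1", "G1")] = {"Devs"}
    ctx.ac_matrix["F0"] = {
        "READ":   [Rule("ALLOW", "Users1"), Rule("LOG", "Progs")],
        "WRITE":  [Rule("ALLOW", "Users2"), Rule("LOG", "Progs")],
        "DELETE": [Rule("ALLOW", "Devs", after_5pm), Rule("LOG", "Progs"),
                   Rule("ALARM", "Threat")],
    }
    return ctx


if __name__ == "__main__":
    ctx = build_example_context()
    print(evaluate(ctx, "F0", "U0", "G0", "READ", time(12, 0)))    # ALLOW, ('LOG',)
    print(evaluate(ctx, "F0", "U0", "G0", "WRITE", time(12, 0)))   # DENY, ('LOG',)
    print(evaluate(ctx, "F0", "U1", "G1", "DELETE", time(18, 0)))  # ALLOW, ('LOG',)
    print(evaluate(ctx, "F0", "U1", "G1", "DELETE", time(12, 0)))  # DENY, ('LOG',)
```

Least privilege comes from the session table: the evaluator consults only the roles a session has activated, not every role the user is assigned, so a user who holds Devs but opens a session with Progs active cannot delete, while the LOG rule for Progs still fires on the denied attempt and gives the auditor a record.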
Virtual Control Namespace (VCN)
[Figure: The VCN hangs off the Root of the real namespace and contains a Session directory, a Shadow directory, and a mirrored FS namespace. Shadow file contents: FILE METADATA and AC MATRIX.]
• Active Roles
• User -> Role Mappings
• Session Control Interface
VCN Challenges
• Creation of virtual objects
  – Must create file identifiers for virtual objects
  – Must avoid file identifier collisions between virtual and real objects
  – Provide virtual identifiers for all objects and store mappings
• Introduce virtual objects in existing namespace
  – Create virtual namespace under root of real namespace
  – Must modify namespace operations (e.g., READDIR, LOOKUP, etc.) to “splice” in virtual namespace
• Handle file system operations to virtual objects
  – Need to distinguish accesses to virtual objects from those for real objects
  – Demultiplex based on virtual identifier to real identifier mappings
VCN in FRAC
[Figure: FRAC with a VCN Handler added next to the Scheduler, Forwarder, and Access Context, between the FS Client and the File Server. The VCN Handler keeps a VFH -> FH Map: the client sees the VCN spliced in next to the real directories (home, bob), messages to the server carry only real handles for the real namespace (home, bob), and replies to the client are translated back.]
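An added example (not FRAC's or FileWall's code) of a toy VCN handler covering the three "VCN Challenges" and the VFH -> FH map of the "VCN in FRAC" slide: minting virtual file handles that cannot collide with real ones, splicing a virtual directory into LOOKUP and READDIR under the real root, and demultiplexing each request to the server or to the handler. It assumes file handles are opaque byte strings, that the virtual directory is named "VCN" under the root, that every real handle the server returns is re-issued to the client as a VFH (the slide's "provide virtual identifiers for all objects and store mappings"), and that the handler sees requests and replies as plain Python tuples rather than encoded NFSv3 messages. The real-handle values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

VCN_NAME = "VCN"   # name of the spliced-in virtual directory (assumed)

Reply = Union[None, bytes, List[str]]


@dataclass
class VcnHandler:
    vfh_to_fh: Dict[bytes, bytes] = field(default_factory=dict)       # real objects
    fh_to_vfh: Dict[bytes, bytes] = field(default_factory=dict)
    virtual_files: Dict[bytes, bytes] = field(default_factory=dict)   # VFH -> contents
    vcn_entries: Dict[str, bytes] = field(default_factory=dict)       # name -> VFH
    root_vfh: bytes = b""
    vcn_vfh: bytes = b""
    _counter: int = 0

    def __post_init__(self) -> None:
        self.vcn_vfh = self._new_vfh()          # the virtual directory itself

    def _new_vfh(self) -> bytes:
        # Virtual handles are minted only here, from a private counter, and the
        # client never sees a raw server handle: virtual and real objects live
        # in one handle space the middlebox controls, so they cannot collide.
        self._counter += 1
        return b"VFH" + self._counter.to_bytes(8, "big")

    def virtualize(self, fh: bytes) -> bytes:
        """Map a real FH to a stable VFH, allocating one on first sight."""
        if fh not in self.fh_to_vfh:
            vfh = self._new_vfh()
            self.fh_to_vfh[fh] = vfh
            self.vfh_to_fh[vfh] = fh
        return self.fh_to_vfh[fh]

    def set_root(self, root_fh: bytes) -> bytes:
        self.root_vfh = self.virtualize(root_fh)
        return self.root_vfh

    def add_virtual_file(self, name: str, contents: bytes) -> bytes:
        """Create a virtual object (e.g. a shadow AC matrix file) under VCN."""
        vfh = self._new_vfh()
        self.virtual_files[vfh] = contents
        self.vcn_entries[name] = vfh
        return vfh

    def to_server(self, op: str, vfh: bytes, name: Optional[str] = None,
                  data: Optional[bytes] = None) -> Tuple[str, object]:
        """Demultiplex one client request.  Returns ("local", reply) when the
        handler answers it, or ("server", (op, real_fh, name, data)) with the
        VFH rewritten to the real FH for forwarding."""
        # LOOKUP of the VCN name under the real root is answered locally.
        # Caveat: a real root entry also called VCN would be shadowed here.
        if op == "LOOKUP" and vfh == self.root_vfh and name == VCN_NAME:
            return "local", self.vcn_vfh
        # Operations on the virtual directory itself.
        if vfh == self.vcn_vfh:
            if op == "READDIR":
                return "local", sorted(self.vcn_entries)
            if op == "LOOKUP":
                return "local", self.vcn_entries.get(name or "")
            return "local", None
        # Virtual files: READ = query AC state, WRITE = update it (FS semantics
        # of the VCN); anything else is refused.
        if vfh in self.virtual_files:
            if op == "READ":
                return "local", self.virtual_files[vfh]
            if op == "WRITE" and data is not None:
                self.virtual_files[vfh] = data
                return "local", data
            return "local", None
        # A handle the middlebox never minted is never forwarded.
        if vfh not in self.vfh_to_fh:
            return "local", None
        # Real object: translate and forward.
        return "server", (op, self.vfh_to_fh[vfh], name, data)

    def from_server(self, op: str, dir_vfh: bytes, reply: Reply) -> Reply:
        """Rewrite a server reply for the client: real FHs become VFHs, and a
        READDIR of the root gets the VCN entry spliced in."""
        if op == "LOOKUP":
            return None if reply is None else self.virtualize(reply)  # type: ignore[arg-type]
        if op == "READDIR":
            names = list(reply or [])
            if dir_vfh == self.root_vfh and VCN_NAME not in names:
                names.append(VCN_NAME)
            return names
        return reply


def demo() -> Tuple[str, List[str], bool, bytes, bytes]:
    """Walk a constructed client session through the handler."""
    h = VcnHandler()
    root = h.set_root(b"\x01real-root")                    # constructed real FH
    acl_vfh = h.add_virtual_file("acl", b"READ:Users1")   # constructed AC data
    kind, _ = h.to_server("READDIR", root)                 # goes to the server
    listing = h.from_server("READDIR", root, ["home"])     # constructed reply
    _, vcn = h.to_server("LOOKUP", root, name=VCN_NAME)
    _, acl = h.to_server("LOOKUP", vcn, name="acl")
    _, before = h.to_server("READ", acl)
    h.to_server("WRITE", acl, data=b"READ:Users1;WRITE:Users2")
    return kind, listing, acl == acl_vfh, before, h.virtual_files[acl_vfh]
```

The collision problem dissolves once the client only ever holds handles minted by the middlebox: `virtualize` assigns every real object a VFH on the way back to the client, so the VFH -> FH map is the single place where the two spaces meet. The remaining name-level collision (a real directory called VCN under root) is the one the "VCN Challenges" slide warns about and is flagged in the comment rather than solved here.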
Prototype Implementation
• Network middlebox
  – FRAC implemented as a FileWall policy module
  – Implements RBAC for NFSv3 protocol
  – Direct access limited only to administrators
• Access Context
  – Berkeley DB: An open source database
• Policy specification
  – Static configuration using XACML
  – Updates supported through VCN for users
Outline
• Introduction
• Design and Implementation
• Evaluation
• Related Work
• Conclusions
Evaluation
• Roles
  – Arranged as linear chain: highest to lowest privilege level
  – Session starts with a role at head of chain (worst case)
• Setup
  – Systems: Dell PowerEdge 2600 SMP systems, 2.4 GHz Xeon II CPU, 2 GB RAM, running Linux 2.6
  – Microbenchmark: User-level RPC client
  – Application Benchmark: OpenSSH compilation
Results - Microbenchmark
Worst case overhead is low!
[Figure: Response Latency (msec), axis 0 to 700, for the NFS operations getattr, lookup, access, read, write, and readdir; series NFS, FRAC-5, and FRAC-50.]
Results - OpenSSH Compilation
Most expensive data phases have small (<10% & <15%) overheads!
[Figure: Time (sec), axis 0 to 80, for the phases untar, configure, compile, install, and remove; series NFS, FRAC-5, and FRAC-50.]
Related Work
• RBAC Model
  – RBAC Standards [Ferraiolo’01, ANSI/INCITS’04]
• RBAC for Network File Systems
  – Protocol Modifications [Gustaffson’97]
  – Agent-Based Systems [He’05]
• Virtual and Programmable Namespaces
  – Plan 9 [Pike’93]
  – Semantic File Systems [Sheldon’91]
Conclusions and Future Work
• FRAC: RBAC for network file systems using a middlebox (FileWall)
  – Requires no client or server modifications
  – Virtual Control Namespace eliminates use of specialized agents
  – Low overheads: < 15% overhead for up to 50 roles
• Future Work:
  – Language for Specification and Verification of policies
  – Continuous Monitoring of network file system accesses
Thank You!
Questions?