Access Control Mechanisms, Week 6, CEN-5079: 7.March.2019 (PowerPoint PPT presentation)



SLIDE 1: Access Control Mechanisms

Week 6

CEN-5079: 7.March.2019

SLIDE 2: Why Access Control

  • Following authentication, we need to decide what the subject can access

Figure: subjects Alice and Bob make requests on objects F and G; three requests are shown together with the system's answers: (1) Read F → OK (1'), (2) Write to F → NO! (2'), (3) Execute G → OK (3').

  • How do we store this information?
SLIDE 3: In this lecture …

  • Access matrix model
  • Access control lists versus Capabilities
  • Role Based Access Control
  • File Protection Mechanisms
  • Security Policies
  • Models of Security
  • Some exercises
SLIDE 4: Access Matrix Model (Lampson 1971)

Rows are subjects, columns are objects (and subjects); the cell at (subject, object) holds that subject's rights on that object. Cell contents as on slides 11, 14 and 15:

                  Objects (and Subjects)
  Subjects        F          G
    A             r w x      r
    B                        r w x

SLIDE 5: Basic Abstractions

  • Subjects
  • Objects
  • Rights
  • The rights in a cell specify the access of the subject (row) to the object (column)

SLIDE 6: Users and Subjects

  • A subject is a program (application) executing on behalf of a user
  • A user may at any time be idle, or have one or more subjects executing on her behalf

SLIDE 7: Users and Subjects: Example

Figure: USERS → SUBJECTS. The user Bob.SECRET has four subjects executing on his behalf: Mail Application, Word Processor, Database App, Spreadsheet.

SLIDE 8: Objects

  • Anything on which a subject can perform operations (mediated by rights)
  • Usually objects are passive, for example:
    • File
    • Directory (or Folder)
    • Memory segment
  • But objects can also be subjects, with operations such as
    • kill
    • suspend
    • resume

SLIDE 9: Access Matrix Model (the matrix of slide 4 again, before its implementations)

                  Objects (and Subjects)
  Subjects        F          G
    A             r w x      r
    B                        r w x

SLIDE 10: Access Matrix Implementation

  • The access matrix can be sparse
    • Storing it as a full matrix is space inefficient
  • Implementations:
    • Access Control Lists
    • Capabilities
    • Relations

SLIDE 11: Access Control List - ACL

Each column of the access matrix is stored with the object corresponding to that column

  • Maintained for each object (or subject)
  • No entries when no permissions

G's ACL (from the matrix of slide 4):

  A: r
  B: r, w, x

SLIDE 12: Capability

  • Unforgeable token that gives its possessor certain rights
    • Object to which access is permitted
    • Right for the object

Example: (F, r) is a capability giving the right to read object F

  • How to make it unforgeable
    1. Only the OS can access the capability; the user gets a pointer to it
    2. Signed capabilities; the access control mechanism holds the key

SLIDE 13: Transfer Capability

  • One access right is transfer/propagate: (F, t) is a capability giving the right to transfer capabilities for object F
  • A subject holding it can pass a copy of a capability for F to others

Figure: Alice holds (F, r) and (F, t) --transfer--> Bob holds (F, r) and (F, t) --transfer--> Carol holds only (F, r). Carol can no longer transfer!
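Added example (not from the lecture): the "signed capabilities" option of slide 12, with the transfer right of slide 13 played out as Alice → Bob → Carol. A capability is (object, rights, tag); the tag is an HMAC under a key that only the access control mechanism holds, so a subject can present or copy a capability but cannot forge or amplify one. The key, the object name F and the rights letters are constructed for the example.

```python
# Added example: signed (HMAC-tagged) capabilities with a transfer right.
# Not from the lecture; key, object names and rights strings are constructed.
import hashlib
import hmac
import secrets

# Key known only to the access control mechanism ("the OS"); subjects never see it.
_OS_KEY = secrets.token_bytes(32)  # fresh per run; constructed for the example


def _tag(obj: str, rights: str) -> bytes:
    msg = f"{obj}\x00{''.join(sorted(rights))}".encode()
    return hmac.new(_OS_KEY, msg, hashlib.sha256).digest()


def mint(obj: str, rights: str) -> tuple:
    """OS-only operation: issue a capability (object, rights, tag)."""
    return (obj, "".join(sorted(rights)), _tag(obj, rights))


def valid(cap: tuple) -> bool:
    """Anyone can present a capability; only correctly tagged ones are accepted."""
    obj, rights, tag = cap
    return hmac.compare_digest(tag, _tag(obj, rights))


def permits(cap: tuple, obj: str, right: str) -> bool:
    """Does this capability grant `right` on `obj`?"""
    return valid(cap) and cap[0] == obj and right in cap[1]


def transfer(cap: tuple, rights: str) -> tuple:
    """Holder passes a copy carrying a subset of its rights to another subject.
    Allowed only if the capability is genuine and carries the transfer right 't'."""
    if not valid(cap):
        raise PermissionError("forged or tampered capability")
    if "t" not in cap[1]:
        raise PermissionError("capability is not transferable")
    if not set(rights) <= set(cap[1]):
        raise PermissionError("cannot amplify rights on transfer")
    return mint(cap[0], rights)


def slide13_scenario() -> dict:
    """Alice -> Bob -> Carol as drawn on slide 13."""
    alice = mint("F", "rt")            # Alice holds F:r and F:t
    bob = transfer(alice, "rt")        # Bob receives F:r and F:t
    carol = transfer(bob, "r")         # Carol receives only F:r
    forged = ("F", "rwt", carol[2])    # Carol edits her token to add w and t
    carol_can_transfer = True
    try:
        transfer(carol, "r")
    except PermissionError:
        carol_can_transfer = False
    return {
        "bob_reads_F": permits(bob, "F", "r"),
        "carol_reads_F": permits(carol, "F", "r"),
        "carol_can_transfer": carol_can_transfer,
        "forged_accepted": valid(forged),
    }
```

The first unforgeability option on slide 12 (capabilities live in OS memory and the user only holds an index) needs no cryptography but ties capabilities to one machine; the signed form can cross a network, which is why propagation control (the `t` check above) matters more there.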

SLIDE 14: Capability List: C-List

Each row of the access matrix is stored with the subject corresponding to that row

Alice's C-list: (F, r), (F, w), (F, x), (G, r)

SLIDE 15: Access Control Relations

Commonly used in relational database management systems: each (subject, access, object) triple is one tuple

  Subject   Access   Object
  A         r        F
  A         w        F
  A         x        F
  A         r        G
  B         r        G
  B         w        G
  B         x        G

SLIDE 16: In this lecture …

  • Access matrix model
  • Access control lists versus Capabilities
  • Role Based Access Control
  • File Protection Mechanisms
  • Security Policies
  • Models of Security
  • Some exercises
SLIDE 17: ACLs vs. Capabilities

  • ACLs require authentication of subjects (the list is keyed by subject identity)
  • Capabilities do not require authentication of subjects (possession of the token is the proof), but do require
    • Unforgeability
    • Control of propagation of capabilities

SLIDE 18: ACLs vs. Capabilities: Access Review

  • ACLs provide for superior access review on a per-object basis
    • Who has access to this object?
    • But hard to see to what a subject has access
    • How would you do that? (Every object's ACL has to be scanned for the subject)
  • Capabilities provide for superior access review on a per-subject basis
    • What capabilities does this subject have?
    • But hard to see who has access to an object (every subject's C-list has to be scanned)

SLIDE 19: ACLs vs. Capabilities: Revocation

  • How do you revoke access of a subject to an object?
  • ACLs provide for superior revocation facilities on a per-object basis
    1. Scan the object's ACL
    2. Remove the subject from the list (if present)
    • But hard to revoke all rights of a subject (every object's ACL must be visited)
  • Capabilities provide for superior revocation facilities on a per-subject basis
    • But hard to revoke all rights on an object (for all subjects), since the capabilities are held by the subjects
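Added example (not from the lecture): the matrix of slide 4 stored both as per-object ACLs (slide 11) and as per-subject C-lists (slide 14), with the review questions of slide 18 and the revocations of slide 19 answered from each representation. The `scanned`/`touched` counters are mine, added to make visible which question is cheap in which representation; subject and object names are the slides' own.

```python
# Added example: ACL vs C-list storage of one access matrix, with the
# per-object / per-subject review and revocation operations of slides 18-19.
# Not from the lecture; the cost counters are illustrative.
from collections import defaultdict

# The matrix of slide 4: A has rwx on F and r on G; B has rwx on G.
MATRIX = {("A", "F"): {"r", "w", "x"}, ("A", "G"): {"r"}, ("B", "G"): {"r", "w", "x"}}

acl = defaultdict(dict)     # object  -> {subject: rights}   (one ACL per object)
clist = defaultdict(dict)   # subject -> {object: rights}    (one C-list per subject)
for (s, o), rights in MATRIX.items():
    acl[o][s] = set(rights)
    clist[s][o] = set(rights)


def who_can_access(obj: str) -> tuple:
    """Per-object review: direct from the ACL; from C-lists, scan every subject."""
    via_acl = dict(acl[obj])
    scanned = 0
    via_clist = {}
    for s, caps in clist.items():
        scanned += len(caps)
        if obj in caps:
            via_clist[s] = caps[obj]
    return via_acl, via_clist, scanned


def what_can_access(subj: str) -> tuple:
    """Per-subject review: direct from the C-list; from ACLs, scan every object."""
    via_clist = dict(clist[subj])
    scanned = 0
    via_acl = {}
    for o, entries in acl.items():
        scanned += len(entries)
        if subj in entries:
            via_acl[o] = entries[subj]
    return via_clist, via_acl, scanned


def revoke_on_object(obj: str, subj: str) -> None:
    """Slide 19 steps 1-2 on the ACL; the subject's C-list entry must go too."""
    acl[obj].pop(subj, None)
    clist[subj].pop(obj, None)


def revoke_all_of_subject(subj: str) -> int:
    """Cheap on the C-list side; on the ACL side every object's list is visited.
    Returns how many ACLs actually held an entry for the subject."""
    clist[subj].clear()
    touched = 0
    for entries in acl.values():
        if entries.pop(subj, None) is not None:
            touched += 1
    return touched
```

Keeping both structures in sync, as the two revoke functions do, is exactly the bookkeeping a real system avoids by picking one representation; the scan counts show what the other question then costs.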

SLIDE 20: ACLs vs. Capabilities: In the Real World

  • The per-object basis usually wins
    • Most OSs protect files by means of ACLs
    • Operations are centered on objects
  • Unix uses an abbreviated form of ACLs with just three entries:
    • owner
    • group
    • other

SLIDE 21: In this lecture …

  • Access matrix model
  • Access control lists versus Capabilities
  • Role Based Access Control
  • File Protection Mechanisms
  • Security Policies
  • Models of Security
  • Some exercises
SLIDE 22: Role Based Access Control (RBAC)

  • A user's permissions are determined by the user's roles
    • Rather than by identity or clearance
  • Roles can encode arbitrary attributes

Figure: USERS --(User-Role Assignment)--> ROLES <--(Permission-Role Assignment)-- PERMISSIONS

SLIDE 23: Basic RBAC

Figure: USERS --(User-Role Assignment)--> ROLES <--(Permission-Role Assignment)-- PERMISSIONS; each user has one or more SESSIONS (…), and a session activates some of that user's roles.

SLIDE 24: Permissions

  • Similar to capabilities
    • Object on which the permission is granted
    • Right granted
  • Primitive rights
    • read, write, append, execute
  • Permissions are positive
    • No negative permissions or denials

SLIDE 25: Roles as Policy

  • A role brings together
    • A collection of users and
    • A collection of permissions
  • Different from groups
    • Groups are often defined as just a collection of users

SLIDE 26: Users

  • Human beings or other active agents
  • Each individual should be known as exactly one user
  • User-Role Assignment
    • A user can have many roles
    • Each role can be assigned to many users
  • Sessions
    • A user can invoke multiple sessions
    • In each session a user can invoke any subset of the roles that the user is a member of

SLIDE 27: Permission-Role Assignment

  • A permission can be assigned to many roles
  • Each role can have many permissions

Figure: USERS --(User-Role Assignment)--> ROLES <--(Permission-Role Assignment)-- PERMISSIONS

SLIDE 28: More Complex RBAC: Role Hierarchies

Figure: the basic RBAC diagram (USERS --(User-Role Assignment)--> ROLES <--(Permission-Role Assignment)-- PERMISSIONS, with SESSIONS) extended with Role Hierarchies on the ROLES set.

SLIDE 29: Role Hierarchy: Example 1

Figure (junior to senior): Health-Care Provider → Physician → Primary-Care Physician, Specialist Physician

SLIDE 30: Role Hierarchy: Example 2

Figure (junior to senior): Engineer → Hardware Engineer, Software Engineer → Supervising Engineer

SLIDE 31: Role Hierarchy: Example 3

Figure (junior to senior): Employee (E) → Engineering Department (ED) → two project sub-hierarchies, PROJECT 1 with Engineer 1 (E1), Production 1 (P1), Quality 1 (Q1) and Project Lead 1 (PL1), and PROJECT 2 with Engineer 2 (E2), Production 2 (P2), Quality 2 (Q2) and Project Lead 2 (PL2) → Director (DIR) at the top
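Added example (not from the lecture): the RBAC elements of slides 22-28 (users, roles, positive permissions, user-role and permission-role assignment, sessions) over the role hierarchy of slide 29. The role names are the slide's; the direction of inheritance (senior roles acquire their juniors' permissions), the particular permissions and the users are my assumptions for illustration.

```python
# Added example: basic RBAC with a role hierarchy and sessions.
# Not from the lecture; hierarchy edges, permissions and users are assumed.
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]            # (right, object), e.g. ("read", "chart")

# Junior -> its immediate seniors. Assumed: seniors inherit juniors' permissions.
HIERARCHY: Dict[str, Set[str]] = {
    "Health-Care Provider": {"Physician"},
    "Physician": {"Primary-Care Physician", "Specialist Physician"},
    "Primary-Care Physician": set(),
    "Specialist Physician": set(),
}

# Permission-Role Assignment (slide 27). Permissions are positive only (slide 24).
PA: Dict[str, Set[Permission]] = {
    "Health-Care Provider": {("read", "schedule")},
    "Physician": {("read", "chart"), ("append", "chart")},
    "Primary-Care Physician": {("write", "referral")},
    "Specialist Physician": {("write", "consult-note")},
}

# User-Role Assignment: many-to-many (slide 26). Users are constructed.
UA: Dict[str, Set[str]] = {
    "alice": {"Primary-Care Physician"},
    "bob": {"Specialist Physician", "Health-Care Provider"},
    "carol": {"Health-Care Provider"},
}


def juniors_of(role: str) -> Set[str]:
    """All roles at or below `role` in the hierarchy (transitive closure)."""
    result, stack = {role}, [role]
    while stack:
        r = stack.pop()
        for junior, seniors in HIERARCHY.items():
            if r in seniors and junior not in result:
                result.add(junior)
                stack.append(junior)
    return result


def effective_permissions(roles: Set[str]) -> Set[Permission]:
    """Permissions of the roles plus everything inherited from junior roles."""
    perms: Set[Permission] = set()
    for role in roles:
        for r in juniors_of(role):
            perms |= PA.get(r, set())
    return perms


class Session:
    """A user activates a subset of the roles assigned to them (slide 26)."""

    def __init__(self, user: str, active_roles: Set[str]):
        if not active_roles <= UA.get(user, set()):
            raise PermissionError(f"{user} is not assigned all of {active_roles}")
        self.user, self.active = user, set(active_roles)

    def check(self, right: str, obj: str) -> bool:
        return (right, obj) in effective_permissions(self.active)
```

A session that activates only the roles a task needs (Bob opening a session as Health-Care Provider rather than as Specialist Physician) is how RBAC delivers least privilege without changing any assignment.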

SLIDE 32: In this lecture …

  • Access matrix model
  • Access control lists versus Capabilities
  • Role Based Access Control
  • File Protection Mechanisms
  • Security Policies
  • Models of Security
  • Some exercises
SLIDE 33: File Protection Mechanisms

  • Multi-user system
    • Protect files from other users
  1. All-None Protection
  2. Group Protection
  3. Temporary Acquired Permission

SLIDE 34: All-None Protection

  • Original IBM systems
    • By default, files were public
    • Anyone could read, write or delete any file
  • Users were assumed
    • Trustworthy
    • To know only their own files' names
  • The sysadmin could password-protect certain files
    • So could users
  • Main problem: lack of trust (protection relied on users being well-behaved and not knowing other files' names)

SLIDE 35: Group Protection

  • Unix systems: three classes
    • The user (owner)
    • The group of users associated with the user: group
    • The rest of the users: world
  • Groups
    • Members that share a common interest
    • Need to share
  • In the original scheme a user can belong to only one group
    • Otherwise a user belonging to groups A and B could pass files from group A to group B
    • (Modern Unix systems do allow a user to be in several supplementary groups; each file still has exactly one owning group)

SLIDE 36: Group Protection (cont'd)

  • For each created file, the user
    • Assigns permissions for user, group, world
    • From the set r, w, x
  • Example: rwx rw- r-- (owner rwx, group rw-, world r--)
    • chmod 764 filename (7 = rwx, 6 = rw-, 4 = r--)
  • Suitable for a paper shared by a group
  • Main problem: a user can belong to only one group

SLIDE 37: Temporary Acquired Permissions

  • Unix systems: set userid (suid) bit
    • Only meaningful for executable files
    • If set, the file executes with the permissions of the owner, not of the executor
  • Example: passwd, the operation that changes a user's password
    • Only the system (root) can change passwords, i.e. access the password file
    • But users should be able to invoke passwd
    • passwd is suid root: it executes with system privileges
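Added example (not from the lecture): the owner/group/world check behind slides 35-37, the symbolic mode of slide 36 turned into the bits behind `chmod 764`, and the setuid step of slide 37. The class-selection rule (exactly one class applies: owner if the effective uid matches, else group, else other) and the S_ISUID bit value are Unix's; the uids, gids, files and processes are constructed. Supplementary groups are included, which goes beyond the one-group-per-user scheme on the slides.

```python
# Added example: Unix mode bits, the three-class access check, and setuid.
# Not from the lecture; uids, gids and file names are constructed.
from dataclasses import dataclass, field
from typing import FrozenSet

S_ISUID = 0o4000                    # set-user-id bit (Unix value)


def parse_mode(symbolic: str) -> int:
    """'rwxrw-r--' -> 0o764, the mode bits behind `chmod 764`."""
    if len(symbolic) != 9:
        raise ValueError("expected nine characters, e.g. rwxrw-r--")
    mode = 0
    for ch, expected in zip(symbolic, "rwx" * 3):
        mode <<= 1
        if ch == expected:
            mode |= 1
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in mode string")
    return mode


@dataclass
class File:
    owner_uid: int
    owner_gid: int
    mode: int                       # rwx bits for owner/group/other, plus S_ISUID


@dataclass
class Process:
    euid: int                       # effective uid: what access checks look at
    egid: int
    groups: FrozenSet[int] = field(default_factory=frozenset)  # supplementary groups


def allowed(proc: Process, f: File, right: str) -> bool:
    """Exactly one class applies: owner if euid matches, else group, else other.
    An owner whose owner bits lack the right is refused even if 'other' has it."""
    bit = {"r": 4, "w": 2, "x": 1}[right]
    if proc.euid == f.owner_uid:
        shift = 6
    elif proc.egid == f.owner_gid or f.owner_gid in proc.groups:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)


def execute(proc: Process, f: File) -> Process:
    """Run f: with the setuid bit set the new process carries the owner's uid
    (slide 37), otherwise the caller's. Execute permission is checked first."""
    if not allowed(proc, f, "x"):
        raise PermissionError("no execute permission")
    euid = f.owner_uid if f.mode & S_ISUID else proc.euid
    return Process(euid=euid, egid=proc.egid, groups=proc.groups)
```

The `---rwxrwx` case in the test is the one practitioners get wrong: the owner is refused because only the owner class is consulted, which is also why a setuid-root program that merely "checks the mode" with its own euid can reach conclusions that differ from what the invoking user could do.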

SLIDE 38: In this lecture …

  • Access matrix model
  • Access control lists versus Capabilities
  • Role Based Access Control
  • File Protection Mechanisms
  • Security Policies
  • Models of Security
  • Exercise
SLIDE 39: Security Policies

  • Statement of the security we expect the system to enforce
  • Military Security Policy
  • Commercial Security Policies
    • Clark-Wilson
    • Separation of Duty
    • Chinese Wall Security Policy

SLIDE 40: Military Security Policy

  • Each object has a sensitivity level, rank(object)
    • Unclassified, restricted, confidential, secret, top secret

Figure: Unclassified < Restricted < Confidential < Secret < Top Secret

  • Information at a level is
    • More sensitive than the level below
    • Less sensitive than the level above
SLIDE 41: Military Security Policy (cont'd)

  • Access according to the need-to-know rule
  • Information is associated with projects
    • One or more
    • Called compartments
  • Example:
    • Projects alpha and beta
    • Both use secret information
    • But staff on alpha does not need access to beta

SLIDE 42: Dominance

  • Classification of an object
    • <rank; compartments>
  • Clearance of a subject
    • Indication that the subject can access information up to a level of sensitivity
    • <rank; compartments>
  • Dominance: s ≥ o (subject dominates object) iff
    • rank(s) ≥ rank(o) and
    • compartments(o) ⊆ compartments(s)
  • Then s can read o

SLIDE 43: Dominance: Example

  • Object classified <secret; {Sweden}>
  • Accessible by a subject with clearance
    • <top secret; {Sweden}> : YES or NO ?
    • <secret; {Sweden, Denmark}>: YES or NO ?
    • <top secret; {Denmark}>: YES or NO ?

SLIDE 44: Commercial Security Policies

  • Concerns
    • Industrial espionage
    • Corporate finance leaks
  • Clark-Wilson
  • Separation of Duty (read P&P: C 5.2 pg. 250-1)
  • Chinese Wall Security Policy
    • Brewer and Nash '89

SLIDE 45: Chinese Wall Security Policy

  • Handles conflicts of interest in companies
    • A person in a company obtains sensitive information about competitors
  • Three levels of abstraction
    • Objects (e.g., files): concern a single company
    • Company groups: all objects pertaining to a company
    • Conflict classes: groups of competing companies
  • Each object belongs to a single company group
  • Each company group belongs to a single conflict class

SLIDE 46: Chinese Wall Security: Example

  • Advertising company with multiple clients
  • Rule: no employee knows sensitive information on competitors

Figure: conflict classes Chocolate Companies {Suchard, Nestle}, Banks {Citicorp, Credit Lyonnais, Deutsche Bank} and an airline class {United Airlines}. An employee who has accessed Citicorp and Suchard may go on to access United Airlines (and Citicorp again), but a request for Credit Lyonnais is Forbidden!

SLIDE 47: Chinese Wall Security: Example (cont'd)

  • Advertising company with multiple clients
  • Rule: no employee knows sensitive information on competitors
  • Access to an object is granted only if
    • It is the subject's first access to that conflict class, or
    • The object is from the same company group as a previous access
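Added example (not from the lecture): the access rule of slide 47 enforced over the conflict classes of slide 46. The company groupings are the slide's; the access sequence, the employee name and the assumption that United Airlines sits alone in its own conflict class are constructed for the example.

```python
# Added example: Chinese Wall (Brewer-Nash) access decisions.
# Not from the lecture; the access sequence and subject names are constructed.
from typing import Dict, List, Set

# Conflict classes: groups of competing companies (slide 45). Each company
# group belongs to exactly one class, each object to exactly one company.
CONFLICT_CLASSES: Dict[str, Set[str]] = {
    "Chocolate Companies": {"Suchard", "Nestle"},
    "Banks": {"Citicorp", "Credit Lyonnais", "Deutsche Bank"},
    "Airlines": {"United Airlines"},       # assumed: a class of its own
}
CLASS_OF = {company: cls
            for cls, members in CONFLICT_CLASSES.items() for company in members}


class ChineseWall:
    """Remembers, per subject, which company group it has touched in each class."""

    def __init__(self):
        self.history: Dict[str, Dict[str, str]] = {}   # subject -> {class: company}

    def may_access(self, subject: str, company: str) -> bool:
        cls = CLASS_OF[company]
        seen = self.history.setdefault(subject, {})
        # Slide 47: first access to the class, or same group as a previous access.
        return cls not in seen or seen[cls] == company

    def access(self, subject: str, company: str) -> bool:
        """Decide and, if granted, record the access (the wall is history-dependent)."""
        if not self.may_access(subject, company):
            return False
        self.history[subject][CLASS_OF[company]] = company
        return True


def slide46_sequence(wall: ChineseWall = None) -> List[bool]:
    """One employee requests, in order: Citicorp, Suchard, Credit Lyonnais,
    United Airlines, Citicorp. Returns the decision for each request."""
    wall = wall or ChineseWall()
    return [wall.access("employee", c) for c in
            ["Citicorp", "Suchard", "Credit Lyonnais", "United Airlines", "Citicorp"]]
```

Unlike the ACL and matrix models earlier in the lecture, the decision here depends on the subject's own past accesses, so the monitor must keep state, and that state (the `history`) is itself something an attacker would try to reset.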
SLIDE 48: In this lecture …

  • Access matrix model
  • Access control lists versus Capabilities
  • Role Based Access Control
  • File Protection Mechanisms
  • Security Policies
  • Models of Security
  • Exercise
SLIDE 49: Models of Security

A model lets us
  • Test a policy for completeness and consistency
  • Document a policy
  • Help conceptualize and design an implementation
  • Verify that an implementation meets the requirements

SLIDE 50: Lattice

  • A structure of elements with a relation ≤ (and ≥)
    • b ≥ a is equivalent to a ≤ b
  • Properties of ≤ (a partial order)
    • Reflexive: a ≤ a
    • Transitive: a ≤ b and b ≤ c implies a ≤ c
    • Antisymmetric: a ≤ b and b ≤ a implies a = b
  • Not all elements need to be comparable, but
    • Every pair of elements must have a least upper bound (join)
    • Every pair of elements must have a greatest lower bound (meet)
    • Hence a finite lattice has a single upper bound (top) and a single lower bound (bottom)

SLIDE 51: Lattice: Example 1

  • Lattice for the divisors of 10 under "divides": 1 ≤ 2, 1 ≤ 5, 2 ≤ 10, 5 ≤ 10; 2 and 5 are not comparable

Figure: 10 (upper bound) at the top, 2 and 5 side by side in the middle, 1 (lower bound) at the bottom
SLIDE 52: Lattice: Example 2

  • The military security model is a lattice
  • Upper bound is the classification <top secret; all compartments>
  • Lower bound is <unclassified; no compartments>
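Added example (not from the lecture): the <rank; compartments> labels of slides 42-43 with dominance, join and meet, evaluated on the three clearance questions of slide 43, plus a generic check of the lattice property of slide 50 run on the divisors-of-10 example of slide 51 and on the full label lattice of slide 52. Rank names and the Sweden/Denmark compartments are the slides'; the generic `is_lattice` check and the counter-example set {2, 3, 6, 12} are mine.

```python
# Added example: security labels as a lattice; dominance, join, meet and a
# brute-force lattice check. Not from the lecture.
from itertools import combinations
from typing import Callable, FrozenSet, Iterable, List, NamedTuple, Optional, TypeVar

RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]


class Label(NamedTuple):
    rank: str
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """self >= other: rank at least as high and a superset of compartments."""
        return (RANKS.index(self.rank) >= RANKS.index(other.rank)
                and other.compartments <= self.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: higher rank, union of compartments."""
        return Label(max(self.rank, other.rank, key=RANKS.index),
                     self.compartments | other.compartments)

    def meet(self, other: "Label") -> "Label":
        """Greatest lower bound: lower rank, intersection of compartments."""
        return Label(min(self.rank, other.rank, key=RANKS.index),
                     self.compartments & other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Slide 42: s can read o when the clearance of s dominates the classification of o."""
    return subject.dominates(obj)


def slide43_answers() -> List[bool]:
    """The three YES/NO questions of slide 43, in order."""
    obj = Label("secret", frozenset({"Sweden"}))
    clearances = [
        Label("top secret", frozenset({"Sweden"})),
        Label("secret", frozenset({"Sweden", "Denmark"})),
        Label("top secret", frozenset({"Denmark"})),
    ]
    return [can_read(c, obj) for c in clearances]


T = TypeVar("T")


def is_lattice(elements: Iterable[T], leq: Callable[[T, T], bool]) -> bool:
    """Slide 50: every pair needs a least upper bound and a greatest lower bound."""
    elems = list(elements)

    def bound(a: T, b: T, upper: bool) -> Optional[T]:
        if upper:
            cands = [c for c in elems if leq(a, c) and leq(b, c)]
            return next((c for c in cands if all(leq(c, d) for d in cands)), None)
        cands = [c for c in elems if leq(c, a) and leq(c, b)]
        return next((c for c in cands if all(leq(d, c) for d in cands)), None)

    return all(bound(a, b, True) is not None and bound(a, b, False) is not None
               for a, b in combinations(elems, 2))


DIVISORS_OF_10 = [1, 2, 5, 10]


def divides(a: int, b: int) -> bool:
    """a <= b in the slide-51 lattice iff a divides b."""
    return b % a == 0


def all_labels(compartment_names: Iterable[str]) -> List[Label]:
    """Every <rank; compartments> label over the given compartment names."""
    names = list(compartment_names)
    return [Label(r, frozenset(subset))
            for r in RANKS
            for k in range(len(names) + 1)
            for subset in combinations(names, k)]
```

The join is what a system needs when it combines data from two labels (the result must dominate both sources); `is_lattice` is the check that such a join always exists, which is exactly what fails for a set like {2, 3, 6, 12} under divisibility, where 2 and 3 have no common lower bound.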
SLIDE 53: Bell-LaPadula Model

  • Formal description of the allowable paths of information flow in a secure system
  • Describes allowable communication between subjects and objects
  • Formalization of the military security policy

SLIDE 54: Bell-LaPadula: Example

  • Goal: construct systems that perform simultaneous accesses to data with different sensitivity
  • Example: program A has top secret access, B only confidential
    • A should not leak information into confidential data
    • B should not access top secret data

SLIDE 55: Bell-LaPadula Definition

  • Set S of subjects: s ∈ S has clearance C(s)
  • Set O of objects: o ∈ O has classification C(o)
  • Ordered by the dominance relation ≤
  • Simple Security Property: s may read o only if C(o) ≤ C(s)
    • Clearance of s dominates classification of o ("no read up")
  • Star Property (*-Property): a subject s who has read access to o may write to object p only if C(o) ≤ C(p)
    • The contents of o can only be written to objects classified at least that high
    • Prevents write-down

SLIDE 56: Bell-LaPadula Example

Figure: subjects Alice, Bob and Carol with clearances from High to Low on the left; objects O1 to O6 with sensitivities from High to Low on the right; arrows mark the Read and Write accesses the two properties allow. Carol may Write to a given object only if she does not have read access to a higher-level object!
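Added example (not from the lecture): a reference monitor enforcing the two properties exactly as slide 55 states them, including the history-dependent form of the star property that slide 56 illustrates (a write is judged against the objects the subject currently holds open for read). The two-valued High/Low ordering follows slide 56; the particular subjects, objects and their levels, and the access sequence, are constructed for the example.

```python
# Added example: Bell-LaPadula simple-security and star-property checks.
# Not from the lecture; levels, subjects, objects and the scenario are constructed.
from typing import Dict, Set

LEVELS = ["Low", "High"]          # constructed two-level ordering: Low <= High


def dominates(a: str, b: str) -> bool:
    """a >= b in the (here totally ordered) lattice of levels."""
    return LEVELS.index(a) >= LEVELS.index(b)


class Monitor:
    def __init__(self, clearance: Dict[str, str], sensitivity: Dict[str, str]):
        self.C = {**clearance, **sensitivity}      # C(s) for subjects, C(o) for objects
        self.reading: Dict[str, Set[str]] = {}     # s -> objects it holds open for read

    def open_read(self, s: str, o: str) -> bool:
        """Simple security: s may read o only if C(o) <= C(s). Records the open."""
        if not dominates(self.C[s], self.C[o]):
            return False
        self.reading.setdefault(s, set()).add(o)
        return True

    def close(self, s: str, o: str) -> None:
        self.reading.get(s, set()).discard(o)

    def write(self, s: str, p: str) -> bool:
        """Star property: s may write p only if every o it has read access to
        satisfies C(o) <= C(p). A subject reading nothing may write anywhere."""
        return all(dominates(self.C[p], self.C[o]) for o in self.reading.get(s, ()))


def slide56_scenario() -> Dict[str, bool]:
    """Alice and Bob cleared High, Carol Low; O1 High, O2 Low (constructed)."""
    m = Monitor(clearance={"Alice": "High", "Bob": "High", "Carol": "Low"},
                sensitivity={"O1": "High", "O2": "Low"})
    out = {}
    out["carol_reads_O1"] = m.open_read("Carol", "O1")     # read-up: refused
    out["carol_reads_O2"] = m.open_read("Carol", "O2")     # read at own level
    out["carol_writes_O1"] = m.write("Carol", "O1")        # write-up: allowed
    out["alice_reads_O1"] = m.open_read("Alice", "O1")
    out["alice_writes_O2"] = m.write("Alice", "O2")        # write-down while reading O1: refused
    m.close("Alice", "O1")
    out["alice_writes_O2_after_close"] = m.write("Alice", "O2")
    out["bob_reads_O2"] = m.open_read("Bob", "O2")         # read-down: allowed
    return out
```

Two consequences worth noticing: a Low subject may write into a High object it cannot read (a blind write, which BLP permits because confidentiality, not integrity, is the goal), and the same High subject is refused or allowed the same write depending only on what it currently has open, which is why a real monitor must track that state per subject.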