Access Control - Cunsheng Ding, HKUST, Hong Kong, CHINA (PowerPoint PPT Presentation)



SLIDE 1

Access Control

Cunsheng Ding HKUST, Hong Kong, CHINA

  • C. Ding - COMP4631 - L17


SLIDE 2

Agenda of this Lecture

  • The basic concepts of access control,

ACLs, capabilities, etc.

  • Two approaches to access control
  • Further reading
SLIDE 3

An Example

  • I, the owner of the home directory, have total control over all files in all directories and subdirectories.
  • Everyone else can read all files in "Public_html", but should not do other operations on the files in this subdirectory.


Directory tree (figure): cding, with subdirectories Public_html and private.

Question: How do I do the access controls?

SLIDE 4

Access Control

  • Computer security deals with the prevention and detection of unauthorized actions.
  • Computer systems control access to data and shared resources, like memory, printers, etc., primarily for reasons of integrity, not so much for confidentiality.
  • Access control is at the core of computer security.

SLIDE 5

Subjects and Objects

  • Terminology for access control:
    – subject: active entity (user or process)
    – object: passive entity (file or resource)
    – access operation: read, write, ...
  • Subjects and objects provide a different focus of control (first design principle):
    – What is the subject allowed to do? (1st approach)
    – What may be done with an object? (2nd approach)


SLIDE 6

The Two Approaches in Practice

  • Traditionally, multi-user operating systems manage files and resources, i.e. objects. Access control takes the 2nd approach.
  • Application-oriented IT systems, like database management systems, offer services directed to the end user and may well control the actions of subjects. Access control takes the 1st approach.

SLIDE 7

The Fundamental Model of Access Control

Diagram: Subject → access request → security reference monitor → Object. The security reference monitor checks the access control policy and grants or rejects the request.

Real-world examples?

SLIDE 8

Access Operations and Access Rights


SLIDE 9

Access Operations

  • Access operations: no uniform definition. They differ from system to system.
  • Examples: basic memory access, method calls in an object-oriented system.
  • We will look at a few typical sets of access operations. On the most elementary level, a subject may
    – observe an object, or
    – alter an object.
  • Observe and Alter are called access modes.

SLIDE 10

Access Rights

  • Access rights of the Bell-LaPadula access control model. The four Bell-LaPadula access rights:
    – execute
    – read
    – append, also called blind write
    – write
  • Mapping between access rights and access modes:

              execute   read   append   write
    Observe      -        X      -        X
    Alter        -        -      X        X

SLIDE 11

Rationale

  • A user has to open a file to get access. Files can be opened for read access or for write access so that the O/S can avoid potential conflicts.
  • Write access usually includes read access. A user editing a file should not be asked to open it twice. Hence, the write right includes Observe and Alter mode.
  • Few systems actually implement append. Altering an object without observing its content is rarely useful (exception: audit log).
  • A file can be used without being opened (read). Example: use of a cryptographic key. This motivates the execute right, which includes neither Observe nor Alter mode.

SLIDE 12

Unix

  • Access control policies are expressed in terms of three operations:
    – read: read from a file
    – write: write to a file
    – execute: execute a file
  • Applied to a directory, the access operations take this meaning:
    – read: list contents
    – write: create, rename or delete files in the directory
    – execute: search the directory (needed to reach anything inside it)

These operations differ from the Bell-LaPadula model. E.g., Unix write access does not imply read access. Creation and deletion of files are governed by access control on the directory, not on the file itself.
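As an added example (not part of the lecture), the slide-3 policy worked through with an in-memory model of the Unix check just described: owner/group/others bits, the execute (search) bit on every directory along the path, and create/delete decided by the parent directory's write bit rather than the file's own bits. The uids, gids and file names are assumptions made for the example.

```python
from dataclasses import dataclass

# Added example: in-memory model of Unix permission checking applied to the
# slide-3 home directory.  uids, gids and file names are assumptions.


@dataclass
class Inode:
    uid: int         # owner
    gid: int         # group
    mode: int        # permission bits only, e.g. 0o755
    is_dir: bool = False


R, W, X = 4, 2, 1                      # bit values inside one rwx triple
ROOT, CDING, GUEST = 0, 1000, 2000     # assumed uids
WHEEL, STAFF, OTHERS = 0, 100, 200     # assumed gids

# Constructed tree.  Owner has full control, Public_html is world-readable,
# private is closed to everyone else.  Equivalent to:
#   chmod 755 ~ ~/Public_html; chmod 644 ~/Public_html/*; chmod 700 ~/private
FS = {
    "/":                                  Inode(ROOT, WHEEL, 0o755, is_dir=True),
    "/home":                              Inode(ROOT, WHEEL, 0o755, is_dir=True),
    "/home/cding":                        Inode(CDING, STAFF, 0o755, is_dir=True),
    "/home/cding/Public_html":            Inode(CDING, STAFF, 0o755, is_dir=True),
    "/home/cding/Public_html/index.html": Inode(CDING, STAFF, 0o644),
    "/home/cding/Public_html/dropbox":    Inode(CDING, STAFF, 0o200),  # write-only
    "/home/cding/private":                Inode(CDING, STAFF, 0o700, is_dir=True),
    "/home/cding/private/notes.txt":      Inode(CDING, STAFF, 0o600),
}


def _class_bits(node, uid, gids):
    """Pick the owner, group or others triple that applies to this subject.
    Unix uses the first matching class only: the owner is judged by the
    owner bits even if the group or others bits would grant more."""
    if uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in gids:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def _parent_dirs(path):
    """All directories that must be searched to reach path, root first."""
    parts = path.strip("/").split("/")
    dirs, cur = ["/"], ""
    for p in parts[:-1]:
        cur += "/" + p
        dirs.append(cur)
    return dirs


def check(uid, gids, path, op):
    """Decide whether subject (uid, gids) may perform op on path.

    op is one of read, write, exec, create, delete.  Every directory on the
    way needs the execute (search) bit.  create and delete are decided by the
    write bit of the parent directory, never by the file's own bits."""
    gids = set(gids)
    parents = _parent_dirs(path)
    for d in parents:
        if not _class_bits(FS[d], uid, gids) & X:
            return False
    if op in ("create", "delete"):
        return bool(_class_bits(FS[parents[-1]], uid, gids) & W)
    want = {"read": R, "write": W, "exec": X}[op]
    return bool(_class_bits(FS[path], uid, gids) & want)


if __name__ == "__main__":
    html = "/home/cding/Public_html/index.html"
    print("guest reads index.html:  ", check(GUEST, {OTHERS}, html, "read"))    # True
    print("guest deletes index.html:", check(GUEST, {OTHERS}, html, "delete"))  # False
    print("owner reads dropbox:     ",
          check(CDING, {STAFF}, "/home/cding/Public_html/dropbox", "read"))     # False
```

Two things the model makes visible that the three-word operation names hide: a guest with read on index.html still cannot delete it, because deletion is a write on Public_html, which is mode 755; and the write-only dropbox file shows that Unix write really does not imply read, unlike the Bell-LaPadula write right on slide 10.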

SLIDE 13

Windows NT

Access operations in the NTFS (New Technology File System) file system of Windows NT:
    – read
    – write
    – execute
    – delete
    – change permission
    – change ownership

  • We no longer rely on operations on directories to handle deletion of files or change of access rights.
  • Operations for modifying access rights are another ingredient you may want to use when setting security policies.

SLIDE 14

Basic Problems in Access Control

  • Who should be in charge of defining access control policies in your security system?
  • How to express and capture your security policies with a data structure correctly?
  • How to store your access control policies in your security system?
  • How to retrieve security policies?
  • How to make your access control system very efficient?

SLIDE 15

Ownership for Manipulating Access Rights

SLIDE 16

Ownership (1)

  • Security policies specify how subjects are allowed to access objects.
  • Who is in charge of setting the policy?
    – The owner of a resource decrees who is allowed to have access. Such a policy may be called discretionary, as access control is at the owner's discretion.
    – A system-wide policy decrees who is allowed to have access. Such a policy may be called mandatory.

SLIDE 17

Ownership (2)

  • Most operating systems support the concept of ownership of a resource and consider ownership when making access control decisions.
  • Operations for manipulating access rights are grant and revoke.

SLIDE 18

How to Capture and Implement Access Control Policies

  • Access decisions are based on a set of access control policies.
  • What data structure should be used to express the set of policies?
  • How to make an access decision as quickly as possible?

SLIDE 19

Access Control Structures

  • Several options for defining access control:
    – The access control structure should allow you to express the access control policy you want to enforce.
    – You should be able to check that your policy has been captured correctly.
  • Access rights can be defined individually for each combination of subject and object.
  • For large numbers of subjects and objects, such structures are cumbersome to manage. Intermediate levels of control are preferable.

SLIDE 20

Access Control Matrix

  • Notation:
    – S: set of subjects
    – O: set of objects
    – A: set of access operations
  • Access control matrix: M = (M_so), s ∈ S, o ∈ O, with M_so ⊆ A.
  • The entry M_so specifies the operations subject s may perform on object o.

  Example:

                Alice          Bill
    bill.doc    -              {read,write}
    edit.exe    {exec}         {exec}
    fun.com     {exec,read}    {exec,read,write}

SLIDE 21

Access Control Matrix ctd.

  • The access control matrix is
    – an abstract concept
    – not very suitable for direct implementation
    – not very convenient for managing security

SLIDE 22

Capabilities

  • Focus on the subject:
    – access rights are stored with the subject
    – capabilities ≡ rows of the access control matrix
  • Subjects may grant rights to other subjects. Subjects may grant the right to grant rights.
  • Problems:
    – How to check who may access a specific object?
    – How to revoke a capability?
  • Distributed system security has created renewed interest in capabilities.

  Example capability list for Alice: edit.exe: {exec}, fun.com: {exec,read}

SLIDE 23

Access Control with Capabilities in HKUST

Capability list for Cunsheng Ding in HKUST:

    Object          Access?
    Room 001        Yes
    Computer 111    No
    Printer 1234    Yes
    ...             ...
    TV 999          No

SLIDE 24

Access Control Lists (ACLs)

  • Focus on the object:
    – access rights are stored with the object
    – ACLs ≡ columns of the access control matrix
  • Access rights are defined for groups of users.
    – Unix: owner, group, others
  • Problem: How to check the access rights of a specific subject?
  • ACLs are typical for certain secure operating systems.

  Example ACL for fun.com (the fun.com column of the slide-20 matrix): Alice: {exec,read}, Bill: {exec,read,write}
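The following is an added example, not code from the lecture: the slide-20 matrix for Alice and Bill stored as rows (capability lists, slide 22) and as columns (ACLs, slide 24), with the two questions each representation answers cheaply and the one it answers only by scanning everything, plus capability-style grant and revoke. Function names are my own; the data are the page's example.

```python
# Added example: the slide-20 matrix as capability lists and as ACLs.
# Subject -> object -> set of operations.  Missing entries mean no rights.
MATRIX = {
    "Alice": {"edit.exe": {"exec"}, "fun.com": {"exec", "read"}},
    "Bill":  {"bill.doc": {"read", "write"}, "edit.exe": {"exec"},
              "fun.com": {"exec", "read", "write"}},
}
OBJECTS = ["bill.doc", "edit.exe", "fun.com"]


def capabilities(matrix):
    """Rows of the matrix: each subject carries its own (object, rights) list."""
    return {s: {o: set(r) for o, r in row.items() if r}
            for s, row in matrix.items()}


def acls(matrix, objects):
    """Columns of the matrix: each object carries its own (subject, rights) list."""
    out = {o: {} for o in objects}
    for s, row in matrix.items():
        for o, rights in row.items():
            if rights:
                out[o][s] = set(rights)
    return out


def who_can(acl_store, obj, op):
    """'Who may perform op on obj?' is one lookup with ACLs ..."""
    return sorted(s for s, r in acl_store.get(obj, {}).items() if op in r)


def who_can_from_caps(cap_store, obj, op):
    """... but a scan of every subject's capability list (slide 22 problem)."""
    return sorted(s for s, caps in cap_store.items()
                  if op in caps.get(obj, set()))


def what_can(cap_store, subj):
    """'What may subj do?' is one lookup with capabilities ..."""
    return {o: sorted(r) for o, r in cap_store.get(subj, {}).items()}


def what_can_from_acls(acl_store, subj):
    """... but a scan of every object's ACL (slide 24 problem)."""
    found = {}
    for o, entries in acl_store.items():
        if subj in entries:
            found[o] = sorted(entries[subj])
    return found


def grant(cap_store, grantor, grantee, obj, op):
    """Capability-style delegation: a subject may pass on a right it holds.
    Returns False and changes nothing if the grantor lacks the right."""
    if op not in cap_store.get(grantor, {}).get(obj, set()):
        return False
    cap_store.setdefault(grantee, {}).setdefault(obj, set()).add(op)
    return True


def revoke(cap_store, subj, obj, op):
    """Revocation with capabilities means locating the holder's copy.  Easy
    with one central store as here; hard once capabilities have been handed
    out to processes or hosts you do not control."""
    cap_store.get(subj, {}).get(obj, set()).discard(op)


def decide(acl_store, subj, obj, op):
    """Reference monitor (slide 7) over the ACL store: grant iff op is listed."""
    return op in acl_store.get(obj, {}).get(subj, set())


if __name__ == "__main__":
    caps, acl = capabilities(MATRIX), acls(MATRIX, OBJECTS)
    print(who_can(acl, "fun.com", "write"))        # ['Bill']
    print(what_can(caps, "Alice"))                 # {'edit.exe': ['exec'], 'fun.com': ['exec', 'read']}
    print(decide(acl, "Alice", "bill.doc", "read"))  # False
```

The asymmetry is the whole point: both stores hold the same bits, but an audit question ("who can write fun.com?") is a single column read with ACLs and a full scan with capabilities, while a per-subject question is the reverse. Systems that need both answers cheaply keep both structures and then have to keep them consistent on every grant and revoke.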

SLIDE 25

Access Control with ACLs in HKUST

ACL for Color Printer 111111:

    Subject          Access?
    Cunsheng Ding    Yes
    John Wong        No
    Paul Wu          Yes
    ...              ...
    Alice Fu         No

SLIDE 26

How to Make Access Control Efficient?

SLIDE 27

Intermediate Controls - Groups

  • Groups are an intermediate layer between users and objects: rights are granted to a group, and a user gets them by membership.
  • To deal with special cases, negative permissions withdraw rights from an individual user that the user would otherwise inherit from a group.

Diagram: users → groups → objects.

SLIDE 28

Partial orderings

  • A partial ordering ≤ ('less or equal') on a set L is a relation on L (i.e., a subset of L × L) that is
    – reflexive: for all a ∈ L, a ≤ a
    – transitive: for all a, b, c ∈ L, if a ≤ b and b ≤ c, then a ≤ c
    – antisymmetric: for all a, b ∈ L, if a ≤ b and b ≤ a, then a = b
  • An example of a partial ordering is the subset relation ⊆ on a power set P(C).
  • REMARK: A partial order may be used to define an access control policy.

SLIDE 29

Access Control by Abilities: Example

  • An ability is a data structure of the form .i1.i2. ... .in, where i1, ..., in are integers.
  • Examples of abilities: .1.2.3, .4, or .10.0.0.5.
  • Abilities can be ordered through the prefix relation:
    – Ability a2 is a prefix of ability a1 if there exists another ability a3 such that a1 = a2a3. In this case, we write a2 ≤ a1.
  • For example: .1 ≤ .1.2 ≤ .1.2.3, but not .1 ≤ .4!
  • Remark: ≤ is a partial order.

SLIDE 30

Access Control by Abilities: Example (ctd.)

  • With this prefix ordering, an access control policy may be: a subject has access to an object if its ability is a prefix of the ability of the object.
  • The empty string ε is a prefix of any ability, so under this policy a subject without an ability has access to every object.
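As an added example covering slides 28 to 30 (my code, not the lecture's), abilities are represented as integer tuples, the prefix ordering is implemented, the three partial-order axioms are checked by brute force on a finite sample, and the slide-30 policy is applied, including its corner case: the empty ability is a prefix of everything, so a subject whose ability was never set gets access to every object. A `has_access_strict` variant that fails closed on the empty ability is my own hardening and not part of the slide's policy.

```python
from itertools import product

# Added example: abilities as tuples, the prefix partial order, and the
# slide-30 policy with its empty-ability corner case.


def parse_ability(text):
    """'.1.2.3' -> (1, 2, 3).  The empty string is the empty ability ()."""
    return tuple(int(p) for p in text.split(".") if p != "")


def leq(a2, a1):
    """a2 <= a1 in the prefix ordering: a1 = a2 + a3 for some ability a3."""
    return a1[:len(a2)] == a2


def is_partial_order(elements, rel):
    """Brute-force check of reflexivity, antisymmetry and transitivity of rel
    on a finite set.  Evidence on a sample, not a proof for all abilities."""
    elements = list(elements)
    reflexive = all(rel(a, a) for a in elements)
    antisymmetric = all(a == b or not (rel(a, b) and rel(b, a))
                        for a, b in product(elements, repeat=2))
    transitive = all(rel(a, c) or not (rel(a, b) and rel(b, c))
                     for a, b, c in product(elements, repeat=3))
    return reflexive and antisymmetric and transitive


def has_access(subject_ability, object_ability):
    """Slide-30 policy as stated: access iff the subject's ability is a prefix
    of the object's.  The empty ability () therefore opens every object."""
    return leq(subject_ability, object_ability)


def has_access_strict(subject_ability, object_ability):
    """My hardening, not part of the lecture: a subject with no ability gets
    nothing, so an unset attribute fails closed instead of open."""
    return bool(subject_ability) and leq(subject_ability, object_ability)


# Sample from slide 29 plus the empty ability.
SAMPLE = [parse_ability(s) for s in ["", ".1", ".1.2", ".1.2.3", ".4", ".10.0.0.5"]]

if __name__ == "__main__":
    print(is_partial_order(SAMPLE, leq))                    # True
    print(leq(parse_ability(".1"), parse_ability(".4")))    # False
    print(has_access((), parse_ability(".10.0.0.5")))       # True
    print(has_access_strict((), parse_ability(".10.0.0.5")))  # False
```

The checker also rejects a relation that is not a partial order (comparing abilities by length alone is reflexive and transitive but not antisymmetric, since .1 and .4 have the same length), which is the kind of test to run before trusting a home-grown ordering to drive an access decision.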

SLIDE 31

Access Control in UST

This is used to illustrate the access control idea and model of Windows NT security.

SLIDE 32

The Access Token: ID Card

  • Name: Cunsheng Ding
  • ID No. 008672
  • AGroup: Academic staff
  • DGroup: Computer Science
  • SGroup: School of Engineering
  • ATitle: Associate Professor
  • MTitle: None


SLIDE 33

Access Control in UST using ACLs

    Object                    Access Control List (who can access? what are you allowed to do?)
    UST Library               Read: all members; Borrow: academic staff and students
    UST Sport Facility        Badminton: staff and students; Basketball: academic staff and their family members
    CSD color printer         Academic staff, postgraduates
    Any other object in UST   ...
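The check that slides 32 and 33 illustrate, written out as an added example (my code, not the lecture's and not Windows' own): an access token carrying the user's name and group memberships is matched against an ACL whose entries name users or groups, with deny entries implementing the negative permissions of slide 27. Group names, the rights vocabulary and the ACL contents are assumptions made for the example; the printer ACL is built so that the slide-25 answers (Cunsheng Ding: Yes, John Wong: No, Alice Fu: No) come out.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Added example: simplified NT-style token-versus-ACL evaluation with groups
# and negative permissions.  Names, groups and rights are assumptions.


@dataclass(frozen=True)
class Token:
    """Access token (slide 32): the identity plus every group it belongs to."""
    name: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class ACE:
    """One ACL entry: a user or group, a set of rights, allow or deny."""
    trustee: str
    rights: FrozenSet[str]
    allow: bool = True


def effective_rights(token: Token, acl: Iterable[ACE]) -> FrozenSet[str]:
    """Union of the allow entries that match the user or one of its groups,
    minus everything withdrawn by a matching deny entry.  Here a deny wins
    wherever it sits in the list; Windows gets the same effect from its
    in-order walk only when explicit denies are placed before allows."""
    principals = {token.name} | set(token.groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def access_check(token: Token, acl: Iterable[ACE], requested: Iterable[str]) -> bool:
    """Reference monitor decision: every requested right must be effective."""
    return set(requested) <= effective_rights(token, acl)


# Constructed objects following slide 33.
LIBRARY: List[ACE] = [
    ACE("all_members", frozenset({"read"})),
    ACE("academic_staff", frozenset({"borrow"})),
    ACE("students", frozenset({"borrow"})),
]
COLOR_PRINTER: List[ACE] = [
    ACE("academic_staff", frozenset({"print"})),
    ACE("postgraduates", frozenset({"print"})),
    # special case (slide 27): this postgraduate has had printing withdrawn
    ACE("John Wong", frozenset({"print"}), allow=False),
]

# Constructed tokens; the slide-32 card gives Cunsheng Ding's groups.
CDING = Token("Cunsheng Ding", frozenset(
    {"all_members", "academic_staff", "computer_science", "school_of_engineering"}))
JOHN = Token("John Wong", frozenset({"all_members", "students", "postgraduates"}))
ALICE_FU = Token("Alice Fu", frozenset({"all_members", "students"}))

if __name__ == "__main__":
    print(sorted(effective_rights(CDING, LIBRARY)))          # ['borrow', 'read']
    print(access_check(CDING, COLOR_PRINTER, {"print"}))     # True
    print(access_check(JOHN, COLOR_PRINTER, {"print"}))      # False (denied by name)
    print(access_check(ALICE_FU, COLOR_PRINTER, {"print"}))  # False (no matching entry)
```

The two "No" answers arise for different reasons, and an administrator debugging a complaint needs to tell them apart: Alice Fu matches no entry at all (default deny), while John Wong matches an allow through his group and is then overridden by an explicit negative permission.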

SLIDE 34

Access Control on Personal Information at HKUST

  • Question: The Personnel Office of HKUST holds personal data on each (teaching and administrative) staff member, which contains salary information. What kind of access control policy would you suggest for UST?

SLIDE 35

Further reading

  • Denning, D.E., "Cryptography and Data Security", Addison-Wesley, 1982
  • Lampson, B., "Protection", ACM Operating Systems Review, vol. 8, no. 1, 1974