Presentation is loading. Please wait.

Presentation is loading. Please wait.

INSTITUTE FOR CYBER SECURITY 1 Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University of Texas at.

Similar presentations


Presentation on theme: "INSTITUTE FOR CYBER SECURITY 1 Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University of Texas at."— Presentation transcript:

1 INSTITUTE FOR CYBER SECURITY 1 Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University of Texas at San Antonio May 2009 ravi.sandhu@utsa.edu www.profsandhu.com © Ravi Sandhu

2 INSTITUTE FOR CYBER SECURITY Outline Discretionary Access Control (DAC) Mandatory Access Control (MAC) Equivalently Lattice-Based Access Control (LBAC) Role-Based Access Control (RBAC) Usage Control (UCON) © Ravi Sandhu2

3 INSTITUTE FOR CYBER SECURITY ACCESS MATRIX MODEL U r w own V F SubjectsSubjects Objects (and Subjects) r w own G r rights © Ravi Sandhu3

4 INSTITUTE FOR CYBER SECURITY ACCESS CONTROL LISTS (ACLs) F U:r U:w U:own G U:r V:r V:w V:own each column of the access matrix is stored with the object corresponding to that column © Ravi Sandhu4

5 INSTITUTE FOR CYBER SECURITY CAPABILITY LISTS each row of the access matrix is stored with the subject corresponding to that row UF/r, F/w, F/own, G/r VG/r, G/w, G/own © Ravi Sandhu5

6 INSTITUTE FOR CYBER SECURITY ACCESS CONTROL TRIPLES SubjectAccessObject UrF UwF UownF UrG VrG VwG VownG commonly used in relational database management systems © Ravi Sandhu6

7 INSTITUTE FOR CYBER SECURITY TROJAN HORSE EXAMPLE File F A:r A:w File G B:r A:w B cannot read file F ACL © Ravi Sandhu7

8 INSTITUTE FOR CYBER SECURITY TROJAN HORSE EXAMPLE File F A:r A:w File G B:r A:w B can read contents of file F copied to file G ACL A Program Goodies Trojan Horse executes read write © Ravi Sandhu8

9 INSTITUTE FOR CYBER SECURITY DAC Summary Traditional DAC does not prevent copies from being made and there is no control over copies Modern approaches to information sharing and trusted computing seek to maintain control over copies (for example, our talk on Friday) Traditional DAC is weak with respect to confidentiality but may have value with respect to integrity © Ravi Sandhu9

10 INSTITUTE FOR CYBER SECURITY LATTICE STRUCTURES Unclassified Confidential Secret Top Secret can-flow dominance © Ravi Sandhu10

11 INSTITUTE FOR CYBER SECURITY BELL LAPADULA (BLP) MODEL SIMPLE-SECURITY Subject S can read object O only if label(S) dominates label(O) STAR-PROPERTY (LIBERAL) Subject S can write object O only if label(O) dominates label(S) STAR-PROPERTY (STRICT) Subject S can write object O only if label(O) equals label(S) © Ravi Sandhu11

12 INSTITUTE FOR CYBER SECURITY LATTICE STRUCTURES {ARMY, CRYPTO} Compartments and Categories {ARMY } {CRYPTO} {} © Ravi Sandhu12

13 INSTITUTE FOR CYBER SECURITY LATTICE STRUCTURES Hierarchical Classes with Compartments TS S {A,B} {} {A} {B} product of 2 lattices is a lattice © Ravi Sandhu13

14 INSTITUTE FOR CYBER SECURITY LATTICE STRUCTURES Hierarchical Classes with Compartments S, {A,B} {} {A}{B} S, TS, {A,B} {} {A} {B} TS, © Ravi Sandhu14

15 INSTITUTE FOR CYBER SECURITY SMITH'S LATTICE TS-W S-W TS S C U S-L S-LW S-A TS-X TS-L TS-K TS-Y TS-QTS-Z TS-X TS-KL TS-KLX TS-KY TS-KQZ TS-AKLQWXYZ © Ravi Sandhu15

16 INSTITUTE FOR CYBER SECURITY EQUIVALENCE OF BLP AND BIBA HI (High Integrity) LI (Low Integrity) BIBA LATTICE EQUIVALENT BLP LATTICE LI (Low Integrity) HI (High Integrity) © Ravi Sandhu16

17 INSTITUTE FOR CYBER SECURITY EQUIVALENCE OF BLP AND BIBA HS (High Secrecy) LS (Low Secrecy) BLP LATTICE EQUIVALENT BIBA LATTICE LS (Low Secrecy) HS (High Secrecy) © Ravi Sandhu17

18 INSTITUTE FOR CYBER SECURITY COMBINATION OF DISTINCT LATTICES HS LS HI LI GIVEN BLP BIBA HS, LI HS, HI LS, LI LS, HI EQUIVALENT BLP LATTICE © Ravi Sandhu18

19 INSTITUTE FOR CYBER SECURITY LIPNER'S LATTICE S:Repair S:Production Users O:Production Data S:Application Programmers O:Development Code and Data S:System Programmers O:System Code in Development O:Repair Code O:System Programs O:Production Code O:Tools S:System Managers O:Audit Trail S:System Control LEGEND S:Subjects O:Objects LEGEND S:Subjects O:Objects © Ravi Sandhu19

20 INSTITUTE FOR CYBER SECURITY CHINESE WALL EXAMPLE BANKS OIL COMPANIES A B XY © Ravi Sandhu20

21 INSTITUTE FOR CYBER SECURITY CHINESE WALL LATTICE A, - B, - -, X-, Y A, X A, Y B, XB, Y SYSHIGH SYSLOW © Ravi Sandhu21

22 INSTITUTE FOR CYBER SECURITY COVERT CHANNELS Low User High Trojan Horse Infected Subject High User Low Trojan Horse Infected Subject COVERT CHANNEL Information is leaked unknown to the high user © Ravi Sandhu22

23 INSTITUTE FOR CYBER SECURITY MAC/LBAC Summary LBAC fails to control covert channels LBAC fails to control inference and aggregation It is too rigid for most commercial applications It has strong mathematical foundations © Ravi Sandhu23

24 INSTITUTE FOR CYBER SECURITY RBAC: Role-Based Access Control Access is determined by roles A users roles are assigned by security administrators A roles permissions are assigned by security administrators First emerged: mid 1970s First models: mid 1990s Is RBAC MAC or DAC or neither? © Ravi Sandhu24

25 INSTITUTE FOR CYBER SECURITY Fundamental Theorem of RBAC RBAC can be configured to do MAC RBAC can be configured to do DAC RBAC is policy neutral RBAC is neither MAC nor DAC! © Ravi Sandhu25

26 INSTITUTE FOR CYBER SECURITY RBAC96 Model ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS PERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS © Ravi Sandhu26

27 INSTITUTE FOR CYBER SECURITY Example Role Hierarchy Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) Employee (E) Inheritance hierarchy © Ravi Sandhu27

28 INSTITUTE FOR CYBER SECURITY Example Role Hierarchy Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) Employee (E) Inheritance and activation hierarchy © Ravi Sandhu28

29 INSTITUTE FOR CYBER SECURITY NIST/ANSI RBAC Standard Model 2004 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS PERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS Permission-role review is advanced requirement Limited to separation of duties Overall formal model is more complete © Ravi Sandhu29

30 INSTITUTE FOR CYBER SECURITY The RBAC Story © Ravi Sandhu30 RBAC96 paper Proposed Standard Adopted

31 INSTITUTE FOR CYBER SECURITY Founding Principles of RBAC96 Abstraction of Privileges Credit is different from Debit even though both require read and write Separation of Administrative Functions Separation of user-role assignment from role- permission assignment Least Privilege Right-size the roles Dont activate all roles all the time Separation of Duty Static separation: purchasing manager versus accounts payable manager Dynamic separation: cash-register clerk versus cash-register manager © Ravi Sandhu31

32 INSTITUTE FOR CYBER SECURITY ASCAA Principles for Future RBAC Abstraction of Privileges Credit vs debit Personalized permissions Separation of Administrative Functions Containment Least Privilege Separation of Duties Usage Limits Automation Revocation Assignment: (i) Self-assignment, (ii) Attribute-based Context and environment adjustment Accountability Re-authentication/Escalated authentication Click-through obligations Notification and alerts © Ravi Sandhu32

33 INSTITUTE FOR CYBER SECURITY Access Control Models Discretionary Access Control (DAC) Owner controls access but only to the original, not to copies Mandatory Access Control (MAC) Access based on security labels Labels propagate to copies Role-Based Access Control (RBAC) Access based on roles Can be configured to do DAC or MAC Attribute-Based Access Control (ABAC) Access based on attributes, to possibly include roles, security labels and whatever © Ravi Sandhu33

34 INSTITUTE FOR CYBER SECURITY Security Objectives 34 INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure USAGE purpose USAGE © Ravi Sandhu

35 INSTITUTE FOR CYBER SECURITY Usage Control Scope © Ravi Sandhu35 Security Objectives Security Architectures

36 INSTITUTE FOR CYBER SECURITY Usage Control Model (UCON) © Ravi Sandhu36 unified model integrating authorization obligation conditions and incorporating continuity of decisions mutability of attributes

37 INSTITUTE FOR CYBER SECURITY Conclusion Discretionary Access Control (DAC) Mandatory Access Control (MAC) Equivalently Lattice-Based Access Control (LBAC) Role-Based Access Control (RBAC) Usage Control (UCON) © Ravi Sandhu37 Models are all important A Policy Language is not a substitute for a good model


Download ppt "INSTITUTE FOR CYBER SECURITY 1 Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University of Texas at."

Similar presentations


Ads by Google