Presentation is loading. Please wait.

Presentation is loading. Please wait.

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 14, 2003 Introduction to Computer Security Lecture.

Published bySabina McDonald Modified over 8 years ago

Similar presentations

Presentation on theme: "Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 14, 2003 Introduction to Computer Security Lecture."— Presentation transcript:

1 Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 14, 2003 Introduction to Computer Security Lecture 6 RBAC, Policy Composition Design Principles

2 INFSCI 2935: Introduction to Computer Security2 Permissions RBAC (NIST Standard) UsersRolesOperationsObjects Sessions UA user_sessions (one-to-many) role_sessions (many-to-many) PA An important difference from classical models is that Subject in other models corresponds to a Session in RBAC

3 INFSCI 2935: Introduction to Computer Security3 Core RBAC (relations) Permissions = 2 Operations x Objects Permissions = 2 Operations x Objects UA ⊆ Users x Roles UA ⊆ Users x Roles PA ⊆ Permissions x Roles PA ⊆ Permissions x Roles assigned_users: Roles  2 Users assigned_users: Roles  2 Users assigned_permissions: Roles  2 Permissions assigned_permissions: Roles  2 Permissions Op(p): set of operations associated with permission p Op(p): set of operations associated with permission p Ob(p): set of objects associated with permission p Ob(p): set of objects associated with permission p user_sessions: Users  2 Sessions user_sessions: Users  2 Sessions session_user: Sessions  Users session_user: Sessions  Users session_roles: Sessions  2 Roles session_roles: Sessions  2 Roles  session_roles(s) = {r | (session_user(s), r)  UA)} avail_session_perms: Sessions  2 Permissions avail_session_perms: Sessions  2 Permissions

4 INFSCI 2935: Introduction to Computer Security4 Permissions RBAC with General Role Hierarchy UsersRolesOperationsObjects Sessions UA user_sessions (one-to-many) role_sessions (many-to-many) PA RH (role hierarchy)

5 INFSCI 2935: Introduction to Computer Security5 RBAC with General Role Hierarchy  2 Users authorized_users: Roles  2 Users  authorized_users(r) = {u | r’ ≥ r &(r’, u)  UA)  2 Permissions authorized_permissions: Roles  2 Permissions authorized_users(r) = {p | r’ ≥ r &(p, r’)  PA) ⊆ Roles x Roles RH ⊆ Roles x Roles is a partial order  called the inheritance relation  written as ≥. (r 1 ≥ r 2 )  authorized_users(r 1 ) ⊆ authorized_users(r 2 ) & authorized_permisssions(r 2 ) ⊆ authorized_permisssions(r 1 )

6 INFSCI 2935: Introduction to Computer Security6 Example authorized_users(Employee)? authorized_users(Administrator)? authorized_permissions(Employee)? authorized_permissions(Administrator)? p x, p y p 1, p 2 p a, p b p x, p y e 1, e 2 p x, p y e 3, e 4 p x, p y e5e5 e 6, e 7 p x, p y e 8, e 9 p x, p y e 10 p m, p n popo p

7 INFSCI 2935: Introduction to Computer Security7 Constrained RBAC Permissions UsersRolesOperationsObjects Sessions UA user_sessions (one-to-many) PA RH (role hierarchy) Static Separation of Duty Dynamic Separation of Duty

8 INFSCI 2935: Introduction to Computer Security8 Static Separation of Duty SSD ⊆ 2 Roles x N SSD ⊆ 2 Roles x N In absence of hierarchy In absence of hierarchy  Collection of pairs (RS, n) where RS is a role set, n ≥ 2; for all (RS, n)  SSD, for all t ⊆ RS: |t| ≥ n  ∩ r  t assigned_users(r)=  In presence of hierarchy In presence of hierarchy  Collection of pairs (RS, n) where RS is a role set, n ≥ 2; for all (RS, n)  SSD, for all t ⊆ RS: |t| ≥ n  ∩ r  t authorized_uers(r)= 

9 INFSCI 2935: Introduction to Computer Security9 Dynamic Separation of Duty DSD ⊆ 2 Roles x N DSD ⊆ 2 Roles x N  Collection of pairs (RS, n) where RS is a role set, n ≥ 2;  A user cannot activate n or more roles from RS  What if both SSD and DSD contains (RS, n)? Consider (RS, n) = ({r 1, r 2, r 3 }, 2)? If SSD – can r 1, r 2 and r 3 be assigned to u? If DSD – can r 1, r 2 and r 3 be assigned to u?

10 INFSCI 2935: Introduction to Computer Security10 MAC using RBAC L M1 H M2 LR M1R HR M2R H M1W LW M2W Read Roles (same lattice) Write Roles (inverse lattice) Transformation rules R = {L 1 R, L 2 R,…, L n R, L 1 W, L 2 W,…, L n W} Two separate hierarchies for {L 1 R, L 2 R,…, L n R} and { L 1 W, L 2 W,…, L n W} Each user is assigned to exactly two roles: xR and LW Each session has exactly two roles yR and yW Permission (o, r) is assigned to xR iff (o, w) is assigned to xW) Transformation rules R = {L 1 R, L 2 R,…, L n R, L 1 W, L 2 W,…, L n W} Two separate hierarchies for {L 1 R, L 2 R,…, L n R} and { L 1 W, L 2 W,…, L n W} Each user is assigned to exactly two roles: xR and LW Each session has exactly two roles yR and yW Permission (o, r) is assigned to xR iff (o, w) is assigned to xW) BLP

11 INFSCI 2935: Introduction to Computer Security11 RBAC’s Benefits

12 INFSCI 2935: Introduction to Computer Security12 Cost Benefits Saves about 7.01 minutes per employee, per year in administrative functions  Average IT amin salary - $59.27 per hour  The annual cost saving is: $6,924/1000; $692,471/100,000 Reduced Employee downtime  if new transitioning employees receive their system privileges faster, their productivity is increased  26.4 hours for non-RBAC; 14.7 hours for RBAC  For average employee wage of $39.29/hour, the annual productivity cost savings yielded by an RBAC system: $75000/1000; $7.4M/100,000

13 INFSCI 2935: Introduction to Computer Security13 Time-based Access Control Requirement Organizational functions and services with temporal requirements Organizational functions and services with temporal requirements  A part-time staff is authorized to work only between 9am-2pm on weekdays  A day doctor must be able to perform his/her duties between 8am-8pm  An external auditor needs access to organizational financial data for a period of three months  A video library allows access to a subscriber to view at most three movies every week  In an insurance company, an agent needs access to patient history until a claim has been settled

14 INFSCI 2935: Introduction to Computer Security14 Generalized Temporal RBAC Triggers and Events Triggers and Events Temporal constraints Temporal constraints  Roles, user-role and role-permission assignment constraints  Activation constraints (cardinality, active duration,..) Temporal role hierarchy Temporal role hierarchy Time-based Separation of duty constraints Time-based Separation of duty constraints

15 INFSCI 2935: Introduction to Computer Security15 States of a Role in GTRBAC Enabled Active Disabled

16 INFSCI 2935: Introduction to Computer Security16 Event and Trigger Simple events Simple events  enable r disable r  assign U r to u deassign U r to u  assign P p to r deassign P p to r  activate r for u deactivate r for u Prioritized event pr:E, where pr  Prios Prioritized event pr:E, where pr  Prios Status Status  Role, assignment status – e.g.. enabled( r ); p_assigned( p, r ) Triggers: E 1,…, E n, C 1,…, C k  pr:E after ∆ t, where E i are events, C i are status expressions Triggers: E 1,…, E n, C 1,…, C k  pr:E after ∆ t, where E i are events, C i are status expressionsExample: enable DayDoctor  enable DoctorInTraining after 1 hour User/administrator run-time request: pr:E after ∆ t User/administrator run-time request: pr:E after ∆ t

17 INFSCI 2935: Introduction to Computer Security17 Temporal Constraints: Roles, User-role and Role-permission Assignments Periodic time Periodic time  (I, P) :  [ begin, end ], P  is a set of intervals  P is an infinite set of recurring intervals Calendars: Calendars:  Hours, Days, Weeks, Months, Years Examples Examples all.Weeks + {2, …, 6}.Days + 10.Hours ⊲ 12.hours - Daytime (9am to 9pm) of working days all.Weeks + {2, …, 6}.Days - Working days

18 INFSCI 2935: Introduction to Computer Security18 Temporal Constraints: Roles, User-role and Role-permission Assignments Periodicity: (I, P, pr:E) Periodicity: (I, P, pr:E)  ([1/1/2001,  ], Daytime, enable DayDoctor)  ([1/1/2000,  ], {Mon,Wed}, assign U DayDoctor to Smith) Duration constraint: (D, pr:E) Duration constraint: (D, pr:E)  (Five hours, enable DoctorInTraining)  activate DayDoctor for Smith  enable DoctorInTraining after 1 hour Cardinality constraint: ([I, P], N, assign U r ) Cardinality constraint: ([I, P], N, assign U r )  ([1/1/2000,  ], {Mon, Wed}, 5, assign U DayDoctor)

19 INFSCI 2935: Introduction to Computer Security19 Activation Time Constraints Active role duration Active role duration  Total duration for role activation 1.Per role: D active, [D default ], active R_total r 2.Per user role:D uactive, u, active UR_total r  Max active role duration per activation C 1.Per role: D max, active R_max r 2.Per user role: D umax, u, active UR_max r Cardinality Cardinality  Total number of role activations 1.Per role:N active, [N default ], active R_n r 2.Per user role:N uactive, u, active UR_n r  Max number of concurrent activations C 1.Per role: N max, [N default ], active R_con r 2.Per user role:N umax, u, active UR_con r

20 INFSCI 2935: Introduction to Computer Security20 Example of Activation Time Constraint Video library offers 600 hours of total time per week Video library offers 600 hours of total time per week A, B and C subscribe for 100 hours each A, B and C subscribe for 100 hours each D subscribes for 250 hours D subscribes for 250 hours E subscribes for 50 hours E subscribes for 50 hours B D E (Weekly, 300, 100, active R_total MV1) (Weekly, 250, active R_total MV2) (Weekly, 50, active R_total MV3) C A MV3 MV2 MV1 Video Database

21 INFSCI 2935: Introduction to Computer Security21 Role Hierarchy in GTRBAC GTRABC-based temporal role hierarchies allow GTRABC-based temporal role hierarchies allow  Separation of permission inheritance and role activation semantics that facilitate management of access control  Capturing the effect of the presence of temporal constraints on hierarchically related roles and therefore allowing fine-grained access control

22 INFSCI 2935: Introduction to Computer Security22 Types of Role Hierarchy Permission-Inheritance hierarchy (I-hierarchy) Permission-Inheritance hierarchy (I-hierarchy)  Senior inherits juniors’ permission  User assigned to senior cannot activate juniors Role-Activation hierarchy (A-hierarchy) Role-Activation hierarchy (A-hierarchy)  Senior does not inherit juniors’ permissions  User assigned to senior can activate juniors  Advantage: SOD constraints can be defined hierarchically related roles General Inheritance hierarchy (IA-hierarchy) General Inheritance hierarchy (IA-hierarchy)  Senior inherits juniors’ permission  User assigned to senior can activate juniors

23 INFSCI 2935: Introduction to Computer Security23 Types of Role Hierarchy Programmer (a) IA Hierarchy(c) I Hierarchy Software Engineer Software Engineer Combination of roles that can be activated by u : { (Software Engineer)} Combination of roles that can be activated by u {(Software Engineer), (Software Engineer, Programmer), (Programmer) } u assigned to Programmer Software Engineer (b) A Hierarchy u assigned to

24 INFSCI 2935: Introduction to Computer Security24 Weakly Restricted and Strongly Restricted Temporal Role Hierarchies I-hierarchy: (assume x is senior of y ) I-hierarchy: (assume x is senior of y )  Weakly restricted hierarchy x inherits y ’s permissions y need not be enabled  Strongly restricted hierarchy x inherits y ’s permissions only when both x and y enabled A-hierarchy: (assume x is senior of y and u is assigned to x ) A-hierarchy: (assume x is senior of y and u is assigned to x )  Weakly restricted hierarchy u can activate y x need not be enabled  Strongly restricted hierarchy u can activate y only when both x and y are enabled IA-hierarchy: x and y are related by both I-hierarchy and A-hierarchy IA-hierarchy: x and y are related by both I-hierarchy and A-hierarchy

25 INFSCI 2935: Introduction to Computer Security25 Temporal Role Hierarchy Example DayDoctor (9am-9pm) NightDoctor (9pm-9am) PartTimeDoctor {(3pm-6pm), (7am-10am)} IsIs IsIs 9am9pm9am9pm NightDoctorDayDoctor 7am10am PartTimeDoctor

26 Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security26 Policy Composition

27 INFSCI 2935: Introduction to Computer Security27 Problem: Consistent Policies Policies defined by different organizations Policies defined by different organizations  Different needs  But sometimes subjects/objects overlap Can all policies be met? Can all policies be met?  Different categories Build lattice combining them  Different security levels Need to be levels – thus must be able to order  What if different DAC and MAC policies need to be integrated?

28 INFSCI 2935: Introduction to Computer Security28 Multidomain Environments Heterogeneity exists at several levels Heterogeneity exists at several levels -Availability -Bibaintegrity model -Multilevel etc. -UN -Federal -Local -EC etc. -MLS DBMS -MLS OS etc. Security goals Constituent organizational units Constituent systems

29 INFSCI 2935: Introduction to Computer Security29 Multidomain Challenges Key challenges Semantic heterogeneity Semantic heterogeneity Secure interoperation Secure interoperation Assurance and risk propagation Assurance and risk propagation Security Management Security Management

30 INFSCI 2935: Introduction to Computer Security30 Semantic heterogeneity Different systems use different security policies Different systems use different security policies  e.g., Chinese wall, BLP policies etc. Variations of the same policies Variations of the same policies  e.g., BLP model and its variations Naming conflict on security attributes Naming conflict on security attributes  Similar roles with different names  Similar permission sets with different role names Structural conflict Structural conflict  different multilevel lattices / role hierarchies Different Commercial-Off-The-Self (COTS) products Different Commercial-Off-The-Self (COTS) products

31 INFSCI 2935: Introduction to Computer Security31 Secure Interoperability Principles of secure interoperation [Gong, 96] Principles of secure interoperation [Gong, 96] Principle of autonomy If an access is permitted within an individual system, it must also be permitted under secure interoperation Principle of security If an access is not permitted within an individual system, it must not be permitted under secure interoperation Interoperation of secure systems can create new security breaches Interoperation of secure systems can create new security breaches

32 INFSCI 2935: Introduction to Computer Security32 a b c a b Secure Interoperability (Example) X Y Z A BC D X Y Z A BC D d F 12 = {a, b} F 12 = {a, b, c, d} 1 122 (1) F 12 = {a, b, d} Direct access (2) F 12 = {c} Indirect access F 12 - permitted access between systems 1 and 2

33 INFSCI 2935: Introduction to Computer Security33 Assurance and Risk Propagation & Security Management Assurance and Risk propagation Assurance and Risk propagation  A breach in one component affects the whole environment  Cascading problem Management Management  Centralized/Decentralized  Managing metapolicy  Managing policy evolution

34 Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security34 Design Principles

35 INFSCI 2935: Introduction to Computer Security35 Design Principles for Security Mechanisms Principles Principles  Least Privilege  Fail-Safe Defaults  Economy of Mechanism  Complete Mediation  Open Design  Separation of Privilege  Least Common Mechanism  Psychological Acceptability Based on the idea of simplicity and restriction Based on the idea of simplicity and restriction

36 INFSCI 2935: Introduction to Computer Security36 Overview Simplicity Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction Restriction  Minimize access power (need to know)  Inhibit communication

37 INFSCI 2935: Introduction to Computer Security37 Least Privilege A subject should be given only those privileges necessary to complete its task A subject should be given only those privileges necessary to complete its task  Function, not identity, controls RBAC!  Rights added as needed, discarded after use Active sessions and dynamic separation of duty  Minimal protection domain A subject should not have a right if the task does not need it

38 INFSCI 2935: Introduction to Computer Security38 Fail-Safe Defaults Default action is to deny access Default action is to deny access If action fails, system as secure as when action began If action fails, system as secure as when action began  Undo changes if actions do not complete  Transactions (commit)

39 INFSCI 2935: Introduction to Computer Security39 Economy of Mechanism Keep the design and implementation as simple as possible Keep the design and implementation as simple as possible  KISS Principle (Keep It Simple, Silly!) Simpler means less can go wrong Simpler means less can go wrong  And when errors occur, they are easier to understand and fix Interfaces and interactions Interfaces and interactions

40 INFSCI 2935: Introduction to Computer Security40 Complete Mediation Check every access to an object to ensure that access is allowed Check every access to an object to ensure that access is allowed Usually done once, on first action Usually done once, on first action  UNIX: Access checked on open, not checked thereafter If permissions change after, may get unauthorized access If permissions change after, may get unauthorized access

41 INFSCI 2935: Introduction to Computer Security41 Open Design Security should not depend on secrecy of design or implementation Security should not depend on secrecy of design or implementation  Popularly misunderstood to mean that source code should be public  “Security through obscurity”  Does not apply to information such as passwords or cryptographic keys

42 INFSCI 2935: Introduction to Computer Security42 Separation of Privilege Require multiple conditions to grant privilege Require multiple conditions to grant privilege  Example: Checks of $70000 must be signed by two people  Separation of duty  Defense in depth Multiple levels of protection

43 INFSCI 2935: Introduction to Computer Security43 Least Common Mechanism Mechanisms should not be shared Mechanisms should not be shared  Information can flow along shared channels  Covert channels Isolation Isolation  Virtual machines  Sandboxes

44 INFSCI 2935: Introduction to Computer Security44 Psychological Acceptability Security mechanisms should not add to difficulty of accessing resource Security mechanisms should not add to difficulty of accessing resource  Hide complexity introduced by security mechanisms  Ease of installation, configuration, use  Human factors critical here

Download ppt "Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 14, 2003 Introduction to Computer Security Lecture."

Similar presentations

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
Operating System Security

Operating System Security
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Access Control RBAC Database Activity Monitoring.

Access Control RBAC Database Activity Monitoring.
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.

RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Access Control Discretionary Access Control Lecture 4 1.

Access Control Discretionary Access Control Lecture 4 1.
Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies (2000) Author: Sylvia Osborn, Ravi Sandhu,Qamar Munawer.

Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies (2000) Author: Sylvia Osborn, Ravi Sandhu,Qamar Munawer.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Information Security Principles & Applications Topic 6: Security Policy Models 虞慧群

Information Security Principles & Applications Topic 6: Security Policy Models 虞慧群
Security Leadership Essentials – Defense-in-Depth – © 2006 SANS Role-Based Access Control (RBAC) Approach for Defense-in-Depth Peter Leight and Richard.

Security Leadership Essentials – Defense-in-Depth – © 2006 SANS Role-Based Access Control (RBAC) Approach for Defense-in-Depth Peter Leight and Richard.
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.

1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.

April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
Software Connectors. Attach adapter to A Maintain multiple versions of A or B Make B multilingual Role and Challenge of Software Connectors Change A’s.

Software Connectors. Attach adapter to A Maintain multiple versions of A or B Make B multilingual Role and Challenge of Software Connectors Change A’s.
Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.

Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏

(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

Similar presentations

Ads by Google