Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control: Policies and Mechanisms Vinod Ganapathy.

Published byAshlyn Davis Modified over 8 years ago

Similar presentations

Presentation on theme: "Access Control: Policies and Mechanisms Vinod Ganapathy."— Presentation transcript:

1 Access Control: Policies and Mechanisms Vinod Ganapathy

2 Access Control “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner“ central element of computer security assume have users and groups –authenticate to system –assigned access rights to certain resources on system

3 Access Control Policy: Decides which subject can perform what operations on which object Mechanism: Set of techniques used to enforce the policy

4 Access Control Principles

5 Access Control Elements Subject - entity that can access objects –a process representing user/application –often have 3 classes: owner, group, world Object - access controlled resource –e.g. files, directories, records, programs etc –number/type depend on environment Access right - way in which subject accesses an object –e.g. read, write, execute, delete, create, search

6 Access Control: Overview Protection state of system –Describes current settings, values of system relevant to protection Access control matrix –Describes protection state precisely –Matrix describing rights of subjects –State transitions change elements of matrix

7 14.7 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8th Edition Access Control Matrix

8 Primitive Operations create subject s; create object o –Creates new row, column in ACM; creates new column in ACM destroy subject s; destroy object o –Deletes row, column from ACM; deletes column from ACM enter r into A[s, o] –Adds r rights for subject s over object o delete r from A[s, o] –Removes r rights from subject s over object o

9 Creating File Process p creates file f with r and w permission command createfile(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end

10 Conditional Commands Let p give q r rights over f, if p owns f command grantreadfile1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end

11 Access control structures Access matrix is often sparse Can decompose by either row or column Two implementations, depending on how you decompose: –Access Control Lists –Capabilities

12 12 Computer Science, RutgersCS 416: Operating System Design Storing the Access Control Matrix Access Control List (ACL): associate with each object a list of all the protection domains that may access the object and how In Unix, an ACL defines three protection domains: owner, group and others Capability List (C-list): associate with each process a list of objects that may be accessed along with the operations C-list implementation issues: where/how to store them (hardware, kernel, encrypted in user space) and how to revoke them

13 Access Control Structures

14 14 Computer Science, RutgersCS 416: Operating System Design In practice... Most systems use a combination of access control lists and capabilities. Example: In Unix, an access list is checked when first opening a file. After that, system relies on kernel information (per-process file table) that is established during the open call. This obviates the need for further protection checks.

15 UNIX File Concepts UNIX files administered using inodes –control structure with key info on file attributes, permissions of a single file –may have several names for same inode –have inode table / list for all files on a disk copied to memory when disk mounted directories form a hierarchical tree –may contain files or other directories –are a file of names and inode numbers

16 UNIX File Access Control

17 “set user ID”(SetUID) or “set group ID”(SetGID) –system temporarily uses rights of the file owner / group in addition to the real user’s rights when making access control decisions –enables privileged programs to access files / resources not generally accessible

18 UNIX Access Control Lists modern UNIX systems support ACLs can specify any number of additional users / groups and associated rwx permissions ACLs are optional extensions to std perms group perms also set max ACL perms when access is required –select most appropriate ACL owner, named users, owning / named groups, others –check if have sufficient permissions for access

19 Role-based Access Control Access control matrix so far specified using subjects But what if want to specify access using the role of the subject rather than its identity? For example, any person in doctor role should have access to patient records. Not just a specific doctor. And access should be denied to the doctor when he/she is off-duty (i.e., not in that role)

20 Role- Based Access Control

21 Discretionary Access Control (DAC) In most UNIX implementations, file access control is discretionary –Each file has an owner –Owner decides the access rights on the file and can revoke access by changing permissions

22 Discretionary Access Control (DAC) DAC seems to work for most simple settings, but it has some serious drawbacks. Alternative: Mandatory access control (MAC)

23 Mandatory Access Control (MAC) In MAC, a system-wide access policy is specified by a system administrator. Enforced by the OS on all users of the system. –Even owners of resources cannot override Allows enforcement of powerful policies

24 What is the goal of an access control policy? Policy partitions system states into: –Authorized (secure) These are states the system can enter –Unauthorized (nonsecure) If the system enters any of these states, it’s a security violation Secure system –Starts in authorized state –Never enters unauthorized state

25 Confidentiality X set of entities, I information I has confidentiality property with respect to X if no x  X can obtain information from I I can be disclosed to others Example: –X set of students –I final exam answer key –I is confidential with respect to X if students cannot obtain final exam answer key

26 Integrity X set of entities, I information I has integrity property with respect to X if all x  X trust information in I Types of integrity: –trust I, its conveyance and protection (data integrity) –I information about origin of something or an identity (origin integrity, authentication) –I resource: means resource functions as it should (assurance)

27 Confidentiality Policy Goal: prevent the unauthorized disclosure of information –Deals with information flow –Not concerned with protection of integrity Most popular model: –Bell-LaPadula Model

28 Bell-LaPadula Model, Step 1 Security levels arranged in linear ordering –Top Secret: highest –Secret –Confidential –Unclassified: lowest Levels consist of security clearance L(s) –Objects have security classification L(o)

29 Example objectsubjectsecurity level Telephone Lists Activity Logs E-Mail Files Personnel Files UgoUnclassified CharlesConfidential SamSecret TomTop Secret Tom can read all files Charles cannot read Personnel or E-Mail Files Ugo can only read Telephone Lists

30 Reading Information Information flows up, not down –“Reads up” disallowed, “reads down” allowed Simple Security Condition: –Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) –Sometimes called “no reads up” rule

31 Writing Information Information flows up, not down –“Writes up” allowed, “writes down” disallowed *-Property –Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) –Sometimes called “no writes down” rule

32 Bell-LaPadula guarantee “No reads up, no writes down” If a system is initially in a secure state, and every transition of the system satisfies the simple security condition and the *- property then every state of the system is secure

33 Biba Integrity Model Set of subjects S, objects O, integrity levels I, relation ≤  I  I holding when second dominates first min: I  I  I returns lesser of integrity levels i: S  O  I gives integrity level of entity r: S  O means s  S can read o  O w, x defined similarly

34 Intuition for Integrity Levels The higher the level, the more confidence –That a program will execute correctly –That data is accurate and/or reliable Note relationship between integrity and trustworthiness Important point: integrity levels are not security levels

35 Integrity policies: Biba’s Model “No reads down, no writes up” Similar to Bell-LaPadula model 1. s  S can read o  O iff i(s) ≤ i(o) 2. s  S can write to o  O iff i(o) ≤ i(s)

36 Reflections Bell-LaPadula and Biba often found to be too “rigid” to use in practice. Various relaxations of the model exist: –Clark Wilson: Allow trusted “upgrader” and “downgraders” –Chinese-Wall: Allow collaborations and conflict-of-interest groups.

37 Availability of MAC Until 1990s MAC-based systems were in popular use only in military settings. Currently available even on commodity OSes: SELinux, Trusted BSD –Policies are still somewhat awkward to specify

Download ppt "Access Control: Policies and Mechanisms Vinod Ganapathy."

Similar presentations

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Access Control Methodologies

Access Control Methodologies
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.

1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Security Fall 2009McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2009McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Security Fall 2006McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2006McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
Sicurezza Informatica Prof. Stefano Bistarelli

Sicurezza Informatica Prof. Stefano Bistarelli
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Similar presentations

Ads by Google