Access Controls Mandatory Access Control by Sean Dalton December 5th 2008.


Overview
- Common Terminology of Access Control Techniques
- Introduction to Access Controls
- Access Control Techniques
  - Discretionary Access Control
  - Role-Based Access Control
  - Mandatory Access Control
- Sensitivity Labels
- Clearances
- Transactions
- Implementations
- Conclusion

Common Terminology of Access Control Techniques
In any of the three major computer access control models there is a focus on two separate entities acting within the system:
- Subjects: the entities that can perform actions in the system. Examples: processes, threads.
- Objects: the entities representing resources to which access may need to be controlled. Examples: files, directories, TCP/UDP ports, shared memory segments.
- Note: "Both subjects and objects should be considered as software entities, rather than associating them as human users. Any human user only has an effect on the system through the software entities that they control."

Introduction to Access Controls
Access control is the ability to permit or deny the use of a specific resource by a specific entity. Access control models used by current computer systems tend to fall into one of two classes:
- A capability-based model: a subject holds a reference (capability) to an object, and that reference gives it access to the object (similar to how possession of your debit card gives you access to your account through an ATM). Access is granted to, or modified for, another party by transmitting the capability.
- An ACL-based model (access control list): a subject's access to an object depends on whether its identity is on a list associated with the object (similar to how a doorman at a private party checks whether your name is on the list before letting you in). Access is granted or modified by editing the list.

Introduction to Access Controls cont.
Access control systems provide the essential services of identification and authentication, authorization, and accountability.
- Identification and Authentication determines who can log on to a system, and then associates the user with the software subjects that they are able to control.
- Authorization determines what a subject can do on the system. Most operating systems and access control models define sets of permissions based on variations or extensions of the following three basic types of access:
  - Read (R, 4): grants permission to read a file or list directory contents.
  - Write (W, 2): grants permission to modify the contents of a file or directory with the following operations: add, create, delete and rename.
  - Execute (X, 1): grants permission to execute the file if it is a program or script. In UNIX systems the Execute attribute on a directory allows for directory traversal.
- Accountability is equivalent to logging or any other form of system audit and keeps an ongoing record of the subjects and the actions performed within the system.

Access Control Techniques
Most access control models (ACMs) can be categorized as discretionary or non-discretionary. There are three widely used and recognized models:
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)
- Mandatory Access Control (MAC)
- Note: Both Role-Based Access Control and Mandatory Access Control are non-discretionary.
Methods used:
- Lattice-Based Access Control
- Rule-Based Access Control
- Others, mostly based on access control lists

Discretionary Access Control
DAC is an access policy determined by the owner of an object. As defined by the Trusted Computer System Evaluation Criteria (TCSEC) established by the United States Department of Defense, DAC is:
- "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject"
The two most important concepts to know about DAC are:
- Ownership of files and data: although not specifically defined by the TCSEC, every object in the system has an owner. Example: in UNIX systems policy modification is done with the chmod (change mode) command.
- Permissions and access rights: these are the controls that an owner can assign to other subjects for specific resources, such as groups associated with the file, or parent processes and users. Can be either ACL-based or capability-based.
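The UNIX-style DAC described above (R/W/X bits from the previous slide, owner-controlled policy via chmod), as an added toy model that is not part of the original slides; the uids, gids and modes are constructed sample values.

```python
# Added example (not from the slides): a toy model of UNIX discretionary access
# control. The object's owner sets the policy with chmod; the reference monitor
# then checks the owner/group/other triad that applies to the requesting subject.
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1   # the R/W/X bit values from the slides


@dataclass
class File:
    owner_uid: int
    group_gid: int
    mode: int          # e.g. 0o640 as written with chmod


@dataclass
class Subject:
    uid: int
    gids: frozenset    # primary and supplementary groups


def _effective_bits(subject: Subject, obj: File) -> int:
    """Select the triad that applies: owner first, then group, then other."""
    if subject.uid == obj.owner_uid:
        return (obj.mode >> 6) & 0o7
    if obj.group_gid in subject.gids:
        return (obj.mode >> 3) & 0o7
    return obj.mode & 0o7


def is_permitted(subject: Subject, obj: File, requested: int) -> bool:
    """True if every requested bit (a combination of READ/WRITE/EXEC) is granted."""
    return (_effective_bits(subject, obj) & requested) == requested


def chmod(subject: Subject, obj: File, new_mode: int) -> bool:
    """The discretionary part: only the owner may change the policy on the object.
    (Real UNIX also lets uid 0 do this; omitted to keep the example small.)"""
    if subject.uid != obj.owner_uid:
        return False
    obj.mode = new_mode & 0o777
    return True
```

Note that the owner triad is used even when it is more restrictive than the group or other triad, which matches how the UNIX permission check selects a triad.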

Role-Based Access Control
RBAC is an access policy determined by the system, not the owner. Used in military systems and some commercial systems where multi-level security requirements exist. Similar to MAC, except that in an RBAC model permissions can include, and almost always exceed, the basic Read, Write, and Execute operations. Day-to-day operations like e-commerce transactions can be included in the model, making RBAC a very complex yet specific way of assigning and granting rights within the system.
Three specific rules for RBAC:
1. Role assignment: a subject can execute a transaction only if the subject has selected or been assigned a role.
2. Role authorization: a subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
3. Transaction authorization: a subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized.
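The three RBAC rules above as a small reference monitor, added here as an example that is not part of the original slides; the users, roles and e-commerce transactions are made-up sample data.

```python
# Added example (not from the slides): an RBAC reference monitor that enforces
# the three rules on the slide and reports which rule denied a request.
from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    # role -> users authorized to activate it   (rule 2)
    role_members: dict = field(default_factory=dict)
    # role -> transactions the role may execute (rule 3)
    role_transactions: dict = field(default_factory=dict)
    # user -> currently active role               (rule 1)
    active_role: dict = field(default_factory=dict)

    def activate(self, user: str, role: str) -> bool:
        """A user may only select a role they are authorized for."""
        if user not in self.role_members.get(role, set()):
            return False
        self.active_role[user] = role
        return True

    def check(self, user: str, transaction: str) -> tuple:
        """Return (allowed, reason); the reason names the first rule that failed."""
        role = self.active_role.get(user)
        if role is None:
            return False, "rule 1: no active role"
        if user not in self.role_members.get(role, set()):
            return False, "rule 2: active role not authorized for subject"
        if transaction not in self.role_transactions.get(role, set()):
            return False, "rule 3: transaction not authorized for active role"
        return True, "ok"

    def revoke(self, user: str, role: str) -> None:
        """Removing membership makes an already active role fail rule 2."""
        self.role_members.get(role, set()).discard(user)


def demo_policy() -> RbacPolicy:
    """Constructed sample policy for an e-commerce style system."""
    return RbacPolicy(
        role_members={"cashier": {"alice"}, "manager": {"bob"}},
        role_transactions={"cashier": {"sell_item"},
                           "manager": {"sell_item", "issue_refund"}},
    )
```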

Mandatory Access Control
MAC is an access policy determined by the system, not the owner. It is used in multilevel systems that process highly sensitive data, such as classified government or military information.
- Note: the TCSEC defines MAC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity"
- Sensitivity labels: in a MAC-based system, all subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than that of the requested object. These labels are not confined to data within the system; they also apply when data is imported or exported (for example, to printers). Sensitivity labels need to be maintained and preserved throughout the data life-cycle so that sensitive information is appropriately protected at all times.

Sensitivity Labels
A subject can be cleared to operate at one or more sensitivity levels, and each sensitivity label contains the following two components:
- Classification, also referred to as a level: this component indicates a hierarchical level of security. When applied to people, the classification represents a measure of trust. When applied to data, a classification is the degree of protection that is required. In the U.S. Government, the classifications are TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED.
- Compartments, also referred to as categories: a compartment represents a grouping, such as a work group, department, project, or topic. A classification does not have to have a compartment.

Clearances
A clearance determines the highest label at which a subject is permitted to operate.
- Generally used in multi-level systems as the default label at which the subject can log in and operate; once in the system, the subject can access other labels via workspaces.
[Figure: Sun Microsystems, Typical Industry Sensitivity Labels]

Transactions
- Dominate: must meet these two conditions: the classification component of the first label is equal to or higher than the classification of the second label; and all compartments in the second label are included in the first label.
- Equal: the labels have the same classification and the same set of compartments. If the labels are equal, the labels dominate each other. Therefore, access is permitted.
- Strictly Dominate: must meet one of these two conditions: the first label has a higher classification than the second label; or the first label's classification is equal to the second label's classification, the first label includes the second label's compartments, and the first label has additional compartments.
- Disjoint: neither label dominates the other label, and access is not permitted.
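The label relations on this slide (dominate, equal, strictly dominate, disjoint) and the read check from the MAC slide, worked through as an added example that is not part of the original slides. The classification names are the U.S. ones listed on the Sensitivity Labels slide; the compartment names are made up.

```python
# Added example (not from the slides): comparing sensitivity labels made of a
# classification plus a set of compartments, as defined on the Transactions
# slide, and using the result for the MAC read decision (subject must dominate).
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()   # a label need not have compartments

    @property
    def rank(self) -> int:
        return LEVELS[self.classification]


def dominates(a: Label, b: Label) -> bool:
    """a's classification >= b's, and every compartment of b is also in a."""
    return a.rank >= b.rank and b.compartments <= a.compartments


def relation(a: Label, b: Label) -> str:
    """Name the relation of a to b: equal, strictly dominates, dominated, or disjoint."""
    if a == b:
        return "equal"
    if dominates(a, b):
        return "strictly dominates"   # dominates but not equal
    if dominates(b, a):
        return "dominated"
    return "disjoint"                  # neither label dominates the other


def can_read(subject: Label, obj: Label) -> bool:
    """Access is permitted only when the subject's label dominates the object's."""
    return dominates(subject, obj)
```

A higher classification alone is not enough: a TOP SECRET label lacking one of the object's compartments is disjoint from it, so the read is denied.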

Implementations
- SELinux: an NSA research project, currently used in Red Hat Enterprise Linux and RHEL-based distributions (Fedora, Mandriva).
- AppArmor: product of SUSE Linux (supported by Novell) and used in Ubuntu 7.10 and up.
- GrSecurity: Linux kernel patch combining both MAC and RBAC implementations. Not currently included in any current distribution.
- Windows Server 2008: incorporates Mandatory Integrity Control.
- Trusted Solaris and Trusted BSD

Works Cited
- Trusted Computer System Evaluation Criteria
- Access Control and XML Encryption
- Access Control Methods
- Role Based Access Control (RBAC) and Role Based Security
- Role Based Access Control - Frequently Asked Questions
- Trusted Extensions Provides Discretionary and Mandatory Access Control