Access Control Model SAM-5.


1 Access Control Model SAM-5

2 Objective
- Limit who can access the system
- Limit what people can do once they access the system
- Control sharing of data and programs between users

3 In more technical terms:
- Access control constrains what a User can do directly, as well as what programs executing on his behalf are allowed to do.
- Activity in the system is initiated by entities known as Subjects.
- Subjects are typically Users or Programs executing on their behalf.

4 In more technical terms:
- A User may sign on to the system as different Subjects on different occasions.
- Subjects can themselves be Objects.
- A Subject can create additional Subjects in order to accomplish its task.

5 Subjects and Objects

6 Access Control Model
[Diagram: Subject -> Access request -> Reference monitor -> Object. The Subject / Access request side is labelled Authentication; the Reference monitor / Object side is labelled Authorization.]

7 Discretionary Access Control
- A Set of Objects (O)
- A Set of Subjects (S)
- An Access Matrix (A)

8 Discretionary Access Control

9 Discretionary Access Control
- Access Control Lists: storing the matrix by columns
- Capabilities: storing the matrix by rows
- Element A[i,j] specifies the access which subject i has to object j.

10 ACL and Capability

11 Access Control List
- A file used by the access control system to determine who may access what programs and files, in what method and at what time
- Different operating systems have different ACL terms
- Types of access: Read/Write/Create/Execute/Modify/Delete/Rename

12 Discretionary Access Control
- Access is restricted based on the authorization granted to the user
- Orange book C-level
- Prime use is to separate and protect users from unauthorized data
- Used by Unix, NT, NetWare, Linux, Vines, etc.
- Relies on the object owner to control access

13 Drawback of Discretionary Control
- Does not provide real assurance on the flow of information in a system.
- Does not impose any restriction on the usage of information by a User once the User has received it.
- Objects are at the whim or fancy of their owners to grant access to them for other Users.
- Information can be copied from one Object to another, so access to a copy is possible even if the owner of the original does not provide access to it.
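The access matrix of slides 7 to 9 and the copy drawback of slide 13, as an added example that is not part of the original slides. The subjects, objects, rights and file contents are constructed for illustration.

```python
# Added example: constructed subjects, objects and rights; not from the slides.

# Access matrix A: A[subject][object] = set of rights held by subject on object.
A = {
    "alice": {"salary.txt": {"own", "read", "write"}},
    "bob":   {"salary.txt": {"read"}, "notes.txt": {"own", "read", "write"}},
    "carol": {"notes.txt": {"read"}},
}
contents = {"salary.txt": "alice: 100k", "notes.txt": ""}

def capabilities(subject):
    """Row of the matrix: everything one subject may touch."""
    return dict(A.get(subject, {}))

def acl(obj):
    """Column of the matrix: every subject holding rights on one object."""
    return {s: row[obj] for s, row in A.items() if obj in row}

def allowed(subject, obj, right):
    return right in A.get(subject, {}).get(obj, set())

def read(subject, obj):
    if not allowed(subject, obj, "read"):
        raise PermissionError(f"{subject} may not read {obj}")
    return contents[obj]

def write(subject, obj, data):
    if not allowed(subject, obj, "write"):
        raise PermissionError(f"{subject} may not write {obj}")
    contents[obj] = data

def copy(subject, src, dst):
    """Both steps pass the DAC check, yet the data leaves src's ACL behind."""
    write(subject, dst, read(subject, src))

def demo():
    denied = False
    try:
        read("carol", "salary.txt")          # carol is not on salary.txt's ACL
    except PermissionError:
        denied = True
    copy("bob", "salary.txt", "notes.txt")   # bob: read on src, write on dst
    return denied, read("carol", "notes.txt")
```

`demo()` shows carol refused on the original but able to read the same data from bob's copy, without alice ever changing the ACL on `salary.txt`.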

14 Mandatory Access Control
- Subjects and Objects in a System have a certain classification.
- Read Up - A Subject's integrity level must be dominated by the integrity level of the Object being read.
- Write Down - A Subject's integrity level must dominate the integrity level of the Object being written.
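The two rules on this slide, checked for their effect on information flow, as an added example that is not part of the original slides. The three integer levels and the subject and object names are assumptions made for illustration.

```python
# Added example: constructed labels; a higher number means a higher integrity level.
LEVEL = {"low": 0, "medium": 1, "high": 2}
subjects = {"installer": "high", "editor": "medium", "browser": "low"}
objects = {"kernel.img": "high", "report.doc": "medium", "download.tmp": "low"}

def dominates(a, b):
    return LEVEL[a] >= LEVEL[b]

def may_read(s, o):
    # Read up: the subject's level is dominated by the object's level.
    return dominates(objects[o], subjects[s])

def may_write(s, o):
    # Write down: the subject's level dominates the object's level.
    return dominates(subjects[s], objects[o])

def flows(read_ok=may_read, write_ok=may_write):
    """Direct information flows permitted by the given read and write rules."""
    edges = set()
    for s in subjects:
        for o in objects:
            if read_ok(s, o):
                edges.add((o, s))   # reading moves data object -> subject
            if write_ok(s, o):
                edges.add((s, o))   # writing moves data subject -> object
    return edges

def reachable(edges, start):
    """Every entity that data starting at `start` can eventually reach."""
    seen, todo = set(), [start]
    while todo:
        node = todo.pop()
        for a, b in edges:
            if a == node and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def label(x):
    return subjects.get(x) or objects[x]

def upward_flows(edges):
    """Pairs (src, dst) where data could climb to a strictly higher level."""
    nodes = list(subjects) + list(objects)
    return {(n, m) for n in nodes for m in reachable(edges, n)
            if LEVEL[label(m)] > LEVEL[label(n)]}
```

With both rules enforced, `upward_flows(flows())` is empty even across chains of reads and writes; relaxing the read rule alone lets low-level data reach `kernel.img` through the installer.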

15 Mandatory Access Control

16 Mandatory Access Control
- Assigns sensitivity levels, AKA labels
- Every object is given a sensitivity label and is accessible only to users who are cleared up to that particular level.
- Only the administrators, not object owners, may change the object level
- Generally more secure than DAC

17 Mandatory Access Control
- Orange book B-level
- Used in systems where security is critical, e.g., military
- Hard to program for, configure and implement
- Downgrade in performance
- Relies on the system to control access

18 Mandatory Access Control
- Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.
- All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level

19 Drawback of Mandatory Access Control
- Information flow can pass through covert channels in prohibited ways.
- There is no solution to the inference problem, where high information is deduced by assembling and intelligently combining low information.

20 Other mechanisms
Group
- Subjects are assigned to one or more groups, and common permissions can be set groupwise
Negative Permission
- Specifies who should not have access to some resources
- A negative permission would usually override a permission obtained from a group permission

21 Other mechanisms
Protection rings
- Objects and subjects are each assigned to inhabit one of the protection rings
- If a subject wants to access an object, their ring numbers are compared
Privileges
- Operations that an object performs, instead of considering objects
- Can be considered as a higher level of access control

22 Role
- The collection of procedures assigned to a user
- A user may have several roles, and might change roles

23 Role Based Access Control
- Users are members of Roles.
- Permissions are associated with Roles.
- Many to many User/Role and Role/Permission relations.
- Role Hierarchy
- Users can change Roles for each Session
- RBAC is used to manage RBAC.
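The user/role and role/permission relations, the role hierarchy and per-session role activation from this slide, as an added example that is not part of the original slides. All user, role and permission names are constructed, and the hierarchy is assumed to mean that a senior role inherits the permissions of its junior roles.

```python
# Added example: constructed users, roles and permissions; not from the slides.
USER_ROLES = {"dana": {"teller", "auditor"}, "eli": {"manager"}}
ROLE_PERMS = {
    "employee": {"read_directory"},
    "teller":   {"post_transaction"},
    "auditor":  {"read_ledger"},
    "manager":  {"approve_transaction"},
}
# Assumed hierarchy: each senior role inherits from the junior roles listed.
JUNIORS = {"teller": {"employee"}, "auditor": {"employee"}, "manager": {"teller"}}

def role_closure(role):
    """The role itself plus every junior role reachable through the hierarchy."""
    out, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in out:
            out.add(r)
            todo.extend(JUNIORS.get(r, ()))
    return out

def role_permissions(role):
    return set().union(*(ROLE_PERMS.get(r, set()) for r in role_closure(role)))

class Session:
    """A user acts through a session that activates a subset of their roles."""

    def __init__(self, user, activate):
        not_assigned = set(activate) - USER_ROLES.get(user, set())
        if not_assigned:
            raise PermissionError(f"{user} is not a member of {sorted(not_assigned)}")
        self.user, self.active = user, set(activate)

    def permissions(self):
        return set().union(*(role_permissions(r) for r in self.active))

    def check(self, permission):
        # Only roles activated in this session count, not every role assigned.
        return permission in self.permissions()
```

A session for `dana` that activates only `teller` cannot read the ledger even though `dana` is also an `auditor`, which is how role activation supports least privilege.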

24 Role Based Access Control

25 Advantages of Role Based Access Control
- Simple authorization Management
- Hierarchical Roles
- Least Privilege
- Separation of Duties

26 Type Enforcement
- A mandatory access control mechanism
- Provides strong separation of:
  - Operating system and applications
  - Applications from each other
- Each process, in its own domain or cell, can only access resources necessary for the job, using the Least Privilege principle

27 Type Enforcement

28 Type Enforcement Barrier
[Diagram: Processes carry a Domain Attribute; System Objects carry a Type Attribute.]

29 Type Enforcement
- A fine grained control over processes and objects
- Access matrix defines what types can be executed by each domain
- Interaction between domains
- Entry point of domain

