Download presentation
Presentation is loading. Please wait.
1
Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair
Institute for Cyber Security University of Texas at San Antonio May 2009 © Ravi Sandhu
2
Discretionary Access Control (DAC) Mandatory Access Control (MAC)
Outline Discretionary Access Control (DAC) Mandatory Access Control (MAC) Equivalently Lattice-Based Access Control (LBAC) Role-Based Access Control (RBAC) Usage Control (UCON) © Ravi Sandhu
3
ACCESS MATRIX MODEL Objects (and Subjects) F G r w S r U own u b j e c
V rights © Ravi Sandhu 3
4
ACCESS CONTROL LISTS (ACLs)
F U:r U:w U:own G U:r V:r V:w V:own each column of the access matrix is stored with the object corresponding to that column © Ravi Sandhu 4
5
CAPABILITY LISTS U F/r, F/w, F/own, G/r V G/r, G/w, G/own each row of the access matrix is stored with the subject corresponding to that row © Ravi Sandhu 5
6
ACCESS CONTROL TRIPLES
Subject Access Object U r F U w F U own F U r G V r G V w G V own G commonly used in relational database management systems © Ravi Sandhu 6
7
TROJAN HORSE EXAMPLE ACL A:r File F A:w B:r File G A:w
B cannot read file F © Ravi Sandhu 7
8
B can read contents of file F copied to file G
TROJAN HORSE EXAMPLE A ACL executes File F A:r A:w read Program Goodies Trojan Horse File G B:r A:w write B can read contents of file F copied to file G © Ravi Sandhu 8
9
DAC Summary Traditional DAC does not prevent copies from being made and there is no control over copies Modern approaches to information sharing and trusted computing seek to maintain control over copies (for example, our talk on Friday) Traditional DAC is weak with respect to confidentiality but may have value with respect to integrity © Ravi Sandhu 9
10
LATTICE STRUCTURES Top Secret Secret Confidential Unclassified
dominance can-flow © Ravi Sandhu 10
11
BELL LAPADULA (BLP) MODEL
SIMPLE-SECURITY Subject S can read object O only if label(S) dominates label(O) STAR-PROPERTY (LIBERAL) Subject S can write object O only if label(O) dominates label(S) STAR-PROPERTY (STRICT) label(O) equals label(S) © Ravi Sandhu 11
12
LATTICE STRUCTURES Compartments and Categories {ARMY, CRYPTO} {ARMY }
{} © Ravi Sandhu 12
13
product of 2 lattices is a lattice
LATTICE STRUCTURES Hierarchical Classes with Compartments {A,B} TS {A} {B} {} S product of 2 lattices is a lattice © Ravi Sandhu 13
14
LATTICE STRUCTURES TS, {A,B} Hierarchical Classes with Compartments
{} S, {A,B} S, {A} S, {B} S, {} © Ravi Sandhu 14
15
SMITH'S LATTICE TS-AKLQWXYZ TS-KLX TS-KY TS-KQZ TS-KL TS-W TS-X TS-X
TS-Q TS-Z TS-L TS-K TS-Y S-LW S-L TS S-A S-W S C © Ravi Sandhu U 15
16
EQUIVALENCE OF BLP AND BIBA
HI (High Integrity) LI (Low Integrity) LI (Low Integrity) HI (High Integrity) BIBA LATTICE EQUIVALENT BLP LATTICE © Ravi Sandhu 16
17
EQUIVALENCE OF BLP AND BIBA
HS (High Secrecy) LS (Low Secrecy) LS (Low Secrecy) HS (High Secrecy) BLP LATTICE EQUIVALENT BIBA LATTICE © Ravi Sandhu 17
18
COMBINATION OF DISTINCT LATTICES
HS HI HS, LI HS, HI LS, LI LS LI LS, HI BLP BIBA GIVEN EQUIVALENT BLP LATTICE © Ravi Sandhu 18
19
LIPNER'S LATTICE S: System Managers O: Audit Trail LEGEND S: Subjects
O: Objects S: System Control S: Application Programmers O: Development Code and Data S: System Programmers O: System Code in Development S: Repair S: Production Users O: Production Data O: Repair Code O: Production Code O: Tools O: System Programs © Ravi Sandhu 19
20
CHINESE WALL EXAMPLE BANKS OIL COMPANIES A B X Y © Ravi Sandhu 20
21
CHINESE WALL LATTICE SYSHIGH A, X A, Y B, X B, Y A, - -, X -, Y B, -
SYSLOW © Ravi Sandhu 21
22
Information is leaked unknown to the high user
COVERT CHANNELS High Trojan Horse Infected Subject High User Information is leaked unknown to the high user COVERT CHANNEL Low Trojan Horse Infected Subject Low User © Ravi Sandhu 22
23
LBAC fails to control covert channels
MAC/LBAC Summary LBAC fails to control covert channels LBAC fails to control inference and aggregation It is too rigid for most commercial applications It has strong mathematical foundations © Ravi Sandhu 23
24
RBAC: Role-Based Access Control
Access is determined by roles A user’s roles are assigned by security administrators A role’s permissions are assigned by security administrators First emerged: mid 1970s First models: mid 1990s Is RBAC MAC or DAC or neither? © Ravi Sandhu 24
25
Fundamental Theorem of RBAC
RBAC can be configured to do MAC RBAC can be configured to do DAC RBAC is policy neutral RBAC is neither MAC nor DAC! © Ravi Sandhu 25
26
... RBAC96 Model ROLE HIERARCHIES USER-ROLE ASSIGNMENT
PERMISSIONS-ROLE ASSIGNMENT USERS ROLES PERMISSIONS ... SESSIONS This is a somewhat busy slide It shows a bird’s eye view of RBAC There are many details that need to be debated and filled in Some of these will be discussed in the subsequent panel For our purpose the bird’s eye view will suffice CONSTRAINTS © Ravi Sandhu 26
27
Example Role Hierarchy
Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) Engineering Department (ED) Inheritance hierarchy Employee (E) © Ravi Sandhu 27
28
Example Role Hierarchy
Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) Engineering Department (ED) Inheritance and activation hierarchy Employee (E) © Ravi Sandhu 28
29
NIST/ANSI RBAC Standard Model 2004
Permission-role review is advanced requirement ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS ROLES PERMISSIONS Limited to separation of duties ... Overall formal model is more complete SESSIONS This is a somewhat busy slide It shows a bird’s eye view of RBAC There are many details that need to be debated and filled in Some of these will be discussed in the subsequent panel For our purpose the bird’s eye view will suffice CONSTRAINTS © Ravi Sandhu 29
30
The RBAC Story Standard Adopted Proposed Standard RBAC96 paper
© Ravi Sandhu 30
31
Founding Principles of RBAC96
Abstraction of Privileges Credit is different from Debit even though both require read and write Separation of Administrative Functions Separation of user-role assignment from role- permission assignment Least Privilege Right-size the roles Don’t activate all roles all the time Separation of Duty Static separation: purchasing manager versus accounts payable manager Dynamic separation: cash-register clerk versus cash-register manager © Ravi Sandhu 31
32
ASCAA Principles for Future RBAC
Abstraction of Privileges Credit vs debit Personalized permissions Separation of Administrative Functions Containment Least Privilege Separation of Duties Usage Limits Automation Revocation Assignment: (i) Self-assignment, (ii) Attribute-based Context and environment adjustment Accountability Re-authentication/Escalated authentication Click-through obligations Notification and alerts © Ravi Sandhu 32
33
Access Control Models Discretionary Access Control (DAC)
Owner controls access but only to the original, not to copies Mandatory Access Control (MAC) Access based on security labels Labels propagate to copies Role-Based Access Control (RBAC) Access based on roles Can be configured to do DAC or MAC Attribute-Based Access Control (ABAC) Access based on attributes, to possibly include roles, security labels and whatever © Ravi Sandhu 33
34
Security Objectives USAGE purpose USAGE INTEGRITY modification
AVAILABILITY access CONFIDENTIALITY disclosure © Ravi Sandhu 34
35
Security Architectures
Usage Control Scope Security Objectives Security Architectures © Ravi Sandhu 35
36
Usage Control Model (UCON)
unified model integrating authorization obligation conditions and incorporating continuity of decisions mutability of attributes © Ravi Sandhu 36
37
Discretionary Access Control (DAC) Mandatory Access Control (MAC)
Conclusion Discretionary Access Control (DAC) Mandatory Access Control (MAC) Equivalently Lattice-Based Access Control (LBAC) Role-Based Access Control (RBAC) Usage Control (UCON) Models are all important A Policy Language is not a substitute for a good model © Ravi Sandhu 37
Similar presentations
