Download presentation
Presentation is loading. Please wait.
Published byJeremiah Snyder Modified over 10 years ago
1
© 2004 Ravi Sandhu www.list.gmu.edu A Perspective on Graphs and Access Control Models Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu
2
© 2004 Ravi Sandhu www.list.gmu.edu 2 Outline A perspective on security A perspective on access control The safety problem in access control Looking ahead Discussion
3
© 2004 Ravi Sandhu www.list.gmu.edu 3 Security Confusion INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure USAGE purpose electronic commerce, electronic business digital rights management, client- side controls
4
© 2004 Ravi Sandhu www.list.gmu.edu 4 Good enough security EASY SECURE COST Security geeksReal-world users System owner whose security perception or reality of security end users operations staff help desk system cost operational cost opportunity cost cost of fraud Business models will dominate security models
5
© 2004 Ravi Sandhu www.list.gmu.edu 5 Good enough security RISKRISK COST H M L LMH 1 2 3 2 3 4 3 4 5 Entrepreneurial mindset Academic mindset
6
© 2004 Ravi Sandhu www.list.gmu.edu 6 Access Control Models Authentication AuthorizationEnforcement who is trying to access a protected resource? who should be allowed to access which protected resources? who should be allowed to change the access? how does the system enforce the specified authorization Access Control ModelsAccess Control Architecture
7
© 2004 Ravi Sandhu www.list.gmu.edu 7 The OM-AM Way Objectives Models Architectures Mechanisms What? How? AssuranceAssurance
8
© 2004 Ravi Sandhu www.list.gmu.edu 8 Access Control Status Ten years ago Emphasis on –Cryptography and intrusion detection –Access control relegated to back burner Ravi Sandhu, Access Control: The Neglected Frontier. Proc. First Australasian Conference on Information Security and Privacy, LNCS, 1996. Today Strong industry interest Growing need Growing research
9
© 2004 Ravi Sandhu www.list.gmu.edu 9 Safety in Access Control Authentication AuthorizationEnforcement who is trying to access a protected resource? who should be allowed to access which protected resources? who should be allowed to change the access? how does the system enforce the specified authorization Access Control ModelsAccess Control Architecture The Safety Problem
10
© 2004 Ravi Sandhu www.list.gmu.edu 10 The HRU (Harrison-Ruzzo-Ullman) Model, 1976 Ur w V F G r
11
© 2004 Ravi Sandhu www.list.gmu.edu 11 The HRU (Harrison-Ruzzo-Ullman) Model, 1976 UF r, w VG r
12
© 2004 Ravi Sandhu www.list.gmu.edu 12 The HRU (Harrison-Ruzzo-Ullman) Model, 1976 UF r, w VG r
13
© 2004 Ravi Sandhu www.list.gmu.edu 13 HRU Commands and Operations command α(X1, X2,..., Xk) if rl in (Xs1, Xo1) and r2 in (Xs2, Xo2) and ri in (Xsi, Xoi) then op1; op2; … opn end enter r into (Xs, Xo) delete r from (Xs, Xo) create subject Xs create object Xo destroy subject Xs destroy object Xo
14
© 2004 Ravi Sandhu www.list.gmu.edu 14 HRU as Graph Rules (from Koch et al 2002)
15
© 2004 Ravi Sandhu www.list.gmu.edu 15 Safety in HRU (late 1970s) Safety Problem: Is there a reachable state with edge labeled z from X to Y? Undecidable in general HRU unable to find interesting decidable cases. Mono-operational: decidable but uninteresting Monotonic: undecidable Bi-conditional monotonic: undecidable Mono-conditional monotonic: decidable but uninteresting
16
© 2004 Ravi Sandhu www.list.gmu.edu 16 The Safety Problem HRU 1976: It would be nice if we could provide for protection systems an algorithm which decided safety for a wide class of systems, especially if it included all or most of the systems that people seriously contemplate. Unfortunately, our one result along these lines involves a class of systems called mono- operational, which are not terribly realistic. Our attempts to extend these results have not succeeded, and the problem of giving a decision algorithm for a class of protection systems as useful as the LR(k) class is to grammar theory appears very difficult. 2004: Considerable progress has been made but much remains to be done and practical application of known results is essentially non-existent. –Progress includes: Take-Grant Model (Jones, Lipton, Snyder, Denning, Bishop; late 79s early 80s), Schematic Protection Model (Sandhu, 80s), Typed Access Matrix Model (Sandhu, 1990s), Graph Transformations (Koch, Mancini, Parisi- Pressice 2000s)
17
© 2004 Ravi Sandhu www.list.gmu.edu 17 Safety with Types Typed Access Matrix or TAM model (Sandhu 1992) Safety is polynomial-decidable for monotonic ternary TAM with acyclic create-graph Typed Graphs (Koch et al 2002) Safety is decidable for transformations that are either expanding or deleting The given algorithm is exponential but actual complexity remains an open question
18
© 2004 Ravi Sandhu www.list.gmu.edu 18 The Take-Grant Model (late 70s, early 80s) AB t (a) B/t Є dom(A) AB g (b) B/g Є dom(A) Original graph representation, late 70s
19
© 2004 Ravi Sandhu www.list.gmu.edu 19 The Take-Grant Model (late 70s, early 80s) AB t (a) B/t Є dom(A) AB g (b) B/g Є dom(A) Lockman-Minsky representation, 1982
20
© 2004 Ravi Sandhu www.list.gmu.edu 20 Creation in Take-Grant A A tg (a) The Original View A A tg (b) The Lockman-Minsky View
21
© 2004 Ravi Sandhu www.list.gmu.edu 21 Reversal of Take-Grant Flow: case t AB t A tg g t
22
© 2004 Ravi Sandhu www.list.gmu.edu 22 Reversal of Take-Grant Flow: case g AB g A tg g t, g
23
© 2004 Ravi Sandhu www.list.gmu.edu 23 Reversal of Grant-Only Flow AB g A gg g g
24
© 2004 Ravi Sandhu www.list.gmu.edu 24 Non-Reversal of Take-Only Flow AB t A tt t
25
© 2004 Ravi Sandhu www.list.gmu.edu 25 Safety in more recent (and practical) models RBAC96 (foundation of a new NIST/ANSI/ISO standard) Safety is undecidable in general –Sandhu, Munawer, Crampton, 1998 Decidable cases exist –Li, Mitchell, Winsborough, Solworth, Sloan, 2000s UCON (Usage Control Models) Safety is undecidable in general Decidable cases exist –Park, Sandhu, Zhang, Parisi-Pressice 2000s
26
© 2004 Ravi Sandhu www.list.gmu.edu 26 Looking ahead Security lags information technology applications Information technology applications are moving extremely rapidly The need for decentralized and automatic authorization is growing very rapidly The safety problem of access control remains a critical path problem Challenges –Develop new real-world relevant theory –Apply old and new theory Can theory of graph transformations help us?
27
© 2004 Ravi Sandhu www.list.gmu.edu 27 RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard) ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS
28
© 2004 Ravi Sandhu www.list.gmu.edu 28 UCON (Usage Control) Models ongoingN/A
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.