Presentation is loading. Please wait.

Presentation is loading. Please wait.

LECTURE 1 ACCESS CONTROL Ravi Sandhu.

Published byAlexa Trujillo Modified over 10 years ago

Similar presentations

Presentation on theme: "LECTURE 1 ACCESS CONTROL Ravi Sandhu."— Presentation transcript:

1 LECTURE 1 ACCESS CONTROL Ravi Sandhu

2 OUTLINE Access matrix model Access control lists versus Capabilities
Content and context-based controls Discretionary versus mandatory controls Trojan Horses Bell-LaPadula model Covert channels Beyond MAC and DAC

3 ACCESS MATRIX MODEL Objects (and Subjects) F G r w own S u b j e c t s
V rights

4 ACCESS MATRIX MODEL Basic Abstractions Subjects Objects Rights
The rights in a cell specify the access of the subject (row) to the object (column)

5 the system authenticates the user in context of a particular principal
USERS AND PRINCIPALS USERS PRINCIPALS Real World User Unit of Access Control and Authorization the system authenticates the user in context of a particular principal

6 USERS AND PRINCIPALS JOE.TOP-SECRET JOE.SECRET JOE JOE.CONFIDENTIAL
JOE.UNCLASSIFIED USER PRINCIPALS

7 USERS AND PRINCIPALS JANE.CHAIRPERSON JANE.FACULTY JANE JANE. EMPLOYEE
JANE.SUPER-USER USER PRINCIPALS

8 USERS AND PRINCIPALS There should be a one-to-many mapping from users to principals a user may have many principals, but each principal is associated with an unique user This ensures accountability of a user's actions In other words, shared accounts (principals) are bad for accountability

9 PRINCIPALS AND SUBJECTS
A subject is a program (application) executing on behalf of a principal A principal may at any time be idle, or have one or more subjects executing on its behalf

10 PRINCIPALS AND SUBJECTS
Mail Application Word Processor JOE.TOP-SECRET Spreadsheet Database Application PRINCIPAL SUBJECTS

11 PRINCIPALS AND SUBJECTS
Usually (but not always) each subject is associated with a unique principal all subjects of a principal have identical rights (equal to the rights of the invoking principal) This case can be modeled by a one-to-one mapping between subjects and principals For simplicity, a principal and subject can be treated as identical concepts. On the other hand, a user should always be viewed as multiple principals

12 OBJECTS An object is anything on which a subject can perform operations (mediated by rights) Usually objects are passive, for example: File Directory (or Folder) Memory segment But, subjects can also be objects, with operations kill suspend resume

13 ACCESS MATRIX MODEL Objects (and Subjects) F W r w own S u b j e c t s
parent r w own W

14 IMPLEMENTATION Access Control Lists Capabilities Relations

15 ACCESS CONTROL LISTS (ACLs)
F U:r U:w U:own G U:r V:r V:w V:own each column of the access matrix is stored with the object corresponding to that column

16 CAPABILITY LISTS U F/r, F/w, F/own, G/r V G/r, G/w, G/own
each row of the access matrix is stored with the subject corresponding to that row

17 ACCESS CONTROL TRIPLES
Subject Access Object U r F U w F U own F U r G V r G V w G V own G commonly used in relational database management systems

18 ACL'S VS CAPABILITIES ACL's require authentication of subjects
Capabilities do not require authentication of subjects, but do require unforgeability and control of propagation of capabilities

19 ACL'S VS CAPABILITIES ACCESS REVIEW
ACL's provide for superior access review on a per-object basis Capabilities provide for superior access review on a per-subject basis REVOCATION ACL's provide for superior revocation facilities on a per-object basis Capabilities provide for superior revocation facilities on a per-subject basis

20 ACL'S VS CAPABILITIES The per-object basis usually wins out so most Operating Systems protect files by means of ACL's Many Operating Systems use an abbreviated form of ACL's with just three entries owner group other

21 ACL'S VS CAPABILITIES LEAST PRIVILEGE
Capabilities provide for finer grained least privilege control with respect to subjects, especially dynamic short-lived subjects created for specific tasks

22 CONTENT DEPENDENT CONTROLS
content dependent controls such as you can only see salaries less than 50K, or you can only see salaries of employees who report to you are beyond the scope of Operating Systems and are provided by Database Management Systems

23 CONTEXT DEPENDENT CONTROLS
context dependent controls such as you cannot access classified information via a remote login salary information can be updated only at year end the company's earnings report is confidential until announced at the stockholders meeting can be partially provided by the Operating System and partially by the Database Management System more sophisticated context dependent controls such as based on past history of accesses definitely require Database support

24 DISCRETIONARY VERSUS MANDATORY
Discretionary access controls (DAC) allow access rights to be propagated from one subject to another Possession of an access right by a subject is sufficient to allow access to the object Mandatory access controls (MAC) restrict the access of subjects to objects on the basis of security labels

25 INHERENT WEAKNESS OF DAC
Unrestricted DAC allows information from an object which can be read to any other object which can be written by a subject Suppose our users are trusted not to do this deliberately. It is still possible for Trojan Horses to copy information from one object to another.

26 TROJAN HORSES A Trojan Horse is rogue software installed, perhaps unwittingly, by duly authorized users A Trojan Horse does what a user expects it to do, but in addition exploits the user's legitimate privileges to cause a security breach

27 Principal B cannot read file F
TROJAN HORSE EXAMPLE ACL File F A:r A:w File G B:r A:w Principal B cannot read file F

28 Principal B can read contents of file F copied to file G
TROJAN HORSE EXAMPLE ACL Principal A executes File F A:r A:w read Program Goodies Trojan Horse File G B:r A:w write Principal B can read contents of file F copied to file G

29 TROJAN HORSES Trojan Horses are the most insidious threat
Viruses and logic bombs are examples of Trojan Horses It is possible to embed Trojan Horses in hardware and firmware It is possible to embed Trojan Horses in critical system software such as compilers and Database Management Systems

30 MULTILEVEL SECURITY TS Lattice of security labels S C Information Flow
Dominance U

31 MULTILEVEL SECURITY S,{A,B} S,{A] S,{B} Lattice of Information
labels Information Flow Dominance S,{}

32 BELL LAPADULA (BLP) MODEL
SIMPLE-SECURITY Subject S can read object O only if label(S) dominates label(O) information can flow from label(O) to label(S) STAR-PROPERTY label(O) dominates label(S) information can flow from label(S) to label(O)

33 STAR-PROPERTY applies to subjects (principals) not to users
users are trusted (must be trusted) not to disclose secret information outside of the computer system subjects are not trusted because they may have Trojan Horses embedded in the code they execute star-property prevents overt leakage of information and does not address the covert channel problem

34 DYNAMIC LABELS IN BLP Tranquility (most common):
label is static for subjects and objects BLP without tranquility may be secure or insecure depending upon the specific dynamics of labelling

35 DYNAMIC LABELS IN BLP High water mark on subjects:
label is static for objects label may increase but not decrease for subjects Is secure and is useful High water mark on objects: label is static for subjects Is insecure due to disappearing objects

36 COVERT CHANNELS A covert channel is a communication channel based on the use of system resources not normally intended for communication between the subjects (processes) in the system

37 Information is leaked unknown to the high principal
COVERT CHANNELS High Trojan Horse Infected Subject High Principal Information is leaked unknown to the high principal COVERT CHANNEL Low Trojan Horse Infected Subject Low Principal

38 COVERT CHANNELS The concern is with subjects not users
users are trusted (must be trusted) not to disclose secret information outside of the computer system subjects are not trusted because they may have Trojan Horses embedded in the code they execute star-property prevents overt leakage of information and does not address the covert channel problem

39 RESOURCE EXHAUSTION CHANNEL
Given 5MB pool of dynamically allocated memory HIGH PROCESS bit = 1 Þ request 5MB of memory bit = 0 Þ request 0MB of memory LOW PROCESS request 5MB of memory if allocated then bit = 0 otherwise bit = 1

40 LOAD SENSING CHANNEL HIGH PROCESS
bit = 1 Þ enter computation intensive loop bit = 0 Þ go to sleep LOW PROCESS perform a task with known computational requirements if completed quickly then bit = 0 otherwise bit = 1

41 COPING WITH COVERT CHANNELS
identification close the channel or slow it down detect attempts to use the channel tolerate its existence

42 COVERT CHANNELS AND THE ORANGE BOOK
C2 No labels B1 Labels with Bell-LaPadula controls, but no need to address covert channels B2 Must address storage channels (such as resource exhaustion channel) B3 Must also address timing channels (such as load sensing channel) A1 Must use formal techniques (where available)

43 BEYOND MAC DAC DAC and MAC are extreme points of a continuum of access controls There are legitimate policies that fall in between, for example: Document release: a document cannot be released by a scientist without first obtaining approvals from a patent-officer and a security-officer Originator control: information in an object should not be propagated without permission of the owner of the object

44 BEYOND MAC DAC There are security models which transcend the black and white MAC-DAC distinction, notably: The HRU model Harrison, M.H., Ruzzo, W.L. and Ullman, J.D. “Protection in Operating Systems.” Communications of ACM, 19(8): (1976). The TAM model Sandhu, R.S. “The Typed Access Matrix Model.“” Proceeding IEEE Symposium on Security and Privacy, Oakland, CA, May 4-6, 1992, pages The RBAC model Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman, “Role-Based Access Control Models.” IEEE Computer, Volume 29, Number 2, February 1996.

45 REFERENCES The access matrix model is discussed in most textbooks on computer security or on operating systems. The user-principal-subject distinction is rarely made as carefully as done here. This has resulted in a lot of unnecessary confusion in the literature.

Download ppt "LECTURE 1 ACCESS CONTROL Ravi Sandhu."

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
3rd Annual Plex/2E Worldwide Users Conference 13A Batch Processing in 2E Jeffrey A. Welsh, STAR BASE Consulting, Inc. September 20, 2007.

3rd Annual Plex/2E Worldwide Users Conference 13A Batch Processing in 2E Jeffrey A. Welsh, STAR BASE Consulting, Inc. September 20, 2007.
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
7- Sicurezza delle basi di dati

7- Sicurezza delle basi di dati
George Mason University

George Mason University
INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.

INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.
ACCESS-CONTROL MODELS

ACCESS-CONTROL MODELS
Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.

Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.

Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.
ROLE-BASED ACCESS CONTROL: A MULTI-DIMENSIONAL VIEW Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman Seta Corporation McLean, VA Ravi Sandhu.

ROLE-BASED ACCESS CONTROL: A MULTI-DIMENSIONAL VIEW Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman Seta Corporation McLean, VA Ravi Sandhu.
Distributed Systems Architectures

Distributed Systems Architectures
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.
Processes and Operating Systems

Processes and Operating Systems
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Similar presentations

Ads by Google