Access Control

Access Control • Our working definition: Computer security deals with the prevention and detection of unauthorised actions by users of a computer system. • Computer systems control access to data and shared resources, like memory, printers, etc., more often for reasons of integrity than for confidentiality. • Access control is at the core of computer security. MT5104 - Computer Security - Access Control

Background • Computer systems and their use have changed over the last decades. • Traditional multi-user operating systems provide generic services to a wide variety of users and do not ‘know’ about the meaning of the files they handle. • Modern PC operating systems support individual users in performing their job. Access operations are complex and application specific. Users are not interested in the lower level details of the execution of their programs. • It is often difficult to map high level security requirements to low level security controls. MT5104 - Computer Security - Access Control

The Agenda for Today • Terminology for access control • Basic access control structures: ACLs, capabilities, etc. • New paradigms • Mathematical concepts – partial orderings and lattices • Exercises and further reading MT5104 - Computer Security - Access Control

A Model for Access Control object principal reference monitor do operation source request guard resource Lampson et al.: Authentication in Distributed Systems: Theory and Practice, ACM ToCS, 1992 MT5104 - Computer Security - Access Control

Authentication and Authorisation • If s is a statement authentication answers the question ‘Who said s?’ with a principal. Thus principals make statements; this is what they are for. • Likewise, if o is an object authorisation answers the question ‘Who is trusted to access o?’ with a principal. MT5104 - Computer Security - Access Control

Principals and Subjects • ‘Principal’ and ‘subject’ are both used to denote the active entity in an access operation. • The word ‘principal’ has many different meanings and is the source of much confusion: • Principals are subjects in the TCSEC sense, but not all subjects are principals. [Morrie Gasser, 1989] • Principals are public keys. [SDSI, 1996] • The term principal represents a name associated with a subject. Since subjects may have multiple names, a subject essentially consists of a collection of principals. [Li Gong, 1999] MT5104 - Computer Security - Access Control

My Recommendation • Policy: A principal is an entity that can be granted access to objects or can make statements affecting access control decisions. • System: Subjects operate on behalf of (human users we call) principals, and access is based on the principal’s name bound to the subject in some unforgeable manner at authentication time. MT5104 - Computer Security - Access Control

Basic Terminology • Subject/Principal: active entity – user or process • Object: passive entity – file or resource • Access operations: read, write, ... • Access operations vary from basic memory access to method calls in an object-oriented system. • Comparable systems may use different access operations or attach different meanings to operations which appear to be the same. MT5104 - Computer Security - Access Control

Changing Focus • Subjects and objects provide a different focus of control (first design principle): • What is the subject allowed to do? • What may be done with an object? • Traditionally, multi-user operating systems manage files and resources, i.e. objects. Access control takes the second approach. • Application oriented IT systems, like database management systems, offer services directed to the user and may well control the actions of subjects. MT5104 - Computer Security - Access Control

Access Modes • On the most elementary level, a subject may • observe an object, or • alter an object. • Observe and Alter are called access modes. • At the next level of complexity, we find the access rights of the Bell-LaPadula security model and the access attributes of the Multics operating system. MT5104 - Computer Security - Access Control

Access Rights in BLP • The four Bell LaPadula access rights: • execute • read • append, also called blind write • write • Mapping between access rights and access modes. execute append read write Observe X X Alter X X MT5104 - Computer Security - Access Control

Rationale • In a multi-user O/S, users open files to get access. Files are opened for read access or for write access so that the O/S can avoid conflicts like two users simultaneously writing to the same file. • Write access usually includes read access. A user editing a file should not be asked to open it twice. Hence, the write right includes Observe and Alter mode. • Few systems actually implement append. Allowing users to alter an object without observing its content is rarely useful (exception: audit log). • A file can be used without being opened (read). Example: use of a cryptographic key. This can be expressed by an execute right that includes neither Observe nor Alter mode. MT5104 - Computer Security - Access Control

Data segments read r execute e, r read and write w write a Directory segments status r search e status & modify w append a Multics Multics has access attributes for data segments and access attributes for directory segments Bell-LaPadula access rights: e, r, a, w MT5104 - Computer Security - Access Control

Access control expressed in terms of three operations: read: read from a file write: write to a file execute: execute a file Applied to a directory, the access operations take this meaning: read: list contents write: create or rename files in the directory execute: search directory Unix These operations differ from the Bell-LaPadula model. E.g., Unix write access does not imply read access. Lesson: Do not use your own intuition when inter-preting access operations someone else has defined! MT5104 - Computer Security - Access Control

More operations • Creation and deletion of files • Change of security parameters: • by default rules • explicit access operations (like grant and revoke) • Exercise: List the access operations in the Windows NTFS file system. MT5104 - Computer Security - Access Control

Creation and Deletion of Files • Can be governed by access control on the directory (Unix) • Can be governed by explicit access operation (OpenVMS, Windows) • When a new object is created, in many operating systems the subject (principal) creating the object becomes its owner. • Ownership is an aspect often considered in access control rules. MT5104 - Computer Security - Access Control

Access Control Structures • Requirements on access control structures: • The access control structure should help to express your desired access control policy. • You should be able to check that your policy has been captured correctly. • Access rights can be defined individually for each combination of subject and object. • For large numbers of subjects and objects, such structures are cumbersome to manage. Intermediate levels of control are preferable. MT5104 - Computer Security - Access Control

Access Control Matrix • Notation • S … set of subjects • O … set of objects • A … set of access operations • Access control matrix: M = (Mso)sS,oO, MsoA. • The entry Mso specifies the operations subject s may perform on object o. bill.doc edit.exe fun.com Alice - {exec} {exec,read} Bob {read,write} {exec} {exec,read,write} MT5104 - Computer Security - Access Control

Access Control Matrix ctd. • The access control matrix is • an abstract concept • not very suitable for direct implementation • not very convenient for managing security • How do you answer the question: Has your security policy been implemented correctly? • Bell LaPadula (and Orange Book): access control matrix defines discretionary access control (DAC). • Warning: ‘discretionary’ is not always used in this particular meaning. MT5104 - Computer Security - Access Control

Capabilities • Focus on the subject • access rights are stored with the subject • capabilities  rows of the access control matrix • Subjects may grant rights to other subjects. Subjects may grant the right to grant rights. • Problems: • How to check who may access a specific object? • How to revoke a capability? • Distributed system security has created renewed interest in capabilities. Alice edit.exe: {exec} fun.com: {exec,read} MT5104 - Computer Security - Access Control

Access Control Lists (ACLs) • Focus on the object • access rights are stored with the object • ACLs  columns of the access control matrix • Access rights are often defined for groups of users. • Unix: owner, group, others • VMS: owner, group, world, system • Problem: How to check access rights of a specific subject? • ACLs are typical for secure operating systems of Orange Book class C2. fun.com Alice: {exec} Bill: {exec,read,write} MT5104 - Computer Security - Access Control

Intermediate Controls • Intermediate controls facilitate better security management. • To deal with complexity, introduce more levels of indirection. users roles procedures data types objects MT5104 - Computer Security - Access Control

Groups and Negative Permissions users • Groups are an intermediate layer between users and objects. • To deal with special cases, negative permissions withdraw rights groups objects users groups objects MT5104 - Computer Security - Access Control

Role Based Access Control (RBAC) • Several intermediate concepts can be inserted between subjects and objects • Roles: collection of procedures assigned to users; a user can have more than one role and more than one user can have the same role. • Procedures: ‘high level’ access control methods with a more complex semantic than read or write; procedures can only be applied to objects of certain data types; example: funds transfer between bank accounts. • Data types: each object is of a certain data type and can be accessed only through procedures defined for this data type. MT5104 - Computer Security - Access Control

RBAC continued • RBAC itself does not have a generally accepted meaning, and it is used in different ways by different vendors and users. • Controlling access to an object by restricting the procedures that may access this object is a general programming practice. It is a fundamental concept in the theory of abstract data types and object-oriented programming. • Examples: user profiles in IBM’s OS/400; global groups and local groups in Windows NT. MT5104 - Computer Security - Access Control

New Paradigms • In today’s IT environment (World Wide Web) the source of a request (applet) is not always a useful access control parameter. • New security attributes are: • location (network address) • code identity, • code author (code signing), • proof carrying code, … • What will become of principals and authentication? MT5104 - Computer Security - Access Control

Who Sets the Policy? Security policies specify how subjects are given access to objects. There are two options for deciding who is in charge of setting the policy: • The owner of a resource decrees who is allowed access. Such policies are called discretionary as access control is at the owner’s discretion. • A system wide policy decrees who is allowed access. Such policies are called mandatory. Warning: There exist other interpretations of discretionary and mandatory. MT5104 - Computer Security - Access Control

Protection Rings • Every subject and object is assigned a number, depending on its importance. • Example: QNX/Neutrino microkernel • 0 … Neutrino microkernel resides/executes/runs in ring 0 • 1 … Neutrino process manager runs in ring 1 • 3 … all other programs run in ring 3 • To make an access control decision, compare the numbers of the subject and the object. 0 1 2 3 MT5104 - Computer Security - Access Control

Partial orderings • A partial ordering (‘less or equal’) on a set L is relation on LL that is • reflexive: for all aL, aa • transitive: for all a,b,cL, if ab and bc, then ac • antisymmetric: for all a,bL, if ab and ba, then a=b • An example for a partial ordering is the subset relation  on a power set P(C). • When L is a set of security labels that has a partial ordering, access control decisions can be made by comparing the labels of subjects and objects. MT5104 - Computer Security - Access Control

Abilities in the VSTa Microkernel • The VSTa microkernel uses (cap)abilities for access control. A VSTa (cap)ability is a data structure of the form .i1.i2.  .in where i1,…,in are integers. • Examples for abilities: .1, .1.2, .1.2.3, .4, .10.0.0.5 . • Abilities can be ordered through the prefix relation: • Ability a2 is a prefix of ability a1 if there exists another ability a3 so that a1 = a2a3. In this case, write a2a1. • For example: .1  .1.2  .1.2.3 but not .1  .4 ! • The empty string  is the prefix of any ability. In a security policy that grants access if the ability of the subject is a prefix of the ability of the object, a subject without an ability has access to every object. MT5104 - Computer Security - Access Control

Towards Lattices • In a partial ordering of security labels, not every pair of labels is comparable. • Assume that a subject may observe an object only if the subject’s label is higher than the object’s label. • Given two objects with different labels, what is the minimal label a subject must have to be allowed to observe both objects? • Given two subjects with different labels, what is the maximal label an object can have so that it still can be observed by both subjects? • Lattices are a mathematical structure where these questions have unique answers. MT5104 - Computer Security - Access Control

The Lattice (L,) • A lattice (L,) is a set L with a partial ordering  so that for every two elements a,b  L , there exists • a least upper boundu  L: a  u, b  u, and for all v  L: (a  v  b  v) u  v • a greatest lower boundl  L: l  a, l  b, and for all k  L: (k  a  k  b) k  l . • If a  b, we say ‘a is dominated by b’ or ‘b dominates a’. • The label dominated by all other labels is called System Low. The label dominating all other labels is called System High. • When L is a finite set, the elements System Low and System High exist and are unique. • Further reading: Denning, Chapter 5; Pfleeger, Chapter 7. MT5104 - Computer Security - Access Control

Lattices - Example 1 • The integers with the ordering  form a lattice: • The l.u.b. of integers a,b is the maximum of a and b. • The g.l.b. of integers a,b is the minimum of a and b. • There exist no elements System Low or System High • The natural numbers with the ordering ‘divides by’ form a lattice: • The l.u.b. of integers a,b is the least common multiple of a and b. • The g.l.b. of integers a,b is the greatest common divisor of a and b. • There exists an element System Low. MT5104 - Computer Security - Access Control

Lattices - Example 2 • The lattice (P({a,b,c}), ), i.e. the power set of {a,b,c}, with the subset relation as partial ordering • least upper bound: union of two sets • greatest lower bound: intersection of two sets {a,b,c} {a,b} {a,c} {b,c} {a} {b} {c} {} MT5104 - Computer Security - Access Control

A lattice for a firewall A ‘flat’ lattice: More Lattices root system high uid1 uid2 uid3 inside outside guest system low MT5104 - Computer Security - Access Control

No upper bound for D and E No unique least upper bound for B and C Not a Lattice F D E D E B C B C A A MT5104 - Computer Security - Access Control

Multi level security (MLS) • MLS: access control based on a partial ordering (or lattice) of security levels (security labels). • Mandatory access control in the BLP model and in the Orange Book is based on such security labels. • Traditional: hierarchical security levels: top secret secret confidential unclassified MT5104 - Computer Security - Access Control

Compartments • In multi-level security, the following lattice is often used. • H is a hierarchical (linear) ordering of security levels. • C is a set of categories, e.g. project names, company divisions, academic departments, etc. • A compartment is a set of categories. • A security label is a pair (h,c), where hH is a security level and cC is a compartment. • The partial ordering  is defined by (h1,c1)  (h2,c2), if and only if h1h2 and c1 c2 . • Such lattices are used to implement need to know policies. MT5104 - Computer Security - Access Control

Compartments - Example • Two hierarchical levels: public, private • Two categories: PERSONNEL, ENGINEERING • The following relations hold: • (public, {PERSONNEL})  (private, {PERSONNEL}) • (public, {PERSONNEL})  (public,{PERSONNEL,ENGINEERING}) • (public, {PERSONNEL}) NOT  (private, {ENGINEERING}) MT5104 - Computer Security - Access Control

State Machine Models • State machines (automata) are a popular tool for modeling many aspects of computing systems. • State machines are the basis for some important security models. • The essential features of a state machine model are the concepts of a state and of state transitions occurring a discrete points in time. • A state is a representation of the system under investigation at one moment in time. It should capture exactly those aspects of the system relevant to the problem. • The state transition (next state)-function defines the next state depending on the present state and the input. An output may also be produced. MT5104 - Computer Security - Access Control

Exercises • How are access control lists set up in Windows 2000? • What are the differences between groups and roles, if there are any differences at all? • Explain why our partial ordering of abilities does not constitute a lattice. Convert the partial ordering into a lattice by adding to the set of abilities any further elements you need. • Construct the lattice of security labels for the security levels public, confidential, and strictly confidential, and for the categories ADMIN, LECTURERS, and STUDENTS. Which objects are visible to a subject with security label (confidential,{STUDENTS}) in a need-to-know policy? How many labels can be constructed from n security levels and m categories? For illustration, consider the values n=16 and m=64. MT5104 - Computer Security - Access Control

Further reading • Denning, D.E.: Cryptography and Security, Addison-Wesley, 1982 • Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in Distributed Systems: Theory and Practice, ACM Transactions on Computer Systems, vol. 10, 1992, pages 265-310 • Sandhu, R.S. and Coyne, E.J. and Feinstein, H.L. Youman, C.E.: Role-Based Access Control Models, IEEE Computer, vol. 29, February 1996 , pages 38-47 • Sandhu, R.S.: Lattice-Based Access Control Models, IEEE Computer, vol. 26, November 1993, pages 9-19 • www.qnx.com/literature/nto_sysarch/nto_sysarch.html • www.zendo.com/vsta/vsta_intro.html MT5104 - Computer Security - Access Control

Access Control

Access Control

Presentation Transcript

Access Control

Access Control

Access Control

Access Control

Access Control

Access Control

Access Control

Access Control

Access Control

Access Control

Access Control

Access control

Access Control

Access Control

Access Control

Access Control

Access Control

Access control

ACCESS CONTROL

Access Control

Access Control