Access Control - PowerPoint PPT Presentation
Access Control
  • Our working definition: Computer security deals with the prevention and detection of unauthorised actions by users of a computer system.
  • Computer systems control access to data and shared resources, like memory, printers, etc., more often for reasons of integrity than for confidentiality.
  • Access control is at the core of computer security.

MT5104 - Computer Security - Access Control

Background
  • Computer systems and their use have changed over the last decades.
  • Traditional multi-user operating systems provide generic services to a wide variety of users and do not ‘know’ about the meaning of the files they handle.
  • Modern PC operating systems support individual users in performing their job. Access operations are complex and application specific. Users are not interested in the lower level details of the execution of their programs.
  • It is often difficult to map high level security requirements to low level security controls.

The Agenda for Today
  • Terminology for access control
  • Basic access control structures: ACLs, capabilities, etc.
  • New paradigms
  • Mathematical concepts – partial orderings and lattices
  • Exercises and further reading

A Model for Access Control

Figure (reconstructed from the slide): a principal, the source of a request, performs an operation by sending the request to a reference monitor, the guard, which decides whether the request may reach the object, the resource.

  principal (source) --- do operation (request) ---> reference monitor (guard) ---> object (resource)

Lampson et al.: Authentication in Distributed Systems: Theory and Practice, ACM ToCS, 1992

Authentication and Authorisation
  • If s is a statement, authentication answers the question ‘Who said s?’ with a principal. Thus principals make statements; this is what they are for.
  • Likewise, if o is an object, authorisation answers the question ‘Who is trusted to access o?’ with a principal.

Principals and Subjects
  • ‘Principal’ and ‘subject’ are both used to denote the active entity in an access operation.
  • The word ‘principal’ has many different meanings and is the source of much confusion:
    • Principals are subjects in the TCSEC sense, but not all subjects are principals. [Morrie Gasser, 1989]
    • Principals are public keys. [SDSI, 1996]
    • The term principal represents a name associated with a subject. Since subjects may have multiple names, a subject essentially consists of a collection of principals. [Li Gong, 1999]

My Recommendation
  • Policy: A principal is an entity that can be granted access to objects or can make statements affecting access control decisions.
  • System: Subjects operate on behalf of (human users we call) principals, and access is based on the principal’s name bound to the subject in some unforgeable manner at authentication time.

Basic Terminology
  • Subject/Principal: active entity – user or process
  • Object: passive entity – file or resource
  • Access operations: read, write, ...
  • Access operations vary from basic memory access to method calls in an object-oriented system.
  • Comparable systems may use different access operations or attach different meanings to operations which appear to be the same.

Changing Focus
  • Subjects and objects provide a different focus of control (first design principle):
    • What is the subject allowed to do?
    • What may be done with an object?
  • Traditionally, multi-user operating systems manage files and resources, i.e. objects. Access control takes the second approach.
  • Application oriented IT systems, like database management systems, offer services directed to the user and may well control the actions of subjects.

Access Modes
  • On the most elementary level, a subject may
      • observe an object, or
      • alter an object.
  • Observe and Alter are called access modes.
  • At the next level of complexity, we find the access rights of the Bell-LaPadula security model and the access attributes of the Multics operating system.

Access Rights in BLP
  • The four Bell-LaPadula access rights:
      • execute
      • read
      • append, also called blind write
      • write
  • Mapping between access rights and access modes:

                execute   append   read   write
    Observe        -        -       X      X
    Alter          -        X       -      X
Rationale
  • In a multi-user O/S, users open files to get access. Files are opened for read access or for write access so that the O/S can avoid conflicts like two users simultaneously writing to the same file.
  • Write access usually includes read access. A user editing a file should not be asked to open it twice. Hence, the write right includes Observe and Alter mode.
  • Few systems actually implement append. Allowing users to alter an object without observing its content is rarely useful (exception: audit log).
  • A file can be used without being opened (read). Example: use of a cryptographic key. This can be expressed by an execute right that includes neither Observe nor Alter mode.

Multics
  • Multics has access attributes for data segments and access attributes for directory segments:

    Data segments                 Directory segments
    read              r           status              r
    execute           e, r        search              e
    read and write    w           status & modify     w
    write             a           append              a

  • Bell-LaPadula access rights: e, r, a, w

Unix
  • Access control expressed in terms of three operations:
    • read: read from a file
    • write: write to a file
    • execute: execute a file
  • Applied to a directory, the access operations take this meaning:
    • read: list contents
    • write: create or rename files in the directory
    • execute: search directory
  • These operations differ from the Bell-LaPadula model. E.g., Unix write access does not imply read access.

Lesson: Do not use your own intuition when interpreting access operations someone else has defined!
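The two Unix points above (write does not imply read; the same bits mean something else on a directory), worked through as an added example that is not part of the slides: a constructed model of the classic Unix permission check placed next to the BLP right-to-mode mapping from the earlier slide. The uid/gid values and mode bits are sample inputs chosen for the example; the function names are the example's own.

```python
import stat

# Added example, not from the slides. A constructed model of the Unix
# permission decision for the three operations on the slide, used to show
# the points an intuition trained on BLP gets wrong: Unix write does not
# include read, and the same bits mean list/create/search on a directory.

READ, WRITE, EXECUTE = "read", "write", "execute"

# Which mode bit each operation needs, per class (owner, group, others).
_BITS = {
    READ:    (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    WRITE:   (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    EXECUTE: (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}

# What the same three operations mean when the object is a directory.
DIRECTORY_MEANING = {
    READ:    "list contents",
    WRITE:   "create or rename files in the directory",
    EXECUTE: "search the directory",
}

# BLP rights mapped to the Observe/Alter access modes of the slides.
BLP_MODES = {
    "execute": frozenset(),
    "read":    frozenset({"observe"}),
    "append":  frozenset({"alter"}),
    "write":   frozenset({"observe", "alter"}),
}


def unix_permits(mode, owner_uid, owner_gid, uid, gids, op):
    """Classic (non-root) Unix decision for subject (uid, gids) on an object
    with permission bits `mode`, owned by owner_uid:owner_gid.

    Exactly one class of bits is consulted: the owner bits if uid is the
    owner, else the group bits if the object's group is among the subject's
    groups, else the 'others' bits. A more generous class further down is
    never consulted, which is why mode 0o077 locks the owner out.
    """
    usr, grp, oth = _BITS[op]
    if uid == owner_uid:
        return bool(mode & usr)
    if owner_gid in gids:
        return bool(mode & grp)
    return bool(mode & oth)


def unix_write_read(mode, owner_uid, owner_gid, uid, gids):
    """(may write, may read) for one subject, so a write-without-read case
    is visible as (True, False)."""
    return (unix_permits(mode, owner_uid, owner_gid, uid, gids, WRITE),
            unix_permits(mode, owner_uid, owner_gid, uid, gids, READ))


def blp_write_implies_read():
    """Under the BLP mapping the write right covers every mode read covers."""
    return BLP_MODES["read"] <= BLP_MODES["write"]


if __name__ == "__main__":
    alice, alice_gid = 1000, 1000
    # A write-only file (mode 0200): Alice can alter it but not observe it.
    print("0o200 owner (write, read):", unix_write_read(0o200, alice, alice_gid, alice, {alice_gid}))
    # Owner locked out of her own file although 'others' may read it.
    print("0o077 owner read:", unix_permits(0o077, alice, alice_gid, alice, {alice_gid}, READ))
    print("0o077 other read:", unix_permits(0o077, alice, alice_gid, 2000, {2000}, READ))
    # Directory 0o711: others may search (traverse) it but not list it.
    for op in (READ, EXECUTE):
        print(f"0o711 dir, other {op} ({DIRECTORY_MEANING[op]}):",
              unix_permits(0o711, alice, alice_gid, 2000, {2000}, op))
    print("BLP write implies read:", blp_write_implies_read())
```

The first-matching-class rule is the part worth remembering when reading someone else's ACL semantics: on Unix a subject is never evaluated against a more permissive class than the one its identity selects, so a 0o077 file is unreadable by its own owner while everybody else can read it.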

More operations
  • Creation and deletion of files
  • Change of security parameters:
    • by default rules
    • explicit access operations (like grant and revoke)
  • Exercise: List the access operations in the Windows NTFS file system.

Creation and Deletion of Files
  • Can be governed by access control on the directory (Unix)
  • Can be governed by explicit access operation (OpenVMS, Windows)
  • When a new object is created, in many operating systems the subject (principal) creating the object becomes its owner.
  • Ownership is an aspect often considered in access control rules.

Access Control Structures
  • Requirements on access control structures:
    • The access control structure should help to express your desired access control policy.
    • You should be able to check that your policy has been captured correctly.
  • Access rights can be defined individually for each combination of subject and object.
  • For large numbers of subjects and objects, such structures are cumbersome to manage. Intermediate levels of control are preferable.

Access Control Matrix
  • Notation
    • S … set of subjects
    • O … set of objects
    • A … set of access operations
  • Access control matrix: M = (M_so)_{s∈S, o∈O}, with M_so ⊆ A.
  • The entry M_so specifies the operations subject s may perform on object o.

              bill.doc        edit.exe    fun.com
    Alice     -               {exec}      {exec,read}
    Bob       {read,write}    {exec}      {exec,read,write}

Access Control Matrix ctd.
  • The access control matrix is
    • an abstract concept
    • not very suitable for direct implementation
    • not very convenient for managing security
  • How do you answer the question: Has your security policy been implemented correctly?
  • Bell LaPadula (and Orange Book): access control matrix defines discretionary access control (DAC).
  • Warning: ‘discretionary’ is not always used in this particular meaning.

Capabilities
  • Focus on the subject
    • access rights are stored with the subject
    • capabilities correspond to rows of the access control matrix
  • Subjects may grant rights to other subjects. Subjects may grant the right to grant rights.
  • Problems:
    • How to check who may access a specific object?
    • How to revoke a capability?
  • Distributed system security has created renewed interest in capabilities.

    Alice: edit.exe: {exec}, fun.com: {exec,read}

Access Control Lists (ACLs)
  • Focus on the object
    • access rights are stored with the object
    • ACLs correspond to columns of the access control matrix
  • Access rights are often defined for groups of users.
    • Unix: owner, group, others
    • VMS: owner, group, world, system
  • Problem: How to check access rights of a specific subject?
  • ACLs are typical for secure operating systems of Orange Book class C2.

    fun.com: Alice: {exec}, Bob: {exec,read,write}

Intermediate Controls
  • Intermediate controls facilitate better security management.
  • To deal with complexity, introduce more levels of indirection.

    Figure (reconstructed from the slide): users → roles → procedures → data types → objects

Groups and Negative Permissions
  • Groups are an intermediate layer between users and objects.
  • To deal with special cases, negative permissions withdraw rights.

    Figure (reconstructed from the slide): users → groups → objects, shown once with group permissions only and once with negative permissions that withdraw rights from individual users.

Role Based Access Control (RBAC)
  • Several intermediate concepts can be inserted between subjects and objects
    • Roles: collection of procedures assigned to users; a user can have more than one role and more than one user can have the same role.
    • Procedures: ‘high level’ access control methods with more complex semantics than read or write; procedures can only be applied to objects of certain data types; example: funds transfer between bank accounts.
    • Data types: each object is of a certain data type and can be accessed only through procedures defined for this data type.

RBAC continued
  • RBAC itself does not have a generally accepted meaning, and it is used in different ways by different vendors and users.
  • Controlling access to an object by restricting the procedures that may access this object is a general programming practice. It is a fundamental concept in the theory of abstract data types and object-oriented programming.
  • Examples: user profiles in IBM’s OS/400; global groups and local groups in Windows NT.

New Paradigms
  • In today’s IT environment (the World Wide Web), the source of a request (e.g. an applet) is not always a useful access control parameter.
  • New security attributes are:
    • location (network address)
    • code identity,
    • code author (code signing),
    • proof carrying code, …
  • What will become of principals and authentication?

Who Sets the Policy?

Security policies specify how subjects are given access to objects. There are two options for deciding who is in charge of setting the policy:

  • The owner of a resource decrees who is allowed access. Such policies are called discretionary as access control is at the owner’s discretion.
  • A system wide policy decrees who is allowed access. Such policies are called mandatory.

Warning: There exist other interpretations of discretionary and mandatory.

Protection Rings
  • Every subject and object is assigned a number, depending on its importance.
  • Example: QNX/Neutrino microkernel
    • 0 … the Neutrino microkernel runs in ring 0
    • 1 … the Neutrino process manager runs in ring 1
    • 3 … all other programs run in ring 3
  • To make an access control decision, compare the numbers of the subject and the object.

    Figure (reconstructed from the slide): concentric rings numbered 0 (innermost, most privileged) to 3 (outermost).

Partial orderings
  • A partial ordering ≤ (‘less or equal’) on a set L is a relation on L×L that is
    • reflexive: for all a∈L, a≤a
    • transitive: for all a,b,c∈L, if a≤b and b≤c, then a≤c
    • antisymmetric: for all a,b∈L, if a≤b and b≤a, then a=b
  • An example for a partial ordering is the subset relation ⊆ on a power set P(C).
  • When L is a set of security labels that has a partial ordering, access control decisions can be made by comparing the labels of subjects and objects.

Abilities in the VSTa Microkernel
  • The VSTa microkernel uses (cap)abilities for access control. A VSTa (cap)ability is a data structure of the form .i1.i2.….in where i1,…,in are integers.
  • Examples for abilities: .1, .1.2, .1.2.3, .4, .10.0.0.5
  • Abilities can be ordered through the prefix relation:
    • Ability a2 is a prefix of ability a1 if there exists another ability a3 so that a1 = a2a3 (concatenation). In this case, write a2 ≤ a1.
  • For example: .1 ≤ .1.2 ≤ .1.2.3, but not .1 ≤ .4 !
  • The empty string ε is the prefix of any ability. In a security policy that grants access if the ability of the subject is a prefix of the ability of the object, a subject without an ability has access to every object.
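The prefix ordering on abilities, as an added example (not VSTa's code): a checker for the three partial-ordering axioms from the previous slide, a least-upper-bound search that finds nothing for .1 and .4 (so the ordering is not a lattice, which is the exercise at the end), and the policy from the last bullet, with the empty-ability case both as the slide states it and in a strict variant that refuses an empty ability. The strict variant, the sample ability set and the function names are this example's assumptions.

```python
from itertools import product

# Added example, not VSTa's own code. Abilities are tuples of integers; ()
# is the empty ability epsilon. The prefix ordering is the slide's; the
# strict policy variant is an assumption of this example.


def parse_ability(text):
    """'.1.2.3' -> (1, 2, 3); '' (epsilon) -> ()."""
    return tuple(int(part) for part in text.split(".") if part != "")


def is_prefix(a2, a1):
    """a2 <= a1 iff a1 = a2 + a3 for some ability a3, i.e. a2 is a prefix of a1."""
    return a1[:len(a2)] == a2


def is_partial_order(elems, le):
    """(True, '') if le is reflexive, transitive and antisymmetric on elems,
    else (False, reason naming the offending elements)."""
    elems = list(elems)
    for a in elems:
        if not le(a, a):
            return False, f"not reflexive at {a}"
    for a, b in product(elems, repeat=2):
        if le(a, b) and le(b, a) and a != b:
            return False, f"not antisymmetric at {a}, {b}"
    for a, b, c in product(elems, repeat=3):
        if le(a, b) and le(b, c) and not le(a, c):
            return False, f"not transitive at {a}, {b}, {c}"
    return True, ""


def least_upper_bound(elems, le, a, b):
    """The least element of elems above both a and b, or None if there is none."""
    ubs = [u for u in elems if le(a, u) and le(b, u)]
    least = [u for u in ubs if all(le(u, v) for v in ubs)]
    return least[0] if len(least) == 1 else None


def greatest_lower_bound(elems, le, a, b):
    """The greatest element of elems below both a and b, or None."""
    lbs = [l for l in elems if le(l, a) and le(l, b)]
    greatest = [l for l in lbs if all(le(k, l) for k in lbs)]
    return greatest[0] if len(greatest) == 1 else None


def subject_may_access(subject_ability, object_ability):
    """The slide's policy: grant iff the subject's ability is a prefix of the
    object's. With the empty ability () this grants every object."""
    return is_prefix(subject_ability, object_ability)


def subject_may_access_strict(subject_ability, object_ability):
    """Assumed hardening for this example: an empty ability grants nothing."""
    return bool(subject_ability) and is_prefix(subject_ability, object_ability)


# Constructed sample: the slide's abilities plus epsilon and .1.3.
ABILITIES = [parse_ability(t) for t in ("", ".1", ".1.2", ".1.2.3", ".1.3", ".4", ".10.0.0.5")]

if __name__ == "__main__":
    print("partial order:", is_partial_order(ABILITIES, is_prefix))
    print("lub(.1, .4):", least_upper_bound(ABILITIES, is_prefix, (1,), (4,)))
    print("glb(.1.2, .1.3):", greatest_lower_bound(ABILITIES, is_prefix, (1, 2), (1, 3)))
    print("epsilon subject on .10.0.0.5 (slide policy / strict):",
          subject_may_access((), (10, 0, 0, 5)),
          subject_may_access_strict((), (10, 0, 0, 5)))
```

Because ε is below every ability, greatest lower bounds always exist (`glb(.1, .4)` is ε), but two abilities that diverge at any position have no upper bound at all; that is why the exercise asks you to add elements before this ordering can become a lattice.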

Towards Lattices
  • In a partial ordering of security labels, not every pair of labels is comparable.
  • Assume that a subject may observe an object only if the subject’s label is higher than the object’s label.
    • Given two objects with different labels, what is the minimal label a subject must have to be allowed to observe both objects?
    • Given two subjects with different labels, what is the maximal label an object can have so that it still can be observed by both subjects?
  • Lattices are a mathematical structure where these questions have unique answers.

The Lattice (L,≤)
  • A lattice (L,≤) is a set L with a partial ordering ≤ so that for every two elements a,b ∈ L there exists
    • a least upper bound u ∈ L: a ≤ u, b ≤ u, and for all v ∈ L: (a ≤ v and b ≤ v) implies u ≤ v
    • a greatest lower bound l ∈ L: l ≤ a, l ≤ b, and for all k ∈ L: (k ≤ a and k ≤ b) implies k ≤ l.
  • If a ≤ b, we say ‘a is dominated by b’ or ‘b dominates a’.
  • The label dominated by all other labels is called System Low. The label dominating all other labels is called System High.
  • When L is a finite (non-empty) set, the elements System Low and System High exist and are unique.
  • Further reading: Denning, Chapter 5; Pfleeger, Chapter 7.

Lattices - Example 1
  • The integers with the ordering ≤ form a lattice:
    • The l.u.b. of integers a,b is the maximum of a and b.
    • The g.l.b. of integers a,b is the minimum of a and b.
    • There exist no elements System Low or System High.
  • The natural numbers with the ordering ‘divides’ (a ≤ b if and only if a divides b) form a lattice:
    • The l.u.b. of integers a,b is the least common multiple of a and b.
    • The g.l.b. of integers a,b is the greatest common divisor of a and b.
    • There exists an element System Low (the number 1, which divides every natural number).

Lattices - Example 2
  • The lattice (P({a,b,c}), ⊆), i.e. the power set of {a,b,c} with the subset relation as partial ordering:
    • least upper bound: union of two sets
    • greatest lower bound: intersection of two sets

    Hasse diagram (reconstructed from the slide; a set is below every set that contains it):

                  {a,b,c}
          {a,b}    {a,c}    {b,c}
           {a}      {b}      {c}
                    {}

More Lattices

  A ‘flat’ lattice (reconstructed from the slide): root on top, the mutually incomparable labels uid1, uid2, uid3 in the middle, guest at the bottom.

                root
        uid1    uid2    uid3
                guest

  A lattice for a firewall (reconstructed from the slide): system high on top, the incomparable labels inside and outside in the middle, system low at the bottom.

             system high
        inside        outside
             system low
Not a Lattice

  Two partial orderings that are not lattices (reconstructed from the slide; an element drawn above another and connected to it is the greater one).

  No upper bound for D and E:

        D       E
        B       C
            A

  (Nothing lies above both D and E, so they have no common upper bound, let alone a least one.)

  No unique least upper bound for B and C:

            F
        D       E
        B       C
            A

  (D, E and F are all upper bounds of B and C, but D and E are incomparable, so neither of them is the least upper bound, and F is not the least either.)
Multi level security (MLS)
  • MLS: access control based on a partial ordering (or lattice) of security levels (security labels).
  • Mandatory access control in the BLP model and in the Orange Book is based on such security labels.
  • Traditional: hierarchical security levels, ordered top secret > secret > confidential > unclassified.

Compartments
  • In multi-level security, the following lattice is often used.
    • H is a hierarchical (linear) ordering of security levels.
    • C is a set of categories, e.g. project names, company divisions, academic departments, etc.
    • A compartment is a set of categories.
    • A security label is a pair (h,c), where h∈H is a security level and c⊆C is a compartment.
    • The partial ordering ≤ is defined by (h1,c1) ≤ (h2,c2) if and only if h1 ≤ h2 and c1 ⊆ c2.
  • Such lattices are used to implement need to know policies.

Compartments - Example
  • Two hierarchical levels: public, private
  • Two categories: PERSONNEL, ENGINEERING
  • The following relations hold:
    • (public, {PERSONNEL}) ≤ (private, {PERSONNEL})
    • (public, {PERSONNEL}) ≤ (public, {PERSONNEL,ENGINEERING})
    • (public, {PERSONNEL}) NOT ≤ (private, {ENGINEERING})

State Machine Models
  • State machines (automata) are a popular tool for modeling many aspects of computing systems.
  • State machines are the basis for some important security models.
  • The essential features of a state machine model are the concepts of a state and of state transitions occurring at discrete points in time.
  • A state is a representation of the system under investigation at one moment in time. It should capture exactly those aspects of the system relevant to the problem.
  • The state transition (next state)-function defines the next state depending on the present state and the input. An output may also be produced.

Exercises
  • How are access control lists set up in Windows 2000?
  • What are the differences between groups and roles, if there are any differences at all?
  • Explain why our partial ordering of abilities does not constitute a lattice. Convert the partial ordering into a lattice by adding to the set of abilities any further elements you need.
  • Construct the lattice of security labels for the security levels public, confidential, and strictly confidential, and for the categories ADMIN, LECTURERS, and STUDENTS. Which objects are visible to a subject with security label (confidential,{STUDENTS}) in a need-to-know policy? How many labels can be constructed from n security levels and m categories? For illustration, consider the values n=16 and m=64.
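The compartment lattice from the Compartments slides and the last exercise above, as an added example that is not part of the slides: labels as (level, compartment) pairs, the dominance test, least upper and greatest lower bounds (the two questions from the Towards Lattices slide), the need-to-know visibility check and the label count n·2^m. The level and category names come from the compartments example and the exercise; the function names are this example's own.

```python
from itertools import chain, combinations

# Added example, not from the slides. Labels are (h, c) pairs: h is a level
# from a list H ordered low to high, c is a compartment (set of categories).


def level_index(levels, h):
    """Position of h in the linear ordering H (levels listed low to high)."""
    return levels.index(h)


def dominates(higher, lower, levels):
    """(h1,c1) <= (h2,c2) iff h1 <= h2 in H and c1 is a subset of c2.
    Called as dominates(label2, label1, levels): does label2 dominate label1?"""
    h2, c2 = higher
    h1, c1 = lower
    return level_index(levels, h1) <= level_index(levels, h2) and frozenset(c1) <= frozenset(c2)


def lub(a, b, levels):
    """Least upper bound: the higher level and the union of the compartments."""
    (ha, ca), (hb, cb) = a, b
    h = max(ha, hb, key=lambda x: level_index(levels, x))
    return (h, frozenset(ca) | frozenset(cb))


def glb(a, b, levels):
    """Greatest lower bound: the lower level and the intersection."""
    (ha, ca), (hb, cb) = a, b
    h = min(ha, hb, key=lambda x: level_index(levels, x))
    return (h, frozenset(ca) & frozenset(cb))


def all_labels(levels, categories):
    """Every (h, compartment) pair: |H| * 2^|C| labels in total."""
    cats = sorted(categories)
    subsets = chain.from_iterable(combinations(cats, k) for k in range(len(cats) + 1))
    compartments = [frozenset(s) for s in subsets]
    return [(h, c) for h in levels for c in compartments]


def label_count(n_levels, m_categories):
    """The closed form behind all_labels: n * 2^m."""
    return n_levels * 2 ** m_categories


def may_observe(subject, obj, levels):
    """Need-to-know: a subject observes an object only if the subject's label
    dominates the object's label."""
    return dominates(subject, obj, levels)


def visible_labels(subject, levels, categories):
    """All object labels a subject with the given label may observe."""
    return [l for l in all_labels(levels, categories) if may_observe(subject, l, levels)]


def minimal_subject_label(objects, levels):
    """Least label a subject needs to observe every given object: the l.u.b.
    of the objects' labels (the first question on the Towards Lattices slide)."""
    it = iter(objects)
    acc = next(it)
    for o in it:
        acc = lub(acc, o, levels)
    return acc


if __name__ == "__main__":
    # Data from the compartments example slide.
    L2 = ["public", "private"]
    print(dominates(("private", {"PERSONNEL"}), ("public", {"PERSONNEL"}), L2))
    print(dominates(("private", {"ENGINEERING"}), ("public", {"PERSONNEL"}), L2))
    print(lub(("public", {"PERSONNEL"}), ("private", {"ENGINEERING"}), L2))
    # Data from the exercise.
    L3 = ["public", "confidential", "strictly confidential"]
    C3 = {"ADMIN", "LECTURERS", "STUDENTS"}
    print(len(all_labels(L3, C3)), label_count(3, 3), label_count(16, 64))
    for label in visible_labels(("confidential", {"STUDENTS"}), L3, C3):
        print("visible:", label)
```

For the exercise's subject (confidential, {STUDENTS}) the visible labels are the four with level public or confidential and compartment {} or {STUDENTS}; with n=16 levels and m=64 categories the lattice has 16·2^64 = 2^68 labels, which is why real systems never enumerate it and instead evaluate dominance pairwise as `dominates` does.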

Further reading
  • Denning, D.E.: Cryptography and Data Security, Addison-Wesley, 1982
  • Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in Distributed Systems: Theory and Practice, ACM Transactions on Computer Systems, vol. 10, 1992, pages 265-310
  • Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-Based Access Control Models, IEEE Computer, vol. 29, February 1996, pages 38-47
  • Sandhu, R.S.: Lattice-Based Access Control Models, IEEE Computer, vol. 26, November 1993, pages 9-19
  • www.qnx.com/literature/nto_sysarch/nto_sysarch.html
  • www.zendo.com/vsta/vsta_intro.html
