access control models and policies n.
Skip this Video
Loading SlideShow in 5 Seconds..
Access control models and policies PowerPoint Presentation
Download Presentation
Access control models and policies

Loading in 2 Seconds...

play fullscreen
1 / 30

Access control models and policies - PowerPoint PPT Presentation

  • Uploaded on

Access control models and policies. Aalto University , autumn 2013. Outline. Access control Discretionary AC Mandatory AC Other AC models. Models and terminology for thinking about security policies. Access control. Access control (AC). Subjects request actions on objects

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Access control models and policies' - violet

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
access control models and policies

Access control models and policies

Aalto University, autumn 2013

  • Access control
  • Discretionary AC
  • Mandatory AC
  • Other AC models

Models and terminology for thinking about security policies

access control ac
Access control (AC)
  • Subjects request actions on objects
    • Alice wants to read a file
    • Bob wants to update account balance
    • Process wants to open a socket
  • AC = authentication + authorization
    • authentication = verifying the identity of the subject
    • authorization = checking that the subject has the right to perform the requested action on the subject
reference monitor
Reference monitor

Audit trail

  • Reference monitor controls access by subjects to objects
    • Grants or denies access requests
    • Logs events to audit trail
    • Follows rules set by administrators (i.e. implements a policy)
  • Trusted computing base (TCB) = all system components that need to be trusted to implement access control
    • Security kernel = implementation of reference monitor in an OS
  • But more about the implementation later; now we are talking about policies

Reference monitor




Access rules

access control matrix
Access control matrix
  • Access control matrix is the simplest, most general AC model
  • M : Subjects × Objects → P(Actions)
  • Subject Sis allowed to request action Aon object OiffA ∈ M(S,O)
  • AC matrix represents the protection state of a system
discretionary access control dac
Discretionary access control (DAC)
  • Data owners, usually users, set access rights
  • Subjects are trusted to make decisions about sharing access rights
    • Users decide who is allowed to access their files
    • User or process that can read a secret file can also shareit e.g. by email
  • DAC is also called identity-based AC: rights are assigned to users
  • Typical in commercial and consumer systems
  • There may be a policy against sharing and access may be audited, but the policy is not enforced technically
  • Examples of DAC outside computers:
    • Person with a key can open the door to others; door keys can be shared and copied
    • Tell your friend a secret on the condition that he does not tell it to anyone else
access control list acl
Access control list (ACL)
  • ACL = list of the access rights associated with an object
  • ACLs are another way to represent the AC matrix: one row of the matrix is stored for each object
    • file1.txt ACL:Alice: { read, write }; Bob: { read }; Process 4567: { read, write }; Process 6789: { append }.
    • file2.txt ACL:Alice: { write }; Bob: { read }.
    • Socket s ACL:Process 6789: { open, read, write, close }.
  • ACL examples:
    • Key cards, table reservations, Windows file system
  • Capability = an access right associated with the subject
  • Capabilities are another way to represent the AC matrix: one column is stored for each subject
    • Alice’s capabilities:file1.txt: { read, write }; file2.txt: { write }.
    • Bob’s capabilities:file1.txt: { read };file2.txt: { read }.
    • Process 4567 capabilities:file1.txt: { read, write }.
    • Process 6789 capabilities:file1.txt: { append };Socket s: {open, read, write, close }.
  • Examples of capabilities:
    • metal keys, driver’s license, parking permit
mandatory access control mac
Mandatory access control (MAC)
  • Access rights are based on rules (i.e. policy) set by administration
  • The AC policy is enforced and cannot be changed by users
  • Subjects cannot leak access rights to others
    • User can read a secret file but cannot copy, print or email; file viewer application prevents cut-and-paste and screen shots
    • One process can access the Internet, another write files to the disk, neither is allowed to do both
  • MAC is also called rule-based AC
  • MAC originates from military policies
    • Intelligence officer may not be allowed to read his own reports
    • Officer can read a secret document but cannot take a copy out of the room
    • Officer who has had contact with foreign agents may lose access to classified information
mandatory access control mac1
Mandatory access control (MAC)
  • MAC has some uses in commercial systems
    • DRM: Alice can play the music she has purchased, but cannot share it
    • Malware isolation: Host firewall may block potential spyware from making outbound connections to prevent information leaks
  • Examples of MAC-like policies outside computers:
    • Biometric authentication prevents sharing of capabilities, e.g. photo on driver’s license or signature on credit card
    • Admit-one event tickets: UV stamps, shredding bracelets
    • In UK, jurors must not read newspapers or watch TV about the case so that they are not influenced by them
clearance and classification
Clearance and classification
  • Mandatory access control rules are often based on security labels on subjects and objects
    • Subject clearance
    • Object classification

l : (Subjects ∪ Objects) → Labels

  • MAC based on clearance and classification levels is also called multi-level security (MLS)
  • Simple security property: S can read O iff l(S) ≥ l(O)

Top secret






bell lapadula model
Bell-LaPadula model
  • Bell-LaPadula (BLP) is a MAC policy for protecting secrets
    • Military security model for computers; military is mostly concerned with protecting secrets
    • Observation: the simple security property is not sufficient to prevent secrets from leaking
  • Bell-LaPadula rules:

Simple security property: S can read O iff l(S) ≥ l(O)

*-property: S can write O iff l(O) ≥ l(S)

  • Also called: no read up, no write down
biba model
Biba model
  • In computer systems, integrity of data and the system is often more important than confidentiality
    • Which is more important in a bank IT system?
  • Biba is a MAC policy for protecting integrity of data
  • Biba rules:

S can write O iff l(S) ≥ l(O)

S can read O iff l(O) ≥ l(S)

  • Also called: no write up, no read down
information flow security
Information flow security
  • BLP and Biba are information flow policies
    • BLP prevents flow of information from high to low
    • Biba prevents flow if information from low to high
  • Information flow policies are the basis for many security proofs. Typical proofs show non-interference:
    • view of one subject is not affected by the data of the other
    • low output does not depend on high input, orhigh output does not depend on low input
  • How to use BLP and Biba in the same system?

high input


high output

low input

low output

high water mark low water mark
High water mark, low water mark
  • How to classify an object that is created combining low and high information?

 High water mark policy for secrecy: always set the classification to the highest input

 Low water mark policy for integrity: always set the classification if to the lowest input

  • Problem:
    • Over time, all documents will become top secret with the lowest integrity level
upgrading and downgrading
Upgrading and downgrading
  • Upgrading, downgrading:
    • In practice, security levels need to be changed by humans
    • E.g. downgrading documents for publication
    • E.g. upgrading intelligence reports that aggregate a lot of low-level data
  • Documents may need to be sanitized i.e. redacted before downgrading
    • E.g. removing personal names from military documents before publication
  • Sanitization may be difficult
    • E.g. US military painting black box over text in PDF;AOL publishing anonymized web search data
    • High subjects can use covert channels to leak data intentionally, e.g. hide data in photos
clark wilson model
Clark-Wilson model
  • Data integrity cannot always be expressed in terms of MLS, i.e. who has access to what data
    • E.g. transfers between bank accounts must not change the total balance
  • Integrity in many commercial systems depends on following the correct procedures
  • Clark-Wilson model defines rules for commercial systems for how to maintain data integrity:
    • Transactions must transform data items from a consistent state to another consistent state
    • Auditing and procedural controls to enforce this

(The specific rules could be different in each system)

  • Clark-Wilson model has not really been implemented; it is important because of the idea of using accounting rules as a model for security policy
chinese wall model
Chinese Wall model
  • Conflicts of interest are common in business:
    • Consulting company, investment bank, or law office may be advising competing clients and must keep their information separate
    • The clients are assigned to different employees who do not speak to each other
  • To avoid conflicts of interest, the access control policy must take into account the information previously accessed by the subject
  • Chinese Wall model:
    • If subject S has previously accessed an object O1 and the objects O1 and O2 are in a conflict of interest, then S may not access O2
    • Idea: subject can fall to either side of the wall but cannot change sides later
separation of duty
Separation of duty
  • Chinese Wall is an example of separation of duty
  • Other separation of duty policies:
    • Expense claim requires two signatures: the claimant and an authorized approver, e.g. department manager; one person cannot act in both roles for the same expense claim
    • Auditors are often required to be from outside the company
    • Some safes have two locks, and the keys are given to two different persons
    • Lecturers issue grades to students but only study office staff can enter them into the study register
  • Unlike BLP and Biba, separation of duty policies are stateful
groups and roles
Groups and roles
  • Adding structure to policies
  • Group = set of subjects
    • E.g. Administrators, T-110.4206-students
    • Object ACL can list groups in addition to individual users
    • Both group membership and ACLs change over time
  • Role = set of permissions (i.e. permitted actions on objects)
    • E.g. Administrator, T-110.4206-teacher, SCI-professor
    • Roles are usually relatively static; their assignment to users changes
  • Both are forms of indirection






Objects × Actions

Roles orGroups

role based access control rbac
Role-based access control (RBAC)
  • NIST standard
  • Modeling high-level roles in an organization
    • E.g. Doctor, Nurse, Student, Lecturer, Course-assistant
    • Roles defined once; changed infrequently
  • Roles may be parameterized
    • E.g. Treating-doctor of Mr. Smith, Lecturer of T-110.4206, Student of T-110.4206
  • Roles may form a hierarchy with inheritance
    • E.g. Lecturer and Teaching-assistant are Teaching-staff
  • Roles are assigned to users for longer term but activated on demand for each session
  • Constraints on role assignment and activation can implement separation of duty

Example: University of Turku has implemented identity management based on RBACSource: (link broken)

still other access control models
Still other access control models
  • Originator-controlled AC (ORCON)
    • Creator of data retains control over access to it
  • Attribute-based AC
    • Access control is based in subject attributes instead of subject identity
    • AC = attribute verification + authorization
    • E.g. need to be 18 to buy tobacco; need to be an Aalto student to access course material
    • Enables anonymous access
  • Double-blinded review for scientific journals
  • Many other AC models have been proposed
reading material
Reading material
  • Dieter Gollmann: Computer Security, 2nd ed., chapters 4, 8, 9; 3rd ed. chapters 5–6
  • Edward Amoroso: Fundamentals of Computer Security Technology, chapters 6-13
  • Ross Anderson: Security Engineering, 2nd ed., chapter 8
  • What are the subjects, object and actions in Noppa?
  • Can you think of security mechanisms outside computers which would need MAC but actually implement DAC?
  • What security labels and MAC policy would be suitable for Noppa?
  • Give examples of systems that require confidentiality or integrity but not both.
  • Which AC model and what kind of security labels could be used to describe virtual machine isolation? What label would be hypervisor or VM monitor get?
  • Could you define different confidentiality labels and integrity labels and then use both Bell-LaPadula and Biba policies in the same system? Give an example.
  • Define RBAC roles that could be used in the implementations of Noppa.
  • To what extent can your RBAC policy (above) be implemented with groups?