access control - lersse-dl.ece.ubc.ca
Copyright © 2004-2005 Konstantin Beznosov
Access Control
Secure Application Development, Module 4
Konstantin Beznosov
What Do You Already Know?
What are the main elements of access control mechanisms?
What are the three main types of security policies?
What access control models do you know?
Outline
Access control mechanisms
Access Matrix
Security policies
• Confidentiality models
• Integrity models
• Hybrid models
Where We Are
Figure (map of security services): Protection comprises Authorization (Access Control, Data Protection), Accountability (Audit, Non-Repudiation) and Availability (Service Continuity, Disaster Recovery); Assurance comprises Requirements Assurance, Development Assurance, Operational Assurance and Design Assurance; Authentication and Cryptography are listed alongside. This module covers Access Control.
Authorization Mechanisms: Access Control
Definition: enforces the rules, when rule check is possible
Figure (reference monitor): a Subject (also called principal, user, client or initiator) requests an Action on an Object (also called resource or target: data, methods, a menu item). The Security Subsystem's Authorization Engine (access decision function, reference monitor) returns an Authorization Decision, i.e. an Entitlement.
Mix of terms: Authorization == Access Control Decision; Authorization Engine == Policy Engine
Access Matrix
Object System
Subjects are objects. Objects are not subjects.
Figure (access matrix of an object system): rows are the subjects Subject 1, Subject 2, Subject 3; columns are the objects OS, Subject 1, Subject 2, Subject 3, File 1, File 2, Process 1; entries hold rights such as owner, control, call, read, write and wakeup (some marked with *).
Access Matrix: Subjects (have access to objects) versus Objects (to be protected)
Access Matrix Structure
Subjects S = { s1, …, sn }
Objects O = { o1, …, om }
Rights R = { r1, …, rk }
The matrix has one row per subject s1 … sn and one column per object (entity) o1 … om, s1 … sn; subjects appear as objects too.
Entries A[si, oj] ⊆ R
A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
Example
Processes p, q; Files f, g; Rights r, w, x, a, o

      f      g      p       q
p     rwo    r      rwxo    w
q     a      ro     r       rwxo

Owner-based Discretionary Access Control (DAC)
Matrix Implementation Techniques
Figure: the matrix with rows s1 … sn (subjects) and columns o1 … om, s1 … sn (objects).
Storing a row gives a capability list (c-list): the rights one subject holds.
Storing a column gives an access control list (ACL): the subjects holding rights over one object.
Food for Thought
ACLs are good for revoking an individual’s access to a particular file.
• How hard is it to revoke a user’s access to a particular set of, but not all, files if ACLs are used?
• Compare and contrast this with the problem of revocation using capabilities.
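The two implementation techniques and the revocation question above, as an added example that is not part of the slides: the example matrix (processes p, q; files f, g; rights r, w, x, a, o) is stored as a matrix, projected into ACLs and capability lists, and then one subject's rights on some, but not all, objects are revoked.

```python
# Added example (not from the slides): the slides' example matrix stored as
# A[subject][object], projected into ACLs (columns) and c-lists (rows), plus a
# revocation of one subject's rights on a chosen subset of objects.
SUBJECTS = ["p", "q"]
OBJECTS = ["f", "g", "p", "q"]            # the processes are objects too

# A[s][o] is the set of rights subject s holds over object o.
A = {
    "p": {"f": {"r", "w", "o"}, "g": {"r"}, "p": {"r", "w", "x", "o"}, "q": {"w"}},
    "q": {"f": {"a"}, "g": {"r", "o"}, "p": {"r"}, "q": {"r", "w", "x", "o"}},
}

def check(subj, obj, right):
    """Access decision taken straight from the matrix."""
    return right in A[subj][obj]

def acl(obj):
    """Column of the matrix: which subjects hold which rights over obj."""
    return {s: set(A[s][obj]) for s in SUBJECTS if A[s][obj]}

def clist(subj):
    """Row of the matrix, copied out: the capabilities handed to subj."""
    return {o: set(A[subj][o]) for o in OBJECTS if A[subj][o]}

def revoke(subj, objs):
    """Remove subj's rights on the given objects only. With ACLs this is one
    edit per affected object; a c-list copied out earlier is not touched and
    has to be located and invalidated separately."""
    for o in objs:
        A[subj][o] = set()
```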
Access Matrix Summary
Object System
• Subjects, objects, access matrix
• Objects are shared
• All subjects are objects
• Not all objects are subjects
Matrix implementation
• Capability lists
• Access control lists
Security Policies
What’s a Security Policy?
Policy partitions system states into:
• Authorized (secure)
• These are states the system can enter
• Unauthorized (nonsecure)
• If the system enters any of these states, it’s a security violation
Secure system
• Starts in an authorized state
• Never enters an unauthorized state
Main Types of Security Policies (CIA)
Confidentiality
• Bell-LaPadula
Integrity
• Biba
• Clark-Wilson
Availability
• ?
Hybrid
• Chinese Wall
• ORCON
• Role-based Access Control (RBAC)
Key Points about Policies and Mechanisms
Policies describe what’s allowed
Mechanisms enforce policies
Confidentiality Policies
What’s a Confidentiality Policy?
Goal: prevent the unauthorized disclosure of information
• Deals with information flow
• Integrity incidental
Examples
• Multi-level security (MLS) models
• Bell-LaPadula Model basis for many
Bell-LaPadula Model
Object and subject labels
Categories
“dominates” partial-order relation
Simple security property
• No reads up
*-property
• No writes down
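The labels, the "dominates" relation and the two properties above, as an added example that is not from the slides. Labels are (level, categories) pairs; the level names and the sample labels are constructed, with the course names C1 … C5 used as categories.

```python
# Added example (not from the slides): Bell-LaPadula decisions over labels.
# A label is (level, categories). The level ordering and the sample labels
# are constructed; course names serve as categories.
LEVELS = ["Unclassified", "Confidential", "Secret", "TopSecret"]

def dominates(a, b):
    """a dominates b iff level(a) >= level(b) and categories(a) ⊇ categories(b).
    This is only a partial order: labels with unrelated categories are incomparable."""
    (la, ca), (lb, cb) = a, b
    return LEVELS.index(la) >= LEVELS.index(lb) and set(ca) >= set(cb)

def comparable(a, b):
    return dominates(a, b) or dominates(b, a)

def blp_allows(subject, obj, action):
    """Simple security property: read only if the subject dominates the object
    (no reads up). *-property: write only if the object dominates the subject
    (no writes down)."""
    if action == "read":
        return dominates(subject, obj)
    if action == "write":
        return dominates(obj, subject)
    raise ValueError(f"unknown action {action!r}")

# Constructed sample labels.
STUDENT = ("Confidential", {"C1", "C4"})   # a student cleared for C1 and C4
CM1 = ("Confidential", {"C1"})             # course material for C1
SUBMISSIONS = ("Secret", {"C1", "C4"})     # a submission box above the student
OTHER = ("Confidential", {"C2"})           # material for a course not taken
```

Writing into SUBMISSIONS is allowed while reading it is not, which is the point of the *-property: a lower-cleared subject may deposit information in a higher-labelled object but cannot learn what is already there.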
Example for Bell-LaPadula: Controlling Access to Course Online Content
Application Description
Application: 10 students: s1 … s10; 3 instructors: i1, i2, i3; 5 courses: c1, … c5
• C1 = {i1, {s1, s2, s3}}
• C2 = {i2, {s3, s4, s5}}
• C3 = {i3, {s5, s6, s7}}
• C4 = {i1, {s7, s8, s9}}
• C5 = {{i2, i3}, {s8, s9, s10}}
Policy:
1. Students can
  1. read course material and assignment instructions for the courses they are registered in
  2. submit (i.e., write) their assignments for the registered courses
2. Instructors can
  1. read student submitted assignments for the courses they teach, and
  2. post (i.e., write) course material and assignment instructions for their courses
Develop configuration (i.e., label graph, and clearance and classification assignments) for access control mechanisms based on the Bell-LaPadula model
Solution
1. Security level Lattice
2. File classifications
3. User clearances
4. DAC matrix
Security level Lattice
Figure (label graph) with the levels: S; I; S-C1, S-C2, S-C3, S-C4, S-C5; I-C1, I-C2, I-C3, I-C4, I-C5; and I-C1, C2, C3, C4, C5.
File Classifications
Table (figure): each of the files CM1, AS1, CM2, AS2, CM3, AS3, CM4, AS4, CM5, AS5 is assigned one of the levels S, S-C1 … S-C5, I, I-C1 … I-C5, I-C1…C5.
Course material for course i == CMi
Assignment Submission for course i == ASi
User Clearances
Table (figure): each user i1, i2, i3, s1 … s10 is assigned a clearance among the levels S, S-C1 … S-C5, I, I-C1 … I-C5, I-C1…C5.
DAC Matrix
Table (figure): rows any, i1, i2, i3, s1 … s10; columns CM1, CM2, CM3, CM4, CM5, AS11, AS12, AS13, AS23, AS24, AS25, AS35, AS36, AS37, AS47, AS48, AS49; entries R (read), W (write), O (owner).
Assignment Submission for course i by student j == ASij
Key Points About Confidentiality Models
Control information flow
Bell-LaPadula
Often combine MAC (relationship of security levels) and DAC (the required permission)
Don’t deal with covert channels
Integrity Policies
Biba Integrity Model (1977)
Integrity levels instead of security levels in MLS
The higher the level, the more confidence
• That a program will execute correctly
• That data is accurate and/or reliable
Figure: integrity levels H, M, L, U (highest to lowest)
Clark-Wilson Model
Constrains who can do what
• authorized triples: (user, TP, {CDI})
Figure: users → TPs → CDIs
transaction procedures (TPs): Procedures that take the system from one valid state to another
constrained data items (CDIs): Data subject to integrity controls
Clark-Wilson Model (cont-ed)
Integrity defined by a set of constraints
• Data in a consistent or valid state when it satisfies constraints
Example: Bank
• D today’s deposits, W withdrawals, YB yesterday’s balance, TB today’s balance
• Integrity constraint: YB + D – W = TB
Well-formed transactions move the system from one consistent state to another
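The bank constraint and the authorized-triple rule from the two Clark-Wilson slides, as an added example that is not from the slides: CDIs are changed only through TPs, a TP runs only for an authorized (user, TP, CDI) triple, and an integrity verification procedure (IVP) checks YB + D – W = TB before and after each transaction. The ledger values, the user names and the TP names are constructed.

```python
# Added example (not from the slides): Clark-Wilson enforcement of the bank
# constraint YB + D - W = TB. The ledger, the "teller" user and the TPs are
# constructed; tp_bad_withdraw is deliberately not well-formed.
class IntegrityViolation(Exception):
    pass

ledger = {"YB": 1000, "D": 0, "W": 0, "TB": 1000}   # constructed CDI
CDIS = {"ledger": ledger}

def ivp(cdi):
    """Integrity verification procedure: does the CDI satisfy the constraint?"""
    return cdi["YB"] + cdi["D"] - cdi["W"] == cdi["TB"]

def tp_deposit(cdi, amount):
    cdi["D"] += amount
    cdi["TB"] += amount

def tp_withdraw(cdi, amount):
    cdi["W"] += amount
    cdi["TB"] -= amount

def tp_bad_withdraw(cdi, amount):
    """A faulty TP: it changes the balance but forgets to record W."""
    cdi["TB"] -= amount

# Authorized triples (user, TP, CDI); constructed.
TRIPLES = {("teller", tp_deposit, "ledger"), ("teller", tp_withdraw, "ledger"),
           ("teller", tp_bad_withdraw, "ledger")}

def run(user, tp, cdi_name, *args):
    """Run a TP as a well-formed transaction: authorize, verify, apply, verify."""
    if (user, tp, cdi_name) not in TRIPLES:
        raise PermissionError(f"{user} may not run {tp.__name__} on {cdi_name}")
    cdi = CDIS[cdi_name]
    if not ivp(cdi):
        raise IntegrityViolation("CDI already inconsistent; refusing to run")
    snapshot = dict(cdi)
    tp(cdi, *args)
    if not ivp(cdi):                       # TP was not well-formed: roll back
        cdi.clear()
        cdi.update(snapshot)
        raise IntegrityViolation(f"{tp.__name__} left the CDI inconsistent")
    return dict(cdi)
```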
Key Points About Integrity Models
Integrity policies deal with trust
• As trust is hard to quantify, these policies are hard to evaluate completely
• Look for assumptions and trusted users to find possible weak points in their implementation
Biba’s model is based on multilevel integrity
Clark-Wilson’s focuses on separation of duty and transactions
Hybrid Security Models
Chinese Wall Model
Chinese Wall Model: Illustration
Bank COI Class: Bank of America, Citibank, Bank of the West
Gasoline Company COI Class: Shell Oil, Union ’76, Standard Oil, ARCO
If Anthony reads any Company dataset (CD) in a conflict of interest (COI) class, he can never read another CD in that COI
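The read rule just stated, as an added example that is not from the slides, using the two COI classes of the illustration: a decision depends on what the subject has read before, so the mechanism must keep a per-subject history. The subject names are constructed.

```python
# Added example (not from the slides): Chinese Wall read rule over the
# illustration's COI classes. Subject names are constructed.
COI = {                                   # company dataset -> COI class
    "Bank of America": "Bank", "Citibank": "Bank", "Bank of the West": "Bank",
    "Shell Oil": "Gasoline", "Union '76": "Gasoline",
    "Standard Oil": "Gasoline", "ARCO": "Gasoline",
}

history = {}   # subject -> set of CDs the subject has already read

def may_read(subject, cd):
    """Allowed unless the subject has read a different CD in the same COI class.
    Re-reading the same company's CD stays allowed; other classes are unaffected."""
    for seen in history.get(subject, set()):
        if seen != cd and COI[seen] == COI[cd]:
            return False
    return True

def read(subject, cd):
    """Enforce the rule and, on success, record the read so the wall stays up."""
    if not may_read(subject, cd):
        return False
    history.setdefault(subject, set()).add(cd)
    return True

def wall_for(subject):
    """CDs now unreadable by the subject: useful for auditing the current state."""
    return {cd for cd in COI if not may_read(subject, cd)}
```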
ORCON Model
Problem: organization creating a document wants to control its dissemination
Example: Secretary of Agriculture writes a memo for distribution to her immediate subordinates, and she must give permission for it to be disseminated further. This is “originator controlled” (here, the “originator” is a person).
Role-based Access Control (RBAC)
RBAC
Access depends on role, not identity or label
• Example:
• Allison, administrator for a department, has access to financial records.
• She leaves.
• Betty hired as the new administrator, so she now has access to those records
• The role of “administrator” dictates access, not the identity of the individual.
RBAC (NIST Standard)
Figure: Users —UA— Roles —PA— Permissions (Operations on Objects); Sessions are linked to Users by user_sessions (one-to-many) and to Roles by role_sessions (many-to-many).
RBAC with General Role Hierarchy
Figure: as in the core model (Users —UA— Roles —PA— Permissions: Operations on Objects; Sessions via user_sessions (one-to-many) and role_sessions (many-to-many)), plus RH (role hierarchy) on Roles.
Example
Figure (role hierarchy): roles Employee, Engineer, Senior Engineer, Administrator, Senior Administrator and Manager; users e1 … e10 are assigned to roles; permissions px, py, p1, p2, pa, pb, pm, pn, po, pp are assigned to roles.
Constrained RBAC
Figure: the hierarchical model (Users —UA— Roles —PA— Permissions: Operations on Objects; Sessions via user_sessions (one-to-many); RH (role hierarchy)) with Static Separation of Duty and Dynamic Separation of Duty constraints added.
Sample System
Figure (roles of a sample system): Psychiatrist, Physician, Physician Assistant, Nurse, Caregiver, Registration Clerk, Technician
Application Description
Application: 10 students: s1 … s10; 3 instructors: i1, i2, i3; 5 courses: c1, … c5
• C1 = {i1, {s1, s2, s3}}
• C2 = {i2, {s3, s4, s5}}
• C3 = {i3, {s5, s6, s7}}
• C4 = {i1, {s7, s8, s9}}
• C5 = {{i2, i3}, {s8, s9, s10}}
Policy:
1. Students can
  1. read course material and assignment instructions for the courses they are registered in
  2. submit (i.e., write) their assignments for the registered courses
2. Instructors can
  1. read student submitted assignments for the courses they teach, and
  2. post (i.e., write) course material and assignment instructions for their courses
Develop configuration (i.e., UA, PA, Role hierarchy) for access control mechanisms based on the RBAC model
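One RBAC configuration for this application, as an added example that is not the slides' solution: UA is derived from the course registrations, PA from the policy, RH and a static separation-of-duty constraint follow the hierarchical and constrained RBAC slides. Role names, the course-level granularity of the permissions (one ASi object per course rather than one per student) and the "Dean" role are constructed; "Dean" is hypothetical and not part of the stated policy.

```python
# Added example (not the slides' solution): NIST-style RBAC for the course
# scenario. UA maps users to roles, PA maps roles to (operation, object)
# permissions, RH maps a senior role to its juniors, SSD lists mutually
# exclusive role pairs. Role names and the hypothetical "Dean" are constructed.
COURSES = {1: ({"i1"}, {"s1", "s2", "s3"}), 2: ({"i2"}, {"s3", "s4", "s5"}),
           3: ({"i3"}, {"s5", "s6", "s7"}), 4: ({"i1"}, {"s7", "s8", "s9"}),
           5: ({"i2", "i3"}, {"s8", "s9", "s10"})}
UA, PA, RH = {}, {}, {}
for c, (instructors, students) in COURSES.items():
    PA[f"Student_C{c}"] = {("read", f"CM{c}"), ("write", f"AS{c}")}
    PA[f"Instructor_C{c}"] = {("read", f"AS{c}"), ("write", f"CM{c}")}
    for u in students:
        UA.setdefault(u, set()).add(f"Student_C{c}")
    for u in instructors:
        UA.setdefault(u, set()).add(f"Instructor_C{c}")
    RH.setdefault("Dean", set()).add(f"Instructor_C{c}")   # hypothetical senior role
PA["Dean"], UA["dean"] = set(), {"Dean"}
# SSD: nobody may be both student and instructor of the same course.
SSD = {(f"Student_C{c}", f"Instructor_C{c}") for c in COURSES}

def juniors(role):
    """Roles whose permissions `role` inherits through RH, itself included."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(RH.get(r, ()))
    return seen

def authorized_permissions(user):
    return {p for role in UA.get(user, ()) for r in juniors(role) for p in PA.get(r, ())}

def check(user, op, obj):
    return (op, obj) in authorized_permissions(user)

def assign(user, role):
    """UA update that enforces SSD on directly assigned roles."""
    held = UA.get(user, set()) | {role}
    if any({a, b} <= held for a, b in SSD):
        return False
    UA.setdefault(user, set()).add(role)
    return True
```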
Key Points on Hybrid Models
Hybrid models deal with both confidentiality and integrity
ORCON model neither MAC nor DAC
• Actually, a combination
RBAC model controls access based on subject’s role(s)
Summary
Access control mechanisms
Access Matrix
Security policies
• Confidentiality models
• Bell LaPadula confidentiality model
• Integrity models
• Biba integrity model
• Clark-Wilson
• Hybrid models
• Chinese Wall model
• ORCON model
• RBAC model