Access Control: MAC
CSCE 522 - Farkas, Lecture 17
Reading assignments (required for the access control classes):
Ravi Sandhu and P. Samarati, "Access Control: Principles and Practice," IEEE Communications, Vol. 32, No. 9, September 1994. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.30.5029
Ravi Sandhu, "Lattice-Based Access Control Models," IEEE Computer, Vol. 26, No. 11 (cover article), November 1993. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.54.8395
Mandatory Access Control
Objects: security classification, e.g., grades = (confidential, {student-info})
Subjects: security clearances, e.g., Joe = (confidential, {student-info})
Access rules: defined by comparing the security classification of the requested object with the security clearance of the subject, e.g., a subject can read an object only if label(subject) dominates label(object)
Mandatory Access Control
If the access control rules are satisfied, access is permitted.
e.g., Joe wants to read grades:
label(Joe) = (confidential, {student-info})
label(grades) = (confidential, {student-info})
=> Joe is permitted to read grades
Granularity of access rights!
Mandatory Access Control
Security classes (labels): (A, C)
A – authority level, totally ordered
C – set of categories
e.g., A = confidential > public, C = {student-info, dept-info}
The resulting lattice has 2 x 4 = 8 labels:
(confidential, {student-info, dept-info})
(confidential, {student-info})
(confidential, {dept-info})
(confidential, { })
(public, {student-info, dept-info})
(public, {student-info})
(public, {dept-info})
(public, { })
Mandatory Access Control
Dominance (≥): label l = (A, C) dominates l' = (A', C') iff A ≥ A' and C ⊇ C'
e.g., (confidential, {student-info}) ≥ (public, {student-info})
BUT (confidential, {student-info}) does not dominate (public, {student-info, dept-info})
Bell-LaPadula (BLP) Model
Confidentiality protection
Lattice-based access control: subjects, objects, security labels
Supports decentralized administration
BLP Reference Monitor
All accesses are controlled by the reference monitor, which cannot be bypassed
Access is allowed iff the resulting system state satisfies all security properties
Trusted subjects: subjects trusted not to compromise security
BLP Axioms 1.
Simple-security property: a subject s is allowed to read an object o only if the security label of s dominates the security label of o
No read up
Applies to all subjects
BLP Axioms 2.
*-property: a subject s is allowed to write an object o only if the security label of o dominates the security label of s
No write down
Applies to untrusted subjects only
Blind Writes
A blind write is a write to an object whose label strictly dominates the subject's: the *-property allows it, but the subject cannot read what it overwrites
Risk: improper modification of data
Most implementations disallow blind writes
Tranquility
Read and write accesses are mediated based on the security labels of objects and subjects
Read and write accesses are not atomic, i.e., they are sequences of operations that may or may not be interrupted
Example: a secret subject requests a read of a secret object. While the request is being processed, the subject lowers its level to unclassified => an unclassified subject has gained read access to a secret object
Tranquility
Tranquility: changing security labels
Strong tranquility: security labels of subjects and objects never change during an operation
Advantage: the system state always satisfies the security requirements
Disadvantage: not flexible
Tranquility
Weak tranquility: security labels of subjects and objects never change in such a way as to violate the security policy
High watermark on subjects: during a read, a subject may upgrade its security clearance
High watermark on objects: during a write, an object's security classification may be upgraded
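As an added example (not code from the lecture slides), the following Python builds the 8-label lattice from the Mandatory Access Control slides, implements dominance and the lattice join, and uses the join for the high-watermark subject described above; the Label, lattice and HighWatermarkSubject names and the maximum-clearance ceiling are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import combinations

LEVELS = {"public": 0, "confidential": 1}       # total order: confidential > public
CATEGORIES = ("student-info", "dept-info")       # set of categories

@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # l >= l' iff the level is at least l' and the categories are a superset
        return LEVELS[self.level] >= LEVELS[other.level] and self.cats >= other.cats

    def join(self, other: "Label") -> "Label":
        # least upper bound: the higher level with the union of the categories
        return Label(max(self.level, other.level, key=LEVELS.get), self.cats | other.cats)

def lattice() -> list:
    """All 2 levels x 4 category subsets = 8 labels of the slides' example lattice."""
    subsets = [frozenset(c) for n in range(len(CATEGORIES) + 1)
               for c in combinations(CATEGORIES, n)]
    return [Label(lvl, s) for lvl in LEVELS for s in subsets]

class HighWatermarkSubject:
    """A subject whose current clearance floats up (weak tranquility) to the join
    of the labels it reads, but never beyond its maximum clearance (assumed ceiling)."""

    def __init__(self, current: Label, maximum: Label):
        assert maximum.dominates(current)
        self.current, self.maximum = current, maximum

    def read(self, obj: Label) -> bool:
        if not self.maximum.dominates(obj):    # simple-security against the ceiling
            return False
        self.current = self.current.join(obj)  # the label rises; it never goes down
        return True

    def write(self, obj: Label) -> bool:
        # *-property: no write down. After reading something confidential the raised
        # clearance blocks writes to public objects the subject could write before.
        return obj.dominates(self.current)
```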
Discretionary Security Property
Every current access must be in the access matrix
Trojan Horse and BLP
[Figure: Trojan horse scenario. Brown (Secret) owns the file Employee (Secret; ACL: Brown: read, write). Black (Public) owns Black's Employee (Public; ACL: Black, Brown: read, write). Black inserts a Trojan horse (TH) into the shared word processor; when Brown uses the shared program, the TH reads Employee and tries to copy it into Black's Employee. Every access passes through the reference monitor, which compares the labels (Secret, Public).]
The ACL permits the copy, but it is a write down from Brown's Secret session into a Public object, so the *-property rejects it.
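As an added example (not code from the slides), this Python models the BLP reference monitor with the discretionary, simple-security and *-properties and replays the Trojan horse scenario in the figure; the check, trojan_horse_run and scenario functions, the mac switch and the file contents are assumptions of the example.

```python
from dataclasses import dataclass

LEVELS = {"public": 0, "secret": 1}      # total order on authority levels

@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return LEVELS[self.level] >= LEVELS[other.level] and self.cats >= other.cats

@dataclass
class Obj:
    label: Label
    acl: dict              # discretionary part: {user: {"read", "write"}}
    data: str = ""

@dataclass
class Subject:
    name: str
    label: Label
    trusted: bool = False  # trusted subjects are exempt from the *-property

def check(s: Subject, o: Obj, op: str, mac: bool = True) -> bool:
    """Reference monitor decision; mac=False shows what the ACL alone allows."""
    if op not in o.acl.get(s.name, set()):   # discretionary security property
        return False
    if not mac:
        return True
    if op == "read":                          # simple-security: no read up
        return s.label.dominates(o.label)
    return s.trusted or o.label.dominates(s.label)   # *-property: no write down

def trojan_horse_run(user: Subject, src: Obj, dst: Obj, mac: bool = True) -> bool:
    """The Trojan horse in the shared word processor runs with the user's rights:
    it reads src and copies it into dst; returns True if the copy went through."""
    if check(user, src, "read", mac) and check(user, dst, "write", mac):
        dst.data = src.data
        return True
    return False

def scenario(mac: bool = True) -> str:
    """Brown (Secret) edits Employee (Secret); Black (Public) planted the horse and
    granted Brown write access to Black's Employee (Public). Returns what leaked."""
    brown = Subject("Brown", Label("secret"))
    employee = Obj(Label("secret"), {"Brown": {"read", "write"}}, "salaries")  # constructed
    blacks = Obj(Label("public"), {"Black": {"read", "write"}, "Brown": {"read", "write"}})
    trojan_horse_run(brown, employee, blacks, mac)
    return blacks.data     # "" when BLP blocks the write down; "salaries" under ACL alone
```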
Biba Model – Integrity Protection
Integrity protection
Lattice-based access control: subjects, objects, integrity labels
Access Control List
Integrity Labels
Hierarchical integrity levels, e.g., Crucial > Very important > Important
Non-hierarchical categories, e.g., {medical, personal, administrative}
Strict Integrity Policy
Integrity *-property: a subject s can modify an object o only if the integrity level of the subject dominates the integrity level of the object (no write up)
Simple integrity property: a subject s can observe an object o only if the integrity label of s is dominated by the integrity label of o (no read down)
Invocation property: a subject s1 can invoke a subject s2 only if the integrity label of s1 dominates the integrity label of s2
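As an added example (not code from the slides), this Python encodes the three strict integrity rules over the integrity labels from the Integrity Labels slide and exhaustively checks, over the full 24-label lattice, the guarantee they give: data can never flow from a lower-integrity object into a higher-integrity one; the ILabel class, the rule functions and no_upward_flow are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import combinations

ILEVELS = {"Important": 0, "Very important": 1, "Crucial": 2}   # hierarchical levels
ICATS = ("medical", "personal", "administrative")               # non-hierarchical categories

@dataclass(frozen=True)
class ILabel:
    level: str
    cats: frozenset = frozenset()

    def dominates(self, other: "ILabel") -> bool:
        return ILEVELS[self.level] >= ILEVELS[other.level] and self.cats >= other.cats

def may_modify(s: ILabel, o: ILabel) -> bool:
    """Integrity *-property: no write up."""
    return s.dominates(o)

def may_observe(s: ILabel, o: ILabel) -> bool:
    """Simple integrity property: no read down."""
    return o.dominates(s)

def may_invoke(s1: ILabel, s2: ILabel) -> bool:
    """Invocation property: s1 may invoke s2 only if s1 dominates s2."""
    return s1.dominates(s2)

def all_labels() -> list:
    """The full integrity lattice: 3 levels x 8 category subsets = 24 labels."""
    subsets = [frozenset(c) for n in range(len(ICATS) + 1) for c in combinations(ICATS, n)]
    return [ILabel(lvl, s) for lvl in ILEVELS for s in subsets]

def no_upward_flow() -> bool:
    """Exhaustive check of what the strict policy guarantees: whenever a subject
    may observe o1 and modify o2, o1's integrity dominates o2's, so low-integrity
    data can never taint a higher-integrity object through that subject."""
    labels = all_labels()
    return all(o1.dominates(o2)
               for s in labels for o1 in labels for o2 in labels
               if may_observe(s, o1) and may_modify(s, o2))
```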
Next Class: Database Security