the om-am framework and role-based access control · 2018-09-27 · the om-am framework and...

The OM-AM Framework andRole-Based Access Control

Prof. Ravi SandhuGeorge Mason University

www.list.gmu.edu

2© Ravi Sandhu 2000

AUTHORIZATION, TRUST AND RISK

u Information security is fundamentallyabout managing l authorization andl trust

so as to manage risk

3© Ravi Sandhu 2000

THE OM-AM WAY

ObjectivesModel

ArchitectureMechanism

What?

How?

Assurance

4© Ravi Sandhu 2000

LAYERS AND LAYERS

u Multics ringsu Layered abstractionsu Waterfall modelu Network protocol stacksu OM-AM

5© Ravi Sandhu 2000

OM-AM AND MANDATORY ACCESSCONTROL (MAC)

What?

How?

No information leakageLattices (Bell-LaPadula)

Security kernelSecurity labels

Assurance

6© Ravi Sandhu 2000

OM-AM AND DISCRETIONARYACCESS CONTROL (DAC)

What?

How?

Owner-based discretionnumerousnumerous

ACLs, Capabilities, etc

Assurance

7© Ravi Sandhu 2000

OM-AM AND ROLE-BASED ACCESSCONTROL (RBAC)

What?

How?

Policy neutralRBAC96

user-pull, server-pull, etc.certificates, tickets, PACs, etc.

Assurance

Role-Based Access ControlThe RBAC96 Model

9© Ravi Sandhu 2000

ROLE-BASED ACCESSCONTROL (RBAC)

u A user’s permissions are determinedby the user’s rolesl rather than identity or clearancel roles can encode arbitrary attributes

u multi-facetedu ranges from very simple to very

sophisticated

10© Ravi Sandhu 2000

RBAC SECURITYPRINCIPLES

u least privilegeu separation of dutiesu separation of administration and

accessu abstract operations

11© Ravi Sandhu 2000

RBAC96IEEE Computer Feb. 1996

u Policy neutralu can be configured to do MAC

l roles simulate clearances (ESORICS 96)

u can be configured to do DACl roles simulate identity (RBAC98)

12© Ravi Sandhu 2000

RBAC CONUNDRUM

u turn on all roles all the timeu turn on one role only at a timeu turn on a user-specified subset of

roles

13© Ravi Sandhu 2000

RBAC96 FAMILY OFMODELS

RBAC0BASIC RBAC

RBAC3ROLE HIERARCHIES +

CONSTRAINTS

RBAC1ROLE

HIERARCHIES

RBAC2CONSTRAINTS

14© Ravi Sandhu 2000

RBAC0

ROLES

USER-ROLEASSIGNMENT

PERMISSION-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

15© Ravi Sandhu 2000

PERMISSIONS

u Primitive permissionsl read, write, append, execute

u Abstract permissionsl credit, debit, inquiry

u System permissionsl auditor, operator, back-up operator

16© Ravi Sandhu 2000

USERS

u Users arel human beings orl other active agents

u Each individual should be known asexactly one user

17© Ravi Sandhu 2000

RBAC1

ROLES

USER-ROLEASSIGNMENT

PERMISSION-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

18© Ravi Sandhu 2000

HIERARCHICAL ROLES

Health-Care Provider

Physician

Primary-CarePhysician

SpecialistPhysician

19© Ravi Sandhu 2000

HIERARCHICAL ROLES

Engineer

HardwareEngineer

SoftwareEngineer

SupervisingEngineer

20© Ravi Sandhu 2000

PRIVATE ROLES

Engineer

HardwareEngineer

SoftwareEngineer

SupervisingEngineer

HardwareEngineer’

SoftwareEngineer’

21© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

22© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

23© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

24© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

25© Ravi Sandhu 2000

RBAC3

ROLES

USER-ROLEASSIGNMENT

PERMISSIONS-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

CONSTRAINTS

26© Ravi Sandhu 2000

CONSTRAINTS

u Mutually Exclusive Rolesl Static Exclusion: The same individual

can never hold both rolesl Dynamic Exclusion: The same

individual can never hold both roles inthe same context

27© Ravi Sandhu 2000

CONSTRAINTS

u Mutually Exclusive Permissionsl Static Exclusion: The same role should

never be assigned both permissionsl Dynamic Exclusion: The same role can

never hold both permissions in thesame context

28© Ravi Sandhu 2000

CONSTRAINTS

u Cardinality Constraints on User-RoleAssignmentl At most k users can belong to the rolel At least k users must belong to the rolel Exactly k users must belong to the role

29© Ravi Sandhu 2000

CONSTRAINTS

u Cardinality Constraints onPermissions-Role Assignmentl At most k roles can get the permissionl At least k roles must get the permissionl Exactly k roles must get the permission

Administrative RBACARBAC97

31© Ravi Sandhu 2000

SCALE AND RATE OFCHANGE

u roles: 100s or 1000su users: 1000s or 10,000s or moreu Frequent changes to

l user-role assignmentl permission-role assignment

u Less frequent changes forl role hierarchy

32© Ravi Sandhu 2000

ADMINISTRATIVE RBAC

ROLES

USERS

PERMISSIONS

...

ADMINROLES

ADMINPERMISSIONS

CAN-MANAGE

33© Ravi Sandhu 2000

ARBAC97 DECENTRALIZES

u user-role assignment (URA97)u permission-role assignment (PRA97)u role-role hierarchy

n groups or user-only roles (extend URA97)n abilities or permission-only roles (extend PRA97)n UP-roles or user-and-permission roles (RRA97)

34© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

35© Ravi Sandhu 2000

EXAMPLE ADMINISTRATIVEROLE HIERARCHY

Senior Security Officer (SSO)

Department Security Officer (DSO)

Project SecurityOfficer 1 (PSO1)

Project SecurityOfficer 2 (PSO2)

36© Ravi Sandhu 2000

URA97 GRANT MODEL:can-assign

ARole Prereq Role Role RangePSO1 ED [E1,PL1)PSO2 ED [E2,PL2)DSO ED (ED,DIR)SSO E [ED,ED]SSO ED (ED,DIR]

37© Ravi Sandhu 2000

URA97 GRANT MODEL :can-assign

ARole Prereq Cond Role RangePSO1 ED [E1,E1]PSO1 ED & ¬ P1 [Q1,Q1]PSO1 ED & ¬ Q1 [P1,P1]PSO2 ED [E2,E2]PSO2 ED & ¬ P2 [Q2,Q2]PSO2 ED & ¬ Q2 [P2,P2]

38© Ravi Sandhu 2000

URA97 REVOKE MODEL :can-revoke

ARole Role RangePSO1 [E1,PL1)PSO2 [E2,PL2)DSO (ED,DIR)SSO [ED,DIR]

39© Ravi Sandhu 2000

URA97 REVOKE MODEL

u WEAK REVOCATIONl revokes explicit membership in a rolel independent of who did the assignment

u STRONG REVOCATIONl revokes explicit membership in a role and its

seniorsl authorized only if corresponding weak

revokes are authorized

40© Ravi Sandhu 2000

PERMISSION-ROLEASSIGNMENT

u dual of user-role assignmentu can-assign-permission

can-revoke-permissionu weak revoke strong revoke (propagates down)

41© Ravi Sandhu 2000

PERMISSION-ROLE ASSIGNMENTCAN-ASSIGN-PERMISSION

ARole Prereq Cond Role RangePSO1 PL1 [E1,PL1)PSO2 PL2 [E2,PL2)DSO E1 ∨∨ E2 [ED,ED]SSO PL1 ∨∨ PL2 [ED,ED]SSO ED [E,E]

42© Ravi Sandhu 2000

PERMISSION-ROLE ASSIGNMENTCAN-REVOKE-PERMISSION

ARole Role RangePSO1 [E1,PL1]PSO2 [E2,PL2]DSO (ED,DIR)SSO [ED,DIR]

43© Ravi Sandhu 2000

ARBAC97 DECENTRALIZES

u user-role assignment (URA97)u permission-role assignment (PRA97)u role-role hierarchy

n groups or user-only roles (extend URA97)n abilities or permission-only roles (extend PRA97)n UP-roles or user-and-permission roles (RRA97)

44© Ravi Sandhu 2000

Range Definitions

Range

Create Range

Encap. Range

AuthorityRange

RBAC ARCHITECTURES

46© Ravi Sandhu 2000

OM-AM AND ROLE-BASED ACCESSCONTROL (RBAC)

What?

How?

Policy neutralRBAC96

user-pull, server-pull, etc.certificates, tickets, PACs, etc.

Assurance

47© Ravi Sandhu 2000

CLASS I SYSTEMSENFORCEMENT ARCHITECTURE

Client Server

48© Ravi Sandhu 2000

CLASS I SYSTEMSADMINISTRATION ARCHITECTURE

AdministrativeClient

Server2

Server1

ServerN

AuthorizationCenter

49© Ravi Sandhu 2000

CLASS II SYSTEMSSERVER-PULL

Client Server

AuthorizationServer

AuthenticationServer

50© Ravi Sandhu 2000

CLASS II SYSTEMSUSER-PULL

Client Server

AuthorizationServer

AuthenticationServer

51© Ravi Sandhu 2000

CLASS II SYSTEMSPROXY-BASED SYSTEMS

Client ServerProxy

AuthenticationServer

AuthorizationServer

52© Ravi Sandhu 2000

RBAC MECHANISMS

u These architectures can besupported by means ofl X.509 certificatesl Secure cookiesl Etc.

u Different links can be protected bydifferent means

53© Ravi Sandhu 2000

Related Technologies

u Cookiesl in widespread current use for maintaining

state of HTTPl becoming standardl not secure

u Public-Key Certificates (X.509)l support security on the Web based on PKIl standardl simply, bind users to keysl have the ability to be extended

54© Ravi Sandhu 2000

Cookies

55© Ravi Sandhu 2000

Security Threats to Cookies

u Cookies are not securel No authenticationl No integrityl No confidentiality

u can be easily attacked byl Network Security Threatsl End-System Threatsl Cookie Harvesting Threats

56© Ravi Sandhu 2000

Secure Cookies on the Web

57© Ravi Sandhu 2000

A Set of Secure Cookies

58© Ravi Sandhu 2000

How to Use Secure Cookies

59© Ravi Sandhu 2000

X.509 Certificate

u Digitally signed by a certificate authorityl to confirm the information in the certificate

belongs to the holder of the correspondingprivate key

u Contentsl version, serial number, subject, validity period,

issuer, optional fields (v2)l subject’s public key and algorithm info.l extension fields (v3)l digital signature of CA

u Binding users to keysu Certificate Revocation List (CRL)

60© Ravi Sandhu 2000

X.509 Certificate

61© Ravi Sandhu 2000

Smart Certificates

u Short-Lived Lifetimel More secure

n typical validity period for X.509 is months(years)

n users may leave copies of the correspondingkeys behind

n the longer-lived certificates have a higherprobability of being attacked

l No Certificate Revocation List (CRL)n simple and less expensive PKI

62© Ravi Sandhu 2000

Smart Certificates

u Containing Attributes Securelyl Web servers can use secure attributes for their

purposesl Each authority has independent control on the

corresponding informationn basic certificate (containing identity information)n each attribute can be added, changed, revoked, or re-

issued by the appropriate authority– e.g., role, credit card number, clearance, etc.

l Short-lived certificate can remove CRLs

63© Ravi Sandhu 2000

Separate CAs in a Certificate

64© Ravi Sandhu 2000

Smart Certificates

u Postdated Certificatesl The certificate becomes valid at some time in

the futurel possible to make a smart certificate valid for a

set of durationl supports convenience

u Confidentialityl Sensitive information can be

n encrypted in smart certificates– e.g. passwords, credit card numbers, etc.

65© Ravi Sandhu 2000

A Smart Certificate

66© Ravi Sandhu 2000

Applications of Smart Certificates

u On-Duty Controlu Compatible with X.509u User Authenticationu Electronic Transactionu Eliminating Single-Point Failureu Pay-per-Accessu Attribute-based Access Control

67© Ravi Sandhu 2000

OM-AM AND ROLE-BASED ACCESSCONTROL (RBAC)

What?

How?

Policy neutralRBAC96

user-pull, server-pull, etc.certificates, tickets, PACs, etc.

Assurance