1
PRIVILEGE STATES BASED ACCESS CONTROL FOR
FINE GRAINEDINTRUSION RESPONSE
Ashish Kamra, Elisa BertinoPurdue University
Presenter:Ashish Kundu
3
Motivation
Databases
Anomaly Detection
Anomaly Response
Access Control
4
5
Access Control Decision Semantics
RequestReferenceMonitor
AllowDeny
6
Extended Decision Semantics
RequestReferenceMonitor
AllowDeny
Taint
Suspend
7
Primary Contribution
Mechanism to enhance the
decision semantics of an
access control implementation
8
Why do we want to do that?
9
Support for fine-grained intrusion response
Request
Detectionengine
Responseengine
Anomaly
Drop Reques
t
LogReques
t
2nd factor of authentication
Passive Monitoring
10
Mapping
Passive Monitoring
Taint decision semantic
2nd factor of
authentication
Suspend decision
semantics
11
Privilege States - glue for the mapping
Assign states to privileges
Response system changes privilege state fine-grained response actions
Response : access control decision semantics
12
Privilege States
“state” to every privilege a user or role
Five privilege states
DENY
SUSPEND
TAINT
GRANT
UNASSIGN
13
Privilege State Semantics
“DENY”: negative authorizations
“SUSPEND”: request suspension
“TAINT”: request tainting
“GRANT”: standard SQL GRANT
“UNASSIGN”: standard SQL REVOKE
14
Example
U1 is a member of role R1
DBA assigns SELECT privilege in DENY on T1 to user
U1 SELECT privilege in TAINT on T1 to role
R1
Privilege state of SELECT on T1 for U1 ???
15
Privilege State Dominance
X
means ‘X’ overrides ‘Y’
DENY
SUSPEND
TAINT
UNASSIGN
GRANT
Y
16
Privilege State Transitions
+
/
+
+
??
?
/
/
/
+ /+ grant
deny
? suspend
/
unassign
taint
?
+
TAINT
SUSPEND
DENY
GRANT REVOKE
?
17
Formal model
For details, please refer to the paper …
18
Considering Role Hierarchies
Role hierarchy based on privilege inheritance
What about privileges in “deny”, “suspend” and “taint” states?
R_parent{insert}
R_child{select
}
{select}
19
Privilege Orientation Modes
up
down
neutral
unassign, grant
deny, taint, suspend
20
Privilege Propagation
R8
R5 R6 R7
R2 R3 R4
R1
{select,grant}
{select,grant}
{insert,deny,down}
{insert,deny,down}
Recursive Propagation
21
Implementation in PostgreSQL
New SQL commands TAINT, SUSPEND
Enhanced Access Control Lists To support privilege states and
orientation modes
Re-authentication procedure for a privilege in “suspend” state
22
Access Control Check Overhead No Role Hierarchy
16 32 64 128 256 5120
10
20
30
40
50
60
BASEPSAC
Overh
ead
(m
icro
secon
ds)
ACL Size
23
16 32 64 128 256 5120
20
40
60
80
100
120
BASEPSAC
Overh
ead
(m
icro
secon
ds)
ACL Size
Access Control Check Overhead With Role Hierarchy
24
Conclusions
Fine-granular access control in databases
Anomaly response mechanisms
Facilitates policy development
Formal model and experimental evaluation