220 likes | 409 Views
FRAC: Implementing Role-Based Access Control for Network File Systems. Aniruddha Bohra, Stephen Smaldone , and Liviu Iftode Department of Computer Science Rutgers University {bohra,smaldone,iftode}@cs.rutgers.edu. Motivation. User A. Time < 5 PM. Developer. Shell scripts cron jobs
E N D
FRAC: Implementing Role-Based Access Control for Network File Systems Aniruddha Bohra, Stephen Smaldone, and Liviu Iftode Department of Computer Science Rutgers University {bohra,smaldone,iftode}@cs.rutgers.edu
Motivation User A Time < 5 PM Developer Shell scripts cron jobs Manual User A User A Time > 5 PM Programmer Developers Programmers User A User A User B User D File F : { User B, User C } User C File F : { Developers, !Programmers }
Role-Based Access Control (RBAC) Role Hierarchy Progs Users 1 Devs User A Users 1 Users 2 Roles Users Perms
Benefits of RBAC • Policy Specification • Administrators define system-wide access control policies • Users may query and update portions of the access control system state • Simplified sharing and protection • Role Management • Role Hierarchy: Inheritance • Static Separation of Duties (SSD) • Session Management • Dynamic User to Role Mapping • Dynamic Separation of Duties (DSD) • Centralized Access Control Policy Enforcement • Enforcement of Principle of Least Privilege (POLP) • Verifiability of policy enforcement: auditing
RBAC for Network File Systems? Interface changes Application changes … AC Policy Changes Access Control Decisions User AC Policy Changes require user agent FS Protocol FS Client Modifications File Server External Authority FS Client File Server
FRAC: Network File System RBAC in a Middlebox AC Policy Changes Access Control Decisions Standard FS Protocol FRAC Middlebox Virtual Control Namespace (VCN) FS Client File Server VCN • Maintained at FRAC and Accessed by Client • Query State of AC System = FS READ • Update Permissions and AC Policies = FS WRITE
Outline • Introduction • Design and Implementation • Background • Permission Evaluation in FRAC • Enforcing Principle of Least Privilege • Virtual Control Namespace (VCN) • Evaluation • Related Work • Conclusions
Design Requirements • Middlebox to Enforce RBAC Policies • Interpose and transform messages • Understand file system semantics • Store policies and maintain state • Evaluate and enforce file system access control policies • Virtual Control Namespace • Enable users to query and owners to update the access control policy • Virtualize file system objects • Handle file system operations for virtual objects
Background: FileWall Scheduler File Server FS Client Forwarder Request Handler … Access Context FileWallPolicy FileWall: A Firewall for Network File System, S. Smaldone, A. Bohra, and L. Iftode. To appear in the Proceedings of the 3rd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07)
Permission Evaluation in FRAC Scheduler File Server FS Client Forwarder Time > 5 PM ? ALLOW Access Context DENY FRAC Time AC Matrix
Enforcing Principle of Least Privilege FS Request Op = READ File Handle = V0 UserID = U0 GroupID = G0 Access Context Role Hierarchy Progs Devs Users 2 Users 1 Users 1
Virtual Control Namespace (VCN) Shadow Shadow File Contents FILE METADATA AC MATRIX Mirrored FS Namespace Root VCN • Active Roles • User -> Role Mappings • Session Control Interface Session
VCN Challenges • Creation of virtual objects • Must create file identifiers for virtual objects • Must avoid file identifier collisions between virtual and real objects • Provide virtual identifiers for all objects and store mappings • Introduce virtual objects in existing namespace • Create virtual namespace under root of real namespace • Must modify namespace operations (e.g., READDIR, LOOKUP, etc.) to “splice” in virtual namespace • Handle file system operations to virtual objects • Need to distinguish accesses to virtual objects from those for real objects • Demultiplex based on virtual identifier to real identifier mappings
VCN in FRAC Scheduler File Server FS Client Forwarder VCN Handler home home To Server bob VCN bob Access Context To Client FRAC VFH -> FH Map
Prototype Implementation • Network middlebox • FRAC implemented as a FileWall policy module • Implements RBAC for NFSv3 protocol • Direct access limited only to administrators • Access Context • Berkeley DB: An open source database • Policy specification • Static configuration using XACML • Updates supported through VCN for users
Outline • Introduction • Design and Implementation • Evaluation • Related Work • Conclusions
Evaluation • Roles • Arranged as linear chain: highest to lowest privilege level • Session starts with a role at head of chain (worst case) • Setup • Systems: Dell Poweredge 2600 SMP systems, 2.4 GHz Xeon II CPU, 2 GB RAM, running Linux 2.6 • Microbenchmark: User-level RPC client • Application Benchmark: OpenSSH compilation
Results - Microbenchmark Worst case overhead is low!
Results - OpenSSH Compilation Most expensive data phases have small (<10% & < 15%) overheads!
Related Work • RBAC Model • RBAC Standards [Ferraiolo’01, ANSI/INCITS’04] • RBAC for Network File Systems • Protocol Modifications [Gustaffson’97] • Agent-Based Systems [He’05] • Virtual and Programmable Namespaces • Plan 9 [Pike’93] • Semantic File Systems [Sheldon’91]
Conclusions and Future Work • FRAC: RBAC for network file systems using a middlebox (FileWall) • Requires no client or server modifications • Virtual Control Namespace eliminates use of specialized agents • Low overheads: < 15% overhead for up to 50 roles • Future Work: • Language for Specification and Verification of policies • Continuous Monitoring of network file system accesses
Thank You! Questions?