860 likes | 974 Views
IS 3957 Doctoral Seminar in Systems and Technology Information Assurance. Introduction James Joshi September 8, 2005. Access Control. Access control Restrict access to system entities to authorized personnel Security Domain
E N D
IS 3957 Doctoral Seminar in Systems and TechnologyInformation Assurance Introduction James Joshi September 8, 2005
Access Control • Access control • Restrict access to system entities to authorized personnel • Security Domain • A bounded group of subjects and objects under a single security policy • Multidomain Secure Environment • Ensuring a secure interaction among participating domains
Current Systems • Single domain systems • Multidomain systems • Open Interconnected Heterogeneous Systems • Web applications, E-Government, Global enterprises
Industry (various ops) • DoDBusiness Operations Environment • Initiate a transaction • Manage a transaction • Manage reference data • Provide performance support • Control access to and protect transaction and reference data • Transmit and translate transactions and reference data DoD Business Operations Environment (Ref: JECPO) Operational View OV-1 Warfighter Operations • Introduction Movement Training Requirements Analysis Maintenance Adjudication T&E Business Protection Environment Auditing Transportation Budget Planning Training Development Construction Mgmt Receiving Program Sch, Dir, Cont Contract Admin Disposal Mgmt Procurement Personnel Admin Engineering Analysis & Approval Payment/ Disbursement Facilities Mgmt Technology Projection Funds Mgmt Inventory Flow Mgmt Oversight Maintenance Planning Health, Safety, Environment Accounting Log Planning DoD Business Operations Business Protection Environment Example
Discretionary Access Control (DAC) • Subjects have ownership over objects • A subject can pass access rights to other subjects at his discretion • Highly flexible and most widely used • Not appropriate for • high assurance systems, e.g., a military system • Many complex commercial security requirements • “Trojan horse” problem
Mandatory Access Control (MAC) • Subjects/objects have security levels forming a lattice • Flow of information is restricted. • Example: (no-readup), (no-writedown) • Well-know MAC model is the Bell-LaPadula model
Some Existing Models • Abstract models • HRU’s Access Control Matrix • Schematic Protection Model and variation • Mandatory • Confidentiality model - Bell-LaPadula • Integrity model • Biba, Lipner’s, Clark-Wilson • Hybrid • Chinese wall
Confidentiality Policy • Also known as information flow policy • Integrity is secondary objective • Eg. Military mission “date” • Bell-LaPadula Model • Formally models military requirements • Information has sensitivity levels or classification • Subjects have clearance • Subjects with clearance are allowed access • Multi-level access control or mandatory access control
Bell-LaPadula: Basics • Mandatory access control • Entities are assigned security levels • Subject has security clearance L(s) = ls • Object has security classification L(o) = lo • Simplest case: Security levels are arranged in a linear order li< li+1 • Example Top secret > Secret > Confidential >Unclassified
“No Read Up” • Information is allowed to flow up, not down • Simple security property: • s can read o if and only if • lo≤ lsand • s has read access to o • Combines mandatory (security levels) and discretionary (permission required) • Prevents subjects from reading objects at higher levels (No Read Up rule)
“No Write Down” • Information is allowed to flow up, not down • *property • s can write o if and only if • ls≤ lo and • s has write access to o • Combines mandatory (security levels) and discretionary (permission required) • Prevents subjects from writing to objects at lower levels (No Write Down rule)
Categories • Total order of classifications not flexible enough • Alice cleared for missiles; Bob cleared for warheads; Both cleared for targets • Solution: Categories • Use set of compartments (from power set of compartments) • Enforce “need to know” principle • Security levels (security level, category set) • (Top Secret, {Nuc, Eur, Asi}) • (Top Secret, {Nuc, Asi}) • Combining with clearance: • (L,C) dominates (L’,C’) L’ ≤L and C’ C • Induces lattice of security levels
Lattice of categories {Nuc, Eur, Us} • Examples of levels • (Top Secret, {Nuc,Asi}) dom (Secret, {Nuc}) • (Secret, {Nuc, Eur}) dom (Confidential, {Nuc,Eur}) • (Top Secret, {Nuc}) dom (Confidential, {Eur}) • Bounds • Greatest lower, • Lowest upper • glbof {X, Nuc, Us} & {X, Eur, Us}? • lubof {X, Nuc, Us} & {X, Eur, Us}? {Nuc, Eur} {Nuc, Us} {Eur, Us} {Us} {Nuc} {Eur} {}
Integrity policy • Requirements different than confidentiality policies • Biba’s models • Low-Water-Mark policy • Ring policy • Strict Integrity policy • Lipner’s model • Combines Bell-LaPadula, Biba for a more practical software development and deployment process • Clark-Wilson model • Transaction integrity • Separation of duty
Biba’s Integrity Policy Model • Based on Bell-LaPadula • Subject, Objects • Integrity Levels with dominance relation • Higher levels • more reliable/trustworthy • More accurate • Information transfer path:Sequence of subjects, objects where • siroi • siwoi+1
Policies • Low-Water-Mark Policy • swo i(o) ≤i(s) prevents writing to higher level • sro i’(s) = min(i(s), i(o)) drops subject’s level • s1xs2 i(s2) ≤i(s1) prevents executing higher level objects • Ring Policy • sro allows any subject to read any object • swo i(o) ≤i(s) (same as above) • s1xs2 i(s2) ≤i(s1) • Biba’s Model: Strict Integrity Policy (dual of Bell-LaPadula) • sro i(s) ≤i(o) (no read-down) • swo i(o) ≤i(s) (no write-up) • s1xs2 i(s2) ≤i(s1) • Theorem for each: • If there is an information transfer path from object o1 to object on+1, then the enforcement of the policy requires that i(on+1) ≤i(o1) for all n>1
Requirements of Commercial Integrity Policies (Lipner) • Users will not write their own programs, but will use existing production programs and databases. • Programmers will develop and test programs on a nonproduction system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system. • A special process must be followed to install a program from the development system onto the production system. • The special process in requirement 3 must be controlled and audited. • The managers and auditors must have access to both the system state and the system logs that are generated.
Integrity Policy: Principles of operation • Requirements induce principles of operation: • Separation of Duty: Single person should not be allowed to carry out all steps of a critical function • Moving a program from Dev. to Prod. system • Developer and Certifier (installer) of a program • Authorizing checks and cashing it • Separation of function • Do not process production data on development system • Auditing • Emphasis on recovery and accountability • Controlled/audited process for updating code on production system
RBAC (NIST Standard) Permissions PA UA Users Roles Operations Objects user_sessions (one-to-many) role_sessions (many-to-many) Sessions An important difference from classical models is that Subject in other models corresponds to a Session in RBAC
Advantages of RBAC • Allows Efficient Security Management • Administrative roles to manage other roles • Role hierarchy allows inheritance of permissions • Principle of least privilege • Minimizes damage • Separation of Duties constraints • Prevents fraud • Grouping Objects • Permissions can be grouped according to a class of objects • Policy-neutrality • Provides generality
Core RBAC (relations) • Permissions = 2Operations x Objects • UA ⊆ Users x Roles • PA ⊆ Permissions x Roles • assigned_users: Roles 2Users • assigned_permissions: Roles 2Permissions • Op(p): set of operations associated with permission p • Ob(p): set of objects associated with permission p • user_sessions: Users 2Sessions • session_user: Sessions Users • session_roles: Sessions 2Roles • session_roles(s) = {r | (session_user(s), r) UA)} • avail_session_perms: Sessions 2Permissions
RBAC with General Role Hierarchy RH (role hierarchy) Permissions PA UA Users Roles Operations Objects user_sessions (one-to-many) role_sessions (many-to-many) Sessions
RBAC with General Role Hierarchy • authorized_users: Roles 2Users authorized_users(r) = {u | r’ ≥ r &(r’, u) UA) • authorized_permissions: Roles 2Permissions authorized_users(r) = {p | r’ ≥ r &(p, r’) PA) • RH ⊆ Roles x Roles is a partial order • called the inheritance relation • written as ≥. (r1 ≥ r2) authorized_users(r1) ⊆ authorized_users(r2) & authorized_permisssions(r2) ⊆ authorized_permisssions(r1)
pp px, py px, py px, py px, py px, py px, py e10 e8, e9 e6, e7 e5 e3, e4 e1, e2 po pa, pb pm, pn px, py p1, p2 Example authorized_users(Employee)? authorized_users(Administrator)? authorized_permissions(Employee)? authorized_permissions(Administrator)?
Constrained RBAC RH (role hierarchy) Static Separation of Duty Permissions PA UA Users Roles Operations Objects user_sessions (one-to-many) Dynamic Separation of Duty Sessions
Static Separation of Duty • SSD ⊆2Roles x N • In absence of hierarchy • Collection of pairs (RS, n) where RS is a role set, n ≥ 2; for all (RS, n) SSD, for allt ⊆RS: |t| ≥ n ∩rtassigned_users(r)= • In presence of hierarchy • Collection of pairs (RS, n) where RS is a role set, n ≥ 2; for all (RS, n) SSD, for allt ⊆RS: |t| ≥ n ∩rtauthorized_uers(r)=
Dynamic Separation of Duty • DSD ⊆2Roles x N • Collection of pairs (RS, n) where RS is a role set, n ≥ 2; • A user cannot activate n or more roles from RS • What if both SSD and DSD contains (RS, n)? • Consider (RS, n) = ({r1, r2, r3}, 2)? • If SSD – can r1, r2 and r3 be assigned to u? • If DSD – can r1, r2 and r3 be assigned to u?
MAC using RBAC HR LW H Read Roles (same lattice) Write Roles (inverse lattice) M1R M2R M1W M2W M1 M2 BLP LR H L • Transformation rules • R = {L1R, L2R,…, LnR, L1W, L2W,…, LnW} • Two separate hierarchies for {L1R, L2R,…, LnR} and { L1W, L2W,…, LnW} • Each user is assigned to exactly two roles: xR and LW • Each session has exactly two roles yR and yW • Permission (o, r) is assigned to xR iff (o, w) is assigned to xW)
Security for Grid-based Computing SystemsIssues and Challenges
What is a Grid? • Enabling the coordinated use of geographically distributed resources — in the absence of central control, omniscience, strong trust relationships connect distributed heterogeneous high performance computer, computer cluster, large-scale database server and large-scale file server with high-speed interconnection network and integrate them into a transparent virtual high-performance computing environment. — Ian Foster
What is a Grid? • Systems & applications that integrate and manage resources and services distributed across multiple security domains • Large and dynamic pool of users and resources • Sharing is highly controlled & coordinated • Dynamic creation of services • Form virtual organizations (VO) • Collaboration is dynamic, ad-hoc • Resource providers belong to different real organizations employing different policies and mechanisms
What is a Grid? Domain 1 Domain 3 Virtual Organization Policy Domain 2 Domain 4 Essentially a Dynamic Multidomain Environment
Grid Security • Globus Toolkit (GT) includes Grid Security Infrastructure (GSI) • PKI to support identity mapping, single sign-on, delegation • GT2 • X.509 certificate, TLS, SSL protocol • Proxy certificate for delegation • Community Authorization Service • GT3 – Open Grid Services Architecture (OGSA) • Align Grid with web services technologies
Limitation of Classic Globus Authorization • Scalability • Each personnel or policy change requires changing policy at each participating site • Authorization is done at VO as well as in each site • Authorization information needs to be managed by individual local site • Expressivity • Native OS methods may not be expressive enough to support VO policies • Consistency • Native OS methods at different sites may not support the same kinds of policies
Grid Challenges • Individual hosts (resource providers) • Each domain must specify highly dynamic set of access control policies • Challenges • Highly flexible access control framework (attribute-based AC) • Multi-domain problem • Multiple policies need to be integrated • Challenges • Multidomain challenges! • Trust issues and Risk management
Secure interoperation • Challenges • Expressive multi-domain policy specification framework • Automation of the integration of policies • Algorithms to detect violations and compute maximal secure interoperation scalability? Policy negotiation Issues (trust) Delegation Identity/Credential mapping
Security Management • Tools and techniques needed to support efficient administration of Grid security • Grid can scale to Internet size • Dynamically changing resource pool • Protection objects may include • Compute cycle; storage elements • Sophisticate instruments • Data (files and database elements) • Services • High level information knowledge/concepts • Dynamic pool of users with diverse credentials • Identity/credential management • Policies and mechanisms evolve
Trust and Risk Management • Trust management is essential for dynamic collaboration environment • Trust-based authorization • Absolute security is not possible • Single point of failure situation • Security assurance may vary • Grid resources may be very sensitive • Trust and risk issues become very crucial • Impact severity of information leaks? • How to control propagation of risks?
Grid Challenges • Individual hosts (resource providers) • flexible access control framework • Multi-domain problem • Semantic heterogeneity & secure interoperability • Security management • Trust issues and Risk management
Local Policy Base Local Policy Base Access Control Module Local Policy Base Multidomain Security Application (e.g., workflow) Application (e.g., workflow) Lightly-coupled Access Control Module Access Control Module Trust-based Application (e.g. workflow) User’s access requests User’s authorization Access Control Module Global Policy Base Application (e.g., workflow) Application (e.g., workflow) Tightly-coupled (Federated system) Access Control Module Local Policy Base
Semantic heterogeneity • Different systems may use different security policies • e.g., DAC, MAC, Chinese wall, Integrity policies etc. • Variations of the same policies • e.g., BLP model and its several variations • Naming conflict on security attributes • Similar roles with different names • Similar permission sets with different role names • Structural conflict • different multilevel lattices / role hierarchies
Secure Interoperability • Principles of secure interoperation Principle of autonomy • If an access is permitted within an individual system, it must also be permitted under secure interoperation in a multi-domain environment. Principle of security • If an access is not permitted within an individual system, it must not be permitted under secure interoperation. • Interoperation of secure systems can create new security breaches
Unsecure Interoperability A X A X d c a a Y Y B C B C b b D Z D Z 2 1 2 1 F12 = {a, b, c, d} F12 = {a, b} (1) F12 = {a, b, d} Direct access (2) F12 = {c} F12 - permitted access between systems 1 and 2
Challenges in Secure Interoperability • How to ensure autonomy and security principles? • Determining inconsistencies/incompleteness in security rules. • Identifying security holes • Selecting optimality criteria for secure interoperability: maximizing number of domains, direct accesses
Assurance and Risk Propagation & Security Management • Assurance and Risk propagation • Breach in one domain can render the whole environment insecure • Cascading problem • Security Management • Centralized/Decentralized • Managing global metapolicy • Managing policy evolution
Approaches to Multidomain Problem • Policy-Metapolicy specification framework • Ad-hoc, Formal models: lattice merging, RBAC • Agent based approach (Policy agents) • Architectural approaches (CORBA, DCE)
A Multi-Domain Access Control Framework • A Multi-Phase Framework • Based on RBAC model Pre-integration Policy Comparison Policy Conformance Merging/ Restructuring Need external mediation policy to handle conflicts/incompleteness Consistent, complete and optimal specification
Pre-integration Phase • Requires RBAC representation of arbitrary policies. A policy mapping technique is needed for non-RBAC systems. • Uses an information base • Semantic information about domains including policies, roles and attributes • Integration/merging strategies to generate the overall configuration of the multi-domain environment.
Policy Comparison and Conformance • Tools & techniques for detecting • Semantic conflicts • Naming conflicts • Structural conflicts • Rule conflicts • Mediation policies are needed for resolution • Predefined meta-policies • Domain cooperation by administrators • Tradeoffs • Determine optimal/heuristic solutions secure interoperability
[De] Merging/Restructuring • Merging/integrating policies • Restructure domain policies according to the selected optimal criteria • Generate integrated global policy • Repeat policy conformance step • Re-evaluation and restructuring of meta-policy