Access Control: A Meta-Model
Dennis Kafura – CS5204 – Operating Systems
Motivation
• Goal: develop a general and semantically well-grounded model of access control from which specific access control systems can be expressed by specializing the model's elements.
• Advantages:
  • Explicates the fundamental principles of access control
  • Provides a common basis for specifying access control and for understanding the relationships among access control models
  • Facilitates sharing of access control policy information across models
  • Is the basis for developing policy languages with a solid semantic foundation
Based on the work of Steve Barker, King's College London (deceased: Jan 2012)
Fundamental Concepts
• Elements (all countable sets)
  • Categories, C, denoted c0, c1, …
  • Principals, P, denoted p0, p1, …
  • Actions, A, denoted a0, a1, …
  • Resource identifiers, R, denoted r0, r1, …
  • Situational identifiers, S, denoted s0, s1, …
  • Event identifiers, E, denoted e0, e1, …
• Meaning
  • Categories represent groups or classes sharing, for example, a common attribute, a similar level of trust, or the same security clearance.
  • Principals are individuals or agents.
  • Actions are operations that can be performed on Resources.
  • Situations are contexts and Events are significant occurrences.
Fundamental Concepts
• Relations
Fundamental Concepts
[Figure: a principal p is assigned by PCA to a category C; a permission (a, r) is assigned by ARCA to a category C'; the result is the authorization (p, a, r).]
• Meta-model, M
  • core axiom:
• By choosing different definitions of pca, contains, and arca, the model M can be specialized to define different access control models.
Defining the PCA Relation
• Form
  • where Pi is a condition, Li is a literal, and Ci is a constraint
• Example: "Principals are assigned to the pref(erred) category if they are categorized as being loyal and their current account balance is greater than 1000 Euro (which causes them to be categorized as members of the goodbalance category)."
Defining the PCA Relation
• Conditions and literals
  • may also be defined "remotely" (by another authority)
  • written as:
• Example: "Principals that are categorized as having a clean driving license (CDL) according to the Driving Vehicle Licensing Authority database (dvla), or that have preferred status (ps), are assigned to the 'most-valued customer' (MVC) category."
Specializing the contains and par Relations
• Hierarchical RBAC
  • Each role is represented by a category
  • The contains relation is defined as a partial order on pairs of categories (roles)
  • The RBAC model can then be expressed as:
  • Note: this is just the core axiom under a particular interpretation of categories and containment
Specializing the contains and par Relations
• The Bell-LaPadula (multilevel security) model
• Relations
  • The categories are interpreted as security levels (e.g., public, classified, secret, top secret)
  • The contains relation is an ordering of categories consistent with the notion of security level (e.g., contains(top secret, secret))
  • The par relation is defined as:
  • The first rule is "no read up" and the second is "write at same level"
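The following is an added example, not code from the slides or from Barker's paper: a small evaluator for the core axiom over pca, contains and arca, specialized first to hierarchical RBAC and then to Bell-LaPadula as the slides describe it. The direction of contains (contains(c, c2) lets principals in c use permissions assigned to c2, matching the slides' contains(top secret, secret)) and all principals, roles and resources are my assumptions.

```python
from itertools import product

def closure(contains, categories):
    """Reflexive-transitive closure of contains. Assumption (my reading of the
    slides' contains(top secret, secret)): contains(c, c2) means principals in c
    may use permissions assigned to c2, and containment chains compose."""
    rel = set(contains) | {(c, c) for c in categories}
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(rel), repeat=2):
            if b == c and (a, d) not in rel:
                rel.add((a, d))
                changed = True
    return rel

def par(pca, contains, arca):
    """Core axiom as read from the slides: par(p, a, r) holds whenever pca(p, c),
    contains(c, c2) and arca(a, r, c2) hold for some categories c, c2."""
    cats = ({c for _, c in pca} | {c for pair in contains for c in pair}
            | {c for _, _, c in arca})
    cont = closure(contains, cats)
    return {(p, a, r) for (p, c) in pca for (c1, c2) in cont if c1 == c
            for (a, r, c3) in arca if c3 == c2}

# Specialization 1: hierarchical RBAC. Roles are categories and contains is the
# role partial order (a manager inherits everything an employee may do).
RBAC_PCA = {("alice", "manager"), ("bob", "employee")}        # constructed sample
RBAC_CONTAINS = {("manager", "employee")}
RBAC_ARCA = {("read", "payroll", "manager"), ("read", "handbook", "employee")}

def rbac_authorizations():
    return par(RBAC_PCA, RBAC_CONTAINS, RBAC_ARCA)

# Specialization 2: Bell-LaPadula as the slides state it. Categories are levels;
# reads use the level ordering ("no read up"), writes use an empty contains so
# only the reflexive pairs survive ("write at same level").
LEVELS = ["top_secret", "secret", "classified", "public"]     # highest first
BLP_PCA = {("carol", "top_secret"), ("dave", "public")}        # constructed sample
BLP_ARCA_READ = {("read", "war_plan", "secret"), ("read", "newsletter", "public")}
BLP_ARCA_WRITE = {("write", "war_plan", "secret"), ("write", "newsletter", "public")}

def blp_authorizations():
    ordering = set(zip(LEVELS, LEVELS[1:]))   # contains(top_secret, secret), ...
    return par(BLP_PCA, ordering, BLP_ARCA_READ) | par(BLP_PCA, set(), BLP_ARCA_WRITE)

if __name__ == "__main__":
    for triple in sorted(rbac_authorizations() | blp_authorizations()):
        print(triple)
```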
Specializing the arca Relation
• Example:
  • Policy: A principal's request to buy gold is permitted provided that the amount of gold requested is not greater than the current stock level recorded in v1. In a gold market that is currently categorized as "volatile" according to the source v2, a principal is permitted to buy a maximum of 50 units of gold. All principals are permitted, provided that the principal is not in the "debtor" category.
  • Rules:
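An added example (mine, not the slides' rules) encoding the gold-market policy above, with arca defined by conditions on the two external sources v1 and v2 and the debtor exclusion applied through pca. The source values, principals and category names are constructed for illustration.

```python
STOCK_V1 = {"gold": 120}            # v1: current stock level (constructed)
MARKET_V2 = {"gold": "volatile"}    # v2: current market categorisation (constructed)
PCA = {("erin", "customer"), ("frank", "customer"), ("frank", "debtor")}

def arca(action, resource, category, amount, stock=STOCK_V1, market=MARKET_V2):
    """arca(buy, gold(amount), category) holds for any category when the amount
    is within v1's recorded stock and, while v2 categorizes the market as
    volatile, at most 50 units are requested."""
    if (action, resource) != ("buy", "gold"):
        return False
    if amount > stock["gold"]:
        return False                     # exceeds the stock level recorded in v1
    if market["gold"] == "volatile" and amount > 50:
        return False                     # volatile-market cap from v2
    return True

def may_buy_gold(principal, amount, pca=PCA, **sources):
    """par(p, buy, gold(amount)): some category of p satisfies arca and p is not
    in the debtor category (the policy's "not in the debtor category" clause)."""
    if (principal, "debtor") in pca:
        return False
    return any(arca("buy", "gold", c, amount, **sources)
               for (p, c) in pca if p == principal)

if __name__ == "__main__":
    print(may_buy_gold("erin", 40), may_buy_gold("erin", 60), may_buy_gold("frank", 10))
```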
Other Expressions
• Time-dependent expressions
  • For a time interval [Tstart, Tstop]
  • Relations may be defined as
  • and
Other Expressions
• Trusted third-party claims (aka certificates)
  • A claim/certificate issued by v can be expressed as
• Composition
  • The authorizations of two models can be combined as
• Inconsistencies
  • Single assignment:
  • Separation of duties: (me(C, C') means that C and C' are mutually exclusive)
  • Prerequisites:
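An added example (mine, not from the slides) that audits a pca relation against the three inconsistency forms listed above. The readings are my assumptions: separation of duties me(C, C2) means no principal is assigned to both C and C2; a prerequisite (C, C2) means a principal in C must also be in C2; single assignment means a principal holds at most one category. The sample assignments are constructed.

```python
from collections import defaultdict

PCA = {("alice", "approver"), ("alice", "requester"), ("bob", "auditor"),
       ("carol", "approver"), ("carol", "staff"), ("dave", "approver")}   # constructed
ME = {("approver", "requester")}        # me(approver, requester)
PREREQ = {("approver", "staff")}        # approver requires staff (assumed reading)

def categories_of(pca):
    """Group the pca relation by principal."""
    by_principal = defaultdict(set)
    for p, c in pca:
        by_principal[p].add(c)
    return by_principal

def find_inconsistencies(pca, me, prereq, single_assignment=False):
    """Return (kind, principal, detail...) tuples for every violated constraint."""
    problems = []
    for p, cats in sorted(categories_of(pca).items()):
        for c, c2 in sorted(me):                 # separation of duties
            if c in cats and c2 in cats:
                problems.append(("separation_of_duties", p, c, c2))
        for c, c2 in sorted(prereq):             # prerequisites
            if c in cats and c2 not in cats:
                problems.append(("prerequisite", p, c, c2))
        if single_assignment and len(cats) > 1:  # single assignment (assumed reading)
            problems.append(("single_assignment", p, tuple(sorted(cats))))
    return problems

if __name__ == "__main__":
    for problem in find_inconsistencies(PCA, ME, PREREQ, single_assignment=True):
        print(problem)
```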
Examples
• Example: No principal that v1 says is a debtor can be given anything other than unclassified clearance by v2.
• Example: A resource may not be read more than once per day by a given principal (useful for satisfying the Principle of Least Privilege).
Practical Benefits
• Facilitates sharing of access control information
  • Across applications
  • Across models
• Aids policy administrators/authors
  • Via specialization of general axioms
  • Rapid prototyping of access control policies
• Supports development of policy languages
  • Various syntaxes built on top of precise semantics
  • E.g., can be represented in RuleML