240 likes | 478 Views
Access Control. SFS Summer Workshop at UT Chattanooga 2012. Introduction. “Access control” is where security engineering meets computer science. Its function is to control which (active) subject have access to a which (passive) object with some specific access operation. Access
E N D
Access Control SFS Summer Workshop at UT Chattanooga 2012
Introduction • “Access control” is where security engineering meets computer science. • Its function is to control which (active) subject have access to a which (passive) object with some specific access operation. Access Operation object subject
Access Control • Discretionary Access Control (Identity-based) • Role-based Access Control • Mandatory Access Control
Discretionary Access Control • Access to data objects (files, directories, etc.) is permitted based onthe identity of users. • Explicit access rules that establish who can, or cannot, execute which actions on which resources. • Discretionary: users can be given the ability of passing on their privileges to other users, where granting and revocation of privileges is regulated by an administrative policy.
Discretionary Access Control • Access control matrix • Describes protection state precisely • Matrix describing rights of subjects • State transitions change elements of matrix • State of protection system • Describes current settings, values of system relevant to protection
Access Control Matrix Model • Access control matrix • Firstly identify the objects, subjects and actions. • Describes the protection state of a system. • State of the system is defined by a triple (S, O, A) • S is the set of subject, • O is the set of objects, • A is the access matrix • Elements indicate the access rights that subjects have on objects • Entry A[s, o] of access control matrix is the privilege of s on o
Subjects S = { s1,…,sn } Objects O = { o1,…,om } Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects (entities) o1 … oms1 … sn s1 s2 … sn subjects Description
Basic Operations in Access Control • Grantpermissions • Inserting values in the matrix’s entries • Revokepermissions • Remove values from the matrix’s entries • Checkpermissions • Verifying whether the entry related to a subject s and an object o contains a given access mode
Role-based Access Control • Access depends on role/function, not identity • Example: Allison is bookkeeper for Math Dept. She has access to financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records. The role of “bookkeeper” dictates access, not the identity of the individual.
Access control in organizations is based on “roles that individual users take on as part of the organization” A role is “is a collection of permissions” Role Based Access Control (RBAC)
Advantages of RBAC • Allows Efficient Security Management • Administrative roles, Role hierarchy • Principle of least privilege allows minimizing damage • Separation of Duties constraints to prevent fraud • Allows grouping of objects
Vulnerabilities of the Discretionary Policies • No control on the flow the information • Malicious code, i.e., Trojan horse
Trojan Horse Example • Vicky, a top-level manager • A file Market on the new products release • John, subordinate of Vicky • A file called “Stolen” • An application with two hidden operations • Read operation on file Market • Write operation on file Stolen
Example (cond) • Restriction should be enforced on the operations that processes themselves can execute. • Mandatory policies provide a way to enforce information flow control through the use of labels
Mandatory Access Control; Multilevel Security (MLS); Label Security • The data has an associated classification and consequently constraints for their access • Users with different classification levels to get different views from the same data • MLS cannot allow downward leaking, meaning that a user with a lower classification views data stored with a higher classification
Definition and need for MLS • MLS adds classification to data as follows:
Bell – LaPadula Model • The model shows how to use Mandatory Access Control to prevent the Trojan Horse • Classification has four values {U, C, S, TS} • U = unclassified • C = confidential • S = secret • TS = top secret • Classifications are ordered: TS > S > C > U
Two Principles • To protect information confidentiality • No-read-up, a subject is allowed a read access to an object only if the access class of the subject dominate the access class of the object • No-write-down, a subject is allowed a write access to an object only if the access class of the subject is dominated by the access class of the object
No-read-up & No-write-down • Can TS subject write to S object? • Can S subject write to U object? • How to apply to the Trojan Horse case?
Solution to Trojan Horse • Possible classification reflecting the access restrictions: • Secret for Vicky and “Market” • Unclassified to John and “Stolen” • If Vicky connect to system as secret, write is blocked • If Vicky connects to system as unclassified, read is blocked • Is Vicky allowed to write to the unclassified object? How?
Project 1: Run Queries • Follow directions in Project#1 Solution • Experience Oracle 11g • Enterprise Manger • Sqldeveloper • SQL&Plus
Project 2: Access Control and Trojan • Read project requirements from Project #2 • Follow directions in Project #2 Solution • Create users, profiles, roles • Grant roles as well • Check enforcement of access control rules • Run TrojanHorse program and observe results
Project 3: Label Security • Read project requirements from Project #3 • Follow directions in Project #3 Solution • Create EMP_ROLE • Create users • Create Label security policy • Create Levels and Data Labels • Authorize users • Apply to Tables • Let Table owners to update classification labels • Test Access Control Rules • Run TrojanHorse code and observe results