Policy-Based Systems System Security
Previous lectures • We have discussed the 4 main models of access control: • Discretionary Access Control (DAC) • Mandatory Access Control (MAC) • Bell-LaPadula for Confidentiality • Biba for Integrity • Role-based Access Control (RBAC) • Usage Control (UCON)
Policy-based Access Control (P-bAC) • A policy is a rule governing the behaviour of a system. • In P-bAC, an authorization policy governs the access rights of subjects over targets • "target" and "object" have the same meaning
P-bAC Advantages • Policies are specified independently of entities • Provide at a glance a coherent view of the access control in a system • Give a neat separation between access control logic and the enforcement mechanism
P-bAC Approaches • There are several approaches that use policies for access control: • XACML • Ponder2 • Policy Description Language (PDL) • REI • Firewall rules
Authorization Policies • Policy template: subject, action, target when condition then decision • Subject: entity that wants to perform an action • Action: an operation on the resources (open, read, write, etc.) • Target: a resource on which a subject wants to operate • Condition: a Boolean expression to represent context • Decision: policy outcome (allow, deny, kill, ask, etc.)
Policy Enforcement Architecture IETF - RFC 2753
Policy Enforcement Point (PEP) • The point where the policy decisions are actually enforced • PEP collects information about: • who the subject is • what action is going to execute • which target is going to be accessed
Example – Intercepting • The subject (Andrew) wants to perform a read operation on foo • The PEP intercepts the action and creates a tuple (Andrew, read, foo) • The PEP passes the tuple to the Policy Decision Point (PDP)
Example – Retrieving Policies • Once the PDP receives the tuple, it retrieves the relevant policies from the PR matching the tuple
Example – Evaluating • Once the PDP receives the tuple, it retrieves the relevant policies from the PR matching the tuple • The PDP asks the Policy Information Point (PIP) for the current time • Now the PDP is able to evaluate the policy • Because the condition part is true, the decision returned by the policy is allow
Example – Enforcing • The PDP informs the PEP that the operation can be allowed • The PEP lets the operation be executed
Fine-grained control through PEPs • Traditionally, access control mechanisms are concerned with checking before the access takes place • A finer-grained control can be achieved by placing multiple Policy Enforcement Points (PEPs) between the subject and target
Policy Combination - I • Both policies match the tuple from the PEP • Both policies are valid when evaluated by the PDP • Which one should be applied?
Policy Combination - II • Both policies match the tuple from the PEP • Both policies are valid when evaluated by the PDP • Which one should be applied?
Conflict Resolution • A robust P-bAC system has to provide a conflict resolution mechanism • The conflict resolution has to be performed at the PDP to return a univocal decision to the PEP • Several conflict resolution techniques: • Policy order • Decision priority • Specificity of policy arguments • …
Ordered Conflict Resolution • The first policy that applies is used • In this case the PDP returns the decision deny • This mechanism is used in Firewall rules
Decision Priority Conflict Resolution • Requires an ordered decision set • In this case the PDP returns the decision allow
Most Specific Policy First • The policy with the most specific arguments takes priority • In this case the PDP returns allow • It might be used in combination with other resolution strategies (e.g., when arguments have similar specificity)
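The following is an added worked example (not code from the lecture) of a minimal PDP: it matches the (subject, action, target) tuple built by the PEP against policies of the form "when condition then decision", evaluates conditions against context obtained from the PIP, and resolves conflicts with the three strategies above. The policy set, the closed-world "deny" default and the decision ranking are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

Request = tuple[str, str, str]  # (subject, action, target) tuple built by the PEP

@dataclass(frozen=True)
class Policy:
    subject: str                       # "*" is a wildcard argument
    action: str
    target: str
    condition: Callable[[dict], bool]  # evaluated against context from the PIP
    decision: str                      # "allow" or "deny"

    def matches(self, req: Request) -> bool:
        fields = (self.subject, self.action, self.target)
        return all(f in ("*", r) for f, r in zip(fields, req))

    def specificity(self) -> int:
        # number of non-wildcard arguments; higher means more specific
        return sum(f != "*" for f in (self.subject, self.action, self.target))

def decide(policies: list[Policy], req: Request, context: dict,
           strategy: str = "ordered", priority: tuple = ("deny", "allow")) -> str:
    """PDP: keep the policies that match the tuple and whose condition holds,
    then resolve conflicts. Returns a single decision for the PEP."""
    applicable = [p for p in policies if p.matches(req) and p.condition(context)]
    if not applicable:
        return "deny"  # closed-world default when no policy applies (assumption)
    if strategy == "ordered":      # first applicable policy wins (firewall style)
        return applicable[0].decision
    if strategy == "priority":     # ordered decision set; default is deny-overrides
        return min(applicable, key=lambda p: priority.index(p.decision)).decision
    if strategy == "specific":     # policy with the most specific arguments wins
        return max(applicable, key=Policy.specificity).decision
    raise ValueError(f"unknown strategy: {strategy}")

# Constructed policy set: a generic deny on foo before 17:00 and a specific allow for Andrew
POLICIES = [
    Policy("*", "read", "foo", lambda ctx: ctx["hour"] < 17, "deny"),
    Policy("Andrew", "read", "foo", lambda ctx: True, "allow"),
]

if __name__ == "__main__":
    req = ("Andrew", "read", "foo")   # tuple the PEP intercepted
    ctx = {"hour": 10}                # "current time" obtained from the PIP
    for s in ("ordered", "priority", "specific"):
        print(s, "->", decide(POLICIES, req, ctx, strategy=s))
```

With both policies applicable, ordered resolution returns deny, deny-overrides priority returns deny (allow-overrides would return allow, as in the lecture's example), and most-specific returns allow.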
Policy Engineering • A P-bAC mechanism is very flexible, but when the number of policies becomes too large it might be difficult to manage • Conflict resolution might help, but it is still up to the security admin to manage the life cycle of policies