350 likes | 791 Views
Shuman Guo CSc8320. 8.2 Discretionary Access Control Models. Outline. Discretionary Access Control Model Access Control Matrix (ACM) Distributed Compartments Implementations of ACM Comparison of ACL & CL References. Discretionary Access Control .
E N D
Shuman Guo CSc8320 8.2 Discretionary Access Control Models
Outline • Discretionary Access Control Model • Access Control Matrix (ACM) • Distributed Compartments • Implementations of ACM • Comparison of ACL & CL • References
Discretionary Access Control • Discretionary security models provide access control on an individual basis. • Access control is based on • User’s identity and • Access control rules • Most common administration: owner based • Users can protect what they own • Owner may grant access to others • Owner may define the type of access given to others Source: Randy, 97
Access Control matrix • Access Control Matrix model is perhaps the most fundamental and widely used discretionary access control model for enforcing simple security policies. • Resource and process protection can use separate access control matrices. Source: Randy, 97
Access Control Matrix Source: Randy, 97
Access Control Matrix • Reducing the Size of Access Control Matrix • Subject rows in the ACM that have identical entries i.e subjects that have similar access rights on common objects , could be merged into groups. • If a user belongs to more than one group, its access rights is the union of all access rights of all the groups it belongs to. • Similarly Object columns with same entries could be merged into ‘categories’ Source: Randy, 97
Distributed Compartment • A distributed application with collaborating processes may consists of subject users and object resources crossing the physical boundaries of physical resources. • Here, a logical ACM called a ‘distributed compartment’ that regulates access among the collaborating users would serve a better purpose. • These handles are application oriented and they provide a protective wall around an application and are authenticated by the application Source: Randy, 97
Compartment Access using Distributed Handles Distributed Compartment Collaborating Subjects & Objects across nodes boundaries with application oriented ACM Local Subjects & Objects Local Subjects & Objects A Distributed Compartment Model Source: Randy, 97
Distributed Compartment • The distributed compartment model has a number of advantages • The grouping of subjects and objects is logical and application specific. • The accesses are more transparent since they do not depend on the operating systems and administrative units. • Since the application manages the distributed handles, it allows different security policies to be implemented Source: Randy, 97
Implementations OF ACM • For efficiency and organizational purposes , access control matrices need to be partitioned • The Linked list structure that contains all entries in a column for a particular object is called a Access control List (ACL) for the object. • An ACL specifies the permissible rights that various subjects have on the object • Likewise all entries in a row for a subject is called a Capability List (CL) for the subject . • A CL specifies privileges to various objects held by a subject Source: Randy, 97
Comparison of ACL & CL • Comparison in terms of management functions • Authentication • Reviewing of Access Rights • Propagation of Access Rights • Revocation of Access Rights • Conversion between ACL and CL Source: Randy, 97
AUTHENTICATION • ACL Authenticates subjects, which is performed by the system • While in CL, authentication is performed on capabilities of objects , by the object server. • Objects have knowledge of the capabilities ,but do not know the users or processors. This is one of the reasons why many Distributed implementations favor the CL approach Source: Randy, 97
Review Of Access Rights • To know which subjects are authorized to use a certain objects. • Easier to review ACL, because ACL contains exactly this information. For storage efficiency subject grouping, wildcards ,prohibitive rights could also be used. • It is difficult to review for a CL unless some type of activity log is kept for all subjects that are given the capability Source: Randy, 97
Propagation Of Access Rights • Access rights must be replicatable to facilitate sharing. • Propagation is Duplication of some or all the privileges from one subject to the others. • Propagation is not transfer of rights, it is only duplication. • In ACL, propagation of rights is explicitly initiated by a request to the object server, which modifies or adds an entry to its ACL. Source: Randy, 97
PROPAGATION OF ACCESS RIGHTS… • Propagation of rights must adhere to the principle of least principles. • i.e. Only the minimum privileges required to perform the tasks are given when propagating the rights • In CL, theoretically it is propagate rights between subjects without intervention of object server. • This could result in an uncontrollable system and hence is avoided. Source: Randy, 97
Revocation Of Access Rights • Revocation is trivial in ACL because it is easy to delete subject entries from the ACL. • It is difficult for CL’s to revoke access selectively. Source: Randy, 97
Conversion Between ACL & CL • Interactions among processes involving different Access control models would require gateways for conversions. • Conversion to ACL is straightforward. • Consider example of processes in a CL requiring to access remote objects in ACL • Gateway Authenticates the process identifier. • It Then verifies the operation in the capability list. • The request is then converted to ACL and is presented to the remote host Source: Randy, 97
Conversion Between ACL & CL • Converting a ACL request to CL is slightly more complex • Requires a database with resource capabilities for the interacting processes • Gateway validates the ACL request • obtains the resource capability from the database server • Capability is then presented to capability based object server. • A system utilizing both ACL and CL suffers the drawback of both approaches • Furthermore the conversions causes additional security hazards Source: Randy, 97
Related research • Information Flow Control in Object-Oriented Systems [2] [1997] • In this paper, Samarati describes a high assurance discretionary access control model for object-oriented systems. The model not only ensures protection against Trojan horses leaking information, but provides the flexibility of discretionary access control at the same time.
CONT’D • Access Control Model in Object-Oriented Systems [Izaki ,2000] • The authors discuss a discretionary access control model to realize secure object-oriented systems. An object is manipulated only through methods supported by the object. Classes and objects are hierarchically structured in generalization (is-a) and aggregation (part-of) relations. They discuss how to authorize and inherit access rights on classes and objects in the hierarchical structure.
CONT’D • A layered design of discretionary access controls with decidable safety properties [Solworth,2004] • Solworth present a general access control model which can be parameterized at the second layer to implement (express) any of the standard Discretionary Access Control (DAC) models. They show that the safety problem is decidable for any access control model implemented using our general access control model. Until now, all general access control models that were known to be sufficiently expressive to implement the full range of DAC models had an undecidable safety problem. Thus, given our model all of the standard DAC models (plus many others) can be implemented in a system in which their safety properties are decidable.
CONT’D • Managing Information Flows on Discretionary Access Control Models [Lin,2006] • In 1989, Brewer and Nash (BN) presented a fascinating idea, called Chinese wall security policy model, for commercial security. Their idea was based on the analysis of the notion, Conflict of Interest binary Relation (CIR). Unfortunately, their formalization did not fully catch the appropriate properties of CIR. In this paper, Lin present a theory based on granulation that has captured the essence of BN's intuitive idea. The results are more than the Chinese wall models: Malicious Trojan horses in certain DAC Model (discretionary access control) can be controlled or confined.
References [1] Randy Chow & Theodore Johnson, 1997,“Distributed Operating Systems & Algorithms”, (Addison-Wesley), p. 271 to 278 [2]Samarati, P.; Bertino, E.; Ciampichetti, A.; Jajodia, S.; “Information flow control in object-oriented systems”. Knowledge and Data Engineering, IEEE Transactions on Volume 9, Issue 4, July-Aug. 1997 Page(s):524 - 538 [3]Izaki, K.; Tanaka, K.; Takizawa, M.;“Access control model in object-oriented systems” Parallel and Distributed Systems: Workshops, Seventh International Conference on, 2000 4-7 July 2000 Page(s):69 - 74 [4]Lin, Tsau Young (T. Y.); “Managing Information Flows on Discretionary Access Control Models” Systems, Man and Cybernetics, 2006. ICSMC '06. IEEE International Conference onVolume 6, 8-11 Oct. 2006 Page(s):4759 - 4762 [5]Solworth, J.A.; Sloan, R.H.;“A layered design of discretionary access controls with decidable safety properties” Security and Privacy, 2004. Proceedings. 2004 IEEE Symposium on 9-12 May 2004 Page(s):56 - 67
QUESTIONS ? Thank you!