Access control models and policies Aalto University, autumn 2013
Outline • Access control • Discretionary AC • Mandatory AC • Other AC models Models and terminology for thinking about security policies
Access control (AC) • Subjects request actions on objects • Alice wants to read a file • Bob wants to update an account balance • A process wants to open a socket • AC = authentication + authorization • authentication = verifying the identity of the subject • authorization = checking that the subject has the right to perform the requested action on the object
Reference monitor • Reference monitor controls access by subjects to objects • Grants or denies access requests • Logs events to an audit trail • Follows rules set by administrators (i.e. implements a policy) • Trusted computing base (TCB) = all system components that need to be trusted to implement access control • Security kernel = implementation of the reference monitor in an OS • But more about the implementation later; now we are talking about policies (Figure: subjects send access requests to the reference monitor, which consults the access rules, grants or denies access to the objects, and writes events to the audit trail)
Access control matrix • Access control matrix is the simplest, most general AC model • M : Subjects × Objects → P(Actions) • Subject S is allowed to request action A on object O iff A ∈ M(S,O) • AC matrix represents the protection state of a system
Discretionary access control (DAC) • Data owners, usually users, set access rights • Subjects are trusted to make decisions about sharing access rights • Users decide who is allowed to access their files • A user or process that can read a secret file can also share it, e.g. by email • DAC is also called identity-based AC: rights are assigned to users • Typical in commercial and consumer systems • There may be a policy against sharing and access may be audited, but the policy is not enforced technically • Examples of DAC outside computers: • A person with a key can open the door to others; door keys can be shared and copied • Tell your friend a secret on the condition that he does not tell it to anyone else
Access control list (ACL) • ACL = list of the access rights associated with an object • ACLs are another way to represent the AC matrix: one row of the matrix is stored for each object • file1.txt ACL: Alice: { read, write }; Bob: { read }; Process 4567: { read, write }; Process 6789: { append }. • file2.txt ACL: Alice: { write }; Bob: { read }. • Socket s ACL: Process 6789: { open, read, write, close }. • ACL examples: • Key cards, table reservations, Windows file system
Capabilities • Capability = an access right associated with the subject • Capabilities are another way to represent the AC matrix: one column is stored for each subject • Alice’s capabilities: file1.txt: { read, write }; file2.txt: { write }. • Bob’s capabilities: file1.txt: { read }; file2.txt: { read }. • Process 4567 capabilities: file1.txt: { read, write }. • Process 6789 capabilities: file1.txt: { append }; Socket s: { open, read, write, close }. • Examples of capabilities: • metal keys, driver’s license, parking permit
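The three slides above describe one protection state in three forms: the matrix M(S,O), the per-object ACLs and the per-subject capability lists. The following Python is an added example, not code from the lecture; it stores the slides' own sample entries (Alice, Bob, Process 4567, Process 6789, file1.txt, file2.txt, Socket s) as a matrix, answers the reference-monitor question "is A ∈ M(S,O)?", and derives both other representations from it. The function and variable names are my own.

```python
"""Access control matrix with ACL and capability views (added example).

The protection state below is the sample from the ACL/capability slides,
written as a sparse matrix M(S, O) -> set of actions.  A cell that is not
stored is the empty set, i.e. deny.
"""
from collections import defaultdict

ACCESS_MATRIX = {
    ("Alice", "file1.txt"): {"read", "write"},
    ("Alice", "file2.txt"): {"write"},
    ("Bob", "file1.txt"): {"read"},
    ("Bob", "file2.txt"): {"read"},
    ("Process 4567", "file1.txt"): {"read", "write"},
    ("Process 6789", "file1.txt"): {"append"},
    ("Process 6789", "Socket s"): {"open", "read", "write", "close"},
}


def is_allowed(matrix, subject, action, obj):
    """Reference-monitor decision: allow iff A in M(S, O).

    An unknown subject or object has no cell, so the lookup yields the
    empty set and the request is denied (fail closed)."""
    return action in matrix.get((subject, obj), set())


def acl_view(matrix):
    """ACL representation: for each object, the subjects and their rights."""
    acls = defaultdict(dict)
    for (subject, obj), actions in matrix.items():
        if actions:
            acls[obj][subject] = set(actions)
    return dict(acls)


def capability_view(matrix):
    """Capability representation: for each subject, the objects and rights."""
    caps = defaultdict(dict)
    for (subject, obj), actions in matrix.items():
        if actions:
            caps[subject][obj] = set(actions)
    return dict(caps)


def matrix_from_acls(acls):
    """Rebuild the matrix from ACLs, showing the two forms are equivalent."""
    return {(subject, obj): set(actions)
            for obj, entries in acls.items()
            for subject, actions in entries.items()}


def revoke_object_access(acls, obj, subject):
    """Revocation is cheap in the ACL form: edit one object's list.  In the
    capability form the same change means visiting every subject's list."""
    acls.get(obj, {}).pop(subject, None)
    return acls


if __name__ == "__main__":
    print("Alice read file1.txt:", is_allowed(ACCESS_MATRIX, "Alice", "read", "file1.txt"))
    print("Bob write file1.txt:", is_allowed(ACCESS_MATRIX, "Bob", "write", "file1.txt"))
    for obj, entries in acl_view(ACCESS_MATRIX).items():
        print(obj, "ACL:", entries)
    for subj, entries in capability_view(ACCESS_MATRIX).items():
        print(subj, "capabilities:", entries)
```

The point of `revoke_object_access` is the practical difference the slides hint at: an ACL answers "who can access this object?" and supports revocation per object in one place, while a capability list answers "what can this subject do?" and makes revocation per object a search over all subjects.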
Mandatory access control (MAC) • Access rights are based on rules (i.e. policy) set by administration • The AC policy is enforced and cannot be changed by users • Subjects cannot leak access rights to others • User can read a secret file but cannot copy, print or email; file viewer application prevents cut-and-paste and screen shots • One process can access the Internet, another write files to the disk, neither is allowed to do both • MAC is also called rule-based AC • MAC originates from military policies • Intelligence officer may not be allowed to read his own reports • Officer can read a secret document but cannot take a copy out of the room • Officer who has had contact with foreign agents may lose access to classified information
Mandatory access control (MAC) • MAC has some uses in commercial systems • DRM: Alice can play the music she has purchased, but cannot share it • Malware isolation: Host firewall may block potential spyware from making outbound connections to prevent information leaks • Examples of MAC-like policies outside computers: • Biometric authentication prevents sharing of capabilities, e.g. photo on driver’s license or signature on credit card • Admit-one event tickets: UV stamps, shredding bracelets • In UK, jurors must not read newspapers or watch TV about the case so that they are not influenced by them
Clearance and classification • Mandatory access control rules are often based on security labels on subjects and objects • Subject clearance • Object classification • l : (Subjects ∪ Objects) → Labels • MAC based on clearance and classification levels is also called multi-level security (MLS) • Simple security property: S can read O iff l(S) ≥ l(O) (Figure: labels ordered from high to low: Top secret > Secret > Confidential > Unclassified)
Bell-LaPadula model • Bell-LaPadula (BLP) is a MAC policy for protecting secrets • Military security model for computers; military is mostly concerned with protecting secrets • Observation: the simple security property is not sufficient to prevent secrets from leaking • Bell-LaPadula rules: Simple security property: S can read O iff l(S) ≥ l(O) *-property: S can write O iff l(O) ≥ l(S) • Also called: no read up, no write down
Biba model • In computer systems, integrity of data and the system is often more important than confidentiality • Which is more important in a bank IT system? • Biba is a MAC policy for protecting integrity of data • Biba rules: S can write O iff l(S) ≥ l(O) S can read O iff l(O) ≥ l(S) • Also called: no write up, no read down
Information flow security • BLP and Biba are information flow policies • BLP prevents flow of information from high to low • Biba prevents flow of information from low to high • Information flow policies are the basis for many security proofs. Typical proofs show non-interference: • the view of one subject is not affected by the data of the other • low output does not depend on high input, or high output does not depend on low input • How to use BLP and Biba in the same system? (Figure: a system box with high input and low input on one side and high output and low output on the other)
High water mark, low water mark • How to classify an object that is created by combining low and high information? • High water mark policy for secrecy: always set the classification to the highest input • Low water mark policy for integrity: always set the classification to the lowest input • Problem: • Over time, all documents will become top secret with the lowest integrity level
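The four rules from the Bell-LaPadula and Biba slides, the clearance/classification ordering and the water-mark labelling of new objects are compact enough to run. The Python below is an added example, not code from the lecture. It gives every subject and object two independent labels, a confidentiality label checked with BLP and an integrity label checked with Biba, so a request must pass both policies; this pairing is my illustration of running the two in one system, not the lecture's answer to that question. The confidentiality levels are the slides' four classifications; the integrity level names (`untrusted`, `user`, `system`) and all subjects and documents are constructed.

```python
"""BLP and Biba side by side, with high/low water mark labelling (added example).

Labels are dicts {"conf": <confidentiality level>, "integ": <integrity level>}.
Each lattice is a simple linear order, ranked by its index in the list.
"""
CONF_LEVELS = ["Unclassified", "Confidential", "Secret", "Top secret"]  # from the slides
INTEG_LEVELS = ["untrusted", "user", "system"]                           # constructed names
CONF_RANK = {name: i for i, name in enumerate(CONF_LEVELS)}
INTEG_RANK = {name: i for i, name in enumerate(INTEG_LEVELS)}


def blp_can_read(subject, obj):
    """Simple security property: S reads O iff l(S) >= l(O)  (no read up)."""
    return CONF_RANK[subject["conf"]] >= CONF_RANK[obj["conf"]]


def blp_can_write(subject, obj):
    """*-property: S writes O iff l(O) >= l(S)  (no write down)."""
    return CONF_RANK[obj["conf"]] >= CONF_RANK[subject["conf"]]


def biba_can_read(subject, obj):
    """Biba: S reads O iff l(O) >= l(S)  (no read down)."""
    return INTEG_RANK[obj["integ"]] >= INTEG_RANK[subject["integ"]]


def biba_can_write(subject, obj):
    """Biba: S writes O iff l(S) >= l(O)  (no write up)."""
    return INTEG_RANK[subject["integ"]] >= INTEG_RANK[obj["integ"]]


def can_read(subject, obj):
    """Both policies must allow the read: secrecy and integrity are checked independently."""
    return blp_can_read(subject, obj) and biba_can_read(subject, obj)


def can_write(subject, obj):
    return blp_can_write(subject, obj) and biba_can_write(subject, obj)


def label_for_new_object(inputs):
    """Label an object derived from `inputs`: high water mark for secrecy
    (highest confidentiality seen), low water mark for integrity (lowest
    integrity seen).  Applied repeatedly this drives every derived document
    towards (Top secret, untrusted), which is the problem the slide notes."""
    conf = max((o["conf"] for o in inputs), key=CONF_RANK.__getitem__)
    integ = min((o["integ"] for o in inputs), key=INTEG_RANK.__getitem__)
    return {"conf": conf, "integ": integ}


if __name__ == "__main__":
    # Constructed subjects and objects.
    analyst = {"conf": "Secret", "integ": "user"}
    report = {"conf": "Confidential", "integ": "system"}
    ts_doc = {"conf": "Top secret", "integ": "user"}
    web_page = {"conf": "Unclassified", "integ": "untrusted"}
    for name, obj in [("report", report), ("ts_doc", ts_doc), ("web_page", web_page)]:
        print(f"analyst read {name}: {can_read(analyst, obj)}, write {name}: {can_write(analyst, obj)}")
    print("derived document label:", label_for_new_object([report, ts_doc, web_page]))
```

Note how the two policies pull in opposite directions: the analyst may read the less secret `report` but not write to it, may write to but not read `ts_doc`, and may neither read the `untrusted` web page (Biba forbids the read down) nor write to it (BLP forbids the write down).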
Upgrading and downgrading • Upgrading, downgrading: • In practice, security levels need to be changed by humans • E.g. downgrading documents for publication • E.g. upgrading intelligence reports that aggregate a lot of low-level data • Documents may need to be sanitized, i.e. redacted, before downgrading • E.g. removing personal names from military documents before publication • Sanitization may be difficult • E.g. US military painting a black box over text in a PDF; AOL publishing anonymized web search data • High subjects can use covert channels to leak data intentionally, e.g. hide data in photos
Clark-Wilson model • Data integrity cannot always be expressed in terms of MLS, i.e. who has access to what data • E.g. transfers between bank accounts must not change the total balance • Integrity in many commercial systems depends on following the correct procedures • Clark-Wilson model defines rules for commercial systems for how to maintain data integrity: • Transactions must transform data items from a consistent state to another consistent state • Auditing and procedural controls to enforce this (The specific rules could be different in each system) • Clark-Wilson model has not really been implemented; it is important because of the idea of using accounting rules as a model for security policy
Chinese Wall model • Conflicts of interest are common in business: • Consulting company, investment bank, or law office may be advising competing clients and must keep their information separate • The clients are assigned to different employees who do not speak to each other • To avoid conflicts of interest, the access control policy must take into account the information previously accessed by the subject • Chinese Wall model: • If subject S has previously accessed an object O1 and the objects O1 and O2 are in a conflict of interest, then S may not access O2 • Idea: subject can fall to either side of the wall but cannot change sides later
Separation of duty • Chinese Wall is an example of separation of duty • Other separation of duty policies: • Expense claim requires two signatures: the claimant and an authorized approver, e.g. department manager; one person cannot act in both roles for the same expense claim • Auditors are often required to be from outside the company • Some safes have two locks, and the keys are given to two different persons • Lecturers issue grades to students but only study office staff can enter them into the study register • Unlike BLP and Biba, separation of duty policies are stateful
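Unlike the label checks above, the Chinese Wall rule and the two-signature expense claim depend on what a subject has already done, so a policy engine has to keep state. The Python below is an added example, not code from the lecture; it implements the Chinese Wall rule exactly as the slide states it (S may not access O2 if it has accessed an O1 in conflict of interest with O2) and the expense-claim rule from this slide (claimant and approver must be different people). The company names, conflict-of-interest classes and user names are constructed.

```python
"""Stateful access control: Chinese Wall and two-signature separation of duty
(added example).
"""


class ChineseWall:
    """Datasets are grouped into conflict-of-interest (COI) classes.  A subject
    may access a dataset unless it has already accessed a *different* dataset in
    the same COI class: it may fall to either side of the wall once, but cannot
    change sides afterwards."""

    def __init__(self, coi_classes):
        # coi_classes: {"banks": {"BankA", "BankB"}, ...}  ->  dataset -> class name
        self.class_of = {ds: cls for cls, members in coi_classes.items() for ds in members}
        self.history = {}  # subject -> set of datasets already accessed (the state)

    def can_access(self, subject, dataset):
        cls = self.class_of[dataset]
        return all(seen == dataset or self.class_of[seen] != cls
                   for seen in self.history.get(subject, ()))

    def access(self, subject, dataset):
        """Grant and record the access, or deny without changing state."""
        if not self.can_access(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True


class ExpenseClaim:
    """A claim is complete only with two signatures from two different people:
    the claimant and someone on the authorised approver list.  An authorised
    approver who is also the claimant may not approve their own claim."""

    def __init__(self, claimant, approvers):
        self.claimant = claimant
        self.approvers = set(approvers)
        self.signatures = {}  # role -> user who signed (the state)

    def sign(self, user, role):
        if role == "claimant":
            ok = user == self.claimant
        elif role == "approver":
            ok = user in self.approvers and user != self.claimant
        else:
            ok = False
        if ok:
            self.signatures[role] = user
        return ok

    def is_complete(self):
        return {"claimant", "approver"} <= set(self.signatures)


if __name__ == "__main__":
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})
    for ds in ["BankA", "OilX", "BankB", "BankA"]:
        print("alice ->", ds, wall.access("alice", ds))

    claim = ExpenseClaim(claimant="alice", approvers={"alice", "manager"})
    print("alice signs as claimant:", claim.sign("alice", "claimant"))
    print("alice approves own claim:", claim.sign("alice", "approver"))
    print("manager approves:", claim.sign("manager", "approver"), "complete:", claim.is_complete())
```

The `history` and `signatures` dictionaries are what make these policies stateful: the same request (alice reading BankB) is allowed or denied depending on earlier events, which is exactly what BLP and Biba never need to record.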
Groups and roles • Adding structure to policies • Group = set of subjects • E.g. Administrators, T-110.4206-students • Object ACL can list groups in addition to individual users • Both group membership and ACLs change over time • Role = set of permissions (i.e. permitted actions on objects) • E.g. Administrator, T-110.4206-teacher, SCI-professor • Roles are usually relatively static; their assignment to users changes • Both are forms of indirection (Figure: Subjects are mapped many-to-many to Roles or Groups, which are mapped many-to-many to Objects × Actions)
Role-based access control (RBAC) • NIST standard • Modeling high-level roles in an organization • E.g. Doctor, Nurse, Student, Lecturer, Course-assistant • Roles defined once; changed infrequently • Roles may be parameterized • E.g. Treating-doctor of Mr. Smith, Lecturer of T-110.4206, Student of T-110.4206 • Roles may form a hierarchy with inheritance • E.g. Lecturer and Teaching-assistant are Teaching-staff • Roles are assigned to users for longer term but activated on demand for each session • Constraints on role assignment and activation can implement separation of duty
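The RBAC slide lists five features: parameterized roles, a role hierarchy with inheritance, long-term assignment separate from per-session activation, and constraints that implement separation of duty. The Python below is an added example that exercises each of them; it is not code from the lecture or from the NIST standard, and the permissions, course codes and user names are constructed (the course code T-110.4206 is the one the slides use). Roles are `(name, parameter)` pairs, the hierarchy is declared on role names and carries the parameter through, and a mutual-exclusion constraint stops one user from being both Lecturer and Student of the same course.

```python
"""Minimal RBAC with parameterized roles, hierarchy, sessions and a static
separation-of-duty constraint (added example).
"""
from collections import namedtuple

# A role is a name plus an optional parameter, e.g. Role("Lecturer", "T-110.4206").
Role = namedtuple("Role", ["name", "param"])


class RBAC:
    def __init__(self):
        self.perms = {}         # Role -> set of (action, object)
        self.inherits = {}      # role name -> role names whose permissions it also gets
        self.exclusive = set()  # frozensets of role names one user may not hold together
        self.assigned = {}      # user -> set of Role (long-term assignment)

    def add_permission(self, role, action, obj):
        self.perms.setdefault(role, set()).add((action, obj))

    def add_parent(self, role_name, parent_name):
        """role_name inherits every permission of parent_name, e.g.
        Lecturer and Teaching-assistant both inherit from Teaching-staff."""
        self.inherits.setdefault(role_name, set()).add(parent_name)

    def effective_roles(self, role):
        """The role plus everything it inherits from, transitively; the
        parameter (e.g. the course) is carried along the hierarchy."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(Role(parent, r.param) for parent in self.inherits.get(r.name, ()))
        return seen

    def add_exclusion(self, name_a, name_b):
        """Static separation of duty: the two roles, with the same parameter,
        may not both be assigned to one user."""
        self.exclusive.add(frozenset((name_a, name_b)))

    def assign(self, user, role):
        for held in self.assigned.get(user, ()):
            if held.param == role.param and frozenset((held.name, role.name)) in self.exclusive:
                raise ValueError(f"{user}: {role.name} conflicts with {held.name} for {role.param}")
        self.assigned.setdefault(user, set()).add(role)

    def open_session(self, user):
        return Session(self, user)


class Session:
    """Assigned roles only count once activated in the session."""

    def __init__(self, rbac, user):
        self.rbac, self.user, self.active = rbac, user, set()

    def activate(self, role):
        if role not in self.rbac.assigned.get(self.user, ()):
            raise PermissionError(f"{self.user} is not assigned {role}")
        self.active.add(role)

    def allowed(self, action, obj):
        return any((action, obj) in self.rbac.perms.get(r, ())
                   for role in self.active
                   for r in self.rbac.effective_roles(role))


def build_course_policy():
    """Constructed policy for one course; returns the configured RBAC instance."""
    r = RBAC()
    course = "T-110.4206"
    r.add_permission(Role("Teaching-staff", course), "read", f"submissions/{course}")
    r.add_permission(Role("Lecturer", course), "grade", course)
    r.add_permission(Role("Student", course), "read", f"material/{course}")
    r.add_parent("Lecturer", "Teaching-staff")
    r.add_parent("Teaching-assistant", "Teaching-staff")
    r.add_exclusion("Student", "Lecturer")
    r.assign("tuomas", Role("Lecturer", course))
    r.assign("tuomas", Role("Student", "T-110.5999"))  # other course: no conflict
    return r


if __name__ == "__main__":
    rbac = build_course_policy()
    s = rbac.open_session("tuomas")
    print("grade before activation:", s.allowed("grade", "T-110.4206"))
    s.activate(Role("Lecturer", "T-110.4206"))
    print("grade after activation:", s.allowed("grade", "T-110.4206"))
    print("read submissions (inherited):", s.allowed("read", "submissions/T-110.4206"))
```

Activation on demand is what lets one user hold several roles without every session carrying all of their permissions; the static exclusion in `assign` is the RBAC way of expressing the separation-of-duty policies from the previous slides.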
Example: University of Turku has implemented identity management based on RBAC. Source: http://www.come.uw.edu.pl/eunis/pandp/paper/kmiika_RBAC-In-Prodution.doc (link broken)
Still other access control models • Originator-controlled AC (ORCON) • Creator of data retains control over access to it • Attribute-based AC • Access control is based on subject attributes instead of subject identity • AC = attribute verification + authorization • E.g. need to be 18 to buy tobacco; need to be an Aalto student to access course material • Enables anonymous access • Double-blinded review for scientific journals • Many other AC models have been proposed
Reading material • Dieter Gollmann: Computer Security, 2nd ed., chapters 4, 8, 9; 3rd ed. chapters 5–6 • Edward Amoroso: Fundamentals of Computer Security Technology, chapters 6-13 • Ross Anderson: Security Engineering, 2nd ed., chapter 8
Exercises • What are the subjects, objects and actions in Noppa? • Can you think of security mechanisms outside computers which would need MAC but actually implement DAC? • What security labels and MAC policy would be suitable for Noppa? • Give examples of systems that require confidentiality or integrity but not both. • Which AC model and what kind of security labels could be used to describe virtual machine isolation? What label would the hypervisor or VM monitor get? • Could you define different confidentiality labels and integrity labels and then use both Bell-LaPadula and Biba policies in the same system? Give an example. • Define RBAC roles that could be used in the implementation of Noppa. • To what extent can your RBAC policy (above) be implemented with groups?