Three Decades of Access Control Models A Brief Review - PowerPoint PPT Presentation


1
Three Decades of Access Control Models - A Brief
Review
  • Dimitrios Sochos
  • University of the Aegean

2
Access Control Mechanisms for Collaborative Agent
Environments
3
Thesis Objectives
  • Study of Access Control models theory
  • Assessment of today's needs
  • Theoretical contribution to the field
  • Application of the theory to a distributed
    collaborative environment (e.g. Health care)
  • Use of Agents to enforce the Access Control
    policies

4
General Terms
  • Access control constrains what a User can do
    directly, as well as what programs executing on
    his behalf are allowed to do.
  • Activity in the system is initiated by entities
    known as Subjects. Subjects are typically Users
    or Programs executing on their behalf.
  • A User may sign on to the system as different
    Subjects on different occasions.
  • Subjects can themselves be Objects. A Subject can
    create additional Subjects in order to accomplish
    its task.

5
1970-1985 The early years
  • DAC - Discretionary Access Control
  • MAC - Mandatory Access Control
  • HRU - Harrison, Ruzzo and Ullman Model

6
DAC - The Model
  • A Set of Objects (O)
  • A Set of Subjects (S)
  • An Access Matrix (A)
  • Element A[i,j] specifies the access which
    subject i has to object j.
  • ACLs: Storing the matrix by Columns
  • Capabilities: Storing the matrix by Rows

7
DAC - Drawbacks
  • Does not provide real assurance on the flow of
    information in a system.
  • Does not impose any restriction on the usage of
    information by a User once the User has received
    it.
  • Objects are at the whim or fancy of their owners
    to grant access to them for other Users.
  • Information can be copied from one Object to
    another, so access to a copy is possible even if
    the owner of the original does not provide access
    to it.
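
The access matrix, its two storage forms and the copy problem from the drawbacks above, as an added Python example that is not part of the original slides. The subjects, objects and rights are constructed, and `may_learn` is a hypothetical helper name.

```python
# Constructed sample matrix: A[subject][object] -> set of rights.
A = {
    "alice": {"salary.txt": {"own", "read", "write"}},
    "bob":   {"salary.txt": {"read"}, "notes.txt": {"own", "read", "write"}},
    "carol": {"notes.txt": {"read"}},
}

def capabilities(matrix, subject):
    """Row view: everything one subject may do (a capability list)."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}

def acl(matrix, obj):
    """Column view: every subject that holds rights on one object (an ACL)."""
    return {s: set(row[obj]) for s, row in matrix.items() if obj in row}

def may_learn(matrix, source):
    """Subjects that can end up holding the contents of `source` once copying
    is considered: whoever reads a tainted object can write the data into any
    object they may write, and that object becomes tainted in turn."""
    tainted, learners = {source}, set()
    changed = True
    while changed:
        changed = False
        for s, row in matrix.items():
            if not any("read" in row.get(o, ()) for o in tainted):
                continue
            if s not in learners:
                learners.add(s)
                changed = True
            for o, rights in row.items():
                if "write" in rights and o not in tainted:
                    tainted.add(o)
                    changed = True
    return learners, tainted

if __name__ == "__main__":
    print("ACL of salary.txt:", acl(A, "salary.txt"))
    print("carol's capabilities:", capabilities(A, "carol"))
    print("can learn salary.txt:", may_learn(A, "salary.txt"))
```

carol never appears in the ACL of `salary.txt`, yet she is among the subjects that can learn its contents, because bob may read it and may write `notes.txt`.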

8
MAC - The Model
  • Subjects and Objects in a System have a certain
    classification.
  • Read Up - A Subject's integrity level must be
    dominated by the integrity level of the Object
    being read.
  • Write Down - A Subject's integrity level must
    dominate the integrity level of the Object being
    written.
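
The two rules above as a dominance check, in an added Python example that is not part of the original slides. It goes one step beyond the slide by attaching categories to each level, so that labels can be incomparable; the level names, categories and sample labels are constructed.

```python
from dataclasses import dataclass

LEVELS = {"untrusted": 0, "user": 1, "system": 2}  # constructed integrity levels

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

def dominates(a, b):
    """a dominates b: a's level is at least b's and a holds every category of b."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories

def can_read(subject, obj):
    # Read up: the subject's label must be dominated by the object's label.
    return dominates(obj, subject)

def can_write(subject, obj):
    # Write down: the subject's label must dominate the object's label.
    return dominates(subject, obj)

def decide(subject, obj):
    return {"read": can_read(subject, obj), "write": can_write(subject, obj)}

# Constructed subjects and objects.
installer  = Label("system", frozenset({"pkg"}))
user_shell = Label("user")
browser    = Label("untrusted", frozenset({"net"}))
system_lib = Label("system", frozenset({"pkg"}))
download   = Label("untrusted")
user_doc   = Label("user")

if __name__ == "__main__":
    print(decide(user_shell, system_lib))  # may read up, may not write up
    print(decide(user_shell, download))    # may write down, may not read down
    print(decide(browser, user_doc))       # incomparable labels: neither
    print(decide(installer, system_lib))   # equal labels: both
```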

9
MAC - Drawbacks
  • Information flow can pass through covert channels
    in prohibited ways.
  • There is no solution to the inference problem
    where high information is deduced by assembling
    and intelligently combining low information.

10
HRU
  • The protection system consists of:
      • a finite set of generic Rights (R)
      • a finite set of Commands (C)
  • Uses the DAC access matrix
  • Six Primitive Commands:
      • enter R into (S,O)
      • delete R from (S,O)
      • create Subject S
      • create Object O
      • delete Subject S
      • delete Object O

11
1985-1995 Alternative Models
  • Chinese Walls
  • Task Based Authorization
  • Role Based Access Control (RBAC)

12
Chinese Walls
  • Access Control model for the financial segment of
    the commercial sector.
  • Prevention of Information Flows which cause
    Conflicts of Interest (COI).
  • Access Rule: Subject (S) can access Object (O)
    only if
      • O is in the same company Data Set as some
        Object previously read by S.
      • O belongs to a COI class within which S has
        not read any Object.
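
The access rule above with a per-subject read history, as an added Python example that is not part of the original slides; a request is granted when either condition holds. The object names, company Data Sets and COI classes are constructed.

```python
class ChineseWall:
    def __init__(self, objects):
        self.objects = objects  # object -> (company data set, COI class)
        self.history = {}       # subject -> {(company data set, COI class)} read so far

    def can_access(self, subject, obj):
        dataset = self.objects[obj]
        seen = self.history.get(subject, set())
        # Condition 1: same company data set as an object already read.
        if dataset in seen:
            return True
        # Condition 2: nothing read so far in this object's COI class.
        return all(coi != dataset[1] for _, coi in seen)

    def access(self, subject, obj):
        granted = self.can_access(subject, obj)
        if granted:  # a denied request leaves the history untouched
            self.history.setdefault(subject, set()).add(self.objects[obj])
        return granted

# Constructed objects: two competing banks and one oil company.
OBJECTS = {
    "bankA/q1": ("BankA", "banks"),
    "bankA/q2": ("BankA", "banks"),
    "bankB/q1": ("BankB", "banks"),
    "oilX/q1":  ("OilX", "oil"),
}

def replay(requests):
    """Run (subject, object) requests in order and return each decision."""
    wall = ChineseWall(OBJECTS)
    return [wall.access(s, o) for s, o in requests]

if __name__ == "__main__":
    print(replay([
        ("ann", "bankA/q1"),  # first read in COI class "banks"
        ("ann", "oilX/q1"),   # different COI class
        ("ann", "bankB/q1"),  # competitor of BankA: denied
        ("ann", "bankA/q2"),  # same data set as before
        ("bob", "bankB/q1"),  # bob has no history
    ]))
```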

13
Task-Based Authorization
  • Authorizations of Tasks rather than Subjects and
    Objects.
  • Tasks involve other Subtasks.
  • Authorization is transient and models the
    organizational structure.
  • Transaction control example:
      • prepare clerk
      • 3 approve supervisor
      • issue clerk

14
RBAC - The Model
  • Users are members of Roles.
  • Permissions are associated with Roles.
  • Many-to-many User/Role and Role/Permission
    relations.
  • Role Hierarchy
  • Users can change Roles for each Session
  • RBAC is used to manage RBAC.
  • Advantages:
      • Authorization Management
      • Hierarchical Roles
      • Least Privilege
      • Separation of Duties
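
How the role hierarchy, per-session activation and separation of duties interact, as an added Python example that is not part of the original slides. The class, the role and permission names and the exclusion set are constructed, and the separation-of-duties check shown is the static (assignment-time) kind.

```python
class RBAC:
    def __init__(self, role_perms, juniors, ssd):
        self.role_perms = role_perms  # role -> permissions
        self.juniors = juniors        # senior role -> direct junior roles
        self.ssd = ssd                # sets of mutually exclusive roles
        self.user_roles = {}          # user -> assigned roles

    def closure(self, roles):
        """The given roles plus every junior reachable through the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, user, role):
        """Refuse an assignment that would authorize two mutually exclusive roles."""
        proposed = self.closure(self.user_roles.get(user, set()) | {role})
        if any(len(proposed & excl) > 1 for excl in self.ssd):
            return False
        self.user_roles.setdefault(user, set()).add(role)
        return True

    def session_perms(self, user, active):
        """Permissions of one session: only the roles activated in it count."""
        if not set(active) <= self.closure(self.user_roles.get(user, set())):
            raise PermissionError("role not authorized for user")
        perms = set()
        for r in self.closure(active):
            perms |= self.role_perms.get(r, set())
        return perms

def demo():
    # Constructed policy: supervisor is senior to clerk; clerk excludes auditor.
    return RBAC(
        role_perms={"clerk": {"prepare", "issue"}, "supervisor": {"approve"},
                    "auditor": {"read_ledger"}},
        juniors={"supervisor": {"clerk"}},
        ssd=[{"clerk", "auditor"}],
    )

if __name__ == "__main__":
    rbac = demo()
    print(rbac.assign("dana", "supervisor"), rbac.assign("dana", "auditor"))
    print(rbac.session_perms("dana", ["clerk"]))
```

Because a supervisor inherits clerk, the clerk/auditor exclusion also blocks a supervisor from becoming an auditor, and a session that activates only clerk carries none of the supervisor's permissions.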

15
RBAC - NIST Standard
  • Flat RBAC
  • Hierarchical RBAC
      • General Hierarchical RBAC
      • Restricted Hierarchical RBAC
  • Constrained RBAC
  • Symmetric RBAC

16
RBAC - Open Issues
  • How are Roles different from Groups for access
    control purposes?
  • Are negative Permissions useful for RBAC?
  • Should a User be allowed to take on multiple
    Roles in a single Session and if so, how?
  • Should a User be allowed to take on multiple
    simultaneous Sessions?
  • How should Roles be delegated?

17
1995-2003 After RBAC
  • Generalized Temporal RBAC (GTRBAC)
  • Partial Outsourcing
  • The Tees Confidentiality Model

18
GTRBAC
  • Separate notion of Role enabling and Role
    activation.
  • Provides constraints and event expressions for
    enabling and activating a Role.
  • Enabled Role - a User can activate it.
  • Activated Role - at least one Subject has
    activated the Role
  • Constraints:
      • Temporal on Role enabling/disabling
      • Temporal on User-Role and Role-Permission
        assignments
      • Activation
      • Enabling expressions

19
Partial Outsourcing
  • Single Administration, Internal
  • Single Administration, External
  • Paradigm Shift: Partial Outsourcing
  • Decentralized administration of Access Control.
  • Access control to be handled jointly by different
    parties.
  • Policies are motivated by the needs of different
    departments in a company.

20
The Tees Confidentiality Model
  • Permissions assignment to Users irrespective of
    Roles.
  • Override Definitions for Roles and Permissions.
  • Identities, Roles and Collections.
  • Confidentiality Permissions with Inheritance.
  • Identities Collections.

21
Future Considerations
  • Are MAC and DAC still trying to overcome their
    drawbacks?
  • Is RBAC a predominant standard over all others?
  • Can Task-based Authorizations contest with RBAC?
  • Is there going to be a new shift in Access
    Control or just some more RBAC clones?

22
References
  • Lampson B. W. Protection. Proc. 5th Princeton
    Symposium on Information Sciences and Systems,
    pp. 437-443, 1971.
  • Bell D. and LaPadula L. Secure computer
    systems: Unified exposition and Multics
    interpretation. Technical Report ESD-TR-75-306,
    The Mitre Corporation, 1975.
  • Denning D. A lattice model of secure
    information flow. Communications of the ACM,
    19(5):236-243, 1976.
  • Harrison M., Ruzzo W. and Ullman J. Protection
    in Operating Systems. Communications of the ACM,
    19(8):461-471, August 1976.
  • Belding T. The Chinese Wall Security Policy.
    IEEE Symposium on Research in Security and
    Privacy, pp. 206-214, 1989.
  • Sandhu R. Lattice-based Enforcement of Chinese
    Walls. Computers and Security, 11(8):753-763,
    December 1992.
  • Thomas R. and Sandhu R. Task-Based
    Authorization: A Paradigm for Flexible and
    Adaptable Access Control in Distributed
    Applications. Proc. 16th NIST-NCSC National
    Computer Security Conference, pp. 409-415, 1993.
  • Sandhu R. Issues in RBAC. 1st Workshop on
    Role-based Access Control, pp. 21-24, 1995.
  • Sandhu R. et al. Role-based Access Control
    Models. IEEE Computer, 29(2):38-47, February 1996.
  • Sandhu R., Ferraiolo D. and Kuhn R. The NIST
    Model for Role-Based Access Control: Towards a
    Unified Standard. 5th Workshop on Role-based
    Access Control, pp. 47-63, 2001.
  • Joshi J., Bertino E. and Ghafoor A. Temporal
    Hierarchies and Inheritance Semantics for
    GTRBAC. 7th ACM Symposium on Access Control
    Models, pp. 74-83, 2002.
  • Abendroth J. and Jensen C. Partial
    Outsourcing: A New Paradigm for Access Control.
    ACM Symposium on Access Control Models, pp.
    134-141, 2003.
  • Longstaff J., Lockyer M. and Nicholas J. The
    Tees Confidentiality Model: An Authorisation
    Model for Identities and Roles. 8th ACM
    Symposium on Access Control Models, pp. 125-133,
    2003.