Authorization - PowerPoint PPT Presentation

1 / 24

About This Presentation

Title:

Authorization

Description:

Trusted recovery after system down and relevant documentation. ... External consistency: relation of the internal state of a system to the real ... – PowerPoint PPT presentation

Number of Views:68

Avg rating:3.0/5.0

Slides: 25

Provided by: muk1

Learn more at: https://www.cs.odu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Authorization

1
Authorization
2
What is authorization?

Authentication---who are you?
Authorization---what is a user authroized to
access?
Role-based authorization
Policy-based authorization

3
Access control Models

An access control model defines a computer and/or
network system's rules for user access to
information resources Access control models
protect objects, subjects and operations
Object definition includes terminals,
documents, files
(an object is a passive
entity)
Subject definition includes system-users,
programs, etc.
(a subject is an active
entity)
Operation is the way a subject interacts with
an object
There are three Access Control Models
Discretionary Access Control (DAC) is termed
discretionary because user access rights are
defined by the system administrator based on each
user's needs. This type of access control is
usually identity-based.
Mandatory Access Control (MAC) is found in
military and highly sensitive information systems
and networks. Each object and each subject have
security classification tags (labels) which
define clearance levels for specific operations.
An operation is only permitted when a subject and
object have complimentary clearance levels for
the requested operation. The rules-based
middleware required for mandatory access control
is both complex and expensive.
Non-Discretionary Access Control is usually
role-based (RBAC), centrally administered with
authorization decisions based on the roles
individuals have within an organization (e.g.
bank teller, loan officer, etc. in a banking
model). A system's security administrator grants
and/or revokes system privileges based on a
user's role. This model works well for
corporations with a large turnover of personnel.

4
Reference Monitors

Reference monitors are kernels which mediate
accesses to objects by subjects. A kernel may be
hardware or software.
Bell-LaPadula information does not flow to an
object of less classification
Harrison-Ruzzo-Ullman model
Chinese Wall model
Biba no subject may depend on a less trusted
object or subject
Clark-Wilson no subject may depend on a less
trusted object or subject

5
Bell-Lapadula Model

The Bell-Lapadula Model of protection systems
deals with the control of information flow.
It is a linear non-discretionary model.
It consists of
A set of subjects, a set of objects, and an
access control matrix
Several ordered security levels. Each subject has
a clearance and each object has a classification
which attaches it to a security level. Each
subject also has a current clearance level which
does not exceed its clearance level. Thus a
subject can only change to a clearance level
below its assigned clearance level.
The set of access rights given to a subject are
the following
Read-Only The subject can only read the object.
Write The subject can only write to the object
but it cannot read.
Execute The subject can execute the object but
can neither read nor write.
Read-Write The subject has both read and write
permissions to the object.

6
Bell-Lapadula (Cont.)

The following restrictions are imposed by the
model
Read down A subject has only read access to
objects whose security level is below the
subject's current clearance level. This prevents
a subject from getting access to information
available in security levels higher than its
current clearance level.
Write up A subject has write access to objects
whose security level is higher than its current
clearance level. This prevents a subject from
passing information to levels lower than its
current level.

7
Orange Book

Orange book --- DoDs Trusted computer system
evaluation criteria
The DoD security categories range from D (Minimal
Protection) to A (Verified Protection)
D - Minimal Protection Any system that does not
comply to any other category, or has failed to
receive a higher classification. D-level
certification is very rare.
C - Discretionary Protection (applies to Trusted
Computer Bases (TCBs) with optional object (i.e.
file, directory, devices etc.) protection.
B - Mandatory Protection (TCB protection systems
should be mandatory, not discretionary)
A - Verified Protection (highest security
division)

8
C-Discretionary Protection

C1 - Discretionary Security Protection
Discretionary Access Control, for example Access
Control Lists (ACLs), User/Group/World
protection.
Usually for users who are all on the same
security level.
Username and Password protection and secure
authorisations database (ADB).
Protected operating system and system operations
mode.
Periodic integrity checking of TCB.
Tested security mechanisms with no obvious
bypasses.
Documentation for User Security.
Documentation for Systems Administration
Security.
Documentation for Security Testing.
TCB design documentation.
Typically for users on the same security level
C1 certification is rare. Example systems are
earlier versions of Unix, IBM RACF.
C2 - Controlled Access Protection
As C1, plus
Object protection can be on a single-user basis,
e.g. through an ACL or Trustee database.
Authorisation for access may only be assigned by
authorised users.
Object reuse protection (i.e. to avoid
reallocation of secure deleted objects).
Mandatory identification and authorisation
procedures for users, e.g. Username/Password.

9
B - Mandatory Protection

B1 - Labeled Security Protection
As C2 plus
Mandatory security and access labelling of all
objects, e.g. files, processes, devices etc.
Label integrity checking (e.g. maintenance of
sensitivity labels when data is exported).
Auditing of labelled objects.
Mandatory access control for all operations.
Ability to specify security level printed on
human-readable output (e.g. printers).
Ability to specify security level on any
machine-readable output.
Enhanced auditing.
Enhanced protection of Operating System.
Improved documentation.
Example OSes are HP-UX BLS, Cray Research
Trusted Unicos 8.0, Digital SEVMS, Harris CS/SX,
SGI Trusted IRIX.
B2 - Structured Protection
As B1 plus
Notification of security level changes affecting
interactive users.
Hierarchical device labels.
Mandatory access over all objects and devices.
Trusted path communications between user and
system.
Tracking down of covert storage channels.

B3 - Security Domains
As B2 plus
ACLs additionally based on groups and
identifiers.
Trusted path access and authentication.
Automatic security analysis.
TCB models more formal.
Auditing of security auditing events.
Trusted recovery after system down and relevant
documentation.
Zero design flaws in TCB, and minimum
implementation flaws.
The only B3-certified OS is Getronics/Wang
Federal XTS-300.

11
A - Verified Protection

A1 - Verified Protection
As B3 plus
Formal methods and proof of integrity of TCB.
These are the only A1-certified systems Boeing
MLS LAN, Gemini Trusted Network Processor,
Honeywell SCOMP.
A2 and above
Provision is made for security levels higher than
A2, although these have not yet been formally
defined. No OSes are rated above A1.

12
Harrison-Ruzzo-Ullman Model

Bell-LaPadula model does not state policies for
changing access rights or for creation/deletion
of subjects/objects (authorization system).
HRU subjects (S), objects (O), access rights
(R), access matrix (M)
Primitive operations
Enter r into Mso
Delete r from Mso
Create subject s, delete subject s
Create object o, delete object o
Example (s owner f file p another subject) if
s is the owner of f then grant p the read access
to f.
command grant_read(s,p,f)
if o in Msf
then enter r in Mpf
end

13
Chinese Wall model

Proposed by Brewer and Nash
Models access rules in a consultancy business
where conflicts of interest when dealing with
different competing clients.
Rule There must not be no information flow that
causes a conflict of interest
We need to add the following to Bell-LaPadula
model to incorporate this rule
Companies ( C), Objects (O), Subjects/Analysts
(S) y O ? C maps objects to companies conflict
of interest group for each object x O ? P(C)
security label of an object (x(o), y(o))
sanitized object has x(o)

Conflicts of interest may also arise due to past
accesses Nsotrue if s had access to o in the
past.
Simple security (ss-property) A subject s will
be permitted to access an object o only if for
all objects othat he has already accessed,
y(o)y(o) (i.e., company they belong is the
same) or y(o) is not in x(o)
-property (to control write access) A subject s
is granted write access to an object o, only if s
has no read access to an object o that belongs
to another company and contains unsanitized
information (x(o) )

15
Biba Model

Extends BLP
L Lattice of integrity levels fs S?L fo O?L
To prevent corruption of clean high-level
entities by dirty low level enties information
only flows downwards
No single high-level policies multiple (a
lattice)

16
(No Transcript)
17

ss-property if subject s can modify (alter)
object o, then fs(s) fo(o) (No write-up)
Integrity -property if subject s can read
(observe) object o, then s can have write access
to some other object p only if fo(p) fo(o)
(i.e., if s can read an object, then s can write
only objects with security level greater than or
equal to the read object)
These two polices prevent clean subjects and
objects from being contaminated by dirty
information.

The following integrity properties automatically
adjust the integrity level of an entity if it has
come into contact with low-level information
(Chinese Wall model)
Subject low watermark property s can read an
object o at any integrity level. The new
integrity level of the subject is
inf(fs(s),fo(o)) greatest lower bound of fs(s)
and fo(o)
Object low watermark property subject s can
modify an object o at any integrity level. The
new integrity level of the object is
inf(fs(s),fo(o))

A subject can invoke another subject, e.g., a
software tool, to access an object.
Invoke property subject s1 can invoke subject s
only if fs(s2) fs(s1)

20
Clark-Wilson Model

Address the security requirements of commercial
applications---data integrity---unauthorized
modification of data, fraud, concurrency control,
and errors
Internal consistency properties of the internal
state of a system and can be enforced by the
computing system
External consistency relation of the internal
state of a system to the real world and has to be
enforced by means outside the computing system,
e.g., by auditing

Mechanisms for enforcing integrity
Well-formed transactions data items can be
manipulated only by a specific set of programs
users have access to programs rather than to data
items
Separation of duties users have to collaborate
to manipulate data and to collude to penetrate
the security system (different persons develop,
test, certify, and operate a system. During
operation different persons have to collaborate
to enable a transaction)

Programs are intermediate control layer between
subjects and objects (data items)
Subjects are authorized to execute certain
programs
Programs can access certain data objects
Integrity---being authorized to apply a program
to a data item that may be accessed through this
program
Subjects have to be identified and authenticated
objects can be manipulated only by a restricted
set of programs subjects can only execute a
restricted set of programs proper audit log has
to be kept system has to be certified