Title: Access Control
1 Access Control

2-3 Access Control Example
- Access Control Policy for son Edward
  - Allowed access
    - House
  - Disallowed access
    - Automobile

4 Access Control Example
- Access Control Policy (as above)
  - Allowed access
    - House
  - Disallowed access
    - Automobile
- Problem! Unauthorized access: the car key is kept in the house, so the policy as written lets Edward reach the automobile through an object he is allowed to access.

5-6 Access Control Example
- Correct Access Control Policy for son Edward
  - Allowed access
    - House
    - Kitchen
  - Disallowed access
    - Automobile
    - Car key
7 Access Control
- Protection objects: system resources for which protection is desirable
  - Memory, file, directory, hardware resource, software resources, etc.
- Subjects: active entities requesting accesses to resources
  - User, owner, program, etc.
- Access mode: type of access
  - Read, write, execute
8 Access Control Requirement
- Cannot be bypassed
- Enforce least-privilege and need-to-know restrictions
- Enforce organizational policy
9 Access Control
- Access control ensures that all direct accesses to objects are authorized
- Protects against accidental and malicious threats by regulating the reading, writing and execution of data and programs
- Need
  - Proper user identification and authentication
  - Information specifying the access rights is protected from modification
10 Access Control
- Access control components
  - Access control policy: specifies the authorized accesses of a system
  - Access control mechanism: implements and enforces the policy
- Separation of components allows us to
  - Define access requirements independently from implementation
  - Compare different policies
  - Implement mechanisms that can enforce a wide range of policies
11 Closed vs. Open Systems
(flowchart, rebuilt as text)

Closed system (minimum privilege): the rules list the allowed accesses
- Access request -> Does an authorizing rule exist?
  - yes: Access permitted
  - no: Access denied

Open system (maximum privilege): the rules list the disallowed accesses
- Access request -> Does a denying rule exist?
  - yes: Access denied
  - no: Access permitted
12 Authorization Management
- Who can grant and revoke access rights?
- Centralized administration: security officer
- Decentralized administration: locally autonomous systems
- Hierarchical decentralization: security officer > departmental system administrator > Windows NT administrator
- Ownership based: the owner of data may grant access to others to his/her data (possibly with grant option)
- Cooperative authorization: predefined groups of users or a predefined number of users may access data
13 Access Control Models
(figure: the space of all accesses, with the three models Discretionary AC, Mandatory AC and Role-Based AC drawn over it)
14 Discretionary Access Control
- Access control is based on
  - User's identity and
  - Access control rules
- Most common administration: owner based
  - Users can protect what they own
  - Owner may grant access to others
  - Owner may define the type of access given to others
15 Access Matrix Model
(figure: the access matrix, with subjects Joe and Sam as rows and objects File 1 and File 2 as columns)

16 Implementation
Access matrix:

          File 1              File 2
  Joe     Read, Write, Own    Read
  Sam     -                   Read, Write, Own

Access Control List (ACL; one column of the matrix per object):
  File 1: Joe/Read, Joe/Write, Joe/Own
  File 2: Joe/Read, Sam/Read, Sam/Write, Sam/Own

Capability List (one row of the matrix per subject):
  Joe: File 1/Read, File 1/Write, File 1/Own, File 2/Read
  Sam: File 2/Read, File 2/Write, File 2/Own

Access Control Triples (Subject, Access, Object):
  Joe Read File 1
  Joe Write File 1
  Joe Own File 1
  Joe Read File 2
  Sam Read File 2
  Sam Write File 2
  Sam Own File 2
17 ACL vs. Capabilities
- ACL
  - Per object based
  - Good for file systems
- Capabilities
  - Per subject based
  - Good for environments with dynamic, short-lived subjects
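The matrix of slide 16 in its three representations, checked under the closed- and open-system rules of slide 11, with the revocation cost difference of slide 17 made visible. This is an added example, not code from the slides; the matrix content is the slides' own, while the DENIALS set (the open-system rule list) and the revoke_subject helper are assumptions made here.

```python
"""Joe/Sam access matrix in its three equivalent representations, closed-
vs. open-system checks, and the cost of revoking all of a subject's rights
under ACLs vs. capabilities.  Added example; the open-system DENIALS rule
set is an assumption, not something on the slides."""
from collections import defaultdict

# Access matrix: subject -> object -> set of access modes (rows = subjects).
MATRIX = {
    "Joe": {"File 1": {"Read", "Write", "Own"}, "File 2": {"Read"}},
    "Sam": {"File 2": {"Read", "Write", "Own"}},
}


def acls(matrix):
    """Columns of the matrix: object -> subject -> modes (one ACL per object)."""
    out = defaultdict(dict)
    for subject, objects in matrix.items():
        for obj, modes in objects.items():
            out[obj][subject] = set(modes)
    return dict(out)


def capabilities(matrix):
    """Rows of the matrix: subject -> set of (object, mode) capabilities."""
    return {subject: {(obj, mode) for obj, modes in objects.items() for mode in modes}
            for subject, objects in matrix.items()}


def triples(matrix):
    """The matrix flattened into sorted (subject, access, object) triples."""
    return sorted((subject, mode, obj)
                  for subject, objects in matrix.items()
                  for obj, modes in objects.items()
                  for mode in modes)


def check_closed(matrix, subject, mode, obj):
    """Closed system: permitted only if an authorizing rule exists."""
    return mode in matrix.get(subject, {}).get(obj, set())


# Open system: the rules list what is disallowed; everything else is permitted.
# Assumed denial rule for this example: Sam may not write File 1.
DENIALS = {("Sam", "Write", "File 1")}


def check_open(denials, subject, mode, obj):
    """Open system: permitted unless a denying rule exists."""
    return (subject, mode, obj) not in denials


def revoke_subject(acl_table, cap_table, subject):
    """Remove every right of one subject (e.g. a user leaving).  With
    capabilities this is a single row delete; with ACLs every object's list
    has to be scanned.  Returns how many ACL entries were visited so the cost
    difference is visible."""
    cap_table.pop(subject, None)
    visited = 0
    for entries in acl_table.values():
        visited += len(entries)
        entries.pop(subject, None)
    return visited


if __name__ == "__main__":
    print(acls(MATRIX))
    print(capabilities(MATRIX))
    for t in triples(MATRIX):
        print(*t)
    # Same request, opposite answers: no rule mentions Sam reading File 1.
    print(check_closed(MATRIX, "Sam", "Read", "File 1"),
          check_open(DENIALS, "Sam", "Read", "File 1"))
```

The last print is the point of slide 11: an access nobody wrote a rule for is denied in the closed system and permitted in the open one, which is why the closed system is the minimum-privilege choice.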
18 Access Control Conditions
- Data-dependent conditions: access constraints based on the value of the accessed data
- Time-dependent: access constraints based on the time of the data access
- Context-dependent: access constraints based on which combinations of data may be accessed together
- History-dependent: access constraints based on previously accessed data
19 Access Control Mechanisms
- Security through Views
- Stored Procedures
- Grant and Revoke
- Query modification
20 Security Through Views
- Assign rights to access predefined views

  CREATE VIEW Outstanding-Student
  AS SELECT NAME, COURSE, GRADE
  FROM Student
  WHERE GRADE > B

- Problem
  - Difficult to maintain updates.
21 Security Through Views
(figure: the Student relation)

22 Security Through Views
  CREATE VIEW Outstanding-Student AS SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE > B
(figure: the resulting Outstanding-Student view)

23 Security Through Views
  CREATE VIEW Fall-Student AS SELECT NAME, COURSE FROM Student WHERE SEMESTER = 'Fall 2000'
(figure: the resulting Fall-Student view)
24 Stored Procedures
- Assign rights to execute compiled programs

  GRANT RUN ON <program> TO <user>

- Problem
  - Programs may access resources for which the user who runs the program does not have permission.
25 Grant and Revoke
- GRANT <privilege> ON <relation>
  TO <user>
  WITH GRANT OPTION (optional)

  GRANT SELECT ON Student TO Matthews
  GRANT SELECT, UPDATE(GRADE) ON Student TO FARKAS
  GRANT SELECT(NAME) ON Student TO Brown

- The GRANT command applies to base relations as well as views

26 Grant and Revoke
- REVOKE <privileges> ON <relation>
  FROM <user>

  REVOKE SELECT ON Student FROM Blue
  REVOKE UPDATE ON Student FROM Black
  REVOKE SELECT(NAME) ON Student FROM Brown
27 Non-cascading Revoke
(figure: grant graph with A at the root, grantees B, C, D, and D's grantees E and F)
A revokes D's privileges: D loses access, but the privileges D had passed on to E and F stay in place.

28 Cascading Revoke
(figure: the same grant graph after the revoke; only A, B and C remain)
A revokes D's privileges: the privileges D had passed on to E and F are revoked along with D's.
29 Positive and Negative Authorization
- Problem
  - Contradictory authorizations

    GRANT <privilege> ON X TO <user>
    DENY <privilege> ON X TO <user>

30 Negative Authorization
(figure: grant graph with a DENY placed on D)
The positive authorization granted by A to D becomes blocked but NOT deleted.

31 Negative Authorization
(figure: the same graph, including D's grant to F)
What should happen with the privilege given by D to F? (Blocked but not deleted)
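The grant graph of slides 27-31 as a small bookkeeping model for one privilege on one relation. This is an added example, not code from the slides: it assumes A owns the relation and granted B, C and D directly (D with the grant option), that D granted E and F, and it encodes one reasonable answer to slide 31's question (a DENY on D also blocks, without deleting, what D passed on to F).

```python
"""Grant/revoke bookkeeping for one privilege on one relation, following
the slides' figures: owner A grants B, C and D (D WITH GRANT OPTION), D
grants E and F.  Added example, not from the slides.  Shows non-cascading
revoke (E and F keep what D gave them), cascading revoke (D's own grants are
undone too), and a DENY that blocks a positive authorization without
deleting it, including the grants made downstream of the denied user."""


class Authorizations:
    def __init__(self, owner):
        self.owner = owner
        self.grants = set()   # (grantor, grantee, with_grant_option)
        self.denied = set()   # users carrying a negative authorization

    def holds(self, user, with_grant_option=False):
        """A user holds the privilege if they own the relation or some grant
        to them still exists.  A grant left behind by a revoked grantor still
        counts, which is exactly the non-cascading case."""
        if user == self.owner:
            return True
        return any(ge == user and (wgo or not with_grant_option)
                   for _, ge, wgo in self.grants)

    def grant(self, grantor, grantee, with_grant_option=False):
        if not self.holds(grantor, with_grant_option=True):
            raise PermissionError(f"{grantor} cannot grant this privilege")
        self.grants.add((grantor, grantee, with_grant_option))

    def revoke(self, revoker, grantee, cascade=True):
        """Remove revoker's grants to grantee.  With cascade, also undo every
        grant the grantee made if it can no longer pass the privilege on."""
        self.grants = {g for g in self.grants
                       if not (g[0] == revoker and g[1] == grantee)}
        if cascade and not self.holds(grantee, with_grant_option=True):
            for gr, ge, _ in list(self.grants):
                if gr == grantee:
                    self.revoke(grantee, ge, cascade=True)

    def deny(self, user):
        self.denied.add(user)

    def undeny(self, user):
        self.denied.discard(user)

    def _blocked(self, user, _seen=frozenset()):
        """A DENY blocks the user directly, and transitively blocks a user
        whose every supporting grant comes from a blocked grantor (slide 31's
        D -> F).  _seen guards against grant cycles."""
        if user in self.denied:
            return True
        grantors = {gr for gr, ge, _ in self.grants
                    if ge == user and gr not in _seen}
        return bool(grantors) and all(self._blocked(gr, _seen | {user})
                                      for gr in grantors)

    def allowed(self, user):
        """Effective access: a held privilege that is not blocked."""
        return self.holds(user) and not self._blocked(user)


def scenario(cascade):
    """Build the slides' grant graph, let A revoke D, report who may access."""
    auth = Authorizations("A")
    auth.grant("A", "B")
    auth.grant("A", "C")
    auth.grant("A", "D", with_grant_option=True)
    auth.grant("D", "E")
    auth.grant("D", "F")
    auth.revoke("A", "D", cascade=cascade)
    return {u: auth.allowed(u) for u in "ABCDEF"}


def deny_scenario():
    """Deny D; F's privilege (granted by D) is blocked, is still held, and
    comes back when the DENY is lifted, i.e. it was never deleted."""
    auth = Authorizations("A")
    auth.grant("A", "D", with_grant_option=True)
    auth.grant("D", "F")
    auth.deny("D")
    while_denied = (auth.allowed("D"), auth.allowed("F"), auth.holds("F"))
    auth.undeny("D")
    return while_denied, auth.allowed("F")


if __name__ == "__main__":
    print("non-cascading:", scenario(cascade=False))
    print("cascading:    ", scenario(cascade=True))
    print("deny D:       ", deny_scenario())
```

Real systems differ on the details (SQL's cascading revoke, for example, keeps a grant as long as some other grant-option path still supports it, which holds() above models only for direct grants), but the three behaviours the slides contrast are all visible in the output.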
32 Query Modification
- GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE = 'CSCE 590'
- Blue's query

    SELECT *
    FROM Student

- Modified query

    SELECT NAME
    FROM Student
    WHERE COURSE = 'CSCE 590'
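Slides 20-23 and 32 run against an in-memory SQLite database. This is an added example, not code from the slides. The Student rows are constructed sample data; GRADE is stored as grade points (A = 4.0, B = 3.0, ...) so that the slides' "GRADE > B" becomes GRADE > 3.0; and because SQLite has no GRANT statement, the per-user rule behind Blue's query modification is held in a Python dict (RULES), an assumption of this example.

```python
"""Security through views and query modification on SQLite.  Added example,
not from the slides.  Sample rows are constructed; grade points stand in
for letter grades; the RULES dict stands in for a GRANT ... WHERE."""
import sqlite3

STUDENT_ROWS = [  # constructed sample rows: NAME, COURSE, GRADE, SEMESTER
    ("Alice", "CSCE 590", 4.0, "Fall 2000"),
    ("Bob", "CSCE 590", 3.0, "Fall 2000"),
    ("Carol", "CSCE 580", 4.0, "Spring 2001"),
    ("Dave", "CSCE 580", 2.0, "Fall 2000"),
]

# The only views a restricted user may be granted SELECT on (slides 22, 23).
VIEWS = {
    "Outstanding-Student":
        'CREATE VIEW "Outstanding-Student" AS '
        "SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE > 3.0",
    "Fall-Student":
        'CREATE VIEW "Fall-Student" AS '
        "SELECT NAME, COURSE FROM Student WHERE SEMESTER = 'Fall 2000'",
}


def setup():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Student "
                "(NAME TEXT, COURSE TEXT, GRADE REAL, SEMESTER TEXT)")
    con.executemany("INSERT INTO Student VALUES (?, ?, ?, ?)", STUDENT_ROWS)
    for ddl in VIEWS.values():
        con.execute(ddl)
    return con


def query_view(con, view):
    """Read through a predefined view.  The name is checked against the
    fixed set before it is spliced into SQL, so a caller cannot name the
    base table (or inject anything else) here."""
    if view not in VIEWS:
        raise PermissionError(f"no access through view {view!r}")
    return sorted(con.execute(f'SELECT * FROM "{view}"').fetchall())


# GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE = 'CSCE 590', as a rule.
RULES = {"Blue": {"columns": ("NAME",), "predicate": "COURSE = 'CSCE 590'"}}


def modify_query(user, columns=("*",), user_where=None):
    """Query modification: rewrite the user's SELECT on Student so it touches
    only the granted columns and rows.  Columns outside the grant are refused
    rather than silently dropped.  user_where stands for the predicate of the
    user's already-parsed query; the system ANDs its own predicate onto it."""
    rule = RULES.get(user)
    if rule is None:
        raise PermissionError(f"{user} has no SELECT privilege on Student")
    if tuple(columns) == ("*",):
        columns = rule["columns"]            # SELECT * becomes SELECT NAME
    elif not set(columns) <= set(rule["columns"]):
        extra = sorted(set(columns) - set(rule["columns"]))
        raise PermissionError(f"{user} may not select {extra}")
    predicate = rule["predicate"]
    if user_where:
        predicate = f"({user_where}) AND ({predicate})"
    return f"SELECT {', '.join(columns)} FROM Student WHERE {predicate}"


def run_as(con, user, columns=("*",), user_where=None):
    """Execute the user's query after modification; rows sorted for display."""
    return sorted(con.execute(modify_query(user, columns, user_where)).fetchall())


if __name__ == "__main__":
    con = setup()
    print(query_view(con, "Outstanding-Student"))
    print(query_view(con, "Fall-Student"))
    print(modify_query("Blue"))
    print(run_as(con, "Blue"))
```

The two mechanisms enforce the same kind of row/column restriction, but the view is a fixed object the user is granted, while query modification rewrites each query at run time from the user's grant; a request for a column the grant does not cover is refused outright instead of producing a misleading partial answer.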
33 Current Research
- Make cascading optional
- Permit negative authorization
- Flexible policies for resolving conflicts
- Extend to groups and views
34 DAC and Trojan Horse
(figure: Brown owns the file Employee with ACL "Brown: read, write"; Black owns the file Black's Employee with ACL "Black, Brown: read, write")

35 DAC and Trojan Horse
(figure: the same two files; Brown edits Employee using a shared Word Processor program)
Brown uses the shared program. Every access the program makes is checked with Brown's rights, so a Trojan horse inside it can read Employee and write the contents into Black's Employee, which Black can read although Black was never granted access to Employee.
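The slide 34-35 scenario as a small simulation. This is an added example, not code from the slides: the file system and its ACLs are plain Python objects, the word processor is a constructed shared program (assumed here to have been supplied by Black) whose hidden copy step is the Trojan horse, and the file contents are made up.

```python
"""The DAC Trojan-horse scenario of the slides as a simulation.  Added
example, not from the slides.  Every access goes through the ACL check as
the invoking user, which is precisely why the leak succeeds."""


class FileSystem:
    def __init__(self):
        self.content = {}   # file name -> text
        self.acl = {}       # file name -> {user: set of modes}

    def create(self, name, text, acl):
        self.content[name] = text
        self.acl[name] = {user: set(modes) for user, modes in acl.items()}

    def _check(self, user, name, mode):
        # The DAC reference monitor: the object's ACL is checked against the
        # identity of the user who invoked the program, not the program's author.
        if mode not in self.acl.get(name, {}).get(user, set()):
            raise PermissionError(f"{user} may not {mode} {name}")

    def read(self, user, name):
        self._check(user, name, "read")
        return self.content[name]

    def write(self, user, name, text):
        self._check(user, name, "write")
        self.content[name] = text


def word_processor(fs, user, document, text_to_append):
    """Shared program (assumed supplied by Black).  It does the job the user
    expects, then quietly copies the document into a file its author can
    read.  Both writes pass the ACL check because they are made as the
    invoking user."""
    text = fs.read(user, document) + text_to_append
    fs.write(user, document, text)
    try:
        fs.write(user, "Black's Employee", text)     # the Trojan horse step
    except PermissionError:
        pass   # victim cannot write there: the copy silently fails
    return text


def scenario():
    """Returns (could Black read Employee directly?, what Black ends up with)."""
    fs = FileSystem()
    fs.create("Employee", "salary data", {"Brown": {"read", "write"}})
    fs.create("Black's Employee", "", {"Black": {"read", "write"},
                                      "Brown": {"read", "write"}})
    try:
        fs.read("Black", "Employee")
        direct_read = True
    except PermissionError:
        direct_read = False          # DAC does its job for a direct access
    word_processor(fs, "Brown", "Employee", " (edited by Brown)")
    return direct_read, fs.read("Black", "Black's Employee")


def scenario_without_write_right():
    """Same run, but Brown was never given write access to Black's file: the
    hidden copy fails and nothing leaks.  The shared write entry on Black's
    Employee is what the Trojan horse depends on."""
    fs = FileSystem()
    fs.create("Employee", "salary data", {"Brown": {"read", "write"}})
    fs.create("Black's Employee", "", {"Black": {"read", "write"}})
    word_processor(fs, "Brown", "Employee", " (edited by Brown)")
    return fs.read("Black", "Black's Employee")


if __name__ == "__main__":
    print(scenario())                       # (False, 'salary data (edited by Brown)')
    print(repr(scenario_without_write_right()))
```

Note that the reference monitor never makes a wrong decision: each individual access is authorized by the ACLs exactly as Brown set them. The flaw is in the model, which has no way to express that data read from Employee must not flow into a file Black can read; that is the "inherent vulnerability" of DAC.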
36 DAC Overview
- Advantages
  - Intuitive
  - Easy to implement
- Disadvantages
  - Inherent vulnerability (see the Trojan horse example)
  - Maintenance of ACLs or capability lists
  - Maintenance of Grant/Revoke
  - Limited power of negative authorization