8.2 Discretionary Access Control Models - PowerPoint PPT Presentation

1
8.2 Discretionary Access Control Models
  • Shuman Guo
  • CSc8320

2
Outline
  • Discretionary Access Control Model
  • Access Control Matrix (ACM)
  • Distributed Compartments
  • Implementations of ACM
  • Comparison of ACL and CL
  • References

3
Discretionary Access Control
  • Discretionary security models provide access
    control on an individual basis.
  • Access control is based on the user's identity
    and on access control rules.
  • The most common administration model is
    owner-based:
  • Users can protect what they own
  • The owner may grant access to others
  • The owner may define the type of access given
    to others

Source Randy, 97
4
Access Control matrix
  • Access Control Matrix model is perhaps the most
    fundamental and widely used discretionary access
    control model for enforcing simple security
    policies.
  • Resource and process protection can use separate
    access control matrices.

5
Access Control Matrix
Source Randy, 97
6
Access Control Matrix
  • Reducing the size of the access control matrix
  • Subject rows in the ACM that have identical
    entries (i.e. subjects that hold the same access
    rights on the same objects) can be merged into
    groups.
  • If a user belongs to more than one group, its
    access rights are the union of the access rights
    of all the groups it belongs to.
  • Similarly, object columns with identical entries
    can be merged into categories.

Source Randy, 97
7
Distributed Compartment
  • A distributed application with collaborating
    processes may consist of subjects (users) and
    objects (resources) that cross machine boundaries.
  • Here a logical ACM, called a distributed
    compartment, that regulates access among the
    collaborating users serves the purpose better.
  • Access to the compartment is through distributed
    handles. These handles are application oriented:
    they provide a protective wall around an
    application and are authenticated by the
    application.

Source Randy, 97
8
A Distributed Compartment Model
Source Randy, 97
9
Distributed Compartment
  • The distributed compartment model has a number of
    advantages:
  • The grouping of subjects and objects is logical
    and application specific.
  • The accesses are more transparent, since they do
    not depend on the operating systems and
    administrative units.
  • Since the application manages the distributed
    handles, different security policies can be
    implemented.

Source Randy, 97
10
Implementations OF ACM
  • For efficiency and organizational purposes,
    access control matrices need to be partitioned.
  • The linked-list structure that contains all
    entries in a column for a particular object is
    called an Access Control List (ACL) for the
    object.
  • An ACL specifies the permissible rights that
    various subjects have on the object.
  • Likewise, the list of all entries in a row for a
    subject is called a Capability List (CL) for the
    subject.
  • A CL specifies the privileges a subject holds on
    various objects.

Source Randy, 97
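To make slides 6 and 10 concrete, here is an added example (not code from the slides or from Chow and Johnson): an access control matrix kept as a dict-of-dicts, the row merging into groups with the union rule for multi-group subjects, the symmetric column merging into categories, and the two projections that give an object's ACL and a subject's CL. The subjects, objects, groups and rights are constructed sample data.

```python
from typing import Dict, Set, Tuple

Rights = Set[str]
Matrix = Dict[str, Dict[str, Rights]]  # matrix[subject][object] = set of rights

# Constructed sample data (not from the slides): the reduced form of an ACM,
# i.e. one row per group plus a group membership table.
GROUPS: Matrix = {
    "payroll_admins": {"payroll.db": {"read", "write"}, "payroll.log": {"read", "write"}},
    "staff":          {"report.txt": {"read"}},
    "printer_users":  {"printer": {"use"}},
}
MEMBERS: Dict[str, Set[str]] = {
    "alice": {"payroll_admins", "staff"},
    "bob":   {"payroll_admins", "staff"},
    "carol": {"staff"},
    "dave":  {"staff", "printer_users"},
}


def effective_rights(subject: str, obj: str,
                     groups: Matrix = GROUPS,
                     members: Dict[str, Set[str]] = MEMBERS) -> Rights:
    """A subject in several groups gets the union of the groups' rights on obj."""
    rights: Rights = set()
    for g in members.get(subject, ()):
        rights |= groups.get(g, {}).get(obj, set())
    return rights


def allowed(subject: str, obj: str, right: str) -> bool:
    """The reference-monitor check against the reduced matrix."""
    return right in effective_rights(subject, obj)


def expand(groups: Matrix = GROUPS,
           members: Dict[str, Set[str]] = MEMBERS) -> Matrix:
    """Expand the group rows back into a full per-subject ACM (empty cells omitted)."""
    objects = {o for row in groups.values() for o in row}
    full: Matrix = {}
    for s in members:
        row = {o: effective_rights(s, o, groups, members) for o in objects}
        full[s] = {o: r for o, r in row.items() if r}
    return full


def transpose(m: Matrix) -> Matrix:
    """Swap subjects and objects, so column operations can reuse the row code."""
    t: Matrix = {}
    for s, row in m.items():
        for o, r in row.items():
            t.setdefault(o, {})[s] = set(r)
    return t


def acl(m: Matrix, obj: str) -> Dict[str, Rights]:
    """One column of the matrix: the access control list of obj."""
    return {s: set(row[obj]) for s, row in m.items() if row.get(obj)}


def cl(m: Matrix, subject: str) -> Dict[str, Rights]:
    """One row of the matrix: the capability list of subject."""
    return {o: set(r) for o, r in m.get(subject, {}).items() if r}


def merge_identical_rows(m: Matrix) -> Tuple[Matrix, Dict[str, str]]:
    """Merge subjects whose rows are identical into groups.
    Returns (row_of_group, group_of_subject). Applied to transpose(m) it
    merges identical object columns into categories instead."""
    key_to_group: Dict[frozenset, str] = {}
    rows: Matrix = {}
    membership: Dict[str, str] = {}
    for s, row in m.items():
        key = frozenset((o, frozenset(r)) for o, r in row.items() if r)
        if key not in key_to_group:
            gid = f"g{len(rows)}"
            key_to_group[key] = gid
            rows[gid] = {o: set(r) for o, r in row.items() if r}
        membership[s] = key_to_group[key]
    return rows, membership
```

Running `merge_identical_rows(expand())` collapses alice and bob, whose expanded rows are identical, into one group, and `merge_identical_rows(transpose(expand()))` collapses the payroll.db and payroll.log columns into one category; `acl(expand(), "payroll.db")` and `cl(expand(), "dave")` are the column and row views that an ACL server and a capability server would each store.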
11
Comparison of ACL and CL
  • Comparison in terms of management functions
  • Authentication
  • Reviewing of Access Rights
  • Propagation of Access Rights
  • Revocation of Access Rights
  • Conversion between ACL and CL

Source Randy, 97
12
Authentication
  • In an ACL system it is the subject that is
    authenticated, and the system performs the
    authentication.
  • In a CL system it is the capability presented
    for an object that is authenticated, by the
    object server.
  • Objects know the capabilities but do not know the
    users or processes. This is one of the reasons
    why many distributed implementations favor the
    CL approach.

Source Randy, 97
13
Review Of Access Rights
  • Reviewing means finding out which subjects are
    authorized to use a certain object.
  • An ACL is easy to review, because the ACL
    contains exactly this information. For storage
    efficiency, subject grouping, wildcards and
    prohibitive (negative) rights can also be used.
  • A CL system is difficult to review unless some
    type of activity log is kept of all subjects that
    have been given the capability.

Source Randy, 97
14
Propagation Of Access Rights
  • Access rights must be replicable to facilitate
    sharing.
  • Propagation is the duplication of some or all
    privileges from one subject to others.
  • Propagation is not a transfer of rights, only a
    duplication: the granting subject keeps its own.
  • In an ACL system, propagation of rights is
    explicitly initiated by a request to the object
    server, which modifies or adds an entry in its
    ACL.

Source Randy, 97
15
Propagation Of Access Rights
  • Propagation of rights must adhere to the
    principle of least privilege,
  • i.e. only the minimum privileges required to
    perform the task are given when propagating
    rights.
  • In a CL system it is theoretically possible to
    propagate rights between subjects (by copying
    the capability) without the intervention of the
    object server.
  • This could result in an uncontrollable system and
    hence is avoided.

Source Randy, 97
16
Revocation Of Access Rights
  • Revocation is trivial in an ACL system because it
    is easy to delete a subject's entry from the ACL.
  • It is difficult for a CL system to revoke access
    selectively: copies of a capability may have been
    propagated to subjects the object server does not
    know about.

Source Randy, 97
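The points made on slides 12 to 16 (the object server authenticates the capability rather than the user, propagation is a copy that needs no server involvement, review needs a log, and selective revocation is hard) can all be seen in one small capability server. The following is an added example, not code from the slides or from Chow and Johnson; it assumes capabilities are (object, rights, serial) triples authenticated with an HMAC under a per-object key, which is one common way to build unforgeable capabilities and not the only one. All names and the sample object are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Set, Tuple


class ObjectServer:
    """Capability-based object server. It holds a signing key per object and a
    log of what it has minted, but no table of users: it authenticates the
    capability that is presented, not the caller."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}                    # object -> current key
        self._serial = 0
        self._issued: Dict[int, Tuple[str, Set[str]]] = {}  # serial -> (object, rights)
        self._revoked: Set[int] = set()

    def create_object(self, obj: str) -> None:
        self._keys[obj] = secrets.token_bytes(32)

    def _mac(self, obj: str, body: bytes) -> str:
        return hmac.new(self._keys[obj], body, hashlib.sha256).hexdigest()

    def grant(self, obj: str, rights: Set[str]) -> str:
        """Mint a capability: a signed (object, rights, serial) triple. The
        serial number is the 'activity log' that later makes review and
        selective revocation possible."""
        self._serial += 1
        body = json.dumps({"obj": obj, "rights": sorted(rights),
                           "serial": self._serial}, sort_keys=True).encode()
        self._issued[self._serial] = (obj, set(rights))
        return body.hex() + "." + self._mac(obj, body)

    @staticmethod
    def serial_of(token: str) -> int:
        return json.loads(bytes.fromhex(token.split(".", 1)[0]))["serial"]

    def access(self, token: str, obj: str, right: str) -> bool:
        """Check a request. Whoever presents a valid token is granted access."""
        try:
            body_hex, tag = token.split(".", 1)
            body = bytes.fromhex(body_hex)
            payload = json.loads(body)
        except ValueError:                       # malformed token
            return False
        if not isinstance(payload, dict) or payload.get("obj") != obj or obj not in self._keys:
            return False
        if not hmac.compare_digest(self._mac(obj, body).encode(), tag.encode()):
            return False                         # forged, tampered, or minted under a rotated key
        if payload["serial"] in self._revoked:
            return False                         # selectively revoked through the log
        return right in payload["rights"]

    def revoke_serial(self, serial: int) -> None:
        """Selective revocation: needs the issuance log, not a list of users."""
        self._revoked.add(serial)

    def revoke_all(self, obj: str) -> None:
        """Key rotation: kills every outstanding capability for obj, copies included."""
        self._keys[obj] = secrets.token_bytes(32)
        self._revoked |= {s for s, (o, _) in self._issued.items() if o == obj}

    def outstanding_serials(self, obj: str) -> List[int]:
        """Review: the log says what was issued, not who holds copies now."""
        return [s for s, (o, _) in self._issued.items()
                if o == obj and s not in self._revoked]


def demo() -> Dict[str, bool]:
    """Walk through propagation by copying, forgery, and the two revocation options."""
    srv = ObjectServer()
    srv.create_object("payroll.db")
    alice_cap = srv.grant("payroll.db", {"read", "write"})
    bob_cap = alice_cap                          # propagation without the object server: a copy
    forged = alice_cap[:-1] + ("0" if alice_cap[-1] != "0" else "1")   # one tag nibble changed
    results = {
        "bob_via_copy": srv.access(bob_cap, "payroll.db", "write"),
        "forged": srv.access(forged, "payroll.db", "read"),
    }
    srv.revoke_all("payroll.db")                 # rotate the key: alice's and bob's copies die together
    results["after_rotation"] = srv.access(alice_cap, "payroll.db", "read")
    carol_cap = srv.grant("payroll.db", {"read"})
    srv.revoke_serial(ObjectServer.serial_of(carol_cap))
    results["after_serial_revoke"] = srv.access(carol_cap, "payroll.db", "read")
    return results
```

The server never learns that bob exists: his copy of alice's token is honoured because the MAC checks, which is exactly the uncontrolled propagation the slides warn about. Revocation is only selective because every grant was logged with a serial number; without that log the only tool left is rotating the object's key, which revokes every holder at once and forces the legitimate ones to come back for new capabilities.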
17
Conversion Between ACL and CL
  • Interactions among processes that use different
    access control models require gateways for
    conversion.
  • Conversion to ACL is straightforward.
  • Consider the example of a process in a CL domain
    that needs to access a remote object in an ACL
    domain:
  • The gateway authenticates the process identifier.
  • It then verifies that the operation is in the
    process's capability list.
  • The request is then converted to an ACL request
    and presented to the remote host.

Source Randy, 97
18
Conversion Between ACL and CL
  • Converting an ACL request to CL is slightly more
    complex:
  • It requires a database with resource capabilities
    for the interacting processes.
  • The gateway validates the ACL request,
  • obtains the resource capability from the database
    server, and
  • presents the capability to the capability-based
    object server.
  • A system utilizing both ACL and CL suffers the
    drawbacks of both approaches.
  • Furthermore, the conversions cause additional
    security hazards.

Source Randy, 97
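The two conversion procedures on slides 17 and 18, and the hazard the last bullet alludes to, as an added example that is not code from the slides or from Chow and Johnson. It assumes the simplest form of each side: an ACL server that checks a subject against its column of the matrix, a capability server that recognises opaque random tokens it issued, and a gateway that holds a process table for the CL side and a capability database keyed by remote object for the ACL side. All names, processes and objects are constructed sample data.

```python
import secrets
from typing import Dict, Set, Tuple

Acls = Dict[str, Dict[str, Set[str]]]   # acls[object][subject] = rights


class AclServer:
    """ACL domain: subjects are authenticated (assumed already done by the
    gateway here) and checked against the object's column of the matrix."""
    def __init__(self, acls: Acls) -> None:
        self.acls = acls

    def request(self, subject: str, obj: str, right: str) -> bool:
        return right in self.acls.get(obj, {}).get(subject, set())


class CapServer:
    """CL domain: the server recognises tokens it issued and knows no users."""
    def __init__(self) -> None:
        self._issued: Dict[str, Tuple[str, Set[str]]] = {}

    def grant(self, obj: str, rights: Set[str]) -> str:
        token = secrets.token_hex(16)            # unguessable opaque capability
        self._issued[token] = (obj, set(rights))
        return token

    def revoke(self, token: str) -> None:
        self._issued.pop(token, None)

    def present(self, token: str, obj: str, right: str) -> bool:
        entry = self._issued.get(token)
        return entry is not None and entry[0] == obj and right in entry[1]


class Gateway:
    """Converts requests in both directions between the two domains."""
    def __init__(self, acl_server: AclServer, cap_server: CapServer) -> None:
        self.acl_server = acl_server
        self.cap_server = cap_server
        # CL side: authenticated process id -> (principal used on the ACL side, its CL)
        self.processes: Dict[str, Tuple[str, Dict[str, Set[str]]]] = {}
        # ACL side: remote object -> capability, the 'database of resource capabilities'
        self.cap_db: Dict[str, str] = {}
        # The gateway's own ACLs: who may have a stored capability used on their behalf
        self.local_acls: Acls = {}

    def cl_to_acl(self, process_id: str, obj: str, right: str) -> bool:
        """CL process -> remote ACL object (slide 17)."""
        entry = self.processes.get(process_id)
        if entry is None:
            return False                         # process identifier not authenticated
        principal, caplist = entry
        if right not in caplist.get(obj, set()):
            return False                         # operation not in the process's CL
        return self.acl_server.request(principal, obj, right)   # converted request

    def acl_to_cl(self, subject: str, obj: str, right: str) -> bool:
        """ACL subject -> remote capability-based object (slide 18)."""
        if right not in self.local_acls.get(obj, {}).get(subject, set()):
            return False                         # validate the ACL request first
        token = self.cap_db.get(obj)             # fetch the stored capability
        if token is None:
            return False
        return self.cap_server.present(token, obj, right)


def demo() -> Dict[str, bool]:
    acl_srv = AclServer({"report.txt": {"alice": {"read", "write"}}})
    cap_srv = CapServer()
    gw = Gateway(acl_srv, cap_srv)
    # CL-side process p1 runs on behalf of alice but holds only a read capability
    gw.processes["p1"] = ("alice", {"report.txt": {"read"}})
    # the gateway keeps one capability for ledger.db; only bob may use it
    ledger_cap = cap_srv.grant("ledger.db", {"read"})
    gw.cap_db["ledger.db"] = ledger_cap
    gw.local_acls["ledger.db"] = {"bob": {"read"}}
    r = {
        "p1_read": gw.cl_to_acl("p1", "report.txt", "read"),
        "p1_write": gw.cl_to_acl("p1", "report.txt", "write"),     # CL check blocks it
        "unknown_process": gw.cl_to_acl("p9", "report.txt", "read"),
        "bob_ledger": gw.acl_to_cl("bob", "ledger.db", "read"),
        "alice_ledger": gw.acl_to_cl("alice", "ledger.db", "read"),  # local ACL blocks it
    }
    cap_srv.revoke(ledger_cap)                   # revoked on the CL side only
    r["bob_after_revoke"] = gw.acl_to_cl("bob", "ledger.db", "read")
    r["stale_db_entry"] = "ledger.db" in gw.cap_db
    return r
```

The hazard is visible in `acl_to_cl`: the gateway holds a capability that would let anyone read ledger.db, so its local ACL check is the only thing standing between every ACL-side subject and that resource. Drop that check, or compromise the gateway, and the stored capability is usable by all of them, which is the classic confused-deputy problem. The last result shows the other cost of mixing models: the capability server revoked the token, but the gateway's database still lists it, so revocation now has to be coordinated across both systems.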
19
Related research
  • Information Flow Control in Object-Oriented
    Systems [2], 1997
  • In this paper, Samarati et al. describe a high
    assurance discretionary access control model for
    object-oriented systems. The model not only
    ensures protection against Trojan horses leaking
    information, but also provides the flexibility of
    discretionary access control.

20
Contd
  • Access Control Model in Object-Oriented Systems,
    Izaki et al., 2000 [3]
  • The authors discuss a discretionary access
    control model to realize secure object-oriented
    systems. An object is manipulated only through
    methods supported by the object. Classes and
    objects are hierarchically structured in
    generalization (is-a) and aggregation (part-of)
    relations. They discuss how to authorize and
    inherit access rights on classes and objects in
    the hierarchical structure.

21
Contd
  • A layered design of discretionary access controls
    with decidable safety properties, Solworth and
    Sloan, 2004 [5]
  • Solworth and Sloan present a general access
    control model which can be parameterized at the
    second layer to implement (express) any of the
    standard Discretionary Access Control (DAC)
    models. They show that the safety problem is
    decidable for any access control model implemented
    using their general access control model. Until
    then, all general access control models that were
    known to be sufficiently expressive to implement
    the full range of DAC models had an undecidable
    safety problem. Thus, given their model, all of
    the standard DAC models (plus many others) can be
    implemented in a system in which their safety
    properties are decidable.

22
Contd
  • Managing Information Flows on Discretionary
    Access Control Models, Lin, 2006 [4]
  • In 1989, Brewer and Nash (BN) presented a
    fascinating idea, called the Chinese wall security
    policy model, for commercial security. Their idea
    was based on the analysis of the notion of a
    Conflict of Interest binary Relation (CIR).
    Unfortunately, their formalization did not fully
    capture the appropriate properties of CIR. In this
    paper, Lin presents a theory based on granulation
    that captures the essence of BN's intuitive idea.
    The results go beyond the Chinese wall model:
    malicious Trojan horses in certain DAC
    (discretionary access control) models can be
    controlled or confined.

23
References
  • [1] Randy Chow, Theodore Johnson, Distributed
    Operating Systems & Algorithms, Addison-Wesley,
    1997, pp. 271-278.
  • [2] Samarati, P., Bertino, E., Ciampichetti, A.,
    Jajodia, S., Information flow control in
    object-oriented systems, IEEE Transactions on
    Knowledge and Data Engineering, Vol. 9, No. 4,
    July-Aug. 1997, pp. 524-538.
  • [3] Izaki, K., Tanaka, K., Takizawa, M., Access
    control model in object-oriented systems, Seventh
    International Conference on Parallel and
    Distributed Systems: Workshops, 4-7 July 2000,
    pp. 69-74.
  • [4] Lin, Tsau Young (T. Y.), Managing Information
    Flows on Discretionary Access Control Models, IEEE
    International Conference on Systems, Man and
    Cybernetics (ICSMC '06), Vol. 6, 8-11 Oct. 2006,
    pp. 4759-4762.
  • [5] Solworth, J. A., Sloan, R. H., A layered
    design of discretionary access controls with
    decidable safety properties, Proceedings of the
    2004 IEEE Symposium on Security and Privacy,
    9-12 May 2004, pp. 56-67.

24
QUESTIONS ?
  • Thank you!