Access Control Models

1
Access Control Models

• What is Access Control?
• Discretionary Access Control (DAC)

2
Operating Systems Manage Resources

• Resources managed
• Memory, CPU, programs, data, networks, etc.
• Evaluation criteria
• Efficiency
• Utilization
• Protection!!!

3
Separation vs. Sharing

• Separation of resources
• Keep different users resources separate
• Physical, temporal, logical, cryptographic
• Sharing of resources
• Users/processes may need/want to share files,
  programs, data, etc.
• Access control
• Inherent conflict between separation and sharing

4
Memory and Address Protection

• Fence/fence register
• Relocation
• Base/bounds register
• Tagged architecture
• Segmentation
• Paging

5
File Protection

• All or nothing protection (private, public)
• Group protection (private, group, public)
• Defining groups
• Maintaining groups
• Handling overlapping groups
• Password protection

6
Access Control

• A trusted operating system needs to provide
  controlled access to resources so that only
  appropriate users can access resources
• What are the resources?
• Who are the users?
• What is an appropriate access?
• Need access control policies and models

7
Access Control

• Protection objects system resources for which
  protection is desirable
• Memory, file, directory, hardware resource,
  software resources, etc.
• Subjects active entities requesting accesses to
  resources
• User, owner, program, etc.
• Access mode type of access
• Read, write, execute

8
Access Control Example

• ?

• Access Control Policy for son Edward
• Allowed access
• House
• Disallowed access
• Automobile

9
Access Control Example

• Access Control Policy for son Edward
• Allowed access
• House
• Disallowed access
• Automobile

10
Access Control Example

• Access Control policy
• Allowed access
• House
• Disallowed access
• Automobile
• Problem!
• Unauthorized access

• ?

11
Access Control Example

• Access Control Policy for son Edward
• Allowed access
• House
• Kitchen
• Disallowed access
• Automobile
• Car key

12
Access Control Example

• Correct Access Control Policy for son Edward
• Allowed access
• House
• Kitchen
• Disallowed access
• Automobile
• Car key

• ?

13
Access Control

• Protection objects system resources for which
  protection is desirable
• Memory, file, directory, hardware resource,
  software resources, etc.
• Subjects active entities requesting accesses to
  resources
• User, owner, program, etc.
• Access mode type of access
• Read, write, execute

14
Access Control Requirements

• Cannot be bypassed
• Enforce least-privilege and need-to-know
  restrictions
• Enforce organizational policy

15
Access Control

• Access control ensures that all direct accesses
  to object are authorized
• Protects against accidental and malicious threats
  by regulating the reading, writing and execution
  of data and programs
• Need
• Proper user identification and authentication
• Information specifying the access rights is
  protected from modification

16
Access Control

• Access control components
• Access control policy specifies the authorized
  accesses of a system
• Access control mechanism implements and enforces
  the policy
• Separation of components allows us to
• Define access requirements independently from
  implementation
• Compare different policies
• Implement mechanisms that can enforce a wide
  range of policies

17
Closed v.s. Open Systems
Closed system
Open System
(minimum privilege)
(maximum privilege)
Access request
Access request
Allowed accesses
Disallowed accesses
Rule exists?
Rule exists?
yes
no
yes
no
Access denied
Access permitted
Access permitted
Access denied
18
Authorization Management

• Who can grant and revoke access rights?
• Centralized administration security officer
• Decentralized administration locally autonomous
  systems
• Hierarchical decentralization security officer gt
  departmental system administrator gt Windows NT
  administrator
• Ownership based owner of data may grant access
  to other to his/her data (possibly with grant
  option)
• Cooperative authorization predefined groups of
  users or predefined number of users may access
  data

19
Access Control Models
All accesses
Discretionary AC
Mandatory AC
Role-Based AC
20
Discretionary Access Control

• Access control is based on
• Users identity and
• Access control rules
• Most common administration owner based
• Users can protect what they own
• Owner may grant access to others
• Owner may define the type of access given to
  others

21
Access Matrix Model
OBJECTS AND SUBJECTS
File 1
File 2

Read Write Own Read

Read Write Own
S U B J E C T S
Joe
Sam
22
Discretionary Security Property

• Every current access must be in the access matrix

23
Implementation
File 1 File 2 JoeRead JoeRead JoeWrite SamRea
d JoeOwn SamWrite SamOwn
Access Control List (column)
(ACL)
Capability List (row)
Joe File 1/Read, File 1/Write, File 1/Own, File
2/Read Sam File 2/Read, File 2/Write, File 2/Own
Subject Access Object Joe Read File
1 Joe Write File 1 Joe Own File
1 Joe Read File 2 Sam Read File 2 Sam Write
File 2 Sam Own File 2
Access Control Triples
24
ACL v.s. Capabilities

• ACL
• Per object based
• Good for file systems
• Capabilities
• Per subject based
• Good for environment with dynamic, short-lived
  subjects

25
Access Control Conditions

• Data-dependent conditions access constraints
  based on the value of the accessed data
• Time-dependent access constraints based on the
  time of the data access
• Context-dependent access constraints based on
  combinations on data which can be accessed
• History-dependent access constraints based on
  previously accessed data

26
Access Control Mechanisms

• Security through Views
• Stored Procedures
• Grant and Revoke
• Query modification
• Will revisit with databases

27
Security Through Views

• Assign rights to access predefined views
• CREATE VIEW Outstanding-Student
• AS SELECT NAME, COURSE, GRADE
• FROM Student
• WHERE GRADE gt B
• Problem
• Difficult to maintain updates.

28
Security Through Views
Student relation
NAME COURSE GRADE SEMESTER
White CSCE 122 C Fall 2000
Black CSCE 313 A Fall 2000
Brown CSCE 580 A Spring 2000
Green CSCE 850 B Fall 2000
Blue CSCE 122 B Fall 2000
29
Security Through Views
CREATE VIEW Outstanding-Student AS SELECT NAME,
COURSE, GRADE FROM Student WHERE GRADE gt B
Outstanding-Student
NAME COURSE GRADE
Black CSCE 313 A
Brown CSCE 580 A
Green CSCE 850 B
30
Security Through Views
CREATE VIEW Fall-Student AS SELECT NAME,
COURSE FROM Student WHERE SEMESTERFall 2000
NAME COURSE
White CSCE 122
Black CSCE 313
Green CSCE 850
Blue CSCE 122
Fall-Student
31
Stored Procedures

• Assign rights to execute compiled programs
• GRANT RUN ON ltprogramgt TO ltusergt
• Problem
• Programs may access resources for which the user
  who runs the program does not have permission.

32
Grant and Revoke

• GRANT ltprivilegegt ON ltrelationgt
• To ltusergt
• WITH GRANT OPTION
• GRANT SELECT ON Student TO Matthews
• GRANT SELECT , UPDATE(GRADE) ON Student TO
  FARKAS
• GRANT SELECT(NAME) ON Student TO Brown
• GRANT command applies to base relations as well
  as views

33
Grant and Revoke

• REVOKE ltprivilegesgt ON ltrelationgt
• FROM ltusergt
• REVOKE SELECT ON Student FROM Blue
• REVOKE UPDATE ON Student FROM Black
• REVOKE SELECT(NAME) ON Student FROM Brown

34
Non-cascading Revoke
A revokes Ds privileges
E
B
A
F
C
35
Cascading Revoke
A revokes Ds privileges
B
A
C
36
Positive and Negative Authorization

• Problem
• Contradictory authorizations
• GRANT ltprivilegegt ON X TO ltusergt
• DENY ltprivilegegt ON X TO ltusergt

37
Negative Authorization
-
Positive authorization granted By A to D becomes
blocked but NOT deleted.
38
Negative Authorization
-

F
What should happen with the privilege given by
D To F? (Blocked but not deleted)
39
Query Modification

• GRANT SELECT(NAME) ON Student TO Blue WHERE
  COURSECSCE 590
• Blues query
• SELECT
• FROM Student
• Modified query
• SELECT NAME
• FROM Student
• WHERE COURSECSCE 580

40
Current Research

• Make cascading optional
• Permit negative authorization
• Flexible policies for resolving conflicts
• Extend to groups and views

41
DAC and Trojan Horses
Brown read, write
Employee
Brown
Black, Brown read, write
Blacks Employee
Black
42
DAC and Trojan Horses
Brown read, write
Employee
Word Processor
Uses shared program
Brown
Black, Brown read, write
Blacks Employee
Black
43
DAC Overview

• Advantages
• Intuitive
• Easy to implement
• Disadvantages
• Inherent vulnerability (TH example)
• Maintenance of ACL or Capability lists
• Maintenance of Grant/Revoke
• Limited power of negative authorization

44
Mandatory Access Control (MAC)

• Objects security classification
• e.g., grades(confidential, student-info)
• Subjects security clearances
• e.g., Joe(confidential, student-info)
• Access rules defined by comparing the security
  classification of the requested objects with the
  security clearance of the subject
• e.g., subject can read object only if
  label(subject) dominates label(object)

45
Mandatory Access Control

• If access control rules are satisfied, access is
  permitted
• e.g., Joe wants to read grades.
• label(Joe)(confidential,student-info)
• label(grades)(confidential,student-info)
• Joe is permitted to read grades
• Granularity of access rights!

46
Mandatory Access Control
Security Classes (labels) (A,C) A total order
authority level C set of categories e.g., A
confidential gt public , C student-info,
dept-info
(confidential,student-info,dept-info)
(confidential,dept-info)
(confidential,student-info)
(confidential, )
(public,student-info,dept-info)
(public,student-info)
(public,,dept-info)
(public, )
47
Mandatory Access Control

• Dominance (?) label l(A,C) dominates l(A,C)
  iff A ? A and C ? C
• e.g., (confidential,student-info) ?
  (public,student-info)
• BUT
• (confidential, student-info) ?
  (public,student-info, department-info)

48
Bell- LaPadula (BLP) Model

• Confidentiality protection
• Lattice-based access control
• Subjects
• Objects
• Security labels
• Supports decentralized administration

49
Bell- LaPadula (BLP) Model

• Allowed BLP access types
• Execute
• Read
• Write
• Append (aka blind write)

50
BLP Reference Monitor

• All accesses are controlled by the reference
  monitor
• Cannot be bypassed
• Access is allowed iff the resulting system state
  satisfies all security properties
• Trusted subjects subjects trusted not to
  compromise security

51
BLP Axioms 1

• Simple-security property a subject s is allowed
  to read an object o only if the security label
  of s dominates the security label of o
• No read up
• Applies to all subjects

52
BLP Axioms 2

• -property a subject s is allowed to write an
  object o only if the security label of o
  dominates the security label of s
• No write down
• Applies to un-trusted subjects only

53
Trojan Horses and BLP
Brown read, write
Employee
Reference Monitor
Word Processor
Secret
Use shared program
Read Employee
Brown
Black, Brown read, write
Secret
Blacks Employee
TH
Copy Employee To Blacks Employee
Public
Insert Trojan Horse Into shared program
Black
Secret ? Public
Public
54
Blind Writes

• Improper modification of data
• Most implementations disallow blind writes

55
Tranquility

• Read and write accesses mediated based on the
  security labels of objects and subjects
• Read and write accesses are not atomic, i.e.,
  sequences of operations that may or may not be
  interrupted
• Example secret subject requests a read to a
  secret object. While the request is being
  processed, the subjects lowers its level to
  unclassified gt unclassified subject gained read
  access to secret object

56
Strong Tranquility

• Tranquility changing security labels
• Strong tranquility security labels of subjects
  and objects never change during an operation
• Advantage system state always satisfies security
  requirements
• Disadvantage not flexible

57
Weak Tranquility

• Weak tranquility security labels of subjects and
  objects never change such a way as to violate the
  security policy
• High watermark on subject during read a subject
  may upgrade its security clearance
• High watermark on objects during write an
  objects security classification may be upgraded.

58
Biba Model

• Integrity protection
• Lattice-based access control
• Subjects
• Objects
• Integrity labels
• Access Control List

59
Integrity Labels

• Hierarchical integrity levels e.g.,
• Crucial gt Very important gt Important
• Non-hierarchical categories e.g.,
• medical, personal, administrative

60
Strict Integrity Policy

• Integrity -property a subject s can modify an
  object o only if the integrity level of the
  subject dominates the integrity level of the
  object (no write up)
• Simple integrity property a subject s can
  observe an object o only if the integrity label
  of s is dominated by the integrity label of o (no
  read down)
• Invocation property a subject s1 can invoke a
  subject s2 only if the integrity label of s1
  dominates the integrity label of s2