Distributed Computer Security

1
Distributed Computer Security

• 8.2 Discretionary Access Control Models
• - Liang Zhao

2
Outline

• Security Policies
• Discretionary Access Control Model
• Access Control Matrix (ACM)
• Distributed Compartments
• ACM Implementation
• ACL vs CL
• References

3
Security Policy

• There are two kinds of security policies
• Simple security policies
• Access control matrix (ACM) models are widely
  used to enforce the simple security policies.
• Complex Security policies
• Security requirements how and when the accesses
  are performed( special constraints are involved).
• Relevant to the distributed systems.

4
Discretionary Access Control

• Discretionary security models provide access
  control on an individual basis.
• Access control is based on
• Users identity and
• Access control rules
• Most common administration owner based
• Users can protect what they own
• Owner may grant access to others
• Owner may define the type of access given to
  others

5
Access Control

• An access control is a function that given a
  subject and object pair i.e. (s,o) and a
  requested operation r , from s to o , returns a
  true value if requested is permitted.
• R P ( s , o )
• P access matrix
• R set of allowable operations.( r is a
  particular operation
  belonging to set R ).
• s subject
• o object

6
Access Control matrix

• Access Control Matrix model is perhaps the most
  fundamental and widely used discretionary access
  control model for enforcing simple security
  policies.
• Resource and process protection can use separate
  access control matrices.

7
Resource ACM

• In a resource ACM subjects are users and objects
  are the files to be accessed.
• Access Rights - read, write, execute,
  append.
• Special privileges may be like owner privilege.

8
Process ACM

• In process ACM the subjects and objects are both
  processes.
• Operations are basically related to communication
  and synchronization

9
Domain ACM

• Set of objects with same access rights

10
Access Control Matrix

• Reducing the Size of Access Control Matrix
• Subject rows in the ACM that have identical
  entries i.e subjects that have similar access
  rights on common objects , could be merged into
  groups.
• If a user belongs to more than one group, its
  access rights is the union of all access rights
  of all the groups it belongs to.
• Similarly Object columns with same entries could
  be merged into categories

Randy, 97
11
A Distributed Compartment Model
Randy, 97
12
Advantages of Distributed compartment model

• The grouping of subjects and objects is logical
  and application specific.
• The accesses are more transparent since they do
  not depend on the operating systems and
  administrative units.
• Since the application manages the distributed
  handles, it allows different security policies to
  be implemented

Randy, 97
13
ACM implementations

• For efficiency and organizational purposes ,
  access control matrices need to be partitioned
• The Linked list structure that contains all
  entries in a column for a particular object is
  called a Access control List (ACL) for the object
  - specifies the permissible rights that various
  subjects have on the object
• Likewise all entries in a row for a subject is
  called a Capability List (CL) for the subject -
  CL specifies privileges to various objects held
  by a subject like movie tickets

14
Comparison of ACL CL

• Comparison in terms of management functions
• Authentication
• Reviewing of Access Rights
• Propagation of Access Rights
• Revocation of Access Rights
• Conversion between ACL and CL

Randy, 97
15
Authentication

• ACL Authenticates subjects, which is performed by
  the system
• While in CL, authentication is performed on
  capabilities of objects , by the object server.
• Objects have knowledge of the capabilities ,but
  do not know the users or processors. This is one
  of the reasons why many Distributed
  implementations favour the CL approach

16
Review of Access rights

• To know which subjects are authorized to use a
  certain objects.
• Easier to review ACL, because ACL contains
  exactly this information. For storage efficiency
  subject grouping, wildcards ,prohibitive rights
  could also be used.
• It is difficult to review for a CL unless some
  type of activity log is kept for all subjects
  that are given the capability

17
Propagation Of Access Rights

• Access rights must be replicatable to facilitate
  sharing.
• Propagation is Duplication of some or all the
  privileges from one subject to the others.
• Propagation is not transfer of rights, it is only
  duplication.
• In ACL, propagation of rights is explicitly
  initiated by a request to the object server,
  which modifies or adds an entry to its ACL.

Randy, 97
18
Propagation Of Access Rights

• Propagation of rights must adhere to the
  principle of least principles.
• i.e. Only the minimum privileges required to
  perform the tasks are given when propagating the
  rights
• In CL, theoretically it is propagate rights
  between subjects without intervention of object
  server.
• This could result in an uncontrollable system and
  hence is avoided.

19
Revocation Of Access Rights

• Revocation is trivial in ACL because it is easy
  to delete subject entries from the ACL.
• It is difficult for CLs to revoke access
  selectively.

20
Conversion Between ACL CL

• Interactions among processes involving different
  Access control models would require gateways for
  conversions.
• Conversion to ACL is straightforward.
• Consider example of processes in a CL requiring
  to access remote objects in ACL
• Gateway Authenticates the process identifier.
• It Then verifies the operation in the capability
  list.
• The request is then converted to ACL and is
  presented to the remote host

Source Randy, 97
21
Conversion Between ACL CL

• Converting a ACL request to CL is slightly more
  complex
• Requires a database with resource capabilities
  for the interacting processes
• Gateway validates the ACL request
• obtains the resource capability from the database
  server
• Capability is then presented to capability based
  object server.
• A system utilizing both ACL and CL suffers the
  drawback of both approaches
• Furthermore the conversions causes additional
  security hazards

22
My current research

• Distributed Computing in Smart Grid

23
Distributed Computing in SG
24
Distributed Computing in SG
25
References

• 1 Randy Chow Theodore Johnson,
  1997,Distributed Operating Systems
  Algorithms, (Addison-Wesley), p. 271 to 278
• 2 Samarati, P. Bertino, E. Ciampichetti, A.
  Jajodia, S. Information flow control in
  object-oriented systems. Knowledge and Data
  Engineering, IEEE Transactions on Volume 9, 
  Issue 4,  July-Aug. 1997 Page(s)524 - 538
• 3 Izaki, K. Tanaka, K. Takizawa, M. Access
  control model in object-oriented systems
  Parallel and Distributed Systems Workshops,
  Seventh International Conference on, 2000 4-7
  July 2000 Page(s)69 - 74
• 4 Lin, Tsau Young (T. Y.) Managing
  Information Flows on Discretionary Access Control
  Models Systems, Man and Cybernetics, 2006. ICSMC
  '06. IEEE International Conference onVolume 6, 
  8-11 Oct. 2006 Page(s)4759 - 4762
• 5 Solworth, J.A. Sloan, R.H. A layered
  design of discretionary access controls with
  decidable safety properties Security and
  Privacy, 2004. Proceedings. 2004 IEEE Symposium
  on 9-12 May 2004 Page(s)56 - 67

26
QUESTIONS ?

• Thank you!