© 2004 Ravi Sandhu, www.list.gmu.edu
A Perspective on Graphs and Access Control Models
Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
Outline
• A perspective on security
• A perspective on access control
• The safety problem in access control
• Looking ahead
• Discussion
Security Confusion
INTEGRITY: modification
AVAILABILITY: access
CONFIDENTIALITY: disclosure
USAGE: purpose
• electronic commerce, electronic business
• digital rights management, client-side controls
Good enough security
[Figure: triangle with corners EASY, SECURE and COST; corner labels: Security geeks, Real-world users, System owner]
• whose security
• perception or reality of security
• end users
• operations staff
• help desk
• system cost
• operational cost
• opportunity cost
• cost of fraud
Business models will dominate security models
Good enough security
[Figure: 3 × 3 grid of RISK against COST, each axis marked L, M, H, with cells numbered 1 to 5; annotations: Entrepreneurial mindset, Academic mindset]
Access Control Models
• Authentication
  – who is trying to access a protected resource?
• Authorization
  – who should be allowed to access which protected resources?
  – who should be allowed to change the access?
• Enforcement
  – how does the system enforce the specified authorization
[Diagram labels: Access Control Models; Access Control Architecture]
The OM-AM Way
[Figure: layered diagram of Objectives, Models, Architectures, Mechanisms; side labels: What?, How?, Assurance]
Access Control Status
• Ten years ago
  • Emphasis on
    – Cryptography and intrusion detection
    – Access control relegated to back burner
  • Ravi Sandhu, “Access Control: The Neglected Frontier.” Proc. First Australasian Conference on Information Security and Privacy, LNCS, 1996.
• Today
  • Strong industry interest
  • Growing need
  • Growing research
Safety in Access Control
• Authentication
  – who is trying to access a protected resource?
• Authorization
  – who should be allowed to access which protected resources?
  – who should be allowed to change the access?
• Enforcement
  – how does the system enforce the specified authorization
[Diagram labels: Access Control Models; Access Control Architecture; The Safety Problem]
The HRU (Harrison-Ruzzo-Ullman) Model, 1976
[Figure: access matrix with subjects U, V and objects F, G; cell entries: r w; r w; r]
The HRU (Harrison-Ruzzo-Ullman) Model, 1976
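[Figure: graph with an edge between U and F labelled r, w, an edge between V and G labelled r, w, and a further edge labelled r]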
HRU Commands and Operations
• command α(X1, X2, . . ., Xk)
    if r1 in (Xs1, Xo1) and r2 in (Xs2, Xo2) and ri in (Xsi, Xoi)
    then op1; op2; … opn
  end
• enter r into (Xs, Xo)
  delete r from (Xs, Xo)
  create subject Xs
  create object Xo
  destroy subject Xs
  destroy object Xo
HRU as Graph Rules (from Koch et al 2002)
Safety in HRU (late 1970’s)
• Safety Problem: Is there a reachable state with edge labeled z from X to Y?
• Undecidable in general
• HRU unable to find interesting decidable cases.
• Mono-operational: decidable but uninteresting
• Monotonic: undecidable
• Bi-conditional monotonic: undecidable
• Mono-conditional monotonic: decidable but uninteresting
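An added example, not taken from the slides: HRU-style commands applied to an access matrix held as labelled edges, with an exhaustive search that answers the safety question "is a state with edge z from X to Y reachable?". It assumes a fixed set of entities and only enter/delete operations, which keeps the state space finite so the search terminates; the command names and the initial state are constructed for illustration.

```python
from itertools import product

# A state is a frozenset of (subject, object, right) edges: the access matrix
# drawn as a labelled graph. Conditions are (right, s, o) and operations are
# (op, right, s, o), where s and o index the command's parameters X1..Xk.
# Constructed commands with hypothetical names; only enter/delete, no create.
COMMANDS = [
    # share_read(X1, X2, X3): if w in (X1, X3) and r in (X1, X3)
    #                         then enter r into (X2, X3)
    ("share_read", 3, [("w", 0, 2), ("r", 0, 2)], [("enter", "r", 1, 2)]),
    # revoke_read(X1, X2, X3): if w in (X1, X3) and r in (X2, X3)
    #                          then delete r from (X2, X3)
    ("revoke_read", 3, [("w", 0, 2), ("r", 1, 2)], [("delete", "r", 1, 2)]),
]
ENTITIES = ["U", "V", "F", "G"]
# Constructed initial state: U holds r, w on F and V holds r, w on G.
INITIAL = frozenset({("U", "F", "r"), ("U", "F", "w"),
                     ("V", "G", "r"), ("V", "G", "w")})

def step(state, cmd, args):
    """Run one command on a state; return the new state, or None if its condition fails."""
    _, _, conds, ops = cmd
    if not all((args[s], args[o], r) in state for r, s, o in conds):
        return None
    cells = set(state)
    for op, r, s, o in ops:
        edge = (args[s], args[o], r)
        if op == "enter":
            cells.add(edge)
        else:  # "delete"
            cells.discard(edge)
    return frozenset(cells)

def leaks(initial, commands, entities, target):
    """Safety question: is a state containing edge `target` reachable from `initial`?"""
    seen, frontier = {initial}, [initial]
    while frontier:
        state = frontier.pop()
        if target in state:
            return True
        for cmd in commands:
            for args in product(entities, repeat=cmd[1]):
                nxt = step(state, cmd, args)
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return False
```

With these commands, `leaks(INITIAL, COMMANDS, ENTITIES, ("V", "F", "r"))` finds the leak of r, while the same query for w exhausts every reachable state without finding one.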
The Safety Problem
• HRU 1976:
  • “It would be nice if we could provide for protection systems an algorithm which decided safety for a wide class of systems, especially if it included all or most of the systems that people seriously contemplate. Unfortunately, our one result along these lines involves a class of systems called “mono-operational,” which are not terribly realistic. Our attempts to extend these results have not succeeded, and the problem of giving a decision algorithm for a class of protection systems as useful as the LR(k) class is to grammar theory appears very difficult.”
• 2004:
  • Considerable progress has been made but much remains to be done and practical application of known results is essentially non-existent.
    – Progress includes: Take-Grant Model (Jones, Lipton, Snyder, Denning, Bishop; late 70’s, early 80’s), Schematic Protection Model (Sandhu, 80’s), Typed Access Matrix Model (Sandhu, 1990’s), Graph Transformations (Koch, Mancini, Parisi-Presicce 2000’s)
Safety with Types
• Typed Access Matrix or TAM model (Sandhu 1992)
  • Safety is polynomial-decidable for monotonic ternary TAM with acyclic create-graph
• Typed Graphs (Koch et al 2002)
  • Safety is decidable for transformations that are either expanding or deleting
  • The given algorithm is exponential but actual complexity remains an open question
The Take-Grant Model (late 70’s, early 80’s)
[Figure: (a) nodes A and B joined by an edge labelled t: B/t ∈ dom(A); (b) nodes A and B joined by an edge labelled g: B/g ∈ dom(A)]
Original graph representation, late 70’s
The Take-Grant Model (late 70’s, early 80’s)
[Figure: (a) nodes A and B joined by an edge labelled t: B/t ∈ dom(A); (b) nodes A and B joined by an edge labelled g: B/g ∈ dom(A)]
Lockman-Minsky representation, 1982
Creation in Take-Grant
[Figure: two panels, (a) The Original View and (b) The Lockman-Minsky View, each showing nodes A and A’ joined by an edge labelled t g]
Reversal of Take-Grant Flow: case t
[Figure: graph on nodes A, B and A’ with edges labelled t and g]
Reversal of Take-Grant Flow: case g
[Figure: graph on nodes A, B and A’ with edges labelled t and g]
Reversal of Grant-Only Flow
[Figure: graph on nodes A, B and A’ with edges labelled g]
Non-Reversal of Take-Only Flow
[Figure: graph on nodes A, B and A’ with edges labelled t]
Safety in more recent (and practical) models
• RBAC96 (foundation of a new NIST/ANSI/ISO standard)
  • Safety is undecidable in general
    – Sandhu, Munawer, Crampton, 1998
  • Decidable cases exist
    – Li, Mitchell, Winsborough, Solworth, Sloan, 2000’s
• UCON (Usage Control Models)
  • Safety is undecidable in general
  • Decidable cases exist
    – Park, Sandhu, Zhang, Parisi-Presicce 2000’s
Looking ahead
• Security lags information technology applications
• Information technology applications are moving extremely rapidly
• The need for decentralized and automatic authorization is growing very rapidly
• The safety problem of access control remains a critical path problem
• Challenges
  – Develop new real-world relevant theory
  – Apply old and new theory
• Can theory of graph transformations help us?
RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)
[Figure: RBAC96 components: USERS, ROLES, PERMISSIONS, SESSIONS, USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, ROLE HIERARCHIES, CONSTRAINTS]
UCON (Usage Control) Models
[Figure: UCON components: Subjects (S), Objects (O), Rights (R), Subject Attributes (ATT(S)), Object Attributes (ATT(O)), Authorizations (A), Obligations (B), Conditions (C), Usage Decision]
[Figure: timeline Before, Usage, After; Continuity of Decisions: pre, ongoing, N/A; Mutability of Attributes: pre, ongoing, post]