Date post: 19-Dec-2015
Upload: solomon-hensley

MT5104 - Computer Security - Access Control


Access Control

• Our working definition: Computer security deals with the prevention and detection of unauthorised actions by users of a computer system.

• Computer systems control access to data and shared resources, like memory, printers, etc., more often for reasons of integrity than for confidentiality.

• Access control is at the core of computer security.

Background

• Computer systems and their use have changed over the last decades.

• Traditional multi-user operating systems provide generic services to a wide variety of users and do not ‘know’ about the meaning of the files they handle.

• Modern PC operating systems support individual users in performing their job. Access operations are complex and application specific. Users are not interested in the lower level details of the execution of their programs.

• It is often difficult to map high level security requirements to low level security controls.

The Agenda for Today

• Terminology for access control

• Basic access control structures: ACLs, capabilities, etc.

• New paradigms

• Mathematical concepts – partial orderings and lattices

• Exercises and further reading

A Model for Access Control

[Figure: principal (source) --do operation (request)--> reference monitor (guard) --> object (resource)]

Lampson et al.: Authentication in Distributed Systems: Theory and Practice, ACM ToCS, 1992


Authentication and Authorisation

• If s is a statement, authentication answers the question ‘Who said s?’ with a principal. Thus principals make statements; this is what they are for.

• Likewise, if o is an object, authorisation answers the question ‘Who is trusted to access o?’ with a principal.

Principals and Subjects

• ‘Principal’ and ‘subject’ are both used to denote the active entity in an access operation.

• The word ‘principal’ has many different meanings and is the source of much confusion:

– Principals are subjects in the TCSEC sense, but not all subjects are principals. [Morrie Gasser, 1989]

– Principals are public keys. [SDSI, 1996]

– The term principal represents a name associated with a subject. Since subjects may have multiple names, a subject essentially consists of a collection of principals. [Li Gong, 1999]


My Recommendation

• Policy: A principal is an entity that can be granted access to objects or can make statements affecting access control decisions.

• System: Subjects operate on behalf of (human users we call) principals, and access is based on the principal’s name bound to the subject in some unforgeable manner at authentication time.

Basic Terminology

• Subject/Principal: active entity – user or process

• Object: passive entity – file or resource

• Access operations: read, write, ...

• Access operations vary from basic memory access to method calls in an object-oriented system.

• Comparable systems may use different access operations or attach different meanings to operations which appear to be the same.


Changing Focus

Subjects and objects provide a different focus of control (first design principle): What is the subject allowed to do? What may be done with an object?

Traditionally, multi-user operating systems manage files and resources, i.e. objects. Access control takes the second approach.

Application oriented IT systems, like database management systems, offer services directed to the user and may well control the actions of subjects.

Access Modes

• On the most elementary level, a subject may observe an object, or alter an object.

• Observe and Alter are called access modes.

• At the next level of complexity, we find the access rights of the Bell-LaPadula security model and the access attributes of the Multics operating system.

Access Rights in BLP

• The four Bell-LaPadula access rights: execute, read, append (also called blind write), write.

• Mapping between access rights and access modes:

            execute   read   append   write
  Observe              X               X
  Alter                       X        X

Rationale

• In a multi-user O/S, users open files to get access. Files are opened for read access or for write access so that the O/S can avoid conflicts like two users simultaneously writing to the same file.

• Write access usually includes read access. A user editing a file should not be asked to open it twice. Hence, the write right includes Observe and Alter mode.

• Few systems actually implement append. Allowing users to alter an object without observing its content is rarely useful (exception: audit log).

• A file can be used without being opened (read). Example: use of a cryptographic key. This can be expressed by an execute right that includes neither Observe nor Alter mode.

Multics

• Multics has access attributes for data segments and access attributes for directory segments. Bell-LaPadula access rights: e, r, a, w.

• Data segments:

– read: r

– execute: e, r

– read and write: w

– write: a

• Directory segments:

– status: r

– search: e

– status & modify: w

– append: a

Unix

• Access control is expressed in terms of three operations:

– read: read from a file

– write: write to a file

– execute: execute a file

• Applied to a directory, the access operations take this meaning:

– read: list contents

– write: create or rename files in the directory

– execute: search directory

These operations differ from the Bell-LaPadula model. E.g., Unix write access does not imply read access.

Lesson: Do not use your own intuition when interpreting access operations someone else has defined!
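The Unix semantics above, as an added example that is not part of the original slides: a small in-memory file tree with owner/group/others permission bits, a decision function that requires the execute (‘search’) bit on every directory along a path, and a file that is writable but not readable, which is exactly the case where Unix differs from Bell-LaPadula. The tree, the users and the modes are constructed for illustration, and the superuser exemption of real kernels is deliberately left out.

```python
"""Unix access decision for files and directories.

Added example (not from the slides): a tiny in-memory file tree with
owner/group/others permission bits, and the rule that every directory on a
path needs the execute ('search') bit.  The tree, users and modes are
constructed for illustration; the superuser exemption of real kernels is
left out on purpose.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

R, W, X = 4, 2, 1          # permission bits within one rwx triple


@dataclass
class Node:
    owner: str
    group: str
    mode: int                                      # e.g. 0o750
    children: Optional[Dict[str, "Node"]] = None   # None for a plain file

    @property
    def is_dir(self) -> bool:
        return self.children is not None


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]


def class_bits(node: Node, user: User) -> int:
    """Unix picks exactly one triple: owner, else group, else others."""
    if user.name == node.owner:
        return (node.mode >> 6) & 7
    if node.group in user.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def permits(node: Node, user: User, op: int) -> bool:
    return class_bits(node, user) & op == op


def access(root: Node, user: User, path: str, op: int) -> bool:
    """Decide op (R, W, X or a combination) on the object named by path."""
    node = root
    for name in [p for p in path.split("/") if p]:
        # Entering a directory is 'search': it needs that directory's X bit.
        if not node.is_dir or not permits(node, user, X):
            return False
        node = node.children.get(name)
        if node is None:
            return False
    return permits(node, user, op)


def can_create_in(root: Node, user: User, dirpath: str) -> bool:
    """Creating or renaming an entry needs W and X on the directory itself."""
    return access(root, user, dirpath, W | X)


# Constructed file tree:
#   /home/alice/notes.txt  private to alice
#   /dropbox               others may enter and create, but not list (0o733)
#   /dropbox/log           others may write but not read (0o622)
FS = Node("root", "root", 0o755, {
    "home": Node("root", "root", 0o711, {
        "alice": Node("alice", "staff", 0o700, {
            "notes.txt": Node("alice", "staff", 0o600),
        }),
    }),
    "dropbox": Node("root", "root", 0o733, {
        "log": Node("auditor", "audit", 0o622),
    }),
})
ALICE = User("alice", frozenset({"staff"}))
BOB = User("bob", frozenset({"users"}))

if __name__ == "__main__":
    print("bob writes /dropbox/log:", access(FS, BOB, "/dropbox/log", W))   # True
    print("bob reads  /dropbox/log:", access(FS, BOB, "/dropbox/log", R))   # False
```

Two details are worth noticing when reading the decision function: the permission class is chosen once (owner, else group, else others) rather than OR-ed together, so a restrictive owner triple really restricts the owner; and a directory that is searchable but not readable lets a user reach an entry whose name they already know without being able to list the others.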


More operations

• Creation and deletion of files

• Change of security parameters:

– by default rules

– explicit access operations (like grant and revoke)

• Exercise: List the access operations in the Windows NTFS file system.


Creation and Deletion of Files

• Can be governed by access control on the directory (Unix)

• Can be governed by explicit access operation (OpenVMS, Windows)

• When a new object is created, in many operating systems the subject (principal) creating the object becomes its owner.

• Ownership is an aspect often considered in access control rules.


Access Control Structures

• Requirements on access control structures:

– The access control structure should help to express your desired access control policy.

– You should be able to check that your policy has been captured correctly.

• Access rights can be defined individually for each combination of subject and object.

• For large numbers of subjects and objects, such structures are cumbersome to manage. Intermediate levels of control are preferable.

Access Control Matrix

• Notation

– S … set of subjects

– O … set of objects

– A … set of access operations

• Access control matrix: $M = (M_{so})_{s \in S,\, o \in O}$, $M_{so} \subseteq A$.

• The entry $M_{so}$ specifies the operations subject s may perform on object o.

          bill.doc       edit.exe   fun.com
  Alice   -              {exec}     {exec,read}
  Bob     {read,write}   {exec}     {exec,read,write}

Access Control Matrix ctd.

• The access control matrix is

– an abstract concept

– not very suitable for direct implementation

– not very convenient for managing security

• How do you answer the question: Has your security policy been implemented correctly?

• Bell LaPadula (and Orange Book): access control matrix defines discretionary access control (DAC).

• Warning: ‘discretionary’ is not always used in this particular meaning.

Capabilities

• Focus on the subject

– access rights are stored with the subject

– capabilities correspond to rows of the access control matrix

• Subjects may grant rights to other subjects. Subjects may grant the right to grant rights.

• Problems:

– How to check who may access a specific object?

– How to revoke a capability?

• Distributed system security has created renewed interest in capabilities.

Alice: edit.exe: {exec}, fun.com: {exec,read}

Access Control Lists (ACLs)

• Focus on the object

– access rights are stored with the object

– ACLs correspond to columns of the access control matrix

• Access rights are often defined for groups of users.

– Unix: owner, group, others

– VMS: owner, group, world, system

• Problem: How to check access rights of a specific subject?

• ACLs are typical for secure operating systems of Orange Book class C2.

fun.com: Alice: {exec}, Bill: {exec,read,write}
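The matrix, its rows (capability lists) and its columns (ACLs), as an added example that is not part of the original slides: the entries are the ones from the matrix slide (the ACL slide's ‘Bill’ is taken to be Bob), and the two problems named on the capability slide are made concrete, namely answering ‘who may access this object?’ and revoking a right after it has been delegated. The ‘grant’ right used to model delegation is an assumption of this example, not a feature of any system the slides describe.

```python
"""Access control matrix, capability lists and ACLs.

Added example, not from the slides or any particular system.  The matrix
entries are the ones on the slide (the ACL slide's 'Bill' is taken to be
Bob).  The 'grant' right used to model delegation is an assumption of this
example.
"""
from typing import Dict, FrozenSet, Set, Tuple

SUBJECTS = ("Alice", "Bob")
OBJECTS = ("bill.doc", "edit.exe", "fun.com")

# M[s, o] is the set of operations s may perform on o; absent means empty.
MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("Bob", "bill.doc"): frozenset({"read", "write"}),
    ("Alice", "edit.exe"): frozenset({"exec"}),
    ("Bob", "edit.exe"): frozenset({"exec"}),
    ("Alice", "fun.com"): frozenset({"exec", "read"}),
    ("Bob", "fun.com"): frozenset({"exec", "read", "write"}),
}

Store = Dict[str, Dict[str, Set[str]]]


def allowed(s: str, o: str, op: str) -> bool:
    return op in MATRIX.get((s, o), frozenset())


def capabilities(matrix) -> Store:
    """Rows of the matrix: each subject carries its own list of rights."""
    caps: Store = {s: {} for s in SUBJECTS}
    for (s, o), ops in matrix.items():
        if ops:
            caps[s][o] = set(ops)
    return caps


def acls(matrix) -> Store:
    """Columns of the matrix: each object carries the list of who may use it."""
    acl: Store = {o: {} for o in OBJECTS}
    for (s, o), ops in matrix.items():
        if ops:
            acl[o][s] = set(ops)
    return acl


def subjects_with(acl: Store, o: str, op: str) -> Set[str]:
    """'Who may access o?' is one lookup when rights sit with the object."""
    return {s for s, ops in acl[o].items() if op in ops}


def subjects_with_caps(caps: Store, o: str, op: str) -> Set[str]:
    """The same question with capabilities means scanning every subject."""
    return {s for s, row in caps.items() if op in row.get(o, set())}


def grant(caps: Store, giver: str, receiver: str, o: str, ops: Set[str]) -> bool:
    """Delegation: a subject may pass on rights it holds on o, provided it
    also holds the (assumed) 'grant' right on o; 'grant' itself may be passed."""
    held = caps.get(giver, {}).get(o, set())
    if "grant" not in held or not ops <= held:
        return False
    caps.setdefault(receiver, {}).setdefault(o, set()).update(ops)
    return True


def revoke_acl(acl: Store, o: str, s: str, op: str) -> None:
    """With an ACL, revocation touches one entry on one object."""
    acl[o].get(s, set()).discard(op)


def revoke_caps(caps: Store, o: str, op: str) -> int:
    """With capabilities, the right may have been delegated to subjects the
    owner never listed, so every subject's list is scanned.  Returns the
    number of lists changed."""
    changed = 0
    for row in caps.values():
        if op in row.get(o, set()):
            row[o].discard(op)
            changed += 1
    return changed
```

The two stores hold the same information, so a single access check is equally easy in both; the asymmetry only shows in the management questions, which is the point the slides make: an ACL answers ‘who can write fun.com?’ by reading one list, whereas after two delegations the capability store can only answer it, or revoke the right, by visiting every subject.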

Intermediate Controls

• Intermediate controls facilitate better security management.

• To deal with complexity, introduce more levels of indirection.

[Figure: users → roles → procedures → data types → objects]

Groups and Negative Permissions

• Groups are an intermediate layer between users and objects.

• To deal with special cases, negative permissions withdraw rights.

[Figure: two diagrams of users → groups → objects; the second one adds negative permissions]

Role Based Access Control (RBAC)

• Several intermediate concepts can be inserted between subjects and objects:

– Roles: collection of procedures assigned to users; a user can have more than one role and more than one user can have the same role.

– Procedures: ‘high level’ access control methods with a more complex semantic than read or write; procedures can only be applied to objects of certain data types; example: funds transfer between bank accounts.

– Data types: each object is of a certain data type and can be accessed only through procedures defined for this data type.


RBAC continued

• RBAC itself does not have a generally accepted meaning, and it is used in different ways by different vendors and users.

• Controlling access to an object by restricting the procedures that may access this object is a general programming practice. It is a fundamental concept in the theory of abstract data types and object-oriented programming.

• Examples: user profiles in IBM’s OS/400; global groups and local groups in Windows NT.


New Paradigms

• In today’s IT environment (World Wide Web) the source of a request (applet) is not always a useful access control parameter.

• New security attributes are:

– location (network address)

– code identity

– code author (code signing)

– proof carrying code, …

• What will become of principals and authentication?

Who Sets the Policy?

Security policies specify how subjects are given access to objects. There are two options for deciding who is in charge of setting the policy:

• The owner of a resource decrees who is allowed access. Such policies are called discretionary as access control is at the owner’s discretion.

• A system wide policy decrees who is allowed access. Such policies are called mandatory.

Warning: There exist other interpretations of discretionary and mandatory.

Protection Rings

• Every subject and object is assigned a number, depending on its importance.

• Example: QNX/Neutrino microkernel

– 0 … Neutrino microkernel resides/executes/runs in ring 0

– 1 … Neutrino process manager runs in ring 1

– 3 … all other programs run in ring 3

• To make an access control decision, compare the numbers of the subject and the object.

[Figure: concentric rings numbered 0, 1, 2, 3]

Partial orderings

• A partial ordering $\leq$ (‘less or equal’) on a set L is a relation on $L \times L$ that is

– reflexive: for all $a \in L$, $a \leq a$

– transitive: for all $a, b, c \in L$, if $a \leq b$ and $b \leq c$, then $a \leq c$

– antisymmetric: for all $a, b \in L$, if $a \leq b$ and $b \leq a$, then $a = b$

• An example for a partial ordering is the subset relation $\subseteq$ on a power set $\mathcal{P}(C)$.

• When L is a set of security labels that has a partial ordering, access control decisions can be made by comparing the labels of subjects and objects.

Abilities in the VSTa Microkernel

• The VSTa microkernel uses (cap)abilities for access control. A VSTa (cap)ability is a data structure of the form $.i_1.i_2.\ldots.i_n$ where $i_1, \ldots, i_n$ are integers.

• Examples for abilities: .1, .1.2, .1.2.3, .4, .10.0.0.5 .

• Abilities can be ordered through the prefix relation:

– Ability $a_2$ is a prefix of ability $a_1$ if there exists another ability $a_3$ so that $a_1 = a_2 a_3$. In this case, write $a_2 \leq a_1$.

• For example: $.1 \leq .1.2 \leq .1.2.3$ but not $.1 \leq .4$!

• The empty string is the prefix of any ability. In a security policy that grants access if the ability of the subject is a prefix of the ability of the object, a subject without an ability has access to every object.
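The prefix ordering on abilities, as an added example that is not VSTa's own code: abilities are parsed from the slide's dotted notation, the three axioms of a partial ordering from the previous slide are checked by brute force on a finite set, least upper and greatest lower bounds are searched for (which makes visible that .1 and .4 have no common upper bound), and the last point of the slide about the empty ability is checked directly. The set ABILITIES below is constructed from the slide's examples plus the empty ability.

```python
"""Prefix ordering on VSTa-style abilities.

Added example, not VSTa's own code.  Abilities are written as on the slide
('.1.2.3'); the set ABILITIES below is constructed and includes the empty
ability so that the slide's last point can be checked.
"""
from itertools import product
from typing import Callable, Iterable, List, Optional, Tuple

Ability = Tuple[int, ...]


def parse(text: str) -> Ability:
    """'.1.2.3' -> (1, 2, 3); '' -> () is the empty ability."""
    return tuple(int(part) for part in text.split(".") if part)


def show(a: Ability) -> str:
    return "".join(f".{i}" for i in a)


def prefix_leq(a2: Ability, a1: Ability) -> bool:
    """a2 <= a1 iff a1 = a2 a3 for some a3, i.e. a2 is a prefix of a1."""
    return a1[:len(a2)] == a2


def is_partial_order(elems: Iterable[Ability],
                     leq: Callable[[Ability, Ability], bool]) -> bool:
    """Check reflexivity, antisymmetry and transitivity on a finite set."""
    xs = list(elems)
    reflexive = all(leq(a, a) for a in xs)
    antisymmetric = all(a == b for a, b in product(xs, repeat=2)
                        if leq(a, b) and leq(b, a))
    transitive = all(leq(a, c) for a, b, c in product(xs, repeat=3)
                     if leq(a, b) and leq(b, c))
    return reflexive and antisymmetric and transitive


def least_upper_bound(elems: Iterable[Ability], a: Ability,
                      b: Ability) -> Optional[Ability]:
    """The u with a <= u and b <= u that lies below every other such v, if any."""
    ubs = [u for u in elems if prefix_leq(a, u) and prefix_leq(b, u)]
    for u in ubs:
        if all(prefix_leq(u, v) for v in ubs):
            return u
    return None


def greatest_lower_bound(elems: Iterable[Ability], a: Ability,
                         b: Ability) -> Optional[Ability]:
    """The l with l <= a and l <= b that lies above every other such k, if any."""
    lbs = [l for l in elems if prefix_leq(l, a) and prefix_leq(l, b)]
    for l in lbs:
        if all(prefix_leq(k, l) for k in lbs):
            return l
    return None


def may_access(subject_ability: Ability, object_ability: Ability) -> bool:
    """Policy from the slide: access iff the subject's ability is a prefix of the object's."""
    return prefix_leq(subject_ability, object_ability)


# Constructed set: the slide's examples plus the empty ability.
ABILITIES: List[Ability] = [parse(s) for s in
                            ["", ".1", ".1.2", ".1.2.3", ".4", ".10.0.0.5"]]
```

Running the bound searches over ABILITIES shows the shape of this ordering: any two abilities have a greatest lower bound (their longest common prefix, which is the empty ability when they share none), but two abilities that are not prefixes of each other have no upper bound at all.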

Towards Lattices

• In a partial ordering of security labels, not every pair of labels is comparable.

• Assume that a subject may observe an object only if the subject’s label is higher than the object’s label.

– Given two objects with different labels, what is the minimal label a subject must have to be allowed to observe both objects?

– Given two subjects with different labels, what is the maximal label an object can have so that it still can be observed by both subjects?

• Lattices are a mathematical structure where these questions have unique answers.

The Lattice $(L, \leq)$

• A lattice $(L, \leq)$ is a set L with a partial ordering $\leq$ so that for every two elements $a, b \in L$, there exists

– a least upper bound $u \in L$: $a \leq u$, $b \leq u$, and for all $v \in L$: $(a \leq v \wedge b \leq v) \Rightarrow u \leq v$

– a greatest lower bound $l \in L$: $l \leq a$, $l \leq b$, and for all $k \in L$: $(k \leq a \wedge k \leq b) \Rightarrow k \leq l$.

• If $a \leq b$, we say ‘a is dominated by b’ or ‘b dominates a’.

• The label dominated by all other labels is called System Low. The label dominating all other labels is called System High.

• When L is a finite set, the elements System Low and System High exist and are unique.

• Further reading: Denning, Chapter 5; Pfleeger, Chapter 7.

Lattices - Example 1

• The integers with the ordering $\leq$ form a lattice:

– The l.u.b. of integers a,b is the maximum of a and b.

– The g.l.b. of integers a,b is the minimum of a and b.

– There exist no elements System Low or System High.

• The natural numbers with the ordering ‘divides by’ form a lattice:

– The l.u.b. of integers a,b is the least common multiple of a and b.

– The g.l.b. of integers a,b is the greatest common divisor of a and b.

– There exists an element System Low.

Lattices - Example 2

• The lattice $(\mathcal{P}(\{a,b,c\}), \subseteq)$, i.e. the power set of {a,b,c}, with the subset relation as partial ordering

– least upper bound: union of two sets

– greatest lower bound: intersection of two sets

           {a,b,c}
    {a,b}   {a,c}   {b,c}
     {a}     {b}     {c}
             {}

More Lattices

• A lattice for a firewall:

      system high
    outside   inside
      system low

• A ‘flat’ lattice:

         root
    uid1  uid2  uid3
         guest

Not a Lattice

• No upper bound for D and E

• No unique least upper bound for B and C

[Figure: two Hasse diagrams; the left one with nodes A, B, C, D, E, F, the right one with nodes A, B, C, D, E]

Multi level security (MLS)

• MLS: access control based on a partial ordering (or lattice) of security levels (security labels).

• Mandatory access control in the BLP model and in the Orange Book is based on such security labels.

• Traditional: hierarchical security levels (from highest to lowest): top secret, secret, confidential, unclassified.

Compartments

• In multi-level security, the following lattice is often used.

– H is a hierarchical (linear) ordering of security levels.

– C is a set of categories, e.g. project names, company divisions, academic departments, etc.

– A compartment is a set of categories.

– A security label is a pair (h,c), where $h \in H$ is a security level and $c \subseteq C$ is a compartment.

– The partial ordering is defined by $(h_1, c_1) \leq (h_2, c_2)$ if and only if $h_1 \leq h_2$ and $c_1 \subseteq c_2$.

• Such lattices are used to implement need-to-know policies.

Compartments - Example

• Two hierarchical levels: public, private

• Two categories: PERSONNEL, ENGINEERING

• The following relations hold:

– (public, {PERSONNEL}) $\leq$ (private, {PERSONNEL})

– (public, {PERSONNEL}) $\leq$ (public, {PERSONNEL, ENGINEERING})

– (public, {PERSONNEL}) NOT $\leq$ (private, {ENGINEERING})
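The compartment lattice of the last two slides, as an added example that is not part of the original slides: labels are pairs (h, c) ordered componentwise, least upper bound and greatest lower bound are computed as ‘higher level, union of compartments’ and ‘lower level, intersection of compartments’, and a brute-force check confirms that these satisfy the lattice definition given earlier. The two questions from the ‘Towards Lattices’ slide then become one reduce each. The levels and categories are the slide's; the objects used for the need-to-know check are constructed.

```python
"""Lattice of security labels (h, c): a linearly ordered level h and a
compartment c (a set of categories), ordered componentwise as on the slide.

Added example, not from the slides.  The two levels and two categories are
the slide's; the objects in the need-to-know check are constructed.
"""
from functools import reduce
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

LEVELS = ("public", "private")                        # H, lowest first
CATEGORIES = frozenset({"PERSONNEL", "ENGINEERING"})  # C

Label = Tuple[str, FrozenSet[str]]


def label(h: str, *cats: str) -> Label:
    return (h, frozenset(cats))


def rank(h: str) -> int:
    return LEVELS.index(h)


def leq(l1: Label, l2: Label) -> bool:
    """(h1,c1) <= (h2,c2) iff h1 <= h2 and c1 is a subset of c2."""
    (h1, c1), (h2, c2) = l1, l2
    return rank(h1) <= rank(h2) and c1 <= c2


def lub(l1: Label, l2: Label) -> Label:
    """Least upper bound: the higher level, union of the compartments."""
    return (LEVELS[max(rank(l1[0]), rank(l2[0]))], l1[1] | l2[1])


def glb(l1: Label, l2: Label) -> Label:
    """Greatest lower bound: the lower level, intersection of the compartments."""
    return (LEVELS[min(rank(l1[0]), rank(l2[0]))], l1[1] & l2[1])


def all_labels() -> List[Label]:
    cats = sorted(CATEGORIES)
    return [(h, frozenset(c)) for h in LEVELS
            for r in range(len(cats) + 1) for c in combinations(cats, r)]


def is_lattice(labels: Iterable[Label]) -> bool:
    """Brute-force check of the l.u.b. and g.l.b. conditions for every pair."""
    xs = list(labels)
    for a in xs:
        for b in xs:
            u, l = lub(a, b), glb(a, b)
            if not (leq(a, u) and leq(b, u) and leq(l, a) and leq(l, b)):
                return False
            if any(leq(a, v) and leq(b, v) and not leq(u, v) for v in xs):
                return False
            if any(leq(k, a) and leq(k, b) and not leq(k, l) for k in xs):
                return False
    return True


def system_low() -> Label:
    return reduce(glb, all_labels())


def system_high() -> Label:
    return reduce(lub, all_labels())


def minimal_clearance(object_labels: Iterable[Label]) -> Label:
    """First 'Towards Lattices' question: least label dominating all objects."""
    return reduce(lub, object_labels)


def maximal_object_label(subject_labels: Iterable[Label]) -> Label:
    """Second question: greatest label that every subject still dominates."""
    return reduce(glb, subject_labels)


def observable(subject: Label, objects: Dict[str, Label]) -> Set[str]:
    """Need-to-know: a subject observes exactly the objects its label dominates."""
    return {name for name, lab in objects.items() if leq(lab, subject)}


# Constructed objects for the need-to-know check.
OBJECTS: Dict[str, Label] = {
    "salary.xls": label("private", "PERSONNEL"),
    "specs.txt": label("public", "ENGINEERING"),
    "memo.txt": label("public"),
}
```

Because the ordering is componentwise, the lattice is the product of the chain of levels with the power-set lattice of categories, which is why the bounds decompose into max/min on the level and union/intersection on the compartment, and why System Low and System High come out as (public, {}) and (private, C).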

State Machine Models

• State machines (automata) are a popular tool for modeling many aspects of computing systems.

• State machines are the basis for some important security models.

• The essential features of a state machine model are the concepts of a state and of state transitions occurring at discrete points in time.

• A state is a representation of the system under investigation at one moment in time. It should capture exactly those aspects of the system relevant to the problem.

• The state transition (next state)-function defines the next state depending on the present state and the input. An output may also be produced.

Exercises

• How are access control lists set up in Windows 2000?

• What are the differences between groups and roles, if there are any differences at all?

• Explain why our partial ordering of abilities does not constitute a lattice. Convert the partial ordering into a lattice by adding to the set of abilities any further elements you need.

• Construct the lattice of security labels for the security levels public, confidential, and strictly confidential, and for the categories ADMIN, LECTURERS, and STUDENTS. Which objects are visible to a subject with security label (confidential,{STUDENTS}) in a need-to-know policy? How many labels can be constructed from n security levels and m categories? For illustration, consider the values n=16 and m=64.

Further reading

• Denning, D.E.: Cryptography and Security, Addison-Wesley, 1982

• Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in Distributed Systems: Theory and Practice, ACM Transactions on Computer Systems, vol. 10, 1992, pages 265-310

• Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-Based Access Control Models, IEEE Computer, vol. 29, February 1996, pages 38-47

• Sandhu, R.S.: Lattice-Based Access Control Models, IEEE Computer, vol. 26, November 1993, pages 9-19

• www.qnx.com/literature/nto_sysarch/nto_sysarch.html

• www.zendo.com/vsta/vsta_intro.html