System Security Access Control Fundamentals

[Slide 1]
System Security
Access Control Fundamentals
Giovanni Russello
http://www.cs.auckland.ac.nz/compsci725s2c/
[Slide 2]
Access Control
"The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner"
- A central element of computer security
- Assumes that users have authenticated to the system and have been assigned access rights to certain resources on the system
[Slide 3]
Access Control Requirements
- Reliable input (the decision is only as good as the authenticated identity and attributes it is based on)
- Least privilege
- Separation of duty
- Fine- and coarse-grained specifications
- Open and closed policies
- Policy combinations and conflict resolution
- Administrative policies
[Slide 4]
Access Control Elements
- Subject: an entity that can access objects, e.g. a process acting on behalf of a user or application
- Object: an access-controlled resource, e.g. files, directories, records, programs, etc.
- Access right: the way in which a subject accesses an object, e.g. read, write, execute, delete, create, search
[Slide 5]
Access Control Features
Diagram: a User is first checked by the Authentication Mechanism and then by the Authorisation Mechanism, which consults the stored Authorisations before granting access to Resources; the Security Administrator maintains the Authorisations and the Auditor reviews the access decisions.
[Slide 6]
Access Control Models
- Discretionary AC (DAC)
- Mandatory AC (MAC)
- Role-based AC (RBAC)
- Usage Control (UCON)
- Policy-based Access Control
[Slide 7]
Discretionary Access Control
- Subjects are able to assign access rights on the objects they control to other subjects
- The model used in operating systems and DB management systems
- Often implemented using an access matrix
[Slide 8]
Access Control Matrix
(rows are subjects, columns are objects; each cell holds the rights the subject has on the object)

        | File1          | File2          | File3          | File4
User A  | Own Read Write |                | Own Read Write |
User B  | Read           | Own Read Write | Write          | Read
User C  | Read Write     | Read           |                | Own Read Write
[Slide 9]
Access Control List
The matrix stored by column: each object carries the list of subjects and the rights they hold on it.
File1: User A (Own Read Write), User B (Read), User C (Read Write)
File2: User B (Own Read Write), User C (Read)
File3: User A (Own Read Write), User B (Write)
File4: User B (Read), User C (Own Read Write)
[Slide 10]
Capability List
Capability Myths Demolished: http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf
The matrix stored by row: each subject carries the list of objects it may access and its rights on them.
User A: File1 (Own Read Write), File3 (Own Read Write)
User B: File1 (Read), File2 (Own Read Write), File3 (Write), File4 (Read)
User C: File1 (Read Write), File2 (Read), File4 (Own Read Write)
[Slide 11]
Access Matrix Details
Diagram: subjects S1 and S2 issue access requests; each object type has its own controller (File System for Files, Process Manager for Processes, Memory for Pages) that consults the Access Matrix (entries such as read and write) before acting. Example requests shown: (S1, read, F2); (S2, write, P2); (S1, grant, S2, read, F2). Grant requests go to the Access Matrix Manager, which updates the matrix; under DAC a subject may issue them only for objects it controls.
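The matrix, ACL and capability slides above are three views of one structure, and the (S1, grant, S2, read, F2) request is the DAC operation that changes it. The following is an added example, not code from the slides: it stores the slide's matrix sparsely, derives the ACL (column) and capability (row) views from it, and honours a grant only when the granter holds Own on the object. The `handle_request` dispatcher and the owner-only grant/revoke rule are my encoding of the slides' description; the request tuple shape mirrors the one on the diagram.

```python
from collections import defaultdict


class AccessMatrix:
    """Sparse access matrix: matrix[subject][object] -> set of rights."""

    def __init__(self):
        self._m = defaultdict(lambda: defaultdict(set))

    def add(self, subject, obj, *rights):
        self._m[subject][obj].update(rights)

    def check(self, subject, obj, right):
        """Reference-monitor decision: does `subject` hold `right` on `obj`?"""
        return right in self._m.get(subject, {}).get(obj, set())

    def acl(self, obj):
        """Column view (what an ACL stores): {subject: rights} for one object."""
        return {s: set(objs[obj]) for s, objs in self._m.items() if objs.get(obj)}

    def capabilities(self, subject):
        """Row view (what a capability list stores): {object: rights} for one subject."""
        return {o: set(r) for o, r in self._m.get(subject, {}).items() if r}

    def grant(self, granter, grantee, obj, right):
        """DAC grant: only a subject holding Own on `obj` may give rights on it."""
        if not self.check(granter, obj, "Own"):
            raise PermissionError(f"{granter} does not own {obj}; grant refused")
        self.add(grantee, obj, right)

    def revoke(self, revoker, target, obj, right):
        """Owner-only revocation, the inverse of grant."""
        if not self.check(revoker, obj, "Own"):
            raise PermissionError(f"{revoker} does not own {obj}; revoke refused")
        self._m[target][obj].discard(right)


def build_slide_matrix():
    """The matrix shown on the Access Control Matrix slide."""
    m = AccessMatrix()
    m.add("User A", "File1", "Own", "Read", "Write")
    m.add("User A", "File3", "Own", "Read", "Write")
    m.add("User B", "File1", "Read")
    m.add("User B", "File2", "Own", "Read", "Write")
    m.add("User B", "File3", "Write")
    m.add("User B", "File4", "Read")
    m.add("User C", "File1", "Read", "Write")
    m.add("User C", "File2", "Read")
    m.add("User C", "File4", "Own", "Read", "Write")
    return m


def handle_request(m, request):
    """Dispatch a request tuple shaped like those on the Access Matrix Details slide.

    (subject, right, obj)              -> access decision
    (subject, 'grant', s2, right, obj) -> matrix update, owner-checked
    Returns True if the request was honoured, False if it was denied.
    """
    try:
        if request[1] == "grant":
            subject, _, grantee, right, obj = request
            m.grant(subject, grantee, obj, right)
            return True
        subject, right, obj = request
        return m.check(subject, obj, right)
    except PermissionError:
        return False


if __name__ == "__main__":
    m = build_slide_matrix()
    print(handle_request(m, ("User B", "Read", "File1")))                      # True
    print(handle_request(m, ("User B", "Write", "File1")))                     # False
    print(handle_request(m, ("User B", "grant", "User A", "Write", "File2")))  # True: B owns File2
    print(handle_request(m, ("User A", "grant", "User C", "Read", "File4")))   # False: A does not own File4
    print(m.acl("File1"))
    print(m.capabilities("User B"))
```

The two views are derived from the same data on demand; a real system picks one as the stored form, which is exactly the trade-off the ACL and capability slides set up (ACLs make per-object review and revocation easy, capabilities make per-subject review easy and travel with the subject).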
[Slide 12]
Mandatory AC
- Entities cannot enable other entities to access their resources (the system policy, not the owner, decides)
- It enforces a lattice between labels assigned to subjects and objects:
  - security labels: how sensitive or critical a system resource is
  - security clearances: which entities are eligible to access certain resources
[Slide 13]
MAC: The Bell-LaPadula Model ('76)
User labels (clearances), highest first: Colonel, Major, Sergeant, Private
Data labels (classifications), highest first: Top Secret, Secret, Confidential, Unclassified
The main goal is to control the confidentiality of information
[Slide 14]
MAC Confidentiality Rules
Simple Security Property: No Read-Up
A subject may read an object only if the subject's clearance dominates (is at least as high as) the object's label. The diagram shows the permitted read arrows from Colonel, Major, Sergeant and Private to Top Secret, Secret, Confidential and Unclassified.
[Slide 15]
MAC Confidentiality Rules
*(Star)-property: No Write-Down
A subject may write an object only if the object's label dominates the subject's clearance: writing up is allowed, writing down is not, so a Top Secret subject cannot copy what it has read into an Unclassified object. The diagram shows the permitted write arrows from Colonel, Major, Sergeant and Private to Top Secret, Secret, Confidential and Unclassified.
[Slide 16]
MAC Confidentiality Rules
Strong *(Star)-property: No Write-Down & No Write-Up
A subject may write only to objects at exactly its own level. The diagram shows each of Colonel, Major, Sergeant and Private writing only to the matching one of Top Secret, Secret, Confidential and Unclassified.
[Slide 17]
MAC: Biba Integrity Model ('77)
User labels, highest first: Manager, Project Leader, Engineer, Jr. Engineer
Data labels, highest first: Strategic, Sensitive, Confidential, Public
The main goal is to control the integrity of information
[Slide 18]
MAC Integrity Rules
Simple Integrity Axiom: No Read Down
A subject may read an object only if the object's integrity label dominates the subject's, so a high-integrity subject is not contaminated by low-integrity data. The diagram shows the permitted read arrows from Manager, Project Leader, Engineer and Jr. Engineer to Strategic, Sensitive, Confidential and Public.
[Slide 19]
MAC Integrity Rules
*(Star)-Integrity Axiom: No Write Up
A subject may write an object only if the subject's integrity label dominates the object's, so a low-integrity subject cannot corrupt high-integrity data. The diagram shows the permitted write arrows from Manager, Project Leader, Engineer and Jr. Engineer to Strategic, Sensitive, Confidential and Public.
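The BLP and Biba rules on the preceding slides are mirror images of each other over a lattice of labels, and they are easy to get backwards in an implementation. The following is an added example, not code from the slides: a small reference monitor that encodes both lattices as ranks and answers read/write requests under the simple security, *, strong * and the two Biba axioms. The pairing of the slide's user labels with its data labels (Colonel with Top Secret, Manager with Strategic, and so on) is my reading of the side-by-side figures, and `combined_check` is my illustration of the "combined BLP and Biba" policy the next slide mentions, not a description of any particular system.

```python
# Orderings read off the slides, lowest level first.
BLP_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
BIBA_LEVELS = ["Public", "Confidential", "Sensitive", "Strategic"]

# Assumed mapping of the slides' user labels onto the data labels
# (the figures draw them side by side; this pairing is my reading of them).
BLP_CLEARANCE = {"Private": "Unclassified", "Sergeant": "Confidential",
                 "Major": "Secret", "Colonel": "Top Secret"}
BIBA_CLEARANCE = {"Jr. Engineer": "Public", "Engineer": "Confidential",
                  "Project Leader": "Sensitive", "Manager": "Strategic"}


class Lattice:
    """A totally ordered set of labels; dominates(a, b) means a is at least as high as b."""

    def __init__(self, levels):
        self.rank = {lvl: i for i, lvl in enumerate(levels)}

    def dominates(self, a, b):
        return self.rank[a] >= self.rank[b]


def blp_allows(lat, op, subj_level, obj_level, strong_star=False):
    """Bell-LaPadula (confidentiality)."""
    if op == "read":                                   # simple security property: no read-up
        return lat.dominates(subj_level, obj_level)
    if op == "write":
        if strong_star:                                # strong *-property: write only at own level
            return subj_level == obj_level
        return lat.dominates(obj_level, subj_level)    # *-property: no write-down
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(lat, op, subj_level, obj_level):
    """Biba (integrity): the mirror image of BLP."""
    if op == "read":                                   # simple integrity axiom: no read-down
        return lat.dominates(obj_level, subj_level)
    if op == "write":                                  # *-integrity axiom: no write-up
        return lat.dominates(subj_level, obj_level)
    raise ValueError(f"unknown operation {op!r}")


BLP = Lattice(BLP_LEVELS)
BIBA = Lattice(BIBA_LEVELS)


def blp_check(user, op, data_label, strong_star=False):
    """Decide a request by a user from the BLP slide against a data label."""
    return blp_allows(BLP, op, BLP_CLEARANCE[user], data_label, strong_star)


def biba_check(user, op, data_label):
    """Decide a request by a user from the Biba slide against a data label."""
    return biba_allows(BIBA, op, BIBA_CLEARANCE[user], data_label)


def combined_check(op, conf_subj, conf_obj, int_subj, int_obj):
    """Subject and object carry a label on each lattice; both policies must allow the access."""
    return (blp_allows(BLP, op, conf_subj, conf_obj)
            and biba_allows(BIBA, op, int_subj, int_obj))


if __name__ == "__main__":
    for user in BLP_CLEARANCE:
        row = [f"{op[0]}{'+' if blp_check(user, op, lbl) else '-'}"
               for lbl in BLP_LEVELS for op in ("read", "write")]
        print(f"{user:>9}: " + " ".join(row))   # r/w decision per data label, lowest first
```

Note what the *-property buys and costs: a Private may blindly write into a Top Secret object (no leak is possible), which is why real systems usually add integrity controls or the strong *-property on top, and why a Biba lattice is often deployed alongside BLP.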
[Slide 20]
Where is MAC used
- BLP: implemented the multi-level security policy for the US Department of Defense
- Biba: implemented in the FreeBSD MAC framework (the mac_biba policy module)
- A combined version of BLP and Biba is used in Android!
[Slide 21]
Role Based Access Control
- Enterprises organise employees in different roles
- RBAC maps roles to access rights: access rights are assigned to roles, not directly to users
- After subjects are authenticated they are assigned to (activate) roles
[Slide 22]
A simple example
Lecturer -> Course Material: Read/Write
Student -> Course Material: Read
[Slide 23]
User to Role
Table (user-to-role assignment): rows Giovanni, Ulrich, Clark; columns Lecturer, S(enior) Lecturer, Ass(ociate) Prof, Prof; an X marks the role(s) each user holds.
[Slide 24]
Role to Access Rights
(same layout as the access matrix, with roles in place of users)

           | File1          | File2          | File3          | File4
Lecturer   | Own Read Write |                | Own Read Write |
S Lecturer | Read           | Own Read Write | Write          | Read
Professor  | Read Write     | Read           |                | Own Read Write
[Slide 25]
Extensions to the Model
- A user can be in more than one role: Gill Dobbie is both Prof. and HoD
- Roles can be organised in hierarchies: Prof > Ass Prof > Sen Lect > Lect; top roles inherit the access rights of lower roles
- Constraints to enforce enterprise-specific requirements
[Slide 26]
RBAC Constraints
- Separation of Duties (SoD): protecting the organisation from fraud
- Chinese Wall (CW): conflict of interest between different domains
[Slide 27]
SoD Details
- SoD is used when an activity involves more than one role: a purchase order needs to be prepared by a clerk and then authorised by a manager
- To avoid fraud, the user that prepares the order should not be the same one that authorises it
[Slide 28]
Static SoD
- In Static SoD, the same subject cannot be a member of two mutually exclusive roles: clerk and manager are mutually exclusive
- Too restrictive: the user could safely be assigned to both roles as long as she is not working on the same order in both!
[Slide 29]
Dynamic SoD
- In Dynamic SoD, the same subject can be a member of two mutually exclusive roles
- However, it requires extra checks that need to be done at runtime to avoid undesired behaviour
- Variants: Simple DSoD, Object DSoD, Operational DSoD, History DSoD
[Slide 30]
Simple DSoD
- Users cannot be active in mutually exclusive roles at the same time
- For instance, a user can be assigned to both the clerk and manager roles as long as she is not active in both at the same time (in the same session)
[Slide 31]
Object DSoD
- Users can be active in mutually exclusive roles at the same time as long as they do not operate on the same object instance for the entire business process
- For instance, a user can act in either the clerk or the manager role for a given purchase order, but not both
- Say there is another operation, sending the order to the depot: once the user has acted on that order, she cannot execute this action on it either, even though it is not in conflict
[Slide 32]
Operational DSoD
- Users can be active in mutually exclusive roles at the same time but cannot perform all the operations of a business process
- For instance, a user can activate both the clerk and manager roles but cannot execute both the prepare and authorise operations (even on different objects!!)
[Slide 33]
History DSoD
- Users can be active in mutually exclusive roles at the same time as long as they do not end up executing all the operations on the same object instance
- For instance, a user can be active in the clerk role for one purchase order and in the manager role for another order
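The four DSoD variants on the preceding slides differ only in what runtime state the check consults: the session (Simple), the per-object history (Object and History) or the per-user operation history (Operational). The following is an added example, not code from the slides: a small RBAC engine with a role hierarchy, the static SoD check at assignment time, and each dynamic variant selectable by a `dsod` mode, run over the slides' purchase-order process (prepare by a clerk, authorise by a manager, send to the depot). The role, operation and user names, the `head` role that inherits from `manager`, and the encoding of "conflicting roles" and "critical operations" are my own constructions.

```python
from collections import defaultdict

# Roles that must not be combined (the slides' clerk/manager pair).
CONFLICTING_ROLES = {frozenset({"clerk", "manager"})}
# Steps of the purchase-order process and the role that may perform each (constructed).
PROCESS_STEPS = {"prepare": "clerk", "send": "clerk", "authorise": "manager"}
# The pair of steps that one person must never perform together.
CRITICAL_OPS = {"prepare", "authorise"}


class RBAC:
    def __init__(self, dsod="simple"):
        self.dsod = dsod                     # "simple" | "object" | "operational" | "history"
        self.perms = defaultdict(set)        # role -> {operation}
        self.juniors = defaultdict(set)      # senior role -> roles it inherits from
        self.assigned = defaultdict(set)     # user -> {role}
        self.active = defaultdict(set)       # user -> roles activated in the current session
        self.history = []                    # (user, role, op, obj) of executed steps

    def add_permission(self, role, op):
        self.perms[role].add(op)

    def add_inheritance(self, senior, junior):
        self.juniors[senior].add(junior)

    def effective_perms(self, role):
        """Own permissions plus everything inherited down the role hierarchy."""
        out, seen, stack = set(), set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            out |= self.perms[r]
            stack.extend(self.juniors[r])
        return out

    @staticmethod
    def _conflicts(role, roles):
        return any(frozenset({role, r}) in CONFLICTING_ROLES for r in roles)

    def assign(self, user, role, static_sod=False):
        """Static SoD: membership of two mutually exclusive roles is refused outright."""
        if static_sod and self._conflicts(role, self.assigned[user]):
            raise PermissionError(f"static SoD: {user} already holds a role conflicting with {role}")
        self.assigned[user].add(role)

    def activate(self, user, role):
        """Simple DSoD: conflicting roles may be held, but not active in the same session."""
        if role not in self.assigned[user]:
            raise PermissionError(f"{user} is not assigned to {role}")
        if self.dsod == "simple" and self._conflicts(role, self.active[user]):
            raise PermissionError(f"simple DSoD: {user} cannot activate {role} now")
        self.active[user].add(role)

    def execute(self, user, op, obj):
        """Run one process step on an object instance; returns the role used."""
        role = next((r for r in self.active[user] if op in self.effective_perms(r)), None)
        if role is None:
            raise PermissionError(f"{user} has no active role permitting {op}")
        mine = [h for h in self.history if h[0] == user]
        other_critical = CRITICAL_OPS - {op}
        if self.dsod == "object" and any(h[3] == obj for h in mine):
            # Object DSoD: one user gets one step per object instance, conflicting or not.
            raise PermissionError(f"object DSoD: {user} already acted on {obj}")
        if self.dsod == "operational" and op in CRITICAL_OPS and any(h[2] in other_critical for h in mine):
            # Operational DSoD: never both critical steps, even on different objects.
            raise PermissionError(f"operational DSoD: {user} already did the other critical step")
        if self.dsod == "history" and op in CRITICAL_OPS and any(
                h[3] == obj and h[2] in other_critical for h in mine):
            # History DSoD: both critical steps are forbidden only on the same object.
            raise PermissionError(f"history DSoD: {user} already did the other critical step on {obj}")
        self.history.append((user, role, op, obj))
        return role


def purchase_order_system(dsod, static_sod=False):
    """Constructed setup: alice holds both conflicting roles; head inherits manager."""
    s = RBAC(dsod)
    for op, role in PROCESS_STEPS.items():
        s.add_permission(role, op)
    s.add_inheritance("head", "manager")
    s.assign("alice", "clerk", static_sod)
    s.assign("alice", "manager", static_sod)   # refused when static_sod=True
    return s


def denied(action, *args):
    """True if the action is refused by a constraint, False if it goes through."""
    try:
        action(*args)
        return False
    except PermissionError:
        return True
```

Usage: `purchase_order_system("history")`, activate both roles for alice, then `execute("alice", "prepare", "PO-1")` succeeds and `execute("alice", "authorise", "PO-1")` is refused while `execute("alice", "authorise", "PO-2")` is allowed, which is exactly the History DSoD slide. Note that every dynamic variant needs the execution history to be tamper-proof and shared across sessions; a check that only looks at the current process is the common way these controls are bypassed in practice.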
[Slide 34]
Chinese Wall
- It applies to accesses in multiple domains with a conflict of interest
- For instance, a consulting company offering services to both Microsoft and Apple: CW makes sure that an employee of the company will not get access to documents of both companies
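Unlike the SoD constraints, the Chinese Wall is decided by what a user has already read, so the wall only goes up after the first access. The following is an added example, not code from the slides: a Brewer-Nash style monitor with conflict-of-interest classes, the read rule the slide describes and the write rule that stops a user carrying one company's data into another company's dataset. Microsoft and Apple are the slide's example; the bank, the class names and the document names are constructed, and sanitised data is not modelled.

```python
from collections import defaultdict

# Conflict-of-interest classes: companies in the same class compete (constructed).
COI_CLASS = {"Microsoft": "os-vendors", "Apple": "os-vendors", "BigBank": "banks"}


class ChineseWall:
    """Chinese Wall: each user's access history decides what they may still see."""

    def __init__(self):
        self.read_sets = defaultdict(set)   # user -> companies whose data the user has read

    def can_read(self, user, company):
        """Simple security rule: allowed unless the user has read a competitor of `company`."""
        cls = COI_CLASS[company]
        return not any(seen != company and COI_CLASS[seen] == cls
                       for seen in self.read_sets[user])

    def read(self, user, company, doc):
        """Mediated read; the first read of a company raises the wall around its competitors."""
        if not self.can_read(user, company):
            raise PermissionError(f"{user} is walled off from {company} ({doc})")
        self.read_sets[user].add(company)
        return f"{company}/{doc}"

    def can_write(self, user, company):
        """*-property: a write into `company` data is allowed only if every dataset the
        user has read belongs to `company` itself; otherwise the user could copy a
        competitor's (or any other client's) data across the wall for someone else to read."""
        return self.can_read(user, company) and self.read_sets[user] <= {company}


if __name__ == "__main__":
    cw = ChineseWall()
    print(cw.read("consultant", "Microsoft", "roadmap.doc"))   # allowed: no history yet
    print(cw.can_read("consultant", "Apple"))                  # False: competitor of Microsoft
    print(cw.can_read("consultant", "BigBank"))                # True: different class
    print(cw.can_write("consultant", "Microsoft"))             # True: only Microsoft data read so far
```

The write rule is the part most implementations forget: without it, two consultants who each stay on their own side of the wall can still move data across it through a shared document.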
[Slide 35]
NIST RBAC Model
[Slide 36]
Resources
- Chapter 8 in Mark Stamp, Information Security: Principles and Practice, Wiley 2011.
- Matt Bishop, Computer Security: Art and Science, Addison-Wesley 2003.