Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Overview
Introduction to access control and access control structures Partial orders, lattices and their use in access control Administration and aggregation of access control structures New directions
A schematic view
A user requests access (read, write, print, etc.) to a resource in the computer system The reference monitor
establishes the validity of the request and returns a decision either granting or denying access to the user
Access Request Reference Monitor System Decision
Simple analogies
Consider a paper-based office in which certain documents should only be read by certain individuals We could implement security by
storing documents in filing cabinets issuing keys to the relevant individuals for the appropriate cabinets
Simple analogies
The reference monitor is the set of (locked) filing cabinets An access request (an attempt to open a filing cabinet) is granted if the key fits the lock (and denied otherwise)
Simple analogies
Consider now a night club where only certain individuals are allowed into the club We can implement security by
employing a bouncer providing the bouncer with a guest list (that is, a list of people permitted to enter the club)
Simple analogies
The reference monitor is the security guard + the guest list An access request is granted only if
a club-goer can prove their identity (authentication) she is on the guest list
Object
Passive entity or resource in a computer system
Files, directories, printers
Principals
Principal and subject are both used to refer to the active entity in an access operation A principal is generally assumed to be an attribute or property associated with a subject
User ID Public key Process Thread
Access operations
An interaction between an object and a subject A subject may observe (read) an object
Information flows from object to subject
The append (or blind write or write-only) access mode allows users to alter an object without observing its contents
Rarely useful (audit log files being the main exception) Implemented in Multics
Directory access
Read (list directory contents) Write (create or rename files in directory) Execute (search directory)
UNIX ls command
Operations drwxr-xr-x -rw-------rwxr-xr-x -rw-r----Owner Group jason jason jason jason Research research research research Size 512 127092 7632 0 Updated Jul 3 15:51 Aug 28 15:01 Name Research Trash
Objects have an ID (determined by the creator of the object) and a group ID (determined by the group ID of the creator)
12.6 is the object ID of an object created by user 12.6
Assume the ID of the Research directory is 12.6 Any user has the default access given by the first 3 bits (read and execute in this case) Any user with ID 12.x has group access because the user ID and object ID match in the first place The user with ID 12.6 has owner access because the user ID and object ID match in both places
trash
{r,w}
a.out
{r,w,x} {r,x}
allfiles.txt
{r,w} {r}
jason mick
Objects Subjects
trash {r,w}
jason mick
Disadvantages
Abstract formulation of access control Not suitable for direct implementation
The matrix is likely to be extremely sparse and therefore implementation is inefficient Management of the matrix is likely to be extremely difficult if there are 0000s of files and 00s of users (resulting in 000000s of matrix entries)
Objects Subjects
trash {r,w}
jason mick
Disadvantage
How can we check the access rights of a particular subject efficiently (before-the-act per-subject review)?
Capability lists
A capability list corresponds to a row in the access control matrix [jason: (trash, {r,w}), (a.out, {r,w,x}), (allfiles.txt, {r,w})] How would such a reference monitor check the validity of the request (jason, a.out, r)?
Objects Subjects
trash
{r,w}
a.out
{r,w,x} {r,x}
allfiles.txt
{r,w} {r}
jason mick
Capability lists
Capability lists focus on the subjects
Typically implemented in services and application software Database applications often use capability lists to implement fine-grained access to tables and queries Renewed interest in capability-based access control for distributed systems
Disdavantage
How can we check which subjects can access a given object (before-the-act per-object review)?
A capability list is analogous to the set of keys issued to a user (the subject) for unlocking the filing cabinets (the objects)
Administration
Tasks include
Creation of new objects and subjects Deletion of objects and subjects Changing entries in access control matrix (changing entries in ACLs and capability lists)
The administration of access control structures is extremely time-consuming, complicated and error-prone
Aggregation
There are several important theoretical results (Harrison, Ruzzo and Ullman; Lipton and Snyder) that demonstrate that it is extremely difficult to anticipate the consequences of administrative actions Access control structures that aggregate subjects and objects are used to simplify the administrative burden
Aggregation techniques
User groups Roles Procedures Data types
Groups
Access rights are often defined for groups of users
In UNIX three groups are associated with each object
Owner Group (owner) Others
In VSTa complicated hierarchical group structures can be constructed based on the UNIX model (see handout)
Roles
A data type is a set of objects with the same structure (bank accounts, for example) We define access operations (procedures or permissions) on a data type Permissions are assigned to roles Users are assigned to roles Roles are (usually) arranged in a hierarchy
Example
Objects are bank accounts Subjects are bank employees The set of bank accounts forms a data type We define roles
Teller Clerk Administrator
Example
We assign procedure
CA and DA to the Teller role TF to the Clerk role NA and AO to the Administrator role
Admin
We assign all users who are tellers to the Teller role, etc. The Administrator role can run all the procedures
Clerk
Teller
Benefits of RBAC
We only need to assign users and permissions to roles We can use inheritance in the role hierarchy to reduce the number of assignments that are required Simplifies administration
RBAC models
NIST (Ferraiolo et al., 1992-2000) RBAC96 (Sandhu et al., 1996) ARBAC97 (Sandhu et al., 1997-99) OASIS (Hayton et al., 1996-2001) Role Graph model (Nyanchama and Osborn, 1995-2001) Unified RBAC96 NIST model (Ferraiolo, Sandhu et al., 2001)
RBAC implementations
Roles implemented in
Window NT (as global and local groups) IBMs OS/400 Oracle 8 onwards .NET framework
New challenges
How do we do access control if we cant identify subjects? How do we control the access of untrusted code running on our machine?
.NET security
Evidence-based access control
Location Code identity Code author Proof carrying code
Role-based security
Authentication Authorisation (access control)
Java security
Protection domains
The scope of a protection domain is the set of objects accessible by a principal System domains Application domains (sandboxes)
Signed applets
Digitally signed code that can be trusted by the host
Further reading
D.E. Bell and L. LaPadula. Secure computer systems: Mathematical foundations. Technical Report MTR-2547, Volume 1, Mitre Corporation, 1973. J. Saltzer and M. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 36(9):1278-1308, 1975. M.A. Harrison et al. Protection in operating systems. Communications of the ACM. 19(8):461-471, 1976. R.S. Sandhu. Lattice-based access control models. IEEE Computer, 26(11):9-19, 1993. R.S. Sandhu et al. Role-based access control models. IEEE Computer, 29(2):38-47, 1996. J. Moffett and E.C. Lupu. The uses of role hierarchies in access control. Proceedings of Fourth ACM Workshop on Role-Based Access Control, 153-160, 1999. W. Yao et al. A role-based access control model for supporting active security in OASIS. Proceedings of Sixth ACM Symposium on Access Control Models and Technologies, 171-181, 2001. http://www.vsta.org/documentation/papers/capabilities.html http://www.vsta.org/documentation/papers/microkernel.html http://www.microsoft.com/net/technical/security.asp http://java.sun.com/j2se/1.4/docs/guide/security/spec/security-specTOC.fm.html