Download Access Control - Computer Security | CSE 543 and more Study notes Computer Science in PDF only on Docsity!
CSE 543 - Computer Security
Lecture 11 - Access Control
October 10, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/
Access Control System
- Protection Domain
- What can be accessed by a process
- Default access: memory
- Mediated access: E.g., files
- Access Control Enforcement
- Mediates Access
- Processes a Query
- Can Subject S perform Operation OP on Object OBJ?
- What should the answer to the query be?
In class exercise …
- Find a partner: pick an interviewer and a responder, do 5 minute interview asking them what, with whom, and what they do with personal information they share with third parities. - Example: what do you share with phone telemarketers, departmental secretaries, the university, your advisor, your significant other, … - Don’t be exhaustive about all the information, but definitely identify the broad classes of information you share (sensitive, highly sensitive, etc) .. do the same for the entities you share with. - What are you allowing them to do with this information: e.g., share, alter, record, unknown? - Discuss and formulate a subject, object matrix for each right defined by this process. The interviewer should lead the process, I.e., the responder answers questions only.
Access Policy Goals
- Rights assignment is the process of describing a security goal
- “ Principle of least privilege ”
- You should provide the minimal set or rights necessary to perform the needed function
- Implication 1 : you want to reduce the protection domain to the smallest possible set of objects
- Implication 2 : you want to assign the minimal set of rights to each subject
- Caveat : of course, you need to provide enough rights and a large enough protection domain to get the job done.
- What other kinds of policy goals are there?
Access Control Model
- What language should I use to express policy?
- Oodles of these
- Some specialize in secrecy
- Some specialize in integrity
- Some focus on jobs
- Some specialize in least privilege
- Q: Why are there so many different models?
Groups
- Groups are collections of identities who are assigned rights as a collective
- Important in that it allows permissions to be assigned in aggregates of users …
- This is really about membership
- Standard DAC
- Permissions are transient Alice Bob Trent Ivan Group Users^ Permissions
- A role is a collection of privileges/permissions associated with some function or affiliation
- NIST studied the way permissions are assigned and used in the real world, and this is it …
- Important: the permissions are static, the user-role membership is transient
- This is not standard DAC Role Read Delete Modify Write Role Users^ Permissions
RBAC
- Role based access control is a class of access control not direct MAC and DAC, but may one or either of these. - A lot of literature deals with RBAC models - Most formulations are of the type - U : users -- these are the subjects in the system - R : roles -- these are the different roles users may assume - P : permissions --- these are the rights which can be assumed - There is a many-to-many relation between: - Users and roles - Roles and permissions - Relations define the role-based access control policy
Multilevel Security
- A multi-level security system tags all object and subject with security tags classifying them in terms of sensitivity/access level. - We formulate an access control policy based on these levels - We can also add other dimensions, called categories which horizontally partition the rights space (in a way similar to that as was done by roles) security levels categories
Lattice Model
- Used by the US military (and many others), the Lattice model uses MLS to define policy
- Levels: unclassified < confidential < secret < top secret
- Categories (actually unbounded set) NUC(lear), INTEL(igence), CRYPTO(graphy)
- Note that these levels are used for physical documents in the US government as well.
Evaluating Policy Access is allowed if subject clearance level >= object sensitivity level and object categories ⊇ subject categories ( read down ) Q: What would write-up be? Hence, Bob: CONF., {INTEL}) Charlie: TS, {CRYPTO, NUC, INTEL}) Alice: (SEC., {CRYTPO, NUC}) DocA: (CONFIDENTIAL, {INTEL}) DocB: (SECRET, {CRYPTO}) DocC: (UNCLASSIFIED , {NUC})
How about integrity?
- Biba defined a dual of secrecy for integrity
- Lattice policy with
- Q: Why would this work?
- The lattice model for secrecy matched the paper world, does this integrity model? - Consider an Oracle
- What is a realistic view of integrity?
Clark-Wilson Integrity Model
- Associate Code with Objects
- For each TP a list of CDIs that it can access
- Associate Users with TPs and Objects
- For each user, she can access some CDIs using some TPs
- What are the subjects and objects? What happened to operations?
- Result
- The rights of a user are “constrained” by the rights of the TP
- Further, we are restricted by “separation of duty”
Clark-Wilson Issues
- Correct Function
- Certify IVPs, TPs to be ‘valid’ (i.e., correct) (C1,C2)
- Such certification is impossible in general (Halting Problem)
- Is there a general way of defining correctness?
- Handle Low Integrity Data
- A TP must upgrade or discard any UDI (low integrity data) it receives (C5)
- What modern problems are instances of this?