Access Control - Computer Security | CSE 543, Study notes of Computer Science

Material Type: Notes; Class: Computer Security; Subject: Computer Science and Engineering; University: Penn State - Main Campus; Term: Fall 2006;

Typology: Study notes

Pre 2010

Uploaded on 09/24/2009

koofers-user-28i
koofers-user-28i 🇺🇸

9 documents

1 / 24

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Page
CSE 543 - Computer Security
Lecture 11 - Access Control
October 10, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18

Partial preview of the text

Download Access Control - Computer Security | CSE 543 and more Study notes Computer Science in PDF only on Docsity!

CSE 543 - Computer Security

Lecture 11 - Access Control

October 10, 2006

URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/

Access Control System

  • Protection Domain
    • What can be accessed by a process
      • Default access: memory
      • Mediated access: E.g., files
  • Access Control Enforcement
    • Mediates Access
      • Reference Monitor
    • Processes a Query
      • Can Subject S perform Operation OP on Object OBJ?
  • What should the answer to the query be?

In class exercise …

  • Find a partner: pick an interviewer and a responder, do 5 minute interview asking them what, with whom, and what they do with personal information they share with third parities. - Example: what do you share with phone telemarketers, departmental secretaries, the university, your advisor, your significant other, … - Don’t be exhaustive about all the information, but definitely identify the broad classes of information you share (sensitive, highly sensitive, etc) .. do the same for the entities you share with. - What are you allowing them to do with this information: e.g., share, alter, record, unknown? - Discuss and formulate a subject, object matrix for each right defined by this process. The interviewer should lead the process, I.e., the responder answers questions only.

Access Policy Goals

  • Rights assignment is the process of describing a security goal
  • Principle of least privilege
    • You should provide the minimal set or rights necessary to perform the needed function
    • Implication 1 : you want to reduce the protection domain to the smallest possible set of objects
    • Implication 2 : you want to assign the minimal set of rights to each subject
    • Caveat : of course, you need to provide enough rights and a large enough protection domain to get the job done.
  • What other kinds of policy goals are there?

Access Control Model

  • What language should I use to express policy?
    • Access Control Model
  • Oodles of these
    • Some specialize in secrecy
      • Bell-LaPadula
    • Some specialize in integrity
      • Clark-Wilson
    • Some focus on jobs
      • RBAC
    • Some specialize in least privilege
      • SELinux Type Enforcement
  • Q: Why are there so many different models?

Groups

  • Groups are collections of identities who are assigned rights as a collective
  • Important in that it allows permissions to be assigned in aggregates of users …
  • This is really about membership
  • Standard DAC
  • Permissions are transient Alice Bob Trent Ivan Group Users^ Permissions
  • A role is a collection of privileges/permissions associated with some function or affiliation
  • NIST studied the way permissions are assigned and used in the real world, and this is it …
  • Important: the permissions are static, the user-role membership is transient
  • This is not standard DAC Role Read Delete Modify Write Role Users^ Permissions

RBAC

  • Role based access control is a class of access control not direct MAC and DAC, but may one or either of these. - A lot of literature deals with RBAC models - Most formulations are of the type - U : users -- these are the subjects in the system - R : roles -- these are the different roles users may assume - P : permissions --- these are the rights which can be assumed - There is a many-to-many relation between: - Users and roles - Roles and permissions - Relations define the role-based access control policy

Multilevel Security

  • A multi-level security system tags all object and subject with security tags classifying them in terms of sensitivity/access level. - We formulate an access control policy based on these levels - We can also add other dimensions, called categories which horizontally partition the rights space (in a way similar to that as was done by roles) security levels categories

Lattice Model

  • Used by the US military (and many others), the Lattice model uses MLS to define policy
  • Levels: unclassified < confidential < secret < top secret
  • Categories (actually unbounded set) NUC(lear), INTEL(igence), CRYPTO(graphy)
  • Note that these levels are used for physical documents in the US government as well.

Evaluating Policy Access is allowed if subject clearance level >= object sensitivity level and object categories ⊇ subject categories ( read down ) Q: What would write-up be? Hence, Bob: CONF., {INTEL}) Charlie: TS, {CRYPTO, NUC, INTEL}) Alice: (SEC., {CRYTPO, NUC}) DocA: (CONFIDENTIAL, {INTEL}) DocB: (SECRET, {CRYPTO}) DocC: (UNCLASSIFIED , {NUC})

How about integrity?

  • Biba defined a dual of secrecy for integrity
    • Lattice policy with
      • No read down
      • No write up
    • Q: Why would this work?
  • The lattice model for secrecy matched the paper world, does this integrity model? - Consider an Oracle
  • What is a realistic view of integrity?

Clark-Wilson Integrity Model

  • Associate Code with Objects
    • For each TP a list of CDIs that it can access
  • Associate Users with TPs and Objects
    • For each user, she can access some CDIs using some TPs
  • What are the subjects and objects? What happened to operations?
  • Result
    • The rights of a user are “constrained” by the rights of the TP
    • Further, we are restricted by “separation of duty”
      • more later

Clark-Wilson Issues

  • Correct Function
    • Certify IVPs, TPs to be ‘valid’ (i.e., correct) (C1,C2)
    • Such certification is impossible in general (Halting Problem)
  • Is there a general way of defining correctness?
  • Handle Low Integrity Data
    • A TP must upgrade or discard any UDI (low integrity data) it receives (C5)
  • What modern problems are instances of this?