04 Access Control

The document discusses access control in cybersecurity, focusing on its goals, definitions, and various models such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC). It explains the importance of regulating access to information and resources to maintain confidentiality and integrity, detailing concepts like access control lists and matrices. Additionally, it covers the organization of access control functions and the implications of role hierarchies within RBAC.


Cybersecurity

Bachelor’s degree in ACSAI 2024-25

Access control

Angelo Spognardi
[email protected]
Dipartimento di Informatica
Sapienza Università di Roma
Topic: Access Control


Goal: Protect confidentiality and integrity of information

Control what a subject can do to prevent damage to the system

Regulate the operations that can be executed by a subject on data and
resources

Typically provided as part of operating systems and of database
management systems

2 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity


Access control: definitions


NISTIR 7298: “the process of granting or denying specific requests to:
– (1) obtain and use information and related information processing services;
and
– (2) enter specific physical facilities”

RFC 4949: “a process by which use of system resources is regulated
according to a security policy and is permitted only by authorized
entities (users, programs, processes, or other systems) according to that
policy”



Access control concepts



Access control models


Discretionary access control (DAC)
– Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do

Mandatory access control (MAC)
– Controls access based on comparing security labels with security clearances

Role-based access control (RBAC)
– Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles

Attribute-based access control (ABAC)
– Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions


Subjects, objects and access rights

Subject: an entity capable of accessing objects
– Three classes: Owner, Group, World

Object: a resource to which access is controlled
– Entity used to contain and/or receive information

Access right: describes the way in which a subject may access an object
– Could include: Read, Write, Execute, Delete, Create, Search


Discretionary Access Control (DAC)


Scheme in which an entity may be granted access rights that permit the
entity, by its own volition, to enable another entity to access some
resource

Often provided using an access matrix



Example Access Control Matrix


One dimension: identified subjects asking data access to the resources

Other dimension: the objects that may be accessed

Each entry in the matrix indicates the access rights of a particular subject for a
particular object

An empty cell means that no access rights are granted.



Access Control Lists

It defines, for each object (o) a list (L) called o’s access control list,
which enumerates all the subjects that have access rights for o and, for
each such subject, s, gives the access rights that s has for object o.

/etc/passwd:  root: r,w    mike: r      roberto: r     backup: r
/usr/bin/:    root: r,w,x  mike: r,x    roberto: r,x   backup: r,x
/u/roberto/:  root: r,w,x  roberto: r,w,x  backup: r,x
/admin/:      root: r,w,x  backup: r,x


Capabilities

Takes a subject-centered approach to access control.

It defines, for each subject s, the list of the objects for which s has nonempty access control rights, together with the specific rights for each such object.

root:     /etc/passwd: r,w,x; /usr/bin: r,w,x; /u/roberto: r,w,x; /admin/: r,w,x
mike:     /usr/passwd: r; /usr/bin: r,x
roberto:  /usr/passwd: r; /usr/bin: r; /u/roberto: r,w,x
backup:   /etc/passwd: r,x; /usr/bin: r,x; /u/roberto: r,x; /admin/: r,x
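The ACL and capability slides are two views of the same access matrix: an ACL is a column, a capability list is a row. The following added example (not code from the slides) builds the matrix from the ACL slide's values and derives both views from it, with an access check and a revocation routine that shows why the two storage choices behave differently. The matrix contents are a constructed sample that follows the ACL slide.

```python
# Added example (not from the slides): one access matrix and the two views
# derived from it. Subjects, objects and rights follow the ACL slide; the
# matrix itself is a constructed sample.
from typing import Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]  # subject -> object -> rights

ACCESS_MATRIX: Matrix = {
    "root":    {"/etc/passwd": {"r", "w"}, "/usr/bin/": {"r", "w", "x"},
                "/u/roberto/": {"r", "w", "x"}, "/admin/": {"r", "w", "x"}},
    "mike":    {"/etc/passwd": {"r"}, "/usr/bin/": {"r", "x"}},
    "roberto": {"/etc/passwd": {"r"}, "/usr/bin/": {"r", "x"},
                "/u/roberto/": {"r", "w", "x"}},
    "backup":  {"/etc/passwd": {"r"}, "/usr/bin/": {"r", "x"},
                "/u/roberto/": {"r", "x"}, "/admin/": {"r", "x"}},
}


def acl_of(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """Column view (object-centred): every subject with a non-empty cell for obj."""
    return {s: set(row[obj]) for s, row in matrix.items() if row.get(obj)}


def capabilities_of(matrix: Matrix, subj: str) -> Dict[str, Set[str]]:
    """Row view (subject-centred): every object the subject may touch, with its rights."""
    return {o: set(r) for o, r in matrix.get(subj, {}).items() if r}


def check_access(matrix: Matrix, subj: str, obj: str, right: str) -> bool:
    """Reference-monitor decision: an empty (or missing) cell means deny."""
    return right in matrix.get(subj, {}).get(obj, set())


def revoke_all(matrix: Matrix, obj: str) -> int:
    """Revoke every right on obj; returns the number of subjects affected.
    Stored as ACLs this is one walk over obj's list; stored as capability
    lists every subject's list must be searched, which is why revocation
    is the classic weak point of capability systems."""
    touched = 0
    for row in matrix.values():
        if row.pop(obj, None):
            touched += 1
    return touched
```

Note that the capability slide lists `/usr/passwd` for mike and roberto and `r,w,x` on `/etc/passwd` for root; the example follows the ACL slide's values instead, so both views are derived from one consistent matrix.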


Extended access control matrix

Considers the ability of one subject to transfer rights, create another subject and to
have ‘owner’ access right to that subject



Extended access control matrix rules

Considers the ability of one subject to transfer rights, create another subject and to have ‘owner’ access right to that subject.

It can also define a hierarchy of subjects.


Organization of the Access Control Function


Every access by a subject to an object is mediated by the controller for that object

The controller’s decision is based on the current contents of the matrix

Certain subjects have the authority to make specific changes to the access matrix.


Example: Unix subjects, objects, rights


Subjects: users, groups, others

Objects: files, directories

Access rights: read, write, execute
– For files

read: reading from a file

write: writing to a file

execute: executing a (program) file
– For directories

read: list the files within the directory

write: create, rename, or delete files within the directory

execute: enter the directory



UNIX File Access Control


Unique user identification number (user ID)

Member of a primary group identified by a group ID

Belongs to a specific group

12 protection bits
– Specify read, write, and execute permission for the owner of the file, members
of the group and all other users

The owner ID, group ID, and protection bits are part of the file’s inode



Traditional UNIX File Access Control
(minimal ACL)

“Set user ID” (SetUID) and “Set group ID” (SetGID)
– System temporarily uses rights of the file owner/group in addition to the real
user’s rights when making access control decisions
– Enables privileged programs to access files/resources not generally accessible

Sticky bit
– When applied to a directory it specifies that only the owner of any file in the
directory can rename, move, or delete that file

Superuser
– Is exempt from usual access control restrictions
– Has system-wide access

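The three slides above describe the traditional UNIX decision: pick the one class (owner, group, other) that applies to the process, then check that class's bits, with SetUID/SetGID and the sticky bit layered on top. The following is an added example, not code from the slides, that models those rules in Python. `Inode`, `Process`, and the function names are this example's own; the bit values are the standard ones. It also encodes the real-system detail that the directory owner and root may remove entries from a sticky directory, and that the kernel consults only the selected class, so a more permissive "other" entry never rescues an owner whose own bits deny.

```python
# Added example (not from the slides): a model of the traditional UNIX
# permission check over the 12 protection bits (rwx for owner, group and
# other, plus setuid, setgid and sticky).
from dataclasses import dataclass
from typing import FrozenSet, Tuple

S_ISUID, S_ISGID, S_ISVTX = 0o4000, 0o2000, 0o1000   # the three extra bits
R, W, X = 4, 2, 1                                    # rwx values within one class


@dataclass(frozen=True)
class Inode:
    owner_uid: int
    group_gid: int
    mode: int          # 12 protection bits, e.g. 0o4755 = setuid + rwxr-xr-x


@dataclass(frozen=True)
class Process:
    euid: int
    egid: int
    groups: FrozenSet[int] = frozenset()   # supplementary groups


def select_class(proc: Process, ino: Inode) -> str:
    """Step 1 of the decision: pick the single entry that applies.
    Order is owner, then group, then other; the first match wins."""
    if proc.euid == ino.owner_uid:
        return "owner"
    if proc.egid == ino.group_gid or ino.group_gid in proc.groups:
        return "group"
    return "other"


def permitted(proc: Process, ino: Inode, want: int) -> bool:
    """Step 2: check the selected entry's bits. Only that entry is consulted,
    so an owner with mode 0o077 is denied read even though every other user
    would be allowed. The superuser is exempt (real kernels still require at
    least one x bit before root may execute a regular file)."""
    if proc.euid == 0:
        return True
    shift = {"owner": 6, "group": 3, "other": 0}[select_class(proc, ino)]
    bits = (ino.mode >> shift) & 7
    return bits & want == want


def effective_ids(proc: Process, program: Inode) -> Tuple[int, int]:
    """SetUID/SetGID: running the program lends the file owner's uid and/or
    the file group's gid to the new process for its access decisions."""
    euid = program.owner_uid if program.mode & S_ISUID else proc.euid
    egid = program.group_gid if program.mode & S_ISGID else proc.egid
    return euid, egid


def may_unlink(proc: Process, directory: Inode, target: Inode) -> bool:
    """Deleting an entry needs write and search (x) on the directory, not
    on the file. With the sticky bit set on the directory, only the file
    owner, the directory owner or root may remove it (the /tmp rule)."""
    if not permitted(proc, directory, W | X):
        return False
    if directory.mode & S_ISVTX and proc.euid != 0:
        return proc.euid in (target.owner_uid, directory.owner_uid)
    return True
```

The `select_class`/`permitted` split is the same two-step structure the FreeBSD ACL slide describes (select the most appropriate entry, then check whether it carries sufficient permissions); an extended ACL only adds more named entries to choose from in step 1.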


Access Control Lists (ACLs) in UNIX


Many modern UNIX systems support access control lists
– FreeBSD, OpenBSD, Linux, and Solaris.

FreeBSD
– The setfacl command assigns a list of UNIX user IDs and groups
– Any number of users and groups can be associated with a file
– Read, write, execute protection bits
– A file does not need to have an ACL
– Includes an additional protection bit that indicates whether the file has an extended ACL

When a process requests access to a file system object two steps are performed:
1) Selects the most appropriate ACL
2) Checks if the matching entry contains sufficient permissions



Mandatory Access Control


Inspired by the Bell-La Padula model

Each subject and each object is assigned a security class

In the simplest formulation, security classes form a strict hierarchy and are
referred to as security levels.
– One example is the U.S. military classification scheme:
top secret > secret > confidential > restricted > unclassified

A subject is said to have a security clearance of a given level

An object is said to have a security classification of a given level

The security classes control the manner by which a subject may access an
object



Multilevel security (MLS)


The model defined four access modes:
– read: The subject is allowed only read access to the object
– append: The subject is allowed only write access to the object
– write: The subject is allowed both read and write access to the object
– execute: The subject is allowed neither read nor write access to the object but
may invoke the object for execution

Confidentiality is achieved if a subject at a high level may not convey
information to a subject at a lower level...
– ...unless that flow accurately reflects the will of an authorized user as revealed
by an authorized declassification



Multilevel security confidentiality


No read up: A subject can only read an object of less or equal security
level
– This is referred to in the literature as the simple security property (ss-
property).

No write down: A subject can only write into an object of greater or
equal security level.
– This is referred to in the literature as the *-property (pronounced star
property).

More recent MAC implementations are SELinux and AppArmor for Linux and
Mandatory Integrity Control for Windows
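The two properties above decide each of the four MLS access modes once you know which modes need a read and which need a write. The following added example (not from the slides) applies the ss-property and the *-property over the strict hierarchy of levels named earlier; the `Level` enum and function names are this example's own.

```python
# Added example (not from the slides): Bell-LaPadula decisions over the
# strict hierarchy of security levels named on the slides.
from enum import IntEnum
from typing import Set

MODES = ("read", "append", "write", "execute")


class Level(IntEnum):
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


def decide(mode: str, clearance: Level, classification: Level) -> bool:
    """Apply the ss-property (no read up) and the *-property (no write
    down) to one MLS access mode. 'write' needs both a read and a write,
    so it is only possible at the subject's own level; 'execute' touches
    neither and is unconstrained by the two properties."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    needs_read = mode in ("read", "write")
    needs_write = mode in ("append", "write")
    if needs_read and classification > clearance:
        return False  # read up
    if needs_write and classification < clearance:
        return False  # write down
    return True


def allowed_modes(clearance: Level, classification: Level) -> Set[str]:
    """All modes a subject with `clearance` may use on an object with
    `classification`."""
    return {m for m in MODES if decide(m, clearance, classification)}


def leak_blocked(clearance: Level, src: Level, dst: Level) -> bool:
    """The reason for no-write-down: a subject cleared at `clearance` that
    can read `src` must not be able to write `dst` when dst < src.
    Returns True when BLP blocks at least one step of that two-step flow."""
    return not (decide("read", clearance, src) and decide("append", clearance, dst)
                and dst < src)
```

`leak_blocked` makes the confidentiality claim on the slide concrete: whatever the subject's clearance, it cannot both read a higher object and append to a lower one, so a program running on behalf of a cleared user cannot quietly copy information downward.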


Role-based Access Control


Define roles and then specify access control rights for these roles,
rather than for subjects directly.
[Figure: example role hierarchy of a university department, listed from the most senior role (top) to the most general (bottom)]
– Department Chair
– Administrative Manager, Lab Manager, System Administrator, Undergraduate TA, Graduate TA
– Accountant, Secretary, Lab Technician, Backup Agent, Undergraduate Student, Graduate Student
– Administrative Personnel, Technical Personnel, Faculty, Student
– Department Member
Role Based Access Control (RBAC) goals

Goals

Describe organizational access control policies

Based on job function
– A user’s permissions are determined by her roles rather than by identity or
clearance

Increase flexibility/scalability in policy administration
– Easy to meet new security requirements
– Reduce errors in administration
– Reduce cost of administration



RBAC: Intuition



Role Based Access Control (RBAC)


Roles defined based on job functions
– e.g., bookkeeper

Permissions defined based on job authority and responsibilities within
a role
– e.g., bookkeeper is allowed to read financial records

Users have access to objects based on the assigned role
– e.g., Sally is the bookkeeper



Access Control Matrix Representation of RBAC



Exercise


Given the following User Assignment and Permission Assignment,
define the corresponding access matrix.



Solution


Homework 1:
– What happens if the job function of a user changes?

e.g., Charlie becomes a GP
– What happens if permissions are added/removed from a role?

e.g., Radiologist can also delete image scans



A Family of Role-Based Access Control Models



RBAC1: Role Hierarchy


Some roles subsume others:
– many operations are common to a large number of roles
– a GP can perform all actions that a physician can perform (plus other actions)

This suggests a hierarchy of roles

Reflect an organization’s role structure

Inheritance among roles
– Instead of specifying permissions for each role, one specifies it for a more
generalized role
– Granting access to role R implies that access is granted for all specialized roles
of R



Role Hierarchy


Structuring roles
– Partial order ≤: x ≤ y we say x is specialization of y

Inheritance of permission from generalized role y (top) to specialized role x
(bottom)
– Members of x are also implicitly members of y
– if x ≤ y then role x inherits permissions of role y

Partial order
– Reflexivity (i.e., x ≤ x)
– Transitivity (i.e., x ≤ y and y ≤ z then x ≤ z)
– Antisymmetry (i.e., x ≤ y and y ≤ x then x = y )



Role Hierarchy – Examples



Solved exercise


Let UA = {(u1, r2), (u2, r3), (u3, r4), (u4, r5)} and
PA = {(r1 , p1), (r2, p2), (r3, p3), (r4, p4), (r5, p5)}.

Given the following role hierarchy, determine the permissions that
users have in form of an access matrix.



Solved exercise (2)


Let UA = {(u1, r2), (u2, r3), (u3, r4), (u4, r5)} and
PA = {(r1 , p1), (r2, p2), (r3, p3), (r4, p4), (r5, p5)}.

Given the following role hierarchy, determine the permissions that
users have in form of an access matrix.

p1 p2 p3 p4 p5

u1 x x

u2 x x x

u3 x x x

u4 x x x x x

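The solved exercise is the RBAC1 computation in miniature: a user's effective permissions are those of every role at or above the roles assigned to them in the partial order. The following added example (not from the slides) performs that computation. UA and PA are the exercise's own; the slide's hierarchy figure is not reproduced here, so `RH` is a constructed hierarchy, chosen so that the number of permissions per user matches the row counts in the solved matrix (2, 3, 3, 5). The closure and antisymmetry checks are this example's own.

```python
# Added example (not from the slides): effective permissions under a role
# hierarchy. UA and PA come from the solved exercise; RH is a constructed
# hierarchy (assumption), not the slide's figure.
from typing import Dict, Set, Tuple

Pairs = Set[Tuple[str, str]]

UA: Pairs = {("u1", "r2"), ("u2", "r3"), ("u3", "r4"), ("u4", "r5")}
PA: Pairs = {("r1", "p1"), ("r2", "p2"), ("r3", "p3"), ("r4", "p4"), ("r5", "p5")}
# (x, y) means x <= y: x is a specialization of y and inherits y's permissions.
RH: Pairs = {("r2", "r1"), ("r3", "r2"), ("r4", "r2"), ("r5", "r3"), ("r5", "r4")}


def seniors(role: str, rh: Pairs) -> Set[str]:
    """Reflexive-transitive closure of <= upward from `role`: the role
    itself plus every role it inherits from, directly or indirectly."""
    seen: Set[str] = set()
    todo = [role]
    while todo:
        r = todo.pop()
        if r in seen:
            continue
        seen.add(r)
        todo.extend(y for (x, y) in rh if x == r)
    return seen


def is_partial_order(rh: Pairs) -> bool:
    """Antisymmetry check on the closure (reflexivity and transitivity hold
    by construction of seniors): two distinct roles each senior to the
    other would make inheritance cyclic and every role in the cycle
    equivalent."""
    roles = {r for pair in rh for r in pair}
    return all(not (y in seniors(x, rh) and x in seniors(y, rh))
               for x in roles for y in roles if x != y)


def effective_permissions(user: str, ua: Pairs, pa: Pairs, rh: Pairs) -> Set[str]:
    """Permissions granted directly to the user's roles or inherited from
    generalized roles above them."""
    roles: Set[str] = set()
    for (u, r) in ua:
        if u == user:
            roles |= seniors(r, rh)
    return {p for (r, p) in pa if r in roles}


def access_matrix(ua: Pairs, pa: Pairs, rh: Pairs) -> Dict[str, Set[str]]:
    """One row per user, as in the solved exercise's matrix."""
    return {u: effective_permissions(u, ua, pa, rh) for u in {u for (u, _) in ua}}
```

Running `access_matrix(UA, PA, RH)` gives u1 the permissions of r2 and r1, u2 those of r3, r2 and r1, u3 those of r4, r2 and r1, and u4 all five, matching the row sizes in the slide's solution under the assumed hierarchy.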


RBAC2: constraints


Provide a means of adapting RBAC to the specifics of administrative and
security policies of an organization

A defined relationship among roles or a condition related to roles

Types:

Mutually exclusive roles
– A user can only be assigned to one role in the set (either during a session or statically)
– Any permission (access right) can be granted to only one role in the set

Cardinality
– Setting a maximum number with respect to roles

Prerequisite roles
– Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
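Each of the three constraint types is a check that an administrator's proposed user-role (or role-permission) assignment must pass before it is accepted. The following added example (not from the slides) implements them as such a gate; the `Constraints` class, the purchaser/approver roles and the sample assignments are constructed for this example.

```python
# Added example (not from the slides): enforcing the three RBAC2 constraint
# types at assignment time. Roles, users and permissions are constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

UA = Set[Tuple[str, str]]   # (user, role)
PA = Set[Tuple[str, str]]   # (role, permission)


@dataclass
class Constraints:
    mutually_exclusive: List[FrozenSet[str]] = field(default_factory=list)  # at most one role per set
    cardinality: Dict[str, int] = field(default_factory=dict)              # role -> max members
    prerequisite: Dict[str, str] = field(default_factory=dict)             # role -> role required first


def violations(user: str, role: str, ua: UA, c: Constraints) -> List[str]:
    """Reasons why assigning `role` to `user` would break the policy;
    an empty list means the assignment is allowed."""
    held = {r for (u, r) in ua if u == user}
    out: List[str] = []
    for group in c.mutually_exclusive:
        clash = (held & group) - {role}
        if role in group and clash:
            out.append(f"{role} is mutually exclusive with {sorted(clash)}")
    members = len({u for (u, r) in ua if r == role})
    limit = c.cardinality.get(role)
    if limit is not None and members >= limit:
        out.append(f"{role} already has its maximum of {limit} member(s)")
    pre = c.prerequisite.get(role)
    if pre is not None and pre not in held:
        out.append(f"{role} requires {pre} first")
    return out


def assign(user: str, role: str, ua: UA, c: Constraints) -> bool:
    """Admit the assignment only when no constraint is violated."""
    if violations(user, role, ua, c):
        return False
    ua.add((user, role))
    return True


def permission_conflicts(pa: PA, c: Constraints) -> List[str]:
    """Static check on PA: a permission granted to two roles of one
    mutually exclusive set defeats the separation the set enforces."""
    out: List[str] = []
    for group in c.mutually_exclusive:
        holders: Dict[str, Set[str]] = {}
        for (r, p) in pa:
            if r in group:
                holders.setdefault(p, set()).add(r)
        out += [f"{p} is granted to {sorted(rs)}" for p, rs in holders.items() if len(rs) > 1]
    return out


# Constructed sample policy: nobody both raises and approves an order,
# there is a single approver, and approvers must already be employees.
POLICY = Constraints(
    mutually_exclusive=[frozenset({"purchaser", "approver"})],
    cardinality={"approver": 1},
    prerequisite={"approver": "employee"},
)
SAMPLE_UA: UA = {("alice", "employee"), ("alice", "purchaser"),
                 ("bob", "employee"), ("carol", "employee")}
SAMPLE_PA: PA = {("purchaser", "create_order"), ("approver", "approve_order"),
                 ("approver", "create_order")}
```

The mutually exclusive check here is the static form; the session form from the slide would apply the same test to the roles activated in a session rather than to UA.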
Attribute-Based Access Control (ABAC)


Can define authorizations that express conditions on properties of both
the resource and the subject

Strength is its flexibility and expressive power

Main obstacle to its adoption in real systems has been concern about
the performance impact of evaluating predicates on both resource and
user properties for each access

Web services have been pioneering technologies through the
introduction of the eXtensible Access Control Markup Language (XACML)

There is considerable interest in applying the model to cloud services



ABAC Model: Attributes

Subject attributes
– A subject is an active entity that causes information to flow among objects or changes the system state
– Attributes define the identity and characteristics of the subject

Object attributes
– An object (or resource) is a passive information system-related entity containing or receiving information
– Objects have attributes that can be leveraged to make access control decisions

Environment attributes
– Describe the operational, technical, and even situational environment or context in which the information access occurs
– These attributes have so far been largely ignored in most access control policies


ABAC

Distinguishable because it controls access to objects by evaluating rules against the attributes of entities, operations, and the environment relevant to a request

Relies upon the evaluation of attributes of the subject, attributes of the object, and a formal relationship or access control rule defining the allowable operations for subject-object attribute combinations in a given environment

Systems are capable of enforcing DAC, RBAC, and MAC concepts

Allows an unlimited number of attributes to be combined to satisfy any access control rule


Policies



ABAC Policies


A policy is a set of rules and relationships that govern allowable
behavior within an organization, based on the privileges of subjects
and how resources or objects are to be protected under which
environment conditions

Typically written from the perspective of the object that needs
protecting and the privileges available to subjects



ABAC policies model


S, O, and E are subjects, objects, and environments, respectively

SA_k (1 ≤ k ≤ K), OA_m (1 ≤ m ≤ M), and EA_n (1 ≤ n ≤ N) are the pre-defined
attributes for subjects, objects, and environments, respectively

ATTR(s), ATTR(o), and ATTR(e) are attribute assignment relations, for
example
– Role(s) = “Service Consumer”
– ServiceOwner(o) = “XYZ, Inc.”
– CurrentDate(e) = “01-23-2005”

Rule: can_access (s, o, e) ← f(ATTR(s), ATTR(o), ATTR(e))



ABAC example


R1: can_access(u, m, e) ←
– (Age(u) ≥ 17 and Rating(m) ∈ {R, PG-13, G}) or
(Age(u) ≥ 13 and Age(u) < 17 and Rating(m) ∈ {PG-13, G}) or
(Age(u) < 13 and Rating(m) ∈ {G})



ABAC vs RBAC


In RBAC as the number of attributes increases to accommodate finer-
grained policies, the number of roles and permissions grows
exponentially


The ABAC model deals with additional attributes in an efficient way



Finer grained policy example


Movies are classified as either New Release or Old Release, based on release
date compared to the current date

Users are classified as Premium User and Regular User, based on the fee they
pay

Policy: only premium users can view new movies.

RBAC
– Double the number of roles, to distinguish each user by age and fee
– Double the number of separate permissions

Roles              Permissions
Adult-Regular      R-Old_release
Juvenile-Regular   PG13-Old_release
Child-Regular      G-Old_release
Adult-Premium      R-New_release
Juvenile-Premium   PG13-New_release
Child-Premium      G-New_release
ABAC: Finer grained policy example

ABAC

R2: can_access(u, m, e) ← (MembershipType(u) = Premium) or
(MembershipType(u) = Regular and MovieType(m) = OldRelease)

R3: can_access(u, m, e) ← R1 and R2


Environment attributes example:
– New policy: Regular users are allowed to view new releases in promotional periods.
– Difficult to express in an RBAC model.
– In an ABAC model, we only need to add a conjunctive (AND) rule that checks to see
the environmental attribute today’s date falls in a promotional period

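Rules R1, R2 and R3 are plain predicates over attribute values, and the promotional-period policy is one more term that reads an environment attribute. The following added example (not from the slides) evaluates the slides' rules over attribute dictionaries and adds the promotional rule the slide describes in words. The attribute names `PromoStart`, `PromoEnd` and `CurrentDate` and all sample values are constructed for this example; R1 and R2 are transcribed from the slides.

```python
# Added example (not from the slides): the ABAC rules R1, R2, R3 from the
# slides evaluated over attribute assignments, plus the promotional-period
# extension the slide describes. Environment attribute names are constructed.
from datetime import date
from typing import Any, Callable, Dict

Attrs = Dict[str, Any]
Rule = Callable[[Attrs, Attrs, Attrs], bool]


def r1(u: Attrs, m: Attrs, e: Attrs) -> bool:
    """R1: age-based rating rule, as on the slide."""
    age, rating = u["Age"], m["Rating"]
    return ((age >= 17 and rating in {"R", "PG-13", "G"})
            or (13 <= age < 17 and rating in {"PG-13", "G"})
            or (age < 13 and rating in {"G"}))


def r2(u: Attrs, m: Attrs, e: Attrs) -> bool:
    """R2: membership type versus release type, as on the slide."""
    return (u["MembershipType"] == "Premium"
            or (u["MembershipType"] == "Regular" and m["MovieType"] == "OldRelease"))


def r3(u: Attrs, m: Attrs, e: Attrs) -> bool:
    """R3 = R1 and R2."""
    return r1(u, m, e) and r2(u, m, e)


def in_promotion(e: Attrs) -> bool:
    """Environment predicate over constructed attributes: is today's date
    inside the promotional period?"""
    return e["PromoStart"] <= e["CurrentDate"] <= e["PromoEnd"]


def r4(u: Attrs, m: Attrs, e: Attrs) -> bool:
    """The slide's promotional-period policy: R2 gains one more disjunct,
    itself a conjunction that admits Regular users to new releases while
    the environment attribute CurrentDate lies in the promotion. R1 still
    applies, so the age rule is never relaxed."""
    promo_ok = (u["MembershipType"] == "Regular"
                and m["MovieType"] == "NewRelease"
                and in_promotion(e))
    return r1(u, m, e) and (r2(u, m, e) or promo_ok)


def can_access(u: Attrs, m: Attrs, e: Attrs, rule: Rule = r3) -> bool:
    """can_access(s, o, e) <- f(ATTR(s), ATTR(o), ATTR(e)), with f pluggable."""
    return rule(u, m, e)


# Constructed sample attribute assignments.
TEEN_REGULAR: Attrs = {"Age": 15, "MembershipType": "Regular"}
ADULT_PREMIUM: Attrs = {"Age": 30, "MembershipType": "Premium"}
NEW_PG13: Attrs = {"Rating": "PG-13", "MovieType": "NewRelease"}
OLD_R: Attrs = {"Rating": "R", "MovieType": "OldRelease"}
PROMO: Attrs = {"CurrentDate": date(2005, 1, 23),
                "PromoStart": date(2005, 1, 20), "PromoEnd": date(2005, 1, 31)}
NO_PROMO: Attrs = {**PROMO, "CurrentDate": date(2005, 3, 1)}
```

Compare this with the RBAC table above: the same policy needed six roles and six permissions there, and adding the promotion would have required yet another doubling, whereas here it is one extra conjunct reading `CurrentDate`.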


Exercise

Let UA = {(u1, hp), (u2, ph), (u3, sp), (u4, gp)} and
PA = {(hp, <o1, R>), (ph, <o1, W>), (sp, <o2, RW>), (gp, <o3, RW>), (gp, <o2, R>), (gp, <o4, RW>)}.

Given the following role hierarchy, determine the permissions that users have in form of an access matrix.


Homework 2


Given the following access matrix, try to define the best possible roles



Homework 3

Consider a database for patients' measurements in a hospital.



Doctors can add (A), update (U), and view (V) any patients’ diseases and
read (RP) and write prescriptions (WP)

Pharmacists can read prescriptions (RP) and give drugs (G) to patients.

Patients (P) can only read their diseases and prescriptions.



Homework 3 (cont.)


Describe the RBAC system, given the following settings
– Doctors: Derek Shepherd (DS), Meredith Grey (MG);
– Pharmacists: Alex Karev (AK), Cristina Yang (CY)
– Patients: Mark Sloan (MS), Lexie Grey (LG)

List the users

List the roles

List the permissions

List the user assignments

Realize the access matrix



Thanks!

See you on Monday!



Disclaimer

Slides based on the


Introduction to Computer Security,
Computer Security: Principles and Practice, Global
Edition,
and Nicola Zannone (Eindhoven University of
Technology) material on RBAC.

This material should not be disclosed outside the course.
