04 Access Control
Access control
Angelo Spognardi
[email protected]
Dipartimento di Informatica
Sapienza Università di Roma
Topic: Access Control
● Goal: Protect confidentiality and integrity of information
● Control what a subject can do to prevent damage to the system
● Regulate the operations that can be executed by a subject on data and resources
● Typically provided as part of operating systems and of database management systems
● NISTIR 7298: “the process of granting or denying specific requests to:
– (1) obtain and use information and related information processing services; and
– (2) enter specific physical facilities”
● RFC 4949: “a process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy”
● Discretionary access control (DAC)
– Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
● Mandatory access control (MAC)
– Controls access based on comparing security labels with security clearances
● Role-based access control (RBAC)
– Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
● Attribute-based access control (ABAC)
– Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
Subject: an entity capable of accessing objects
Access right: describes the way in which a subject may access an object
Object: a resource to which access is controlled
● Scheme in which an entity may be granted access rights that permit the entity, by its own volition, to enable another entity to access some resource
● Often provided using an access matrix
● One dimension: identified subjects asking data access to the resources
● Other dimension: the objects that may be accessed
● Each entry in the matrix indicates the access rights of a particular subject for a particular object
● An empty cell means that no access rights are granted.
● Considers the ability of one subject to transfer rights, create another subject and to have ‘owner’ access right to that subject
● Every access by a subject to an object is mediated by the controller for that object
● The controller’s decision is based on the current contents of the matrix
● Certain subjects have the authority to make specific changes to the access matrix.
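An added example (not from the slides) of the access-matrix controller described above: every check is answered from the current matrix contents, and only a subject holding the ‘owner’ right on an object may grant or revoke rights in that object's column. The subject and object names are constructed.

```python
from collections import defaultdict

class AccessMatrix:
    """Rows are subjects, columns are objects, cells hold sets of rights."""

    def __init__(self):
        self.cells = defaultdict(lambda: defaultdict(set))

    def check(self, subject, obj, right):
        """Controller decision: made only from the current contents of the matrix."""
        return right in self.cells[subject][obj]

    def create_object(self, creator, obj):
        """The creator gets the 'owner' right, which lets it administer the column."""
        self.cells[creator][obj].add('owner')

    def create_subject(self, creator, new_subject):
        """A subject is also an object: its creator gets 'owner' over it."""
        self.cells[creator][new_subject].add('owner')

    def grant(self, granter, subject, obj, right):
        """Discretionary transfer: an owner may, by its own volition, let another
        subject access the object. Non-owners are refused."""
        if not self.check(granter, obj, 'owner'):
            raise PermissionError(f"{granter} is not an owner of {obj}")
        self.cells[subject][obj].add(right)

    def revoke(self, revoker, subject, obj, right):
        if not self.check(revoker, obj, 'owner'):
            raise PermissionError(f"{revoker} is not an owner of {obj}")
        self.cells[subject][obj].discard(right)

def demo():
    """Constructed scenario: alice owns file1 and shares it with bob; bob cannot
    re-share it with carol because he lacks the 'owner' right on file1."""
    m = AccessMatrix()
    m.create_object('alice', 'file1')
    m.grant('alice', 'bob', 'file1', 'read')
    bob_read_before = m.check('bob', 'file1', 'read')
    try:
        m.grant('bob', 'carol', 'file1', 'read')
        bob_could_reshare = True
    except PermissionError:
        bob_could_reshare = False
    m.revoke('alice', 'bob', 'file1', 'read')
    return (bob_read_before, bob_could_reshare,
            m.check('carol', 'file1', 'read'), m.check('bob', 'file1', 'read'))
```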
● Subjects: users, groups, others
● Objects: files, directories
● Access rights: read, write, execute
– For files
● read: reading from a file
● write: writing to a file
● execute: executing a (program) file
– For directories
● read: list the files within the directory
● write: create, rename, or delete files within the directory
● execute: enter the directory
● Unique user identification number (user ID)
● Member of a primary group identified by a group ID
● Belongs to a specific group
● 12 protection bits
– Specify read, write, and execute permission for the owner of the file, members of the group and all other users
● The owner ID, group ID, and protection bits are part of the file’s inode
● Many modern UNIX systems support access control lists
– FreeBSD, OpenBSD, Linux, and Solaris.
● FreeBSD
– The setfacl command assigns a list of UNIX user IDs and groups
– Any number of users and groups can be associated with a file
– Read, write, execute protection bits
– A file does not need to have an ACL
– Includes an additional protection bit that indicates whether the file has an extended ACL
● When a process requests access to a file system object two steps are performed:
1) Selects the most appropriate ACL entry
2) Checks if the matching entry contains sufficient permissions
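An added example (not from the slides, and not any operating system's code) of the two-step check above: the rwx triples are taken from the 12 protection bits of a constructed inode, an optional extended ACL (named users, named groups and a mask, in the style of POSIX.1e) is consulted, the most specific applicable entry is selected, and the access is granted only if that entry contains the requested bits. The uids, gids and modes are constructed sample values.

```python
R, W, X = 4, 2, 1   # permission bits of one rwx triple

class Inode:
    def __init__(self, uid, gid, mode, acl=None):
        self.uid, self.gid = uid, gid
        self.mode = mode          # 12 protection bits: suid/sgid/sticky + owner/group/other rwx
        # extended ACL: {'users': {uid: bits}, 'groups': {gid: bits}, 'mask': bits}
        self.acl = acl or {}

class Process:
    def __init__(self, uid, gid, groups=()):
        self.uid, self.gid = uid, gid
        self.groups = set(groups) | {gid}

def applicable_entries(proc, inode):
    """Step 1: select the entries that apply to this process, most specific first.
    Owner and named-user entries are exclusive; several group entries may apply."""
    owner, group, other = (inode.mode >> 6) & 7, (inode.mode >> 3) & 7, inode.mode & 7
    mask = inode.acl.get('mask', 7)   # caps every entry except owner and other
    if proc.uid == inode.uid:
        return [owner]
    users = inode.acl.get('users', {})
    if proc.uid in users:
        return [users[proc.uid] & mask]
    entries = [group & mask for g in proc.groups if g == inode.gid]
    entries += [bits & mask for g, bits in inode.acl.get('groups', {}).items()
                if g in proc.groups]
    return entries or [other]

def permitted(proc, inode, want):
    """Step 2: allowed if some selected entry contains all the requested bits."""
    return any(entry & want == want for entry in applicable_entries(proc, inode))

def demo():
    # constructed sample: file owned by uid 1000 / gid 100 with mode rw-r----- (0o640),
    # plus an extended ACL giving uid 2000 rw-, group 300 r--, and a mask of r--
    f = Inode(uid=1000, gid=100, mode=0o640,
              acl={'users': {2000: R | W}, 'groups': {300: R}, 'mask': R})
    owner, named = Process(1000, 100), Process(2000, 999)
    member, stranger = Process(3000, 300), Process(4000, 999)
    return (permitted(owner, f, R | W),   # owner triple rw-            -> True
            permitted(named, f, W),       # rw- entry capped by mask r-- -> False
            permitted(member, f, R),      # named group entry r--        -> True
            permitted(stranger, f, R))    # falls through to other ---   -> False
```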
● Inspired by the Bell-La Padula model
● Each subject and each object is assigned a security class
● In the simplest formulation, security classes form a strict hierarchy and are referred to as security levels.
– One example is the U.S. military classification scheme, from highest to lowest:
top secret > secret > confidential > restricted > unclassified
● A subject is said to have a security clearance of a given level
● An object is said to have a security classification of a given level
● The security classes control the manner by which a subject may access an object
● The model defined four access modes:
– read: The subject is allowed only read access to the object
– append: The subject is allowed only write access to the object
– write: The subject is allowed both read and write access to the object
– execute: The subject is allowed neither read nor write access to the object but may invoke the object for execution
● Confidentiality is achieved if a subject at a high level may not convey information to a subject at a lower level...
– ...unless that flow accurately reflects the will of an authorized user as revealed by an authorized declassification
● No read up: A subject can only read an object of lower or equal security level
– This is referred to in the literature as the simple security property (ss-property).
● No write down: A subject can only write into an object of greater or equal security level.
– This is referred to in the literature as the *-property (pronounced star property).
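An added example (not from the slides) that applies the ss-property and the *-property to the four access modes listed above, over the strict level hierarchy of the slide: read needs no-read-up, append needs no-write-down, write needs both (so only equal levels qualify), and execute moves no information, so no flow constraint applies in this simplified model.

```python
# Strict hierarchy from the slide, lowest to highest; index = rank
LEVELS = ['unclassified', 'restricted', 'confidential', 'secret', 'top secret']
RANK = {name: i for i, name in enumerate(LEVELS)}

def dominates(a, b):
    """Level a dominates level b when it is greater than or equal to b."""
    return RANK[a] >= RANK[b]

def blp_allows(clearance, classification, mode):
    """clearance: the subject's level; classification: the object's level."""
    if mode == 'read':      # ss-property (no read up): subject must dominate object
        return dominates(clearance, classification)
    if mode == 'append':    # *-property (no write down): object must dominate subject
        return dominates(classification, clearance)
    if mode == 'write':     # reads and writes, so both properties must hold
        return dominates(clearance, classification) and dominates(classification, clearance)
    if mode == 'execute':   # neither reads nor writes the object: no flow constraint
        return True
    raise ValueError(f"unknown access mode: {mode}")

def reachable(subject_level):
    """For a subject at subject_level, the object levels allowed in each mode."""
    return {mode: [lvl for lvl in LEVELS if blp_allows(subject_level, lvl, mode)]
            for mode in ('read', 'append', 'write', 'execute')}
```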
● More recent MAC implementations are SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows
● Define roles and then specify access control rights for these roles, rather than for subjects directly.
Example role hierarchy (figure): Department Chair at the top; Administrative Personnel, Technical Personnel, Faculty and Student below it; Department Member at the bottom.
21 Dipartimento Informatica, Sapienza Università di Roma ACSAI - Cybersecurity
Role Based Access Control (RBAC) goals
● Describe organizational access control policies
● Based on job function
– A user’s permissions are determined by her roles rather than by identity or clearance
● Increase flexibility/scalability in policy administration
– Easy to meet new security requirements
– Reduce errors in administration
– Reduce cost of administration
● Roles defined based on job functions
– e.g., bookkeeper
● Permissions defined based on job authority and responsibilities within a role
– e.g., bookkeeper is allowed to read financial records
● Users have access to objects based on the assigned role
– e.g., Sally is the bookkeeper
● Given the following User Assignment and Permission Assignment, define the corresponding access matrix.
● Homework 1:
– What happens if the job function of a user changes?
● e.g., Charlie becomes a GP
– What happens if permissions are added/removed from a role?
● e.g., Radiologist can also delete image scans
● Some roles subsume others:
– many operations are common to a large number of roles
– a GP can perform all actions that a physician can perform (plus other actions)
● This suggests a hierarchy of roles
● Reflect an organization’s role structure
● Inheritance among roles
– Instead of specifying permissions for each role, one specifies them for a more generalized role
– Granting access to role R implies that access is granted for all specialized roles of R
● Structuring roles
– Partial order ≤: if x ≤ y we say x is a specialization of y
● Inheritance of permissions from generalized role y (top) to specialized role x (bottom)
– Members of x are also implicitly members of y
– if x ≤ y then role x inherits the permissions of role y
● Partial order
– Reflexivity (i.e., x ≤ x)
– Transitivity (i.e., if x ≤ y and y ≤ z then x ≤ z)
– Antisymmetry (i.e., if x ≤ y and y ≤ x then x = y)
● Let UA = {(u1, r2), (u2, r3), (u3, r4), (u4, r5)} and PA = {(r1, p1), (r2, p2), (r3, p3), (r4, p4), (r5, p5)}.
● Given the following role hierarchy, determine the permissions that users have in the form of an access matrix.
p1 p2 p3 p4 p5
u1 x x
u2 x x x
u3 x x x
u4 x x x x x
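An added example (not from the slides) that computes the access matrix of the exercise above from UA, PA and a role hierarchy, by closing the partial order upwards so that a specialized role collects the permissions of every more generalized role. The hierarchy figure is not reproduced on the page; the one assumed here (r2 ≤ r1, r3 ≤ r2, r4 ≤ r2, r5 ≤ r3, r5 ≤ r4) is chosen so that the row totals match the slide's matrix (2, 3, 3 and 5 permissions). The functions work for any hierarchy given as a set of direct specializations.

```python
UA = {('u1', 'r2'), ('u2', 'r3'), ('u3', 'r4'), ('u4', 'r5')}
PA = {('r1', 'p1'), ('r2', 'p2'), ('r3', 'p3'), ('r4', 'p4'), ('r5', 'p5')}
# Assumed hierarchy: (x, y) means x ≤ y, i.e. x is a specialization of y
HIERARCHY = {('r2', 'r1'), ('r3', 'r2'), ('r4', 'r2'), ('r5', 'r3'), ('r5', 'r4')}

def senior_roles(role, hierarchy):
    """Reflexive-transitive closure upwards: every role y with role ≤ y.
    Members of role are implicitly members of all of them."""
    seniors, frontier = {role}, [role]
    while frontier:
        x = frontier.pop()
        for a, b in hierarchy:
            if a == x and b not in seniors:
                seniors.add(b)
                frontier.append(b)
    return seniors

def effective_permissions(role, hierarchy, pa):
    """Own permissions plus those inherited from every generalized role."""
    return {p for r, p in pa if r in senior_roles(role, hierarchy)}

def access_matrix(ua, pa, hierarchy):
    """user -> set of permissions reachable through all assigned roles."""
    matrix = {}
    for user, role in ua:
        matrix.setdefault(user, set()).update(effective_permissions(role, hierarchy, pa))
    return matrix

def render(matrix, perms=('p1', 'p2', 'p3', 'p4', 'p5')):
    """Text form of the matrix in the slide's layout ('x' = permission held)."""
    rows = ['    ' + '  '.join(perms)]
    for user in sorted(matrix):
        rows.append(user + '  ' + '   '.join('x' if p in matrix[user] else '.' for p in perms))
    return '\n'.join(rows)

if __name__ == '__main__':
    print(render(access_matrix(UA, PA, HIERARCHY)))
```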
● Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
● A defined relationship among roles or a condition related to roles
● Types:
– Mutually exclusive roles
• A user can only be assigned to one role in the set (either during a session or statically)
• Any permission (access right) can be granted to only one role in the set
– Cardinality
• Setting a maximum number with respect to roles
– Prerequisite roles
• Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
Attribute-Based Access Control (ABAC)
● Can define authorizations that express conditions on properties of both the resource and the subject
● Strength is its flexibility and expressive power
● Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access
● Web services have been pioneering technologies through the introduction of the eXtensible Access Control Markup Language (XACML)
● There is considerable interest in applying the model to cloud services
Subject attributes
• A subject is an active entity that causes information to flow among objects or changes the system state
• Attributes define the identity and characteristics of the subject
Object attributes
• An object (or resource) is a passive information system-related entity containing or receiving information
• Objects have attributes that can be leveraged to make access control decisions
Environment attributes
• Describe the operational, technical, and even situational environment or context in which the information access occurs
• These attributes have so far been largely ignored in most access control policies
● A policy is a set of rules and relationships that govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions
● Typically written from the perspective of the object that needs protecting and the privileges available to subjects
● S, O, and E are subjects, objects, and environments, respectively
● SA_k (1 ≤ k ≤ K), OA_m (1 ≤ m ≤ M), and EA_n (1 ≤ n ≤ N) are the pre-defined attributes for subjects, objects, and environments, respectively
● ATTR(s), ATTR(o), and ATTR(e) are attribute assignment relations, for example
– Role(s) = “Service Consumer”
– ServiceOwner(o) = “XYZ, Inc.”
– CurrentDate(e) = “01-23-2005”
● Rule: can_access(s, o, e) ← f(ATTR(s), ATTR(o), ATTR(e))
● R1: can_access(u, m, e) ←
– (Age(u) ≥ 17 and Rating(m) ∈ {R, PG-13, G}) or
(Age(u) ≥ 13 and Age(u) < 17 and Rating(m) ∈ {PG-13, G}) or
(Age(u) < 13 and Rating(m) ∈ {G})
● In RBAC, as the number of attributes increases to accommodate finer-grained policies, the number of roles and permissions grows exponentially
● The ABAC model deals with additional attributes in an efficient way
● Movies are classified as either New Release or Old Release, based on release date compared to the current date
● Users are classified as Premium User and Regular User, based on the fee they pay
● Policy: only premium users can view new movies.
RBAC
● Double the number of roles, to distinguish each user by age and fee
● Double the number of separate permissions
Roles              Permissions
Adult-Regular      R-Old_release
Juvenile-Regular   PG13-Old_release
Child-Regular      G-Old_release
Adult-Premium      R-New_release
Juvenile-Premium   PG13-New_release
Child-Premium      G-New_release
ABAC: Finer grained policy example
ABAC
● R2: can_access(u, m, e) ← (MembershipType(u) = Premium) or (MembershipType(u) = Regular and MovieType(m) = OldRelease)
● R3: can_access(u, m, e) ← R1 and R2
● Environment attributes example:
– New policy: Regular users are allowed to view new releases in promotional periods.
– Difficult to express in an RBAC model.
– In an ABAC model, we only need to add a conjunctive (AND) rule that checks whether the environment attribute “today’s date” falls in a promotional period
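An added example (not from the slides) that writes rules R1, R2 and R3 above as predicates over subject, object and environment attributes, and then adds the promotional-period policy as one extra clause on the environment attribute, with no new roles or permissions. The attribute names Age, Rating, MembershipType, MovieType and CurrentDate come from the slides; the 90-day new-release window, the PromoPeriods attribute and all sample users, movies and dates are constructed assumptions.

```python
from datetime import date, timedelta

NEW_RELEASE_WINDOW = timedelta(days=90)   # assumed threshold; the slides give none

def movie_type(m, e):
    """Object attribute derived from the release date and the environment's current date."""
    age = e['CurrentDate'] - m['ReleaseDate']
    return 'NewRelease' if age <= NEW_RELEASE_WINDOW else 'OldRelease'

def R1(u, m, e):
    """Age/rating rule, exactly as R1 on the slide."""
    age, rating = u['Age'], m['Rating']
    return ((age >= 17 and rating in {'R', 'PG-13', 'G'}) or
            (13 <= age < 17 and rating in {'PG-13', 'G'}) or
            (age < 13 and rating in {'G'}))

def R2(u, m, e):
    """Membership rule, exactly as R2 on the slide."""
    return (u['MembershipType'] == 'Premium' or
            (u['MembershipType'] == 'Regular' and movie_type(m, e) == 'OldRelease'))

def in_promotional_period(e):
    """Environment attribute check: does today's date fall in a promotional period?"""
    return any(start <= e['CurrentDate'] <= end for start, end in e['PromoPeriods'])

def R2_promo(u, m, e):
    """New policy: Regular users may also view new releases during a promotion.
    Added as one conjunctive clause (Regular AND in promo period); R2 is unchanged."""
    return R2(u, m, e) or (u['MembershipType'] == 'Regular' and in_promotional_period(e))

def can_access(u, m, e):
    """R3: the age/rating rule and the (extended) membership rule must both hold."""
    return R1(u, m, e) and R2_promo(u, m, e)

# Constructed sample attributes (CurrentDate reuses the slide's example date)
ENV_PROMO = {'CurrentDate': date(2005, 1, 23),
             'PromoPeriods': [(date(2005, 1, 20), date(2005, 1, 31))]}
ENV_NORMAL = {'CurrentDate': date(2005, 1, 23), 'PromoPeriods': []}
ADULT_REGULAR = {'Age': 30, 'MembershipType': 'Regular'}
TEEN_PREMIUM = {'Age': 15, 'MembershipType': 'Premium'}
NEW_R = {'Rating': 'R', 'ReleaseDate': date(2005, 1, 10)}
OLD_PG13 = {'Rating': 'PG-13', 'ReleaseDate': date(2003, 6, 1)}
```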
● Let UA = {(u1, hp), (u2, ph), (u3, sp), (u4, gp)} and PA = {(hp, <o1, R>), (ph, <o1, W>), (sp, <o2, RW>), (gp, <o3, RW>), (gp, <o2, R>), (gp, <o4, RW>)}.
● Given the following role hierarchy, determine the permissions that users have in the form of an access matrix.
● Given the following access matrix, try to define the best possible roles
● Describe the RBAC system, given the following settings
– Doctors: Derek Shepherd (DS), Meredith Grey (MG);
– Pharmacists: Alex Karev (AK), Cristina Yang (CY)
– Patients: Mark Sloan (MS), Lexie Grey (LG)
● List the users
● List the roles
● List the permissions
● List the user assignments
● Realize the access matrix