CS580 Internet Security Protocols


CS580 Internet Security Protocols, 12/5/2017
8. Access Control
Huiping Guo, Department of Computer Science, California State University, Los Angeles

Outline
- Introduction to access control
- Security policy
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Multilevel security
- Multilateral security
8. Access Control CS580_S16

Introduction
- Two parts to access control
  - Authentication: a process by which you verify that someone is who they claim to be
  - Authorization: a process of giving someone permission to do or have something. Once you have access, what can you do? Enforces limits on actions

Authentication
- How to authenticate a human to a machine? Can be based on...
  - Something you know, for example a password
  - Something you have, for example a smartcard
  - Something you are, for example your fingerprint

Authentication vs Authorization
- Authentication: Who goes there? Restrictions on who (or what) can access the system
- Authorization: Are you allowed to do that? Restrictions on the actions of authenticated users
- Authorization is a form of access control
- Access control is often used as a synonym for authorization

A Model for Access Control
[Figure: a subject (the source of the request, e.g. users, processes) sends an access request to the reference monitor (the guard), which mediates access to the object (the resource, e.g. files, printers).]

Basic Terminology
- Subject/Principal: active entity, e.g. a user or process
- Object: passive entity, e.g. a file or resource
- Access operations, e.g. read, write, execute, ...
  - Access operations vary from basic memory/file access to method calls in an object-oriented system
  - Comparable systems may use different access operations

A Reference Monitor
- Abstract machine that mediates subject access to objects
  - Ex.: observes the execution of a program and halts the program if it is going to violate the security policy
- Common examples: operating systems, interpreters, firewalls
- Claim: the majority of today's enforcement mechanisms are instances of reference monitors

Security Policies
- The reference monitor makes decisions based on the request and the policy
- Security policy (or access control policy): the set of detailed rules as to what is allowed on the system and what is not allowed

Access Control Policies
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)

Discretionary Access Control
- A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources. Access control is at the discretion of the owner.
- Example: in Unix, a directory listing might yield "... rwxr-xr-x ... file.txt", meaning that the owner of file.txt may read, write, or execute it, and that other users may read or execute the file but not write it. The set of access rights in this example is {read, write, execute}, and the operating system mediates all requests to perform any of these actions. Users may change the permissions on files they own, making this a discretionary policy.

Access Control Matrix
- Does subject S have right R for object O?
- Abstractly, the information needed to answer this question can be represented as a mathematical relation D on subjects, objects, and rights: if (S,O,R) is in D, then S does have right R for object O; otherwise, S does not.
- More practically, the same information can also be represented as an access control matrix. Each row of the matrix corresponds to a subject and each column to an object. Each cell of the matrix contains a set of rights.

Access Control Matrix
- S ... set of subjects
- O ... set of objects
- A ... set of access operations
- Access control matrix: M = (M_so) for s ∈ S, o ∈ O, with M_so ⊆ A; M_so specifies the operations subject s may perform on object o.

Example:

           bill.doc       edit.exe   fun.com
  Alice    {}             {exec}     {exec,read}
  Bob      {read,write}   {exec}     {exec,read,write}

Access Control Matrix ctd.
- The access control matrix is an abstract concept, not very suitable for direct implementation
- Management of the matrix is likely to be extremely difficult if there are tens of thousands of files and hundreds of users (resulting in millions of matrix entries)
- The matrix is likely to be extremely sparse, and therefore a direct implementation is inefficient

Are You Allowed to Do That?
- How to manage a large access control (AC) matrix?
  - Could be 1000's of users and 1000's of resources, hence an AC matrix with 1,000,000's of entries
  - Need to check this matrix before access to any resource is allowed
  - Hopelessly inefficient

Access Control Lists (ACLs)
- ACL: store the access control matrix by column
- Example: the ACL for Insurance data is the "Insurance data" column

                      OS    Accounting program   Accounting data   Insurance data   Payroll data
  Bob                 rx    rx                   r                 ---              ---
  Alice               rx    rx                   r                 rw               rw
  Sam                 rwx   rwx                  r                 rw               rw
  Accounting program  rx    rx                   rw                rw               rw

Access Control Lists (ACLs)
- OS: {(Bob, rx), (Alice, rx), (Sam, rwx), (Accounting program, rx)}
- Accounting program: {(Bob, rx), (Alice, rx), (Sam, rwx), (Accounting program, rx)}
- Accounting data: {(Bob, r), (Alice, r), (Sam, r), (Accounting program, rw)}
- Insurance data: {(Alice, rw), (Sam, rw), (Accounting program, rw)}
- Payroll data: {(Alice, rw), (Sam, rw), (Accounting program, rw)}

Capabilities (or C-Lists)
- Store the access control matrix by row
- Example: the capability list for Alice is the "Alice" row

                      OS    Accounting program   Accounting data   Insurance data   Payroll data
  Bob                 rx    rx                   r                 ---              ---
  Alice               rx    rx                   r                 rw               rw
  Sam                 rwx   rwx                  r                 rw               rw
  Accounting program  rx    rx                   rw                rw               rw

Capability List
- Bob: {(OS, rx), (Accounting program, rx), (accounting data, r)}
- Alice: {(OS, rx), (Accounting program, rx), (accounting data, r), (insurance data, rw), (payroll data, rw)}
- Sam: {(OS, rwx), (Accounting program, rwx), (accounting data, r), (insurance data, rw), (payroll data, rw)}
- Accounting program: {(OS, rwx), (Accounting program, rwx), (accounting data, r), (insurance data, rw), (payroll data, rw)}
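As an added example (not code from the lecture), the matrix on the ACL and capability slides stored both by column (ACLs) and by row (capability lists), with a reference-monitor check and a delegation step driven from each view; the subject and object names are the slides' own, the helper names are mine.

```python
# Added example, not from the slides: one access control matrix, three views.
# Rights are r/w/x strings as drawn on the slides; "---" means no rights.

SUBJECTS = ["Bob", "Alice", "Sam", "Accounting program"]
OBJECTS = ["OS", "Accounting program", "Accounting data",
           "Insurance data", "Payroll data"]

# The matrix from the ACL/capability slides (rows = subjects, columns = objects).
MATRIX = {
    "Bob":                ["rx",  "rx",  "r",  "---", "---"],
    "Alice":              ["rx",  "rx",  "r",  "rw",  "rw"],
    "Sam":                ["rwx", "rwx", "r",  "rw",  "rw"],
    "Accounting program": ["rx",  "rx",  "rw", "rw",  "rw"],
}

def rights(cell):
    """Turn a cell such as 'rx' or '---' into a set of operations."""
    return set(cell) - {"-"}

def acls(matrix):
    """Store the matrix by column: for each object, who holds which rights."""
    return {
        obj: {s: rights(matrix[s][i]) for s in matrix if rights(matrix[s][i])}
        for i, obj in enumerate(OBJECTS)
    }

def capabilities(matrix):
    """Store the matrix by row: for each subject, the objects it may touch."""
    return {
        s: {OBJECTS[i]: rights(c) for i, c in enumerate(row) if rights(c)}
        for s, row in matrix.items()
    }

def allowed_acl(acl, subject, obj, op):
    """Reference-monitor decision taken from the object's ACL."""
    return op in acl.get(obj, {}).get(subject, set())

def allowed_cap(caps, subject, obj, op):
    """The same decision taken from the subject's capability list."""
    return op in caps.get(subject, {}).get(obj, set())

def delegate(caps, giver, receiver, obj):
    """Delegation is easy with capabilities: copy the giver's rights on obj."""
    if obj in caps.get(giver, {}):
        caps.setdefault(receiver, {})[obj] = set(caps[giver][obj])

if __name__ == "__main__":
    acl, caps = acls(MATRIX), capabilities(MATRIX)
    print(acl["Insurance data"])                          # the blue column
    print(caps["Alice"])                                  # the red row
    print(allowed_acl(acl, "Bob", "Insurance data", "r"))  # False: Bob has ---
```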

ACLs vs Capabilities
[Figure: users Alice, Bob, Fred and objects file1, file2, file3. In the Access Control List view each file points at the users and their rights on it; in the Capability view each user points at the files and the rights held on them. Note that the arrows point in opposite directions!]

ACLs vs Capabilities
- ACLs
  - Good when users manage their own files
  - Protection is data-oriented
  - Easy to change the rights to a resource
- Capabilities
  - Easy to delegate
  - Easy to add/delete users
  - More difficult to implement

Mandatory Access Control
- A mandatory access control (MAC) policy is a means of assigning access rights based on regulations by a central authority.
- This class of policies includes examples from both industry and government.
- The philosophy underlying these policies is that information belongs to an organization (rather than individual members of it), and it is that organization which should control the security policy.

Mandatory Access Control (MAC)
- Multilevel security (military applications)
  - Bell-LaPadula model: identifies allowable communication flows; concerned primarily with ensuring secrecy
  - Biba model: concerned primarily with "trustworthiness"/integrity
- Multilateral security (corporate applications)
  - Chinese wall: concerned with preventing conflicts of interest; developed for commercial applications

Multilevel Security (MLS) Models

Classifications and Clearances
- Classifications apply to objects
- Clearances apply to subjects
- The US Department of Defense uses 4 levels of classifications/clearances: TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED

Clearances and Classification
- To obtain a SECRET clearance requires a routine background check
- A TOP SECRET clearance requires an extensive background check
- Practical classification problems
  - Proper classification is not always clear
  - Level of granularity at which to apply classifications
  - Aggregation: the flipside of granularity

Subjects and Objects
- Let O be an object, S a subject
  - O has a classification
  - S has a clearance
  - Security level denoted L(O) and L(S)
- For DoD levels, we have TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED

Multilevel Security (MLS)
- MLS is needed when subjects/objects at different levels use the same system
- MLS is a form of access control
- Military/government interest in MLS for many decades
  - Lots of funded research into MLS
  - Strengths and weaknesses of MLS relatively well understood (theoretical and practical)
- Many possible uses of MLS outside the military

MLS Applications
- Classified government/military information
- Business example: info restricted to
  - Senior management only
  - All management
  - Everyone in the company
  - General public
- Network firewall: keep intruders at a low level to limit damage
- Confidential medical info, databases, etc.

MLS Security Models
- MLS models explain what needs to be done
  - Models do not tell you how to implement
  - Models are descriptive, not prescriptive: high-level description, not an algorithm
- There are many MLS models
  - We'll discuss the simplest MLS model
  - Other models are more realistic
  - Other models are also more complex, more difficult to enforce, harder to verify, etc.

Bell-LaPadula
- The BLP security model is designed to express the essential requirements for MLS
- BLP deals with confidentiality: to prevent unauthorized reading
- Recall that O is an object, S a subject
  - Object O has a classification
  - Subject S has a clearance
  - Security level denoted L(O) and L(S)

Bell-LaPadula
- BLP consists of
  - Simple Security Condition: S can read O if and only if L(O) ≤ L(S)
  - *-Property (Star Property): S can write O if and only if L(S) ≤ L(O)
- No read up, no write down
- With Bell-LaPadula, users can create content only at or above their own security level. Conversely, users can view content only at or below their own security level.

Communicating down...
- How to communicate from a higher security level to a lower one?
- The transfer of information from a high security document to a lower security document may happen in the BLP model via the concept of trusted subjects.
  - Trusted subjects are not restricted by the star property.
  - Trusted subjects must be shown to be trustworthy with regard to the security policy.

Biba's Model
- BLP for confidentiality, Biba for integrity
  - Biba is to prevent unauthorized writing
- Biba is (in a sense) the dual of BLP
- Integrity model
  - Suppose you trust the integrity of O but not O'
  - If object O'' includes O and O' then you cannot trust the integrity of O''
  - The integrity level of O'' is the minimum of the integrity of any object in O''

Biba
- Let I(O) denote the integrity of object O and I(S) denote the integrity of subject S
- Biba can be stated as
  - Write Access Rule: S can write O if and only if I(O) ≤ I(S) (if S writes O, the integrity of O ≤ that of S)
  - Read Access Rule: S can read O if and only if I(S) ≤ I(O) (if S reads O, the integrity of S ≤ that of O)
- Often, Biba's model is replaced with the Low Water Mark Policy: if S reads O, then I(S) = min(I(S), I(O))

Multilateral Security (Compartments)

Multilateral Security
- Multilevel Security (MLS) enforces access control up and down
- A simple hierarchy of security labels may not be flexible enough
- Multilateral security enforces access control across, by creating compartments
- Suppose TOP SECRET is divided into TOP SECRET {CAT} and TOP SECRET {DOG}
- Both are TOP SECRET, but information flow is restricted across the TOP SECRET level

Multilateral Security
- Why compartments? Why not create a new classification level?
- May not want either of
  - TOP SECRET {CAT} → TOP SECRET {DOG}
  - TOP SECRET {DOG} → TOP SECRET {CAT}
- Compartments allow us to enforce the need-to-know principle: regardless of your clearance, you only have access to info that you need to know

Multilateral Security
[Figure: the lattice of labels TOP SECRET {CAT, DOG}, TOP SECRET {CAT}, TOP SECRET {DOG}, TOP SECRET, SECRET {CAT, DOG}, SECRET {CAT}, SECRET {DOG}, SECRET. Arrows indicate the "≥" (dominates) relationship: TOP SECRET {CAT, DOG} is at the top, SECRET at the bottom, and an arrow runs from a label to each label that is one step lower (one level down, or one compartment fewer).]
- Not all classifications are comparable, e.g., TOP SECRET {CAT} vs SECRET {CAT, DOG}
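The following is an added example, not code from the lecture, that makes the BLP, Biba and lattice slides concrete: a label is a level plus a set of compartments, the arrows on the lattice slide are the dominance relation, and both BLP and Biba (with the low water mark variant) are stated as checks on that relation. Level names are the DoD levels from the slides; CAT and DOG are the slides' compartment names; the function names are my own.

```python
# Added example, not from the slides: labels, dominance, BLP and Biba rules.
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # e.g. frozenset({"CAT", "DOG"})

def dominates(a, b):
    """a >= b: a's level is at least b's and a's compartments include b's."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments

def comparable(a, b):
    """False for pairs such as TOP SECRET {CAT} vs SECRET {CAT, DOG}."""
    return dominates(a, b) or dominates(b, a)

def arrows(labels):
    """Every pair (a, b) with a > b, i.e. the lattice slide's arrows plus the
    pairs they imply by transitivity."""
    return [(a, b) for a in labels for b in labels if a != b and dominates(a, b)]

# Bell-LaPadula on confidentiality labels: no read up, no write down.
def blp_can_read(subject, obj):
    return dominates(subject, obj)          # L(O) <= L(S)

def blp_can_write(subject, obj):
    return dominates(obj, subject)          # L(S) <= L(O)

# Biba on integrity labels: the dual of BLP, with the same relation.
def biba_can_write(subject, obj):
    return dominates(subject, obj)          # I(O) <= I(S)

def biba_can_read(subject, obj):
    return dominates(obj, subject)          # I(S) <= I(O)

def low_water_mark(subject, obj):
    """Low water mark policy: the read is allowed, but the subject's integrity
    drops to min(I(S), I(O)), the greatest lower bound of the two labels."""
    level = min(subject.level, obj.level, key=LEVELS.get)
    return Label(level, subject.compartments & obj.compartments)

# The eight labels drawn on the lattice slide (constructed here).
SLIDE_LABELS = [Label(lvl, frozenset(c))
                for lvl in ("TOP SECRET", "SECRET")
                for c in ({"CAT", "DOG"}, {"CAT"}, {"DOG"}, set())]

if __name__ == "__main__":
    ts_cat = Label("TOP SECRET", frozenset({"CAT"}))
    s_catdog = Label("SECRET", frozenset({"CAT", "DOG"}))
    print(comparable(ts_cat, s_catdog))                   # False
    print(blp_can_read(ts_cat, Label("SECRET", frozenset({"CAT"}))))  # True
    print(low_water_mark(ts_cat, s_catdog))               # SECRET {CAT}
```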

Chinese wall
- Intended to prevent conflicts of interest
- Rights are dynamically updated based on the actions of the subjects

Chinese wall: basic setup
[Figure: company datasets grouped into conflict of interest (CI) classes: Bank A and Bank B form one CI class, School 1, School 2 and School 3 another; each company dataset contains files.]

Chinese wall: Read rule
- A subject S can access company C's data only if
  - S has already accessed C's data, OR
  - S has not accessed any of C's competitors' data
- In other words, subject S is allowed to read from at most one company dataset in any CI class

Example
[Figure: the datasets Bank A, Bank B, School 1, School 2, School 3 from the basic setup, with two "read" accesses by a subject, one into the bank CI class and one into the school CI class.]

Chinese wall: Write rule
- S can write to O only if
  - S can read O, and
  - All objects that S can read are in the same dataset as O
- This is intended to prevent an indirect flow of information that would cause a conflict of interest
  - E.g., S reads from Bank A and writes to School 1; S' can read from School 1 and Bank B
  - S' may find out information about Banks A and B!
- Note that S can write to at most one dataset...
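An added example (not code from the lecture) of the read and write rules above over the slides' datasets, with the per-subject history that makes the rights dynamic; the CI classes and dataset names are the slides' own, the subject names and the class are constructed here. "Objects S can read" in the write rule is taken, as is usual, to mean the datasets already in S's access history.

```python
# Added example, not from the slides: Chinese wall read/write rules.
CI_CLASSES = {
    "banks":   {"Bank A", "Bank B"},
    "schools": {"School 1", "School 2", "School 3"},
}
# Map each company dataset back to its conflict-of-interest class.
CLASS_OF = {ds: ci for ci, sets in CI_CLASSES.items() for ds in sets}

class ChineseWall:
    def __init__(self):
        self.history = {}          # subject -> set of datasets already read

    def can_read(self, subject, dataset):
        """Read rule: already accessed this dataset, or none of its
        competitors (other datasets in the same CI class)."""
        seen = self.history.get(subject, set())
        if dataset in seen:
            return True
        return not any(CLASS_OF[d] == CLASS_OF[dataset] for d in seen)

    def read(self, subject, dataset):
        """Perform a read; a permitted read updates the subject's rights."""
        if not self.can_read(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True

    def can_write(self, subject, dataset):
        """Write rule: S may write O only if S can read O and everything S
        can read (its history) lies in O's own dataset. This blocks the
        Bank A -> School 1 -> S' -> Bank B leak from the slide."""
        if not self.can_read(subject, dataset):
            return False
        return self.history.get(subject, set()) <= {dataset}

if __name__ == "__main__":
    wall = ChineseWall()
    wall.read("S", "Bank A")
    print(wall.can_read("S", "Bank B"))      # False: competitor of Bank A
    print(wall.can_read("S", "School 1"))    # True: different CI class
    print(wall.can_write("S", "School 1"))   # False: would carry Bank A data
```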