
Authorization

What is authorization?
–Authentication --- who are you?
–Authorization --- what is a user authorized to access?
–Role-based authorization
–Policy-based authorization

Access Control Models
An access control model defines a computer and/or network system's rules for user access to information resources. Access control models protect objects, subjects and operations:
–Object: terminals, documents, files, etc. (an object is a passive entity)
–Subject: system users, programs, etc. (a subject is an active entity)
–Operation: the way a subject interacts with an object
There are three access control models:
–Discretionary Access Control (DAC) is termed discretionary because user access rights are defined by the system administrator based on each user's needs. This type of access control is usually identity-based.
–Mandatory Access Control (MAC) is found in military and highly sensitive information systems and networks. Each object and each subject has a security classification tag (label) which defines clearance levels for specific operations. An operation is only permitted when the subject and object have complementary clearance levels for the requested operation. The rules-based middleware required for mandatory access control is both complex and expensive.
–Non-Discretionary Access Control is usually role-based (RBAC): centrally administered, with authorization decisions based on the roles individuals have within an organization (e.g. bank teller, loan officer, etc. in a banking model). The system's security administrator grants and/or revokes system privileges based on a user's role. This model works well for corporations with a large turnover of personnel.
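As an added example (not part of the slides), the two decision styles side by side: a discretionary ACL where the object's owner hands out rights user by user, and a role-based policy where an administrator attaches permissions to roles and roles to users, so turnover is handled by re-assigning a role rather than editing every object. Users, roles and object names below are constructed for illustration.

```python
# Added example, not from the slides: DAC (owner decides) beside RBAC (rights
# attach to roles). Users, roles and object names are constructed.
from dataclasses import dataclass, field


@dataclass
class DacObject:
    """DAC: the object's owner grants or revokes rights on it, user by user."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of rights

    def grant(self, granter: str, user: str, right: str) -> bool:
        # Only the owner may change the ACL (identity-based decision).
        if granter != self.owner:
            return False
        self.acl.setdefault(user, set()).add(right)
        return True

    def revoke(self, granter: str, user: str, right: str) -> bool:
        if granter != self.owner:
            return False
        self.acl.get(user, set()).discard(right)
        return True

    def allowed(self, user: str, right: str) -> bool:
        # The owner has every right; everyone else has what the ACL says.
        return user == self.owner or right in self.acl.get(user, set())


class Rbac:
    """Non-discretionary, role-based: permissions are tied to roles, users to roles."""

    def __init__(self) -> None:
        self.role_perms = {}  # role -> {(object, right)}
        self.user_roles = {}  # user -> {role}

    def add_permission(self, role: str, obj: str, right: str) -> None:
        self.role_perms.setdefault(role, set()).add((obj, right))

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        # Staff turnover: drop the role; no per-object ACL entries to clean up.
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user: str, obj: str, right: str) -> bool:
        # A user holds a right on an object iff one of the user's roles does.
        return any((obj, right) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))


if __name__ == "__main__":
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    print("DAC: bob may read report:", report.allowed("bob", "read"))
    bank = Rbac()
    bank.add_permission("teller", "ledger", "read")
    bank.assign_role("dave", "teller")
    print("RBAC: dave may read ledger:", bank.allowed("dave", "ledger", "read"))
```

The DAC object never consults a central policy: whoever owns it decides, which is what makes the model discretionary. The RBAC policy has no owner concept at all; the only way to gain a right is through a role the administrator assigned.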

Reference Monitors
Reference monitors are kernels which mediate accesses to objects by subjects. A kernel may be hardware or software.
–Bell-LaPadula: information does not flow to an object of lower classification
–Harrison-Ruzzo-Ullman model
–Chinese Wall model
–Biba: no subject may depend on a less trusted object or subject
–Clark-Wilson: no subject may depend on a less trusted object or subject

Bell-LaPadula Model
The Bell-LaPadula model of protection systems deals with the control of information flow. It is a linear non-discretionary model. It consists of:
–A set of subjects, a set of objects, and an access control matrix
–Several ordered security levels. Each subject has a clearance and each object has a classification which attaches it to a security level.
Each subject also has a current clearance level which does not exceed its clearance level. Thus a subject can only change to a clearance level at or below its assigned clearance level.
The set of access rights given to a subject is the following:
–Read-Only: the subject can only read the object.
–Write: the subject can only write to the object but cannot read it.
–Execute: the subject can execute the object but can neither read nor write it.
–Read-Write: the subject has both read and write permissions on the object.

Bell-LaPadula (cont.)
The following restrictions are imposed by the model:
–Read down: a subject has read access only to objects whose security level is below the subject's current clearance level. This prevents a subject from getting access to information available at security levels higher than its current clearance level.
–Write up: a subject has write access only to objects whose security level is higher than its current clearance level. This prevents a subject from passing information to levels lower than its current level.
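The two restrictions as an executable check, added here as an example and not taken from the slides. The level names, subjects and objects are constructed; "at or below" and "at or above" are the usual dominance reading of read-down and write-up, so a subject may read and write objects at its own current level. The current-level mechanism is included because it is what makes a subject cleared for secret unable to read secret data once it has stepped down.

```python
# Added example, not the slides' code: Bell-LaPadula decisions over a linear
# ordering of security levels. Levels, subjects and objects are constructed.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class Subject:
    def __init__(self, name, clearance, current=None):
        self.name = name
        self.clearance = clearance
        self.current = clearance if current is None else current
        if LEVELS[self.current] > LEVELS[clearance]:
            raise ValueError("current level may not exceed clearance")

    def change_level(self, level):
        """A subject may only move to a level at or below its assigned clearance."""
        if LEVELS[level] > LEVELS[self.clearance]:
            return False
        self.current = level
        return True


class Obj:
    def __init__(self, name, classification):
        self.name = name
        self.level = classification


def permitted(subject, obj, right):
    """Decide one access under the read-down / write-up restrictions."""
    s = LEVELS[subject.current]   # the subject's current level, not its clearance
    o = LEVELS[obj.level]
    if right == "read-only":
        return o <= s             # read down: never observe above the current level
    if right == "write":
        return o >= s             # write up: never leak information downwards
    if right == "execute":
        return True               # neither observes nor alters the object's contents
    if right == "read-write":
        return o == s             # both restrictions at once: same level only
    raise ValueError(f"unknown right {right!r}")


if __name__ == "__main__":
    ana = Subject("ana", "secret")
    plan = Obj("plan", "top_secret")
    print("ana reads plan:", permitted(ana, plan, "read-only"))   # denied
    print("ana writes plan:", permitted(ana, plan, "write"))      # allowed
```

The read-write case is the intersection of the two rules, which is why it collapses to equality: anything above the current level would violate read-down and anything below would violate write-up.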

Orange Book
Orange Book --- DoD's Trusted Computer System Evaluation Criteria
–The DoD security categories range from D (Minimal Protection) to A (Verified Protection)
–D - Minimal Protection: any system that does not comply with any other category, or has failed to receive a higher classification. D-level certification is very rare.
–C - Discretionary Protection: applies to Trusted Computing Bases (TCBs) with optional object (i.e. file, directory, device, etc.) protection.
–B - Mandatory Protection: TCB protection systems should be mandatory, not discretionary.
–A - Verified Protection: the highest security division.

C - Discretionary Protection
C1 - Discretionary Security Protection
–Discretionary Access Control, for example Access Control Lists (ACLs), User/Group/World protection. Usually for users who are all on the same security level.
–Username and password protection and a secure authorisations database (ADB).
–Protected operating system and system operations mode.
–Periodic integrity checking of the TCB.
–Tested security mechanisms with no obvious bypasses.
–Documentation for user security, systems administration security and security testing; TCB design documentation.
–C1 certification is rare. Example systems are earlier versions of Unix and IBM RACF.
C2 - Controlled Access Protection
–As C1, plus:
–Object protection can be on a single-user basis, e.g. through an ACL or Trustee database.
–Authorisation for access may only be assigned by authorised users.
–Object reuse protection (i.e. to avoid reallocation of securely deleted objects).
–Mandatory identification and authorisation procedures for users, e.g. username/password.
–Full auditing of security events (i.e. date/time, event, user, success/failure, terminal ID).
–Protected system mode of operation.
–Added protection for authorisation and audit data.
–Documentation as C1, plus information on examining audit information.
–This is one of the most common certifications. Example operating systems are: VMS, IBM OS/400, Windows NT, Novell NetWare 4.11, Oracle 7, DG AOS/VS II.

B - Mandatory Protection
B1 - Labeled Security Protection
–As C2, plus:
–Mandatory security and access labelling of all objects, e.g. files, processes, devices, etc.
–Label integrity checking (e.g. maintenance of sensitivity labels when data is exported).
–Auditing of labelled objects.
–Mandatory access control for all operations.
–Ability to specify the security level printed on human-readable output (e.g. printers).
–Ability to specify the security level on any machine-readable output.
–Enhanced auditing. Enhanced protection of the operating system. Improved documentation.
–Example OSes are: HP-UX BLS, Cray Research Trusted Unicos 8.0, Digital SEVMS, Harris CS/SX, SGI Trusted IRIX.
B2 - Structured Protection
–As B1, plus:
–Notification of security level changes affecting interactive users.
–Hierarchical device labels.
–Mandatory access over all objects and devices.
–Trusted path communications between user and system.
–Tracking down of covert storage channels.
–Tighter system operations mode, split into multilevel independent units.
–Covert channel analysis.
–Improved security testing.
–Formal models of the TCB.
–Version, update and patch analysis and auditing.
–Example systems are: Honeywell Multics, Cryptek VSLAN, Trusted XENIX.

B3 - Security Domains
–As B2, plus:
–ACLs additionally based on groups and identifiers.
–Trusted path access and authentication.
–Automatic security analysis.
–More formal TCB models.
–Auditing of security auditing events.
–Trusted recovery after system down, and relevant documentation.
–Zero design flaws in the TCB, and minimum implementation flaws.
–The only B3-certified OS is the Getronics/Wang Federal XTS-300.

A - Verified Protection
A1 - Verified Protection
–As B3, plus: formal methods and proof of integrity of the TCB.
–These are the only A1-certified systems: Boeing MLS LAN, Gemini Trusted Network Processor, Honeywell SCOMP.
A2 and above
–Provision is made for security levels higher than A2, although these have not yet been formally defined. No OSes are rated above A1.

Harrison-Ruzzo-Ullman Model
The Bell-LaPadula model does not state policies for changing access rights or for the creation/deletion of subjects/objects (an authorization system).
HRU: subjects (S), objects (O), access rights (R), access matrix (M)
Primitive operations:
–Enter r into M[s,o]
–Delete r from M[s,o]
–Create subject s, delete subject s
–Create object o, delete object o
Example (s: owner; f: file; p: another subject): if s is the owner of f, then grant p read access to f.
command grant_read(s, p, f)
  if own in M[s,f]
  then enter read into M[p,f]
end
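An access matrix with the primitive operations and the grant_read command built on top of them, added as an example (not the slides' code). The right names own and read stand for the o and r the slide abbreviates; subjects, objects and the matrix contents are constructed. The matrix treats every subject as an object too, as the slide on authorization mechanisms notes.

```python
# Added example, not the slides' code: an HRU access matrix, its primitive
# operations, and the grant_read command. Names and rights are constructed.
class AccessMatrix:
    def __init__(self):
        self.subjects = set()
        self.objects = set()   # subjects are objects too
        self.m = {}            # (subject, object) -> set of rights, i.e. M[s,o]

    # --- the primitive operations ---
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        self.objects.add(o)

    def delete_subject(self, s):
        # Removing a subject removes its row and (since it is also an object) its column.
        self.subjects.discard(s)
        self.objects.discard(s)
        self.m = {k: v for k, v in self.m.items() if s not in k}

    def delete_object(self, o):
        self.objects.discard(o)
        self.m = {k: v for k, v in self.m.items() if k[1] != o}

    def enter(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError("enter on a subject or object that does not exist")
        self.m.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self.m.get((s, o), set()).discard(r)

    def rights(self, s, o):
        return frozenset(self.m.get((s, o), set()))


# --- a command composed from the primitives, as in the slide ---
def grant_read(m, s, p, f):
    """command grant_read(s, p, f): if own in M[s,f] then enter read into M[p,f] end."""
    if "own" in m.rights(s, f):
        m.enter("read", p, f)
        return True
    return False


if __name__ == "__main__":
    m = AccessMatrix()
    for name in ("alice", "bob"):
        m.create_subject(name)
    m.create_object("report")
    m.enter("own", "alice", "report")
    print("alice grants bob read:", grant_read(m, "alice", "bob", "report"))
    print("bob's rights on report:", sorted(m.rights("bob", "report")))
```

Commands are the only way the matrix changes; each one is a guarded sequence of primitives, and the guard here is the ownership test the slide states. Returning False rather than raising keeps a failed guard distinguishable from a malformed request, which is what the KeyError in enter reports.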

Chinese Wall Model
Proposed by Brewer and Nash. Models access rules in a consultancy business where conflicts of interest arise when dealing with different competing clients.
Rule: there must be no information flow that causes a conflict of interest.
We need to add the following to the Bell-LaPadula model to incorporate this rule:
–Companies (C), objects (O), subjects/analysts (S)
–y: O → C maps objects to companies
–x: O → P(C), the conflict of interest group for each object
–Security label of an object: (x(o), y(o))
–A sanitized object has x(o) = {}

Conflicts of interest may also arise due to past accesses: N[s,o] = true if s had access to o in the past.
Simple security (ss-property): a subject s will be permitted to access an object o only if, for all objects o' that s has already accessed, y(o) = y(o') (i.e., they belong to the same company) or y(o) is not in x(o').
*-property (to control write access): a subject s is granted write access to an object o only if s has no read access to an object o' that belongs to another company and contains unsanitized information (x(o') ≠ {}).

Biba Model
Extends BLP. L: lattice of integrity levels; fs: S → L; fo: O → L.
Goal: to prevent corruption of clean high-level entities by 'dirty' low-level entities; information only flows downwards.
There is no single high-level policy; there are multiple policies, over a lattice of integrity levels.

Simple integrity property (ss-property): if subject s can modify (alter) object o, then fs(s) ≥ fo(o) (no write-up).
Integrity *-property: if subject s can read (observe) object o, then s can have write access to some other object p only if fo(p) ≤ fo(o) (i.e., if s can read an object, then s can write only objects whose integrity level is at most that of the read object).
These two policies prevent clean subjects and objects from being contaminated by dirty information.

The following integrity properties automatically adjust the integrity level of an entity if it has come into contact with low-level information (cf. the Chinese Wall model, where past accesses also change what is permitted):
–Subject low watermark property: s can read an object o at any integrity level. The new integrity level of the subject is inf(fs(s), fo(o)) [the greatest lower bound of fs(s) and fo(o)].
–Object low watermark property: subject s can modify an object o at any integrity level. The new integrity level of the object is inf(fs(s), fo(o)).

A subject can invoke another subject, e.g., a software tool, to access an object.
–Invoke property: subject s1 can invoke subject s2 only if fs(s2) ≤ fs(s1).
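The Biba properties from the last three slides in one place, as an added example that is not the slides' code. To show that L really is a lattice and not just a chain, levels are pairs of integers ordered componentwise, so inf is the componentwise minimum and two levels can be incomparable; the subjects, objects and level values are constructed.

```python
# Added example, not the slides' code: Biba's ss-, *-, invoke and low watermark
# properties over a product lattice of integrity levels. Levels, subjects and
# objects are constructed.
def leq(a, b):
    """a ≤ b in the lattice: every component of a is at most that of b."""
    return all(x <= y for x, y in zip(a, b))


def inf(a, b):
    """Greatest lower bound of two levels (componentwise minimum)."""
    return tuple(min(x, y) for x, y in zip(a, b))


class Biba:
    def __init__(self, fs, fo):
        self.fs = dict(fs)  # subject -> integrity level, fs: S -> L
        self.fo = dict(fo)  # object -> integrity level, fo: O -> L

    def may_modify(self, s, o):
        # ss-property: fs(s) ≥ fo(o), i.e. no write-up
        return leq(self.fo[o], self.fs[s])

    def may_write_after_read(self, s, o_read, p):
        # integrity *-property: having read o, s may write p only if fo(p) ≤ fo(o)
        return leq(self.fo[p], self.fo[o_read])

    def may_invoke(self, s1, s2):
        # invoke property: s1 may invoke s2 only if fs(s2) ≤ fs(s1)
        return leq(self.fs[s2], self.fs[s1])

    def read_low_watermark(self, s, o):
        # subject low watermark: the read is allowed, but s drops to inf(fs(s), fo(o))
        self.fs[s] = inf(self.fs[s], self.fo[o])
        return self.fs[s]

    def modify_low_watermark(self, s, o):
        # object low watermark: the write is allowed, but o drops to inf(fs(s), fo(o))
        self.fo[o] = inf(self.fs[s], self.fo[o])
        return self.fo[o]


if __name__ == "__main__":
    b = Biba(fs={"s": (2, 2), "tool": (1, 0)},
             fo={"clean": (1, 2), "dirty": (0, 1), "mixed": (3, 0)})
    print("s may modify clean:", b.may_modify("s", "clean"))   # True
    print("s may modify mixed:", b.may_modify("s", "mixed"))   # False: (3,0) not ≤ (2,2)
    print("s after reading dirty:", b.read_low_watermark("s", "dirty"))  # (0, 1)
    print("s may modify clean now:", b.may_modify("s", "clean"))  # False
```

The object "mixed" at (3, 0) is incomparable with the subject at (2, 2): neither dominates the other, so the ss-property denies the write even though the first component is higher. The watermark methods are the only ones that mutate state, and they only ever move a level downwards, which is the "information only flows downwards" rule in action.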

Clark-Wilson Model
Addresses the security requirements of commercial applications --- data integrity: unauthorized modification of data, fraud, concurrency control, and errors.
–Internal consistency: properties of the internal state of a system; can be enforced by the computing system.
–External consistency: the relation of the internal state of a system to the real world; has to be enforced by means outside the computing system, e.g., by auditing.

Mechanisms for enforcing integrity:
–Well-formed transactions: data items can be manipulated only by a specific set of programs; users have access to programs rather than to data items.
–Separation of duties: users have to collaborate to manipulate data, and would have to collude to penetrate the security system (different persons develop, test, certify, and operate a system; during operation, different persons have to collaborate to enable a transaction).

Programs are an intermediate control layer between subjects and objects (data items):
–Subjects are authorized to execute certain programs.
–Programs can access certain data objects.
–Integrity --- being authorized to apply a program to a data item that may be accessed through this program.
Requirements: subjects have to be identified and authenticated; objects can be manipulated only by a restricted set of programs; subjects can only execute a restricted set of programs; a proper audit log has to be kept; the system has to be certified.

Terminology
–CDI: constrained data items: data items governed by the security policy
–UDI: unconstrained data items: inputs to the system received from outside
–UDI to CDI conversion is outside the security system
–TP: transformation procedures: programs that can manipulate CDIs
–IVP: integrity verification procedures: to check the integrity of a state

Certification rules:
–IVPs must ensure that all CDIs are in a valid state when the IVP is run.
–Each TP is certified to access certain CDIs.
–Access rules must satisfy any separation of duties requirements.
–All TPs must write to an append-only log.
–Any TP that takes a UDI as input must either convert it to a CDI or reject it.
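The terminology and certification rules of the last slides as a small enforcement layer, added here as an example and not the slides' code. Two account balances are the CDIs, a transfer is the only certified TP, the amount arrives as a UDI that must be converted or rejected, an IVP checks the invariant before and after every TP, every TP run is appended to a log, and separation of duties is modelled as one rule: the person who certified a TP may not be authorized to run it. The accounts, users, invariant and the separation-of-duties rule are constructed for this example.

```python
# Added example, not the slides' code: a toy Clark-Wilson layer with CDIs,
# certified TPs, IVPs, (user, TP) access triples, an append-only log and UDI
# validation. The bank-transfer scenario and all names are constructed.
class IntegrityViolation(Exception):
    pass


class ClarkWilson:
    def __init__(self, cdis):
        self.cdis = dict(cdis)  # constrained data items: name -> value
        self.tps = {}           # TP name -> (procedure, CDIs it is certified for, certifier)
        self.ivps = []          # integrity verification procedures
        self.triples = set()    # (user, TP): who may run what
        self.log = []           # append-only: entries are only ever appended

    def add_ivp(self, ivp):
        self.ivps.append(ivp)

    def certify_tp(self, certifier, name, proc, cdi_names):
        self.tps[name] = (proc, frozenset(cdi_names), certifier)

    def authorize(self, user, tp):
        # Separation of duties (constructed rule): the certifier may not operate the TP.
        if user == self.tps[tp][2]:
            raise IntegrityViolation(f"{user} certified {tp} and may not run it")
        self.triples.add((user, tp))

    def valid_state(self):
        return all(ivp(self.cdis) for ivp in self.ivps)

    def run(self, user, tp, udi=None):
        if (user, tp) not in self.triples:
            raise IntegrityViolation(f"{user} is not authorized for {tp}")
        proc, cdi_names, _ = self.tps[tp]
        if not self.valid_state():
            raise IntegrityViolation("CDIs are not in a valid state before the TP")
        before = {k: self.cdis[k] for k in cdi_names}  # the TP sees only its own CDIs
        new = proc(dict(before), udi)                   # raises to reject a bad UDI
        if set(new) - cdi_names:
            raise IntegrityViolation(f"{tp} touched CDIs it is not certified for")
        self.cdis.update(new)
        self.log.append((user, tp, before, dict(new)))
        if not self.valid_state():
            self.cdis.update(before)                    # undo, and record that too
            self.log.append((user, tp, "rolled back"))
            raise IntegrityViolation("IVP failed after the TP")
        return dict(new)


def transfer(cdis, udi):
    """TP: move an amount between the two balances; the amount arrives as a UDI."""
    try:
        amount = int(udi)                                # UDI -> CDI conversion ...
    except (TypeError, ValueError):
        raise IntegrityViolation("rejected UDI: not an integer")   # ... or rejection
    if amount <= 0 or amount > cdis["balance_a"]:
        raise IntegrityViolation("rejected UDI: amount out of range")
    return {"balance_a": cdis["balance_a"] - amount,
            "balance_b": cdis["balance_b"] + amount}


def build_demo():
    cw = ClarkWilson({"balance_a": 100, "balance_b": 0})
    # IVP (constructed invariant): money is neither created nor destroyed, no overdraft
    cw.add_ivp(lambda c: c["balance_a"] >= 0 and c["balance_b"] >= 0
               and c["balance_a"] + c["balance_b"] == 100)
    cw.certify_tp("auditor", "transfer", transfer, ["balance_a", "balance_b"])
    cw.authorize("teller", "transfer")
    return cw


if __name__ == "__main__":
    cw = build_demo()
    print("after transfer:", cw.run("teller", "transfer", "30"))
    print("log entries:", len(cw.log))
```

Users never touch a balance directly; the only path to a CDI is a (user, TP) triple, which is the "users have access to programs rather than to data items" idea of well-formed transactions. A rejected UDI leaves both the CDIs and the log untouched, while a TP that passes validation but breaks the invariant is rolled back and the rollback itself is logged.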