A Perspective on Graphs and Access Control Models
Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
© 2004 Ravi Sandhu

Outline
  A perspective on security
  A perspective on access control
  The safety problem in access control
  Looking ahead
  Discussion

Security Confusion
  INTEGRITY: modification
  AVAILABILITY: access
  CONFIDENTIALITY: disclosure
  USAGE: purpose
  electronic commerce, electronic business
  digital rights management, client-side controls

Good enough security
  [Figure: diagram with corners EASY, SECURE, COST]
  Security geeks, Real-world users, System owner
  whose security, perception or reality of security
  end users, operations staff, help desk
  system cost, operational cost, opportunity cost, cost of fraud
  Business models will dominate security models

Good enough security
  [Figure: RISK versus COST, each on a scale of L, M, H; labels: Entrepreneurial mindset, Academic mindset]

Access Control Models
  Authentication: who is trying to access a protected resource?
  Authorization: who should be allowed to access which protected resources? who should be allowed to change the access?
  Enforcement: how does the system enforce the specified authorization?
  [Figure labels: Access Control Models, Access Control Architecture]

The OM-AM Way
  Objectives, Models, Architectures, Mechanisms
  What? How?
  Assurance

Access Control Status
  Ten years ago
    Emphasis on
      – Cryptography and intrusion detection
      – Access control relegated to back burner
    Ravi Sandhu, Access Control: The Neglected Frontier. Proc. First Australasian Conference on Information Security and Privacy, LNCS,
  Today
    Strong industry interest
    Growing need
    Growing research

Safety in Access Control
  Authentication: who is trying to access a protected resource?
  Authorization: who should be allowed to access which protected resources? who should be allowed to change the access?
  Enforcement: how does the system enforce the specified authorization?
  [Figure labels: Access Control Models, Access Control Architecture, The Safety Problem]

The HRU (Harrison-Ruzzo-Ullman) Model, 1976
  [Figure: example protection state over U, V, F, G with rights r, w]

The HRU (Harrison-Ruzzo-Ullman) Model, 1976
  [Figure: example protection state: U, F: r, w; V, G: r]

HRU Commands and Operations

  command α(X1, X2, ..., Xk)
    if r1 in (Xs1, Xo1) and
       r2 in (Xs2, Xo2) and
       ...
       ri in (Xsi, Xoi)
    then op1; op2; … opn
  end

  Operations:
    enter r into (Xs, Xo)
    delete r from (Xs, Xo)
    create subject Xs
    create object Xo
    destroy subject Xs
    destroy object Xo

HRU as Graph Rules (from Koch et al 2002)

Safety in HRU (late 1970s)
  Safety Problem: Is there a reachable state with edge labeled z from X to Y?
  Undecidable in general
  HRU unable to find interesting decidable cases.
  Mono-operational: decidable but uninteresting
  Monotonic: undecidable
  Bi-conditional monotonic: undecidable
  Mono-conditional monotonic: decidable but uninteresting

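The command form and the safety question above, as an added example that is not part of the original slides: an access matrix, two HRU-style commands, and an exhaustive search for a reachable state that contains a given right. Assumptions: the "own" right and both commands are constructed for illustration, and create/destroy operations are left out, which fixes the set of subjects and objects so the state space is finite and the search terminates.

```python
from collections import deque
from itertools import product

# A command is (name, kinds, conditions, operations):
#   kinds      - "s" or "o" for each formal parameter X1..Xk
#   conditions - (right, i, j): right must be in cell (X_i, X_j)
#   operations - ("enter" | "delete", right, i, j)
GRANT_READ = ("grant_read", "sso", [("own", 0, 2)], [("enter", "r", 1, 2)])
SHARE_WRITE = ("share_write", "sso",
               [("w", 0, 2), ("r", 1, 2)], [("enter", "w", 1, 2)])

def step(cmd, args, matrix):
    """Apply one command to a frozenset of (subject, object, right) triples."""
    _, _, conds, ops = cmd
    if not all((args[i], args[j], r) in matrix for r, i, j in conds):
        return None                      # condition part fails: no effect
    cells = set(matrix)
    for kind, r, i, j in ops:
        if kind == "enter":
            cells.add((args[i], args[j], r))
        else:
            cells.discard((args[i], args[j], r))
    return frozenset(cells)

def find_leak(subjects, objects, matrix, commands, target):
    """Breadth-first search for a reachable state containing `target`.

    Returns the shortest command sequence that produces it, or None if no
    reachable state contains it (the system is safe for that right)."""
    pools = {"s": sorted(subjects), "o": sorted(objects)}
    start = frozenset(matrix)
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        if target in state:
            return trace
        for cmd in commands:
            for args in product(*(pools[k] for k in cmd[1])):
                nxt = step(cmd, args, state)
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + [(cmd[0], args)]))
    return None

# Constructed sample state: the U/V/F/G example plus an assumed "own" right.
SUBJECTS, OBJECTS = {"U", "V"}, {"F", "G"}
INITIAL = {("U", "F", "own"), ("U", "F", "r"), ("U", "F", "w"), ("V", "G", "r")}
COMMANDS = [GRANT_READ, SHARE_WRITE]
```

Calling `find_leak(SUBJECTS, OBJECTS, INITIAL, COMMANDS, ("V", "F", "w"))` returns the two-command witness by which V acquires w on F, while the same query for `("U", "G", "r")` returns None.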
The Safety Problem
  HRU 1976: "It would be nice if we could provide for protection systems an algorithm which decided safety for a wide class of systems, especially if it included all or most of the systems that people seriously contemplate. Unfortunately, our one result along these lines involves a class of systems called mono-operational, which are not terribly realistic. Our attempts to extend these results have not succeeded, and the problem of giving a decision algorithm for a class of protection systems as useful as the LR(k) class is to grammar theory appears very difficult."
  2004: Considerable progress has been made, but much remains to be done, and practical application of known results is essentially non-existent.
    – Progress includes: Take-Grant Model (Jones, Lipton, Snyder, Denning, Bishop; late 70s, early 80s), Schematic Protection Model (Sandhu, 80s), Typed Access Matrix Model (Sandhu, 1990s), Graph Transformations (Koch, Mancini, Parisi-Presicce, 2000s)

Safety with Types
  Typed Access Matrix or TAM model (Sandhu 1992)
    – Safety is polynomial-decidable for monotonic ternary TAM with acyclic create-graph
  Typed Graphs (Koch et al 2002)
    – Safety is decidable for transformations that are either expanding or deleting
    – The given algorithm is exponential but actual complexity remains an open question

The Take-Grant Model (late 70s, early 80s)
  [Figure: (a) nodes A and B joined by an edge labeled t: B/t ∈ dom(A); (b) nodes A and B joined by an edge labeled g: B/g ∈ dom(A)]
  Original graph representation, late 70s

The Take-Grant Model (late 70s, early 80s)
  [Figure: (a) nodes A and B joined by an edge labeled t: B/t ∈ dom(A); (b) nodes A and B joined by an edge labeled g: B/g ∈ dom(A)]
  Lockman-Minsky representation, 1982

Creation in Take-Grant
  [Figure: two panels, each showing node A and an edge labeled tg: (a) The Original View, (b) The Lockman-Minsky View]

Reversal of Take-Grant Flow: case t
  [Figure: graph over nodes A and B; edge labels t, tg, g, t]

Reversal of Take-Grant Flow: case g
  [Figure: graph over nodes A and B; edge labels g, tg, g, "t, g"]

Reversal of Grant-Only Flow
  [Figure: graph over nodes A and B; edge labels g, gg, g, g]

Non-Reversal of Take-Only Flow
  [Figure: graph over nodes A and B; edge labels t, tt, t]

Safety in more recent (and practical) models
  RBAC96 (foundation of a new NIST/ANSI/ISO standard)
    Safety is undecidable in general
      – Sandhu, Munawer, Crampton, 1998
    Decidable cases exist
      – Li, Mitchell, Winsborough, Solworth, Sloan, 2000s
  UCON (Usage Control Models)
    Safety is undecidable in general
    Decidable cases exist
      – Park, Sandhu, Zhang, Parisi-Presicce, 2000s

Looking ahead
  Security lags information technology applications
  Information technology applications are moving extremely rapidly
  The need for decentralized and automatic authorization is growing very rapidly
  The safety problem of access control remains a critical path problem
  Challenges
    – Develop new real-world relevant theory
    – Apply old and new theory
  Can theory of graph transformations help us?

RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)
  [Figure: RBAC96 components: USERS, ROLES, PERMISSIONS, SESSIONS, USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, ROLE HIERARCHIES, CONSTRAINTS]

UCON (Usage Control) Models
  [Figure labels: ongoing, N/A]