Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 14, 2003 Introduction to Computer Security Lecture.

Slides:



Advertisements
Similar presentations
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
Advertisements

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
Operating System Security
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Access Control RBAC Database Activity Monitoring.
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Access Control Discretionary Access Control Lecture 4 1.
Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies (2000) Author: Sylvia Osborn, Ravi Sandhu,Qamar Munawer.
Access Control Intro, DAC and MAC System Security.
Information Security Principles & Applications Topic 6: Security Policy Models 虞慧群
Security Leadership Essentials – Defense-in-Depth – © 2006 SANS Role-Based Access Control (RBAC) Approach for Defense-in-Depth Peter Leight and Richard.
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
Software Connectors. Attach adapter to A Maintain multiple versions of A or B Make B multilingual Role and Challenge of Software Connectors Change A’s.
Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
1 Temporal Location-Aware Access Control Model Based on Composite Events Presented by Yu, Lijun
User Domain Policies.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
Fall 2010/Lecture 301 CS 426 (Fall 2010) Role Based Access Control.
Role Based Access Control Models Presented By Ankit Shah 2 nd Year Master’s Student.
Role-Based Access Control Standard
Protection and Security An overview of basic principles CS5204 – Operating Systems1.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Li Xiong CS573 Data Privacy and Security Access Control.
Role-Based Access Control Richard Newman (c) 2012 R. Newman.
CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.
CSCE 201 Introduction to Information Security Fall 2010 Access Control.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
NIST Standard for Role- Based Access Control Present by Wenyi Ni.
Li Xiong CS573 Data Privacy and Security Access Control.
Access Control. What is Access Control? The ability to allow only authorized users, programs or processes system or resource access The ability to disallow.
14.1/21 Part 5: protection and security Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition,
Software Security II Karl Lieberherr. What is Security Enforcing a policy that describes rules for accessing resources. Policy may be explicit or implicit.
ROLE BASED ACCESS CONTROL 1 Group 4 : Lê Qu ố c Thanh Tr ầ n Vi ệ t Tu ấ n Anh.
(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏
CSCE 201 Introduction to Information Security Fall 2010 Access Control Models.
Design Principles and Common Security Related Programming Problems
Computer Security: Principles and Practice
Fall 2008CS 334: Computer SecuritySlide #1 Design Principles Thanks to Matt Bishop.
Protection & Security Greg Bilodeau CS 5204 October 13, 2009.
June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #13-1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe.
IS 2150 / TEL 2810 Introduction to Security
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Morteza Amini; 2nd Semester ; Database Security; Sharif Univ. of Tech. Role-Based Access Control Overview user_sessions (RH) Role Hierarchy session_roles.
1 Chapter 12: Design Principles Overview –There are principles for many kinds of design Generally, a design should consider: Balance, Rhythm, Proportion,
June 1, 2004© Matt Bishop [Changed by Hamid R. Shahriari] Slide #13-1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Slide #13-1 Design Principles CS461/ECE422 Computer Security I Fall 2008 Based on slides provided by Matt Bishop for use with Computer Security: Art and.
1 Saltzer [1974] and later Saltzer and Schroeder [1975] list the following principles of the design of secure protection systems, which are still valid:
1 Design Principles CS461 / ECE422 Spring Overview Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction.
1 Role-Based Access Control (RBAC) Prof. Ravi Sandhu Executive Director and Endowed Chair January 29, © Ravi.
Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 4, 2005 Introduction to Computer Security Lecture.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Lecture 6 October 4, 2007 Integrity Models Role based Access Control.
Access Control Model SAM-5.
Role-Based Access Control (RBAC)
Software Security II Karl Lieberherr.
Access Control Role-based models RBAC
Chapter 13: Design Principles
Chapter 1: Introduction
Chapter 13: Design Principles
Role-Based Access Control Richard Newman (c) 2012 R. Newman
Computer Security: Art and Science, 2nd Edition
Chapter 13: Design Principles
Design Principles Thanks to Matt Bishop 2006 CS 395: Computer Security.
NIST Standard for Role-Based Access Control
Presentation transcript:

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 14, 2003 Introduction to Computer Security Lecture 6 RBAC, Policy Composition Design Principles

INFSCI 2935: Introduction to Computer Security2 Permissions RBAC (NIST Standard) UsersRolesOperationsObjects Sessions UA user_sessions (one-to-many) role_sessions (many-to-many) PA An important difference from classical models is that Subject in other models corresponds to a Session in RBAC

INFSCI 2935: Introduction to Computer Security3 Core RBAC (relations) Permissions = 2 Operations x Objects Permissions = 2 Operations x Objects UA ⊆ Users x Roles UA ⊆ Users x Roles PA ⊆ Permissions x Roles PA ⊆ Permissions x Roles assigned_users: Roles  2 Users assigned_users: Roles  2 Users assigned_permissions: Roles  2 Permissions assigned_permissions: Roles  2 Permissions Op(p): set of operations associated with permission p Op(p): set of operations associated with permission p Ob(p): set of objects associated with permission p Ob(p): set of objects associated with permission p user_sessions: Users  2 Sessions user_sessions: Users  2 Sessions session_user: Sessions  Users session_user: Sessions  Users session_roles: Sessions  2 Roles session_roles: Sessions  2 Roles  session_roles(s) = {r | (session_user(s), r)  UA)} avail_session_perms: Sessions  2 Permissions avail_session_perms: Sessions  2 Permissions

INFSCI 2935: Introduction to Computer Security4 Permissions RBAC with General Role Hierarchy UsersRolesOperationsObjects Sessions UA user_sessions (one-to-many) role_sessions (many-to-many) PA RH (role hierarchy)

INFSCI 2935: Introduction to Computer Security5 RBAC with General Role Hierarchy  2 Users authorized_users: Roles  2 Users  authorized_users(r) = {u | r’ ≥ r &(r’, u)  UA)  2 Permissions authorized_permissions: Roles  2 Permissions authorized_users(r) = {p | r’ ≥ r &(p, r’)  PA) ⊆ Roles x Roles RH ⊆ Roles x Roles is a partial order  called the inheritance relation  written as ≥. (r 1 ≥ r 2 )  authorized_users(r 1 ) ⊆ authorized_users(r 2 ) & authorized_permisssions(r 2 ) ⊆ authorized_permisssions(r 1 )

INFSCI 2935: Introduction to Computer Security6 Example authorized_users(Employee)? authorized_users(Administrator)? authorized_permissions(Employee)? authorized_permissions(Administrator)? p x, p y p 1, p 2 p a, p b p x, p y e 1, e 2 p x, p y e 3, e 4 p x, p y e5e5 e 6, e 7 p x, p y e 8, e 9 p x, p y e 10 p m, p n popo p

INFSCI 2935: Introduction to Computer Security7 Constrained RBAC Permissions UsersRolesOperationsObjects Sessions UA user_sessions (one-to-many) PA RH (role hierarchy) Static Separation of Duty Dynamic Separation of Duty

INFSCI 2935: Introduction to Computer Security8 Static Separation of Duty SSD ⊆ 2 Roles x N SSD ⊆ 2 Roles x N In absence of hierarchy In absence of hierarchy  Collection of pairs (RS, n) where RS is a role set, n ≥ 2; for all (RS, n)  SSD, for all t ⊆ RS: |t| ≥ n  ∩ r  t assigned_users(r)=  In presence of hierarchy In presence of hierarchy  Collection of pairs (RS, n) where RS is a role set, n ≥ 2; for all (RS, n)  SSD, for all t ⊆ RS: |t| ≥ n  ∩ r  t authorized_uers(r)= 

INFSCI 2935: Introduction to Computer Security9 Dynamic Separation of Duty DSD ⊆ 2 Roles x N DSD ⊆ 2 Roles x N  Collection of pairs (RS, n) where RS is a role set, n ≥ 2;  A user cannot activate n or more roles from RS  What if both SSD and DSD contains (RS, n)? Consider (RS, n) = ({r 1, r 2, r 3 }, 2)? If SSD – can r 1, r 2 and r 3 be assigned to u? If DSD – can r 1, r 2 and r 3 be assigned to u?

INFSCI 2935: Introduction to Computer Security10 MAC using RBAC L M1 H M2 LR M1R HR M2R H M1W LW M2W Read Roles (same lattice) Write Roles (inverse lattice) Transformation rules R = {L 1 R, L 2 R,…, L n R, L 1 W, L 2 W,…, L n W} Two separate hierarchies for {L 1 R, L 2 R,…, L n R} and { L 1 W, L 2 W,…, L n W} Each user is assigned to exactly two roles: xR and LW Each session has exactly two roles yR and yW Permission (o, r) is assigned to xR iff (o, w) is assigned to xW) Transformation rules R = {L 1 R, L 2 R,…, L n R, L 1 W, L 2 W,…, L n W} Two separate hierarchies for {L 1 R, L 2 R,…, L n R} and { L 1 W, L 2 W,…, L n W} Each user is assigned to exactly two roles: xR and LW Each session has exactly two roles yR and yW Permission (o, r) is assigned to xR iff (o, w) is assigned to xW) BLP

INFSCI 2935: Introduction to Computer Security11 RBAC’s Benefits

INFSCI 2935: Introduction to Computer Security12 Cost Benefits Saves about 7.01 minutes per employee, per year in administrative functions  Average IT amin salary - $59.27 per hour  The annual cost saving is: $6,924/1000; $692,471/100,000 Reduced Employee downtime  if new transitioning employees receive their system privileges faster, their productivity is increased  26.4 hours for non-RBAC; 14.7 hours for RBAC  For average employee wage of $39.29/hour, the annual productivity cost savings yielded by an RBAC system: $75000/1000; $7.4M/100,000

INFSCI 2935: Introduction to Computer Security13 Time-based Access Control Requirement Organizational functions and services with temporal requirements Organizational functions and services with temporal requirements  A part-time staff is authorized to work only between 9am-2pm on weekdays  A day doctor must be able to perform his/her duties between 8am-8pm  An external auditor needs access to organizational financial data for a period of three months  A video library allows access to a subscriber to view at most three movies every week  In an insurance company, an agent needs access to patient history until a claim has been settled

INFSCI 2935: Introduction to Computer Security14 Generalized Temporal RBAC Triggers and Events Triggers and Events Temporal constraints Temporal constraints  Roles, user-role and role-permission assignment constraints  Activation constraints (cardinality, active duration,..) Temporal role hierarchy Temporal role hierarchy Time-based Separation of duty constraints Time-based Separation of duty constraints

INFSCI 2935: Introduction to Computer Security15 States of a Role in GTRBAC Enabled Active Disabled

INFSCI 2935: Introduction to Computer Security16 Event and Trigger Simple events Simple events  enable r disable r  assign U r to u deassign U r to u  assign P p to r deassign P p to r  activate r for u deactivate r for u Prioritized event pr:E, where pr  Prios Prioritized event pr:E, where pr  Prios Status Status  Role, assignment status – e.g.. enabled( r ); p_assigned( p, r ) Triggers: E 1,…, E n, C 1,…, C k  pr:E after ∆ t, where E i are events, C i are status expressions Triggers: E 1,…, E n, C 1,…, C k  pr:E after ∆ t, where E i are events, C i are status expressionsExample: enable DayDoctor  enable DoctorInTraining after 1 hour User/administrator run-time request: pr:E after ∆ t User/administrator run-time request: pr:E after ∆ t

INFSCI 2935: Introduction to Computer Security17 Temporal Constraints: Roles, User-role and Role-permission Assignments Periodic time Periodic time  (I, P) :  [ begin, end ], P  is a set of intervals  P is an infinite set of recurring intervals Calendars: Calendars:  Hours, Days, Weeks, Months, Years Examples Examples all.Weeks + {2, …, 6}.Days + 10.Hours ⊲ 12.hours - Daytime (9am to 9pm) of working days all.Weeks + {2, …, 6}.Days - Working days

INFSCI 2935: Introduction to Computer Security18 Temporal Constraints: Roles, User-role and Role-permission Assignments Periodicity: (I, P, pr:E) Periodicity: (I, P, pr:E)  ([1/1/2001,  ], Daytime, enable DayDoctor)  ([1/1/2000,  ], {Mon,Wed}, assign U DayDoctor to Smith) Duration constraint: (D, pr:E) Duration constraint: (D, pr:E)  (Five hours, enable DoctorInTraining)  activate DayDoctor for Smith  enable DoctorInTraining after 1 hour Cardinality constraint: ([I, P], N, assign U r ) Cardinality constraint: ([I, P], N, assign U r )  ([1/1/2000,  ], {Mon, Wed}, 5, assign U DayDoctor)

INFSCI 2935: Introduction to Computer Security19 Activation Time Constraints Active role duration Active role duration  Total duration for role activation 1.Per role: D active, [D default ], active R_total r 2.Per user role:D uactive, u, active UR_total r  Max active role duration per activation C 1.Per role: D max, active R_max r 2.Per user role: D umax, u, active UR_max r Cardinality Cardinality  Total number of role activations 1.Per role:N active, [N default ], active R_n r 2.Per user role:N uactive, u, active UR_n r  Max number of concurrent activations C 1.Per role: N max, [N default ], active R_con r 2.Per user role:N umax, u, active UR_con r

INFSCI 2935: Introduction to Computer Security20 Example of Activation Time Constraint Video library offers 600 hours of total time per week Video library offers 600 hours of total time per week A, B and C subscribe for 100 hours each A, B and C subscribe for 100 hours each D subscribes for 250 hours D subscribes for 250 hours E subscribes for 50 hours E subscribes for 50 hours B D E (Weekly, 300, 100, active R_total MV1) (Weekly, 250, active R_total MV2) (Weekly, 50, active R_total MV3) C A MV3 MV2 MV1 Video Database

INFSCI 2935: Introduction to Computer Security21 Role Hierarchy in GTRBAC GTRABC-based temporal role hierarchies allow GTRABC-based temporal role hierarchies allow  Separation of permission inheritance and role activation semantics that facilitate management of access control  Capturing the effect of the presence of temporal constraints on hierarchically related roles and therefore allowing fine-grained access control

INFSCI 2935: Introduction to Computer Security22 Types of Role Hierarchy Permission-Inheritance hierarchy (I-hierarchy) Permission-Inheritance hierarchy (I-hierarchy)  Senior inherits juniors’ permission  User assigned to senior cannot activate juniors Role-Activation hierarchy (A-hierarchy) Role-Activation hierarchy (A-hierarchy)  Senior does not inherit juniors’ permissions  User assigned to senior can activate juniors  Advantage: SOD constraints can be defined hierarchically related roles General Inheritance hierarchy (IA-hierarchy) General Inheritance hierarchy (IA-hierarchy)  Senior inherits juniors’ permission  User assigned to senior can activate juniors

INFSCI 2935: Introduction to Computer Security23 Types of Role Hierarchy Programmer (a) IA Hierarchy(c) I Hierarchy Software Engineer Software Engineer Combination of roles that can be activated by u : { (Software Engineer)} Combination of roles that can be activated by u {(Software Engineer), (Software Engineer, Programmer), (Programmer) } u assigned to Programmer Software Engineer (b) A Hierarchy u assigned to

INFSCI 2935: Introduction to Computer Security24 Weakly Restricted and Strongly Restricted Temporal Role Hierarchies I-hierarchy: (assume x is senior of y ) I-hierarchy: (assume x is senior of y )  Weakly restricted hierarchy x inherits y ’s permissions y need not be enabled  Strongly restricted hierarchy x inherits y ’s permissions only when both x and y enabled A-hierarchy: (assume x is senior of y and u is assigned to x ) A-hierarchy: (assume x is senior of y and u is assigned to x )  Weakly restricted hierarchy u can activate y x need not be enabled  Strongly restricted hierarchy u can activate y only when both x and y are enabled IA-hierarchy: x and y are related by both I-hierarchy and A-hierarchy IA-hierarchy: x and y are related by both I-hierarchy and A-hierarchy

INFSCI 2935: Introduction to Computer Security25 Temporal Role Hierarchy Example DayDoctor (9am-9pm) NightDoctor (9pm-9am) PartTimeDoctor {(3pm-6pm), (7am-10am)} IsIs IsIs 9am9pm9am9pm NightDoctorDayDoctor 7am10am PartTimeDoctor

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security26 Policy Composition

INFSCI 2935: Introduction to Computer Security27 Problem: Consistent Policies Policies defined by different organizations Policies defined by different organizations  Different needs  But sometimes subjects/objects overlap Can all policies be met? Can all policies be met?  Different categories Build lattice combining them  Different security levels Need to be levels – thus must be able to order  What if different DAC and MAC policies need to be integrated?

INFSCI 2935: Introduction to Computer Security28 Multidomain Environments Heterogeneity exists at several levels Heterogeneity exists at several levels -Availability -Bibaintegrity model -Multilevel etc. -UN -Federal -Local -EC etc. -MLS DBMS -MLS OS etc. Security goals Constituent organizational units Constituent systems

INFSCI 2935: Introduction to Computer Security29 Multidomain Challenges Key challenges Semantic heterogeneity Semantic heterogeneity Secure interoperation Secure interoperation Assurance and risk propagation Assurance and risk propagation Security Management Security Management

INFSCI 2935: Introduction to Computer Security30 Semantic heterogeneity Different systems use different security policies Different systems use different security policies  e.g., Chinese wall, BLP policies etc. Variations of the same policies Variations of the same policies  e.g., BLP model and its variations Naming conflict on security attributes Naming conflict on security attributes  Similar roles with different names  Similar permission sets with different role names Structural conflict Structural conflict  different multilevel lattices / role hierarchies Different Commercial-Off-The-Self (COTS) products Different Commercial-Off-The-Self (COTS) products

INFSCI 2935: Introduction to Computer Security31 Secure Interoperability Principles of secure interoperation [Gong, 96] Principles of secure interoperation [Gong, 96] Principle of autonomy If an access is permitted within an individual system, it must also be permitted under secure interoperation Principle of security If an access is not permitted within an individual system, it must not be permitted under secure interoperation Interoperation of secure systems can create new security breaches Interoperation of secure systems can create new security breaches

INFSCI 2935: Introduction to Computer Security32 a b c a b Secure Interoperability (Example) X Y Z A BC D X Y Z A BC D d F 12 = {a, b} F 12 = {a, b, c, d} (1) F 12 = {a, b, d} Direct access (2) F 12 = {c} Indirect access F 12 - permitted access between systems 1 and 2

INFSCI 2935: Introduction to Computer Security33 Assurance and Risk Propagation & Security Management Assurance and Risk propagation Assurance and Risk propagation  A breach in one component affects the whole environment  Cascading problem Management Management  Centralized/Decentralized  Managing metapolicy  Managing policy evolution

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security34 Design Principles

INFSCI 2935: Introduction to Computer Security35 Design Principles for Security Mechanisms Principles Principles  Least Privilege  Fail-Safe Defaults  Economy of Mechanism  Complete Mediation  Open Design  Separation of Privilege  Least Common Mechanism  Psychological Acceptability Based on the idea of simplicity and restriction Based on the idea of simplicity and restriction

INFSCI 2935: Introduction to Computer Security36 Overview Simplicity Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction Restriction  Minimize access power (need to know)  Inhibit communication

INFSCI 2935: Introduction to Computer Security37 Least Privilege A subject should be given only those privileges necessary to complete its task A subject should be given only those privileges necessary to complete its task  Function, not identity, controls RBAC!  Rights added as needed, discarded after use Active sessions and dynamic separation of duty  Minimal protection domain A subject should not have a right if the task does not need it

INFSCI 2935: Introduction to Computer Security38 Fail-Safe Defaults Default action is to deny access Default action is to deny access If action fails, system as secure as when action began If action fails, system as secure as when action began  Undo changes if actions do not complete  Transactions (commit)

INFSCI 2935: Introduction to Computer Security39 Economy of Mechanism Keep the design and implementation as simple as possible Keep the design and implementation as simple as possible  KISS Principle (Keep It Simple, Silly!) Simpler means less can go wrong Simpler means less can go wrong  And when errors occur, they are easier to understand and fix Interfaces and interactions Interfaces and interactions

INFSCI 2935: Introduction to Computer Security40 Complete Mediation Check every access to an object to ensure that access is allowed Check every access to an object to ensure that access is allowed Usually done once, on first action Usually done once, on first action  UNIX: Access checked on open, not checked thereafter If permissions change after, may get unauthorized access If permissions change after, may get unauthorized access

INFSCI 2935: Introduction to Computer Security41 Open Design Security should not depend on secrecy of design or implementation Security should not depend on secrecy of design or implementation  Popularly misunderstood to mean that source code should be public  “Security through obscurity”  Does not apply to information such as passwords or cryptographic keys

INFSCI 2935: Introduction to Computer Security42 Separation of Privilege Require multiple conditions to grant privilege Require multiple conditions to grant privilege  Example: Checks of $70000 must be signed by two people  Separation of duty  Defense in depth Multiple levels of protection

INFSCI 2935: Introduction to Computer Security43 Least Common Mechanism Mechanisms should not be shared Mechanisms should not be shared  Information can flow along shared channels  Covert channels Isolation Isolation  Virtual machines  Sandboxes

INFSCI 2935: Introduction to Computer Security44 Psychological Acceptability Security mechanisms should not add to difficulty of accessing resource Security mechanisms should not add to difficulty of accessing resource  Hide complexity introduced by security mechanisms  Ease of installation, configuration, use  Human factors critical here