CS580 Internet Security Protocols

Presentation on theme: "CS580 Internet Security Protocols"— Presentation transcript:

1 CS580 Internet Security Protocols
12/5/2017
CS580 Internet Security Protocols, 8. Access Control
Huiping Guo, Department of Computer Science, California State University, Los Angeles

2 Outline
- Introduction to access control
- Security policy
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Multilevel security
- Multilateral security
8. Access Control CS580_S16

3 Introduction
- Two parts to access control
  - Authentication: a process by which you verify that someone is who they claim to be
  - Authorization: a process of giving someone permission to do or have something. Once you have access, what can you do? Enforces limits on actions

4 Authentication
- How to authenticate a human to a machine? Can be based on…
  - Something you know, for example a password
  - Something you have, for example a smartcard
  - Something you are, for example your fingerprint

5 Authentication vs Authorization
- Authentication: Who goes there? Restrictions on who (or what) can access the system
- Authorization: Are you allowed to do that? Restrictions on the actions of authenticated users
- Authorization is a form of access control
- Access control is often used as a synonym for authorization

6 A Model for Access Control
[Diagram] subject (source, e.g. users, processes) → access request → reference monitor (guard) → object (resource, e.g. files, printers)

7 Basic Terminology
- Subject/Principal: active entity – user or process
- Object: passive entity – file or resource
- Access operations, e.g. read, write, execute ...
  - Access operations vary from basic memory/file access to method calls in an object-oriented system
  - Comparable systems may use different access operations

8 A Reference Monitor
- Abstract machine that mediates subject access to objects
  - Ex. observes the execution of a program and halts the program if it is going to violate the security policy
- Common examples: operating system, interpreters, firewalls
- Claim: the majority of today's enforcement mechanisms are instances of reference monitors

9 Security Policies
- Reference monitor makes decisions based on request and policy
- Security policy (or access control policy): set of detailed rules as to what is allowed on the system and what is not allowed

10 Access Control Policies
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)

11 Discretionary Access Control
- A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources. Access control is at the discretion of the owner.
- Example: in Unix, a directory listing might yield "... rwxr-xr-x ... file.txt": the owner of file.txt may read, write, or execute it, and other users may read or execute the file but not write it.
  - The set of access rights in this example is {read, write, execute}, and the operating system mediates all requests to perform any of these actions.
  - Users may change the permissions on files they own, making this a discretionary policy.

12 Access Control Matrix
- Does subject S have right R for object O?
- Abstractly, the information needed to answer this question can be represented as a mathematical relation D on subjects, objects, and rights: if (S, O, R) is in D, then S does have right R for object O; otherwise, S does not
- More practically, the same information could also be represented as an access control matrix. Each row of the matrix corresponds to a subject and each column to an object. Each cell of the matrix contains a set of rights

13 Access Control Matrix
- S … set of subjects
- O … set of objects
- A … set of access operations
- Access control matrix: M = (M_{s,o})_{s∈S, o∈O}, M_{s,o} ⊆ A; M_{s,o} specifies the operations subject s may perform on object o
- Example:
         bill.doc      edit.exe  fun.com
  Alice  {}            {exec}    {exec,read}
  Bob    {read,write}  {exec}    {exec,read,write}

14 Access Control Matrix ctd.
- The access control matrix is an abstract concept, not very suitable for direct implementation
  - Management of the matrix is likely to be extremely difficult if there are tens of thousands of files and hundreds of users (resulting in millions of matrix entries)
  - The matrix is likely to be extremely sparse and therefore implementation is inefficient

15 Are You Allowed to Do That?
- How to manage a large access control (AC) matrix?
- Could be 1000's of users, 1000's of resources
- Then an AC matrix with 1,000,000's of entries
- Need to check this matrix before access to any resource is allowed
- Hopelessly inefficient

16 Access Control Lists (ACLs)
- ACL: store the access control matrix by column
- Example: the ACL for Insurance data is the Insurance data column (shown in blue on the slide)

                      OS    Accounting program  Accounting data  Insurance data  Payroll data
  Bob                 rx    rx                  r                ---             ---
  Alice               rx    rx                  r                rw              rw
  Sam                 rwx   rwx                 r                rw              rw
  Accounting program  rx    rx                  rw               rw              rw

17 Access Control Lists (ACLs)
- OS: {(Bob, rx), (Alice, rx), (Sam, rwx), (Accounting program, rx)}
- Accounting program: {(Bob, rx), (Alice, rx), (Sam, rwx), (Accounting program, rx)}
- Accounting data: {(Bob, r), (Alice, r), (Sam, r), (Accounting program, rw)}
- Insurance data: {(Alice, rw), (Sam, rw), (Accounting program, rw)}
- Payroll data: {(Alice, rw), (Sam, rw), (Accounting program, rw)}

18 Capabilities (or C-Lists)
- Store the access control matrix by row
- Example: the capability for Alice is the Alice row (shown in red on the slide)

                      OS    Accounting program  Accounting data  Insurance data  Payroll data
  Bob                 rx    rx                  r                ---             ---
  Alice               rx    rx                  r                rw              rw
  Sam                 rwx   rwx                 r                rw              rw
  Accounting program  rx    rx                  rw               rw              rw

19 Capability List
- Bob: {(OS, rx), (Accounting program, rx), (accounting data, r)}
- Alice: {(OS, rx), (Accounting program, rx), (accounting data, r), (insurance data, rw), (payroll data, rw)}
- Sam: {(OS, rwx), (Accounting program, rwx), (accounting data, r), (insurance data, rw), (payroll data, rw)}
- Accounting program: {(OS, rwx), (Accounting program, rwx), (accounting data, r), (insurance data, rw), (payroll data, rw)}

20 ACLs vs Capabilities
[Diagram: the same rights for subjects Alice, Bob, Fred on objects file1, file2, file3, drawn once as Access Control Lists and once as Capabilities]
- Note that the arrows point in opposite directions!

21 ACLs vs Capabilities
- ACLs
  - Good when users manage their own files
  - Protection is data-oriented
  - Easy to change rights to a resource
- Capabilities
  - Easy to delegate
  - Easy to add/delete users
  - More difficult to implement
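The two storage schemes side by side, as an added example that is not part of the slides: the matrix below is the Bob / Alice / Sam / Accounting program matrix from slides 16 to 19 written as a Python dictionary, and the helpers (their names are mine) derive the ACL view (by column) and the capability view (by row) from it, answer the reference monitor's "does S have right R for O?" question from either view, and make concrete why "change rights to a resource" is one step under ACLs while "delete a user" is one step under capabilities.

```python
"""Access control matrix stored by column (ACLs) and by row (capability lists).

Added example, not code from the slides. The matrix values are the slides' own
Bob / Alice / Sam / Accounting program example; all helper names are mine.
"""
from typing import Dict, FrozenSet

# The access control matrix from the slides: rows are subjects, columns are objects,
# each cell is the string of operations (r, w, x) the subject may perform on the object.
MATRIX: Dict[str, Dict[str, str]] = {
    "Bob":                {"OS": "rx",  "Accounting program": "rx",  "Accounting data": "r",  "Insurance data": "",   "Payroll data": ""},
    "Alice":              {"OS": "rx",  "Accounting program": "rx",  "Accounting data": "r",  "Insurance data": "rw", "Payroll data": "rw"},
    "Sam":                {"OS": "rwx", "Accounting program": "rwx", "Accounting data": "r",  "Insurance data": "rw", "Payroll data": "rw"},
    "Accounting program": {"OS": "rx",  "Accounting program": "rx",  "Accounting data": "rw", "Insurance data": "rw", "Payroll data": "rw"},
}

ACL = Dict[str, Dict[str, FrozenSet[str]]]      # object  -> {subject: rights}
CapList = Dict[str, Dict[str, FrozenSet[str]]]  # subject -> {object: rights}


def to_acls(matrix: Dict[str, Dict[str, str]]) -> ACL:
    """Store the matrix by column: one ACL per object, listing (subject, rights) pairs."""
    acls: ACL = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:  # empty cells are simply absent, which is what makes the store compact
                acls.setdefault(obj, {})[subject] = frozenset(rights)
    return acls


def to_capabilities(matrix: Dict[str, Dict[str, str]]) -> CapList:
    """Store the matrix by row: one capability list per subject, listing (object, rights) pairs."""
    return {
        subject: {obj: frozenset(rights) for obj, rights in row.items() if rights}
        for subject, row in matrix.items()
    }


def acl_permits(acls: ACL, subject: str, obj: str, op: str) -> bool:
    """Reference-monitor check against the object's ACL (the object records who may access it)."""
    return op in acls.get(obj, {}).get(subject, frozenset())


def cap_permits(caps: CapList, subject: str, obj: str, op: str) -> bool:
    """Reference-monitor check against the subject's capability list (the subject carries its rights)."""
    return op in caps.get(subject, {}).get(obj, frozenset())


def views_agree(matrix: Dict[str, Dict[str, str]]) -> bool:
    """Both storage schemes answer every (subject, object, op) question identically."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    objects = {obj for row in matrix.values() for obj in row}
    return all(
        acl_permits(acls, s, o, op) == cap_permits(caps, s, o, op)
        for s in matrix for o in objects for op in "rwx"
    )


def revoke_object(acls: ACL, obj: str) -> None:
    """Change the rights to one resource: under ACLs that is one column, one operation."""
    acls.pop(obj, None)


def delete_subject(caps: CapList, subject: str) -> None:
    """Remove a user: under capabilities that is one row, one operation."""
    caps.pop(subject, None)


def delete_subject_from_acls(acls: ACL, subject: str) -> int:
    """The same user deletion under ACLs must visit every object's list; returns how many were touched."""
    touched = 0
    for entries in acls.values():
        if entries.pop(subject, None) is not None:
            touched += 1
    return touched
```

The asymmetry in the last three functions is the slide's comparison in code: revoking a resource walks one ACL, deleting a user walks one capability list, but deleting a user under ACLs has to scan every object's list (five lists for Sam in this matrix).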

22 Mandatory Access Control
- A mandatory access control (MAC) policy is a means of assigning access rights based on regulations by a central authority. This class of policies includes examples from both industry and government. The philosophy underlying these policies is that information belongs to an organization (rather than individual members of it), and it is that organization which should control the security policy.

23 Mandatory Access Control (MAC)
- Multilevel security (military applications)
  - Bell-LaPadula model: identifies allowable communication flows; concerned primarily with ensuring secrecy
  - Biba model: concerned primarily with "trustworthiness"/integrity
- Multilateral security (corporate application)
  - Chinese wall: concerned with preventing conflicts of interest; developed for commercial applications

24 Multilevel Security (MLS) Models

25 Classifications and Clearances
- Classifications apply to objects
- Clearances apply to subjects
- US Department of Defense uses 4 levels of classifications/clearances: TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED

26 Clearances and Classification
- To obtain a SECRET clearance requires a routine background check
- A TOP SECRET clearance requires an extensive background check
- Practical classification problems
  - Proper classification is not always clear
  - Level of granularity at which to apply classifications
  - Aggregation, the flipside of granularity

27 Subjects and Objects
- Let O be an object, S a subject
  - O has a classification
  - S has a clearance
- Security level denoted L(O) and L(S)
- For DoD levels, we have TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED

28 Multilevel Security (MLS)
- MLS needed when subjects/objects at different levels use the same system
- MLS is a form of access control
- Military/government interest in MLS for many decades
  - Lots of funded research into MLS
  - Strengths and weaknesses of MLS relatively well understood (theoretical and practical)
- Many possible uses of MLS outside the military

29 MLS Applications
- Classified government/military information
- Business example: info restricted to
  - Senior management only
  - All management
  - Everyone in company
  - General public
- Network firewall: keep intruders at a low level to limit damage
- Confidential medical info, databases, etc.

30 MLS Security Models
- MLS models explain what needs to be done
- Models do not tell you how to implement
  - Models are descriptive, not prescriptive
  - High level description, not an algorithm
- There are many MLS models
  - We'll discuss the simplest MLS model
  - Other models are more realistic
  - Other models are also more complex, more difficult to enforce, harder to verify, etc.

31 Bell-LaPadula
- BLP security model designed to express essential requirements for MLS
- BLP deals with confidentiality: to prevent unauthorized reading
- Recall that O is an object, S a subject
  - Object O has a classification
  - Subject S has a clearance
  - Security level denoted L(O) and L(S)

32 Bell-LaPadula
- BLP consists of
  - Simple Security Condition: S can read O if and only if L(O) ≤ L(S)
  - *-Property (Star Property): S can write O if and only if L(S) ≤ L(O)
- No read up, no write down
- With Bell-LaPadula, users can create content only at or above their own security level. Conversely, users can view content only at or below their own security level

33 Communicating down…
- How to communicate from a higher security level to a lower one?
- The transfer of information from a high security document to a lower security document may happen in the BLP model via the concept of trusted subjects
  - Trusted subjects are not restricted by the *-property
  - Trusted subjects must be shown to be trustworthy with regard to the security policy
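An added example (not from the slides) of a reference monitor enforcing the two BLP rules over the four DoD levels, with a trusted-subject flag that waives the *-property exactly as described above; the principals ("analyst", "downgrader"), the documents and their levels are constructed for illustration, and the function names are mine.

```python
"""Bell-LaPadula: simple security condition and *-property over the DoD levels.

Added example, not code from the slides. LEVELS are the four DoD levels the slides
list, least to most sensitive; 'trusted' marks a trusted subject that is exempt
from the *-property (slide 33). Principals and documents below are constructed.
"""
from typing import Dict, List, Set, Tuple

LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}  # higher rank = more sensitive


def can_read(l_subject: str, l_object: str) -> bool:
    """Simple security condition: S may read O iff L(O) <= L(S). No read up."""
    return RANK[l_object] <= RANK[l_subject]


def can_write(l_subject: str, l_object: str, trusted: bool = False) -> bool:
    """*-property: S may write O iff L(S) <= L(O). No write down, unless S is a trusted subject."""
    return trusted or RANK[l_subject] <= RANK[l_object]


Request = Tuple[str, str, str]  # (subject, operation, object)


def reference_monitor(clearances: Dict[str, str], classifications: Dict[str, str],
                      trusted: Set[str], requests: List[Request]) -> List[Tuple[str, str, str, bool]]:
    """Mediate a batch of requests against the policy and return the decision for each."""
    decisions = []
    for subject, op, obj in requests:
        l_s, l_o = clearances[subject], classifications[obj]
        if op == "read":
            allowed = can_read(l_s, l_o)
        elif op == "write":
            allowed = can_write(l_s, l_o, trusted=subject in trusted)
        else:
            allowed = False  # any operation the policy does not know is denied by default
        decisions.append((subject, op, obj, allowed))
    return decisions


# Constructed sample principals and documents (hypothetical names).
CLEARANCES = {"analyst": "SECRET", "downgrader": "TOP SECRET"}
CLASSIFICATIONS = {
    "ops_plan": "TOP SECRET",
    "weekly_report": "SECRET",
    "press_release": "UNCLASSIFIED",
}
TRUSTED = {"downgrader"}  # the one trusted subject, allowed to move information down

REQUESTS: List[Request] = [
    ("analyst", "read", "weekly_report"),      # same level: allowed
    ("analyst", "read", "ops_plan"),           # read up: denied
    ("analyst", "write", "ops_plan"),          # write up: allowed (a "blind" write)
    ("analyst", "write", "press_release"),     # write down: denied by the *-property
    ("downgrader", "write", "press_release"),  # trusted subject: *-property waived
    ("analyst", "delete", "weekly_report"),    # unknown operation: denied
]


def decisions() -> Dict[Request, bool]:
    """Run the constructed requests through the monitor, keyed by request for easy lookup."""
    return {(s, op, o): ok for s, op, o, ok in
            reference_monitor(CLEARANCES, CLASSIFICATIONS, TRUSTED, REQUESTS)}
```

The "write up" case is worth noticing: the *-property lets a SECRET subject write into a TOP SECRET object it cannot read back, which is why BLP on its own says nothing about integrity.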

34 Biba's Model
- BLP for confidentiality, Biba for integrity
- Biba is to prevent unauthorized writing
- Biba is (in a sense) the dual of BLP
- Integrity model
  - Suppose you trust the integrity of one object but not of another
  - If an object O includes both, then you cannot trust the integrity of O
  - The integrity level of O is the minimum of the integrity of any object included in O

35 Biba
- Let I(O) denote the integrity of object O and I(S) denote the integrity of subject S
- Biba can be stated as
  - Write Access Rule: S can write O if and only if I(O) ≤ I(S) (if S writes O, the integrity of O ≤ that of S)
  - Read Access Rule: S can read O if and only if I(S) ≤ I(O) (if S reads O, the integrity of S ≤ that of O)
- Often, replace Biba's Model with the Low Water Mark Policy: if S reads O, then I(S) = min(I(S), I(O))
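The Biba rules, the minimum rule for composite objects from slide 34, and the low water mark variant as an added Python example (not from the slides); the three integrity levels and the "installer" scenario are constructed to show how a subject that reads low-integrity input loses the ability to write high-integrity objects.

```python
"""Biba integrity model: strict read/write rules and the low water mark policy.

Added example, not code from the slides. The three integrity levels and the
installer scenario are constructed; function and class names are mine.
"""
from typing import Iterable

INTEGRITY = ["LOW", "MEDIUM", "HIGH"]
IRANK = {name: i for i, name in enumerate(INTEGRITY)}  # higher rank = more trustworthy


def can_write(i_subject: str, i_object: str) -> bool:
    """Write Access Rule: S may write O iff I(O) <= I(S). No write up (low cannot taint high)."""
    return IRANK[i_object] <= IRANK[i_subject]


def can_read(i_subject: str, i_object: str) -> bool:
    """Read Access Rule: S may read O iff I(S) <= I(O). No read down (high must not consume low)."""
    return IRANK[i_subject] <= IRANK[i_object]


def composite_integrity(parts: Iterable[str]) -> str:
    """Slide 34: an object built from several objects is only as trustworthy as its weakest part."""
    return min(parts, key=IRANK.__getitem__)


class LowWaterMarkSubject:
    """Low water mark policy: reads are always allowed, but they pull the subject's level down."""

    def __init__(self, name: str, integrity: str) -> None:
        self.name = name
        self.integrity = integrity

    def read(self, i_object: str) -> str:
        """I(S) = min(I(S), I(O)); returns the subject's new integrity level."""
        self.integrity = INTEGRITY[min(IRANK[self.integrity], IRANK[i_object])]
        return self.integrity

    def write(self, i_object: str) -> bool:
        """The write rule is unchanged: the (possibly lowered) subject level must dominate the object's."""
        return can_write(self.integrity, i_object)


def installer_scenario():
    """Constructed: a HIGH installer reads an untrusted download and can no longer write HIGH objects.

    Returns (could write HIGH before, integrity after the read, can write HIGH after).
    """
    installer = LowWaterMarkSubject("installer", "HIGH")
    before = installer.write("HIGH")
    installer.read("LOW")  # e.g. a package fetched from an untrusted source (constructed)
    after = installer.write("HIGH")
    return before, installer.integrity, after
```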

36 Multilateral Security (Compartments)

37 Multilateral Security
- Multilevel Security (MLS) enforces access control up and down
- A simple hierarchy of security labels may not be flexible enough
- Multilateral security enforces access control across by creating compartments
- Suppose TOP SECRET is divided into TOP SECRET {CAT} and TOP SECRET {DOG}
- Both are TOP SECRET, but information flow is restricted across the TOP SECRET level

38 Multilateral Security
- Why compartments? Why not create a new classification level?
- May not want either of
  - TOP SECRET {CAT} → TOP SECRET {DOG}
  - TOP SECRET {DOG} → TOP SECRET {CAT}
- Compartments allow us to enforce the need to know principle: regardless of your clearance, you only have access to info that you need to know

39 Multilateral Security
- Arrows indicate the "≥" relationship
- [Diagram: lattice of the eight labels TOP SECRET {CAT, DOG}, TOP SECRET {CAT}, TOP SECRET {DOG}, TOP SECRET, SECRET {CAT, DOG}, SECRET {CAT}, SECRET {DOG}, SECRET]
- Not all classifications are comparable, e.g., TOP SECRET {CAT} vs SECRET {CAT, DOG}
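Labels with compartments as an added example (not from the slides): a label dominates another when its level is at least as high and its compartment set is a superset, which is the "≥" the arrows denote. The code checks the incomparable pair named above, recovers the arrows of the diagram for the eight labels listed, and goes one step beyond the slides by applying BLP's two rules to these labels so that TOP SECRET {CAT} and TOP SECRET {DOG} cannot read or write each other; the `Label` class and helper names are mine.

```python
"""Security labels with compartments: dominance, comparability, and BLP over the lattice.

Added example, not code from the slides. Levels are the slides' DoD levels; the eight
labels in SLIDE_LABELS are those drawn on slide 39. Class and function names are mine.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __str__(self) -> str:
        if not self.compartments:
            return self.level
        return f"{self.level} {{{', '.join(sorted(self.compartments))}}}"


def dominates(a: Label, b: Label) -> bool:
    """a >= b: a's level is at least b's AND a's compartments include all of b's."""
    return RANK[a.level] >= RANK[b.level] and b.compartments <= a.compartments


def comparable(a: Label, b: Label) -> bool:
    """The lattice is a partial order: some pairs are ordered neither way."""
    return dominates(a, b) or dominates(b, a)


def can_read(subject: Label, obj: Label) -> bool:
    """BLP simple security condition generalized to labels: read iff L(S) dominates L(O)."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """BLP *-property generalized to labels: write iff L(O) dominates L(S)."""
    return dominates(obj, subject)


def hasse_edges(labels: List[Label]) -> List[Tuple[str, str]]:
    """The arrows of the slide's diagram: a -> b where a strictly dominates b with no label in between."""
    edges = []
    for a in labels:
        for b in labels:
            if a == b or not dominates(a, b):
                continue
            between = any(c != a and c != b and dominates(a, c) and dominates(c, b) for c in labels)
            if not between:
                edges.append((str(a), str(b)))
    return edges


# The eight labels drawn on slide 39.
SLIDE_LABELS = [
    Label(level, frozenset(comps))
    for level in ("TOP SECRET", "SECRET")
    for comps in ((), ("CAT",), ("DOG",), ("CAT", "DOG"))
]


def incomparable_pair_from_slide() -> bool:
    """The slide's example: TOP SECRET {CAT} vs SECRET {CAT, DOG} are not comparable."""
    ts_cat = Label("TOP SECRET", frozenset({"CAT"}))
    s_cat_dog = Label("SECRET", frozenset({"CAT", "DOG"}))
    return not comparable(ts_cat, s_cat_dog)
```

Running `hasse_edges(SLIDE_LABELS)` yields twelve arrows, every one either a one-step drop in level or the removal of a single compartment; that is the whole diagram, and the absence of an arrow in either direction between TOP SECRET {CAT} and SECRET {CAT, DOG} is the slide's point.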

40 Chinese wall
- Intended to prevent conflicts of interest
- Rights are dynamically updated based on the actions of the subjects

41 Chinese wall -- basic setup
[Diagram] Conflict of interest (CI) classes group company datasets: {Bank A, Bank B} and {School 1, School 2, School 3}; each company dataset contains files

42 Chinese wall: Read rule
- A subject S can access company C's data only if
  - S has already accessed C's data, OR
  - S has not accessed any of C's competitors' data
- In other words, subject S is allowed to read from at most one company dataset in any CI class

43 Example
[Diagram: the datasets Bank A, Bank B, School 1, School 2, School 3, with two read accesses by one subject illustrating the read rule]

44 Chinese wall: Write rule
- S can write to O only if
  - S can read O, and
  - all objects that S can read are in the same dataset as O
- This is intended to prevent an indirect flow of information that would cause a conflict of interest
  - E.g., S reads from Bank A and writes to School 1; S' can read from School 1 and Bank B
  - S' may find out information about Banks A and B!
- Note that S can write to at most one dataset…
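The read and write rules of slides 42 and 44 as an added example (not from the slides), with the per-subject access history that makes the rights dynamic. The CI classes are the two groups of company datasets from slide 41, and the scenario function replays the S / S' story above: the read rule alone lets S' read both School 1 and Bank B, and it is the write rule that stops S from carrying Bank A information into School 1. The class and method names are mine.

```python
"""Chinese wall policy: read rule, write rule and the access history they depend on.

Added example, not code from the slides. CI_CLASSES mirrors slide 41's datasets;
subject names S and S2 (the slide's S') are constructed. Names are mine.
"""
from typing import Dict, Set


class ChineseWall:
    def __init__(self, ci_class_of: Dict[str, str]) -> None:
        self.ci_class_of = dict(ci_class_of)        # dataset -> conflict-of-interest class
        self.history: Dict[str, Set[str]] = {}      # subject -> datasets already accessed

    def accessed(self, subject: str) -> Set[str]:
        return self.history.setdefault(subject, set())

    def can_read(self, subject: str, dataset: str) -> bool:
        """Read rule: the dataset was already accessed, or no competitor in its CI class was."""
        seen = self.accessed(subject)
        if dataset in seen:
            return True
        ci = self.ci_class_of[dataset]
        return not any(self.ci_class_of[d] == ci for d in seen)

    def read(self, subject: str, dataset: str) -> bool:
        """Mediate a read; an allowed read is recorded, which is what changes future rights."""
        if not self.can_read(subject, dataset):
            return False
        self.accessed(subject).add(dataset)
        return True

    def readable(self, subject: str) -> Set[str]:
        """Every dataset the subject could read right now (not just the ones already read)."""
        return {d for d in self.ci_class_of if self.can_read(subject, d)}

    def can_write(self, subject: str, dataset: str) -> bool:
        """Write rule: S can read O, and everything S can read lies in O's dataset."""
        return self.can_read(subject, dataset) and self.readable(subject) == {dataset}


# Slide 41's setup: two CI classes of company datasets.
CI_CLASSES = {
    "Bank A": "banks", "Bank B": "banks",
    "School 1": "schools", "School 2": "schools", "School 3": "schools",
}


def slide_44_scenario() -> Dict[str, bool]:
    """Replay the S / S' story from slide 44 and return each decision."""
    wall = ChineseWall(CI_CLASSES)
    return {
        "S reads Bank A": wall.read("S", "Bank A"),        # first access: allowed
        "S reads Bank B": wall.read("S", "Bank B"),        # competitor of Bank A: denied
        "S reads School 1": wall.read("S", "School 1"),    # different CI class: allowed
        "S writes School 1": wall.can_write("S", "School 1"),  # S can still read Bank A: denied
        "S' reads School 1": wall.read("S2", "School 1"),  # allowed
        "S' reads Bank B": wall.read("S2", "Bank B"),      # allowed: the leak the write rule prevents
    }


def single_class_wall() -> ChineseWall:
    """Constructed: with only one CI class, a subject's readable set can shrink to one dataset."""
    wall = ChineseWall({"Bank A": "banks", "Bank B": "banks"})
    wall.read("T", "Bank A")
    return wall
```

Because `readable` counts datasets the subject has not yet touched, a subject in a system with two or more CI classes can never satisfy the write rule as stated here; that strictness is inherent to the rule on the slide (the original Brewer-Nash paper relaxes it for sanitized information, which the slides do not cover).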

