1. FRAC: Implementing Role-Based Access Control for Network File Systems Aniruddha Bohra, Stephen Smaldone, and Liviu Iftode Department of Computer Science Rutgers University {bohra,smaldone,iftode}@cs.rutgers.edu

2. 2 ProgrammersMotivation User A Time > 5 PM Time < 5 PM User A Developer User A Programme r Shell scripts cron jobs Manual Developers User A User B User C User A User D File F : { Developers, !Programmers } File F : { User B, User C }

3. 3 Role-Based Access Control (RBAC) Roles UsersPerms Users 1 User A READWRITEDELETE ALLOWUsers 1Users 2Devs LOGProgs ALARMThreat READWRITEDELETE ALLOW LOG ALARM Role Hierarchy Users 2 Devs Users 1 Progs

4. 4 Benefits of RBAC Policy Specification –Administrators define system-wide access control policies –Users may query and update portions of the access control system state –Simplified sharing and protection Role Management –Role Hierarchy: Inheritance –Static Separation of Duties (SSD) Session Management –Dynamic User to Role Mapping –Dynamic Separation of Duties (DSD) Centralized Access Control Policy Enforcement –Enforcement of Principle of Least Privilege (POLP) –Verifiability of policy enforcement: auditing

5. 5 RBAC for Network File Systems? FS ClientFile Server FS Protocol Modifications Interface changes Application changes … FS ClientFile Server External Authority User AC Policy Changes require user agent Access Control Decisions AC Policy Changes

6. 6 FRAC: Network File System RBAC in a Middlebox FS ClientFile Server Middlebox Access Control Decisions Virtual Control Namespace (VCN) Maintained at FRAC and Accessed by Client Query State of AC System = FS READ Update Permissions and AC Policies = FS WRITE VCN Standard FS Protocol FRAC AC Policy Changes

7. 7Outline Introduction Design and Implementation –Background –Permission Evaluation in FRAC –Enforcing Principle of Least Privilege –Virtual Control Namespace (VCN) Evaluation Related Work Conclusions

8. 8 Design Requirements Middlebox to Enforce RBAC Policies –Interpose and transform messages –Understand file system semantics –Store policies and maintain state –Evaluate and enforce file system access control policies Virtual Control Namespace –Enable users to query and owners to update the access control policy –Virtualize file system objects –Handle file system operations for virtual objects

9. 9 Background: FileWall FileWall: A Firewall for Network File System, S. Smaldone, A. Bohra, and L. Iftode. To appear in the Proceedings of the 3rd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07) Scheduler Forwarder Access Context FileWall Policy Request Handler File Server … FS Client

10. 10 Permission Evaluation in FRAC Forwarder Access Context FRAC FS Client File Server AC Matrix DENY Time Time > 5 PM ? ALLOW Scheduler

11. 11 Enforcing Principle of Least Privilege Access Context SessionID{Active Roles} (U0, G0)Progs VFHFHAC Matrix V0F0(READ, Users1) FS Request File Handle = V0 UserID = U0 GroupID = G0 Op = READ Role Hierarchy Users 2 Devs Users 1 Progs Users 1

12. 12 Virtual Control Namespace (VCN) Root VCN Session Shadow Mirrored FS Namespace FILE METADATA AC MATRIX Shadow File Contents Active Roles User -> Role Mappings Session Control Interface

13. 13 VCN Challenges Creation of virtual objects –Must create file identifiers for virtual objects –Must avoid file identifier collisions between virtual and real objects –Provide virtual identifiers for all objects and store mappings Introduce virtual objects in existing namespace –Create virtual namespace under root of real namespace –Must modify namespace operations (e.g., READDIR, LOOKUP, etc.) to “splice” in virtual namespace Handle file system operations to virtual objects –Need to distinguish accesses to virtual objects from those for real objects –Demultiplex based on virtual identifier to real identifier mappings

14. 14 VCN Handler VCN in FRAC Forwarder Access Context FRAC FS Client File Server home VCNbob VFH -> FH Map To Server To Client home bob Scheduler

15. 15 Prototype Implementation Network middlebox –FRAC implemented as a FileWall policy module –Implements RBAC for NFSv3 protocol –Direct access limited only to administrators Access Context –Berkeley DB: An open source database Policy specification –Static configuration using XACML –Updates supported through VCN for users

16. 16Outline Introduction Design and Implementation Evaluation Related Work Conclusions

17. 17Evaluation Roles –Arranged as linear chain: highest to lowest privilege level –Session starts with a role at head of chain (worst case) Setup –Systems: Dell Poweredge 2600 SMP systems, 2.4 GHz Xeon II CPU, 2 GB RAM, running Linux 2.6 –Microbenchmark: User-level RPC client –Application Benchmark: OpenSSH compilation

18. 18 Results - Microbenchmark Worst case overhead is low!

19. 19 Results - OpenSSH Compilation Most expensive data phases have small (<10% & < 15%) overheads!

20. 20 Related Work RBAC Model –RBAC Standards [Ferraiolo’01, ANSI/INCITS’04] RBAC for Network File Systems –Protocol Modifications [Gustaffson’97] –Agent-Based Systems [He’05] Virtual and Programmable Namespaces –Plan 9 [Pike’93] –Semantic File Systems [Sheldon’91]

21. 21 Conclusions and Future Work FRAC: RBAC for network file systems using a middlebox (FileWall) –Requires no client or server modifications –Virtual Control Namespace eliminates use of specialized agents –Low overheads: < 15% overhead for up to 50 roles Future Work: –Language for Specification and Verification of policies –Continuous Monitoring of network file system accesses

22. Thank You! Questions?