
CSC 8320 Advanced Operating System Discretionary Access Control Models Presenter: Ke Gao Instructor: Professor Zhang.


1 CSC 8320 Advanced Operating System Discretionary Access Control Models Presenter: Ke Gao Instructor: Professor Zhang

2 Overview Part 1: Fundamental Knowledge Part 2: Current Technology Part 3: Future Research

3 Part 1: Fundamental Knowledge

4 The Access Control Matrix (ACM) [1, Randy Chow, 1997] The Access Control Matrix (ACM) is the most fundamental and widely used discretionary access control model for simple security policies. Access control is a function that, given a subject and object pair (s, o) and a requested operation r from s on o, returns true if the request is permitted.

5 Two Types of Security Policies Simple Security Policy A statement that specifies what privileges and limitations a certain subject has on an object, without any special constraints. Complex Security Policy Security requirements that depend on how and when other accesses are being performed. E.g. a subject can access object x only if it has not already accessed object y.

6 Example of ACM - Resource ACM

7 Example of ACM - Process ACM

8 Example of ACM - Domain ACM

9 Reducing the Size of Access Control Matrix User subjects are generally related and often have similar access rights to some common objects. Rows of the ACM can be merged into a single row for a group of users: a user is then identified by a group name, and rights are assigned to the group rather than to the individual user name. Object columns can likewise be merged into categories, which are based on attributes of the objects rather than attributes of the users.
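The row and column merging described above, as an added example that is not part of the presentation: subjects whose rows are identical are collapsed into one group row, objects whose columns are identical are collapsed into one category column, and a lookup through the reduced matrix is checked against the original. The ACM, subject and object names are constructed for illustration.

```python
"""Added example: collapsing an access control matrix (ACM) into groups and
categories. Not code from the presentation; the ACM below is constructed."""
from collections import defaultdict

# Constructed ACM: rows are subjects, columns are objects, cells are right sets.
ACM = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}, "printer": {"use"}},
    "bob":   {"payroll.db": {"read", "write"}, "report.txt": {"read"}, "printer": {"use"}},
    "carol": {"payroll.db": set(),             "report.txt": {"read"}, "printer": {"use"}},
}

def merge_rows(acm):
    """Subjects with identical rows share one group row (slide 9: rows -> groups)."""
    signature = {}
    for s, row in acm.items():
        key = tuple(sorted((o, tuple(sorted(r))) for o, r in row.items()))
        signature.setdefault(key, []).append(s)
    groups, user_group = {}, {}
    for i, (key, members) in enumerate(signature.items()):
        g = f"group{i}"
        groups[g] = {o: set(r) for o, r in key}
        for s in members:
            user_group[s] = g
    return groups, user_group

def merge_columns(acm):
    """Objects with identical columns share one category column (columns -> categories)."""
    objects = sorted({o for row in acm.values() for o in row})
    signature = {}
    for o in objects:
        key = tuple(sorted((s, tuple(sorted(row.get(o, set())))) for s, row in acm.items()))
        signature.setdefault(key, []).append(o)
    object_cat = {}
    for i, members in enumerate(signature.values()):
        for o in members:
            object_cat[o] = f"cat{i}"
    return object_cat

def reduce_acm(acm):
    """Return (reduced matrix, user -> group map, object -> category map)."""
    groups, user_group = merge_rows(acm)
    object_cat = merge_columns(acm)
    reduced = defaultdict(dict)
    for g, row in groups.items():
        for o, rights in row.items():
            # objects in one category have identical columns, so no cell conflicts
            reduced[g][object_cat[o]] = set(rights)
    return dict(reduced), user_group, object_cat

def permitted(reduced, user_group, object_cat, s, o, r):
    """Access decision taken through the group/category indirection."""
    return r in reduced[user_group[s]].get(object_cat[o], set())

def equivalent(acm):
    """Sanity check: the reduced matrix must answer every cell like the original."""
    reduced, user_group, object_cat = reduce_acm(acm)
    for s, row in acm.items():
        for o, rights in row.items():
            for r in ("read", "write", "use"):
                if permitted(reduced, user_group, object_cat, s, o, r) != (r in rights):
                    return False
    return True

if __name__ == "__main__":
    red, ug, oc = reduce_acm(ACM)
    print(f"{len(ACM)} subjects -> {len(red)} groups; "
          f"{len(oc)} objects -> {len(set(oc.values()))} categories")
```

With the constructed matrix, alice and bob collapse into one group while carol stays separate, and the three objects remain three categories because their columns differ; the saving grows with the number of users who share a rights pattern.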

10 Distributed Compartments A distributed application with collaborating processes may consist of subject users and object resources crossing the boundaries of physical hosts. Because it is impossible to have a global ACM, a logical ACM called a ‘distributed compartment’ that regulates access among the collaborating users serves the purpose better.

11 Each distributed compartment has at least one member, called an owner, which has the maximum privilege. Access to a distributed compartment is based on ‘distributed handles’ rather than user IDs. These handles are application oriented: they provide a protective wall around an application and are authenticated by the application.

12 Distributed Compartments

13 ACM Implementations The linked-list structure that contains all entries in a column for a particular object is called an Access Control List (ACL) for the object. An ACL specifies the permissible rights that various subjects have on the object. Likewise, all entries in a row for a subject are called a Capability List (CL) for the subject. A CL specifies the privileges to various objects held by a subject.

14 ACM Implementations (figure: ACL implementation and CL implementation) ACL implementation: the subject client sends (r, s) to the object server; the object server holds ACL S = {S_i} and checks s ∈ S and r ∈ R_s. CL implementation: the subject client holds CL = O = {O_i} and sends (o, s); the object server checks o ∈ O and r ∈ R_o.

15 ACM Implementations (figure: lock-key implementation) The subject client holds CL = O = {O_i} and sends (o, r, k); the object server holds lock list LL and checks o ∈ O, k = l, and r ∈ R_l.

16 Comparison of ACL & CL Authentication Reviewing of Access Rights Propagation of Access Rights Revocation of Access Rights Conversion between ACL and CL

17 Authentication With an ACL, the system authenticates subjects, so there is no extra overhead. With a CL, authentication is performed by the object server, but it is easier, which is why CLs are widely used in distributed systems.

18 Review of Access Rights Reviewing who may access an object is easy with an ACL, because the ACL contains exactly this information. It is difficult with CLs unless some type of activity log is kept.

19 Propagation of Access Rights With an ACL, propagation of rights is initiated by a request to the object server, which modifies or adds an entry in its ACL. With a CL, rights can in theory be propagated between subjects without intervention of the object server, but this may result in an uncontrollable system.

20 Revocation of Access Rights Revocation is trivial with an ACL because it is easy to delete subject entries from the ACL. It is difficult with CLs to revoke access selectively.

21 Conversion Between ACL & CL Conversion from CL to ACL is straightforward. Conversion from ACL to CL: a gateway authenticates the process identifier and verifies the operation in the capability list. The remote host grants the access request if its ACL contains the process as a subject and the requested operation is within the authorized range.
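An added example, not the presentation's own code, that serves slides 13 to 15 and slides 16 to 21 together: one constructed ACM is realised as an ACL (column view), a CL (row view) and a lock-key table, then the operations compared above are run on it: the ACL check and CL check from slide 14, the key-against-lock check from slide 15, server-mediated propagation and trivial revocation for the ACL, subject-to-subject delegation and whole-object revocation for the CL, CL-to-ACL conversion, and the gateway forwarding of slide 21. Subjects, objects, rights and the lock tokens are constructed.

```python
"""Added example (not the presentation's code): one constructed ACM realised as
ACL, CL and lock-key tables, plus the ACL/CL operations compared in slides 16-21."""
import secrets

ACM = {  # constructed: subject -> object -> rights
    "alice": {"file1": {"read", "write"}, "file2": {"read"}},
    "bob":   {"file1": {"read"}, "file2": set()},
}

def to_acl(acm):
    """Column view: object -> subject -> rights, kept at the object server."""
    acl = {}
    for s, row in acm.items():
        for o, rights in row.items():
            acl.setdefault(o, {})[s] = set(rights)
    return acl

def to_cl(acm):
    """Row view: subject -> object -> rights, held by the subject (empty cells dropped)."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in acm.items()}

# --- slide 14: the two access checks ---------------------------------------
def acl_check(acl, o, s, r):
    """Object server authenticates s itself, then tests s in S and r in R_s."""
    return r in acl.get(o, {}).get(s, set())

def cl_check(cl, s, o, r):
    """Subject presents its capability list; the server tests o in O and r in R_o."""
    return r in cl.get(s, {}).get(o, set())

# --- slide 15: lock-key: key k presented by the subject must match lock l ----
def make_lock_key(acl):
    """Give each (object, subject) pair with rights a random lock; subject keeps the key."""
    locks, keys = {}, {}
    for o, subjects in acl.items():
        for s, rights in subjects.items():
            if rights:
                l = secrets.token_hex(8)          # constructed, unguessable lock value
                locks.setdefault(o, {})[l] = set(rights)
                keys.setdefault(s, {})[o] = l
    return locks, keys

def lock_key_check(locks, o, r, k):
    """Server checks o in O, k = l for some lock l on o, and r in R_l."""
    return r in locks.get(o, {}).get(k, set())

# --- slides 19-20: propagation and revocation --------------------------------
def acl_grant(acl, o, s, r):
    """Propagation goes through the object server, which edits its ACL entry."""
    acl.setdefault(o, {}).setdefault(s, set()).add(r)

def acl_revoke(acl, o, s):
    """Revocation is trivial: delete the subject's entry for the object."""
    acl.get(o, {}).pop(s, None)

def cl_delegate(cl, src, dst, o):
    """Subject-to-subject copy of a capability; the object server never sees it."""
    cl.setdefault(dst, {})[o] = set(cl[src][o])

def cl_revoke_all(cl, o):
    """Selective revocation is hard: without a log, the only safe option is to
    invalidate every copy of the capability for the object."""
    for caps in cl.values():
        caps.pop(o, None)

# --- slide 21: conversion and gateway check ----------------------------------
def cl_to_acl(cl):
    """CL -> ACL is straightforward: regroup the row view by object."""
    acl = {}
    for s, caps in cl.items():
        for o, rights in caps.items():
            acl.setdefault(o, {})[s] = set(rights)
    return acl

def gateway_forward(cl, acl, s, o, r):
    """ACL -> CL path: the gateway verifies the capability, then the remote host
    still requires the subject and operation to appear in its own ACL."""
    return cl_check(cl, s, o, r) and acl_check(acl, o, s, r)

if __name__ == "__main__":
    acl, cl = to_acl(ACM), to_cl(ACM)
    locks, keys = make_lock_key(acl)
    print("alice write file1 via ACL:", acl_check(acl, "file1", "alice", "write"))
    print("bob write file1 via key:  ", lock_key_check(locks, "file1", "write", keys["bob"]["file1"]))
```

The asymmetry the slides describe shows up directly in the code: `acl_revoke` touches one entry held by the server, while `cl_delegate` creates a copy the server is unaware of, so `cl_revoke_all` has to sweep every subject's list.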

22 Part 2: Current Technology

23 Role-based Access Control (RBAC) Access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The operations that a user is permitted to perform are based on the user's role. Role hierarchies can be established to provide for the natural structure of an enterprise. Organizations establish the rules for the association of operations with roles.
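A minimal RBAC model with a role hierarchy, as an added example that is not from the presentation: users are assigned roles, permissions are attached to roles, and a senior role inherits the permissions of the junior roles below it. The roles, users, operations and object types are constructed; the walk over the hierarchy terminates even if a cycle is configured by mistake.

```python
"""Added example (not from the presentation): RBAC with a role hierarchy.
All roles, users and permissions below are constructed for illustration."""

# constructed hierarchy: role -> junior roles whose permissions it inherits
ROLE_PARENTS = {
    "physician": {"clinician"},
    "nurse":     {"clinician"},
    "clinician": {"staff"},
    "staff":     set(),
}
# the organization's rules: role -> permitted (operation, object type) pairs
ROLE_PERMS = {
    "staff":     {("read", "schedule")},
    "clinician": {("read", "chart")},
    "nurse":     {("write", "vitals")},
    "physician": {("write", "prescription")},
}
# user -> assigned roles (a user may hold several)
USER_ROLES = {"dr_lee": {"physician"}, "rn_kim": {"nurse"}, "clerk_ng": {"staff"}}

def effective_roles(role, parents=ROLE_PARENTS):
    """All roles reachable downward from `role`, including itself.
    Uses a visited set so a misconfigured cycle cannot loop forever."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(parents.get(r, set()))
    return seen

def permissions_of(user):
    """Union of the permissions of every role the user holds, hierarchy included."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        for r in effective_roles(role):
            perms |= ROLE_PERMS.get(r, set())
    return perms

def authorized(user, operation, object_type):
    """Access decision based on the user's roles, not on the user's identity."""
    return (operation, object_type) in permissions_of(user)

if __name__ == "__main__":
    for u in USER_ROLES:
        print(u, sorted(permissions_of(u)))
```

Changing what a physician may do means editing one entry in `ROLE_PERMS`, not every physician's row in a matrix; that is the administrative saving RBAC is meant to give.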

24 Application of Role-Based Access Control for Web Environment [2, Robles, R.J, 2004] Secure cookies provide three types of security services: authentication, integrity, and confidentiality. Authentication verifies the cookies’ owner. Integrity protects against unauthorized modification of cookies. Confidentiality protects against the cookies’ values being revealed to an unauthorized entity.

25

26

27

28 Part 3: Future Research

29 The PEI Framework for application-centric security [3, 4, Ravi Sandhu, 2009]

30 Reference
[1] Randy Chow, Theodore Johnson, “Distributed Operating Systems & Algorithms”, Addison Wesley, 1997
[2] Robles, R.J.; Min-Kyu Choi; Sang-Soo Yeo; Tai-hoon Kim, "Application of Role-Based Access Control for Web Environment," Ubiquitous Multimedia Computing, 2008. UMC '08. International Symposium on, pp. 171-174, 13-15 Oct. 2008
[3] Ravi Sandhu, The PEI Framework for Application-Centric Security, 2009
[4] Krishnan, Ram; Sandhu, Ravi; Ranganathan, Kumar, PEI models towards scalable, usable and high-assurance information sharing, Proceedings of the 12th ACM Symposium on Access Control Models and Technologies

31 Thank You Q & A

