Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Sushil Jajodia 2001 1 Recent Advances in the Flexible Access Control Models Duminda Wijesekera ise.gmu.edu/~duminda.html.

Published byKory Harrison Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright Sushil Jajodia 2001 1 Recent Advances in the Flexible Access Control Models Duminda Wijesekera ise.gmu.edu/~duminda.html."— Presentation transcript:

1 copyright Sushil Jajodia 2001 1 Recent Advances in the Flexible Access Control Models Duminda Wijesekera dwijesek@gmu.edu ise.gmu.edu/~duminda.html

2 copyright Sushil Jajodia 2001 2 OutlineOutline Access Control A Flexible Access Control Model Materialization Editing Rules Revoking Permissions Provisions and Obligations Access Constraints Concluding comments

3 copyright Sushil Jajodia 2001 3 OutlineOutline Integrity Information Assurance Intrusion Detection Final Remarks Access Control

4 copyright Sushil Jajodia 2001 4 Access Control Models Making them flexible Making them general

5 copyright Sushil Jajodia 2001 5 Access Control in Commercial Systems Unix –xrw xrw xrw Database management systems –Griffiths and Wade, ACM TODS 1976 –GRANT ON TO [WITH GRANT OPTION] –REVOKE [ON ] FROM

6 copyright Sushil Jajodia 2001 6 Need for Multiple Access Control Policies Closed policy Open policy Closed policy with negative authorizations and denials-take-precedence Closed policy with negative authorizations and most-specific-authorizations-take- precedence Static and dynamic separation of duty Chinese wall

7 copyright Sushil Jajodia 2001 7 Usual Approach Separation between policies high level guidelines and mechanisms implementing the policies –Policy neutral mechanism –For each policy a security server is specified –Security server maps the policy into mechanisms Change of policy  Change of server

8 copyright Sushil Jajodia 2001 8 Policy Neutral Mechanism User Policy Neutral Mechanism o,a Closed Policy Server u,o,ayes/no Open Policy Server

9 copyright Sushil Jajodia 2001 9 Flexible Authorization Framework An authorization is of the form s,o, a An authorization specification AS consists of a set of: –authorization cando, –derivation dercando, –conflict resolution do, –history done, and I –ntegrity error predicate symbols

10 copyright Sushil Jajodia 2001 10 Closed Policy in ASL dercando (u,o,+a)  cando(s,o,+a) & in(u,s). do (u,o,+a)  dercando(u,o,+a). error(s,o,a)  cando(s,o,-a). do (u,o,-a)  not do(u,o,+a).

11 copyright Sushil Jajodia 2001 11 Denials-take-precedenceDenials-take-precedence do (u,o,+a)  dercando(u,o,+a)& not dercando(u,o,-a). do (u,o,-a)  not do(u,o,+a).

12 copyright Sushil Jajodia 2001 12 Static Separation of Duty error()  do(s,budget,submitting) & do(s,budget,evaluating) & do(s,budget,approving).

13 copyright Sushil Jajodia 2001 13 Dynamic Separation of Duty error()  done(u,o,R,submitting,t) & done(u,o,R’,approving,t’) & done(u,o,R,approving,t’’) & typeof(o,Order).

14 copyright Sushil Jajodia 2001 14 Chinese Wall error()  done(u,o’,R,a’,t) & done(u,o,R’,a,t’) & typeof(o,Company-A) & typeof(o,Company-B).

15 copyright Sushil Jajodia 2001 15 Functional Architecture Propagation Policy Conflict Resol. + Decision Policy Integrity Constraints History Table Authorization Table USERUSER o,s,+a DECISIONDECISION

16 copyright Sushil Jajodia 2001 16 ReferenceReference Jajodia, Samarati, Sapino, Subrahmanian, “A united framework for supporting multiple access control polices,” ACM TODS, June 2001.

17 copyright Sushil Jajodia 2001 17 SemanticsSemantics A FAF specification forms a locally stratified logic program It has a unique stable model Stable model = well founded model

18 copyright Sushil Jajodia 2001 18 MaterializationMaterialization Access requests must be decided fast. Hence materialize FAF predicates –Most useful = DO Materialization algorithm reconstructs the unique stable model Looking up materialized rules are faster that backtracking.

19 copyright Sushil Jajodia 2001 19 Updating FAF Specifications

20 copyright Sushil Jajodia 2001 20 Example: Electronic Library System An article A that is published under project P can be made available to all members of P Any user at the rank of manager or above can access A If the user is a sponsor who funded the project or the writing of A, then A can be released only after a proprietary notice is added No one else should have access to the article.

21 copyright Sushil Jajodia 2001 21 Example: Sealed-bid Auctions Three kinds of participants –Auctioneer, Supplier, Bidders The supplier fills in the item to be auctioned, closing time, and the minimum price Bidders may submit a bid by specifying the item and a bidding price if the current time is before the close of the auction Auctioneer can fill in “no good” in the status field if the maximum price of all the bids = minimum price

22 copyright Sushil Jajodia 2001 22 Mobile Policy Grant on to with provision [ ] where [ has attribute | ]

23 copyright Sushil Jajodia 2001 23 ExampleExample Grant update on BalanceSheet to user1 with provision Add notice “For accounting Group Only” where user1 has attribute (group, accounting group) and (rank, manager of accounting group)

24 copyright Sushil Jajodia 2001 24 Another Example DoNotGrant write on PayrollEmployeeCheck to user1 with provision Notify PayrollSupervisor where user1 has attribute (group, payroll)

25 copyright Sushil Jajodia 2001 25 Auction Example cando(supplier_info, X, +rw)  in(X,supplier). cando(auctioneer_info,X, +r)  in(X,supplier). cando(auctioneer_info,X, +r)  in(X,bidder). cando(bid, A1, +r)  owner(bid, A1) and uid(A1). cando(status, auctioneer, +w(“No Good”))  current_top(A1) and field(minimum_price, A2) and A1 = A3. cando(status, auctioneer, +w(“Completed”))  current_top(A1) and field(minimum_price, A2) and A1 >= A2 and time(T) and field(closing_time, A3) and T >= A3.

26 copyright Sushil Jajodia 2001 26 ReferencesReferences Vinti Doshi, Amgad Fayad, Sushil Jajodia, Roswitha MacLean, “Using attribute certificates with mobile policies in electronic commerce applications,” Proc. 16th Annual Computer Security Applications Conf., New Orleans, LA, December 2000, pages 298-307. Sushil Jajodia, Michiharu Kudo, V. S. Subrahmanian, ``Provisional authorizations,'' Proc. 1st Workshop on Security and Privacy in E-Commerce, Athens, Greece, November 2000.

27 copyright Sushil Jajodia 2001 27 Final Remarks Cryptography is the solution Firewalls are the solution Intrusion detection systems are the solution

28 copyright Sushil Jajodia 2001 28 Focus is back on host security Access control DBMS security Application security

Download ppt "Copyright Sushil Jajodia 2001 1 Recent Advances in the Flexible Access Control Models Duminda Wijesekera ise.gmu.edu/~duminda.html."

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.

© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.
The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.

RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Copyright © 2004 Pearson Education, Inc.. Chapter 23 Database Security and Authorization.

Copyright © 2004 Pearson Education, Inc.. Chapter 23 Database Security and Authorization.
Database Management System

Database Management System
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Database Systems: Design, Implementation, and Management Eighth Edition Chapter 10 Transaction Management and Concurrency Control.

Database Systems: Design, Implementation, and Management Eighth Edition Chapter 10 Transaction Management and Concurrency Control.
Client-server database systems and ODBC l Client-server architecture and components l More on reliability and security l ODBC standard.

Client-server database systems and ODBC l Client-server architecture and components l More on reliability and security l ODBC standard.
Role Based Access Control Models Presented By Ankit Shah 2 nd Year Master’s Student.

Role Based Access Control Models Presented By Ankit Shah 2 nd Year Master’s Student.
Distributed Computer Security 8.2 Discretionary Access Control Models - Liang Zhao.

Distributed Computer Security 8.2 Discretionary Access Control Models - Liang Zhao.
Lecture 7 Access Control

Lecture 7 Access Control
Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.

Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Cheryl Ast Project Team Leader, Administrative Computing Services (949) 824-7367 CUMREC 2003 University of California, Irvine Tuesday, May.

Cheryl Ast Project Team Leader, Administrative Computing Services (949) CUMREC 2003 University of California, Irvine Tuesday, May.
Copyright ©2014 Pearson Education, Inc. Chapter 3 Requirements and Business Rules Chapter3.1.

Copyright ©2014 Pearson Education, Inc. Chapter 3 Requirements and Business Rules Chapter3.1.
Filename\location Agent Mediated Electronic Commerce Dr. Chris Preist HP Labs.

Filename\location Agent Mediated Electronic Commerce Dr. Chris Preist HP Labs.
10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

Similar presentations

Ads by Google