Access Control & Security Arch (ITIS 6210)
These 138 pages of class notes were uploaded by Rosendo Lind on Sunday, October 25, 2015. They belong to ITIS 6210 (Access Control & Security Arch) at the University of North Carolina - Charlotte, taught by Mohamed Shehab in Fall. The notes cover two lectures: Lecture 7 on XML security (the Author-X project) and a lecture on access control models (DAC, MAC, the access control matrix and the HRU model).
Date Created: 10/25/15
ITIS 6210/8210 Access Control, Lecture 7: XML Security
Dr. Mohamed Shehab, mshehab@uncc.edu

Outline
- Security requirements for web data
- Basic concepts of XML
- Security policies for XML data protection and release
- Access control mechanisms for XML data
- XML-based specification of security information
- XML security: future trends

Web Data Protection Requirements
- The web is becoming the main information dissemination means for many organizations.
- There is a strong need for models and mechanisms enabling the specification and enforcement of security policies for web data protection and release.

Web Data
- In the web environment, information distribution often takes the form of documents that are made available at web servers, or that are actively broadcast by web servers to interested clients.
- Documents may also be exchanged among the various servers.

Web Docs Protection Requirements
- Web documents may have a nested or hierarchical, interlinked structure, and different portions of the same document may have different protection requirements. => We need a wide spectrum of protection granularity levels.
- Web documents may have an associated intensional description of their structure: DTDs and XML Schemas for XML documents; data models describing the logical organization of data into web pages. => Policies specified both at the schema level and at the instance level.
- Documents with the same type and structure may have contents of different sensitivity degree. => Policies that take the document content into account (content-based policies).
- Supporting fine-grained policies could lead to the specification of a possibly high number of access control policies. => Need for mechanisms for exception management and authorization propagation.
- Heterogeneity of subjects: subjects accessing a web source may be characterized by different skills and needs, and may change dynamically. Conventional identity-based access control schemes are not enough. => Credentials based on subject characteristics and qualifications.
- In a web environment the traditional on-user-demand mode of performing access control is not enough. => Security policies enforcing both the pull and the push dissemination modes.

Dissemination Policies
[Figure: pull mode (the client sends a request, the server returns a view) and push mode (the server broadcasts the document to interested clients).]

Why XML?
- Because XML is a standard for data representation over the web.
- XML compatibility is thus an important requirement for security policy models and mechanisms for web data sources.

XML
- The building blocks of XML are tagged elements that can be nested at any depth in the document structure.
- Each tagged element has zero or more subelements and zero or more attributes.
- Elements can be linked by means of IDREF(S) attributes.
- Optional presence of a data type definition (DTD, XML Schema) describing the structure of documents.

An XML Document

    <WorldLawBulletin Date="8/8/1999">
      <Law Country="USA" RelatedLaws="LK75">
        <Topic>Taxation</Topic>
        <Summary>...</Summary>
      </Law>
      <Law Id="LK75" Country="Italy">
        <Topic>Import-Export</Topic>
        <Summary>...</Summary>
      </Law>
      <BluePageReport>
        <Section GeoArea="Europe">
          <Law Country="Germany">
            <Topic>Guns</Topic>
            <Summary>...</Summary>
          </Law>
        </Section>
        <Section GeoArea="NorthAmerica">
          <Law Country="USA">
            <Topic>Transportation</Topic>
            <Summary>...</Summary>
          </Law>
        </Section>
      </BluePageReport>
    </WorldLawBulletin>

Graph Representation
[Figure: the document above drawn as a tree (WorldLawBulletin with its Date attribute; Law nodes with Country attributes and Topic values Taxation, Import-Export, Guns, Transportation; Section nodes with GeoArea attributes) with the RelatedLaws IDREF drawn as a link from the USA law to law LK75.]

An XML DTD

    <!DOCTYPE WorldLawBulletin [
      <!ELEMENT WorldLawBulletin (Law*, BluePageReport)>
      <!ELEMENT Law (Topic, Summary)>
      <!ELEMENT Topic (#PCDATA)>
      <!ELEMENT Summary ANY>
      <!ELEMENT BluePageReport (Section*)>
      <!ELEMENT Section (Law*)>
      <!ATTLIST WorldLawBulletin Date CDATA #REQUIRED>
      <!ATTLIST Law Id ID #REQUIRED
                    Country CDATA #REQUIRED
                    RelatedLaws IDREFS #IMPLIED>
      <!ATTLIST Section GeoArea CDATA #REQUIRED>
    ]>

XML & Security: Two Main Issues
- Development of access control models, techniques, mechanisms and systems for protecting XML documents.
- Use of XML to specify security-relevant information: organizational policies, subject credentials, authentication information, encrypted contents.

The Author-X Project (Bertino et al.)
- Java-based system for XML data source protection.
- Security policy design and administration.
- Credential-based access control to XML document sources.
- Secure document dissemination and update.

Author-X Access Control Policies (ACPs)
- Set-oriented and document-oriented policies.
- Positive and negative policies at different granularity levels, to enforce differentiated protection of XML documents and DTDs.
- Controlled propagation of access rights.
- ACPs reflect user profiles through credential-based qualifications.

Enforcing Access Control: the Components of a Policy
- Subject specification
- Protection object specification
- Privilege
- Propagation option

Subject Specification
- User identifiers, OR
- Subject credential (credential expression). Example: X.age > 2 ... ; Programmer(X) AND X.country = Italy.

Protection Object Specification
- Identifies the portions of a document to which the authorization applies.
- We want to allow users to specify authorizations ranging from sets of documents down to single elements/attributes within documents.
- Specification on DTDs or on documents: (doc | DTD, path of element | element ids, attributes | links).

Privileges
- Browsing: read, navigate.
- Authoring: write, append, delete.

Propagation Option
- NO PROPAGATION: the authorization applies only to the specified element(s).
- FIRST LEVEL: it also applies to the direct subelements.
- CASCADE: it applies to the whole subtree.

Examples of Authorization Rules
- P1 = (LLoC Employee OR European Division Employee, WorldLawBulletin.Law, browse_all). This authorization rule authorizes the LLoC and European Division employees to view all laws not contained in the BluePageReport element, in all instances of WorldLawBulletin; the relations among laws (that is, the RelatedLaws attributes) are also displayed.
- P4 = (European Division Employee, WorldLawBulletin.BluePageReport.Section[GeoArea="Europe"], browse_all). This authorization rule authorizes the European Division employees to view the section pertaining to Europe of the BluePageReport, in all instances of WorldLawBulletin.
[Figures: the example document with the portions granted by P1 (the two top-level Law elements) and by P4 (the Section with GeoArea="Europe") highlighted.]

Author-X Access Control Component
[Figure: user access request -> Author-X (DOM / XQL) -> XML source.]
The access control component of Author-X enables:
- the enforcement of access control policies on top of an XML source;
- pull and push dissemination modes;
- a client/server architecture.

Information Pull Architecture
[Figure: CLIENT sends a query over the Internet to the web server; the server side hosts Excelon / the file system holding the XML source.]
Processing of a pull request: access control policy base + credential base -> pruning of the XML document -> pruned XML document -> query -> resulting view.
[Screenshots: Author-X access request and query result pages in a browser (Database Group, Universita di Milano).]

Push Dissemination Mode
- Since different subjects get different views, there is a wide range of protection granularities and a high number of subjects, the number of views can be too large.
- Solution: encryption techniques.
- The approach is based on encrypting different portions of the same document with different keys.
- The same encrypted copy is then broadcast to all subjects.
- Each subject receives only the keys for the portions he/she is enabled to see.

Information Push: Main Issues
- How to encrypt the documents in a source.
- Which and how many keys should be distributed to which subjects.
- How to securely and efficiently distribute keys to subjects, in such a way that keys are received only by the entitled subjects.

How to Encrypt Documents
- Document encryption is driven by the specified access control policies: all the document portions to which the same set of access control policies apply are encrypted with the same key.
- Thus, to determine which keys should be sent to a particular subject, it is only necessary to verify which access control policies apply to that subject and then send the keys associated with these policies.

Well-Formed Encryption
[Figures: a document tree whose nodes are labelled with the policy configurations that apply to them ({P1}, {P2}, {P3}, {P1,P3}, {P2,P3}); all nodes with the same configuration are encrypted with the same key (K1, K2, K3, K4). Summary: P1 -> K1; P2 -> K2; P3 -> K2, K3.]

Key Management
- Key assignment scheme such that, from the key associated with a policy P1, it is possible to derive the keys associated with all the policy configurations containing P1.
- Benefits: the system manages, in the worst case, a number of keys equal to the size of the policy base; each subject receives one key for each policy he/she satisfies.

Key Distribution: Two Modes
- Online: the XML source delivers both the keys and the encrypted document to the subjects.
- Offline: subjects retrieve the keys through further interactions with the XML source (e.g., an LDAP directory).

XML-Based Specification of Security Information: Why?
- It allows a uniform protection of XML documents and their security-related information.
- It facilitates the export and exchange of security information.

Goals
- Definition of an XML-based language for specifying security-related information for web documents: subject credentials; access control policies for web documents satisfying the previously stated requirements.
- An example: X-Sec, the XML-based language developed in the framework of Author-X.

X-Sec Credentials
- Credentials with similar structure are grouped into credential types.
- A credential is a set of simple and composite properties.
- Credential types are DTDs; credentials are XML documents.

X-Sec Credential Type

    <!DOCTYPE carrier_employee [
      <!ELEMENT carrier_employee (name, address, phone_number, email, company)>
      <!ELEMENT name (fname, lname)>
      <!ELEMENT address (#PCDATA)>
      <!ELEMENT phone_number (#PCDATA)>
      <!ELEMENT email (#PCDATA)>
      <!ELEMENT company (#PCDATA)>
      <!ATTLIST carrier_employee credID ID #REQUIRED
                                 CIssuer CDATA #REQUIRED>
    ]>

X-Sec Credential

    <carrier_employee credID="154" CIssuer="CA16">
      <name><fname>Bob</fname><lname>Watson</lname></name>
      <address>24 Baker Street</address>
      <phone_number>8005769840</phone_number>
      <email>bwatson@ups.com</email>
      <company>UPS</company>
    </carrier_employee>

X-Profiles
- To simplify credential evaluation, all the credentials a subject possesses are collected into an X-profile.

    <X-profile sbjID="bw585" PIssuer="CA16">
      <carrier_employee credID="154" CIssuer="CA16">
        <name><fname>Bob</fname><lname>Watson</lname></name>
        <address>24 Baker Street</address>
        <phone_number>8005769840</phone_number>
        <email>bwatson@ups.com</email>
        <company>UPS</company>
      </carrier_employee>
      <stockholder credID="254" CIssuer="CA16">
        <name>...</name>
        <company>
          <name>Paragon</name>
          <stock_number>400</stock_number>
          <stock_value>1000</stock_value>
        </company>
      </stockholder>
    </X-profile>

X-Sec Policy Specification
- An XML template for specifying credential-based access control policies.
- The template is general and flexible enough to model access control policies for a variety of web documents (e.g., HTML, XML).

X-Sec Policy Base Template

    <!DOCTYPE policyBase [
      <!ELEMENT policyBase (policySpec*)>
      <!ELEMENT policySpec (subject, object, priv, type, prop)>
      <!ELEMENT subject (userID | credential)>
      <!ELEMENT object EMPTY>
      <!ELEMENT priv EMPTY>
      <!ELEMENT type EMPTY>
      <!ELEMENT prop EMPTY>
      <!ELEMENT userID EMPTY>
      <!ELEMENT credential EMPTY>
      <!ATTLIST credential targetCredType CDATA #REQUIRED
                           credExpr CDATA #IMPLIED>
      <!ATTLIST object target CDATA #REQUIRED
                       path CDATA #REQUIRED>
      <!ATTLIST userID id CDATA #REQUIRED>
      <!ATTLIST priv value CDATA #REQUIRED>
      <!ATTLIST type value CDATA #REQUIRED>
      <!ATTLIST prop value CDATA #REQUIRED>
    ]>

Instantiation for XML Sources

    <policyBase>
      <policySpec>
        <subject><credential targetCredType="ACM_member"/></subject>
        <object target="SigmodRecord.xml" path="issues"/>
        <priv value="READ"/>
        <type value="grant"/>
        <prop value="cascade"/>
      </policySpec>
      <policySpec>
        <subject><credential targetCredType="noACM_member"/></subject>
        <object target="SigmodRecord.xml" path="issues"/>
        <priv value="READ"/>
        <type value="grant"/>
        <prop value="cascade"/>
      </policySpec>
      <policySpec>
        <subject><credential targetCredType="noACM_member"/></subject>
        <object target="SigmodRecord.xml"
                path="issues/issuesTuple/articles/articlesTuple/abstract"/>
        <priv value="READ"/>
        <type value="deny"/>
        <prop value="noprop"/>
      </policySpec>
    </policyBase>

The third policy is the exception to the second: non-ACM members may read the issues, but the negative, non-propagating rule withholds the article abstracts.

Research Trends: Secure Publishing of XML Documents
- A new class of information-centered applications based on data dissemination.
- Possible scenarios: information commerce, digital libraries, electronic news, intra-company information systems.
- Security requirements: confidentiality, integrity, authenticity, completeness.

Secure Publishing: Traditional Architecture
- The Owner is the producer of the information; it specifies the access control policies and answers subject queries.
[Figure: subjects query the information owner directly.]

Third-Party Architecture
- The Publisher is responsible for managing a portion of the Owner's information and for answering subject queries.
- Benefits: scalability; no bottleneck at the Owner.
[Figure: the Owner sends the security-enhanced XML (SE-XML) document and the policy configuration to the Publisher; the subject sends a query with its credentials to the Publisher and receives a reply document.]

Security-Enhanced XML Document
- Merkle signature of the document.
- Policy information: the identifiers of the policies that apply to the document, and information about the set of policies that applies to each specific element/attribute.
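The following is an added example, not Author-X code: it evaluates credential-based authorization rules of the form (subject credentials, object path, privilege, sign, propagation option) over the WorldLawBulletin document and produces the pruned view that the pull architecture above returns. Rules P1 and P4 from the lecture are encoded as given; the third rule (a non-propagating deny on the US law's Summary for LLoC employees) and the deny-overrides conflict resolution are assumptions of this example, chosen to show exception management the way the third X-Sec policy above does. Object paths are ElementTree XPath expressions relative to the document root, and the summary texts are constructed.

```python
# Added example (not Author-X code): credential-based authorization rules with
# propagation options, evaluated over an XML document to build a subject's pruned view.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: the WorldLawBulletin document of the lecture, with made-up summaries.
WORLD_LAW_BULLETIN = """<WorldLawBulletin Date="8/8/1999">
  <Law Country="USA" RelatedLaws="LK75">
    <Topic>Taxation</Topic><Summary>US tax summary</Summary>
  </Law>
  <Law Id="LK75" Country="Italy">
    <Topic>Import-Export</Topic><Summary>Italian trade summary</Summary>
  </Law>
  <BluePageReport>
    <Section GeoArea="Europe">
      <Law Country="Germany"><Topic>Guns</Topic><Summary>German gun summary</Summary></Law>
    </Section>
    <Section GeoArea="NorthAmerica">
      <Law Country="USA"><Topic>Transportation</Topic><Summary>US transport summary</Summary></Law>
    </Section>
  </BluePageReport>
</WorldLawBulletin>"""

NO_PROP, FIRST_LEVEL, CASCADE = "noprop", "first_level", "cascade"


@dataclass(frozen=True)
class Policy:
    cred_types: frozenset  # subject specification: holders of any listed credential type
    path: str              # protection object: ElementTree XPath, relative to the root
    priv: str              # privilege ("browse" here)
    sign: str              # "grant" or "deny"
    prop: str              # propagation option


# P1 and P4 as stated in the lecture, plus one deny rule (an addition of this example).
LECTURE_POLICIES = [
    Policy(frozenset({"LLoC_employee", "EuropeanDivision_employee"}), "Law", "browse", "grant", CASCADE),
    Policy(frozenset({"EuropeanDivision_employee"}), "BluePageReport/Section[@GeoArea='Europe']",
           "browse", "grant", CASCADE),
    Policy(frozenset({"LLoC_employee"}), "Law[@Country='USA']/Summary", "browse", "deny", NO_PROP),
]


def _targets(root, policy):
    """Nodes a policy applies to: the matched nodes plus those reached by propagation."""
    nodes = set()
    for m in root.findall(policy.path):
        nodes.add(m)
        if policy.prop == FIRST_LEVEL:
            nodes.update(list(m))       # direct subelements only
        elif policy.prop == CASCADE:
            nodes.update(m.iter())      # m and all of its descendants
    return nodes


def authorized_nodes(root, policies, subject_creds, priv):
    """Deny-overrides resolution (an assumption of this example): a node is
    authorized iff some applicable grant exists and no applicable deny."""
    granted, denied = set(), set()
    for p in policies:
        if p.priv != priv or not (p.cred_types & subject_creds):
            continue
        (granted if p.sign == "grant" else denied).update(_targets(root, p))
    return granted - denied


def view_tree(xml_text, subject_creds, policies=LECTURE_POLICIES, priv="browse"):
    """Prune the document to the subject's view. Unauthorized subtrees disappear; an
    unauthorized ancestor of an authorized node survives only as a bare connector
    element (no attributes, no text). Returns None if nothing is authorized."""
    root = ET.fromstring(xml_text)
    allowed = authorized_nodes(root, policies, frozenset(subject_creds), priv)
    if not allowed:
        return None
    parent = {c: p for p in root.iter() for c in p}
    keep = set(allowed)
    for n in allowed:  # keep the path from the root down to every authorized node
        while n in parent:
            n = parent[n]
            keep.add(n)

    def rebuild(node):
        out = ET.Element(node.tag)
        if node in allowed:
            out.attrib.update(node.attrib)
            out.text = node.text
        for c in node:
            if c in keep:
                out.append(rebuild(c))
        return out

    return rebuild(root)


def view_xml(xml_text, subject_creds, policies=LECTURE_POLICIES):
    """Serialized form of view_tree(), for returning to a client."""
    tree = view_tree(xml_text, subject_creds, policies)
    return None if tree is None else ET.tostring(tree, encoding="unicode")
```

A European Division employee sees both top-level laws (P1, cascading to Topic and Summary) and the Europe section of the BluePageReport (P4), with the BluePageReport element itself kept only as an empty connector; an LLoC employee sees the laws but not the US Summary; a subject holding only a stockholder credential gets no view at all.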
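The push-mode scheme described above (one ciphertext for everybody, one key per policy per subject, configuration keys derivable from any member policy's key) can be realized as in the following added example. It is not Author-X's key-assignment scheme; it uses a standard public-token construction: the owner draws a random key K_C for each policy configuration C and publishes, for every policy P in C, the token T[C,P] = K_C xor HMAC(K_P, C), so that a holder of K_P recovers K_C. The cipher is an HMAC-SHA256 keystream used only to keep the block dependency-free (a real system would use an AEAD cipher), and the document portions and their policy configurations are constructed to mirror the well-formed encryption figures.

```python
# Added example (not Author-X code): push-mode dissemination. Portions of one document
# are encrypted under per-policy-configuration keys; every subject gets the same
# ciphertext plus one key per policy it satisfies, and derives configuration keys
# from public tokens. The stream cipher below is an HMAC-SHA256 keystream used only
# to keep the example self-contained; a real system would use an AEAD cipher.
import hashlib
import hmac
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return _xor(data, stream)


def _config_label(config) -> bytes:
    return "|".join(sorted(config)).encode()


def _mask(policy_key: bytes, config) -> bytes:
    """Per-(policy, configuration) mask that only a holder of the policy key can compute."""
    return hmac.new(policy_key, b"cfg:" + _config_label(config), hashlib.sha256).digest()


class Owner:
    """Source side: one random key per policy in the policy base; a configuration key
    K_C for each set C of policies applying to some node, made derivable from any member
    policy key K_P through the public token T[C,P] = K_C xor mask(K_P, C)."""

    def __init__(self, policies):
        self.policy_keys = {p: os.urandom(32) for p in policies}
        self.config_keys = {}
        self.tokens = {}  # public: (frozenset config, policy) -> token

    def config_key(self, config):
        config = frozenset(config)
        if config not in self.config_keys:
            k = os.urandom(32)
            self.config_keys[config] = k
            for p in config:
                self.tokens[(config, p)] = _xor(k, _mask(self.policy_keys[p], config))
        return self.config_keys[config]

    def encrypt_document(self, portions):
        """portions: {node_path: (set of policies applying to the node, plaintext bytes)}.
        Returns the single broadcast copy: {node_path: (config, nonce, ciphertext)}."""
        out = {}
        for path, (config, plaintext) in portions.items():
            config = frozenset(config)
            nonce = os.urandom(16)
            out[path] = (config, nonce, _keystream_xor(self.config_key(config), nonce, plaintext))
        return out


def derive_config_key(policy, policy_key, config, tokens):
    """Subject side: K_C = T[C,P] xor mask(K_P, C); None if P is not a member of C."""
    token = tokens.get((frozenset(config), policy))
    return None if token is None else _xor(token, _mask(policy_key, config))


def decrypt_for_subject(broadcast, subject_policy_keys, tokens):
    """Decrypt every portion whose configuration contains a policy the subject holds a key for."""
    view = {}
    for path, (config, nonce, ciphertext) in broadcast.items():
        for policy, key in subject_policy_keys.items():
            k = derive_config_key(policy, key, config, tokens)
            if k is not None:
                view[path] = _keystream_xor(k, nonce, ciphertext)
                break
    return view


# Constructed sample mirroring the lecture figures: nodes labelled with the
# policy configurations {P1}, {P2}, {P3}, {P1,P3}, {P2,P3}.
SAMPLE_PORTIONS = {
    "/Law[1]": ({"P1"}, b"law visible under P1"),
    "/Law[2]": ({"P2"}, b"law visible under P2"),
    "/Law[3]": ({"P3"}, b"law visible under P3"),
    "/Section[1]": ({"P1", "P3"}, b"section visible under P1 or P3"),
    "/Section[2]": ({"P2", "P3"}, b"section visible under P2 or P3"),
}
```

A subject satisfying only P1 receives K_P1 and can open exactly the {P1} and {P1,P3} portions; a subject satisfying P2 and P3 receives two keys and opens everything except the {P1} portion. The owner needs to retain only the policy keys: any configuration key can be recomputed from a policy key and the public token, which is the "number of keys equal to the size of the policy base" property. Online key distribution would ship the policy keys with the broadcast; offline distribution would publish the tokens and let subjects fetch their policy keys from a directory.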
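The Merkle signature carried by the security-enhanced document, and the Merkle hash paths that let a subject check a publisher's reply for authenticity and completeness, are shown in the following added example (it is not the system's own code). The hash function, the exact concatenation order and the placeholder tag `MhPath` are choices of this example; an HMAC under an owner key stands in for the owner's digital signature so that the block runs offline, and the newspaper document is constructed after the lecture's figures.

```python
# Added example (not the lecture system's code): Merkle hashing of an XML document,
# an owner signature over the root hash (HMAC stand-in for a digital signature), and a
# publisher reply in which pruned subtrees are replaced by their Merkle hashes so the
# subject can recompute the root hash and verify authenticity and completeness.
import hashlib
import hmac
import xml.etree.ElementTree as ET

MH_PATH = "MhPath"  # placeholder tag carrying the Merkle hash of a pruned subtree

# Constructed sample: the newspaper document sketched in the lecture figures.
NEWSPAPER = """<Newspaper title="The Daily" date="2001-05-01">
  <FrontPage><article topic="economy"><Author>A. Smith</Author><title>Markets</title><paragraph>p1</paragraph></article></FrontPage>
  <PoliticPage><article topic="election"><Author>B. Jones</Author><title>Votes</title><paragraph>p2</paragraph></article></PoliticPage>
  <SportPage><article topic="football"><Author>C. Lee</Author><title>Final</title><paragraph>p3</paragraph></article></SportPage>
</Newspaper>"""


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_hash(elem) -> bytes:
    """MhX(e) = h( h(tag) || h(attr_1) || ... || h(text) || MhX(child_1) || ... ).
    An MhPath placeholder stands for the subtree it replaced and contributes its hash."""
    if elem.tag == MH_PATH:
        return bytes.fromhex(elem.attrib["value"])
    parts = [_h(elem.tag.encode())]
    parts += [_h(f"{k}={v}".encode()) for k, v in sorted(elem.attrib.items())]
    parts.append(_h((elem.text or "").strip().encode()))
    parts += [merkle_hash(c) for c in elem]
    return _h(b"".join(parts))


def sign_document(xml_text: str, owner_key: bytes) -> bytes:
    """Owner: the Merkle signature is a signature over the root Merkle hash (HMAC stand-in)."""
    return hmac.new(owner_key, merkle_hash(ET.fromstring(xml_text)), hashlib.sha256).digest()


def reply_document(xml_text: str, keep):
    """Publisher: a copy of the document in which every subtree not selected by
    keep(node) is replaced by <MhPath value=.../> holding that subtree's Merkle hash."""
    def copy(elem):
        out = ET.Element(elem.tag, dict(elem.attrib))
        out.text = elem.text
        for c in elem:
            out.append(copy(c) if keep(c) else ET.Element(MH_PATH, {"value": merkle_hash(c).hex()}))
        return out
    return copy(ET.fromstring(xml_text))


def verify_reply(reply, signature: bytes, owner_key: bytes) -> bool:
    """Subject: recompute the root Merkle hash from the reply, using the hash-path
    placeholders for the pruned parts, and check it against the owner's signature."""
    expected = hmac.new(owner_key, merkle_hash(reply), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)
```

The publisher cannot alter the content it forwards (authenticity), and it cannot silently drop an element (completeness): a deletion without the corresponding `MhPath` hash breaks the root hash, while a deletion with it tells the subject exactly where something was withheld, so that it can confront that position with the policy information in the security-enhanced document.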
TS62 082 O 68 Merkle Signature mu title M a e Front a e Politicpage Literarypage Sportpage 4 L d39 Paragraphs Author topic Author title paragraph uthor title MhXAUI orhhAuthor hAuthorvaue top Author z t0P Author title topic Author MhXtitlehhtitle htitlevalue MhXpa graphhhparagraph hparagraphcontent MhXAuthor MhXtitle TS62 082 O title 69 I erkle Signature mssl mm 70 erkle Signature IVIhXNewspaper 0 MhXIVhX Merkle Signature of Newspaper XML le mssl mm 7 eply document We News a a date Politic page Literaryjage Smrtjage I Jf r fa J 6 mm 1 h paragaph pavagap w W mDIC Duthor S g S A7 If bopic pumr 555 how Pumor title Rootreply o Sig n 6 MhPath MhPath I Duthcr we topic mthcr u d Author me toDIc Aulhor title erkle Signature h Merkle Hash Path ITIS62 082 o 72 Main References E Bertino and E Ferrari Secure and Selective Dissemination of XML Documents ACM Trans on Information System and Security to appear E Bertino S Castano e E FerrariAuthor X a Comprehensive System for Securing XML Documents IEEE Internet Computing May 200 E Bertino S Castano e E Ferrari Securing XML Documentsthe AuthorX Project Demonstration Proc of the ACM SIGMOD Conference 200 Bertino Castano c a Mesiti Specifying ancl Enforcing Access Control Policies for XML Document Sources World Wide Web journal 33 2000 TS62 082 0 73 ITIS 62l0l82 I 0 Access Control Mohamed Shehab mshehabunccedu Overview 0 Access Control 0 Basic definitions 0 Discretionar Access Control DAC 0 Mandatory Access Control MAC 0 Other Models 0 Access Control Matrix 0 HRU Model 0 Leak Safety and Security 0 Decidability Access Control basic concepts 0 An access control system regulates the operations that can be executed on data and resources to be protected 0 Its goal is to control operations executed by subects in order to I revent actions that could damage data and resources 0 Access control is typically provided as part of the operating system and of the database management system DBMS Access Control basic concepts Q The ver nature of 
access control suwests that there is an active subject requiring access to a passive object to perform some specific access operation A reference monitor grants or denies access This fundamental and simple notion of access control is due to Lampson 0 B Lampson ProtectionACM Operating System Reviews 8 I974 quot l l ll Access Control Mechanism o It is typically a software system implementing the access control functionservice It is usualll I art of other systems 0 The access control mechanism uses access control pOlCeS to deCIde Whether to grant or deny a subject access to a requested resource We will refer to an access control system as system comprising an access control mechanism and all the information required to take access control decisions for example access permissions Object 0 An thinv that holds data such as DB relations directories interprocess messages network ackets lO devices or h sical media 0 We often refer to objects cw V u he access control system as protection objects 0 Note that not all resources managed by a system need to be protected Subject 0 An abstraction of any active entity that performs operations in tne system 0 Subjects can be classified into 0 users single individuals connecting to the system 0 groups SEtS Of users 0 roles named collections of privileges functional entities within the organization 0 processes executing programs on behalf of users 0 Relations may exist among the various types of subjects Access Operations Access Modes 0 Operations that a subject can exercise on the protected objects in the system 0 Each type of operation corresponds to an access moae The basic idea is that several different types of operations may be executed on a given type of object the access control system must be able to control these types of operations 0 Simple example of access modes is 0 Read look at the contents of an object 0 Write change the contents of an object Access Operations Access Modes 0 In reality there is a large variety of access 
modes 0 The access modes supported by an access control mechanism depend on the resources to be protected read write execute select insert update de ete Often an access control 5 stem uses modes with the same name for ifferent types of ob39ect the same mode can correspond to diflerent operations when applied to different objects Access Operations Access Modes Example 0 Unix o eratin s stem 0 Access modes defined for files read reading from a file 39 write writing to a file 39 execute executing a program file 0 Access modes defined for directories read list a directory contents write create or rename a file in a directory execute search a directory Access Operations Access Modes Example 0 Hypertext Transfer Protocol HTTP defines several methods indicating the desired action to be performed on the identified resource 0 GET Requests a representation of the specified resource The most common method used on the Web today 0 HEAD Asks for the response identical to the one that would correspond to a GET request but without the response body 0 POST Submits data to be processed eg from an HTML form to the identi ed resource The data is included in the body of the request 0 DELETE Deletes the specified resource Access Operations Access Permissions and Attributes How does the reference monitor decides whether to give access or not 0 Main approaches 0 It uses access permissions Typical of discretionary access control DAC models 39 It uses information often referred to as attributes concerning subjects and objects 0 Typical of multilevel access control MAC models 0 More innovative approaches have been developed where access permissions can be also expressed in terms of object and subject attributes and even context parameters Access Operations Access Permissions Access Control Policies Access Permissions Access permissions also called authorizations are expressed in terms of subjects objects and access modes From a conceptual point of view an access permission is a tuple lt5 0 
agt where 0 s is a subject 0 o is an object 0 a is an access mode It states that subject 5 has the permission to execute operation a on object 0 We also say that s has access rigm a on object 0 Example the access permission ltBob Read Fgt states that Bob has the permission to read file Fl Access Permissions DUDjeCtS ODJGCES and access moaes can be organized into hierarchies The semantics of the hierarchy depends on the domain 0 The use of hierarchies has two important advantages 0 It reduces the number of permissions that need to be entered into the access control system thus reducing administration costs 0 Combined with negative authorizations to be discussed later on it supports the specification of exceptions Object Hierarchy PARTOF directory TS62082I0 I6 Role Hierarchy technical manager senior mIe 39x A k lt3 W s w REGquot x 1 r 39 y z w xquot 77quot quotg i v 1 z x f I K A I A 1 V f TS62082I0 I7 Group Hierarchy GROUP MEMBERSHIP University 7 group CS Dept group member 0 Suppose that the group CS department has 200 members and the University group 5000 members suppose we have the policy that the department calendar can be read by all members of the University and written to only by the members of CS these policies can be encoded into two access permissions of the form 0 ltUniversity calendar Readgt ltCS Dept calendarWritegt Access Mode Hierarchy SUBSUMPTION write mode read implied mode Groups and Negative Permissions 0 Groups can be seen as an intermediate level between users and objects 0 An xmll if an ideal srld chore all access permissions are mediated by groups Sl Q 53 55 Users gl Groups Groups and Negative Permissions Often access control policies have special cases wnere It proves convenlent to gIve some user a permission for an object directly or den a user a ermission that it would normally derive from its membership in some group 0 A negative permission specifies an operation that a subject is not allowed to perform 0 Re resentinv nevative ermissions re 
uires extending our simple tuple model with an additional component 0 lt5 0 a signgt where SignE Groups and Negative Permissions 0 An example in which not all access permissions are mediated through groups o a as Users Groups Objects Ownership and Administration 0 A lte uestion when dealin with access control is who specifies which subjects can access which objects for which operations o In the case of ermissions this means specifying which are the subjects that can enter permissions Ownership and Administration Two basic options Discretionary approach 0 The owner of a resource decides who is allowed to have access 0 But thenwho is the owner of a resource Mandatory approach 0 A systemwide policy decrees who is allowed to have access 0 These approaches are the conventional ones 0 Today we need more sophisticated approaches 0 cf the column M Donner Whose Data are TheseAnyway Security amp Privacy MayJune 2004 DAC and MAC 0 Two main categories 0 DiscretionaryAccess Control Models DAC Definition Bishop p53 If an individual user can set an access control mechanism to allow or deny access to an object that mechanism is a discretionary access control DAC also called an identitybased access control IBAC O Mandatory Access Control Models MAC Definition Bishop p53When a system mechanism controls access to an object and an individual user cannot alter that access the control is a mandatory access control MAC occasionally called a rulebased access control Other Models 0 Other models 0 The Chinese Wall Model it combines elements of DAC and MAC 0 RBAC Model it is a DAC model however it is sometimes considered a policyneutral model 0 The Biba Model relevant for integrity 0 The InformationFlow model generalizes the ideas underlying MAC Discretionary Access Control ITI562 082 O 27 DAC DAC policies govern the access of subjects to objects on the basis of subjects39 identity objects identity and permissions 0 When an access request is submitted to the system the access control 
mechanism verifies whether there is a permission authorizing the access 0 Such mechanisms are discretionary In that they allow subjects to grant other subjects authorization to access their objects at their discretion DAC Pros and Cons Advantages O Flexibility in terms of policy specification 0 Supported by all OS and DBMS Drawbacks o No information flow control Trojan Horses attacks Access Control Structures 0 The most well known access control structures for DAC models are based on the notion of Access Control Matrix Let 0 S be a set of subjects 0 0 be a set of objects 0 A be a set of access modes 0 An access control matrix M on S O and A is defined as 0 M M50s E 506 0 with MSOCA The entry M50 specifies the set of access operations subject 5 can perform on object o Access Control Structures ExamplezAccess Control Matrix taXdoc editexe fundir Alice execute execute read Bill read write execute read write Access Control Structures ExamplezAccess Control Matrix File 1 File 2 Process 1 Process 2 PI OCCSS 1 1 11 0 r Ewe 0 W PI OCCSS 2 a 7 0 r e 0 r read w write a append 0 own e execute Access Control Structures Directl im lementin access control matrices is inefficient because in most cases these matrices are sparse Therefore two main implementations have been developed 0 Access control lists Used in DBMS and O eratinu S stems 0 Capabilities list Access Control List 0 An access control list ACL is a list of permissions attached to an object 0 In a ty icalA a L h entry in he list specifies a subject and an operation 0 For example the entry Bob delete on the ACL for file XYZ gives Bob permission to delete file XYZ Capabilities List 0 Ever subject has a list of capabilities 0 Each capability names an object and the set of legal operations on that object o In a typical CAL each entry in the list s ecifies an object and an o eration o For example the entry XYZ delete on the CAL for subject Bob gives Bob permission to delete file XYZ Basic Operations in Access Control 0 
Grant permissions 0 Inserting values in the matrix s entries Revoke permissions 0 Remove values from the matrix s entries 0 Check permissions o Verifying whether the entry related to a subject s and an object 0 contains a given access mode HRU and Access Control Matrix ITl5620820 37 The HRU Model HarrisonRuzzoUllman HRU have introduced some important concepts 0 The notion of authorization systems 0 The notion of safety HRU76 MHarrisonVV RuzzoJ Ullman Protection in Operating Systems Comm ofACM 98August I976 subjects Access Control Matrix Description objects entities 01 0m S1 Sn oSubjectsSmn Objects O olom Rights R rrk Entries Ms 0 g R Asoj rX ry means subject s has rights rx ry over object 0 Protection State Transitions State X 5 OiA State transitions change the protection state of system 0 39 represents transition o X IT Xi command I moves system from state X to X 0 X Xi a sequence of commands moves system from state X to XI 0 Access control matrix may change 0 Change command c associated with transition 0 Commands often called transormation I rocedures Primitive Operations The model includes six primitive operations for manipulating the set of subjects the set of objects and the access matrix Create object o 0 creates new column in ACM Create subject 5 0 creates new row column in ACM Destroy object o 0 deletes column 39rrom ALIVI Destroy subject 5 0 deletes row column from ACM Enter r into Aso 0 Adds r rights for subject 5 over object 0 Delete r from Aso 0 Removes r rights from subject 5 over object o Create Object Preconditionzo 93 O Primitive command create object o Postconditions OS39SO39OU0 0 VX e S39a39xo Q 0 VX E 5W E 0a39XYJ 0XY Create Subject Preconditionzs 93 S Primitive command create subject 5 Postconditions o S39Sus0390us W E 039a39539 1 VX E S39G39XS Q 0 VX E SVy E 0a39XY 0XY Add Right Preconditionzs E So E O Primitive command enter r into as o Postconditions O S39 S O39 O O a39so aso U r 0 WW 6 Sxo 50 039XY aXY Delete Right Preconditionzs 6 50 6 O 
Primitive command: delete $r$ from $a[s,o]$
Postconditions:
- $S' = S$, $O' = O$
- $a'[s,o] = a[s,o] \setminus \{r\}$
- $\forall (x,y) \in S' \times O' \setminus \{(s,o)\} : a'[x,y] = a[x,y]$

Destroy Subject
Precondition: $s \in S$
Primitive command: destroy subject $s$
Postconditions:
- $S' = S \setminus \{s\}$, $O' = O \setminus \{s\}$
- $\forall y \in O' : a'[s,y] = \emptyset$
- $\forall x \in S' : a'[x,s] = \emptyset$
- $\forall x \in S', \forall y \in O' : a'[x,y] = a[x,y]$

Destroy Object
Precondition: $o \in O$
Primitive command: destroy object $o$
Postconditions:
- $S' = S$, $O' = O \setminus \{o\}$
- $\forall x \in S' : a'[x,o] = \emptyset$
- $\forall x \in S', \forall y \in O' : a'[x,y] = a[x,y]$

Special Privileges: Copy and Grant
- Copy or grant right: the possessor can extend privileges to another
- Own right: the possessor can change their own privileges
- Principle of Attenuation of Privilege: a subject may not give rights it does not possess
  - Example: if Bob does not have read access to a file, then Bob should not be able to give read access to Alice

Creating a File
Process $p$ creates file $f$ with $r$ and $w$ permission:

  command create-file(p, f)
    create object f
    enter own into A[p, f]
    enter r into A[p, f]
    enter w into A[p, f]
  end

Mono-Operational Commands
Make process $p$ the owner of file $g$:

  command make-owner(p, g)
    enter own into A[p, g]
  end

Mono-operational command: a single primitive operation in this command.

Conditional Commands
- Mono-conditional command: a single condition in this command
- Let $p$ give $q$ the $r$ right over file $f$, but only if $p$ owns $f$:

  command grant-read-file-1(p, f, q)
    if own in A[p, f]
    then enter r into A[q, f]
  end

Multiple Conditions
Let $p$ give $q$ the $r$ and $w$ rights over $f$ if $p$ owns $f$ and $p$ has the $c$ right over $q$:

  command grant-read-write-file-2(p, f, q)
    if own in A[p, f] and c in A[p, q]
    then
      enter r into A[q, f]
      enter w into A[q, f]
  end

Copy Right
- Allows the possessor to give rights to another
- Often attached to a right, so it only applies to that right:
  - $r$ is a read right that cannot be copied
  - $rc$ is a read right that can be copied
- Is the copy flag copied when giving $r$ rights? Depends on the model, or on the instantiation of the model.

Own Right
- Usually allows the possessor to change entries in the object's ACM column, so the owner of an object can add or delete rights for others
- May depend on what the system allows:
  - Can't give rights to a specific set of users
  - Can't pass the copy
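The HRU state $X = (S, O, A)$ with the six primitive operations, each checking its precondition, and the commands above (create-file, make-owner, grant-read-file-1, grant-read-write-file-2) written on top of them, as an added Python example that is not part of the lecture notes. The class, function and right names are ours; `grant_attenuated` is our illustration of the attenuation principle with the owner exemption the notes mention, not an HRU primitive.

```python
# Added example (not from the lecture notes): HRU protection state, the six
# primitives with their preconditions, and the slide commands built from them.


class ProtectionState:
    """X = (S, O, A). Every subject is also an object, so S is a subset of O."""

    def __init__(self):
        self.S = set()   # subjects
        self.O = set()   # objects
        self.A = {}      # A[(s, o)] -> set of rights held by s over o

    # ---- the six primitive operations -------------------------------------
    def create_object(self, o):
        if o in self.O:                              # precondition: o not in O
            raise ValueError(f"object {o!r} already exists")
        self.O.add(o)
        for x in self.S:                             # new column, all entries empty
            self.A[(x, o)] = set()

    def create_subject(self, s):
        if s in self.S:                              # precondition: s not in S
            raise ValueError(f"subject {s!r} already exists")
        self.S.add(s)
        self.O.add(s)
        for y in self.O:                             # new row    a[s, y] = {}
            self.A[(s, y)] = set()
        for x in self.S:                             # new column a[x, s] = {}
            self.A[(x, s)] = set()

    def destroy_object(self, o):
        if o not in self.O:                          # precondition: o in O
            raise ValueError(f"no such object {o!r}")
        self.O.discard(o)
        for x in self.S:                             # drop the column
            self.A.pop((x, o), None)

    def destroy_subject(self, s):
        if s not in self.S:                          # precondition: s in S
            raise ValueError(f"no such subject {s!r}")
        self.S.discard(s)
        self.O.discard(s)
        for key in [k for k in self.A if s in k]:    # drop row and column
            del self.A[key]

    def enter(self, r, s, o):
        if s not in self.S or o not in self.O:       # precondition: s in S, o in O
            raise ValueError(f"no entry A[{s!r}, {o!r}]")
        self.A[(s, o)].add(r)

    def delete(self, r, s, o):
        if s not in self.S or o not in self.O:
            raise ValueError(f"no entry A[{s!r}, {o!r}]")
        self.A[(s, o)].discard(r)

    def rights(self, s, o):
        return frozenset(self.A.get((s, o), ()))


# ---- commands composed of primitives (and optionally conditions) -------------
def create_file(X, p, f):
    """Process p creates file f and receives own, r and w on it."""
    X.create_object(f)
    X.enter("own", p, f)
    X.enter("r", p, f)
    X.enter("w", p, f)


def make_owner(X, p, g):
    """Mono-operational: one primitive, no condition."""
    X.enter("own", p, g)


def grant_read_file_1(X, p, f, q):
    """Mono-conditional: p gives q the r right on f only if p owns f."""
    if "own" in X.rights(p, f):
        X.enter("r", q, f)
        return True
    return False


def grant_read_write_file_2(X, p, f, q):
    """Two conditions: p owns f and p holds the c right over q."""
    if "own" in X.rights(p, f) and "c" in X.rights(p, q):
        X.enter("r", q, f)
        X.enter("w", q, f)
        return True
    return False


def grant_attenuated(X, p, o, q, r):
    """Attenuation of privilege (our helper): p may pass right r on o to q only
    if p holds r on o itself; the owner of o is exempt, as is usual in practice."""
    if r in X.rights(p, o) or "own" in X.rights(p, o):
        X.enter(r, q, o)
        return True
    return False
```

Each command returns whether its condition held, so a caller (or a test) can tell a refused grant from a granted one; the primitives raise on a violated precondition rather than silently creating entries, which is the behaviour the postconditions above assume.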
flag to a specific set of users

Attenuation of Privilege
- This principle dictates that you can't give rights you do not possess
- Restricts the addition of rights within a system
- Usually ignored for the owner. Why? The owner gives herself the rights, gives them to others, then deletes her own rights.

Key Points
- The access control matrix is the simplest abstraction mechanism for representing the protection state
- Transitions alter the protection state
- Six primitive operations alter the matrix
- Transitions can be expressed as commands composed of these operations and, possibly, conditions

The HRU Model: States
- The effects of a command are recorded as a change to the access matrix; usually the modified access control matrix is denoted by $M'$.
- Hence the access matrix describes the state of the protection system.
- What do we mean by the state of the protection system?
  - The state of a system is the collection of the current values of all memory locations, all secondary storage, all registers and all other components of the system.
  - The state of the protection system is the subset of such a collection that deals with the allocation of access permissions; it is thus represented by the access control matrix.

HRU Model: Leak
- Definition: a state (i.e. an access matrix $M$) is said to leak the right $r$ if there exists a command $c$ that adds the right $r$ into an entry of the access matrix that previously did not contain $r$. More formally, there exist $s$ and $o$ such that $r \notin M[s,o]$ and, after the execution of $c$, $r \in M'[s,o]$.
- The fact that a right is leaked is not necessarily bad: many systems allow subjects to give other subjects access rights.

HRU Model: Safe
- Definition: if a system can never leak the right $r$, the system is called safe with respect to the right $r$. If the system can leak right $r$ (enter an unauthorized state), it is called unsafe with respect to the right $r$.

HRU Model: Safety of States
- What do we mean by saying that a state is safe?
- Definition 1: access to resources without the concurrence of the owner is impossible [HRU76].
- Definition 2: the
user should be able to tell whether what he is about to do (give away a right, presumably) can lead to the further leakage of that right to truly unauthorized subjects [HRU76].

What is Secure?
- A secure system doesn't allow violations of policy.
- Is this a good definition? Can we use it?
- Alternative view, based on rights:
  - Start with the access control matrix $A$
  - Leak: commands can add right $r$ to an element of $A$ not containing $r$
  - Safe: the system is safe with respect to $r$ if $r$ cannot be leaked

HRU Safety
- Given:
  - an initial state $X_0 = (S_0, O_0, A_0)$
  - a set of primitive commands $c$
- Can we reach a state $X_n$ where $\exists s, o$ such that $A_n[s,o]$ includes a right $r$ not in $A_0[s,o]$?
  - If so, the system is not safe with respect to right $r$.
  - If not, then the system is safe with respect to right $r$.
- But is safe the same as secure?

Safe and Secure
- Safety refers to the abstract model; security refers to the actual implementation of the model.
- Example: an OS allows the network admin to read all network traffic. The system disallows all other users from reading this traffic. The network admin cannot communicate with other users. Thus there is no way for the right $r$ to be leaked from the network admin to the other users: the system is safe.
- The OS has a flaw: if a user specifies a certain file name in a file deletion system call, the user is able to obtain access to any file on the OS: the system is not secure.
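The HRU safety question above ("can we reach a state $X_n$ in which some $A_n[s,o]$ contains a right $r$ that $A_0[s,o]$ did not?") carried out by exhaustive search over a small protection system, as an added Python example that is not part of the lecture notes. The command set (the notes' grant-read-file-1 plus a second command that passes ownership) and the initial matrix are constructed sample data; with no create or destroy operations the set of reachable states is finite, so the search terminates and either returns a witness trace or certifies safety with respect to $r$. The encoding of commands and all names are ours.

```python
# Added example (not from the lecture notes): breadth-first search for a leak
# of a given right in a finite HRU system (no create/destroy commands).
from collections import deque
from itertools import product

# A command is (parameters, conditions, effects):
#   parameter: (name, kind) with kind "S" (subject) or "O" (object)
#   condition: (right, subject_param, object_param)  -> right in A[subject, object]
#   effect:    (action, right, subject_param, object_param), action "enter"/"delete"
COMMANDS = {
    # grant-read-file-1 from the notes: p gives q the r right on f if p owns f
    "grant_read": ((("p", "S"), ("f", "O"), ("q", "S")),
                   [("own", "p", "f")],
                   [("enter", "r", "q", "f")]),
    # constructed second command: an owner may make another subject an owner too
    "grant_own": ((("p", "S"), ("f", "O"), ("q", "S")),
                  [("own", "p", "f")],
                  [("enter", "own", "q", "f")]),
}


def apply_command(state, cmd, binding):
    """Run one command under a parameter binding; None if a condition fails.
    A state is a frozenset of (subject, object, right) triples, i.e. the matrix."""
    _, conditions, effects = cmd
    for right, sp, op in conditions:
        if (binding[sp], binding[op], right) not in state:
            return None
    new_state = set(state)
    for action, right, sp, op in effects:
        triple = (binding[sp], binding[op], right)
        if action == "enter":
            new_state.add(triple)
        else:
            new_state.discard(triple)
    return frozenset(new_state)


def find_leak(initial, subjects, objects, commands, right):
    """Explore every reachable protection state breadth-first.

    Returns (trace, (s, o)) for the first state in which `right` appears in an
    entry A[s, o] that did not contain it in `initial`, or None when the system
    is safe with respect to `right`. Subjects are also objects, as in HRU."""
    initial = frozenset(initial)
    domains = {"S": list(subjects), "O": list(subjects) + list(objects)}
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        state, trace = queue.popleft()
        for name, cmd in commands.items():
            params = cmd[0]
            for values in product(*(domains[kind] for _, kind in params)):
                binding = {pname: v for (pname, _), v in zip(params, values)}
                nxt = apply_command(state, cmd, binding)
                if nxt is None or nxt in seen:
                    continue
                step = trace + [(name, binding)]
                for s, o, r in nxt - initial:       # entries that gained a right
                    if r == right:
                        return step, (s, o)
                seen.add(nxt)
                queue.append((nxt, step))
    return None


def is_safe(initial, subjects, objects, commands, right):
    return find_leak(initial, subjects, objects, commands, right) is None


# Constructed sample system: alice owns and may read file f; bob and carol hold nothing.
SAMPLE_STATE = {("alice", "f", "own"), ("alice", "f", "r")}
SAMPLE_SUBJECTS = ["alice", "bob", "carol"]
SAMPLE_OBJECTS = ["f"]

if __name__ == "__main__":
    for r in ("r", "w", "own"):
        print(r, "->", find_leak(SAMPLE_STATE, SAMPLE_SUBJECTS, SAMPLE_OBJECTS, COMMANDS, r))
```

The witness for `r` is a single `grant_read` by alice, which is exactly the "leak that is not necessarily bad" the notes describe: the owner chose to share. The same search reports the system safe with respect to `w`, since no command ever enters that right. Once create commands are allowed the reachable state space is no longer finite and this brute-force check no longer terminates in general; that is the distinction HRU draw between restricted systems where safety is decidable and the general case.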