apter 3
Access Control
Discretionary Access Control
Agenda
1.
2.
Access Control
Discretionary Access Control
Access Control
“Access control” is where security engineering meets
computer science.
Its function is to control which (active) subject have access
to a which (passive) object with some specific access
operation.
subject
Access
request
Reference
monitor
object
Access Control
Determine whether a principal can perform a requested
operation on a target object
–
–
–
Principal: user, process, etc.
Operation: read, write, etc.
Object: file, tuple, etc.
Lampson defined the familiar access matrix and its two
interpretations ACLs and capabilities [Lampson70]
Why are we still talking about
access control?
An access control policy is a specification for an access
decision function
The policy aims to achieve
–
–
Permit the principal’s intended function (availability)
Ensure security properties are met (integrity, confidentiality)
•
•
Limit to “Least Privilege,” Protect system integrity, Prevent unauthorized
leakage, etc.
Also known as ‘constraints’
Enable administration of a changeable system (simplicity)
Example: Access Control
Prof Alice manages access to course objects
‣ Assign access to individual (principal: Bob)
‣ Assign access to aggregate (coursestudents)
‣ Associate access to relation (students(course))
‣ Assign students to project groups (student(course, project,
group))
Prof Alice wants certain guarantees
‣ Students cannot modify objects written by Prof Alice
‣ Students cannot read/modify objects of other groups
Prof Alice must be able to maintain access policy
‣ Ensure that individual rights do not violate guarantees
‣ However, exceptions are possible – students may distribute
their results from previous assignments for an exam
Access Control is Hard Because
Access control requirements are domainspecific
–
Generic approaches overgeneralize
Access control requirements can change
–
Anyone could be an administrator
The Safety Problem [HRU76]
–
Can only know what is leaked right now
Access is failsafe, but Constraints are not
–
And constraints must restrict all future states
Safety Problem
Determine if an unauthorized permission is leaked given
–
–
An initial set of permissions and
An access control system, mainly administrative operations
For a traditional approach, the safety problem is
undecidable
–
–
–
Access matrix model with multioperational commands
Main culprit is create – create object/subject with own rights
Prove reduction of a Turing machine to the multioperational
access matrix system
Safety Problem
Result led to
Safe, but limited models: takegrant, schematic protection
model, typed access matrix model
Further support for models in which the constraints are
implicit in the model
–
e.g., lattice models
Check safety on each policy change – constraint approach
of RBAC
Compare to Other CS Problems
Processor design
–
Hard, but can get some smart people together to construct one,
fixed, testable design
Network protocol design
–
TCP: A small number of control parameters necessary to manage
all reasonable options, within a layered architecture
–
Constraints, such as DDoS, are ad hoc
Software design
–
Specific goals in mind to achieve function, constraints are ad hoc
Access Control Models
Discretionary Access Matrix
–
UNIX, ACL, various capability systems
Mandatory (Usually) Access Matrix
–
TE, RBAC, groups and attributes, parameterized
Plus Transitions
–
DTE, SELinux, Java
Lattice Access Control Models
–
BellLaPadula, Biba, Denning
Predicate Models
–
ASL, OASIS, domainspecific models, many others
Safety Models
–
Takegrant, Schematic Protection Model, Typed Access Matrix
Administration
Discretionary Access Control
–
Users (typically object owner) can decide permission assignments
Mandatory Access Control
–
System administrator decides on permission assignments
Flexible Administrative Management
–
Access control models can be used to express administrative
privileges
Type Enforcement [BoebertKain84]
Group and Attributes
Access Control
Discretionary Access Control
–
–
–
–
Access Matrix Model
Implementation of the Access Matrix
Vulnerabilities of the Discretionary Policies
Additional features of DAC
Discretionary Access Control
•
•
•
•
Discretionary Access Control is an individual user can
set an access control mechanism to allow or deny
access to an object.
Relies on the object owner to control access.
DAC is widely implemented in most operating systems,
and we are quite familiar with it.
Strength of DAC: Flexibility: a key reason why it is
widely known and implemented in mainstream
operating systems.
Discretionary Access Control
v
v
v
Access to data objects (files, directories, etc.) is
permitted based on the identity of users.
Explicit access rules that establish who can, or
cannot, execute which actions on which resources.
Discretionary: users can be given the ability of
passing on their privileges to other users, where
granting and revocation of privileges is regulated
by an administrative policy.
Discretionary Access Control
v
v
DAC is flexible in terms of policy specification
This is the form of access control widely
implemented in standard multiuser platforms
Unix, NT, Novell, etc.
Limitation of DAC
Global policy: DAC let users to decide the access control
policies on their data, regardless of whether those policies are
consistent with the global policies. Therefore, if there is a global
policy, DAC has trouble to ensure consistency.
Information flow: information can be copied from one object to
another, so access to a copy is possible even if the owner of the
original does not provide access to the riginal copy. This has
been a major concern for military.
Malicious software: DAC policies can be easily changed by
owner, so a malicious program (e.g.,a downloaded
untrustworthy program) running by the owner can change DAC
policies on behalf of the owner.
Flawed software: Similarly to the previous item, flawed
software can be “instructed” by attackers to change its DAC
policies.
Discretionary Access Control
Access control matrix
–
–
–
Describes protection state precisely
Matrix describing rights of subjects
State transitions change elements of matrix
State of protection system
–
Describes current settings, values of system
relevant to protection
Access Control
Discretionary Access Control
–
–
–
–
Access Control Matrix Model
Implementation of the Access Matrix
Vulnerabilities of the Discretionary Policies
Additional features of DAC
Access Control Matrix Model
Access control matrix
–
–
–
Firstly identify the objects, subjects and actions.
Describes the protection state of a system.
State of the system is defined by a triple (S, O, A)
•
•
•
–
S is the set of subject,
O is the set of objects,
A is the access matrix
Elements indicate the access rights that subjects
have on objects
•
Entry A[s, o] of access control matrix is the privilege
of s on o
Description
subjects
objects (entities)
o1
s1
s2
…
sn
… om s1 … sn
Subjects S = { s1,…,sn }
Objects O = { o1,
…,om }
Rights R = { r1,…,rk }
Entries A[si, oj] R
A[si, oj] = { rx, …, ry }
means subject si has
rights rx, …, ry over
object oj
Boolean Expression Evaluation
ACM controls access to database fields
–
–
–
Subjects have attributes
Action/Operation/Verb define type of access
Rules associated with objects, action pair
Subject attempts to access object
–
Rule for object, action evaluated, grants or
denies access
Example
Subject Annie
–
Attributes role (artist), groups (creative)
Verb paint
–
Default 0 (deny unless explicitly granted)
Object picture
–
Rule:
Annie paint picture if:
‘artist’ in subject.role and
‘creative’ in subject.groups and
time.hour ≥ 0 and time.hour < 5