DISCRETIONARY ACCESS CONTROL
Tran Thi Que Nguyet
Faculty of Computer Science & Engineering
HCMC University of Technology
Outline
1. Introduction to Discretionary Access Control
2. Proposed Models for DAC
3. SQL for Data Control
4. DAC & Information Flow Controls
Homework: Case study in SQL Server 2008 – Reading chapter 4 – Access control for Databases: Concepts and Systems. Elisa Bertino, et al.
Ho Chi Minh City University of Technology
Faculty of Computer Science and Engineering
© 2011
Information Systems Security
Chapter 2: Introduction to DAC
Introduction to DAC
Discretionary Access Control (DAC):
• Users can protect what they own.
• The owner is given all privileges on their own data.
• The owner can define the type of access (read/write/execute/…) and grant access to others.
The typical method of enforcing DAC in a database system is based on granting and revoking privileges.
Introduction to DAC
Types of discretionary privileges:
• The account/system level: the administrator specifies the particular privileges that each account holds, independently of the objects in the database system.
• The object level: the administrator can control the privilege to access each individual object in the database system.
Introduction to DAC
The account/system level privileges (examples):
• CREATE SCHEMA
• CREATE TABLE
• CREATE VIEW
• ALTER
• DROP
• MODIFY
• SELECT
Introduction to DAC
The object level privileges
Data objects: relation or view
Includes:
• INSERT
• UPDATE
• DELETE
• REFERENCE
Proposed Models for DAC
• General definition: security model
• Access matrix model
• Take-Grant model
Security model
A security model provides a semantically rich representation in that it allows the functional and structural properties of the security system to be described.
A security model describes the protection needs of the system. It is a high-level, software-independent, conceptual model.
Types of security model:
• Discretionary model: a DAC model governs the access of users to information on the basis of the users' identity and of rules that specify, for each user and object in the system, the types of access the user is allowed on the object. A user's request to access an object is checked against the specified authorizations.
• Non-discretionary model
Access matrix model
An access matrix is a matrix correlating the subjects, the objects and the authorizations held by each subject on each object.
Authorization state: Q = (S, O, A)
• S (Subjects): a set of subjects, i.e. active entities that use system resources. Ex: user, group, process.
• O (Objects): a set of passive entities which must be protected, such as subjects and system resources. Ex: OS level: file, memory, segments, process. DB level: database, relation, attribute, record, field.
Access matrix model
Authorization state: Q = (S, O, A)
A: access matrix
• Row: subjects
• Column: objects
• A[s,o]: access modes
For DBs, A[s,o] also includes conditions that must be satisfied in order for s to exercise the access modes. Possible conditions: data-dependent (sal < 1000), time-dependent (8:00am-5:00pm), context-dependent (the "name-salary" pair is prohibited), history-dependent, …
The access matrix A (rows: subjects, columns: objects):

          O1          …    Oi          …    Om
    S1    A[s1,o1]         A[s1,oi]         A[s1,om]
    …
    Si    A[si,o1]         A[si,oi]         A[si,om]
    …
    Sn    A[sn,o1]         A[sn,oi]         A[sn,om]
Access matrix model
Figure: example access matrix with rows Role 1 and Role 2, and columns Asset 1 (a file) and Asset 2 (a device); each cell holds a subset of the access modes {read, write, execute, own}, e.g. one role holding read, write, execute and own on the file while the other holds only read.
Access matrix model
Model implementation:
• Capability list: for each subject S, the list {(O, A)} of objects and the access modes held on them.
  Alice → {(file X, {read, delete}), (file Y, {update})}
• ACL (access control list): for each object O, the list {(S, A)} of subjects and their access modes on it.
  File X → {(Alice, {read, delete}), (Bob, {read})}
  Each entry in the list specifies a subject and operation(s): for example, the entry (Alice, delete) on the ACL for file X gives Alice permission to delete file X.
Advantages & disadvantages of the two representations above, and of the model?
• Capability lists: to compute the set of subjects granted access on a given object, all lists must be gone through.
• ACLs: to find all objects a subject can access, all lists must be gone through.
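The authorization state Q = (S, O, A) and its two list-based implementations, worked through in Python as an added example (this is not code from the lecture): the matrix is stored once and projected into capability lists and ACLs, a reference-monitor check honours the data-dependent condition a DBMS can attach to an entry, and the two query functions make the asymmetry above concrete, since each must scan every list of its representation. The subjects, objects, rights and the sal < 1000 condition are constructed sample data.

```python
"""Access matrix model: Q = (S, O, A), capability lists and ACLs.
Added example for this lecture; the data below is constructed."""
from collections import defaultdict

# A[s, o] -> (set of access modes, optional condition on the accessed row).
# The condition models the data-dependent predicate a DBMS can attach to an
# entry (constructed example: Bob may read EMPLOYEE rows only where sal < 1000).
ACCESS_MATRIX = {
    ("Alice", "file_X"):   ({"read", "delete"}, None),
    ("Alice", "file_Y"):   ({"update"}, None),
    ("Bob",   "file_X"):   ({"read"}, None),
    ("Bob",   "EMPLOYEE"): ({"read"}, lambda row: row.get("sal", 0) < 1000),
}


def check(matrix, subject, obj, mode, row=None):
    """Reference-monitor decision: is `mode` in A[subject, obj], and does the
    accessed row satisfy the attached condition, if any? A missing entry
    means the subject holds nothing on the object (default deny)."""
    modes, cond = matrix.get((subject, obj), (set(), None))
    if mode not in modes:
        return False
    if cond is not None:
        return row is not None and bool(cond(row))
    return True


def capability_lists(matrix):
    """Row-wise storage: subject -> [(object, modes), ...]."""
    cl = defaultdict(list)
    for (s, o), (modes, _) in matrix.items():
        cl[s].append((o, frozenset(modes)))
    return dict(cl)


def access_control_lists(matrix):
    """Column-wise storage: object -> [(subject, modes), ...]."""
    acl = defaultdict(list)
    for (s, o), (modes, _) in matrix.items():
        acl[o].append((s, frozenset(modes)))
    return dict(acl)


def subjects_with_access(cl, obj, mode):
    """'Who may do `mode` on obj?' answered from capability lists: every
    subject's list has to be scanned, the CL weakness named on the slide."""
    return sorted(s for s, entries in cl.items()
                  for o, modes in entries if o == obj and mode in modes)


def objects_accessible_by(acl, subject):
    """'What can `subject` reach?' answered from ACLs: every object's list has
    to be scanned, the mirror-image weakness of ACLs."""
    return sorted(o for o, entries in acl.items()
                  for s, _ in entries if s == subject)


if __name__ == "__main__":
    cl, acl = capability_lists(ACCESS_MATRIX), access_control_lists(ACCESS_MATRIX)
    print("Alice may delete file_X:", check(ACCESS_MATRIX, "Alice", "file_X", "delete"))
    print("Bob reads sal=1200 row:", check(ACCESS_MATRIX, "Bob", "EMPLOYEE", "read", {"sal": 1200}))
    print("readers of file_X:", subjects_with_access(cl, "file_X", "read"))
    print("objects for Bob:", objects_accessible_by(acl, "Bob"))
```

Storing the matrix as a dictionary keyed by (subject, object) is the sparse representation a real system would use: a full n × m matrix is almost entirely empty, which is exactly why systems keep either its rows (capabilities) or its columns (ACLs) rather than the matrix itself.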
Figure: three representations of the same authorization state: (a) the set of triples <Si, Oj, A[Si, Oj]>, (b) capability lists (CL), (c) access control lists (ACL).
Take-Grant model
Authorization state: G = (S, O, E)
• V = S ∪ O is the set of vertices, with S ∩ O = ∅
• E is the set of labelled arcs
• take(d,s,x,y): the subject s takes the right d on the object/subject y from the object/subject x
Figure: take(d,s,x,y). Before: s --t--> x and x --d--> y. After: the arc s --d--> y is added, so s now holds d on y directly.
Take-Grant model
• grant(d,s,x,y): the subject s grants the right d on the object/subject y to the object/subject x
Figure: grant(d,s,x,y). Before: s --g--> x and s --d--> y. After: the arc x --d--> y is added, so x now holds d on y.
Take-Grant model
Access modes: read, write, take, grant
• Read, write: inert rights
• Take, grant: transport rights
Other rights:
• create(s, x): subject s creates object x (the arc is labelled with p, possess)
• removep(s, x): the possess right p on a subject/object x is removed from subject s
This model is classifiable as an access matrix model.
Disadvantages?
Take-Grant model
Disadvantages:
• Non-selectivity of administrative rights: all authorizations of a subject S owning a 'GRANT' authorization can be transferred, and all authorizations of an object/subject on which a 'TAKE' right is held can be taken.
• No control on the propagation of authorizations.
• Non-locality: S owning the grant privilege on O can give any of its privileges to O, thus augmenting the domain of O (the set of authorizations associated to O).
• Reversibility of the privilege transport flow.
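The take and grant rules from the previous slides, implemented as graph rewriting in Python (an added example, not code from the lecture). The protection graph below is constructed: subjects s, x and z, an object y, with s holding the take right on x, the grant right on z, and x holding read and write on y. The `takeable` query shows the non-selectivity disadvantage directly: once s has a take arc to x, there is no way to let s obtain just one of x's rights, so an auditor must treat every right of x as reachable by s.

```python
"""Take-Grant protection graph G = (S, O, E) with the take, grant, create and
removep rules. Added example for this lecture; the graph is constructed."""


class TakeGrantGraph:
    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.edges = {}  # (src, dst) -> set of right labels: r, w, t, g, p

    def add_vertex(self, name, subject=True):
        (self.subjects if subject else self.objects).add(name)

    def add_edge(self, src, dst, rights):
        self.edges.setdefault((src, dst), set()).update(rights)

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def take(self, d, s, x, y):
        """take(d,s,x,y): s holds 't' on x and x holds d on y; s obtains d on y."""
        if s not in self.subjects:
            raise PermissionError(f"{s} is not a subject and cannot apply rules")
        if "t" not in self.rights(s, x) or d not in self.rights(x, y):
            raise PermissionError(f"{s} cannot take {d} on {y} via {x}")
        self.add_edge(s, y, {d})

    def grant(self, d, s, x, y):
        """grant(d,s,x,y): s holds 'g' on x and d on y; x obtains d on y."""
        if s not in self.subjects:
            raise PermissionError(f"{s} is not a subject and cannot apply rules")
        if "g" not in self.rights(s, x) or d not in self.rights(s, y):
            raise PermissionError(f"{s} cannot grant {d} on {y} to {x}")
        self.add_edge(x, y, {d})

    def create(self, s, x, subject=False):
        """create(s,x): s creates x and receives the possess right 'p' on it."""
        self.add_vertex(x, subject)
        self.add_edge(s, x, {"p"})

    def removep(self, s, x):
        """removep(s,x): drop the possess right of s on x."""
        if (s, x) in self.edges:
            self.edges[(s, x)].discard("p")

    def takeable(self, s, x):
        """Every (right, target) that s could obtain through x. With a 't' arc
        to x the whole set is exposed: the non-selectivity disadvantage."""
        if "t" not in self.rights(s, x):
            return set()
        return {(d, y) for (src, y), ds in self.edges.items() if src == x for d in ds}


def example_state():
    """Constructed graph: s -t-> x, s -g-> z, x -{r,w}-> y."""
    g = TakeGrantGraph()
    for v in ("s", "x", "z"):
        g.add_vertex(v)
    g.add_vertex("y", subject=False)
    g.add_edge("s", "x", {"t"})
    g.add_edge("s", "z", {"g"})
    g.add_edge("x", "y", {"r", "w"})
    return g


if __name__ == "__main__":
    g = example_state()
    print("s could take via x:", sorted(g.takeable("s", "x")))
    g.take("r", "s", "x", "y")          # s now reads y
    g.grant("r", "s", "z", "y")         # and passes that right on to z
    print("z holds on y:", g.rights("z", "y"))
```

The rewrite rules only ever add arcs, which is the "no control on propagation" point: nothing in the model records who transferred a right or lets the original holder withdraw it again once it has spread.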
Other models
• Acten (Action-Entity) model
• Wood et al. model
See [S. Castano, M. Fugini, G. Martella, and P. Samarati (1995). Database Security, ACM Press & Addison-Wesley, ISBN 0-201-59375-0] + Internet
SQL for Data Control
Commands:
• GRANT
• REVOKE
Based on three central objects:
• Users
• Database objects
• Privileges: select, modify (insert, update, delete), reference
SQL for Data Control
GRANT: pass privileges on one's own database objects to other users
GRANT <privilege list> ON <database objects> TO <user list>
REVOKE: take back (cancel) privileges on one's own database objects from other users
REVOKE <privilege list> ON <database objects> FROM <user list>
SQL for Data Control
Propagation of privileges using the GRANT OPTION
Whenever the owner A of a relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION.
If the GRANT OPTION is given, this means that B can also grant that privilege on R to other accounts.
Limit horizontal propagation
Limit Vertical Propagation
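A Python model of the GRANT OPTION propagation slide together with the two propagation limits named by the last two slide titles, added here as an example (it is not code from the lecture or from any DBMS). The state is the list of GRANT statements executed so far, REVOKE cascades to grants that lose their support, and an audit query lists who holds a privilege. Because the slides give only the titles, the limit semantics are an assumption following the usual textbook reading: a horizontal limit i caps the number of accounts the grantee may pass the privilege on to, and a vertical limit j caps how many further levels it may travel, with j = 0 meaning the grantee may not pass it on at all. Neither limit is standard SQL. Accounts A1..A5 and the EMPLOYEE table are constructed.

```python
"""Privilege propagation with GRANT OPTION, cascading REVOKE and
horizontal/vertical propagation limits. Added example for this lecture;
the limit semantics are an assumption (not standard SQL), data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Grant:
    grantor: str
    grantee: str
    obj: str
    priv: str
    grant_option: bool
    horizontal: Optional[int] = None  # max onward grants the grantee may make
    vertical: Optional[int] = None    # max further levels below the grantee


class PrivilegeGraph:
    """Authorization state = executed GRANTs. The owner of an object holds
    every privilege on it with GRANT OPTION and is subject to no limits."""

    def __init__(self):
        self.owners = {}
        self.grants = []

    def create(self, owner, obj):
        self.owners[obj] = owner

    def holds(self, acct, obj, priv, with_option=False):
        if self.owners.get(obj) == acct:
            return True
        return any(g.grantee == acct and g.obj == obj and g.priv == priv
                   and (g.grant_option or not with_option) for g in self.grants)

    def _source(self, grantor, obj, priv):
        """The (first) grant through which a non-owner may pass priv on."""
        for g in self.grants:
            if g.grantee == grantor and g.obj == obj and g.priv == priv and g.grant_option:
                return g
        return None

    def grant(self, grantor, grantee, obj, priv, grant_option=False,
              horizontal=None, vertical=None):
        if not self.holds(grantor, obj, priv, with_option=True):
            raise PermissionError(f"{grantor} cannot grant {priv} on {obj}")
        src = self._source(grantor, obj, priv)
        if src is not None:  # limits attached to the grantor's own grant
            made = sum(1 for g in self.grants
                       if g.grantor == grantor and g.obj == obj and g.priv == priv)
            if src.horizontal is not None and made >= src.horizontal:
                raise PermissionError(f"{grantor} reached horizontal limit {src.horizontal}")
            if src.vertical is not None:
                if src.vertical <= 0:
                    raise PermissionError(f"{grantor} may not propagate {priv} further")
                if vertical is None or vertical > src.vertical - 1:
                    vertical = src.vertical - 1  # each level consumes one step
        self.grants.append(Grant(grantor, grantee, obj, priv, grant_option,
                                 horizontal, vertical))

    def revoke(self, grantor, grantee, obj, priv):
        """REVOKE with CASCADE semantics (simplified): drop the grant, then keep
        dropping grants whose grantor no longer holds the privilege with GRANT
        OPTION, until the state is stable."""
        self.grants = [g for g in self.grants
                       if not (g.grantor == grantor and g.grantee == grantee
                               and g.obj == obj and g.priv == priv)]
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                if not self.holds(g.grantor, g.obj, g.priv, with_option=True):
                    self.grants.remove(g)
                    changed = True

    def holders(self, obj, priv):
        """Audit view: every account currently holding priv on obj."""
        accts = {self.owners[obj]} if obj in self.owners else set()
        accts |= {g.grantee for g in self.grants if g.obj == obj and g.priv == priv}
        return sorted(accts)


def scenario():
    """Constructed: A1 owns EMPLOYEE; A2 gets SELECT WITH GRANT OPTION, limited
    to one onward grantee (horizontal 1) and one further level (vertical 1)."""
    db = PrivilegeGraph()
    db.create("A1", "EMPLOYEE")
    db.grant("A1", "A2", "EMPLOYEE", "SELECT", grant_option=True, horizontal=1, vertical=1)
    db.grant("A2", "A3", "EMPLOYEE", "SELECT", grant_option=True)  # A3 ends at vertical 0
    return db


if __name__ == "__main__":
    db = scenario()
    print("SELECT holders:", db.holders("EMPLOYEE", "SELECT"))
    db.revoke("A1", "A2", "EMPLOYEE", "SELECT")
    print("after revoking A2:", db.holders("EMPLOYEE", "SELECT"))
```

The cascade is the part worth noticing operationally: revoking one grant silently removes every grant that depended on it, so before a REVOKE on a production system the `holders` view (or the DBMS's own privilege catalog) should be checked to see who will lose access as a side effect.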