Access Control Intro, DAC and MAC
System Security

System Security
• It is concerned with regulating how entities use the resources in a system
• It consists of two main phases:
  • Authentication: uniquely identifying entities
  • Authorisation: assigning access rights to entities

Authentication Phase
• It is only concerned with identifying an entity against a known set of entities
  • Assigning a unique identifier to the entity (e.g., a user name)
  • Using a secret (supposedly) known only to that specific entity
  • Alternatively, using a unique feature that characterises the entity

Authorisation Phase
• Also known as Access Control
• "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner"
• It assumes users have already been
  • authenticated to the system
  • assigned access rights to certain resources on the system (for instance, by an admin)

Access Control Requirements
• Reliable Input
  • Authenticated entities
  • Genuine information
• Least Privilege
  • Entities are granted the minimum set of access rights they need
• Administrative Duties
  • Only a special entity should be able to manage access rights for other entities

Access Control Refinements
• Separation of Duty
• Fine vs. Coarse Specifications
• Open and Closed Policies
• (Automated) Conflict Resolution

Access Control Elements
• Subject - entity that can access objects
  • a process representing a user/application
• Object - access-controlled resource
  • e.g. files, directories, records, programs, etc.
• Access right - the way in which a subject accesses an object
  • e.g. read, write, execute, delete, create, search

Security Modules

Access Control Models
• Discretionary AC (DAC)
• Mandatory AC (MAC)
• Role-based AC (RBAC)
• Usage Control (UCON)
• Policy-based Access Control

Discretionary Access Control
• A means of restricting access to objects based on the identity of subjects and/or the groups to which they belong.
• The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to any other subject
• Subjects are able to assign rights to other subjects on the objects they control
• Model used in operating systems and DB management systems
• Often implemented using an access matrix

Access Control Matrix

Access Control List

Capability List
Capability Myths Demolished: http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf

Access Matrix Details

UNIX Access Control Lists
• Modern UNIX systems support ACLs
• Can specify any number of additional users / groups and their associated rwx permissions
• ACLs are optional extensions to the standard permission bits

Mandatory Access Control
• Entities cannot enable other entities to access their resources
• It enforces a lattice between the labels assigned to subjects and objects
  • security labels: how sensitive or critical a system resource is
  • security clearances: which entities are eligible to access certain resources

MAC: The Bell-LaPadula Model
The main goal is to control the confidentiality of information

MAC Confidentiality Rules
• Simple Security Property: No Read-Up
• *(Star)-property: No Write-Down
• Strong *(Star)-property: No Write-Down & No Write-Up

MAC: Biba Integrity Model
The main goal is to control the integrity of information

MAC Integrity Rules
• Simple Integrity Axiom: No Read-Down
• *(Star)-Integrity Axiom: No Write-Up

Where is MAC used
• BLP: implemented the multi-level security policy for the US Department of Defense
• Biba: implemented in the FreeBSD MAC policy
• A combination of BLP and Biba is used in Android

Summary
• Introduced access control principles
  • subjects, objects, access rights
• Discretionary Access Control
  • access matrix, access control lists (ACLs), capability tickets
  • UNIX traditional and ACL mechanisms
• Mandatory Access Control
  • Bell-LaPadula
  • Biba

Resources
• Chapter 8 in Mark
  Stamp, Information Security: Principles and Practice, Wiley 2011.
• Matt Bishop, Computer Security: Art and Science, Addison-Wesley 2003.

Questions?
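Worked example for the DAC slides (access matrix, ACL and capability views, and discretionary passing of rights). This is an added example, not code from the lecture; the subjects (alice, bob, carol), objects (payroll.db, report.txt) and rights are constructed for illustration, and the "own" control right that gates delegation is an assumption of this example rather than something the slides define. The matrix is closed-policy: a right that is not present is denied.

```python
"""Sparse access matrix with ACL (column) and capability (row) views,
plus discretionary delegation of rights by the owner of an object.

Added example; subjects, objects and the "own" control right are constructed
assumptions, not part of the original slides.
"""
from collections import defaultdict

# Access rights named on the slides
RIGHTS = {"read", "write", "execute", "delete", "create", "search"}
# Assumed control right: holding it on an object lets a subject grant/revoke
OWN = "own"


class AccessMatrix:
    """Rows are subjects, columns are objects, each cell is a set of rights."""

    def __init__(self):
        self._m = defaultdict(lambda: defaultdict(set))

    def grant(self, subject, obj, *rights):
        self._m[subject][obj].update(rights)

    def revoke(self, subject, obj, *rights):
        self._m[subject][obj].difference_update(rights)

    def check(self, subject, obj, right):
        """Reference-monitor decision (closed policy): absent means denied."""
        return right in self._m[subject].get(obj, set())

    def acl(self, obj):
        """Column view: the access control list attached to one object."""
        return {s: set(row[obj]) for s, row in self._m.items() if row.get(obj)}

    def capabilities(self, subject):
        """Row view: the capability list held by one subject."""
        return {o: set(rs) for o, rs in self._m[subject].items() if rs}

    def delegate(self, grantor, grantee, obj, *rights):
        """DAC: a subject that controls an object may pass access rights on it
        to any other subject. Returns True if the grant was made."""
        if OWN not in self._m[grantor].get(obj, set()):
            return False                      # grantor does not control obj
        if not set(rights) <= RIGHTS:
            return False                      # "own" itself is not delegated here
        self.grant(grantee, obj, *rights)
        return True


def build_demo():
    """Constructed scenario: alice owns two objects and shares one with bob."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", OWN, "read", "write")
    m.grant("alice", "report.txt", OWN, "read", "write", "delete")
    m.grant("bob", "report.txt", "read")
    # alice, at her discretion, passes read on payroll.db to bob
    m.delegate("alice", "bob", "payroll.db", "read")
    return m


if __name__ == "__main__":
    m = build_demo()
    print("ACL of payroll.db:", m.acl("payroll.db"))
    print("bob's capabilities:", m.capabilities("bob"))
    print("bob write payroll.db:", m.check("bob", "payroll.db", "write"))
    # bob holds read but does not control payroll.db, so he cannot pass it on
    print("bob -> carol:", m.delegate("bob", "carol", "payroll.db", "read"))
```

The same matrix answers both the ACL question ("who may touch this object?") and the capability question ("what may this subject touch?"); the two are just different projections of it, which is the point of the Access Control Matrix / ACL / Capability List slides.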
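Worked example for the MAC slides: a label lattice (level plus category set) with the Bell-LaPadula confidentiality rules, the Biba integrity rules, and a combined check in the spirit of the "BLP and Biba together" bullet. This is an added example, not code from the lecture; the level names, the integrity levels, the categories and the sample subject/object labels are constructed for illustration. It goes slightly beyond the slides in using categories as well as levels, so that two labels can be incomparable (neither dominates the other), in which case both reading and writing are denied.

```python
"""Security labels as a lattice, with Bell-LaPadula and Biba rule checks.

Added example; the level orderings, categories and sample entities below
are constructed assumptions, not part of the original slides.
"""
from dataclasses import dataclass

# Confidentiality levels (BLP) and integrity levels (Biba), assumed orderings
CONF = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
INTEG = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Label:
    """A label is a linearly ordered level rank plus a set of categories.
    Labels form a lattice under `dominates`: A dominates B iff A's level is
    at least B's and A's categories include all of B's."""
    rank: int
    categories: frozenset = frozenset()

    def dominates(self, other):
        return self.rank >= other.rank and self.categories >= other.categories

    def join(self, other):
        """Least upper bound in the lattice (the label of combined data)."""
        return Label(max(self.rank, other.rank), self.categories | other.categories)


# Bell-LaPadula (confidentiality): subject = clearance, obj = classification
def blp_read(subject, obj):
    """Simple security property, no read-up: clearance dominates classification."""
    return subject.dominates(obj)

def blp_write(subject, obj):
    """*-property, no write-down: classification dominates clearance."""
    return obj.dominates(subject)

def blp_strong_write(subject, obj):
    """Strong *-property: no write-down and no write-up, i.e. equal labels."""
    return subject == obj


# Biba (integrity): subject = subject integrity, obj = object integrity
def biba_read(subject, obj):
    """Simple integrity axiom, no read-down: object integrity dominates subject's."""
    return obj.dominates(subject)

def biba_write(subject, obj):
    """*-integrity axiom, no write-up: subject integrity dominates object's."""
    return subject.dominates(obj)


@dataclass(frozen=True)
class Entity:
    name: str
    conf: Label    # confidentiality clearance / classification
    integ: Label   # integrity label


def allowed(op, subject, obj):
    """Combined policy: both the BLP rule and the Biba rule must permit op."""
    if op == "read":
        return blp_read(subject.conf, obj.conf) and biba_read(subject.integ, obj.integ)
    if op == "write":
        return blp_write(subject.conf, obj.conf) and biba_write(subject.integ, obj.integ)
    raise ValueError(f"unknown operation {op!r}")


def build_demo():
    """Constructed scenario: an analyst cleared SECRET/{crypto} with HIGH
    integrity, and three objects at different points of the lattices."""
    analyst = Entity("analyst", Label(CONF["SECRET"], frozenset({"crypto"})),
                     Label(INTEG["HIGH"]))
    memo = Entity("memo", Label(CONF["CONFIDENTIAL"]), Label(INTEG["HIGH"]))
    plan = Entity("plan", Label(CONF["TOP_SECRET"]), Label(INTEG["HIGH"]))
    feed = Entity("feed", Label(CONF["SECRET"], frozenset({"crypto"})),
                  Label(INTEG["LOW"]))   # untrusted input at the analyst's level
    return analyst, memo, plan, feed


if __name__ == "__main__":
    analyst, memo, plan, feed = build_demo()
    for obj in (memo, plan, feed):
        for op in ("read", "write"):
            print(f"{analyst.name} {op} {obj.name}: {allowed(op, analyst, obj)}")
```

Note the failure mode the combination creates: the analyst may read the SECRET memo but may not read the low-integrity feed even though BLP alone permits it (Biba forbids reading down), and may write to the TOP_SECRET plan under BLP but not under the strong *-property.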