A Perspective on Graphs and Access Control Models
Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
www.list.gmu.edu
[email protected]
© 2004 Ravi Sandhu


Outline

• A perspective on security

• A perspective on access control

• The safety problem in access control

• Looking ahead

• Discussion


Security Confusion

INTEGRITY: modification
AVAILABILITY: access
CONFIDENTIALITY: disclosure
USAGE: purpose

• electronic commerce, electronic business
• digital rights management, client-side controls


Good enough security

[Figure: triangle with corners EASY, SECURE and COST; labels: Security geeks, Real-world users, System owner]

• whose security
• perception or reality of security

• end users
• operations staff
• help desk

• system cost
• operational cost
• opportunity cost
• cost of fraud

Business models will dominate security models


Good enough security

[Figure: 3×3 grid with axes RISK (H, M, L) and COST (L, M, H); cells numbered 1 to 5; annotations: "Entrepreneurial mindset" and "Academic mindset"]


Access Control Models

Authentication
• who is trying to access a protected resource?

Authorization
• who should be allowed to access which protected resources?
• who should be allowed to change the access?

Enforcement
• how does the system enforce the specified authorization

Figure labels: Access Control Models; Access Control Architecture


The OM-AM Way

[Figure: layers Objectives, Models, Architectures, Mechanisms; side labels "What?", "How?" and "Assurance"]


Access Control Status

• Ten years ago
• Emphasis on
  – Cryptography and intrusion detection
  – Access control relegated to back burner
• Ravi Sandhu, “Access Control: The Neglected Frontier.” Proc. First Australasian Conference on Information Security and Privacy, LNCS, 1996.

• Today
• Strong industry interest
• Growing need
• Growing research


Safety in Access Control

Authentication
• who is trying to access a protected resource?

Authorization
• who should be allowed to access which protected resources?
• who should be allowed to change the access?

Enforcement
• how does the system enforce the specified authorization

Figure labels: Access Control Models; Access Control Architecture; The Safety Problem


The HRU (Harrison-Ruzzo-Ullman) Model, 1976

[Figure: access matrix over U, V, F and G; cell entries "r w", "r w" and "r"]


The HRU (Harrison-Ruzzo-Ullman) Model, 1976

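[Figure: graph with U and F joined by an edge labeled "r, w", V and G joined by an edge labeled "r, w", and one further edge labeled "r"]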



HRU Commands and Operations

• command α(X1, X2, . . ., Xk)
    if r1 in (Xs1, Xo1) and r2 in (Xs2, Xo2) and ri in (Xsi, Xoi)
    then op1; op2; … opn
  end

• enter r into (Xs, Xo)
  delete r from (Xs, Xo)
  create subject Xs
  create object Xo
  destroy subject Xs
  destroy object Xo


HRU as Graph Rules (from Koch et al 2002)


Safety in HRU (late 1970’s)

• Safety Problem: Is there a reachable state with edge labeled z from X to Y?

• Undecidable in general
• HRU unable to find interesting decidable cases.

• Mono-operational: decidable but uninteresting

• Monotonic: undecidable

• Bi-conditional monotonic: undecidable

• Mono-conditional monotonic: decidable but uninteresting
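
The command form from the "HRU Commands and Operations" slide and the safety question above, as an added example (not from the slides): a breadth-first search that decides safety for a system restricted to a fixed set of subjects and objects with only enter and delete, so the state space is finite. The commands `confer_read` and `pass_read`, the right `own`, the subject W and the initial matrix are constructed for illustration.

```python
from itertools import product

# Added example: each command is (name, params, conditions, operations).
# params: "s" = subject, "o" = object, one letter per formal parameter X1..Xk.
# condition (r, i, j) reads "r in (Xi, Xj)"; operation (op, r, i, j) is
# "enter r into (Xi, Xj)" or "delete r from (Xi, Xj)" (0-based indexes).
# Both commands are constructed for illustration.
CONFER_READ = ("confer_read", "sso", [("own", 0, 2)], [("enter", "r", 1, 2)])
PASS_READ = ("pass_read", "sso", [("r", 0, 2)], [("enter", "r", 1, 2)])


def apply_command(matrix, command, args):
    """Run one command; return the new matrix, or None if a condition fails."""
    _, _, conditions, operations = command
    if any((args[i], args[j], r) not in matrix for r, i, j in conditions):
        return None
    cells = set(matrix)
    for op, r, i, j in operations:
        if op == "enter":
            cells.add((args[i], args[j], r))
        elif op == "delete":
            cells.discard((args[i], args[j], r))
        else:  # create/destroy are left out so the state space stays finite
            raise ValueError(f"unsupported primitive operation: {op}")
    return frozenset(cells)


def find_leak(initial, commands, subjects, objects, right, subject, obj):
    """Breadth-first search of reachable matrices for `right` in (subject, obj).

    Returns the shortest witnessing command sequence, or None if the right
    never appears (the system is safe for that right and cell)."""
    domains = {"s": subjects, "o": objects}
    start = frozenset(initial)
    seen, frontier = {start}, [(start, [])]
    while frontier:
        matrix, trace = frontier.pop(0)
        if (subject, obj, right) in matrix:
            return trace
        for command in commands:
            for args in product(*(domains[kind] for kind in command[1])):
                nxt = apply_command(matrix, command, args)
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    frontier.append((nxt, trace + [(command[0], args)]))
    return None


# Constructed initial matrix as (subject, object, right) triples.
INITIAL = {("U", "G", "own"), ("V", "F", "r")}
SUBJECTS, OBJECTS = ["U", "V", "W"], ["F", "G"]
```

With only `confer_read`, `find_leak(INITIAL, [CONFER_READ], SUBJECTS, OBJECTS, "r", "W", "F")` returns `None`; adding `pass_read` yields the one-step witness `pass_read(V, W, F)`.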


The Safety Problem

• HRU 1976:

• “It would be nice if we could provide for protection systems an algorithm which decided safety for a wide class of systems, especially if it included all or most of the systems that people seriously contemplate. Unfortunately, our one result along these lines involves a class of systems called “mono-operational,” which are not terribly realistic. Our attempts to extend these results have not succeeded, and the problem of giving a decision algorithm for a class of protection systems as useful as the LR(k) class is to grammar theory appears very difficult.”

• 2004:
• Considerable progress has been made but much remains to be done and practical application of known results is essentially non-existent.
  – Progress includes: Take-Grant Model (Jones, Lipton, Snyder, Denning, Bishop; late 70’s early 80’s), Schematic Protection Model (Sandhu, 80’s), Typed Access Matrix Model (Sandhu, 1990’s), Graph Transformations (Koch, Mancini, Parisi-Presicce 2000’s)


Safety with Types

• Typed Access Matrix or TAM model (Sandhu 1992)
• Safety is polynomial-decidable for monotonic ternary TAM with acyclic create-graph

• Typed Graphs (Koch et al 2002)
• Safety is decidable for transformations that are either expanding or deleting

• The given algorithm is exponential but actual complexity remains an open question


The Take-Grant Model (late 70’s, early 80’s)

(a) B/t ∈ dom(A): A and B joined by an edge labeled t
(b) B/g ∈ dom(A): A and B joined by an edge labeled g

Original graph representation, late 70’s


The Take-Grant Model (late 70’s, early 80’s)

(a) B/t ∈ dom(A): A and B joined by an edge labeled t
(b) B/g ∈ dom(A): A and B joined by an edge labeled g

Lockman-Minsky representation, 1982


Creation in Take-Grant

(a) The Original View: nodes A and A’, edge labels t, g
(b) The Lockman-Minsky View: nodes A and A’, edge labels t, g


Reversal of Take-Grant Flow: case t

[Figure: nodes A, B and A’; A and B joined by an edge labeled t; further edge labels t, g, g and t]


Reversal of Take-Grant Flow: case g

[Figure: nodes A, B and A’; A and B joined by an edge labeled g; further edge labels t, g, g and "t, g"]


Reversal of Grant-Only Flow

[Figure: nodes A, B and A’; A and B joined by an edge labeled g; further edge labels g, g, g and g]


Non-Reversal of Take-Only Flow

[Figure: nodes A, B and A’; A and B joined by an edge labeled t; further edge labels t, t and t]


Safety in more recent (and practical) models

• RBAC96 (foundation of a new NIST/ANSI/ISO standard)
• Safety is undecidable in general
  – Sandhu, Munawer, Crampton, 1998
• Decidable cases exist
  – Li, Mitchell, Winsborough, Solworth, Sloan, 2000’s

• UCON (Usage Control Models)
• Safety is undecidable in general
• Decidable cases exist
  – Park, Sandhu, Zhang, Parisi-Presicce 2000’s


Looking ahead

• Security lags information technology applications
• Information technology applications are moving extremely rapidly
• The need for decentralized and automatic authorization is growing very rapidly
• The safety problem of access control remains a critical path problem
• Challenges
  – Develop new real-world relevant theory
  – Apply old and new theory
• Can theory of graph transformations help us?


RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)

[Figure: RBAC96 components: USERS, ROLES, PERMISSIONS, SESSIONS, USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, ROLE HIERARCHIES, CONSTRAINTS]


UCON (Usage Control) Models

[Figure: UCON components: Subjects (S), Subject Attributes (ATT(S)), Objects (O), Object Attributes (ATT(O)), Rights (R), Usage Decision, Authorizations (A), Obligations (B), Conditions (C)]

[Figure: timeline Before, Usage, After; Continuity of Decisions: pre, ongoing, N/A; Mutability of Attributes: pre, ongoing, post]