Slide 1

Access control models and policiesAalto University, autumn 2012Tuomas AuraT-110.4206 Information security technologyOutlineAccess controlDiscretionary ACMandatory ACOther AC models2Models and terminology for thinking about security policiesAccess control3Access control (AC)Subjects request actions on objectsAlice wants to read a fileBob wants to update account balanceProcess wants to open a socketAC = authentication + authorizationauthentication = verifying the identity of the subjectauthorization = checking that the subject has the right to perform the requested action on the subject4Reference monitorReference monitor controls access by subjects to objectsGrants or denies access requestsLogs events to audit trailFollows rules set by administrators (i.e. implements a policy)Trusted computing base (TCB) = all system components that need to be trusted to implement access controlSecurity kernel = implementation of reference monitor in an OSBut more about the implementation later; now we are talking about policies5ObjectsSubjectsReference monitorAudit trailAccess rulesAccessrequestsAccess control matrixAccess control matrix is the simplest, most general AC modelM : Subjects Objects P(Actions)Subject S is allowed to request action A on object O iff AM(S,O)

AC matrix represents the protection state of a system6AliceBobProcess 4567Process6789file1.txtread, writereadread, writeappendfile2.txtwriteread--Socket s---open, read, write, closeProtection systemsAC matrix represents the static protection stateDynamic protection systems are more interestingSubjects and AC matrix cells themselves can be objectsAccess to them is also controlled by the matrixProtection state transitionsSubjects may grant and remove access rightsSubjects may create and destroy subjects and objectsEarly research on computer security studied various different theoretical protection systemsSafety question: given an initial state and implementation of transitions, can subject s get the access right r to object o?E.g. HRU model (safety undecidable), take-grant model (safety decidable)Study of protection systems is not so relevant today, but AC matrix is still a useful way to think about access control7Background information if you want to read classic computer security literatureDiscretionary access control8Discretionary access control (DAC)Data owners, usually users, set access rightsSubjects are trusted to make decisions about sharing access rightsUsers decide who is allowed to access their filesUser or process that can read a secret file can also email itDAC is also called identity-based AC: rights are assigned to usersTypical in commercial and consumer systemsThere may be a policy against sharing and access may be audited, but the policy is not enforced technicallyExamples of DAC outside computers:Person with a key can open the door to others; door keys can be shared and copiedTell your friend a secret on the condition that he does not tell it to anyone else 9Access control list (ACL)ACL = list of the access rights associated with an objectACLs are another way to represent the AC matrix: one row of the matrix is stored for each objectfile1.txt ACL:Alice: { read, write }; Bob: { read }; Process 4567: { read, write }; Process 6789: { append }.file2.txt ACL:Alice: { write }; Bob: { read }.Socket s ACL:Process 6789: { open, read, write, close }.ACL examples:Key cards, table reservations, Windows file system10CapabilitiesCapability = an access right associated with the subjectCapabilities are another way to represent the AC matrix: one column is stored for each subjectAlices capabilities:file1.txt: { read, write }; file2.txt: { write }.Bobs capabilities:file1.txt: { read }; file2.txt: { read }.Process 4567 capabilities:file1.txt: { read, write }.Process 6789 capabilities:file1.txt: { append }; Socket s: {open, read, write, close }.Examples of capabilities:metal keys, drivers license, parking permit11Mandatory access control12Mandatory access control (MAC)Access rights are based on rules (i.e. policy) set by administrationThe AC policy is enforced and cannot be changed by usersSubjects cannot leak access rights to othersUser can read a secret file but cannot copy, print or email; file viewer application prevents cut-and-paste and screen shots One process can access the Internet, another write files to the disk, neither is allowed to do bothMAC is also called rule-based ACMAC originates from military policiesIntelligence officer may not be allowed to read his own reportsOfficer can read a secret plan but cannot take a copy out of the roomOfficer who has had contact with foreign agents may lose access to classified information13Mandatory access control (MAC)MAC has some uses in commercial systemsDRM: Alice can play the music she has purchased, but cannot share itMalware isolation: Host firewall may block potential spyware from making outbound connections to prevent information leaksExamples of MAC-like policies outside computers:Biometric authentication prevents sharing of capabilities, e.g. photo on drivers license or signature on credit cardAdmit-one event tickets: UV stamps, shredding braceletsIn UK, jurors must not read newspapers or watch TV about the case so that they are not influenced by them 14Clearance and classificationMandatory access control rules are often based on security labels on subjects and objectsSubject clearance Object classification l : (Subjects Objects)LabelsMAC based on clearance and classification levels is also called multi-level security (MLS)Simple security property: S can read O iff l(S) l(O)15Top secretSecretConfidentialUnclassifiedHighLowMulti-level securityLabels depend on the organization but should form a lattice Labels, (i.e. a partial order with join and meet operations) Example. military security labelsLevels: top secret > secret > confidential > unclassifiedCategories = { army, navy, air force }Labels = Levels P(Categories)Domination relation: ifflevel1 level2 and categories1 categories2Theoretical publications often consider only two labels: high > lowHow to define labels for commercial systems?

1617Top secret, army & navyTop secret, armyTop secret, navyTop secret, Secret, army & navySecret, armySecret, navySecret, Classified, army & navyClassified, armyClassified, navyClassified, UnclassifiedLattice exampleLabels Finnish governmentMinistry of finance confidentiality classification: http://www.vm.fi/vm/fi/04_julkaisut_ja_asiakirjat/03_muut_asiakirjat/6206_fi.pdf Not a lattice, though

18

Kytss mys:Bell-LaPadula modelBell-LaPadula (BLP) is a MAC policy for protecting secretsMilitary security model for computers; military is mostly concerned with protecting secretsObservation: the simple security property is not sufficient to prevent secrets from leaking Bell-LaPadula rules:Simple security property: S can read O iff l(S) l(O)*-property: S can write O iff l(O) l(S)Also called: no read up, no write down19Biba modelIn computer systems, integrity of data and the system is often more important than confidentialityWhich is more important in a bank IT systems?Biba is a MAC policy for protecting integrity of dataBiba rules:S can write O iff l(S) l(O)S can read O iff l(O) l(S)Also called: no write up, no read down20Biba examplesIntegrity policies in commercial computer systems:Web application open in the browser should not write to the file system Type safety should prevent communication between Java or .Net applications running in the same runtime environmentVirtual machines running in the same host are isolated from each other

21Information flow securityBLP and Biba are information flow policiesBLP prevents flow of information from high to lowBiba prevents flow if information from low to highInformation flow policies are the basis for many security proofs. Typical proofs show non-interference:view of one subject is not affected by the data of the otherlow output does not depend on high input, orhigh output does not depend on low input

How to use BLP and Biba in the same system?22Systemhigh inputhigh outputlow inputlow outputHigh water mark, low water markHow to classify an object that is created combining low and high information? High water mark policy for secrecy: always set the classification to the highest input Low water mark policy for integrity: always set the classification if to the lowest inputProblem:Over time, all documents will become top secret with the lowest integrity level

23Upgrading and downgradingUpgrading, downgrading:In practice, security levels need to be changed by humansE.g. downgrading documents for publicationE.g. upgrading intelligence reports that aggregate a lot of low-level dataDocuments may need to be sanitized i.e. redacted before downgradingE.g. removing personal names from military documents before publicationSanitization may be difficultE.g. US military painting black box over text in PDF;AOL publishing anonymized web search dataHigh subjects can use covert channels to leak data intentionally, e.g. hide data in photos

24Other access control models25Clark-Wilson modelData integrity cannot always be expressed in terms of MLS, i.e. who has access to what dataE.g. transfers between bank accounts must not change the total balanceIntegrity in many commercial systems depends on following the correct proceduresClark-Wilson model defines rules for commercial systems for how to maintain data integrity:Transactions must transform data items from a consistent state to another consistent stateAuditing and procedural controls to enforce this(The specific rules could be different in each system)Clark-Wilson model has not really been implemented; it is important because of the idea of using accounting rules as a model for security policy26Chinese Wall modelConflicts of interest are common in business:Consulting company, investment bank, or law office may be advising competing clients and must keep their information separateThe clients are assigned to different employees who do not speak to each otherTo avoid conflicts of interest, the access control policy must take into account the information previously accessed by the subjectChinese Wall model:If subject S has previously accessed an object O1 and the objects O1 and O2 are in a conflict of interest, then S may not access O2 Subject can fall to either side of the wall but cannot change sides later27Separation of dutyChinese Wall is an example of separation of dutyOther separation of duty policies:Expense claim requires two signatures: the claimant and an authorized approver, e.g. department manager; one person cannot act in both roles for the same expense claimAuditors are often required to be from outside the companySome safes have two locks, and the keys are given to two different personsLecturers issue grades to students but only study office staff can enter them into the study registerUnlike BLP and Biba, separation of duty policies are stateful28Groups and rolesAdding structure to policiesGroup = set of subjectsE.g. Administrators, T-110.4206-studentsObject ACL can list groups in addition to individual usersBoth group membership and ACLs change over timeRole = set of permissions (i.e. permitted actions on objects)E.g. Administrator, T-110.4206-teacher, SCI-professorRoles are usually relatively static; their assignment to users changesBoth are forms of indirection

29Objects x ActionsSubjectsRoles or groups****Role-based access control (RBAC)NIST standardModeling high-level roles in an organizationE.g. Doctor, Nurse, Student, Lecturer, Course-assistantRoles defined once; changed infrequentlyRoles may be parameterized E.g. Treating doctor of Mr. Smith, Lecturer or Student of T-110.4206 Roles may form a hierarchy with inheritanceRoles are assigned to users for longer term but activated on demand for each sessionConstraints on role assignment and activation can implement separation of duty30

31Example: University of Turku has implemented identity management based on RBAC. Source: http://www.come.uw.edu.pl/eunis/pandp/paper/kmiika_RBAC-In-Prodution.doc Other access control modelsOriginator-controlled AC (ORCON)Creator of data retains control over access to itAttribute-based ACAccess control is based in subject attributes instead of subject identityAC = attribute verification + authorizationE.g. need to be 18 to buy tobacco; need to be an Aalto student to access course materialEnables anonymous accessDouble-blinded review for scientific journalsMany other AC models have been proposed32Why study these AC models?Abstract models help to see the similarities between different products and implementations E.g. how many different user interfaces have you seen that implement an ACL?They also help to understand the expressiveness and limitations of the technologiesE.g. a stateless AC system cannot implement separation of duty, while one separation-of-duty policy can often be used to implement othersSome models presented in this lecture are unrealistic! Nevertheless, they can be useful as tools for thinking about security policies

33Reading materialDieter Gollmann: Computer Security, 2nd ed., chapters 4, 8, 9; 3rd ed. chapters 56Edward Amoroso: Fundamentals of Computer Security Technology, chapters 6-13 Ross Anderson: Security Engineering, 2nd ed., chapter 8Swiderski and Snyder, Threat modeling, 200434ExercisesWhat are the subjects, object and actions in Noppa?Can you think of security mechanisms outside computers which would need MAC but actually implement DAC?What security labels and MAC policy would be suitable for Noppa?Give examples of systems that require confidentiality or integrity but not both.Which AC model and what kind of security labels could be used to describe virtual machine isolation? What label would be hypervisor or VM monitor get?Could you define different confidentiality labels and integrity labels and then use both Bell-LaPadula and Biba policies in the same system? Give an example.Define RBAC roles that could be used in the implementations of Noppa.To what extent can your RBAC policy (above) be implemented with groups? 35