© 2004 Ravi Sandhu, www.list.gmu.edu
Cyber-Identity, Authority and Trust in an Uncertain World
Prof. Ravi Sandhu, Laboratory for Information Security Technology
George Mason University
www.list.gmu.edu
Outline
• Perspective on security
• Role Based Access Control (RBAC)
• Objective Model-Architecture Mechanism (OM-AM) Framework
• Usage Control (UCON)
• Discussion
PERSPECTIVE
Security Conundrum
• Nobody knows WHAT security is
• Some of us do know HOW to implement pieces of it
Result: hammers in search of nails
Security Confusion
Figure: the four security properties paired with the concern each addresses: INTEGRITY (modification), AVAILABILITY (access), CONFIDENTIALITY (disclosure), USAGE (purpose)
• electronic commerce, electronic business
• DRM, client-side controls
Security Successes
• On-line banking
• On-line trading
• Automatic teller machines (ATMs)
• GSM phones
• Set-top boxes
• …………………….
Success is largely unrecognized by the security community
Good enough security
• Exceeding good enough is not good
  • You will pay a price in user convenience, ease of operation, cost, performance, availability, …
  • There is no such thing as free security
• Determining good enough is hard
  • Necessarily a moving target
Good enough security
Figure: a triangle with corners EASY, SECURE and COST; security geeks, real-world users and the system owner each pull toward a different corner.
• SECURE: whose security; perception or reality of security
• EASY: end users, operations staff, help desk
• COST: system cost, operational cost, opportunity cost, cost of fraud
Business models dominate security models
Good enough security
• In many cases good enough is achievable at a pretty low threshold
  • The “entrepreneurial” mindset
• In extreme cases good enough will require a painfully high threshold
  • The “academic” mindset
Good enough security
Figure: a 3x3 grid of RISK (L, M, H) against COST (L, M, H); the cells are numbered 1 to 5, and the entrepreneurial mindset and the academic mindset occupy different regions of the grid.
ROLE-BASED ACCESS CONTROL (RBAC)
MAC, DAC and RBAC
• For 25 years (1971-96) access control was divided into
  • Mandatory Access Control (MAC)
  • Discretionary Access Control (DAC)
• Since the early-mid 1990s Role-Based Access Control (RBAC) has become a dominant force
  • RBAC subsumes MAC and DAC
• RBAC is not the “final” answer BUT is a critical piece of the “final” answer
Mandatory Access Control (MAC)
Figure: a lattice of security labels TS (Top Secret), S (Secret), C (Confidential), U (Unclassified); dominance runs from TS down to U, and information flow is permitted only upward in the lattice.
Rights are determined by security labels (Bell-LaPadula 1971)
Discretionary Access Control (DAC)
• The owner of a resource determines access to that resource
  • The owner is often the creator of the resource
• Fails to distinguish read from copy
  • This distinction has re-emerged recently under the name Dissemination Control (DCON)
RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)
Figure: USERS are mapped to ROLES by USER-ROLE ASSIGNMENT and PERMISSIONS to ROLES by PERMISSION-ROLE ASSIGNMENT; SESSIONS are opened by users and activate a subset of their roles; ROLE HIERARCHIES and CONSTRAINTS apply across the model.
RBAC SECURITY PRINCIPLES
• least privilege
• separation of duties
• separation of administration and access
• abstract operations
HIERARCHICAL ROLES
Figure: example role hierarchy in which Physician specializes Health-Care Provider, and Primary-Care Physician and Specialist Physician both specialize Physician (a senior role inherits the permissions of its juniors).
Fundamental Theorem of RBAC
• RBAC can be configured to do MAC
• RBAC can be configured to do DAC
RBAC is policy neutral
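As an added example, not part of the slides: a minimal RBAC96-style engine (role hierarchy, permission-role and user-role assignment) configured with a read-role/write-role construction so that it enforces a Bell-LaPadula lattice, which makes the "RBAC can be configured to do MAC" claim concrete. The slides assert the result but not this construction, which is assumed here; class, function and object names are illustrative.

```python
from itertools import product

LEVELS = ["U", "C", "S", "TS"]   # Unclassified < Confidential < Secret < Top Secret

def dominates(a, b):             # label a dominates label b
    return LEVELS.index(a) >= LEVELS.index(b)

class RBAC:
    """Minimal RBAC96 core: role hierarchy, permission-role and user-role assignment."""
    def __init__(self):
        self.juniors = {}      # role -> roles it directly inherits from
        self.perms = {}        # role -> set of (operation, object)
        self.user_roles = {}   # user -> roles assigned directly
    def add_role(self, role, juniors=()):
        self.juniors[role] = set(juniors)
        self.perms[role] = set()
    def inherited(self, role):   # transitive closure below `role`, itself included
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r); stack.extend(self.juniors[r])
        return seen
    def authorized(self, user, op, obj):
        return any((op, obj) in self.perms[j]
                   for r in self.user_roles.get(user, ())
                   for j in self.inherited(r))

def lattice_rbac(objects):
    """Read roles inherit downward (TSR > SR > CR > UR), write roles inherit
    upward (UW > CW > SW > TSW). objects: object name -> label (constructed)."""
    rbac = RBAC()
    for i, x in enumerate(LEVELS):
        rbac.add_role(x + "R", [LEVELS[i - 1] + "R"] if i > 0 else [])
        rbac.add_role(x + "W", [LEVELS[i + 1] + "W"] if i + 1 < len(LEVELS) else [])
    for obj, label in objects.items():
        rbac.perms[label + "R"].add(("read", obj))
        rbac.perms[label + "W"].add(("write", obj))
    return rbac

def clear_user(rbac, user, level):   # a user cleared at `level` gets levelR and levelW
    rbac.user_roles[user] = {level + "R", level + "W"}

def matches_blp(rbac, objects):
    """True iff RBAC grants exactly what Bell-LaPadula would for every clearance."""
    for level, (obj, olabel) in product(LEVELS, objects.items()):
        clear_user(rbac, "probe", level)
        if (rbac.authorized("probe", "read", obj) != dominates(level, olabel)
                or rbac.authorized("probe", "write", obj) != dominates(olabel, level)):
            return False
    return True
```

`matches_blp` is the check a practitioner would keep in a test suite: it re-derives the MAC decision independently and confirms the role configuration never grants more or less than the lattice does.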
OM-AM (Objective/Model Architecture/Mechanism) Framework
THE OM-AM WAY
Figure: four layers running from What? to How?: Objectives, Model, Architecture, Mechanism, with Assurance spanning all of them.
LAYERS AND LAYERS
• Multics rings
• Layered abstractions
• Waterfall model
• Network protocol stacks
• Napoleon layers
• RoFi layers
• OM-AM
• etcetera
OM-AM AND MANDATORY ACCESS CONTROL (MAC)
What? to How?:
Objective: No information leakage
Model: Lattices (Bell-LaPadula)
Architecture: Security kernel
Mechanism: Security labels
Assurance spans all four layers
OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)
What? to How?:
Objective: Owner-based discretion
Model: numerous
Architecture: numerous
Mechanism: ACLs, Capabilities, etc.
Assurance spans all four layers
OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)
What? to How?:
Objective: Objective neutral
Model: RBAC96, ARBAC97, etc.
Architecture: user-pull, server-pull, etc.
Mechanism: certificates, tickets, PACs, etc.
Assurance spans all four layers
RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)
Figure: the RBAC96 diagram again (USERS, ROLES, PERMISSIONS with USER-ROLE ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT, SESSIONS, ROLE HIERARCHIES, CONSTRAINTS), shown here as the model layer for the architectures that follow.
Server-Pull Architecture
Figure: Client, Server and a User-role Authorization Server; in server-pull the Server obtains the user's role information from the User-role Authorization Server.
User-Pull Architecture
Figure: Client, Server and a User-role Authorization Server; in user-pull the Client obtains its role information from the User-role Authorization Server and presents it to the Server.
Proxy-Based Architecture
Figure: Client, Proxy Server, Server and a User-role Authorization Server; the Proxy Server sits between Client and Server and interacts with the User-role Authorization Server on the client's behalf.
USAGE CONTROL (UCON)
The UCON Vision: A unified model
• Traditional access control models are not adequate for today’s distributed, network-connected digital environment.
  • Authorization only – No obligation or condition based control
  • Decision is made before access – No ongoing control
  • No consumable rights – No mutable attributes
  • Rights are pre-defined and granted to subjects
OM-AM layered Approach
OM-AM Framework (What? to How?)   Usage Control System
Objective                         Policy Neutral
Model                             ABC model
Architecture                      CRM/SRM, CDID architectures
Mechanism                         DRM technologies, certificates, etc.
Assurance spans all four layers
Prior Work
• Problem-specific enhancement to traditional access control
  • Digital Rights Management (DRM)
    – mainly focus on intellectual property rights protection
    – Architecture and Mechanism level studies, functional specification languages
    – Lack of access control model
  • Trust Management
    – Authorization for strangers’ access based on credentials
Prior Work
• Incrementally enhanced models
  • Provisional authorization [Kudo & Hada, 2000]
  • EACL [Ryutov & Neuman, 2001]
  • Task-based Access Control [Thomas & Sandhu, 1997]
  • Ponder [Damianou et al., 2001]
Usage Control (UCON) Coverage
Protection Objectives
• Sensitive information protection
• IPR protection
• Privacy protection
Protection Architectures
• Server-side reference monitor (SRM)
• Client-side reference monitor (CRM)
• Both SRM and CRM
Figure: a grid of protection objectives (Sensitive Information Protection, Intellectual Property Rights Protection, Privacy Protection) against architectures (SRM, CRM, SRM & CRM); Traditional Access Control, Trust Management and DRM each cover part of the grid, while Usage Control covers the whole of it.
Core UCON (Usage Control) Models
Figure: Subjects (S) with Subject Attributes (ATT(S)) and Objects (O) with Object Attributes (ATT(O)) feed a Usage Decision about Rights (R); the decision factors are Authorizations (A), Obligations (B) and Conditions (C); decisions are made pre, ongoing or post (continuity of decisions), and attributes can be updated (mutability of attributes).
Examples
• Long-distance phone (pre-authorization with post-update)
• Pre-paid phone card (ongoing-authorization with ongoing-update)
• Pay-per-view (pre-authorization with pre-updates)
• Click Ad within every 30 minutes (ongoing-obligation with ongoing-updates)
• Business Hour (pre-/ongoing-condition)
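An added example that is not from the slides: a toy UCON core engine whose usage loop separates the pre-decision, the ongoing decision and the attribute updates, run over two of the examples above (pre-paid phone card: ongoing-authorization with ongoing-update; long-distance phone: pre-authorization with post-update). The class and function names, rates and balances are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Entity:                 # a UCON subject or object; attrs is the mutable ATT(S) / ATT(O)
    name: str
    attrs: dict = field(default_factory=dict)

@dataclass
class Policy:
    """Decision factors evaluated before (pre) and during (ongoing) access,
    plus the attribute updates that make the model mutable."""
    pre: Callable = lambda s, o: True
    ongoing: Callable = lambda s, o: True
    on_update: Callable = lambda s, o: None
    post_update: Callable = lambda s, o, used: None

def use(policy, subj, obj, requested):
    """Attempt a usage of `requested` time units; returns (granted, units_completed)."""
    if not policy.pre(subj, obj):                  # decision made before access
        return False, 0
    used = 0
    while used < requested:
        if not policy.ongoing(subj, obj):          # continuity: re-decided during use
            break                                  # ongoing access is revoked
        policy.on_update(subj, obj)                # mutability: update during use
        used += 1
    policy.post_update(subj, obj, used)            # update after access ends
    return True, used

# Pre-paid phone card: ongoing-authorization on remaining credit, ongoing-update per unit
def deduct_credit(s, o):
    s.attrs["credit"] -= o.attrs["rate"]
PREPAID = Policy(ongoing=lambda s, o: s.attrs["credit"] >= o.attrs["rate"],
                 on_update=deduct_credit)

# Long-distance phone: pre-authorization on account standing, post-update bills the call
def bill(s, o, used):
    s.attrs["balance"] -= used * o.attrs["rate"]
LONG_DISTANCE = Policy(pre=lambda s, o: s.attrs["balance"] >= 0, post_update=bill)

def demo():
    caller = Entity("alice", {"credit": 3, "balance": 10})   # constructed values
    line = Entity("intl-line", {"rate": 1})
    prepaid = use(PREPAID, caller, line, 5)          # (True, 3): cut off at zero credit
    billed = use(LONG_DISTANCE, caller, line, 4)     # (True, 4): balance 10 -> 6
    return prepaid, billed, dict(caller.attrs)
```

The pre-paid call is granted but revoked mid-use once credit is exhausted, which a pre-only model cannot express; the long-distance call is decided once up front and its attribute update happens only after the usage ends.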
Beyond the UCON Core Models
Figure: Objects (O) related to Consumer Subjects (CS), Provider Subjects (PS) and Identifiee Subjects (IS) through usage control, covering both serial usage controls and parallel usage controls.
UCON Architectures
• We narrow down our focus so we can discuss in detail how UCON can be realized at the architecture level
  • Sensitive information protection X CRM
• First systematic study of generalized security architectures for digital information dissemination
• Architectures can be extended to include payment function
Figure: the coverage grid again (objectives: Sensitive Information Protection, Intellectual Property Rights Protection, Privacy Protection; architectures: SRM, CRM, SRM & CRM; with Traditional Access Control, Trust Management and DRM), with UCON Architectures highlighted in the Sensitive Information Protection X CRM cell.
Three Factors of Security Architectures
• Virtual Machine (VM)
  • runs on top of a vulnerable computing environment and has control functions
  • Additional assurance will come with emerging hardware support
• Control Set (CS)
  • A list of access rights and usage rules
  • Fixed, embedded, and external control set
• Distribution Style
  • Message Push (MP), External Repository (ER) style
Architecture Taxonomy
VM: Virtual Machine
CS: Control Set
MP: Message Push
ER: External Repository
NC1: No control architecture w/ MP
NC2: No control architecture w/ ER
FC1: Fixed control architecture w/ MP
FC2: Fixed control architecture w/ ER
EC1: Embedded control architecture w/ MP
EC2: Embedded control architecture w/ ER
XC1: External control architecture w/ MP
XC2: External control architecture w/ ER

                w/o VM      w/ VM
                            Fixed CS    Embedded CS    External CS
MP              NC1         FC1         EC1            XC1
ER              NC2         FC2         EC2            XC2
DISCUSSION
THE OM-AM WAY
Figure: the four OM-AM layers again, from What? to How?: Objectives, Model, Architecture, Mechanism, with Assurance spanning all of them.
Good enough security
Figure: the RISK (L, M, H) against COST (L, M, H) grid again, cells numbered 1 to 5, with the entrepreneurial mindset and the academic mindset in different regions of the grid.