FRAC: Implementing Role-Based Access Control for Network File Systems

Aniruddha Bohra, Stephen Smaldone, and Liviu Iftode
Department of Computer Science, Rutgers University
{bohra,smaldone,iftode}@cs.rutgers.edu


Motivation

[Figure: User A's role depends on the time of day. Labels: Time < 5 PM, Time > 5 PM; User A: Developer; User A: Programmer; Shell scripts, cron jobs, Manual. Groups: Developers, Programmers. Users: A, B, C, D.]

File F : { Developers, !Programmers }

File F : { User B, User C }


Role-Based Access Control (RBAC)

[Figure: Users, Roles, Perms. Example labels: User A, Users 1.]

         READ      WRITE     DELETE
ALLOW    Users 1   Users 2   Devs
LOG      Progs     Progs     Progs
ALARM    Threat    Threat    Threat

[Figure: Role Hierarchy. Roles: Users 2, Devs, Users 1, Progs.]


Benefits of RBAC

• Policy Specification
  – Administrators define system-wide access control policies
  – Users may query and update portions of the access control system state
  – Simplified sharing and protection

• Role Management
  – Role Hierarchy: Inheritance
  – Static Separation of Duties (SSD)

• Session Management
  – Dynamic User to Role Mapping
  – Dynamic Separation of Duties (DSD)

• Centralized Access Control Policy Enforcement
  – Enforcement of Principle of Least Privilege (POLP)
  – Verifiability of policy enforcement: auditing


RBAC for Network File Systems?

[Figure: two arrangements of an FS Client and a File Server.
 1. FS Protocol Modifications: Interface changes, Application changes…
 2. External Authority. Labels: Access Control Decisions, AC Policy Changes; User AC Policy Changes require user agent.]


FRAC: Network File System RBAC in a Middlebox

[Figure: FS Client, Middlebox (FRAC), File Server, connected by the Standard FS Protocol. Labels: Access Control Decisions, AC Policy Changes, VCN.]

Virtual Control Namespace (VCN)

• Maintained at FRAC and Accessed by Client
• Query State of AC System = FS READ
• Update Permissions and AC Policies = FS WRITE


Outline

• Introduction
• Design and Implementation
  – Background
  – Permission Evaluation in FRAC
  – Enforcing Principle of Least Privilege
  – Virtual Control Namespace (VCN)
• Evaluation
• Related Work
• Conclusions


Design Requirements

• Middlebox to Enforce RBAC Policies
  – Interpose and transform messages
  – Understand file system semantics
  – Store policies and maintain state
  – Evaluate and enforce file system access control policies

• Virtual Control Namespace
  – Enable users to query and owners to update the access control policy
  – Virtualize file system objects
  – Handle file system operations for virtual objects


Background: FileWall

FileWall: A Firewall for Network File System, S. Smaldone, A. Bohra, and L. Iftode. To appear in the Proceedings of the 3rd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07)

[Figure: FileWall sits between the FS Client and the File Server. Components: Scheduler, Forwarder, Access Context, FileWall Policy, Request Handler.]


Permission Evaluation in FRAC

[Figure: FS Client, FRAC, File Server. FRAC components: Scheduler, Forwarder, Access Context, AC Matrix. Labels: Time; Time > 5 PM ? ALLOW; DENY.]


Enforcing Principle of Least Privilege

FS Request
  File Handle = V0
  UserID = U0
  GroupID = G0
  Op = READ

Access Context

  SessionID    {Active Roles}
  (U0, G0)     Progs

  VFH    FH    AC Matrix
  V0     F0    (READ, Users1)

[Figure: Role Hierarchy. Labels: Users 2, Devs, Users 1, Progs, Users 1.]
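
The lookup on this slide, written out as an added example (not code from the FRAC prototype): the request's (UserID, GroupID) selects the session's active roles, the virtual handle selects the real handle and AC matrix row, and only the active roles count toward the decision. The inheritance edges in `INHERITS`, the WRITE and DELETE entries, and all function names are assumptions made for this sketch.

```python
from dataclasses import dataclass

# Assumed hierarchy (the figure's edges did not survive): role -> roles it inherits.
INHERITS = {"Users1": [], "Users2": ["Users1"], "Devs": ["Users2"], "Progs": ["Users1"]}

# Access context with the slide's sample values; WRITE and DELETE rows are
# constructed from the ALLOW row of the RBAC matrix slide.
SESSIONS = {("U0", "G0"): {"Progs"}}  # session id -> active roles
VFH_TABLE = {"V0": ("F0", {"READ": "Users1", "WRITE": "Users2", "DELETE": "Devs"})}


@dataclass(frozen=True)
class Request:
    file_handle: str
    uid: str
    gid: str
    op: str


def effective_roles(active):
    """Active roles plus every role they inherit through the hierarchy."""
    seen, stack = set(), list(active)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(INHERITS.get(role, []))
    return seen


def evaluate(req):
    """Return (decision, real handle); anything not explicitly allowed is denied."""
    active = SESSIONS.get((req.uid, req.gid), set())
    entry = VFH_TABLE.get(req.file_handle)
    if entry is None:
        return ("DENY", None)
    real_fh, matrix = entry
    required = matrix.get(req.op)
    if required is not None and required in effective_roles(active):
        return ("ALLOW", real_fh)  # forwarded to the server under the real handle
    return ("DENY", None)


def activate_role(uid, gid, role, assigned):
    """Add a role to the session only if the user is assigned to it."""
    if role not in assigned.get(uid, set()):
        return False
    SESSIONS.setdefault((uid, gid), set()).add(role)
    return True
```

A user assigned to both Progs and Devs still cannot DELETE while only Progs is active; the Devs role has to be activated in the session first.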


Virtual Control Namespace (VCN)

[Figure: namespace tree. Labels: Root, VCN, Session, Shadow, Mirrored FS Namespace, FILE METADATA, AC MATRIX, Shadow File Contents.]

• Active Roles
• User -> Role Mappings
• Session Control Interface


VCN Challenges

• Creation of virtual objects
  – Must create file identifiers for virtual objects
  – Must avoid file identifier collisions between virtual and real objects
  – Provide virtual identifiers for all objects and store mappings

• Introduce virtual objects in existing namespace
  – Create virtual namespace under root of real namespace
  – Must modify namespace operations (e.g., READDIR, LOOKUP, etc.) to “splice” in virtual namespace

• Handle file system operations to virtual objects
  – Need to distinguish accesses to virtual objects from those for real objects
  – Demultiplex based on virtual identifier to real identifier mappings


VCN in FRAC

[Figure: FS Client, FRAC, File Server. FRAC components: Scheduler, Forwarder, Access Context, VCN Handler, VFH -> FH Map. Namespaces shown: home, VCN, bob and home, bob. Labels: To Server, To Client.]
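
The three VCN challenges and the VFH -> FH map on this slide, as an added sketch (not code from the FRAC prototype): every object gets a virtual handle so real and virtual identifiers cannot collide, the root READDIR reply gains a VCN entry, and requests are demultiplexed on the stored mapping. Class, function and handle names are assumptions, and the server replies are constructed sample data.

```python
import secrets

VCN_NAME = "VCN"  # name of the virtual directory spliced under the root


class HandleTable:
    """Issues a virtual file handle (VFH) for every object and stores the mapping."""

    def __init__(self):
        self._by_vfh = {}     # vfh -> ("real", server_fh) or ("virtual", vcn_path)
        self._by_target = {}  # reverse map: one object always gets the same vfh

    def issue(self, kind, target):
        key = (kind, target)
        if key not in self._by_target:
            vfh = secrets.token_hex(16)
            while vfh in self._by_vfh:  # never hand out a handle twice
                vfh = secrets.token_hex(16)
            self._by_vfh[vfh] = key
            self._by_target[key] = vfh
        return self._by_target[key]

    def resolve(self, vfh):
        return self._by_vfh.get(vfh)  # None for handles this table never issued


def readdir_reply(table, dir_vfh, root_vfh, server_entries):
    """Rewrite a server READDIR reply: real handles become VFHs, root gains VCN."""
    out = [(name, table.issue("real", fh)) for name, fh in server_entries]
    if dir_vfh == root_vfh:
        out.append((VCN_NAME, table.issue("virtual", "/" + VCN_NAME)))
    return out


def dispatch(table, vfh):
    """Demultiplex on the stored mapping: VCN handler or forward to the server."""
    target = table.resolve(vfh)
    if target is None:
        return ("reject", None)
    kind, where = target
    if kind == "virtual":
        return ("vcn_handler", where)
    return ("to_server", where)
```

Because the client only ever holds handles the table issued, a raw server handle presented directly is rejected rather than forwarded.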


Prototype Implementation

• Network middlebox
  – FRAC implemented as a FileWall policy module
  – Implements RBAC for NFSv3 protocol
  – Direct access limited only to administrators

• Access Context
  – Berkeley DB: An open source database

• Policy specification
  – Static configuration using XACML
  – Updates supported through VCN for users


Outline

• Introduction
• Design and Implementation
• Evaluation
• Related Work
• Conclusions


Evaluation

• Roles
  – Arranged as linear chain: highest to lowest privilege level
  – Session starts with a role at head of chain (worst case)

• Setup
  – Systems: Dell PowerEdge 2600 SMP systems, 2.4 GHz Xeon II CPU, 2 GB RAM, running Linux 2.6
  – Microbenchmark: User-level RPC client
  – Application Benchmark: OpenSSH compilation


Results - Microbenchmark

Worst case overhead is low!

[Figure: bar chart of Response Latency (msec), axis 0 to 700, for getattr, lookup, access, read, write, readdir. Series: NFS, FRAC-5, FRAC-50.]


Results - OpenSSH Compilation

Most expensive data phases have small (<10% & < 15%) overheads!

[Figure: bar chart of Time (sec), axis 0 to 80, for untar, configure, compile, install, remove. Series: NFS, FRAC-5, FRAC-50.]


Related Work

• RBAC Model
  – RBAC Standards [Ferraiolo’01, ANSI/INCITS’04]

• RBAC for Network File Systems
  – Protocol Modifications [Gustaffson’97]
  – Agent-Based Systems [He’05]

• Virtual and Programmable Namespaces
  – Plan 9 [Pike’93]
  – Semantic File Systems [Sheldon’91]


Conclusions and Future Work

• FRAC: RBAC for network file systems using a middlebox (FileWall)
  – Requires no client or server modifications
  – Virtual Control Namespace eliminates use of specialized agents
  – Low overheads: < 15% overhead for up to 50 roles

• Future Work:
  – Language for Specification and Verification of policies
  – Continuous Monitoring of network file system accesses


Thank You!

Questions?