A Perspective on Graphs and Access Control Models

Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
www.list.gmu.edu

© 2004 Ravi Sandhu

Mar 26, 2015


Jeremiah Snyder

Outline

• A perspective on security

• A perspective on access control

• The safety problem in access control

• Looking ahead

• Discussion


Security Confusion

INTEGRITY: modification

AVAILABILITY: access

CONFIDENTIALITY: disclosure

USAGE: purpose

• electronic commerce, electronic business
• digital rights management, client-side controls


Good enough security

[Figure: trade-off among EASY, SECURE and COST; labels: Security geeks, Real-world users, System owner]

• whose security
• perception or reality of security

• end users
• operations staff
• help desk

• system cost
• operational cost
• opportunity cost
• cost of fraud

Business models will dominate security models


Good enough security

[Figure: 3×3 grid of RISK against COST, each rated L / M / H, with cells numbered 1 to 5; annotations: Entrepreneurial mindset, Academic mindset]


Access Control Models

Authentication
• who is trying to access a protected resource?

Authorization
• who should be allowed to access which protected resources?
• who should be allowed to change the access?

Enforcement
• how does the system enforce the specified authorization?

[Figure labels: Access Control Models, Access Control Architecture]


The OM-AM Way

Objectives

Models

Architectures

Mechanisms

What?

How?

Assurance


Access Control Status

• Ten years ago
  • Emphasis on
    – Cryptography and intrusion detection
    – Access control relegated to back burner
  • Ravi Sandhu, “Access Control: The Neglected Frontier.” Proc. First Australasian Conference on Information Security and Privacy, LNCS, 1996.

• Today
  • Strong industry interest
  • Growing need
  • Growing research


Safety in Access Control

Authentication
• who is trying to access a protected resource?

Authorization
• who should be allowed to access which protected resources?
• who should be allowed to change the access?

Enforcement
• how does the system enforce the specified authorization?

[Figure labels: Access Control Models, Access Control Architecture]

The Safety Problem


The HRU (Harrison-Ruzzo-Ullman) Model, 1976

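[Figure: access matrix with subjects U and V as rows and objects F and G as columns; the cell entries are the rights r and w]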


The HRU (Harrison-Ruzzo-Ullman) Model, 1976

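[Figure: the access matrix drawn as a graph, with an edge labelled r, w from U to F, an edge labelled r, w from V to G, and one further edge labelled r]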


HRU Commands and Operations

• command α(X1, X2, . . ., Xk)
    if r1 in (Xs1, Xo1) and r2 in (Xs2, Xo2) and ri in (Xsi, Xoi)
    then op1; op2; … opn
  end

• enter r into (Xs, Xo)
  delete r from (Xs, Xo)
  create subject Xs
  create object Xo
  destroy subject Xs
  destroy object Xo


HRU as Graph Rules (from Koch et al 2002)


Safety in HRU (late 1970’s)

• Safety Problem: Is there a reachable state with edge labeled z from X to Y?

• Undecidable in general

• HRU unable to find interesting decidable cases.

• Mono-operational: decidable but uninteresting

• Monotonic: undecidable

• Bi-conditional monotonic: undecidable

• Mono-conditional monotonic: decidable but uninteresting
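
Added example (not from the slides): a minimal HRU interpreter limited to enter and delete over a fixed set of subjects and objects; create and destroy are omitted so that the state space is finite and an exhaustive search for the safety question terminates. The right own, the commands grant_read and delegate, and the initial matrix are constructed for illustration.

```python
from itertools import product

# State: frozenset of (subject, object, right) triples, i.e. the access matrix.
# Command: (name, kinds, conditions, operations). `kinds` is a string with one
# "s" or "o" per parameter; a condition is (right, s_idx, o_idx); an operation
# is ("enter" | "delete", right, s_idx, o_idx). Indices refer to parameters.

def apply_command(state, command, args):
    """Run one HRU command; return the new state, or None if a condition fails."""
    _, _, conditions, operations = command
    if not all((args[s], args[o], r) in state for r, s, o in conditions):
        return None
    cells = set(state)
    for op, r, s, o in operations:
        if op == "enter":
            cells.add((args[s], args[o], r))
        else:  # "delete"
            cells.discard((args[s], args[o], r))
    return frozenset(cells)

def find_leak(initial, commands, subjects, objects, target):
    """Shortest command trace reaching a state with target = (X, Y, z), or None."""
    pools = {"s": subjects, "o": subjects + objects}  # subjects are also objects
    seen, frontier = {initial}, [(initial, [])]
    while frontier:  # breadth-first; finite because nothing is ever created
        state, trace = frontier.pop(0)
        if target in state:
            return trace
        for command in commands:
            for args in product(*(pools[k] for k in command[1])):
                nxt = apply_command(state, command, args)
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    frontier.append((nxt, trace + [(command[0], args)]))
    return None

# Constructed sample (not the slides' matrix): U owns F, V owns G.
INITIAL = frozenset((s, o, r) for s, o in (("U", "F"), ("V", "G"))
                    for r in ("own", "r", "w"))
# if own in (X1, X3) then enter r into (X2, X3)
GRANT_READ = ("grant_read", "sso", [("own", 0, 2)], [("enter", "r", 1, 2)])
# if own in (X1, X3) and r in (X2, X3) then enter w into (X2, X3)
DELEGATE = ("delegate", "sso", [("own", 0, 2), ("r", 1, 2)], [("enter", "w", 1, 2)])

if __name__ == "__main__":
    print(find_leak(INITIAL, [GRANT_READ, DELEGATE], ["U", "V"], ["F", "G"], ("V", "F", "w")))
```

With only grant_read available, the same query for w from V to F returns None: no reachable state carries that edge.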


The Safety Problem

• HRU 1976:
  • “It would be nice if we could provide for protection systems an algorithm which decided safety for a wide class of systems, especially if it included all or most of the systems that people seriously contemplate. Unfortunately, our one result along these lines involves a class of systems called “mono-operational,” which are not terribly realistic. Our attempts to extend these results have not succeeded, and the problem of giving a decision algorithm for a class of protection systems as useful as the LR(k) class is to grammar theory appears very difficult.”

• 2004:
  • Considerable progress has been made but much remains to be done and practical application of known results is essentially non-existent.
    – Progress includes: Take-Grant Model (Jones, Lipton, Snyder, Denning, Bishop; late 70’s early 80’s), Schematic Protection Model (Sandhu, 80’s), Typed Access Matrix Model (Sandhu, 1990’s), Graph Transformations (Koch, Mancini, Parisi-Presicce 2000’s)


Safety with Types

• Typed Access Matrix or TAM model (Sandhu 1992)
  • Safety is polynomial-decidable for monotonic ternary TAM with acyclic create-graph

• Typed Graphs (Koch et al 2002)
  • Safety is decidable for transformations that are either expanding or deleting
  • The given algorithm is exponential but actual complexity remains an open question


The Take-Grant Model (late 70’s, early 80’s)

[Figure: (a) A and B joined by an edge labelled t: B/t ∈ dom(A); (b) A and B joined by an edge labelled g: B/g ∈ dom(A)]

Original graph representation, late 70’s


The Take-Grant Model (late 70’s, early 80’s)

[Figure: (a) A and B joined by an edge labelled t: B/t ∈ dom(A); (b) A and B joined by an edge labelled g: B/g ∈ dom(A)]

Lockman-Minsky representation, 1982


Creation in Take-Grant

[Figure: A and the created node A’ joined by an edge labelled t, g, shown in two views: (a) The Original View; (b) The Lockman-Minsky View]


Reversal of Take-Grant Flow: case t

[Figure: nodes A, B and A’; A and B joined by an edge labelled t; further edges labelled t and g]


Reversal of Take-Grant Flow: case g

[Figure: nodes A, B and A’; A and B joined by an edge labelled g; further edges labelled t and g]


Reversal of Grant-Only Flow

[Figure: nodes A, B and A’; A and B joined by an edge labelled g; all further edges labelled g]


Non-Reversal of Take-Only Flow

[Figure: nodes A, B and A’; A and B joined by an edge labelled t; all further edges labelled t]


Safety in more recent (and practical) models

• RBAC96 (foundation of a new NIST/ANSI/ISO standard)
  • Safety is undecidable in general
    – Sandhu, Munawer, Crampton, 1998
  • Decidable cases exist
    – Li, Mitchell, Winsborough, Solworth, Sloan, 2000’s

• UCON (Usage Control Models)
  • Safety is undecidable in general
  • Decidable cases exist
    – Park, Sandhu, Zhang, Parisi-Presicce 2000’s


Looking ahead

• Security lags information technology applications
• Information technology applications are moving extremely rapidly
• The need for decentralized and automatic authorization is growing very rapidly
• The safety problem of access control remains a critical path problem
• Challenges
  – Develop new real-world relevant theory
  – Apply old and new theory
• Can theory of graph transformations help us?


RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)

[Figure: RBAC96 components: USERS, ROLES, PERMISSIONS, SESSIONS, USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, ROLE HIERARCHIES, CONSTRAINTS]


UCON (Usage Control) Models

[Figure: UCON components: Subjects (S), Subject Attributes (ATT(S)), Objects (O), Object Attributes (ATT(O)), Rights (R), Usage Decision, Authorizations (A), Obligations (B), Conditions (C)]

[Figure: timeline Before / Usage / After; Continuity of Decisions: pre, ongoing, N/A; Mutability of Attributes: pre, ongoing, post]