IS 302: Information Security and Trust Week 10: Access Control 2012
Jan 01, 2016
IS 302: Information Security and Trust
Week 10: Access Control
2012
Access Control
• Who can access what and how in a shared system
I. DAC
II. MAC
III. RBAC
© Yingjiu Li 2007 2
© Yingjiu Li 2007 3
I. Discretionary Access Control
• DAC1) AC matrix
2) ACL
3) Capabilities
4) Authorization relations
© Yingjiu Li 2007 4
1) Access Control Matrix
U
V
F G
orw
orwr
subjects
objects (and subjects)
rights
o – own r – read
w – write
© Yingjiu Li 2007 5
Subjects
• Are subjects users?
user
principals
subjects
© Yingjiu Li 2007 6
User - Principals• One to many mapping
between user and principals
• System authenticates user in the context of principal
• Shared principals (accounts) are not good for accountability
user principals
Alice
Alice.Top-secret
Alice.Secret
Bob
Bob.Dean
Bob.Faculty
Bob.Super-user
© Yingjiu Li 2007 7
Principal - Subjects• One to many mapping
between principal and subjects
• A subject is a program or application run on behalf of principal
• Subjects are often treated the same as principal if all subjects of a principal have the same rights
subjectsprincipal
Alice.Top-secret
Word
Database
© Yingjiu Li 2007 8
Objects• An object is anything on which a subject can
perform operations (mediated by rights)
• Usually objects are passive, for example– File – Directory (or Folder)– Memory segment
• But, subjects can also be objects, with operations– Kill– Suspend – Resume
© Yingjiu Li 2007 9
Rights• A right specifies what kind of access a
subject can perform on an object– Own– Read– Write– Execute– Create– Delete– Transfer
© Yingjiu Li 2007 10
Implementation of Access Control Matrix
U
V
F G
orw
orwr
subjects
objects
rightsCapabilities
ACL
© Yingjiu Li 2007 11
2) Access Control List (ACL)• ACL – Each column of access control matrix is stored with
corresponding object
• ACL requires subjects to be authenticated before access to a particular object
U:o
U:r
U:w
V:r
V:o
V:r
V:w
F G
© Yingjiu Li 2007 12
3) Capabilities• Capabilities – Each row of access control matrix is stored with
corresponding subject
• Capabilities do not require subjects to be authenticated but require– Capabilities are unforgeable – Propagation of capabilities are under control
F/o, F/r, F/w
F/r, G/o, G/r, G/w
U
V
© Yingjiu Li 2007 Ref. INFS762 Sushil Jajodia 1999 13
Capabilities
• Propagation of capability
A B CF/r, F/t F/r
User User User
capability capability t: transfer
© Yingjiu Li 2007 14
Comparison of ACL and Capabilities
• ACL– Access rights stored with
objects
– Requires authentication of subjects
– Provides access review on a per-object basis
– Most operating systems such as UNIX and Windows use ACL to protect files
• Capabilities– Access rights stored with
subjects
– Requires unforgeability of capabilities and propagation control of capabilities
– Provides revocation facilities on a per-subject basis
– Used in authentication systems such as Kerberos
© Yingjiu Li 2007 15
4) Authorization Relation• Besides ACL and capabilities, access matrix can also be
implemented/stored in relation form
• This form is often used in database management systems
subject access right objectU o FU r FU w FV r FV o GV r GV w G
© Yingjiu Li 2007 16
Case Study: UNIX File System• 3 types of permissions
(rights)– r – read file or directory– w – write to file or
directory– x – execute file or search
directory
• 3 types of users (subjects)– u – user who owns file– g – members of the group
to which the owner belongs– o – all other users
• Given a file (object), each of 3 permissions can be set for any of 3 types of users by its owner– user group others – r w x r w x r w x
– ls -l file1 – -rwx--x--x 2 Alice staff
2048 Jan 1 12:10 file1– ls -l dir1– drwxr-xr-x 3 Alice user
1024 Jan 1 09:27 dir1– chmod g+r file1
© Yingjiu Li 2007 17
Windows File System
• File/folder permissions user/group of users
• Read
• Write
• Change owner
• Delete
• …
© Yingjiu Li 2007 18
Security Problems of DAC• However, DAC dose not provide real assurance – access
restrictions can be easily bypassed– Trojan horse attack
File F
File G
U:r U:w
U:w V:r
ACL
Principal U
Principal V
w
wr
Principal V is an adversary who wants to read file F
r
© Yingjiu Li 2007 19
Security Problems of DAC• Principal V sends U a benign software with Trojan horse
embedded
• U executes the software Trojan horse gains U’s privileges
File F
File G
U:r U:w
U:w V:r
ACL
Principal U
Principal V
Principal V can now read file F with the help of Trojan horse
w
r
r
Benign software
Trojan horseexe
© Yingjiu Li 2007 20
II. MAC
• Mandatory Access Control (MAC)– MAC augments DAC based on security labels
attached to subjects and objects• Security label to subject security clearance
• Security label to object security classification
– Users have no control of security labels, but information flow is restricted to certain can-flow paths
© Yingjiu Li 2007 21
Security Labels
Top secret
Secret
Confidential
Unclassified
High level
Low level
Can-flow
© Yingjiu Li 2007 22
BLP Model (1)
• Bell and LaPadula model (BLP)– A formal MAC model– D. E. Bell and L. J. LaPadula. Secure computer
systems: mathematical foundations and model. Technical report, MITRE, 1974
© Yingjiu Li 2007 23
BLP Model (2)• Simple-security property
– Subject S can read object O only if
• Information can flow from label(O) to label(S)
• Star-property– Subject S can write object
O only if • Information can flow from
label(S) to label(O)
Label(S)
Label(O)
Can-flow
Label(O)
Label(S)
Can-flow
Read down
Write up
© Yingjiu Li 2007 24
BLP Model (3)
• Note– BLP model is applied to subjects, not users
• Users are trusted
• Subjects are not trusted due to Trojan horses
– Star-property prevents information leakage caused by Trojan horses
• Why – see next slide
© Yingjiu Li 2007 25
BLP Model (4)• DAC:
• BLP:
File F
File G
U:r U:w
U:w V:r
Principal U
Principal Vw
r
r
Benign software
Trojan horseexe
File F
File G
U:r U:w
U:w V:r
Principal U
Principal V
w
r
r
Benign software
Trojan horseexe
(Label H)
(Label L)
can-flowstar-proprety
© Yingjiu Li 2007 26
III. Role-Based Access Control (RBAC)
• RBAC– No formalized labels
– No dominance (can-flow) function; access is less regulated
– Suitable for commercial app
• General, flexible and easy-to-use
• NIST-ANSI RBAC standard –2001
• MAC– Security labels are used
– Access control is strictly regulated by dominance function of labels
– Suitable for secure computer systems
• Orange Book US DoD standard – 1983
• Common Criteria international standard – 2005
© Yingjiu Li 2007 27
Role• Role represents users
– Specific task competency– Job responsibility– Specific duty assignment
• Role defines permissions – Student role in eLearn– Professor role– Admin and security officer role
user permissionroleUA: user assignment
PA: permission assignment
Sessions (one-to-many mapping)
© Yingjiu Li 2007 28
Security Management
• Security management is simpler with roles– User-role relationship changes over time– Role-permission relationship is relatively stable
user permissionroleUA: user assignment
PA: permission assignment
Sessions (one-to-many mapping)
dynamic stable
flexible
© Yingjiu Li 2007 29
Hands-on Exercise
• Access Control in Java– Access control modifiers– SecurityManager: access control and
enforcement
© Yingjiu Li 2007 30
Access Control ModifiersModifiers Class
accessibilityMember accessibility
public All All if class is accessible
protected N/A Same package or subclass
default Same package Same package
private N/A Same class (not subclass)
© Yingjiu Li 2007 31
Exercise on AC Modifiers
• Download – InputCredit.java– WriteCredit.java
• Make them work
© Yingjiu Li 2007 32
SecurityManager Class
• Full-time security guard– Enforce security policies
• what a program is allowed to do
– Request permission for certain operations • read, write, delete, execute
• system commands (exit)
– By default, no SecurityManager
© Yingjiu Li 2007 33
Exercise on SecurityManager (1)• Get the current SecurityManager
SecurityManager security = System.getSecurityManager();
if (security != null) { security.checkExit(status); } . . . // code continues here if checkedExit() not throw a
SecurityException• Each operation has its own checkXXX() method
– Write your own security manager– Override SecurityManager’s checkXXX() to tighten or
modify the security policy for specific operations
© Yingjiu Li 2007 34
Exercise on SecurityManager (2)• Download
– PasswordSecurityManager.java– WriteCreditCheck.java (which incorporates
PasswordSecurityManager in WriteCredit.java)– ReadCredit.java
• Task– Incorporate PasswordSecurityManager into
ReadCredit.java ReadCreditCheck.java – Enforce password checking for reading credit card
number from a file
© Yingjiu Li 2007 35
Exercise on SecurityManager (3)
• Rewrite PasswordSecurityManager and incorporate it into ReadCredit.java ReadCreditCheck.java
• Block any reading from file credit.txt
© Yingjiu Li 2007 36
Review• Which of the following is subject to Trojan horse attack?
1. DAC2. MAC3. RBAC
• Which of the following is used in secure operating systems?1. DAC2. MAC3. RBAC
• Which of the following is a NIST standard?1. DAC2. MAC3. RBAC
© Yingjiu Li 2007 37
Individual Assignment 2 (5%)
• Due in next week (hard copy during class)– Textbook 4.10 Exercise 22 (page 227 in 3rd
edition, page 240 in 4th edition)– Textbook 5.11 Exercise 1 (page 305 in 3rd
edition, page 316 in 4th edition)– Textbook 7.11 Exercises 19, 43, 62 (pages 486-
488 in 3rd edition, pages 504-507 in 4th edition)
© Yingjiu Li 2007 38
Announcement• Week 11: lab session at SEIL Rm 5013 SoE building• Week 12: project presentation
– Teams 1-8, part A, 20 minutes
• Week 13: project presentation – Teams 9-10: part A and part B, 30 minutes– Teams 1-8: part B demo and presentation, 10 minutes
• Week 14: project report due on April 9, Monday
• Week 15: final exam (40%) 1~3pm, April 25 (please double check)