ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE- BASED ACCESS CONTROLS Ravi Sandhu George Mason University and SETA Corporation.

ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE-BASED ACCESS CONTROLS

Ravi Sandhu

George Mason University

and

SETA Corporation

2© Ravi Sandhu

OUTLINE

RBAC96 model: policy neutral LBAC models: policy full and varied LBAC can be reduced to RBAC96

LBAC < RBAC96 ? why bother to do this?

3© Ravi Sandhu

RBAC96

ROLES

USER-ROLEASSIGNMENT

PERMISSION-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

4© Ravi Sandhu

HIERARCHICAL ROLES

Engineer

HardwareEngineer

SoftwareEngineer

SupervisingEngineer

5© Ravi Sandhu

RBAC96

ROLES

USER-ROLEASSIGNMENT

PERMISSIONS-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

CONSTRAINTS

6© Ravi Sandhu

WHAT IS THE POLICY IN RBAC?

RBAC is policy neutral Role hierarchies facilitate security

management Constraints facilitate non-discretionary

policies

7© Ravi Sandhu

LBAC: LIBERAL *-PROPERTY

H

L

M1 M2

Read Write- +

+ -

8© Ravi Sandhu

RBAC96: LIBERAL *-PROPERTY

HR

LR

M1R M2R

LW

HW

M1W M2W

Read Write-

+

9© Ravi Sandhu

RBAC96: LIBERAL *-PROPERTY

user xR, user has clearance x

user LW, independent of clearance Need constraints

session xR iff session xW read can be assigned only to xR roles write can be assigned only to xW roles (O,read) assigned to xR iff

(O,write) assigned to xW

10© Ravi Sandhu

LBAC: STRICT *-PROPERTY

H

L

M1 M2

Read Write-

+

11© Ravi Sandhu

RBAC96: STRICT *-PROPERTY

HR

LR

M1R M2R LW HWM1W M2W

12© Ravi Sandhu

LBAC: WRITE RANGE

subjects have 2 labels read labelwrite label

H

L

M1 M2

13© Ravi Sandhu

RBAC96: WRITE RANGE LIBERAL *-PROPERTY

HR

LR

M1R M2R

LW

HW

M1W M2W

read role ° write role

14© Ravi Sandhu

RBAC96: WRITE RANGE STRICT *-PROPERTY

HR

LR

M1R M2R LW HWM1W M2W

read role ° write role

15© Ravi Sandhu

LBAC: CONFIDENTIALITY AND INTEGRITY

HS

LS

LI

HI

HS-LI

LS-HI

HS-HI LS-LI

two independentlattices

one compositelattice

16© Ravi Sandhu

RBAC96: CONFIDENTIALITY AND INTEGRITY READ ROLES

HSR-LIR

LSR-HIR

HSR-HIR LSR-LIR

Same for all cases

17© Ravi Sandhu

RBAC96: CONFIDENTIALITY AND INTEGRITY WRITE ROLES

LSW-HIW

HSW-LIW

HSW-HIW LSW-LIW

Liberal confidentialityLiberal integrity

18© Ravi Sandhu

RBAC96: CONFIDENTIALITY AND INTEGRITY WRITE ROLES

Strict confidentialityLiberal integrity

LSW-LIW

LSW-HIW

HSW-LIW

HSW-HIW

19© Ravi Sandhu

RBAC96: CONFIDENTIALITY AND INTEGRITY WRITE ROLES

Strict confidentialityStrict integrity

LSW-LIWLSW-HIW HSW-LIWHSW-HIW

20© Ravi Sandhu

SUMMARY

policy-neutral RBAC96 can accommodate policy-full LBAC in all its variations

LBAC variations are modeled by adjusting role hierarchy adjusting constraints

21© Ravi Sandhu

COVERT CHANNELS

are a problem for LBAC remain a problem for RBAC but

they don’t get any worse same techniques can be adapted who cares about them anyway