ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE- BASED ACCESS CONTROLS Ravi Sandhu George Mason University and SETA Corporation
Mar 26, 2015
ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE-BASED ACCESS CONTROLS
Ravi Sandhu
George Mason University
and
SETA Corporation
2© Ravi Sandhu
OUTLINE
RBAC96 model: policy neutral LBAC models: policy full and varied LBAC can be reduced to RBAC96
LBAC < RBAC96 ? why bother to do this?
3© Ravi Sandhu
RBAC96
ROLES
USER-ROLEASSIGNMENT
PERMISSION-ROLEASSIGNMENT
USERS PERMISSIONS
... SESSIONS
ROLE HIERARCHIES
4© Ravi Sandhu
HIERARCHICAL ROLES
Engineer
HardwareEngineer
SoftwareEngineer
SupervisingEngineer
5© Ravi Sandhu
RBAC96
ROLES
USER-ROLEASSIGNMENT
PERMISSIONS-ROLEASSIGNMENT
USERS PERMISSIONS
... SESSIONS
ROLE HIERARCHIES
CONSTRAINTS
6© Ravi Sandhu
WHAT IS THE POLICY IN RBAC?
RBAC is policy neutral Role hierarchies facilitate security
management Constraints facilitate non-discretionary
policies
7© Ravi Sandhu
LBAC: LIBERAL *-PROPERTY
H
L
M1 M2
Read Write- +
+ -
8© Ravi Sandhu
RBAC96: LIBERAL *-PROPERTY
HR
LR
M1R M2R
LW
HW
M1W M2W
Read Write-
+
9© Ravi Sandhu
RBAC96: LIBERAL *-PROPERTY
user xR, user has clearance x
user LW, independent of clearance Need constraints
session xR iff session xW read can be assigned only to xR roles write can be assigned only to xW roles (O,read) assigned to xR iff
(O,write) assigned to xW
10© Ravi Sandhu
LBAC: STRICT *-PROPERTY
H
L
M1 M2
Read Write-
+
11© Ravi Sandhu
RBAC96: STRICT *-PROPERTY
HR
LR
M1R M2R LW HWM1W M2W
12© Ravi Sandhu
LBAC: WRITE RANGE
subjects have 2 labels read labelwrite label
H
L
M1 M2
13© Ravi Sandhu
RBAC96: WRITE RANGE LIBERAL *-PROPERTY
HR
LR
M1R M2R
LW
HW
M1W M2W
read role ° write role
14© Ravi Sandhu
RBAC96: WRITE RANGE STRICT *-PROPERTY
HR
LR
M1R M2R LW HWM1W M2W
read role ° write role
15© Ravi Sandhu
LBAC: CONFIDENTIALITY AND INTEGRITY
HS
LS
LI
HI
HS-LI
LS-HI
HS-HI LS-LI
two independentlattices
one compositelattice
16© Ravi Sandhu
RBAC96: CONFIDENTIALITY AND INTEGRITY READ ROLES
HSR-LIR
LSR-HIR
HSR-HIR LSR-LIR
Same for all cases
17© Ravi Sandhu
RBAC96: CONFIDENTIALITY AND INTEGRITY WRITE ROLES
LSW-HIW
HSW-LIW
HSW-HIW LSW-LIW
Liberal confidentialityLiberal integrity
18© Ravi Sandhu
RBAC96: CONFIDENTIALITY AND INTEGRITY WRITE ROLES
Strict confidentialityLiberal integrity
LSW-LIW
LSW-HIW
HSW-LIW
HSW-HIW
19© Ravi Sandhu
RBAC96: CONFIDENTIALITY AND INTEGRITY WRITE ROLES
Strict confidentialityStrict integrity
LSW-LIWLSW-HIW HSW-LIWHSW-HIW
20© Ravi Sandhu
SUMMARY
policy-neutral RBAC96 can accommodate policy-full LBAC in all its variations
LBAC variations are modeled by adjusting role hierarchy adjusting constraints
21© Ravi Sandhu
COVERT CHANNELS
are a problem for LBAC remain a problem for RBAC but
they don’t get any worse same techniques can be adapted who cares about them anyway