Topic 4 Access Control

Outline
z Introduce access control principles. z Talk about access control policies, requirements and elements.
subjects, objects, access rights

z Discuss discretionary access controls.

access matrix, access control lists (ACLs), capability tickets UNIX traditional and ACL mechanisms

z Discuss role-based access control. z Present a case study.

(C) Davar Pishva, 2013

Security and Information System Management

Access Control
Introduction
z We defined access control as the prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. z This is a central element of computer security. z For a population of users and user groups:
It authenticate them to a system. It assigns access rights to certain resources on the system.

(C) Davar Pishva, 2013

Security and Information System Management

Access Control Principles

A security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance. It involves:
z Authentication:
The verification of an identity claimed by or for a system entity.

z Authorization:
The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose.

z Audit:
An independent review and examination of system records and activities in order to test for adequacy of system controls. Used to:
ensure compliance with established policy and operational procedures, detect breaches in security, and recommend any indicated changes in control, policy and procedures.

more
(C) Davar Pishva, 2013

Security and Information System Management

Access Control Principles (cont.)

(C) Davar Pishva, 2013

Security and Information System Management

Access Control Policies

This is embodied in an authorization database, dictates what types of access are permitted, under what circumstances, and by whom. They are generally grouped into the following access control categories:
z Discretionary Access Control (DAC):
This policy is based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. It is termed discretionary because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource. This policy is based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate system entities are eligible to access certain resources). It is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource. See chapter 10. This policy is based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.

z Mandatory Access Control (MAC):

z Role-Based Access Control (RBAC):

more
(C) Davar Pishva, 2013

Security and Information System Management

Access Control Policies (cont.)

These three policies are not mutually exclusive, two or even all three can be included to cover different classes of system resources.

(C) Davar Pishva, 2013

Security and Information System Management

Access Control Requirements

Reliable Input Fine and Coarse specifications Least Privilege Separation of Duty Open and Closed policies Policy combinations, conflict resolution Administrative Policies

(C) Davar Pishva, 2013

Security and Information System Management

Access Control Elements

Subject - entity that can access objects
z a process representing user/application z often have 3 classes: owner, group, world

Object - access controlled resource

z e.g. files, directories, records, programs etc z number/type depend on environment

Access Right - way in which subject accesses an object

z e.g. read, write, execute, delete, create, search

(C) Davar Pishva, 2013

Security and Information System Management

Discretionary Access Control

Often provided using an access matrix
z lists subjects in one dimension (rows) z lists objects in the other dimension (columns) z each entry specifies access rights of the specified subject to that object

Access matrix is often sparse Can decompose by either row or column

(C) Davar Pishva, 2013

Security and Information System Management

Access Matrix
A simple example of an access matrix is shown below: Objects
File 1 User A Own Read Write Read Write Read Write Own Read Write Read File 2 File 3 Own Read Write Write Read Own Read Write File 4

Subjects

User B

User C

(C) Davar Pishva, 2013

Security and Information System Management

10

Access Control Structures

In the example of access matrix, user A owns files 1 and 3 and has read and write access rights to those files, user B has read and write access rights to file 1, and so on as shown here.
z

The matrix may be decomposed by columns, yielding access control lists (ACLs).
An ACL lists users and their permitted access rights.

Its decomposition by rows yields capability tickets:

A capability ticket specifies authorized objects and operations for a user. more

(C) Davar Pishva, 2013

Security and Information System Management

11

Access Control Model

DAC developed by Lampson, Graham and Denning
z The model assumes a set of subjects, a set of objects, and a set of rules that govern the access of subjects to objects.

(C) Davar Pishva, 2013

Security and Information System Management

12

Access Control Function

From a logical or functional point of view, a separate access control module is associated with each type of object. The module evaluates each request by a subject to an object to determine if the access right exists. An access attempt triggers the following steps:
z z

A subject S0 issues a request of type for object X. The request causes the system (operating system or an access control interface module) to generate a message of the form (S0, , X) to the controller for X. The controller interrogates the access matrix A to determine if is in A[S0, X]. If so, the access is allowed, if not the access is denied and a protection violation occurs.

(C) Davar Pishva, 2013

Security and Information System Management

13

Protection Domains
A protection domain is a set of objects together with access rights to those objects. In access matrix view, each row defines a protection domain.
z but not necessarily just a user z may be a limited subset of users rights z applied to a more restricted process

It may be static or dynamic.

(C) Davar Pishva, 2013

Security and Information System Management

14

UNIX File Concepts

UNIX files administered using inodes (index node)
z An inode is a control structure that contains the key information needed by the operating system for a particular file. attributes, permissions of a single file z several file names may be associated with same inode z have inode table / list for all files on a disk copied to memory when disk mounted

Directories form a hierarchical tree

z may contain files or other directories z are a file of names and inode numbers
(C) Davar Pishva, 2013

Security and Information System Management

15

UNIX File Access Control

In UNIX, each user is assigned a unique user identification number (user ID). When a file is created, it is designated as owned by a particular user and marked with that users ID. It also belongs to a specific group, which initially is either its creators primary group, or the group of its parent directory if that directory has SetGID permission set.
z Associated with each file is a set of 12 protection bits. z The owner ID, group ID, and protection bits are part of the files inode. z Nine of the protection bits specify read, write, and execute permission for
the owner of the file, other members of the group to which this file belongs, and all other users.

more
(C) Davar Pishva, 2013

Security and Information System Management

16

UNIX File Access Control (cont.)

set user ID(SetUID) or set group ID(SetGID)
z Two of the three remaining protection bits are used for this purpose. z System temporarily uses rights of the file owner / group in addition to the real users rights when making access control decisions. z Enables privileged programs to access files / resources not generally accessible. z The final protection bit is used as the Sticky bit. z On directory, it limits rename/move/delete to owner. z is exempt from usual access control restrictions.

Sticky Bit

Superuser

(C) Davar Pishva, 2013

Security and Information System Management

17

UNIX Access Control Lists

Modern UNIX systems support ACLs. Any number of users and groups can be associated with a file, each with three protection bits (read, write, execute), offering a flexible mechanism for assigning access rights. ACLs are optional extensions to std permissions. Group permissions also set max ACL permissions. When access is required
z Selects most appropriate ACL
owner, named users, owning / named groups, others.

z Checks if have sufficient permissions for access.

(C) Davar Pishva, 2013

Security and Information System Management

18

Role-Based Access Control

RBAC
z Define the access rights of individual users and groups of users based on the roles that users assume in a system rather than the user's identity.
Define a role as a job function within an organization.

z Have widespread commercial use and remains an area of active research. z As shown here in the adjacent figure, the relationship of users to roles is many to many, as is the relationship of roles to resources, or system objects.
(C) Davar Pishva, 2013

more
19

Security and Information System Management

Role-Based Access Control (cont.)

Access Matrix Representation
z As shown here, the access matrix representation can be used to depict the key elements of an RBAC system in simple terms.
The upper matrix relates individual users to roles.
Typically there are many more users than roles.

The lower matrix has the same structure as the DAC access control matrix, with roles as subjects.
Typically, there are few roles and many objects, or resources. more
(C) Davar Pishva, 2013

Security and Information System Management

20

Role-Based Access Control (cont.)

A variety of functions and services can be included under the general RBAC approach. Types of entries
z User
An individuals that has access to this computer system, & associated user ID.

z Role
A named job function within the organization that controls this computer system.

z Permission
An approval of a particular mode of access to one or more objects.

z Session
A mapping between a user and an activated subset of the set of roles to which the user is assigned.
The solid lines in the adjacent figure indicate relationships, or mappings.

(C) Davar Pishva, 2013

Security and Information System Management

21

NIST RBAC Model

The main innovation of the NIST standard is the introduction of the RBAC System and Administrative Functional Specification, which defines the features required for an RBAC system in three categories:
z Administrative functions
Provide the capability to create, delete, and maintain RBAC elements and relations.

z Supporting system functions

Provide functions for session management and for making access control decisions.

z Review functions
Provide the capability to perform query operations on RBAC elements and relations

(C) Davar Pishva, 2013

Security and Information System Management

22

RBAC For a Bank

This is a system wide implementation of RBAC in which the determination of access rights is compartmentalized into three different administrative units for greater security.

(C) Davar Pishva, 2013

Security and Information System Management

23

Topic 4 Access Control

Summary
z Introduced access control principles. z Talked about access control policies, requirements and elements.
subjects, objects, access rights

z Discussed discretionary access controls.

access matrix, access control lists (ACLs), capability tickets UNIX traditional and ACL mechanisms

z Discussed role-based access control. z Presented a case study.

(C) Davar Pishva, 2013

Security and Information System Management

24

RBAC For a Bank

This is a system wide implementation of RBAC in which the determination of access rights is compartmentalized into three different administrative units for greater security.
z Roles within the organization are defined by a combination of official position and job function, and form a role hierarchy in which one role is superior to another if its position is superior and their functions are identical. z The application grants access on the basis of a centrally provided security profile. A separate authorization administration associate access rights with roles and creates the security profile for a use on the basis of the user's role. z Authorization Administration, which creates a security profile for each user that associates the User ID and role with a set of access rights.

(C) Davar Pishva, 2013

Security and Information System Management

25