DISCRETIONARY ACCESS CONTROLS
Truong Quynh Chi, Faculty of Computer Science & Engineering, HCMC University of Technology, tqchi@cse.hcmut.edu.vn
OUTLINE
• Introduction to Discretionary Access Control
• Proposed Models for DAC
• SQL for Data Control
• DAC & Information Flow Controls
INTRODUCTION TO DAC
• Discretionary Access Control (DAC): users can protect what they own.
  • The owner is given all privileges on their own data.
  • The owner can define the type of access (read/write/execute/…) and grant access to others.
• The typical method of enforcing DAC in a database system is based on granting and revoking privileges.
INTRODUCTION TO DAC
Types of discretionary privileges:
• The account/system level: the administrator specifies the particular privileges that each account holds, independently of the objects in the database system.
• The object level: the administrator can control the privilege to access each individual object in the database system.
PROPOSED MODELS FOR DAC
• Access matrix model
• Take-Grant model
ACCESS MATRIX MODEL
Authorization state: Q = (S, O, A)
For DBs, A[s, o] also includes conditions that must be satisfied in order for s to exercise the access modes.
Possible conditions: data-dependent (sal < 1000), time-dependent (8:00am-5:00pm), context-dependent (the “name-salary” pair is prohibited), history-dependent, …

|    | O1       | … | Oi       | … | Om       |
|----|----------|---|----------|---|----------|
| S1 | A[s1,o1] | … | A[s1,oi] | … | A[s1,om] |
| …  |          |   |          |   |          |
| Si | A[si,o1] | … | A[si,oi] | … | A[si,om] |
| …  |          |   |          |   |          |
| Sn | A[sn,o1] | … | A[sn,oi] | … | A[sn,om] |
ACCESS MATRIX MODEL
|        | Asset 1                   | Asset 2                   | file | device |
|--------|---------------------------|---------------------------|------|--------|
| Role 1 | read, write, execute, own | execute                   | read | write  |
| Role 2 | read                      | read, write, execute, own |      |        |
ACCESS MATRIX MODEL
Model implementation:
• S → {(O, A)}: capability list
• O → {(S, A)}: ACL (access control list)
Each entry in the list specifies a subject and operation(s): for example, the entry (Alice, delete) on the ACL for file X gives Alice permission to delete file X.
Advantages & disadvantages of the two above & the model? [2]
• Capability list: to compute the set of subjects granted access on a given object, all lists must be gone through.
• ACL: likewise, to find all objects a subject can access, all lists must be gone through.
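An added example (not from the lecture) that models the matrix Q = (S, O, A) with the conditional entries of slide 7 and derives the ACL and capability-list views of slide 9, including the query that is costly under capability lists. The subjects, objects and the salary/time conditions are constructed sample data.

```python
from datetime import time

# Conditions attached to A[s, o] (slide 7): each access mode maps to a predicate
# over the request context; an unconditional mode maps to `always`.
def always(ctx):
    return True

def office_hours(ctx):                      # time-dependent condition
    return time(8, 0) <= ctx["now"] <= time(17, 0)

def low_salary(ctx):                        # data-dependent condition
    return ctx["row"]["sal"] < 1000

# Constructed authorization state Q = (S, O, A); A is keyed by (subject, object).
A = {
    ("alice", "EMPLOYEE"): {"read": always, "write": always},
    ("bob",   "EMPLOYEE"): {"read": low_salary},
    ("bob",   "PAYROLL"):  {"read": office_hours},
    ("carol", "PAYROLL"):  {"read": always, "write": office_hours},
}

def check(subject, mode, obj, ctx):
    """Reference-monitor decision: mode must be in A[s, o] and its condition must hold."""
    cond = A.get((subject, obj), {}).get(mode)
    return cond is not None and cond(ctx)

def acl(obj):
    """ACL of one object, O -> {(S, modes)}: one column of A."""
    return {s: sorted(modes) for (s, o), modes in A.items() if o == obj}

def capabilities(subject):
    """Capability list of one subject, S -> {(O, modes)}: one row of A."""
    return {o: sorted(modes) for (s, o), modes in A.items() if s == subject}

def subjects_with_access(obj):
    """The query that is expensive under a pure capability implementation:
    to learn who can access `obj`, every subject's capability list is scanned."""
    return sorted(s for s in {s for s, _ in A} if obj in capabilities(s))

# Constructed request contexts: a daytime request on a low-salary row and a
# night-time request on a high-salary row.
CTX_DAY = {"now": time(10, 30), "row": {"name": "x", "sal": 900}}
CTX_NIGHT = {"now": time(22, 0), "row": {"name": "y", "sal": 5000}}
```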
TAKE-GRANT MODEL
Authorization state: G = (S, O, E)
• V = S ∪ O is the set of vertices, S ∩ O = ∅
• E is the set of labelled arcs
• take(d, s, x, y): the subject s takes the right d on the object/subject y from the object/subject x
  [Figure: before, s -t-> x and x -d-> y; after take(d, s, x, y), s additionally holds s -d-> y]
TAKE-GRANT MODEL
• grant(d, s, x, y): the subject s grants the right d on the object/subject y to the object/subject x
  [Figure: before, s -g-> x and s -d-> y; after grant(d, s, x, y), x additionally holds x -d-> y]
TAKE-GRANT MODEL
Access modes: read, write, take, grant
• Read, write: inert rights
• Take, grant: transport rights
A subject S may lose control of the subsequent transfers of the rights it granted to an object O.
This model is classifiable as an access matrix model.
Disadvantages?
TAKE-GRANT MODEL
Disadvantages:
• Non-selectivity of administrative rights: all authorizations of an S owning a ‘GRANT’ authorization can be transferred, and all authorizations of an O/S on which a ‘TAKE’ right is held can be taken.
• No control on propagation of authorizations.
• Non-locality: an S owning the grant privilege on O can give any of its privileges to O, thus augmenting the domain of O (the set of authorizations associated to O).
• Reversibility of the privilege transport flow.
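An added example (not from the lecture) implementing the take and grant rules of slides 10-11 on a protection graph, with a run that reproduces the loss of control described on slides 12-13: alice grants a right to bob, and bob's own grant right on carol lets him pass it on without alice being consulted. The vertex names and rights (r, w inert; t, g transport) are constructed.

```python
from collections import defaultdict

class TakeGrantGraph:
    """Protection graph G = (S, O, E): vertices V = S ∪ O with S ∩ O = ∅,
    E[(x, y)] = set of rights the vertex x holds on the vertex y."""
    def __init__(self, subjects, objects):
        assert not set(subjects) & set(objects), "S and O must be disjoint"
        self.S, self.O = set(subjects), set(objects)
        self.E = defaultdict(set)

    def rights(self, x, y):
        return self.E[(x, y)]

    def add(self, x, y, *rights):
        self.E[(x, y)].update(rights)

    def take(self, d, s, x, y):
        """take(d, s, x, y): s (a subject) holds t on x and x holds d on y => s gains d on y."""
        if s in self.S and "t" in self.rights(s, x) and d in self.rights(x, y):
            self.add(s, y, d)
            return True
        return False

    def grant(self, d, s, x, y):
        """grant(d, s, x, y): s (a subject) holds g on x and holds d on y => x gains d on y."""
        if s in self.S and "g" in self.rights(s, x) and d in self.rights(s, y):
            self.add(x, y, d)
            return True
        return False

    def edges(self):
        return {k: sorted(v) for k, v in self.E.items() if v}

def loss_of_control_demo():
    """Slides 12-13: once alice grants r on the file to bob, bob's own g right on
    carol lets him pass it on; alice holds no right on carol and is never consulted."""
    g = TakeGrantGraph(subjects=["alice", "bob", "carol"], objects=["file"])
    g.add("alice", "file", "r")   # alice reads the file
    g.add("alice", "bob", "g")    # alice may grant to bob
    g.add("bob", "carol", "g")    # bob may grant to carol
    g.grant("r", "alice", "bob", "file")    # alice -> bob: r on file
    g.grant("r", "bob", "carol", "file")    # bob -> carol: r on file, without alice
    return g.edges()
```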
OTHER MODELS
• Acten (Action-Entity) model
• Wood et al. model
See [2] + Internet
SQL FOR DATA CONTROL
Commands:
• GRANT
• REVOKE
Based on three central objects:
• Users
• Database objects
• Privileges: select, modify (insert, update, delete), reference
SQL FOR DATA CONTROL
GRANT: pass privileges on one's own database objects to other users
  GRANT <privilege list> ON <database objects> TO <user list>
REVOKE: take back (cancel) privileges on one's own database objects from other users
  REVOKE <privilege list> ON <database objects> FROM <user list>
SQL FOR DATA CONTROL
Propagation of privileges using the GRANT OPTION
• Whenever the owner A of a relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION.
• If the GRANT OPTION is given, this means that B can also grant that privilege on R to other accounts.
SQL FOR DATA CONTROL
DAC with views (virtual relations)
• If the owner A of a relation R wants another account B to be able to retrieve only some fields of R, then A can create a view V of R that includes only those attributes and then grant SELECT on V to B.
• The same applies to limiting B to retrieving only certain tuples of R: a view V’ can be created by defining the view by means of a query that selects only those tuples from R that A wants to allow B to access.
AN EXAMPLE
Suppose that the DBA creates four accounts A1, A2, A3, A4 and wants only A1 to be able to create base relations. Then the DBA must issue the following GRANT command in SQL:
  GRANT CREATETAB TO A1;
In SQL2 the same effect can be accomplished by having the DBA issue a CREATE SCHEMA command as follows:
  CREATE SCHEMA EXAMPLE AUTHORIZATION A1;
AN EXAMPLE(2)
User account A1 can create tables under the schema called EXAMPLE. Suppose that A1 creates the two tables EMPLOYEE and DEPARTMENT. A1 is then the owner of these two relations and hence holds all the relation privileges on each of them.
Suppose that A1 wants to grant A2 the privilege to insert and delete tuples in both of these relations, but A1 does not want A2 to be able to propagate these privileges to additional accounts:
  GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
AN EXAMPLE(4)
Suppose that A1 wants to allow A3 to retrieve information from either of the two tables and also to be able to propagate the SELECT privilege to other accounts. A1 can issue the command:
  GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;
A3 can grant the SELECT privilege on the EMPLOYEE relation to A4 by issuing:
  GRANT SELECT ON EMPLOYEE TO A4;
Notice that A4 can’t propagate the SELECT privilege because the GRANT OPTION was not given to A4.
AN EXAMPLE(5)
Suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from A3; A1 can issue:
  REVOKE SELECT ON EMPLOYEE FROM A3;
The DBMS must now automatically revoke the SELECT privilege on EMPLOYEE from A4, too, because A3 granted that privilege to A4 and A3 does not have the privilege any more.
AN EXAMPLE(6)
Suppose that A1 wants to give back to A3 a limited capability to SELECT from the EMPLOYEE relation and wants to allow A3 to be able to propagate the privilege. The limitation is to retrieve only the NAME, BDATE and ADDRESS attributes and only for the tuples with DNO = 5. A1 then creates the view:
  CREATE VIEW A3EMPLOYEE AS SELECT NAME, BDATE, ADDRESS FROM EMPLOYEE WHERE DNO = 5;
After the view is created, A1 can grant SELECT on the view A3EMPLOYEE to A3 as follows:
  GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;
AN EXAMPLE(7)
Finally, suppose that A1 wants to allow A4 to update only the SALARY attribute of EMPLOYEE; A1 can issue:
  GRANT UPDATE ON EMPLOYEE (SALARY) TO A4;
The UPDATE or INSERT privilege can specify particular attributes that may be updated or inserted in a relation. Other privileges (SELECT, DELETE) are not attribute specific.
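An added example (not from the lecture or from any DBMS) that simulates the privilege catalogue behind slides 21-24: GRANT with and without the GRANT OPTION, the refusal of a grant by an account that lacks the option, and the cascading REVOKE that strips A4 when A3 loses SELECT. The account and table names are the slides' own; the catalogue structure is constructed.

```python
class PrivilegeCatalog:
    """Toy catalogue of SQL privileges: each row records who granted what on
    which object to whom, and whether the grantee received the GRANT OPTION."""
    OWNER_PRIVS = ("SELECT", "INSERT", "UPDATE", "DELETE")

    def __init__(self, owner, objects):
        # The owner of a relation holds every privilege on it, with GRANT OPTION.
        self.grants = [("_OWNER", owner, p, o, True) for o in objects for p in self.OWNER_PRIVS]

    def has(self, user, priv, obj, need_option=False):
        return any(ge == user and p == priv and o == obj and (go or not need_option)
                   for _, ge, p, o, go in self.grants)

    def grant(self, grantor, grantee, priv, obj, with_grant_option=False):
        """GRANT priv ON obj TO grantee [WITH GRANT OPTION]: grantor needs the option."""
        if not self.has(grantor, priv, obj, need_option=True):
            raise PermissionError(f"{grantor} holds no grantable {priv} on {obj}")
        self.grants.append((grantor, grantee, priv, obj, with_grant_option))

    def revoke(self, grantor, grantee, priv, obj):
        """REVOKE priv ON obj FROM grantee, then cascade: any grant whose grantor can
        no longer support it (lost the privilege or its GRANT OPTION) is dropped."""
        self.grants = [g for g in self.grants if g[:4] != (grantor, grantee, priv, obj)]
        dangling = True
        while dangling:
            dangling = [g for g in self.grants
                        if g[0] != "_OWNER" and not self.has(g[0], g[2], g[3], need_option=True)]
            self.grants = [g for g in self.grants if g not in dangling]

def run_slides_example():
    """Slides 21-24. Returns (A4 has SELECT before revoke, A3 after, A4 after,
    A2 still has INSERT, A2 managed to propagate INSERT)."""
    cat = PrivilegeCatalog(owner="A1", objects=["EMPLOYEE", "DEPARTMENT"])
    for priv in ("INSERT", "DELETE"):
        for obj in ("EMPLOYEE", "DEPARTMENT"):
            cat.grant("A1", "A2", priv, obj)                        # no GRANT OPTION
    cat.grant("A1", "A3", "SELECT", "EMPLOYEE", with_grant_option=True)
    cat.grant("A1", "A3", "SELECT", "DEPARTMENT", with_grant_option=True)
    cat.grant("A3", "A4", "SELECT", "EMPLOYEE")                     # A3 may propagate
    try:
        cat.grant("A2", "A4", "INSERT", "EMPLOYEE")                 # A2 may not
        a2_propagated = True
    except PermissionError:
        a2_propagated = False
    a4_before = cat.has("A4", "SELECT", "EMPLOYEE")
    cat.revoke("A1", "A3", "SELECT", "EMPLOYEE")                    # cascades to A4
    return (a4_before, cat.has("A3", "SELECT", "EMPLOYEE"),
            cat.has("A4", "SELECT", "EMPLOYEE"), cat.has("A2", "INSERT", "EMPLOYEE"), a2_propagated)
```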
DAC & INFORMATION FLOW CONTROLS
Inherent weakness of DAC: unrestricted DAC allows information from an object that can be read by a subject to be written to any other object.
• Bob is denied access to file A, so he asks his cohort Alice to copy A to B, which he can access.
• Suppose our users are trusted not to do this deliberately. It is still possible for Trojan horses to copy information from one object to another.
TROJAN HORSE EXAMPLE
[Figure: slides 29-31 are diagrams only]
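An added example (not from the lecture) that plays out the scenario of slide 28 in code: with DAC alone, every step of Alice's copy of A into B is individually authorised, so Bob ends up reading A's contents from B; the flow_control switch adds the information-flow check that DAC lacks, refusing a write whose readers were not all allowed to read the source. The ACLs, file contents and the Process class are constructed.

```python
# Constructed DAC state: ACL[object] = {subject: modes}; Bob holds nothing on A.
ACL = {
    "A": {"alice": {"read", "write"}},
    "B": {"alice": {"read", "write"}, "bob": {"read"}},
}
FILES = {"A": "secret project plan", "B": ""}

def dac_permits(subject, mode, obj):
    return mode in ACL.get(obj, {}).get(subject, set())

def readers_of(obj):
    return {s for s, modes in ACL[obj].items() if "read" in modes}

class Process:
    """A process running with `user`'s rights (the Trojan horse of slide 28 runs as
    Alice).  `sources` tracks which objects the data it holds was derived from."""
    def __init__(self, user):
        self.user, self.buffer, self.sources = user, "", set()

    def read(self, obj):
        if not dac_permits(self.user, "read", obj):
            raise PermissionError(f"{self.user} may not read {obj}")
        self.buffer, self.sources = FILES[obj], self.sources | {obj}

    def write(self, obj, flow_control=False):
        if not dac_permits(self.user, "write", obj):           # the only check DAC makes
            raise PermissionError(f"{self.user} may not write {obj}")
        if flow_control:
            # Flow rule DAC lacks: everyone able to read the target must already be
            # able to read every object the data was derived from.
            leaks = {src: readers_of(obj) - readers_of(src) for src in self.sources}
            leaks = {src: who for src, who in leaks.items() if who}
            if leaks:
                raise PermissionError(f"write to {obj} would leak {leaks}")
        FILES[obj] = self.buffer

def copy_a_to_b(flow_control):
    """Alice's process copies A into B; returns what Bob then reads from B."""
    FILES["B"] = ""
    alice = Process("alice")
    alice.read("A")                          # permitted: Alice may read A
    try:
        alice.write("B", flow_control)       # permitted by DAC; refused by the flow rule
    except PermissionError:
        pass
    bob = Process("bob")
    bob.read("B")                            # permitted: Bob may read B
    return bob.buffer
```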