Lecture 7Access Control

modified from slides of Lawrie Brown

Access Control

• ITU-T Recommendation X.800 definition: – “The prevention of unauthorized use of a resource,

including the prevention of use of a resource in an unauthorized manner.”

• RFC 2828 defines computer security as:– “Measures that implement and assure security

services in a computer system, particularly those that assure access control service”.

Access Control Principles

Verification that the credentials of a user or an entity are valid.

Granting of a right or permission to an entity to access a system resource.

An independent review and examination of system records and activities

Access Control Policies• dictates

– what types of access are permitted, – under what circumstances, – by whom.

based on the identity of the requestor and on access rules

based on comparingsecurity labels with clearances

based on the roles and their accesses

Attribute-based access controlbased on attributes of the user, the resource to be accessed, and current environmental conditions

Access Control Requirements

• reliable input• support for fine and coarse specifications• least privilege• separation of duty• open and closed policies• policy combinations and conflict resolution• administrative policies• dual control

Access Control Basic Elementssubject entity

capable of accessing objects

•concept equates with that of process•typically held accountable for the actions they initiate

•often have three classes: owner, group, world

object resource to

which access is controlled

•entity used to contain and/or receive information

•protection depends on the environment in which access control operates

access right: the way in

which a subject may access an

object

•e.g. read, write, execute, delete, create, search

Discretionary Access Control

• scheme in which an entity may enable another entity to access some resource– often provided using an access matrix

• one dimension consists of identified subjects that may attempt data access to the resources

• the other dimension lists the objects that may be accessed

– each entry in the matrix indicates the access rights of a particular subject for a particular object

Access Matrix

Example of Access Control Structures

Authorization Table

Extended Access Control Matrix

Access Control

Function

Access Control System

Commands

Protection Domains

• set of objects together with access rights to those objects

• more flexibility when associating capabilities with protection domains

• in terms of the access matrix, a row defines a protection domain

• user can spawn processes with a subset of the access rights of the user

Protection Domains

• association between a process and a domain can be static or dynamic

• in user mode certain areas of memory are protected from use and certain instructions may not be executed

• in kernel mode privileged instructions may be executed and protected areas of memory may be accessed

UNIX File Access Control

• control structures with key information needed for a particular file

• several file names may be associated with a single inode• an active inode is associated with exactly one file• file attributes, permissions and control information are

sorted in the inode• on the disk there is an inode table, or inode list, that

contains the inodes of all the files in the file system• when a file is opened its inode is brought into main memory

and stored in a memory resident inode table

UNIX files are administered using inodes (index nodes)

• may contain files and/or other directories• contains file names plus pointers to associated inodes

directories are structured in a hierarchical tree

UNIX File Access Control• unique user identification

number (user ID)• member of a primary group

identified by a group ID– belongs to a specific group– 12 protection bits

• specify read, write, and execute permission for owner of file, members of group, and all other users

– owner ID, group ID, and protection bits are part of file’s inode

Traditional UNIX File Access Control

• “set user ID”(SetUID)

• “set group ID”(SetGID)– system temporarily uses rights of the file owner /

group in addition to the real user’s rights when making access control decisions

– enables privileged programs to access files / resources not generally accessible

Traditional UNIX File Access Control

• sticky bit – when applied to a directory it specifies that only

the owner of any file in the directory can rename, move, or delete that file

• superuser – is exempt from usual access control restrictions– has system-wide access

Access Control Lists (ACLs) in UNIX

• modern UNIX systems support ACLs– FreeBSD, OpenBSD, Linux, Solaris

• FreeBSD– Setfacl assigns a list of UNIX user IDs and groups– any number of users and groups can be associated

with a file– read, write, execute protection bits– a file does not need to have an ACL– includes an additional protection bit that indicates

whether the file has an extended ACL

Access Control Lists (ACLs) in UNIX

• when a process requests access to a file system object two steps are performed:– step 1: selects the most appropriate ACL

• owner, named users, owning / named groups, others

– step 2: checks if the matching entry contains sufficient permissions

22

Mandatory Access Control (MAC)

Unclassified

Confidential

Secret

Top Secret

can-flowdominance

Labeling Mechanism is used

Military Security

Require a strict classification of subjects and objects in security levels

Drawback of being too rigid

Applicable only to very few environments

Prevent any illegal flow of information through the enforcement of multilevel security

Adopted from : Role-Based Access Control by Prof.Ravi Sandhu

Compartments and Sensitivity Levels

Unclassified

Restricted

Confidential

Secret

Top SecretCompartment 1

Compartment 3Compartment 2

• Information access is limited by the need-to-know• Compartment: Each piece of classified information

may be associated with one or more projects called compartments

Classification & Clearance

• <rank; compartments>– class of a piece of information

• Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity

• <rank; compartments>– clearance of a subject

Dominance Relation

• We say that s dominates o (or o is dominated by s) if o <= s

For a subject s and an object o,o <= s if and only if

rank(o) <= rank(s) andcompartments(o) is subset of

compartments(s)

• A subject can read an object if the subject dominates the object.

Example

• Information classified as <secret; {Sweden}>

• Which of the following subject clearances can read the above information?– <top secret; {Sweden}>– <secret; {Sweden, crypto}>– <top secret; {crypto}>– <confidential; {Sweden}>– <secret; {France}>

Role-Based Access Control

(RBAC)

AccessControlMatrix

Role-Based Access Control

ROLES

Usrer-RoleAssignment

Permission-RoleAssignment

USERS PERMISSIONS

...Sessions

Role Hierarchies

• Users are human beings or other active agents• Business function the user perform is role• A user can be a member of many roles• Each role can have many users as members• A user can invoke multiple sessions• In each session a user can invoke any subset

of roles that the user is a member of

• A permission can be assigned to many roles

• Each role can have many permissions‐ read, write, append, execute

Health-Care Provider

Physician

Primary-CarePhysician

SpecialistPhysician

Adopted from : Role-Based Access Control by Prof.Ravi Sandhu

Role-Based Access Control

Scope RBAC Models

Example of Role Hierarchy

Constraints - RBAC

• provide a means of adapting RBAC to the specifics of administrative and security policies of an organization

• a defined relationship among roles or a condition related to roles

mutually exclusive roles

• a user can only be assigned to one role in the set (during a session or statically)

• any permission can be granted to only one role in the set

cardinality

• setting a maximum number with respect to roles

prerequisite roles

• dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role

RBAC System

administrative functions

• provide the capability to create, delete, and maintain RBAC elements and relations

supporting system

functions

• provide functions for session management and for making access control decisions

review functions

• provide the capability to perform query operations on RBAC elements and relations

NIST RBAC Basic Definitions

• object– any system resource subject to access control,

such as a file, printer, terminal, database record• operation

– an executable image of a program, which upon invocation executes some function for the user

• permission– an approval to perform an operation on one or

more RBAC protected objects

NIST RBAC Model

Core RBACadministrative

functions• add and delete

users from the set of users

• add and delete roles from the set of roles

• create and delete instances of user-to-role assignment

• create and delete instances of permission-to-role assignment

supporting system functions• create a user

session with a default set of active roles

• add an active role to a session

• delete a role from a session

• check if the session subject has permission to perform a request operation on an object

review functions

• enable an administrator to view but not modify all the elements of the model and their relations

Hierarchical RBAC

general role hierarchies

allow an arbitrary partial ordering of the role hierarchy

supports multiple inheritance, in which a role may inherit permissions from multiple

subordinate roles and more than one role can inherit from

the same subordinate role

limited role hierarchies

impose restrictions resulting in a simpler tree structure

role may have one or more immediate ascendants

but is restricted to a single immediate descendant

Static Separation of Duty• enables the definition of a set of mutually exclusive

roles, – if a user is assigned to one role in the set, the user may not be

assigned to any other role in the set

• can place a cardinality constraint on a set of roles– defined as a pair (role set, n) where no user is assigned to n or

more roles from the role set

• includes administrative functions for creating and deleting role sets and adding and deleting role members

• includes review functions for viewing the properties of existing SSD sets

Dynamic Separation of Duty• limit the permissions available to a user

– places constraints on the roles that can be activated within or across a user’s sessions

• define constraints as a pair (role set, n) with the property that no user session may activate n or more roles from the role set– where n is a natural number n ≤ 2

• enables the administrator to specify certain capabilities for a user at different, time spans

• includes administrative and review functions for defining and viewing DSD relations

41

Task Based Access Control

P – PermissionS – SubjectO – ObjectA – ActionsU – Usage and Validity CountsAS – Authorization step

• Active Security Model• Dynamic authorization gives flexibility• No Roles Involved• Constraints for this model is still under

study

• For each authorization step consumes permission, usage count is incremented

• Usage Count reaches its limit, the associated permission is deactivated

Adopted from Source: Task based authorization controls by R.S.Sandhu and R.K.Thomas

Classical subject-object access control P S x O x A

TBAC view of access control P S x O x A x U x AS

TBAC extensions

42

Constraints

Users are not given more permission than is necessary to perform their duties

Constraints

User Instance

Tasks Permissions

Task constraints – Least Privilege

Achieved through task instances

Alice Check Patient Josh

Access Permissions starts when the instance is initiated

Access Permissions end when the instance is completed or revoked

Fine Grained Access Control

Initiated

Active

Completed Revoked

status

43

WorkflowUsers

Alice

Bob

Tasks

Check Patient

Do Physical Exam

Non-Workflow

Workflow

Start

Do Physical Exam (T1)

Check Patient (T2)

Perform Lab Test (T3)

View Lab Results (T4)

Write Prescription (T5)

Refer another specialist (T6)

End

Out Patient Workflow

Non-WorkflowView Current Patient List

44

Passive and Active Access Control

Start

Do Physical Exam (T1)

Check Patient (T2)

Perform Lab Test (T3)

View Lab Results (T4)

Write Prescription (T5)

Refer another specialist (T6)

End

Workflow

Physician Write Prescription

View Current Patient List

File 2

File 1Read

Write

Passive Access

Active Access

45

Spatial and Temporal Constraints

• Accessed from anywhere and at anytime– User’s location and time is taken into

consideration for granting access to a task

Family Practice

Physician

Nurse

Location Constraint

(Reno Office)

Time Constraint

(8 - 5)

Tasks

46

Static and Dynamic Separation of Duty

No single individual can execute all tasks within the workflowDo Physical Exam (T1)

Check Patient (T2)

Perform Lab Test (T3)

View Lab Results (T4)

Write Prescription (T5) End

Start

Alice Check Patient JoshTask Instance 1

Protects against fraudulent activities of users

Static SOD - Defining the tasks in workflow or non workflow govern the administration or design-time associations between users and permissions.Dynamic SOD - permissions or task instances are granted at run-time.

Nurse Physician Technician Physician

47

Delegation of TasksInitially assigned user is not available to complete the task

Supervisor can delegate task to another junior user in the same hierarchy

Access rights revoked once the task is completed

Alice Check Patient JoshTask Instance

Physician (Alice)

Physician (Bob)

Senior Physician

(Jan)

Bob Check Patient JoshTask Instance

Jan can delegate task to Bob

48

Classification of TasksNon-Inheritable Inheritable

Passive Access Control Private Supervision

Active Access control Workflow Approval

Class Private

Class Supervision

Start

Do Physical Exam (T1)

Check Patient (T2)

Perform Lab Test (T3)

View Lab Results (T4)

Write Prescription (T5)

Refer another specialist (T6)

End

View Current Patient List

Family Practice

Physician (Alice)

Senior Physician

(Jan)

Workflow

Diagnosis Details

Non-Inheritable InheritablePassive Access Control Private SupervisionActive Access control Workflow Approval

Class WorkflowClass Approval

Classification of Tasks

Start

Do Physical Exam (T1)

Check Patient (T2)

Perform Lab Test (T3)

View Lab Results (T4)

Write Prescription (T5)

Refer another specialist (T6)

End

Workflow

Check Patient

Family Practice

Physician (Alice)

Senior Physician

(Jan)

Physician (Alice)

Physician (Bob)

Senior Physician

(Jan) Same Hierarchy

Attribute Based Access Control

Subject attributes

• A subject is an active entity that causes information to flow among objects or changes the system state

• Attributes define the identity and characteristics of the subject

Object attributes

• An object (or resource) is a passive information system-related entity containing or receiving information

• Objects have attributes that can be leverages to make access control decisions

Environment attributes

• Describe the operational, technical, and even situational environment or context in which the information access occurs

• These attributes have so far been largely ignored in most access control policies

ABACDistinguishable because it

controls access to objects by evaluating rules against the

attributes of entities, operations, and the

environment relevant to a request

Relies upon the evaluation of attributes of the subject,

attributes of the object, and a formal relationship or

access control rule defining the allowable operations for

subject-object attribute combinations in a given

environment

Systems are capable of enforcing DAC, RBAC, and

MAC concepts

Allows an unlimited number of attributes to be combined to satisfy any access control

rule

ABAC Scenario

ACL Trust Chain (NIST)

ABAC Trust Chain (NIST)

ABAC Policies• A policy is a set of rules and relationships that govern

allowable behavior within an organization, – based on the privileges of subjects and how resources or

objects are to be protected under which environment conditions

– Typically written from the perspective of the object that needs protecting and the privileges available to subjects

• Privileges represent the authorized behavior of a subject and are defined by an authority and embodied in a policy– rights, authorizations, and entitlements

Identity, Credential, and Access Management

• A comprehensive approach to manage and implement digital identities, credentials, and access control– Developed by the U.S. government

• Designed to:– Create trusted digital identity representations of individuals

and nonperson entities (NPEs)– Bind those identities to credentials that may serve as a proxy

for the individual of NPE in access transactions• A credential is an object or data structure that authoritatively binds

an identity to a token possessed and controlled by a subscriber

– Use the credentials to provide authorized access to an agency’s resources

Identity Management• Concerned with assigning attributes to a digital identity and

connecting that digital identity to an individual or NPE– Goal is to establish a trustworthy digital identity that is independent of a

specific application or context

• Most common approach to access control for applications and programs is to create a digital representation of an identity for the specific use of the application or program– Maintenance and protection of the identity itself is treated as secondary to

the mission associated with the application– Final element is lifecycle management which includes:

• Mechanisms, policies, and procedures for protecting personal identity info• Controlling access to identity data• Techniques for sharing authoritative identity data with applications that need it• Revocation of an enterprise identity

Credential Management• The management of the life cycle of the credential

– E.g. smart cards, private/public cryptographic keys, digital certificates• Encompasses five logical components:

– An authorized individual sponsors an individual or entity for a credential to establish the need for the credential

– The sponsored individual enrolls for the credential• Process typically consists of identity proofing and the capture of biographic and

biometric data• This step may also involve incorporating authoritative attribute data, maintained by

the identity management component– A credential is produced

• Depending on the credential type, production may involve encryption, the use of a digital signature, the production of a smart card or other functions

– The credential is issued to the individual or NPE– A credential must be maintained over its life cycle

• Might include revocation, reissuance/replacement, reenrollment, expiration, personal identification number (PIN) reset, suspension, or reinstatement

Access Management• Deals with the management and control of the ways

entities are granted access to resources

• Covers both logical and physical access

• May be internal to a system or an external element

• Purpose is to ensure that the proper identity verification is made when an individual attempts to access a security sensitive building, computer systems, or data

Support elements for an enterprise-wide access control

• Concerned with defining rules for a resource that requires access control• Rules would include credential requirements and what user attributes, resource

attributes, and environmental conditions are required for access of a given resource for a given function

Resource management

• Concerned with establishing and maintaining the entitlement or privilege attributes that comprise an individual’s access profile

• These attributes represent features of an individual that can be used as the basis for determining access decisions to both physical and logical resources

• Privileges are considered attributes that can be linked to a digital identity

Privilege management

• Governs what is allowable and unallowable in an access transaction

Policy management

Identity Federation• Term used to describe the technology, standards,

policies, and processes that allow an organization to trust digital identities, identity attributes, and credentials created and issued by another organization

• Addresses two questions:– How do you trust identities of individuals from external

organizations who need access to your systems– How do you vouch for identities of individuals in your

organization when they need to collaborate with external organizations

Open Identity Trust FrameworkOpenID•An open standard that allows users to be authenticated by certain cooperating sites using a third party service

OIDF•OpenID Foundation is an international nonprofit organization of individuals and companies committed to enabling, promoting, and protecting OpenID technologies

ICF•Information Card Foundation is a nonprofit community of companies and individuals working together to evolve the Information Card ecosystem

OITF•Open Identity Trust Framework is a standardized, open specification of a trust framework for identity and attribute exchange, developed jointly by OIDF and ICF

OIX•Open Identity Exchange Corporation is an independent, neutral, international provider of certification trust frameworks conforming to the OITF model

AXN•Attribute Exchange Network is an online Internet-scale gateway for identity service providers and relying parties to efficiently access user asserted, permissioned, and verified online identity attributes in high volumes at affordable costs

Summary• access control

– prevent unauthorized users from gaining access to resources– prevent legitimate users from accessing resources in an unauthorized manner– enable legitimate users to access resources – subjects, objects, access rights– authentication, authorization, audit

• discretionary access controls (DAC)– controls access based on identity

• mandatory access control (MAC)– controls access based on security labels

• role-based access control (RBAC)– controls access based on roles

• task-based access control (TBAC)– controls based on task at hand

• attribute-based access control (ABEC)– Controls based on attributes