Access Control - Discretionary Access Control - PDF

Access Control Discretionary Access Control Prof.dr. Ferucio Laurenţiu Ţiplea Fall 2023 Department of Computer Science “Alexandru Ioan Cuza” University of Iaşi Iaşi 700506, Romania e-mail: [email protected] Outline Introduction to DAC The access control matrix model The model The safety problem Implementation Other related DAC models A major weakness of DAC models Concluding remarks on DAC models Introduction to DAC Discretionary Access Control Basic features : DAC models enforce access control based on the identity of requesters; DAC models are called “discretionary” as users can be given the ability of passing on their privileges to other users; DAC mechanisms usually include a concept of object ownership; DAC models are state-transition systems: A state specifies the rights that subjects have over objects at a given time; A transition shows how the state changes when a command involving subjects, objects, or rights is executed. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 2 / 39 The access control matrix model The access control matrix model The most general DAC model is the access control matrix (ACM) model, also called the access matrix model or the HRU model, introduced by Harrison et al. (1976). Basic features : It is a state-transition system; States are matrices where each row corresponds to a subject, each column corresponds to an object, and a cell specifies the rights a subject has over an object; Transitions between states are performed by commands; Subjects are objects too. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 3 / 39 States In what follows, R denotes a non-empty finite set of rights. Definition 1 A state over R is a triple Q = (S, O, A), where S and O are non-empty finite sets of subjects and objects, respectively, and A is an | S | × | O |-matrix whose elements are subsets of R. Example 2 Let S = {process1 , process2 }, O = S ∪ {file}, and A given by: process1 process2 file ! process1 r r, w process2 r, x r The triple (S, O, A) is a state over R = {r , w , x}. A(process1 , file) lists the rights process1 has over file, namely r and w. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 4 / 39 States For more readability, one may represent states by directed graphs. This representation is specific to the Take-Grant model (Lipton and Snyder (1977)), a sub-model of the ACM model. Example 3 mount root r, w x t user file1 r, w r, w file2 device Dark vertices stand for subjects and open vertices stand for objects. A labeled arc from x to y specifies the rights x has over y. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 5 / 39 Primitive operations Changing rights in the system is based on precisely defined rules, formally specified by commands that are made up of primitive operations. Let Vs and Vo be sets of subject-type and object-type variables, resp. Definition 4 A primitive operation over R is a construct of the one of the following types (r ∈ R, Xs ∈ Vs , and Xo ∈ Vo ): 1. enter r into (Xs , Xo ) 2. delete r from (Xs , Xo ) 3. create subject Xs 4. create object Xo 5. destroy subject Xs 6. destroy object Xo Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 6 / 39 Commands Definition 5 A command over R is a construct of the form: command α(X1 ,... , Xk ) if r1 in (Xs1 , Xo1 ) and command α(X1 ,... , Xk ) ··· op1 ,... , opn rm in (Xsm , Xom ) end then op1 ,... , opn end where m, n ≥ 1, {X1 ,... , Xk } ⊆ Vs ∪ Vo , Xsi ∈ Vs ∩ {X1 ,... , Xk }, Xoi ∈ Vo ∩ {X1 ,... , Xk }, ri ∈ R, and op1 ,... , opn are operations over R with variables in {X1 ,... , Xk }. Commands do not check the lack of rights but only their existence! Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 7 / 39 Examples of commands Example 6 (Harrison et al. (1976)) command CREATE (process, file) create object file enter own into (process, file) end Example 7 (Harrison et al. (1976)) command CONFER READ(owner , friend, file) if own in (owner , file) then enter r into (friend, file) end Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 8 / 39 Examples of commands Example 8 (Harrison et al. (1976)) command REMOVE READ(owner , exfriend, file) if own in (owner , file) and r in (exfriend, file) then delete r from (exfriend, file) end Example 9 (Samarati and de Capitani di Vimercati (2001)) command TRANSFER READ(subj, friend, file) if r in (subj, file) then enter r into (friend, file) end Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 9 / 39 Substitution To execute a command, its formal parameters must be replaced with actual parameters. This is done by substitutions that assign values to variables according to their types: subjects to subject-type variables, and objects to object-type variables. Substitutions can homomorphically be applied to primitive operations and commands. Example 10 If σ(X ) = Alice ∈ S and σ(X ′ ) = file ∈ O, then σ(enter r into (X , X ′ )) = enter r into (Alice, file) Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 10 / 39 Transition relation Given an operation op and a substitution σ, define the binary relation ⇒σ(op) on states by (S, O, A) ⇒σ(op) (S ′ , O ′ , A′ ) if and only if one of the following properties holds: σ(X ) = s, σ(Y ) = o o o enter r into (X , Y ) s R ′ s R′, r delete r from (X , Y ) Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 11 / 39 Transition relation σ(X ) = s ′ new subject s′ create subject X matrix A matrix A destroy subject X σ(X ) = s ′ existing subject s′ σ(X ) = o ′ new pure object o′ create object X matrix A matrix A destroy object X σ(X ) = o ′ existing pure object Then, (S, O, A) ⇒op (S ′ , O ′ , A′ ) ⇔ ∃σ : (S, O, A) ⇒σ(op) (S ′ , O ′ , A′ ) Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 12 / 39 Transition relation Given a command α and a substitution σ, define the binary relation ⇒σ(α) on states by (S, O, A) ⇒σ(α) (S ′ , O ′ , A′ ) iff: 1. if the test of σ(α) is not satisfied at (S, O, A), then (S ′ , O ′ , A′ ) = (S, O, A); 2. if the test of σ(α) is satisfied at (S, O, A), then there exist Q0 , Q1 ,... , Qn such that (S, O, A) = Q0 ⇒σ(op1 ) Q1 ⇒σ(op2 ) · · · ⇒σ(opn ) Qn = (S ′ , O ′ , A′ ) where op1 ,... , opn is the body of α. Define then: (S, O, A) ⇒α (S ′ , O ′ , A′ ) ⇔ ∃σ : (S, O, A) ⇒σ(α) (S ′ , O ′ , A′ ) (S, O, A) ⇒ (S ′ , O ′ , A′ ) ⇔ ∃α : (S, O, A) ⇒α (S ′ , O ′ , A′ ) Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 13 / 39 Transition relation Example 11 (Transition by CONFER READ) Alice Bob file1 file2 ! Alice own, r , w r, w Bob r CONFER READ(Alice, Bob, file1 ) Alice Bob file1 file2 ! Alice own, r , w r, w Bob r r Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 14 / 39 The need for safety In the example below, Alice only has the right to read file1 , and Bob only file2. file1 r Program Rights: (Alice,r) Alice w file2 r Program Rights: (Bob,r) Bob If at a time, Alice gets the right of writing in file2 , it can write file1 in file2 , thus giving Bob’s ability to read, indirectly, file1. Can we decide this? Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 15 / 39 Safety Definition 12 A protection system over R is a finite set C of commands over R. A protection system specifies the rules governing the rights granting in a system. Despite the name, it does not mean that it provides protection. About this, we have to talk further. Definition 13 Let C be a protection system over R, Q a state of C, r ∈ R, and α ∈ C. We say that α leaks r from Q if there exists a substitution σ such that: 1. the test of σ(α) is satisfied at Q; 2. there exist Q0 , Q1 ,... , Qi such that: Q0 = (S0 , O0 , A0 ) ⇒σ(op1 ) · · · ⇒σ(opi ) Qi = (Si , Oi , Ai ); r ∈ Ai (s, o) − Ai−1 (s, o) for some s and o, where op1 ,... , opi ,... , opn is the body of α and 1 ≤ i ≤ n. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 16 / 39 Safety Definition 14 Let C be a protection system over R, Q a state of C, and r ∈ R. We say that C leaks r from Q if there exists a command of C that leaks r from Q. Definition 15 Let C be a protection system over R, Q a state of C, and r ∈ R. We say that Q is unsafe for r if there exists a reachable state Q ′ from Q such that C leaks r from Q ′. We say that Q is safe for r if it is not unsafe for r. Remark 16 Leaks are not necessarily bad! Any interesting protection system has commands that leak some rights. However, these leaks should not occur at unauthorized states. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 17 / 39 Undecidability of safety The discussion so far shows us that it is imperative to be able to decide whether a protection system is safe or not for its rights. Safety problem for protection systems Instance: Protection system C over some set R of rights, state Q of C, and r ∈ R Question: Is Q safe for r ? Theorem 17 (Harrison et al. (1976)) The safety problem for bi-conditional (i.e., at most two conditions) monotonic (i.e., without delete and destroy operations) protection systems is undecidable. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 18 / 39 Deciding safety Even when decidable, the safety problem for practical protection systems is very complex. Theorem 18 (Harrison et al. (1976)) 1. The safety problem for mono-operational (i.e., each command has exactly one operation) protection systems is NP-complete. 2. The safety problem for state-bounded (i.e., without create operations) protection systems is PSPACE-complete. 3. The safety problem for mono-conditional protection systems without destroy-operations is decidable. Most practical systems require multi-conditional commands! Open Problem: safety for mono-conditional protection system. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 19 / 39 Implementation ACM implementations do not scale well: a bank with 50,000 staff and 300 applications would have an ACM of 15 million entries! We need compact ways of storing and managing ACMs. There are three approaches to implementing the ACM in a practical way: 1. Authorization tables – similar to relational tables in the database management; 2. Access control lists (ACL) – these are columns of the ACM; 3. Capability lists – these are rows of the ACM. Moreover, we can use groups of subjects to manage their privileges simultaneously (e.g., Employees, Programmers, etc.). Groups need not be disjoint and a single authorization granted to a group can be enjoyed by all its members. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 20 / 39 Authorization tables An authorization table has three columns corresponding to subjects, privileges, and objects. Somehow, it unfolds the non-empty access control matrix cells. Subject Access Object process1 r process2 process1 r file process1 w file process2 r file The authorization table approach is generally used in database management systems, where authorizations are stored as catalogs (relational tables) of the database. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 21 / 39 Access control lists An access control list (ACL) is a column of the ACM (therefore, associated to an object - the ACL associated to o is denoted ACLo , and it is stored along with o). Advantages and disadvantages of ACLs: Simple to implement; Suited to environments where users manage their own file security; Less suited where the user population is large and constantly changing; Less suited where users want to be able to delegate their authority to run a particular program to another user for some set period of time; Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 22 / 39 Access control lists Advantages and disadvantages of ACLs (continued): Security checking at runtime is difficult (usually, the operating system knows which user is running a particular program, rather than which files it has been authorized to access); Tedious to find all the files to which a user has access; Tedious to run system wide checks, such as verifying that no files have been left world-writable by users whose access was revoked. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 23 / 39 Access control lists in Unix Every file or folder has associated access permissions. There are three types of permissions: read access write access execute access Permissions are defined for three types of users: the owner of the file the group that the owner belongs to anyone else (world) Each permission type has exactly two values, allowed or denied, specified by a bit. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 24 / 39 Access control lists in Unix Example 19 ACL for a file: - r w - r - - - - - Alice Accounts The first bit specifies that the ACL is for a file, the next three bits give the access rights for the owner, the next three bits for the group, and the last three bits for anyone else. It follows then the owner name and the group name. Example 20 ACL for a folder: d r w x r w x r w x Alice Accounts The first bit specifies that the ACL is for a folder (directory); the next bits have the same meaning as above. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 25 / 39 Access control lists in Unix Unix / Linux offers special tools (such as programs) which enable unprivileged users to be able to accomplish tasks that require privileges (for instance, to run passwd programs): suid (set user id) the owner of the program mark the program as suid (the bit x in owner ACL is set to s meaning both x and suid, or to S meaning only suid); then, the program is placed in some folder where some user Bob has access; Bob can run the program with the privilege of its owner; sgid (set group id) – things are similar, but the bit s occurs in the group area of bits. This method may lead to serious security breaches! Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 26 / 39 Access control lists in Windows Permissions may be granted to users and groups (other than the resource’s owner), with three values each: denied, allowed, and audit; Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects; The permissions attached to an object depend on the type of object; Six types of permissions in Windows NT: read, write, execute, delete, change permissions (i.e., modify the ACL), take ownership (make current account the new owner); Types of permissions in Windows 10: read, modify, change owner, delete, full control, read & execute, write, list folder contents. ACLs are lists of entries of the form · · · (user/group,permissions) · · · For more details please see Microsoft (2021) docs. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 27 / 39 Capability lists An capability list (C -list) is a row of the ACM (therefore, associated to a subject - the C -list associated to s is denoted Cs , and it is stored along with s). In practice, it is more convenient to store a C -list Cs as a list of pairs (o, r ), where o is an object and r is a right (permission). Such a pair will be called a capability; then, Cs becomes a list of capabilities. Each capability acts like a ticket for s to access o with permission r. Therefore, capabilities are authentication tags. This technique is used in EROS (Extremely Reliable Operating System), Hydra operating system (CMU), IBM System/38 and AS/400, Amoeba distributed operating system etc. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 28 / 39 Capability lists Problems with capabilities : How to represent object o in capability (o, r )? The use of o’s address might not be a good idea if the address changes. A solution would be to use random bit strings, hash tables, and translation techniques (naming schemes); How to make capabilities unforgeable? There are a number of possibilities: Hardware tags: 1-bit tag associated to the capability, showing that the capability can/cannot be changed or copied; Protected address space: store capabilities in parts of memory that are not accessible to programs; Language-based security: use of a programming language to enforce restrictions on access and modification to capabilities; Cryptography: use encryption. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 29 / 39 ACLs vs capabilities ACLs Capabilities require subject auth and require integrity and Authentication ACL integrity propagation control Access review suited on object-basis suited on subject-basis Revocation suited on object-basis suited on subject-basis provide for finer-grained, Least privilege especially dynamic control w.r.t. – short-lived subjects created subjects for specific tasks ACLs are preferred to capabilities: most systems use ACLs. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 30 / 39 Other related DAC models The take-grant model It was proposed by Lipton and Snyder (1977). Basic features: It is a state-transition system; Subjects are not objects; States are directed graphs whose nodes are subjects and objects, and whose arcs are labeled by sets of rights; There are two special rights: take (t) and grant (g ): if x has the right t for y , then x can “borrow” from y all his rights; if x has the right g for y , then x can “lend” to y all his rights; In this model, safety can be checked in polynomial time in the size of the initial graph (state); Main drawback: the model is a too little expressive , although one can use it to check certain security properties in computer networks (Shahriari and Jalili (2007)). Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 31 / 39 The Schematic Model It was proposed by Sandhu (1988) to fill the gap between the richness in expressive power of the HRU model and its intractability w.r.t. the safety question as compared with the limited applicability of the take-grant model but efficient decidability of safety. The schematic model subsumes several well-known protection models in terms of expressive power and safety analysis (Sandhu (1992)). The model is of more theoretical than practical interest. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 32 / 39 Adding new features to the DAC model Positive and negative permissions – their combination is a convenient way to express exceptions: a positive right to a group (shared thus by all its members) and a negative right to a member of the group would exclude that member from getting access. Example of use: Windows; Weak and strong permissions – weak permissions override each other, while strong permissions override weak permissions (no matter their specificity) and cannot be overridden; Implicit and explicit permissions – implicit permissions can be derived in the system; Context-based permissions; Content-dependent permissions. For more details please see Samarati and de Capitani di Vimercati (2001). Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 33 / 39 A major weakness of DAC models We may trust users... We assume that Alice and Bob are trustworthy, and even if Alice has the right to write in file2 , she will not write file1 in file2 to allow Bob to read file1. file1 r Program Rights: (Alice,r) Alice w file2 r Program Rights: (Alice,w), (Bob,r) Bob Assuming the users obey the access restrictions, the subjects operating on their behalf do the same? Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 34 / 39... but not subjects! A Trojan horse is a rogue software that may perform illegitimate actions unknown to the caller, exploiting access privileges of the caller. file1 Program r Rights: (Alice,r) Trojan horse Alice w file2 r Program Rights: (Alice,w), (Bob,r) Bob The Trojan horse takes Alice’s privileges, reads file1 , and copies it in file2 , allowing Bob to read it! Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 35 / 39 Concluding remarks on DAC models Concluding Remarks DAC policies enforce access control on the basis of the identity of the requester and explicit access rules; DAC policies ignore the distinction between users and subjects and evaluate all requests submitted by a process (subject) running on behalf of some user against the authorizations of the user; DAC policies do not offer protection against processes that execute malicious programs (such as Trojan Horses) exploiting the privileges of the user on behalf of whom they are executing; DAC policies do not enforce any control on the flow of information once this information is acquired by a process. Two things that emerge from our discussion: the need for separating users from subjects and controlling the flow of information! Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 36 / 39 Readings In addition to the materials indicated so far, I additionally recommend: Chapter 6 of Conrad et al. (2016); Chapters 3 and 4 of Andress (2014); Chapter 11 of Collins (2014); Chapter 23 of Bertino (2012); Samarati and de Capitani di Vimercati (2001). Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 37 / 39 References References Andress, J. (2014). The Basics of Information Security. Understanding the Fundamentals of Infosec in Theory and Practice. Syngress, Elsevier, Boston, 2nd edition. Bertino, E. (2012). Chapter 23 - Policies, access control, and formal methods. In Das, S. K., Kant, K., and Zhang, N., editors, Handbook on Securing Cyber-Physical Critical Infrastructure, pages 573–594. Morgan Kaufmann, Boston. Collins, L. (2014). Chapter 11 - Access controls. In Vacca, J. R., editor, Cyber Security and IT Infrastructure Protection, pages 269–280. Syngress, Boston. Conrad, E., Misenar, S., and Feldman, J. (2016). CISSP Study Guide. Singress, Elsevier, 3rd edition. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1976). Protection in operating systems. Commun. ACM, 19(8):461–471. Lipton, R. J. and Snyder, L. (1977). A linear time algorithm for deciding subject security. J. ACM, 24(3):455–464. Microsoft (2021). Windows security. Technical report, Microsoft. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 38 / 39 References (cont.) Samarati, P. and de Capitani di Vimercati, S. (2001). Access control: Policies, models, and mechanisms. In Focardi, R. and Gorrieri, R., editors, Foundations of Security Analysis and Design, pages 137–196, Berlin, Heidelberg. Springer Berlin Heidelberg. Sandhu, R. S. (1988). The schematic protection model: Its definition and analysis for acyclic attenuating schemes. J. ACM, 35(2):404–432. Sandhu, R. S. (1992). Expressive power of the schematic protection model. J. Comput. Secur., 1(1):59–98. Shahriari, H. R. and Jalili, R. (2007). Vulnerability Take Grant (VTG): An efficient approach to analyze network vulnerabilities. Computers & Security, 26:349–360. Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Access ControlDAC Fall 2022 39 / 39

Access Control - Discretionary Access Control - PDF

Document Details

Tags

Related

Summary

Full Transcript