Security – User Access Controls

Access Control

  • Provides the essential services of authorization, identification and authentication, access approval, and accountability
    • authorization specifies what a subject can do
    • identification and authentication ensure that only legitimate subjects can log on to a system
    • access approval grants access during operations, by association of users with the resources that they are allowed to access, based on the authorization policy
    • accountability identifies what a subject (or all subjects associated with a user) did 
  • A reference monitor mediates all access to resources

 

Reference Monitor

  • Three required properties for reference monitors in “trusted systems”
    • Tamper-proof
    • non-bypassable (complete mediation)
    • small enough to be analyzable
  • Multics is a classic system using this model 

 

Mandatory Access Control (MAC)

  • Means of assigning access rights based on regulations by a central authority
  • Rules are enforced on every attempted access, not at the discretion of any system user
  • Authorized processes CANNOT pass along their capabilities to other processes
  • Ex. Bell-LaPadula Model 

 

Bell-LaPadula Model

  • MAC system
  • When is it OK to release information?
    • Government / Military applications – security clearances
  • Simple Security Property – subject at a given security level may not read an object at a higher security level
  • *-Property – subject at a given security level may not write to any object at a lower security level
  • “read down, write up” 
    • A Secret-level subject can create a Top Secret (TS) object but cannot create an Open one, in case something leaked

 

Biba Integrity Model

  • Rules that preserve integrity of information
  • Simple Integrity Property – subject at a given level of integrity must not read data at a lower integrity level
  • *-Integrity Property – subject at a given level of integrity must not write to data at a higher level of integrity
  • “read up, write down” 
    • A priest (high integrity) writes down but should not need to read from a lower integrity level

 

Problems?

  • Bell-LaPadula – Confidentiality
    • Read down, write up
  • Biba – Integrity
    • Read up, write down
  • Want both confidentiality and integrity
    • May use Bell-LaPadula for some classification of personnel and data, Biba for another
    • Otherwise, the only way to satisfy both models is to allow reads and writes only at the same classification
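A toy reference monitor, added here as an example (not from the slides), that applies the Bell-LaPadula rules, the Biba rules, or both to the same label. It shows the "read down, write up" and "read up, write down" decisions and why enforcing both models on one set of levels only permits access at the subject's own level. The level names are constructed for the example.

```python
# Added example (not from the slides): a toy reference monitor that applies the
# Bell-LaPadula rules, the Biba rules, or both, to show why enforcing both at
# once on a single label collapses to "read and write only at your own level".
from itertools import product

# Linear ordering of levels; a higher index means more sensitive (BLP) or more
# trustworthy (Biba). Level names are constructed for this example.
LEVELS = ["Open", "Confidential", "Secret", "TopSecret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = RANK[subject], RANK[obj]
    if op == "read":
        return s >= o          # simple security property: read at or below
    if op == "write":
        return s <= o          # *-property: write at or above
    raise ValueError(op)


def biba_allows(subject, obj, op):
    """Biba (integrity): no read down, no write up."""
    s, o = RANK[subject], RANK[obj]
    if op == "read":
        return s <= o          # simple integrity property: read at or above
    if op == "write":
        return s >= o          # *-integrity property: write at or below
    raise ValueError(op)


def both_allow(subject, obj, op):
    """Same label used for confidentiality and integrity: both models must agree."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def permitted_pairs(policy, op):
    """Every (subject level, object level) pair the policy lets perform op."""
    return {(s, o) for s, o in product(LEVELS, LEVELS) if policy(s, o, op)}


if __name__ == "__main__":
    # "Secret can create TS but cannot create Open" under BLP:
    print(blp_allows("Secret", "TopSecret", "write"), blp_allows("Secret", "Open", "write"))
    # Under both models at once only same-level access survives:
    for op in ("read", "write"):
        print(op, sorted(permitted_pairs(both_allow, op)))
```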

 

Discretionary Access Control (DAC)

  • Means of assigning access rights based on rules specified by users
  • Rule enforcement may be waived or modified by some users
  • Authorized processes can pass along their capabilities to other processes
  • Ex. Unix file mode, which represents read, write, and execute in each of the 3 bits for each of User, Group, and Others

 

Access Control Matrix

  • Introduce rules that control what accesses (i.e., actions) subjects may take with respect to objects 

Implementation Concepts

  • Access control list (ACL)
    • Store column of matrix with the resource  
  • Capabilities
    • User holds a “ticket” for each resource
    • Two variations
      • Store row of matrix with user
      • Unforgeable ticket in user space
    • Ex: Kerberos

 

Access Control List

  • File 1 – User 1:rwx, User 4:rw  
  • File 2 – User 1:r, User 2:w, User 3:rw, User 4:x  
  • File 3 – User 2:rw, User 3:rwx, User 4:rwx  
  • File 4 – User 1:w, User 2:r, User 3:rw

 

Capabilities List

  • User 1 – File 1:rwx, File 2:r, File 4:w  
  • User 2 – File 2:w, File 3:rw, File 4:r  
  • User 3 – File 2:rw, File 3:rwx, File 4:rw  
  • User 4 – File 1:rw, File 2:x, File 3:rwx

 

ACL vs Capabilities

  • Access control list (user centric – a guard at the gate looks up the user on the list)
    • Associate list with each object
    • Check user/group against list
    • Relies on authentication: need to know user   
  • Capabilities (process focused – user has a ticket indicating what they can do)
    • Capability is unforgeable ticket
      • Random bit sequence, or managed by OS
      • Can be passed from one process to another
    • Reference monitor checks ticket
      • Does not need to know identity of user/process
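The access control matrix from the ACL and Capabilities List slides, added here as an example (not from the slides), stored column-wise with each file (ACL) and row-wise with each user (capability list). The two check functions show the difference the slide draws: the ACL check needs the authenticated user name, while the capability check only inspects the presented ticket. Both views derive from one matrix, so the final function verifies they agree on every decision.

```python
# Added example (not from the slides): the 4-user x 4-file matrix from the
# ACL and Capabilities List slides, stored column-wise (ACL, kept with each
# file) and row-wise (capability list, kept with each user), with the
# corresponding access checks. Both views are derived from one matrix, so
# they must agree for every (user, file, right) triple.
MATRIX = {  # rows = subjects, columns = objects, cells = rights
    "User 1": {"File 1": "rwx", "File 2": "r", "File 4": "w"},
    "User 2": {"File 2": "w", "File 3": "rw", "File 4": "r"},
    "User 3": {"File 2": "rw", "File 3": "rwx", "File 4": "rw"},
    "User 4": {"File 1": "rw", "File 2": "x", "File 3": "rwx"},
}


def to_acls(matrix):
    """Column view: for each object, which subjects hold which rights."""
    acls = {}
    for user, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[user] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row view: for each subject, the tickets (object -> rights) it holds."""
    return {user: {obj: set(rights) for obj, rights in row.items()}
            for user, row in matrix.items()}


def acl_check(acls, user, obj, right):
    """Guard at the gate: needs the authenticated user, looks them up on the object's list."""
    return right in acls.get(obj, {}).get(user, set())


def cap_check(ticket, obj, right):
    """Reference monitor checks the presented ticket; it never learns who holds it."""
    ticket_obj, rights = ticket      # a ticket is a plain value, so it can be handed on
    return ticket_obj == obj and right in rights


def views_agree(matrix):
    """Every (user, object, right) decision is identical under both representations."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    for user in matrix:
        for obj in acls:
            for right in "rwx":
                ticket = (obj, caps[user].get(obj, set()))
                if acl_check(acls, user, obj, right) != cap_check(ticket, obj, right):
                    return False
    return True
```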

 

Confused Deputy Problem

  • Process or program is tricked into performing an operation on an adversary’s behalf that the adversary could not perform on their own
    • Ex. write to (read from) a privileged file
    • Ex. A developer uses a compiler and tells it where to create its output file; the file can be created in system folders, overwriting system files or files owned by other users. The compiler has elevated privileges, and the developer can exploit it.
  • Type of privilege escalation
  • One solution is to bundle together the designation of an object and the permission to access that object
    • This is exactly a capability
    • When a user wants to run a program, the user must pass along their capability to the program
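The compiler scenario from this slide as an added example (not from the slides): a toy deputy that writes an output file on a caller's behalf. Given a bare path name it writes with its own authority (the confused deputy); given a capability that bundles the file designation with the write permission, and which user space cannot forge, it can only act with the authority the caller passed in. The HMAC-tagged ticket, the mint key, the dictionary standing in for the file system, and the paths are all constructed for the example.

```python
# Added example (not from the slides): a toy "compiler" deputy. compile_to_path
# shows the confused deputy (it writes wherever it is told, using its own
# privilege); compile_to requires an unforgeable capability that bundles the
# designation of the file with permission to write it, as the slide suggests.
import hashlib
import hmac
import json

# Secret held by the reference monitor / OS that mints tickets. Constructed.
MINT_KEY = b"example-mint-key-not-for-production"


def mint(path, rights):
    """Issue a capability: (designation, rights) plus a MAC so user space cannot forge it."""
    body = json.dumps({"path": path, "rights": rights}, sort_keys=True).encode()
    tag = hmac.new(MINT_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(cap):
    """Return (path, rights) if the ticket is genuine, else None."""
    expected = hmac.new(MINT_KEY, cap["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cap["tag"]):
        return None
    fields = json.loads(cap["body"])
    return fields["path"], set(fields["rights"])


def compile_to_path(path, obj_code, fs):
    """Confused deputy: only the deputy's own (elevated) privilege decides, so any path works."""
    fs[path] = obj_code               # fs is a dict standing in for the file system
    return "ok"


def compile_to(cap, obj_code, fs):
    """Hardened deputy: writes only through a verified capability carrying 'w' for the target."""
    checked = verify(cap)
    if checked is None:
        return "refused: forged or tampered capability"
    path, rights = checked
    if "w" not in rights:
        return "refused: capability lacks write permission"
    fs[path] = obj_code
    return "ok"


if __name__ == "__main__":
    fs = {}
    legit = mint("/home/dev/prog.o", "w")
    print(compile_to(legit, b"obj", fs))                       # ok
    tampered = {"body": legit["body"].replace(b"/home/dev/prog.o", b"/system/billing.db"),
                "tag": legit["tag"]}
    print(compile_to(tampered, b"obj", fs), sorted(fs))         # refused, only the legit path written
```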

 

Role Based Access Control (RBAC)

  • Access rights need to change as the responsibilities of users change  
  • Associate permissions with job functions
    • Each job defines a set of tasks
    • The tasks need permissions
    • The permissions define a role
  • Ex. Bank Teller
    • Read/Write to client accounts
    • Cannot create new accounts
    • Cannot create a loan
    • Role defines only the permissions allowed for the job 
  • Model consists of two relationships
    • Role-permission assignments
    • User-role assignments
  • Assign permissions to roles
    • These are largely fixed
  • Assign a user to the roles they can assume
    • These change with each user
    • Administrators must manage this relationship
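The two RBAC relationships from this slide as an added example (not from the slides): a largely fixed role-to-permission assignment containing the Bank Teller role, and a per-user role assignment that an administrator changes when responsibilities change. The permission strings, the extra roles and the user names are constructed.

```python
# Added example (not from the slides): RBAC as two relationships. Role
# definitions (role -> permissions) are largely fixed; user -> roles changes
# with each user and is what administrators manage. Names are constructed.
ROLE_PERMISSIONS = {
    # Bank Teller: read/write client accounts, but cannot create accounts or loans
    "teller":          {"account:read", "account:write"},
    "account_officer": {"account:read", "account:write", "account:create"},
    "loan_officer":    {"account:read", "loan:create"},
}

USER_ROLES = {
    "alice": {"teller"},
    "bob":   {"loan_officer"},
}


def permissions_of(user):
    """Union of the permissions of every role the user may assume."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_allowed(user, permission):
    """Access decision goes through roles only; users never hold permissions directly."""
    return permission in permissions_of(user)


def change_job(user, new_roles):
    """Administrator reassigns roles when responsibilities change; role definitions stay fixed."""
    unknown = set(new_roles) - ROLE_PERMISSIONS.keys()
    if unknown:
        raise KeyError(f"undefined roles: {sorted(unknown)}")
    USER_ROLES[user] = set(new_roles)


if __name__ == "__main__":
    print(is_allowed("alice", "account:write"), is_allowed("alice", "loan:create"))  # True False
    change_job("alice", {"loan_officer"})   # alice moves from teller to loan officer
    print(is_allowed("alice", "account:write"), is_allowed("alice", "loan:create"))  # False True
```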