
Access Control and Authorization in Information Assurance
Dive into the world of access control and authorization in Information Assurance with topics like university policies, authentication, risk management, and access control models. Learn how to model access control, implement an access control matrix, and explore the benefits and drawbacks of access control systems.
Presentation Transcript
Access Control. CSE 465 Information Assurance, Fall 2017. Adam Doupé, Arizona State University. http://adamdoupe.com
Example: A university's academic integrity policy disallows cheating, which includes copying homework, with or without permission. A CSE class has students do homework on a shared server (similar to general.asu.edu). Student A forgets to read-protect a homework file. Student B copies the file. Who did something wrong?
Authorization: What can you do on the system? Vs. Authentication (we will cover later): Who are you?
Authorization, Trust, and Risk: Need to manage authorization and trust in order to manage risk. Can you eliminate risk?
Authorization vs. Access Control: Authorization is the policy. Access Control is the mechanism.
Modeling Access Control: Subjects S: things in the system that can act. Objects O: assets or objects in the system (acted upon). Rights R: what can the subject do to the object?
Access Matrix Model: [Matrix figure with labels F, G, U, V and cells r1, r2; r2, r3; r2; r4; r5, r6.]
Simplified UNIX Model: Subjects are processes: p, q. Files are objects: f, g. Rights (read, write, execute, append, own): r, w, x, a, o.
Access Control Matrix Model:
      f      g      p      q
p     rwo    r      rwxo   w
q     a      ro     r      rwxo
Access Control Matrix: Benefits, Drawbacks.
Implementation: How to implement the Access Control Matrix?
Access Control Lists (ACLs): Each column of the access matrix is stored with the object.
f: p: rwo; q: a
g: p: r; q: ro
Capability Lists: Each row of the access matrix is stored with the subject.
p: f: rwo; g: r
q: f: a; g: ro
Relation:
Subject  Access  Object
p        r       f
p        w       f
p        o       f
p        r       g
q        a       f
q        r       g
q        o       g
ACL vs. Capability: ACL requires authentication of subjects. CAP does not require authentication of subjects. Capabilities must be unforgeable and propagation must be controlled.
ACL vs. Capability: [Figure: per-object basis, where each file (File a, File b) carries a list of "User: rights" entries, versus per-subject basis, where a user carries "Rights: File a", "Rights: File b" entries. Other labels in the figure: File c, /project.]
ACL vs. Capability: Least Privilege. CAP provides for finer-grained least-privilege control with respect to subjects, especially dynamic short-lived subjects created for specific tasks.
ACL vs. Capability: Access review: ACL is better for access review of objects; CAP is better for access review of subjects. Revocation: ACL is better for revocation on an object basis; CAP is better for revocation on a subject basis.
Capability Lists: Granting Access. p wants to grant q read access to file f. How to do this?
p: f: rwo; g: r
q: f: a; g: ro
Two versions of q's list follow on the slide:
q: f: ar; g: ro
q: f: a; g: ro; f: r
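The three storage layouts from the ACL, capability list and relation slides, plus the grant asked about on the granting slide, as an added example that is not part of the original lecture. The function names and the "only an owner may grant" policy are assumptions made for illustration.

```python
# Rights on files f and g, copied from the access control matrix slide.
MATRIX = {
    "p": {"f": "rwo", "g": "r"},
    "q": {"f": "a", "g": "ro"},
}

def acls(matrix):
    """Column view: each object stores its own {subject: rights} list."""
    out = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            out.setdefault(obj, {})[subject] = set(rights)
    return out

def capability_lists(matrix):
    """Row view: each subject carries its own {object: rights} list."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}

def relation(matrix):
    """Flat view: one (subject, right, object) triple per granted right."""
    return {(s, r, o) for s, row in matrix.items()
            for o, rights in row.items() for r in rights}

def grant(caps, granter, grantee, right, obj):
    """Add `right` on `obj` to the grantee's capability list.

    Assumed policy (not stated on the slides): only a subject holding
    the own right 'o' on the object may hand out rights to it.
    """
    if "o" not in caps.get(granter, {}).get(obj, set()):
        raise PermissionError(f"{granter} does not own {obj}")
    caps.setdefault(grantee, {}).setdefault(obj, set()).add(right)
    return caps

def review_object(caps, obj):
    """Object access review from capability lists: every subject is scanned."""
    return {s: rights[obj] for s, rights in caps.items() if obj in rights}

if __name__ == "__main__":
    caps = grant(capability_lists(MATRIX), "p", "q", "r", "f")
    print("ACL for f:", acls(MATRIX)["f"])
    print("q after grant:", caps["q"])
    print("who can touch g:", review_object(caps, "g"))
    print("relation rows:", sorted(relation(MATRIX)))
```

With ACLs the review of g is a single lookup, `acls(MATRIX)["g"]`; with capability lists it needs the scan in `review_object`, which is the access-review trade-off the comparison slides describe.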
UNIX ACL: 12 permission bits for each file, logically grouped into 4 sets of three bits each: _ _ _  _ _ _  _ _ _  _ _ _. First 3 bits: SUID, SGID, sticky bit. The next 3 bit sets apply to the file's owner, users in the file's group, and all users respectively: read, write, execute.
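A decoder for the 12 permission bits described above, together with the class selection a UNIX access check performs, as an added example that is not part of the original lecture. The function names and the sample modes, uids and gids are constructed; the superuser bypass is left out.

```python
SPECIAL = (("suid", 0o4000), ("sgid", 0o2000), ("sticky", 0o1000))
CLASSES = (("owner", 6), ("group", 3), ("other", 0))
RWX = (("r", 4), ("w", 2), ("x", 1))

def decode_mode(mode):
    """Split a 12-bit mode into the special bits and three rwx strings."""
    special = {name for name, mask in SPECIAL if mode & mask}
    classes = {}
    for name, shift in CLASSES:
        bits = (mode >> shift) & 0o7
        classes[name] = "".join(c if bits & m else "-" for c, m in RWX)
    return special, classes

def permitted(mode, file_uid, file_gid, uid, gids, want):
    """Check one right ('r', 'w' or 'x') for a process with `uid` and `gids`.

    Exactly one class is selected, in the order owner, group, other.
    The three classes are never combined, so an owner with fewer bits
    than "other" is still judged by the owner bits alone.
    """
    _, classes = decode_mode(mode)
    if uid == file_uid:
        selected = "owner"
    elif file_gid in gids:
        selected = "group"
    else:
        selected = "other"
    return want in classes[selected]

if __name__ == "__main__":
    # Constructed sample: a setuid file owned by uid 1000, group 100.
    special, classes = decode_mode(0o4750)
    print("special bits:", sorted(special))
    print("classes:", classes)
    print("group member may execute:",
          permitted(0o4750, 1000, 100, 2000, {100}, "x"))
    print("outsider may read:",
          permitted(0o4750, 1000, 100, 3000, {300}, "r"))
    # Mode 0077: the owner is locked out although everyone else has rwx.
    print("owner may read 0077:",
          permitted(0o077, 1000, 100, 1000, {100}, "r"))
```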
Other Access Control Ideas: Content-dependent controls: You can only see salaries less than 50K. You can only see salaries of employees who report to you. Context-dependent controls: Cannot access sensitive information from a remote login. Salary information can be updated only at year end. Company's earnings report is confidential until announced at the stockholder's meeting.
Types of Access Control: Discretionary Access Control: the owner of the object controls who can access the object. Mandatory Access Control: the system controls access to an object. Originator Controlled Access Control: the originator of the object controls who can access the object.
Mandatory Access Control: Security Levels, Security Category, Security Labels.
Security Levels: Many organizations have a hierarchical relationship between the security sensitivity of assets. One file might have the highest security sensitivity. Office environments: memos, reports, customer lists, backup data. Defined sensitivity and importance.
Security Levels: Need some way to tag data on a computer system. Associate a security level with each entity. What type of relationship? 1-1? 1-*?
Examples: Military Security Levels: Top Secret, Secret, Confidential, Unclassified. Commercial Security Levels: Restricted, Proprietary, Sensitive, Public.
Policy: What policy do we want our MAC to enforce? Let's use the military example: Top Secret, Secret, Confidential, Unclassified.
Notation: $L(S) = l_S$ is the security clearance of subject $S$. $L(O) = l_O$ is the security classification of object $O$. For all security classifications $l_i$, $i = 0, \ldots, k-1$: $l_i < l_{i+1}$.
Security Conditions: Simple-Security Condition (preliminary version): S can read O iff $l_O \le l_S$. *-Property (preliminary version): S can write O iff $l_S \le l_O$.
Examples (annotated "Write" and "Read" on the slide): Military Security Levels: Top Secret, Secret, Confidential, Unclassified. Commercial Security Levels: Restricted, Proprietary, Sensitive, Public.
Security Categories: Security levels are too fine-grained. Categories: NUC, NATO, ACE. Need-to-know basis for assigning categories to subjects. How to define the security policy now?
Notation: A subject's security level and an object's security level is now (L, C), where L is the level and C is the set of categories. How to compare subject S1 with object O1 for access?
Lattice:
{NUC, NATO, ACE}
{NUC, NATO}  {NATO, ACE}  {NUC, ACE}
{NATO}  {NUC}  {ACE}
{}
Bell-LaPadula Model: The security level $(L, C)$ dominates the security level $(L', C')$ iff $L' \le L$ and $C' \subseteq C$. Simple-Security Condition: S can read O iff S dom O. *-Property: S can write to O iff O dom S.
Examples: A has TS, {ACE}. B has S, {NATO, ACE}. Can A: Read TS, {}; Write S, {ACE}; Read TS, {NATO, ACE}; Write TS, {ACE, NATO}. Can B: Write S, {NATO}; Read TS, {NATO, ACE}; Read S, {ACE, NUC}; Write U, {}.
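The Bell-LaPadula checks applied to the eight questions on this slide, as an added example that is not part of the original lecture. It uses the standard dominance relation (level at least as high and a superset of categories); the level abbreviations U, C, S, TS and the function names are assumptions.

```python
# Military levels from the slides, lowest to highest (abbreviations assumed).
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

def dom(a, b):
    """(L, C) dominates (L', C') iff L' <= L and C' is a subset of C."""
    (level_a, cats_a), (level_b, cats_b) = a, b
    return LEVELS[level_b] <= LEVELS[level_a] and set(cats_b) <= set(cats_a)

def can_read(subject, obj):
    """Simple-security condition: S can read O iff S dom O."""
    return dom(subject, obj)

def can_write(subject, obj):
    """*-property: S can write O iff O dom S."""
    return dom(obj, subject)

A = ("TS", {"ACE"})
B = ("S", {"NATO", "ACE"})

QUESTIONS = [
    ("A", A, "read", ("TS", set())),
    ("A", A, "write", ("S", {"ACE"})),
    ("A", A, "read", ("TS", {"NATO", "ACE"})),
    ("A", A, "write", ("TS", {"ACE", "NATO"})),
    ("B", B, "write", ("S", {"NATO"})),
    ("B", B, "read", ("TS", {"NATO", "ACE"})),
    ("B", B, "read", ("S", {"ACE", "NUC"})),
    ("B", B, "write", ("U", set())),
]

def evaluate(questions=QUESTIONS):
    """Return one allow/deny decision per question, in slide order."""
    ops = {"read": can_read, "write": can_write}
    return [ops[op](subject, obj) for _, subject, op, obj in questions]

if __name__ == "__main__":
    for (name, _, op, obj), ok in zip(QUESTIONS, evaluate()):
        level, cats = obj
        label = f"{level}, {{{', '.join(sorted(cats))}}}"
        print(f"{name} {op:5} {label:22} -> {'allow' if ok else 'deny'}")
    # Labels with unrelated category sets are incomparable: neither dominates.
    print(dom(("S", {"NATO"}), ("S", {"ACE"})), dom(("S", {"ACE"}), ("S", {"NATO"})))
```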
Other Types of Access Control: Role Based Access Control (RBAC): a user's permissions are determined by the user's role, rather than identity (DAC) or clearance (MAC). More natural expression of business logic. Attribute Based Access Control (ABAC): users have attributes (age, ID number, group membership, etc.). Policy is a complex Boolean expression on the attributes.
Research in Access Control: Usability, Flexibility, Expressiveness, Federation.