CSCE 465 Lecture 15

« previous | Thursday, March 7, 2013 | next »

Access Control Policy

Function ${\displaystyle P(S,O,R)\to \{accept,deny\}}$

• Subject
• Object
• Rights

Two kinds to specify policy

1. Discretionary Access Control (DAC): Object owners define policy (like UNIX and GNU/Linux FS permissions)
2. Mandatory Access Control (MAC): Environment enforces a static policy; individuals cannot alter access (e.g. process labeling)

Access Control Models

Represents particular policy or set of policies

Focus on specific characteristics of policies:

• Secrecy
• Integrity
• Conflict of Interest
• Jobs

Types of Security Policies: Military, Commercial, Confidentiality, Integrity

Confidentiality and BLP

Goal: Prevent unauthorized disclosure of information

Multi-level security (MLS) models are best-known examples (e.g. Bell-LaPadula)

Security Levels of BLP: (each level has access to all lower levels

1. Unclassified
2. Confidential
3. Secret
4. Top-Secret

Subjects have security clearance ${\displaystyle L(s)}$

Objects have security classification ${\displaystyle O(s)}$

Bell-Lapadula (BLP) Lattice Model

Add concept of Category

Security level is tuple of clearance and category set. For example:

Information flows up not down

Simple Security Condition:

• ${\displaystyle s}$ can read ${\displaystyle o}$ iff ${\displaystyle L(o)\leq L(s)}$ and ${\displaystyle C(o)\subseteq C(s)}$ and ${\displaystyle s}$ has permission to read ${\displaystyle o}$.
• Security level ${\displaystyle (L,C)}$ dominates ${\displaystyle (L',C')}$ if ${\displaystyle L'\leq L}$ and ${\displaystyle C'\subseteq C}$
• Also called "no reads up"

*-Property

• ${\displaystyle s}$ can write object ${\displaystyle o}$ iff ${\displaystyle L(s)\leq L(o)}$ and ${\displaystyle C(s)\subseteq C(o)}$ and ${\displaystyle s}$ has permission to write to ${\displaystyle o}$.
• Also called "no writes down"
• Like Mac OS X Drop Box

Example

• Alice: (SECRET, {CRYPTO, NUC})
• Bob: (CONFIDENTIAL, {INTEL})
• Charlie: (TOP SECRET, {CRYPTO, NUC, INTEL})
• DocA: (CONFIDETNIAL, {INTEL})
• DocB: (UNCLASSIFIED, {NUC})
• DocC: (SECRET, {CRYPTO})

Alice: read DocB and DocC Bob: read DocA Charlie: read DocA, DocB, and DocC

Leak potential: Without no writes down, Charlie could copy info from DocC into DocA

Integrity Model and Biba

Trust model: concerned with who can affect integrity (content) of a document

For example: you may not care who can read DNS records, but you better care who writes to them!

Biba

Lattice policy with no read down and no write up (inverse of BLP)

• users can only create content at or below their own integrity level
• users can only view content at or above their own integrity level

Low-Water Mark

Change integrity level based on actual dependencies

Subject initially at highest level

integrity level changed based on objects accessed

Hybrid Model

Chinese Wall and RBAC

Deals with conflict of interest situations:

• Tony advises American Bank about investments
• Asked to advise Toyland bank about investments
• Conflict of interest to accept because advice for either would affect advice to other

Role-Based Access Control (RBAC)

Access depends on function, not identity

Example:

• bookkeeper for Math Dept. has access to financial records
• Job of bookkeeper could change hands if someone leaves and a new person is hired