
Access Control I Exercises

Luca Viganò
Institut für Informatik, Albert-Ludwigs-Universität Freiburg

IT-Security: Theory and Practice (WS02)


Basic Principles of Access Control (AC)


Aim: Limit what legitimate agents can do.
[Figure: reference-monitor architecture with the components User, AUTHENTICATION, ACCESS CONTROL, Reference Monitor, Authorization Database, Security Admin, Objects and AUDITING.]

12.12.02

An example of an attack


Masquerading (with replay). This is mainly a problem of authentication (cf. other classes). Authentication and access control are tightly connected: authentication is a prerequisite of AC.
[Figure: reference-monitor architecture, as on the slide above.]

Authentication establishes/verifies the identity of the requester. The requester presents credentials: something he knows (password), possesses (smartcard) or is (biometric).
Access control: is the legitimate (authenticated) requester authorized to perform the action? The AC/authorization decision is made by the agent(s) in charge.
Auditing: the process gathers data to discover violations or diagnose their cause, either offline after the fact, or online in real time (intrusion detection).

Example of Recovery by Auditing


AC Policies and AC Mechanisms


Subjects (e.g. users, agents) hold privileges (e.g. rwx) on objects (e.g. data, programs, devices) according to AC policies (models).
Policy: specifies how accesses are controlled and how access decisions are determined. Examples: Discretionary AC, Mandatory AC, Role-based AC.
Mechanism (structure): implements or enforces a policy. Examples: access matrix, AC list (ACL), capability list.
Separating policies from mechanisms allows for abstraction and independence.

Access Matrix
Model by Harrison, Ruzzo & Ullman: in general, changes to the state of the system are modeled by commands of the form

command c(x1, ..., xk)
  if r1 in M(x_s1, x_o1) and r2 in M(x_s2, x_o2) and ... and rm in M(x_sm, x_om)
  then op1; ...; opn
end

where $r_1, \ldots, r_m$ are rights, $s_1, \ldots, s_m$ and $o_1, \ldots, o_m$ are integers ($m \ge 0$), and each $op_i$ is a primitive operation ($n > 0$).

Six primitive operations causing a transition from state $(S, O, M)$ to state $(S', O', M')$. Assumption: all subjects are objects, i.e. $S \subseteq O$.

enter r into M(s, o)
  Conditions: $s \in S$, $o \in O$
  New state: $S' = S$, $O' = O$, $M'(s, o) = M(s, o) \cup \{r\}$, $M'(s_1, o_1) = M(s_1, o_1)$ for $(s_1, o_1) \neq (s, o)$

delete r from M(s, o)
  Conditions: $s \in S$, $o \in O$
  New state: $S' = S$, $O' = O$, $M'(s, o) = M(s, o) \setminus \{r\}$, $M'(s_1, o_1) = M(s_1, o_1)$ for $(s_1, o_1) \neq (s, o)$

create subject s'
  Conditions: $s' \notin O$
  New state: $S' = S \cup \{s'\}$, $O' = O \cup \{s'\}$, $M'(s, o) = M(s, o)$ for $s \in S$, $o \in O$; $M'(s', o) = \emptyset$ for $o \in O'$; $M'(s, s') = \emptyset$ for $s \in S'$

destroy subject s'
  Conditions: $s' \in S$
  New state: $S' = S \setminus \{s'\}$, $O' = O \setminus \{s'\}$, $M'(s, o) = M(s, o)$ for $s \in S'$, $o \in O'$

create object o'
  Conditions: $o' \notin O$
  New state: $S' = S$, $O' = O \cup \{o'\}$, $M'(s, o) = M(s, o)$ for $s \in S$, $o \in O$; $M'(s, o') = \emptyset$ for $s \in S'$

destroy object o'
  Conditions: $o' \in O$, $o' \notin S$
  New state: $S' = S$, $O' = O \setminus \{o'\}$, $M'(s, o) = M(s, o)$ for $s \in S'$, $o \in O'$

Def: A state $Q = (S, O, M)$ yields a state $Q' = (S', O', M')$ under the command

command c(x1, ..., xk)
  if r1 in M(x_s1, x_o1) and ... and rm in M(x_sm, x_om)
  then op1; ...; opn
end

with arguments $a_1, \ldots, a_k$, written $Q \vdash_{c} Q'$ (or $Q \vdash_{c(a_1, \ldots, a_k)} Q'$), provided

$Q' = Q$ if one of the conditions of c is not satisfied;

$Q' = Q_n$ otherwise, where there exist states $Q_0, Q_1, \ldots, Q_n$ such that $Q_0 = Q$, $Q_n = Q'$ and, for each i with $0 \le i < n$, $Q_i \vdash_{op_{i+1}[a_j / x_j]} Q_{i+1}$,

where $op_{i+1}[a_j / x_j]$ denotes the primitive operation $op_{i+1}$ after substituting $a_1, \ldots, a_k$ for the variables $x_1, \ldots, x_k$.
Some example commands:

command confer.write(s1, s2, o)
  if Own in M(s1, o)
  then enter W into M(s2, o)
end

command revoke.read(s1, s2, o)
  if Own in M(s1, o)
  then delete R from M(s2, o)
end
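The following is an added example, not part of the lecture slides: a minimal executable model of the HRU access matrix with the six primitive operations and the two commands above. The class and method names are our own choice, and the demo scenario (Alice owns File1, Bob may read it) is constructed; it shows the "yields" rule in action, including a command whose guard fails and therefore leaves the state unchanged.

```python
# Added example, not from the lecture notes: a minimal model of the HRU
# access matrix (names are ours; scenario in demo() is constructed).
class AccessMatrix:
    def __init__(self):
        self.S, self.O, self.M = set(), set(), {}   # state (S, O, M), S subset of O
    # the six primitive operations; each asserts its HRU condition
    def enter(self, r, s, o):
        assert s in self.S and o in self.O
        self.M[(s, o)].add(r)
    def delete(self, r, s, o):
        assert s in self.S and o in self.O
        self.M[(s, o)].discard(r)
    def create_subject(self, s):
        assert s not in self.O
        self.S.add(s); self.O.add(s)
        for o in self.O: self.M[(s, o)] = set()            # empty row for s
        for x in self.S: self.M.setdefault((x, s), set())  # empty column for s
    def destroy_subject(self, s):
        assert s in self.S
        self.S.discard(s); self.O.discard(s)
        self.M = {k: v for k, v in self.M.items() if s not in k}
    def create_object(self, o):
        assert o not in self.O
        self.O.add(o)
        for s in self.S: self.M[(s, o)] = set()            # empty column for o
    def destroy_object(self, o):
        assert o in self.O and o not in self.S
        self.O.discard(o)
        self.M = {k: v for k, v in self.M.items() if k[1] != o}
    def rights(self, s, o):
        return frozenset(self.M.get((s, o), ()))

# Commands: if the guard fails the state is unchanged (Q' = Q), otherwise
# the primitive operations run in order on the current state.
def confer_write(q, s1, s2, o):
    if "Own" in q.rights(s1, o):
        q.enter("W", s2, o)
    return q
def revoke_read(q, s1, s2, o):
    if "Own" in q.rights(s1, o):
        q.delete("R", s2, o)
    return q

def demo():
    q = AccessMatrix()
    q.create_subject("Alice"); q.create_subject("Bob"); q.create_object("File1")
    q.enter("Own", "Alice", "File1"); q.enter("R", "Bob", "File1")
    confer_write(q, "Alice", "Bob", "File1")  # owner confers W: Bob has {R, W}
    confer_write(q, "Bob", "Alice", "File1")  # Bob is not owner: no change
    revoke_read(q, "Alice", "Bob", "File1")   # owner revokes R: Bob keeps {W}
    return q.rights("Bob", "File1"), q.rights("Alice", "File1")
```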

Exercise: why is there no check $R \in M(s_1, o)$ or $R \in M(s_2, o)$ in revoke.read(s1, s2, o)?

Exercise: specify the commands create.file, confer.execute and revoke.write, describing the different possibilities for create.file. (Hint: think of the primitive rights in Unix/Linux systems.)

Exercise: compute the matrix that results from the following initial state by executing the sequence of commands below.

Initial state: subjects (rows) Alice, Bob, Charlie; objects (columns) File 1, File 2, File 3, File 4, Account 1, Account 2. The non-empty cells, column by column as extracted (the row of each entry is not recoverable from the extracted text): Own R W; R; R W; Own R W; R W; X; W; R; Own R; X; Inquiry Credit; Inquiry Debit; Inquiry Credit; Inquiry Debit.

create.file(Alice, File5)
confer.execute(Alice, Charlie, File5)
revoke.write(Bob, Alice, File1)
revoke.read(Charlie, Bob, File4)

MAC: The Lattice of Security Levels


To answer uniquely questions like: Given 2 objects at different security levels, what is the minimal level a subject must have to be allowed to read both objects? Given 2 subjects at different security levels, what is the maximal level an object can have so that it can still be read by both subjects?

Def: a lattice $(L, \le)$ consists of a set of security levels L and a partial ordering $\le$, so that for every 2 elements $a, b \in L$ there exists a least upper bound $u \in L$ and a greatest lower bound $l \in L$, i.e.

$a \le u$, $b \le u$ and $(a \le v \;\&\; b \le v) \Rightarrow (u \le v)$ for all $v \in L$

$l \le a$, $l \le b$ and $(k \le a \;\&\; k \le b) \Rightarrow (k \le l)$ for all $k \in L$

For example: u is System Low and l is System High.

Orange Book Example

A set H of classifications with a hierarchical (linear) ordering $\le_H$.
A set C of categories, e.g. project names, company divisions, etc.
A security label is a pair (h, c) with $h \in H$ and $c \subseteq C$.
Partial order of labels: $(h_1, c_1) \le (h_2, c_2)$ if and only if $h_1 \le_H h_2$ and $c_1 \subseteq c_2$.

For hierarchical levels public and private, and categories PERSONNEL and ENGINEERING, we have the lattice (Hasse diagram, top to bottom):

private, {PERSONNEL, ENGINEERING}
private, {PERSONNEL}    private, {ENGINEERING}    public, {PERSONNEL, ENGINEERING}
private, {}             public, {PERSONNEL}       public, {ENGINEERING}
public, {}

Note that public, {PERSONNEL} $\not\le$ private, {ENGINEERING}: the two labels are incomparable.
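As an added example (not from the slides), the Orange Book label lattice above in code: dominance between labels, the least upper bound that answers the first question of the previous slide (minimal subject label to read two objects) and the greatest lower bound that answers the second (maximal object label readable by two subjects), plus a check of the lattice axioms over all labels. The level and category lists and the function names are our own.

```python
# Added example, not from the slides: labels (h, c) over a linear order of
# classifications and subsets of categories (Orange Book style lattice).
LEVELS = ["public", "private"]             # linear order: list index = rank
CATEGORIES = ["PERSONNEL", "ENGINEERING"]  # compartments are subsets of these

def dominates(l2, l1):
    """(h2, c2) >= (h1, c1)  iff  h1 <=_H h2 and c1 is a subset of c2."""
    (h1, c1), (h2, c2) = l1, l2
    return LEVELS.index(h1) <= LEVELS.index(h2) and frozenset(c1) <= frozenset(c2)

def lub(l1, l2):
    """Least upper bound: minimal label a subject needs to read objects l1, l2."""
    return (max(l1[0], l2[0], key=LEVELS.index), frozenset(l1[1]) | frozenset(l2[1]))

def glb(l1, l2):
    """Greatest lower bound: maximal object label readable by subjects l1, l2."""
    return (min(l1[0], l2[0], key=LEVELS.index), frozenset(l1[1]) & frozenset(l2[1]))

def all_labels(levels=LEVELS, cats=CATEGORIES):
    """Every label: one classification paired with one subset of the categories."""
    subsets = [frozenset()]
    for c in cats:
        subsets += [s | {c} for s in subsets]
    return [(h, c) for h in levels for c in subsets]

def is_lattice(labels=None):
    """Check the definition: lub(a, b) is an upper bound below every other upper
    bound, and glb(a, b) a lower bound above every other lower bound."""
    labels = labels or all_labels()
    for a in labels:
        for b in labels:
            u, l = lub(a, b), glb(a, b)
            if not (dominates(u, a) and dominates(u, b) and dominates(a, l) and dominates(b, l)):
                return False
            for v in labels:
                if dominates(v, a) and dominates(v, b) and not dominates(v, u):
                    return False
                if dominates(a, v) and dominates(b, v) and not dominates(l, v):
                    return False
    return True
```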


Exercises
Exercise: construct the lattice of security labels for the security levels public, confidential and strictly confidential, and for the categories ADMIN, LECTURERS, and STUDENTS. Which objects are visible to a subject with security label (confidential, {STUDENTS}) in a need-to-know (i.e. least privilege, where users don't use their full privileges until they are actually needed) policy? How many labels can be constructed from n security levels and m categories (e.g. n = 16 and m = 64)?

Exercise: Consider a security policy that uses the lattice of compartments (i.e. the sets of categories, as in the example) as security labels. Access is granted only when the subject's label is a subset of the object's label. With the categories ADMIN, LECTURERS, and STUDENTS, which objects can be accessed by a subject with label {STUDENTS}? Why is a subject with label {ADMIN, STUDENTS} more constrained than a subject with label {STUDENTS}? Interpret the roles of the labels {} and {ADMIN, LECTURERS, STUDENTS} in this policy.

Formal Methods for Access Control


Multi-modal logics provide formal models for AC. Deduction systems to model and reason about:
Agent properties and actions, e.g. (sendmail quoting Alice) speaks for Alice.
System policies, e.g. the hand-off axiom (Alice says false) (Alice controls (P speaks for Alice)).
Goals, e.g. ((Alice says )(Bob controls )(Alice at least as powerful as Bob)), where the relation between Alice and Bob is specified by some AC policy.

Bibliography
Edward Amoroso. Fundamentals of Computer Security Technology. Prentice Hall, 1994.
Dorothy Denning. Cryptography and Data Security. Addison-Wesley, 1982.
Dieter Gollmann. Computer Security. Wiley, 2000.
US Department of Defense. DoD Trusted Computer System Evaluation Criteria (The Orange Book), DOD 5200.28.STD, 1985.
Various papers on RBAC by Ravi Sandhu and Pierangela Samarati.
M. Abadi, M. Burrows, B. Lampson, G. Plotkin. A Calculus for Access Control in Distributed Systems. ACM Transactions on Programming Languages and Systems, 15(4):706-734, 1993.
Fabio Massacci. Tableaux methods for formal verification in multi-agent distributed systems. Journal of Logic and Computation, 8(3):373-400, 1998.