Computer security Lecture 3. Access control
Access control, the basic problem: efficient representation of access rights
- Simply listing, per subject and object, what access is allowed and/or denied is very inefficient
- We need a structured approach
- The approach needs to be efficient, flexible and testable

Access control concepts
- Principals and subjects (users, processes etc.): active, they access something
- Objects (files, devices, storage areas, services, etc.): passive, they are accessed
- Operations (what subjects do): observe, alter, use; read, write, append, execute
Figure: a principal performs an operation on an object through the reference monitor (a Source sends a Request to a Guard, which protects a Resource)

Terminology Permission is usually used for direct access rights to objects Privilege is sometimes used for more basic rights to system resources There is no fixed, correct terminology (got root?)

Principals, subjects and objects
- A principal is an entity that has an authenticated identity; example: a user identity
- A subject is an entity that acts on behalf of a principal, within a computer system; example: a process running under a user identity
- An object is an entity that is acted upon; example: a text file

Observe/alter/use
- To observe is simply to look at the contents of an object
- To alter is to change the contents of an object, or alternatively to add contents to an object
- It is also possible to use the functionality of an object without extracting its contents (example: smart card signatures)

More on subjects
- To simplify access control handling, the special subject group is often used
- A system often has a special group, administrators, that can access all (or many) resources of the system
- The special subject owner: in computers, the owner can grant access or revoke it, and decide what type of access
- This is called discretionary access control
- The opposite, mandatory access control, mostly occurs in the defence sector, which handles classified data

More on operations
- Usually read, write and execute are used (and not append)
- Does write imply read permission, or does it not?
- Does write mean alter contents, add contents, delete? If not all of these, what are the others called?
- What does execute mean for non-code objects?
- There can also be special arrangements for the create and delete operations

More on objects
- Subjects are active parties, such as users, processes etc.; they access
- Objects are passive entities, resources such as data, equipment etc.; they are accessed
- When checking if access is allowed, both subject and object must be identified
- Identities must be unique within their domain

Access control matrix
- Lists what users are allowed to do with resources like files
- Has one row (or column) per user
- Has one column (or row) per resource
- An abstract concept, not something used in actual storage, because that would be extremely inefficient
Example matrix: rows Alice, Bob, Carol, David, Eve; columns Data 1, Data 2, Prog 1, Prog 2. David's row is complete (Data 1: RW, Data 2: R, Prog 1: X, Prog 2: RWX); for the other rows the positions of the empty cells are not recoverable from the slide, so only the non-empty cells are listed in column order: Alice RW, X; Bob R, RW, RWX; Carol R, X; Eve R, RX

Representing the access matrix: mechanisms
- Access control lists: per object, what rights the listed subjects have to the object (a simple version is permission bits), i.e. one column of the matrix
- Capability lists: per subject, what rights the subject has to the listed objects, i.e. one row of the matrix

ACLs in simple form: permission bits
- Very simple: fixed set of rights, fixed set of subjects
- Very inflexible
- Efficient to determine permission for a given object: no lists to search, the bits are registered directly with the object
- Three subject classes per object: owner, group, others
- Three types of rights per subject class: read, write, execute

In UNIX these have different meanings for different objects
Files
- Read: read from the file
- Write: write to the file
- Execute: execute the (program) file
Directories
- Read: list the directory contents (the names)
- Write: create, rename or delete files in the directory (only effective together with execute on the directory)
- Execute (search): traverse the directory, i.e. access a file's contents and metadata if you know its name, without being able to list the names

ACLs in simple form: Unix permissions
/.../html/:
-rw-rw-r-- harna icgwww aktuellt.html
drwxrwxr-x root  root   mall
-rw-rw-r-- jalar icgwww index.html
/home/jalar/:
-rw-r--r-- jalar users  cseclecture02.pdf
drwx------ jalar users  mysecretmaterial
drwxrwx--- jalar icg    ourproject
Permissions are listed in the order: user (owner), group, others. Only the first class the requester falls into is consulted, so an owner is judged by the owner bits alone even when the group or others bits are more permissive.
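As an added example (not code from the lecture), the following evaluates classic UNIX permission bits for a given subject: it parses an ls -l style mode string such as the ones in the listing above, selects the single class (owner, group, others) that applies, and maps the directory actions listed earlier onto the bits they need. The user and group names are the ones from the listing; the Subject and Entry types, the DIR_ACTIONS table and the runs_as helper are assumptions made for illustration.

```python
"""Added example (not from the lecture): evaluate classic UNIX permission
bits for a given subject.  Input is an ls -l style mode string such as
"-rw-rw-r--" or "-rwsr-xr-x", the file's owner and group, and the requesting
subject's uid, primary gid and supplementary groups.  The names (harna,
jalar, icgwww, ...) come from the listing above; the Subject/Entry types and
the helpers are assumptions for illustration."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Subject:
    uid: str
    gid: str                                  # primary group
    groups: FrozenSet[str] = frozenset()      # supplementary groups


@dataclass(frozen=True)
class Entry:
    mode: str      # 10 characters, e.g. "-rw-r--r--" or "drwxrwx---"
    owner: str
    group: str


def parse_mode(mode: str) -> Tuple[bool, Dict[str, Set[str]], bool, bool]:
    """Return (is_dir, {"owner"|"group"|"others": set of r/w/x}, setuid, setgid)."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string")
    is_dir = mode[0] == "d"
    classes: Dict[str, Set[str]] = {}
    for name, start in (("owner", 1), ("group", 4), ("others", 7)):
        r, w, x = mode[start:start + 3]
        rights: Set[str] = set()
        if r == "r":
            rights.add("r")
        if w == "w":
            rights.add("w")
        # lower-case s/t mean "execute plus set-id/sticky"; upper-case S/T
        # mean the special bit is set but execute is not
        if x in "xst":
            rights.add("x")
        classes[name] = rights
    return is_dir, classes, mode[3] in "sS", mode[6] in "sS"


def effective_class(entry: Entry, subj: Subject) -> str:
    """Select the ONE class consulted: owner, else group, else others.
    Classes are not unioned: an owner with owner bits --- is denied even
    if the group or others bits would allow the access."""
    if subj.uid == entry.owner:
        return "owner"
    if entry.group == subj.gid or entry.group in subj.groups:
        return "group"
    return "others"


def allowed(entry: Entry, subj: Subject, op: str) -> bool:
    """op is "r", "w" or "x".  Note: uid 0 (root) bypasses these checks in a
    real kernel (CAP_DAC_OVERRIDE on Linux); that is not modelled here."""
    _, classes, _, _ = parse_mode(entry.mode)
    return op in classes[effective_class(entry, subj)]


# What each directory action needs, following the meanings given above.
# Creating, deleting or renaming an entry needs write AND search (x) on the
# directory; listing needs only read; reaching a known name needs only x.
DIR_ACTIONS = {
    "list": {"r"},
    "traverse": {"x"},
    "create": {"w", "x"},
    "delete": {"w", "x"},
    "rename": {"w", "x"},
}


def dir_allowed(entry: Entry, subj: Subject, action: str) -> bool:
    is_dir, classes, _, _ = parse_mode(entry.mode)
    if not is_dir:
        raise ValueError(f"{entry.mode} is not a directory")
    return DIR_ACTIONS[action] <= classes[effective_class(entry, subj)]


def runs_as(entry: Entry, subj: Subject) -> str:
    """Effective uid a subject gets by executing the file: the owner if the
    set-user-ID bit is set (and execution is allowed), else the subject."""
    _, _, setuid, _ = parse_mode(entry.mode)
    if not allowed(entry, subj, "x"):
        raise PermissionError("not executable by this subject")
    return entry.owner if setuid else subj.uid


if __name__ == "__main__":
    jalar = Subject("jalar", "users", frozenset({"icgwww", "icg"}))
    eve = Subject("eve", "guests")
    aktuellt = Entry("-rw-rw-r--", "harna", "icgwww")
    print("jalar writes aktuellt.html:", allowed(aktuellt, jalar, "w"))   # via group
    print("eve writes aktuellt.html:", allowed(aktuellt, eve, "w"))       # denied
    print("mount runs as:", runs_as(Entry("-rwsr-xr-x", "root", "root"), eve))
```

The one thing worth taking away from the code is effective_class: the kernel picks a class, not a union of rights, which is why a mode such as ----rwx--- locks out the owner while letting the group in.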

Directory access in UNIX and general ACLs
- In UNIX, rwx have special meaning for directories
- In a general ACL, access permissions for a directory can mean access to the directory itself: to see what the next level contains, and to add or delete files and sub-directories
- Or, access permissions may also mean access to the files in that directory
- Other systems list these as specific named permissions

Access control lists (ACLs) in general
- More general ACLs list, per object, what rights the listed subjects have to the object
- Easy answer to the question "who has what kind of access to this object?"
Example ACLs:
bill.doc:   Bill:rw
edit.exe:   Alice:rx, Bill:rx
tetris.exe: Alice:rx, Bill:rwx
- May be inefficient, since determining the rights of one user may require searching a long list
- Revoking permissions for one user means searching through the whole set of ACLs
- Doesn't always work well in distributed systems, since permissions are stored together with the objects
- Popular despite these shortcomings: simple to implement, and natural in systems with discretionary access control
- Used in Unix-based systems and Windows (although the latter is more complicated)

Intermediate levels in ACLs
Figure: users u1 ... u5, groups g1 and g2, objects o1 ... o6; ACL entries can name either users or groups
- Use groups to shorten lists
- Individual permissions can still be used
- Negative permissions can be used to create a smaller group out of an existing large one
- But now you need a rule for the case when someone (through groups) appears twice with different rights

Intermediate levels in ACLs: resolving conflicts
g1 = {u1, u2, u3}, g2 = {u3, u4, u5}
ACL for o3: g1:r, g2:rw
- Two possible rules to resolve conflicts: first match, any match
- If u3 wants to write to o3, the first match rule denies this (u3 is matched by g1:r first and the search stops), while the any match rule allows it (g2:rw also applies to u3)

Intermediate levels in ACLs: any match
g1 = {u1, u2, u3}, g2 = {u3, u4}
ACL for o3: g1:r, g2:r, ..., u4:rw
- If the list for o3 is long, then it takes a long time to check whether u4 has write access: every entry has to be examined
- Efficiency depends on ACL order
- For o3, removal of g2:r does not change anything

Intermediate levels in ACLs: first match
g1 = {u1, u2, u3}, g2 = {u3, u4}
ACL for o3: g1:r, g2:r, ..., u4:rw
- Finding u4's access rights is fast even though the list is long: the search stops at g2:r
- But here u4 doesn't have write access to o3, because the u4:rw entry is never reached
- Placing u4:rw first slows down the search for other users
- For o3, removal of g2:r gives u4 write access

Negative permissions in ACLs
g1 = {u1, u2, u3, u4, u5}
ACL for o1: u1:None, g1:r
- Negative access rights can be used for the exceptional case
- This makes the ACL structure much more efficient
- First match: the negative entry must come first
- Any match: the negative entry wins
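To make the first match / any match discussion concrete, here is an added example (not the lecture's code) of an ACL evaluator with groups and negative entries. It replays the u/g/o scenarios from the slides above and also returns how many entries had to be examined, which is what the efficiency remarks are about. The list-of-tuples representation, the padding helper that stands in for the "..." of the slides, and the without helper for revocation are assumptions for illustration.

```python
"""Added example (not from the lecture): an ACL evaluator with groups,
negative entries and the two conflict rules from the slides, first match
and any match.  It replays the u/g/o scenarios above and also reports how
many entries had to be examined.  The data structures are assumptions."""

from typing import Dict, List, Optional, Set, Tuple

# An ACL is an ordered list of (principal, rights).  rights is a set of
# operation letters, or None for a negative ("no access at all") entry.
Rights = Optional[Set[str]]
Acl = List[Tuple[str, Rights]]
Groups = Dict[str, Set[str]]


def principals_of(user: str, groups: Groups) -> Set[str]:
    """The user's own name plus every group the user is a member of."""
    return {user} | {g for g, members in groups.items() if user in members}


def first_match(acl: Acl, user: str, groups: Groups, op: str) -> Tuple[bool, int]:
    """Stop at the first entry naming the user or one of her groups.
    Returns (decision, number of entries examined)."""
    mine = principals_of(user, groups)
    for examined, (principal, rights) in enumerate(acl, start=1):
        if principal in mine:
            return (rights is not None and op in rights), examined
    return False, len(acl)


def any_match(acl: Acl, user: str, groups: Groups, op: str) -> Tuple[bool, int]:
    """Every entry is examined; any granting entry suffices, but a negative
    entry anywhere in the list wins over all grants."""
    mine = principals_of(user, groups)
    granted = False
    for principal, rights in acl:
        if principal not in mine:
            continue
        if rights is None:
            return False, len(acl)
        if op in rights:
            granted = True
    return granted, len(acl)


def without(acl: Acl, principal: str) -> Acl:
    """The ACL with every entry for `principal` removed (revocation)."""
    return [(p, r) for p, r in acl if p != principal]


def padding(n: int) -> Acl:
    """n unrelated entries, standing in for the '...' in the slides."""
    return [(f"other{i}", {"r"}) for i in range(n)]


if __name__ == "__main__":
    # Slide: g1 = {u1,u2,u3}, g2 = {u3,u4,u5}, o3: g1:r, g2:rw
    groups = {"g1": {"u1", "u2", "u3"}, "g2": {"u3", "u4", "u5"}}
    o3 = [("g1", {"r"}), ("g2", {"r", "w"})]
    print("u3 writes o3, first match:", first_match(o3, "u3", groups, "w"))
    print("u3 writes o3, any match:  ", any_match(o3, "u3", groups, "w"))
```

Note the last two assertions in the test below: under first match, a negative entry placed after a grant does nothing, which is why the slide insists that negatives come first; under any match its position does not matter.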

Owners in ACLs
- Usually the creator of an object has default maximum privileges for the object
- Granting access to others is one of those privileges
- Sometimes only the owner and the system manager can ever change the ACL
- Some systems allow ACLs to have ACLs

System manager
- Usually the system manager, root in UNIX, has default maximum privileges
- Often the processes that check access restrictions are not even invoked for the system manager
- Sometimes specific rights are given to the system manager in the ACL
- System managers can normally give themselves any privilege they don't already have, but that event is (should be) logged in non-erasable form

Program or user permission?
- You cannot always allow users direct access to files
- Solution: allow the program the access, and allow the user to execute the program
- Basically, access control is delegated to the program
- This is used for specialized data handling tasks (databases/accounting/DRM), or system tasks
- You cannot always register programs as subjects; the solution in UNIX etc. is to use SUID (set-user-ID), which runs the program with the identity of the file's owner rather than that of the user who started it
Examples:
-rwsr-xr-x root root /bin/mount
-rw-r----- acct acct accounting.dat
-rwsr-xr-x acct acct accounting
acct:x:1001:...   (the acct entry in the password file)
Only the acct user can read or write accounting.dat, but any user may run accounting, which then executes with acct's rights; the program itself now decides what the user may do with the data, so it must be written with that responsibility in mind

Capability lists
- Lists, per subject, what rights the subject has to what objects
- Easy answer to the question "what kind of access does this subject have to what objects?"
Example capability lists:
Alice: edit.exe:rx, tetris.exe:rx
Bill:  bill.doc:rw, edit.exe:rx, tetris.exe:rwx
- May also be inefficient, since determining who has what rights to one object requires searching all subjects
- Here, principals pass on rights to subjects; to be able to revoke permissions a principal needs to keep track of this
- Works better in distributed systems, since roaming users have their permissions close at hand (but you need to implement this securely: a capability must be unforgeable)
- Experimental implementations in the 1970s, a bit like file passwords
- A system that used capability lists is the IBM AS/400
- Have made a limited comeback in the form of public key certificates; these are often considered crypto rather than access control, but should sometimes be thought of as the latter
- A common concept is tickets, e.g. "the user holding this ticket can change contents in the ICG web"
- A capability list is of course just the contents of a row (subject dimension) of the access control matrix
- Tickets and attribute certificates are subsets of this; tickets etc. do not reveal the subject's full permissions to the checking party

Grant/revoke access
- In ACLs, usually only the owner or the system manager can grant and revoke access to an object
- In some systems, subjects with directory write permission can grant/revoke access to library objects
- ACLs for ACLs (treating ACLs as objects) enable more complicated behaviour
- With capability lists, subjects can grant and revoke access
- If you can grant the permission to grant access, the situation can become very complex
- The problem is keeping track of who has been granted access

Role-Based Access Control (RBAC)
- A role is a collection of procedures that users who have the role can execute
- A procedure is a more complicated operation (not merely read or write), for example a fund transfer between bank accounts
- A data type is associated with the objects, and to each data type only specific procedures apply
- Frequently a user needs to take an explicit action to activate a desired role
- Roles often have a hierarchical structure; example: itslearning has Course head, Teacher, Student, Guest
- This is not always the hierarchy of the organization

NIST classification of RBAC levels
- Flat RBAC: as on the last slide, adding user-role reviews, which tell which roles a user holds (and so whether her roles have changed)
- Hierarchical RBAC: adds role hierarchies, with more senior (or powerful) roles inheriting the permissions of junior ones
- Constrained RBAC: adds separation of duties, so that users cannot hold two roles that are unsuitable to share
- Symmetric RBAC: adds permission-role reviews, for more complicated situations, to find the roles that hold a specific permission
- Unfortunately, RBAC does not have a single generally accepted meaning

More on hierarchical structure
Figure: Course head above Teachers, Teachers above Students, Students above Guests
- Guests are lower in the hierarchy than students
- Guests do not have a natural relation to students (unless it's your mum)

More on hierarchical structure
Figure: Dept head above Group heads, Group heads above Employees
- Employees can work in several departments
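The RBAC slides above describe role hierarchies, explicit role activation, separation of duties and the NIST review operations. The following is an added example (not the lecture's or NIST's code) of a small engine that has all four: permissions are (procedure, data type) pairs as in the lecture, senior roles inherit from junior ones, a user only acts through roles activated in a session, a static separation-of-duty constraint is checked over inherited roles too, and permission-role review answers "which roles hold this permission?". The bank roles and procedures are hypothetical.

```python
"""Added example (not from the lecture): hierarchical, constrained and
symmetric RBAC in the NIST sense.  The bank roles are hypothetical."""

from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]   # (procedure, data type), as in the lecture


class Rbac:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.juniors: Dict[str, Set[str]] = {}       # role -> directly junior roles
        self.user_roles: Dict[str, Set[str]] = {}
        self.sessions: Dict[str, Set[str]] = {}      # user -> activated roles
        self.sod: Set[FrozenSet[str]] = set()        # mutually exclusive role pairs

    def add_role(self, role: str, perms=(), juniors=()) -> None:
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(juniors)

    def add_sod(self, a: str, b: str) -> None:
        self.sod.add(frozenset((a, b)))

    def authorized(self, role: str) -> Set[str]:
        """The role itself plus everything below it in the hierarchy."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors.get(r, ()))
        return seen

    def permissions(self, role: str) -> Set[Permission]:
        """Hierarchical RBAC: the union over the role and its juniors."""
        return set().union(*(self.role_perms[r] for r in self.authorized(role)))

    def assign(self, user: str, role: str) -> bool:
        """Constrained RBAC: static separation of duty, checked over the
        inherited roles too so a senior role cannot smuggle in a conflict."""
        have = set().union(*(self.authorized(r) for r in self.user_roles.get(user, set())))
        new = self.authorized(role)
        for pair in self.sod:
            if pair <= (have | new):
                return False
        self.user_roles.setdefault(user, set()).add(role)
        return True

    def activate(self, user: str, role: str) -> bool:
        """The explicit action that turns an assigned role on in a session."""
        if role not in self.user_roles.get(user, set()):
            return False
        self.sessions.setdefault(user, set()).add(role)
        return True

    def check(self, user: str, procedure: str, datatype: str) -> bool:
        """Only activated roles count, not everything the user could hold."""
        return any((procedure, datatype) in self.permissions(r)
                   for r in self.sessions.get(user, set()))

    def user_role_review(self, user: str) -> Set[str]:
        return set(self.user_roles.get(user, set()))

    def permission_role_review(self, procedure: str, datatype: str) -> Set[str]:
        """Symmetric RBAC: every role that holds the permission, inherited or not."""
        return {r for r in self.role_perms if (procedure, datatype) in self.permissions(r)}


def bank() -> Rbac:
    """Hypothetical bank: Teller and Approver both inherit Employee, and the
    two must never be held by one person (initiate vs approve a transfer)."""
    r = Rbac()
    r.add_role("Employee", [("read_balance", "account")])
    r.add_role("Teller", [("initiate_transfer", "account")], juniors=["Employee"])
    r.add_role("Approver", [("approve_transfer", "account")], juniors=["Employee"])
    r.add_role("Auditor", [("read", "audit_log")], juniors=["Employee"])
    r.add_sod("Teller", "Approver")
    return r
```

The check method is where the "explicit action to activate a role" from the slide shows up: holding a role is not the same as acting in it, and a user who has not activated Teller cannot initiate a transfer even though the assignment exists.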

Access control, the basic problem (recap): efficient representation of access rights
- Simply listing, per subject and object, what access is allowed and/or denied is very inefficient
- We need a structured approach
- The approach needs to be efficient, flexible and testable

The tool to use is a formal model
- In order to describe and evaluate system security, we must define: what is a breach of confidentiality? What is a breach of data integrity?
- Checks/evaluations cannot be made per single item; information flow must be taken into account
- The relations are important, or really, the pattern of relations
- Hierarchies and partial orders can be used to describe this pattern

Hierarchical structures are ubiquitous
- A common structure for allowed/forbidden flow is that higher authorities are allowed what their subordinates are forbidden, but not the other way around
- Examples: generals are allowed to see more sensitive information than colonels, and doctors are allowed to prescribe more sensitive things than nurses
- By placing users on levels in such a hierarchy, and assigning data to the lowest level that may access them, we can check and control information flow

Hierarchies, example
Figure: Dept head above Group heads, Group heads above Employees
- Whatever is allowed for one level is also allowed for higher levels
- Thus the privileges on one level are the union of all privileges introduced at that level and all privileges on all lower levels
- However, employees can work in several departments, so a strict hierarchy is not enough

Extending from strict hierarchies: partial order
Definition: a partial order on a set (of security levels) L is a relation ≤ on L × L (pairs of security levels) which is
- reflexive: for all a ∈ L, a ≤ a holds
- transitive: for all a, b, c ∈ L, if a ≤ b and b ≤ c, then a ≤ c
- antisymmetric: for all a, b ∈ L, if a ≤ b and b ≤ a, then a = b
There may be a and b in L that are related in neither direction; such a and b are called incomparable

Examples: posets, and totally ordered sets
- The real numbers R ordered by the standard less-than-or-equal relation (this is a totally ordered set: for every pair, a ≤ b or b ≤ a, with both holding exactly when a = b)
- The complex numbers C ordered componentwise, a ≤ b if Re a ≤ Re b and Im a ≤ Im b (a partial order that is not total). Note that ordering by the real part alone, as the slide puts it, is not antisymmetric: 1 + i and 1 + 2i would each be below the other without being equal, so that relation is only a preorder
- The set of natural numbers with the relation of divisibility (3 | 6 and 5 | 10, but 7 ∤ 25)
- The set of subsets of a given set (its power set) ordered by inclusion
Figure (Hasse diagram of the power set of {a, b, c}): {a,b,c} at the top; {a,b}, {c,a}, {b,c} below it; {a}, {b}, {c} below those; {} at the bottom

Security level partial order
Figure: nodes Top Secret,{Army,Navy}; Secret,{Army,Navy}; Top Secret,{Army}; Secret,{Army}; Top Secret,{}; Classified,{}; Unclassified,{}, drawn with the dominance relation between them
- A higher level dominates a lower one
- A set of categories dominates a subset
- When neither of two sets is a subset of the other, there is no dominance relation between them
- So Top Secret,{Army} dominates Secret,{Army} and Top Secret,{}
- There is no such relation between Top Secret,{} and Secret,{Army,Navy}, or between Top Secret,{} and Secret,{Army}

Security level lattice
- Given two objects at different security levels, what is the minimal security level a subject must have to be allowed to read both objects?
- Given two subjects at different security levels, what is the maximal security level an object can have while still being readable by both subjects?
- These questions can be answered if the structure is of a particular type
Definition: a lattice L is a partial order in which each pair of elements a and b has a least upper bound u ∈ L (a ≤ u and b ≤ u, and u ≤ v for every other upper bound v of a and b) and a greatest lower bound l ∈ L (l ≤ a and l ≤ b, and w ≤ l for every other lower bound w of a and b)
In the full lattice of (level, category set) pairs, the least upper bound of Secret,{Army} and Top Secret,{} is Top Secret,{Army}, and their greatest lower bound is Secret,{}

Security level lattice (continued)
- It is not strictly necessary to use a lattice in security, but it is convenient
- You do need to have a partial order
- Often (very often) the lattices used have a unique maximal element, which dominates all others, and a unique minimal element, which is dominated by all others
- These maximal and minimal security levels are called System High and System Low

Multi-level security
- In this example we use clearance levels Top Secret > Secret > Classified > Unclassified, and categories Army, Navy, Air Force, ... (the figures call the level below Secret "Classified"; its usual name in government classification schemes is Confidential)
- A compartment is a set of categories
- The complete lattice uses (l1, c1) ≤ (l2, c2) if l1 ≤ l2 and c1 ⊆ c2
- This structure can describe complicated behaviour
- Some systems today have less of a hierarchical component
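The lattice slides above define dominance, least upper bound and greatest lower bound on (level, category set) pairs and pose two questions about reading. As an added example (not the lecture's code), the following implements that lattice and answers both questions by folding join and meet over the labels; it also verifies the lattice axioms exhaustively over the 16 labels that four levels and two categories produce. The level names are the ones the figures use, including "Classified"; everything else is an assumption for illustration.

```python
"""Added example (not from the lecture): the (level, category set) lattice
of the slides, with dominance, join (least upper bound) and meet (greatest
lower bound).  Level names follow the figures; the code is an illustration."""

from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, List

LEVELS = {"Unclassified": 0, "Classified": 1, "Secret": 2, "Top Secret": 3}
CATEGORIES = ("Army", "Navy")


@dataclass(frozen=True)
class Label:
    level: str
    cats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """(l1, c1) >= (l2, c2) iff l1 >= l2 and c1 is a superset of c2."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.cats >= other.cats

    def __repr__(self) -> str:
        return f"{self.level},{{{','.join(sorted(self.cats))}}}"


def comparable(a: Label, b: Label) -> bool:
    return a.dominates(b) or b.dominates(a)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the higher level and the union of categories."""
    lvl = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(lvl, a.cats | b.cats)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the lower level and the intersection."""
    lvl = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(lvl, a.cats & b.cats)


def least_clearance_to_read(objects: Iterable[Label]) -> Label:
    """Question 1: the minimal subject level dominating every object label."""
    result = Label("Unclassified")            # System Low
    for o in objects:
        result = join(result, o)
    return result


def highest_readable_by(subjects: Iterable[Label]) -> Label:
    """Question 2: the maximal object label dominated by every subject label."""
    result = Label("Top Secret", frozenset(CATEGORIES))   # System High
    for s in subjects:
        result = meet(result, s)
    return result


def all_labels() -> List[Label]:
    subsets = [frozenset(c) for n in range(len(CATEGORIES) + 1)
               for c in combinations(CATEGORIES, n)]
    return [Label(l, c) for l in LEVELS for c in subsets]


def verify_lattice() -> bool:
    """Check that join/meet really are LEAST upper and GREATEST lower bounds
    over the whole finite structure (16 labels for 4 levels x 2 categories)."""
    labels = all_labels()
    for a, b in combinations(labels, 2):
        u, l = join(a, b), meet(a, b)
        if not (u.dominates(a) and u.dominates(b) and a.dominates(l) and b.dominates(l)):
            return False
        for v in labels:
            if v.dominates(a) and v.dominates(b) and not v.dominates(u):
                return False
            if a.dominates(v) and b.dominates(v) and not l.dominates(v):
                return False
    return True
```

The two fold functions start from System Low and System High respectively, which is exactly why the slide after this one cares about those two elements existing.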

Example: a firewall in multi-level security
Figure: System high, Inside, Outside, System low; second figure: Firewall, Inside, DMZ, Outside
- A firewall has three levels in this description
- Normally, you only think of firewalls as Inside and Outside, two levels of security
- In this case, you can think of the firewall itself as system high... and the DMZ as system low

Formal security model I: Bell-LaPadula
- This is the classic (always-mentioned) security policy model
- It is only concerned with confidentiality
- It was proposed in 1973 in response to US Air Force concerns about time-sharing mainframe systems
- Identifies a set of core security properties that should be enforced before all others
- Using these core properties and some mathematical tools, it results in a security theorem

Mathematical model of Bell-LaPadula
- Subjects s1, s2, s3, ...
- Objects o1, o2, o3, ...
- Security levels: the lattice of (clearance level, category set) pairs from the previous slides, assigned to subjects and objects
- Access operations: {execute, append, read, write}
- Access control matrix M with one row per subject and one column per object; the figure shows entries such as rw and r for s1, rw for s2, and rwx and r for s3 (the column positions did not survive extraction)

Bell-LaPadula core property I: simple security
Simple security property (ss-property): subject s may read object o only if f_C(s) ≥ f_O(o)
In plain text: a subject may read an object only if the current security level of the subject is higher than or equal to the security level of the object
(In the original model the ss-property is stated with the subject's maximal clearance f_S(s); this lecture uses the current level f_C(s) in both core properties)
Figure: the security level lattice from the previous slides

Simple security is not enough
- Simple security property (ss-property): subject s may read object o only if f_C(s) ≥ f_O(o)
- What happens if a subject with high clearance decides to copy information from a high-level object into a low-level object? The ss-property does not stop this, and afterwards low-cleared subjects can read the high information

Bell-LaPadula core property II: writing to lower levels
*-property ("star" property): subject s may write to object o only if f_C(s) ≤ f_O(o)
In plain text: a subject may write to an object only if the current security level of the subject is lower than or equal to the security level of the object
Figure: the lattice, with a write from a higher to a lower level marked X (forbidden)

Bell-LaPadula core properties
- Simple security property (ss-property): subject s may read object o only if f_C(s) ≥ f_O(o)
- *-property ("star" property): subject s may write to object o only if f_C(s) ≤ f_O(o)
- The standard mnemonic for this is: no read up, no write down

Bell-LaPadula core property problem: communication between levels
- When the core properties are enforced, subjects with high clearance cannot communicate with lower-cleared subjects
- There are two possible solutions: temporarily downgrade high-level subjects, or identify a set of trusted subjects that can violate the *-property
- Temporarily downgrading presupposes that the subjects have no memory, that they can only copy from what they can read; not so natural with human subjects, more likely when modelling computers (which can forget on command)
- A trusted subject can, for example, declassify a secret document
- We now need a way to describe temporary security levels for subjects: the current security level f_C(s) handles this, and it is always less than or equal to the subject's maximal security level f_S(s)

Discretionary access in Bell-LaPadula
Discretionary security property (ds-property): subject s may access object o with operation a only if a ∈ M(s, o)
In plain text: a subject may access an object only if the access is allowed by the discretionary access control matrix M

Time in Bell-LaPadula
- Subjects access objects, and the accesses change over time
- At a given moment, a table can be written down listing the current accesses as triples of subject s, object o and operation a
- The discretionary access control matrix M is also allowed to change over time
- Finally, the current security levels f_C and f_O can also change
- All of this can be collected into the state of the system; Bell-LaPadula becomes a finite state machine (model)
Figure: a state machine starting at "start" and moving through states b_a, b_b, b_c, b_d, b_e, b_f

Secure states and transitions in Bell-LaPadula
- A state is secure if all the accesses in the current access table are allowed by all three of the ss-, *- and ds-property
- This takes into account the security levels and the discretionary access control matrix M, checking against the current security level f_C(s) of the state
- A transition is secure if it takes the model from one secure state to another

Basic security theorem of Bell-LaPadula
Theorem: if all state transitions in a system are secure and the initial state of the system is secure, then every subsequent state will be secure
- The proof is now simple (induction over the sequence of transitions); the hard work is to identify (and formally define) the core properties:
- Simple security property (ss-property): subject s may read object o only if f_C(s) ≥ f_O(o)
- *-property ("star" property): subject s may write to object o only if f_C(s) ≤ f_O(o)
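The state-machine view of the last few slides is easy to make executable. As an added example (not the lecture's code), the following holds a BLP state (current access set, matrix M, and the level functions f_S, f_C and f_O), reports every violation of the ss-, *- and ds-properties, and implements the secure transition rule: a request or a temporary downgrade is only taken if the resulting state is secure, which is precisely the hypothesis of the basic security theorem. One detail follows the original model rather than the slides: "write" both observes and alters, so both properties apply to it, while "append" only alters and "execute" does neither. The subjects, objects, labels and matrix are constructed for illustration.

```python
"""Added example (not from the lecture): a Bell-LaPadula state machine in
the lecture's terms, with the secure transition rule.  Subjects, objects,
labels and the matrix in initial_state() are constructed inputs."""

from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set, Tuple

LEVELS = {"Unclassified": 0, "Classified": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    cats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return LEVELS[self.level] >= LEVELS[other.level] and self.cats >= other.cats


OBSERVE = {"r", "w"}   # ss-property applies: f_C(s) must dominate f_O(o)
ALTER = {"a", "w"}     # *-property applies: f_O(o) must dominate f_C(s)

Access = Tuple[str, str, str]   # (subject, object, operation)


@dataclass(frozen=True)
class State:
    b: FrozenSet[Access]                       # current accesses
    M: Dict[Tuple[str, str], FrozenSet[str]]   # discretionary matrix
    f_S: Dict[str, Label]                      # maximal clearance
    f_C: Dict[str, Label]                      # current level
    f_O: Dict[str, Label]                      # object classification


def violations(st: State) -> Set[str]:
    """Every way the state fails to be secure (empty set = secure state)."""
    v: Set[str] = set()
    for s, o, op in st.b:
        if op in OBSERVE and not st.f_C[s].dominates(st.f_O[o]):
            v.add(f"ss-property: {s} {op} {o}")
        if op in ALTER and not st.f_O[o].dominates(st.f_C[s]):
            v.add(f"*-property: {s} {op} {o}")
        if op not in st.M.get((s, o), frozenset()):
            v.add(f"ds-property: {s} {op} {o}")
    for s, cur in st.f_C.items():
        if not st.f_S[s].dominates(cur):
            v.add(f"f_C above f_S: {s}")
    return v


def is_secure(st: State) -> bool:
    return not violations(st)


def _step(st: State, nxt: State) -> Tuple[State, bool]:
    """Secure transition rule: move only into a secure state, else stay put."""
    return (nxt, True) if is_secure(nxt) else (st, False)


def request(st: State, s: str, o: str, op: str) -> Tuple[State, bool]:
    return _step(st, replace(st, b=st.b | {(s, o, op)}))


def release(st: State, s: str, o: str, op: str) -> State:
    return replace(st, b=st.b - {(s, o, op)})


def set_current_level(st: State, s: str, new: Label) -> Tuple[State, bool]:
    """Temporary downgrade of a subject; refused while it still holds an
    access that would become a violation at the new level."""
    return _step(st, replace(st, f_C={**st.f_C, s: new}))


def initial_state() -> State:
    """Constructed scenario: a Top Secret and a Secret subject, three objects,
    and a permissive matrix so that mostly the mandatory rules bite."""
    ts_an = Label("Top Secret", frozenset({"Army", "Navy"}))
    s_a = Label("Secret", frozenset({"Army"}))
    subjects = {"high": ts_an, "low": s_a}
    objects = {"o_ts": Label("Top Secret", frozenset({"Army"})),
               "o_s": s_a, "o_u": Label("Unclassified")}
    M = {(s, o): frozenset("rwax") for s in subjects for o in objects}
    M[("low", "o_s")] = frozenset("r")          # one discretionary restriction
    return State(frozenset(), M, dict(subjects), dict(subjects), objects)


def run(st: State, requests: List[Access]) -> Tuple[State, List[bool]]:
    outcomes = []
    for s, o, op in requests:
        st, ok = request(st, s, o, op)
        outcomes.append(ok)
    return st, outcomes
```

The test below walks the scenario of the "communication between levels" slide: the high subject cannot write to the unclassified object while it is reading Top Secret, cannot be downgraded while it still holds that read, and can write down only after releasing the read and lowering f_C, which the model allows because it assumes the subject forgets what it read.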

Benefits and limitations of Bell-LaPadula
- If a system can be described using BLP, security can be verified (formally)
- BLP only deals with confidentiality
- There are problems when security levels change: the book speaks about tranquility and covert channels

Tranquility in Bell-LaPadula
- A paper from 1987 presents a BLP model where a secure state transition downgrades all objects and subjects to the lowest level and enters all access rights in the access control matrix
- But the model is still secure, because of the theorem
- There are two opinions. Against BLP: this is obviously not what we mean by secure, improve BLP! For BLP: this state transition is not secure from our viewpoint, so it should not be allowed, use BLP properly!
- The absence of changes in security levels and access rights is called tranquility

Covert channels in Bell-LaPadula
- A covert channel is information flow outside the control of the security mechanisms
- In BLP, a low-level subject creates an object
- A high-level subject may, or may not, raise the security level of the object
- The low-level subject tries to read the object
- Failure or success tells the low-level subject whether the security level changed
- This constitutes a flow of information from high to low, one bit per object, even though every single operation obeys the ss- and *-properties, and is known as a covert channel
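The channel described on this slide can be simulated in a few lines. As an added example (not the lecture's code), the following runs it against a minimal reference monitor that enforces no-read-up on reads and only lets a subject raise an object's label to a level it dominates. Every operation the monitor permits is policy-compliant, yet "high" transmits one bit per object to "low" through the success or failure of low's read. The monitor also keeps a log, and the one footprint the channel leaves there, denied reads by the low subject, is what a detection rule would count. Labels, subjects and the message are constructed inputs.

```python
"""Added example (not from the lecture): the BLP covert channel of the
slide, simulated against a minimal reference monitor.  All inputs are
constructed for illustration."""

from typing import Dict, List, Tuple

LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}


def dominates(a: str, b: str) -> bool:
    return LEVELS[a] >= LEVELS[b]


class Monitor:
    def __init__(self) -> None:
        self.f_O: Dict[str, str] = {}
        self.log: List[Tuple[str, str, str, bool]] = []   # (subject, op, object, permitted)

    def create(self, subject: str, level: str, name: str) -> None:
        """A new object gets its creator's current level."""
        self.f_O[name] = level
        self.log.append((subject, "create", name, True))

    def upgrade(self, subject: str, level: str, name: str, new_level: str) -> bool:
        """Raising a label is allowed if the new label dominates the old one
        and the requesting subject dominates the new label (never a downgrade)."""
        ok = dominates(new_level, self.f_O[name]) and dominates(level, new_level)
        if ok:
            self.f_O[name] = new_level
        self.log.append((subject, "upgrade", name, ok))
        return ok

    def read(self, subject: str, level: str, name: str) -> bool:
        """ss-property: the reader's level must dominate the object's."""
        ok = dominates(level, self.f_O[name])
        self.log.append((subject, "read", name, ok))
        return ok


def send(monitor: Monitor, bits: str) -> None:
    """high signals bit i by upgrading object i (1) or leaving it alone (0);
    low creates the objects at its own level first."""
    for i, bit in enumerate(bits):
        name = f"obj{i}"
        monitor.create("low", "Unclassified", name)
        if bit == "1":
            monitor.upgrade("high", "Top Secret", name, "Top Secret")


def receive(monitor: Monitor, count: int) -> str:
    """low recovers the bits: a denied read means the label was raised."""
    return "".join("0" if monitor.read("low", "Unclassified", f"obj{i}") else "1"
                   for i in range(count))


def denied_reads_by(monitor: Monitor, subject: str) -> int:
    """The channel's footprint: every transmitted 1 is a denied read by low.
    A burst of denials by one low subject on objects it created itself is
    the pattern to alert on."""
    return sum(1 for s, op, _, ok in monitor.log
               if s == subject and op == "read" and not ok)


def roundtrip(bits: str) -> Tuple[str, int]:
    m = Monitor()
    send(m, bits)
    return receive(m, len(bits)), denied_reads_by(m, "low")
```

Nothing in Monitor is wrong by the letter of the ss- and *-properties; the leak is in the pattern of decisions, which is why covert channels are handled by auditing and bandwidth limits rather than by the access rules themselves.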
