Chapter 4
Protection Domain
(LAMP71) A set of objects together with access rights to those objects In terms of an access matrix, a row defines a protection domain; thus, each user has a protection domain, shared by any processes spawned by that user (Might be a subset of the access rights)
Key ABAC Elements
- Attributes: Defined for entities in a configuration - Policy model: Defines the ABAC policies - Architecture model: Applies to policies that enforce access control
Lifecycle Management (ICAM)
- Mechanisms, policies, and procedures for protecting personal identity information - Controlling access to identity data - Techniques for sharing authoritative identity data with applications that need it - Revocation of an enterprise identity
RBAC Relationships
- The relationship of users to roles is many to many - The relationship of roles to resources is many to many - The set of users changes, in some environments frequently, and the assignment of a user to one or more roles may also be dynamic - The set of roles in the system in most environments is relatively static, with only occasional additions or deletions -The set of resources and the specific access rights associated with a particular role are also likely to change infrequently
Subject Access to an Object (ABAC)
1. A subject requests access to an object. This request is routed to an access control mechanism 2. The access control mechanism is governed by a set of rules. Based on these rules, the access control mechanism assesses the attributes of the subject, object, and current environmental conditions to determine authorization 3. The mechanism grants or denies access based on its assessment
ABAC Solution Core Capabilities
1. ABAC systems are capable of enforcing DAC, RBAC and MAC concepts 2. ABAC enables fine-grained access control, which allows for a higher number of discrete inputs into an access control decision, providing a bigger set of possible combinations 3. Moreover, ABAC systems can be implemented to satisfy a wide array of requirements from basic access control lists through advanced expressive policy models
Protection Bits
12 bits associated with each file and considered part of the file's inode - 9 of the protection bits specify read, write, and execute permission for the Owner, Group and Other - The other 3 bits define special behavior for files or directories -- SetUID -- SetGID -- Sticky bit
Superuser
A UNIX user who is exempt from the usual file access control constraints and has system-wide access.
Access Matrix
A common means of implementing DAC in which one dimension of a matrix consists of identified subjects that may attempt data access to the resources. - Typically it consists of individual users or user groups, though it can also be done by terminals, network equipment, hosts or applications The other dimension lists the objects that may be accessed - Each object might have its own data field, or grouped by types that take up a single data field Each entry in the matrix indicates the access rights of a particular subject for a particular object
Identity, Credential, and Access Management (ICAM)
A comprehensive approach to managing and implementing digital identities (And associated attributes), credentials and access control
Inode (Index node)
A control structure containing the key information needed by the OS for a particular file (UNIX). All types of UNIX files are administered by the OS through their use - Several file names may be associated with a single _______ - an active _______ is associated with exactly one file, and each file is controlled by exactly one _______ - Directories also have _______
Credential Production
A credential is produced. Depending on the credential type, production may involve encryption, the use of a digital signature, the production of a smartcard, or other functions.
Subdirectory
A directory contained inside another directory.
Subject Hierarchy
A hierarchy of subjects who are the "Owners" of other subjects because they created those subjects, going all the way back up to the "root" subject Child subjects are created with a subset of the parents access rights
Role (RBAC)
A job function within an organization
Inode Table/List
A location on the hard disk containing the inodes of all the files in the file system - When a file is opened, its inode is brought into main memory and stored in a memory-resident inode table
Session
A mapping between a user and an activated subset of the roles to which the user is assigned - Used to define a temporary one-to-many relationship between a user and one or more of the roles to which they've been assigned The user establishes a session with only the roles needed for a particular task (Least privilege)
Cardinality
A maximum number with respect to roles - Ex: maximum number of users that can be assigned to a given role OR maximum # of roles per user
Group
A named group of users granted access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a user may belong to multiple groups.
Role
A named job function within the organization that controls this computer system. Typically, associated with each ______ is a description of the authority and responsibility conferred on this role
Authorization Table
A non-sparse, more convenient method of implementing an access control data structure Each row is for one access right of one subject to one resource, meaning it can be sorted by subject (Like a Capability List) or by object (Like an ACL). Typically done as a relational database
Constraints
A relationship among roles or a condition related to roles - SAND96 lists the constraint types: Mutually exclusive roles, Cardinality, Prerequisite roles - Provide a means of adapting RBAC to the specifics of administrative and security policies in an organization
Object
A resource to which access is controlled; an entity used to contain and/or receive information - Records, blocks, pages, files, directories, etc.
Identity Federation
A term used to describe the technology, standards, policies and processes that allow an organization to trust digital identities, identity attributes, and credentials created and issued by another organization
Processes
Access rights include the ability to delete a process, stop (Block), and wake up a process
Memory Location/Region
Access rights include the ability to read/write certain regions of memory that are protected such that the default is to disallow access.
Devices
Access rights include the ability to read/write the device, to control its operation (e.g., a disk seek), and to block/unblock the device for use
Mutually Exclusive Permission Assignments
An additional constraint added to mutually exclusive roles; it has the following properties: 1. A user can only be assigned to one role in the set (either during a session or statically) 2. Any permission (access right) can be granted to only one role in the set I.e. non-overlapping permissions
Permission
An approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization
Credential Sponsorship
An authorized individual sponsors an individual or entity for a credential to establish the need for the credential
Subject
An entity capable of accessing objects - Typically it's a process (Processes access things on behalf of users and applications) - Held accountable for the actions they initiate and may have an audit trail created to record their actions
Access Control List (ACL)
An implementation of an access matrix in which it is decomposed by columns For each object, it lists users and their permitted access rights. It may also contain a default/public entry for those who do not have specified rights and typically has the fewest rights
Capability Tickets
An implementation of an access matrix in which it is decomposed by rows Specifies authorized objects and operations for a particular user. Each user has a number of tickets and may be authorized to loan or give them to others, which requires further security measures to keep secure
Audit
An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures.
User
An individual that has access to this computer system. Each individual has an associated user ID
Access Matrix Controller
An object access controller specifically being used to managed the access matrix itself
ABAC Object
An object, also referred to as a resource, is a passive containing or receiving information.
Process and Protection Domain Association
Can be static or dynamic. For example, a process may execute a sequence of procedures and require different access rights for each procedure, such as read file and write file
Resource Management
Concerned with defining rules for a resource that requires access control. The rules would include - credential requirements - user attributes - resource attributes - environmental conditions
Privilege Management
Concerned with establishing and maintaining the privilege/entitlement attributes that comprise an individual's access profile. These attributes represent features of an individual that can be used as the basis for determining access decisions to both physical and logical resources. - Privileges are considered attributes that can be linked to a digital identity.
Attribute-Based Access Control (ABAC)
Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions. - Can define authorizations that express conditions on properties of both the resource and the subject - Strength is in flexibility and expressive power - Mostly used for Web and Cloud (XAMCL)
Discretionary Access Control (DAC)
Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. Discretionary because an entity might have access rights that permit it to enable another entity to access some resource.
Role-Based Access Control (RBAC)
Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles. - Access rights are assigned to roles, not the users themselves
Mandatory Access Control (MAC)
Controls access by comparing security labels with security clearances Mandatory because an entity that has clearance to access a resource may not enable another entity to access that resource without higher approval
ICAM Purposes
Create trusted digital identity representations of individuals and Nonperson Entities (NPEs) - NPEs include processes, applications and automated devices seeking access to a resource Bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions Use the credentials to provide authorized access to an agency's resources
Multiple Access Control Policies
DAC, MAC, RBAC and ABAC are not mutually exclusive, and some mechanisms may employ multiple of these policies to cover different classes of system resources
Access Management
Deals with the management and control of the ways entities are granted access to resources. It covers both logical and physical access, and may be internal to a system or an external element - Purpose is to ensure proper identity verification - Three support elements: Resource management, Privilege management and Policy management
Access Right
Describes the way in which a subject may access an object Could include: Read, Write, Execute, delete, Create and Search
Prerequisite Role
Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role - used to structure the implementation of the least privilege concept
Access Control Policy
Dictates what types of access are permitted, under what circumstances, and by whom. Access control policies are generally grouped into the following categories - DAC - MAC - RBAC - ABAC Can be embodied in an authorization database,
ICAM Goal
Establish a trustworthy digital identity that is independent of a specific application or context.
setfacl
FreeBSD (UNIX-based OS) allows an administrator to assign a list of UNIX user IDs and groups to a file with this command
Extended ACL Support
FreeBSD and most UNIX implementations that support extended ACLs use the following strategy 1. The owner class and other class entries in the 9-bit permission field have the same meaning as in the minimal ACL case. 2. The group class entry specifies the maximum permissions that can be assigned to named users or named groups, other than the owning user. In this latter role, the group class entry functions as a mask. 3. Additional named users and named groups may be associated with the file, each with a 3-bit permission field. The permissions listed for a named user or named group are compared to the mask field. Any permission for the named user or named group that is not present in the mask field is disallowed.
Policy Management
Governs what is allowable and unallowable in an access transaction. That is, given the identity and attributes of the requestor, the attributes of the resource or object, and environmental conditions, a policy specifies what actions this user can perform on this object
Set User ID (SetUID)
If active for an executable file, any user who executes the file temporarily inherits the rights of the file's creator - Also known as the "effective user ID" (As opposed to "real user ID) - Ignored for directories
SetGroupID (SetGID)
If active for an executable file, any user who executes the file temporarily inherits the rights of the file's group - Also known as the "effective group ID" (As opposed to "real group ID") - For directories it means newly created files automatically inherit the group the directory belongs to
Security Label
Indicates how sensitive or critical an associated resource is
Security Clearance
Indicates what system entities are eligible to access certain resources
Credential Maintenance
Might include revocation, reissuance/replacement, reenrollment, expiration, personal identification number (PIN) reset, suspension, or reinstatement
RBAC Use
NIST FIPS PUB 140-3 requires support for access control and administration through roles
Classes of Subjects
Owner, Group and World
Access Control System Commands
Pg. 123 has a table summarizing these weird formula-rules
Access Control (RF 4949)
Process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy
Role Hierarchies
Provide a means of reflecting the hierarchical structure of roles in an organization. - Typically, job functions with greater responsibility have greater authority to access resources - A subordinate job function may have a subset of the access rights of the superior job function
RBAC1
RBAC1 includes the RBAC0 functionality and adds role hierarchies, which enable one role to inherit permissions from another role
RBAC2
RBAC2 includes RBAC0 and adds constraints, which restrict the ways in which the components of a RBAC system may be configured
RBAC3
RBAC3 contains the functionality of RBAC0, RBAC1, and RBAC2
Basic Elements of Control
Subject, Object and Access Right
Access Control
The central element of computer security. The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.
Credential Issuance
The credential is issued to the individual or NPE
Directory Execute Permission
The execute permission for a directory means you can open it or search it for a file it contains
Authorization
The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose.
World
The least amount of access is granted to users who are able to access the system but are not included in the categories owner and group for this resource.
Credential Management
The management of the life cycle of the credential, with 5 logical components - Sponsorship - Enrollment - Production - Issuance - Maintenance
User Mode
The mode a user program executes on a computer, in which certain areas of memory are protect from the user's use and certain instructions may not be executed
Kernel/System Mode
The mode system routines are executed in, in which privileged instructions may be executed and protected areas of memory may be accessed
Access Control (NIST IR 7298)
The process of granting or denying specific requests to: - Obtain and use information and related information processing services and/or - Enter specific physical facilities
Credential Enrollment
The sponsored individual enrolls for the credential, a process which typically consists of identity proofing and the capture of biographic and biometric data. This step may also involve incorporating authoritative attribute data
Owner
This may be the creator of a resource, such as a file. For system resources, ownership may belong to a system administrator.
Authentication vs. Access Control
Typically, the authentication function determines whether the user is permitted to access the system at all. The access control function determines if the specific requested access by this user is permitted, typically by consulting a database of access rights for various user/types of users
Write
User may add, modify or delete data in the system resource - Includes read access as well
Create
User may create new files, records, or fields
Delete
User may delete certain system resources, such as files or records
Execute
User may execute the specified program
Search
User may list the files in a directory or otherwise search the directory
Read
User may view information in a system resource, as well as copy it and print it
RBAC0 Entities
User, Role, Permission and Session
Authentication
Verification that the credentials of a user or other system entity are valid.
ACL File Access Steps
When a process requests access to a file system object: 1. The ACL entry that most closely matches the requesting process is selected - Search order goes: Owner, Named users, (Owning or named) groups, others 2. Check if the matching entry contains sufficient permissions - Possible for multiple entries to match; the system will always choose the one with sufficient permissions, if any
Sticky Bit
When set on a file, it indicates the system should retain the file contents in memory following executing When applied to a directory, it specifies only the owner of any file in the directory can rename, move or delete that file
ABAC Subject
an active entity that causes information to flow among objects or changes the system state
RBAC0
contains the minimum functionality for an RBAC system
SAND96
defines a family of RBAC reference models that has served as the basis for ongoing standardization efforts - Consists of four related models -- RBAC0 -- RBAC1 -- RBAC2 -- RBAC3
Environment Attributes
describe the operational, technical, and even situational environment or context in which the information access occurs. For example, attributes, such as current date and time - Largely ignored in most access control policies to date
Access Control Mechanism
mediates between a user (or a process executing on behalf of a user) and system resources, such as applications, operating systems, firewalls, routers, files, and databases
Object Attributes
objects have attributes that can be leveraged to make access control decisions; can often be extracted from the metadata of the object
ABAC Privileges
represent the authorized behavior of a subject; they are defined by an authority and embodied in a policy - AKA rights, authorizations, and entitlements
Mutually Exclusive Roles
roles such that a user can be assigned to only one role in the set - This limitation could be a static one, or it could be dynamic, in the sense that a user could be assigned only one of the roles in the set for a session - Supports separation of duties and capabilities in an organization
ABAC Policy
set of rules and relationships that govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions
Subject Attributes
subject has associated attributes that define the identity and characteristics of the subject. Such attributes may include the subject's identifier, name, organization, job title, and so on. A subject's role can also be viewed as an attribute.
