Chapter 4
Subject attributes (ABAC)
- A subject is an active entity (e.g., a user, an application, a process, or a device) that causes information to flow among objects or changes the system state. - define the identity and characteristics of the subject. - the subject's identifier, name, organization, job title, role
ABAC Policies
- a set of rules and relationships that govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions. - privileges represent the authorized behavior of a subject; defined by an authority and embodied in a policy ( rights , authorizations , or entitlements). - written from the perspective of the object that needs protecting and the privileges available to subjects.
Capability Ticket
- Access matrix decomposition by rows - specifies authorized objects and operations for a particular user. - Each user has a number of tickets and may be authorized to loan or give them to others. - may be dispersed around the system, they present a greater security problem than access control lists. - the ticket must be unforgeable by having the OS hold all tickets on behalf of users and store in memory inaccessible to users. - to include an unforgeable token (a large random password, or a cryptographic message authentication code) - Good: determine the set of access rights that a given user has - Bad: more difficult to determine the list of users with specific access rights for a specific resource.
Object attributes (ABAC)
- An object (a resource) is a passive (in the context of the given request) information system-related entity (e.g., devices, files, records, tables, processes, programs, networks, domains) containing or receiving information. - objects have attributes that can be leveraged to make access control decisions. - title, subject, date, and author, ownership
Attribute-Based Access Control (ABAC)
- Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions. - can define authorizations that express conditions on properties of both the resource and the subject. - strength is its flexibility and expressive power. - OBSTACLE: concern about the performance impact of evaluating predicates on both resource and user properties for each access. - Web services have been pioneering technologies through the introduction of the eXtensible Access Control Markup Language (XAMCL) - there is considerable interest in applying the model to cloud services - 3 key elements: attributes, which are defined for entities in a configuration; a policy model, and the architecture model, which applies to policies that enforce access control. - distinguishable because it controls access to objects by evaluating rules against the attributes of entities (subject and object), operations, and the environment relevant to a request. - relies upon the evaluation of attributes of the subject, attributes of the object, and a formal relationship or access control rule defining the allowable operations for subject-object attribute combinations in a given environment. - capable of enforcing DAC, RBAC, and MAC concepts. - allows an unlimited number of attributes to be combined to satisfy any access control rule.
Mandatory Access Control (MAC)
- Controls access based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate system entities are eligible to access certain resources). - an entity that has clearance to access a resource MAY NOT enable another entity to access that resource. - evolved out of requirements for military information security
Role-Based Access Control (RBAC)
- Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles - models define a role as a job function within an organization. - assign access rights to roles instead of individual users. - users are assigned to different roles, either statically or dynamically, according to their responsibilities. - Each role will have specific access rights to one or more resources.
computer security
- Measures that implement and assure security services in a computer system - to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner - to enable legitimate users to access resources in an authorized manner.
access matrix
- One dimension consists of identified subjects that may attempt access to the resources - The other dimension lists the objects that may be accessed - Each entry in the matrix indicates the access rights of a particular subject for a particular object.
extended access control matrix
- The model assumes a set of subjects, a set of objects, and a set of rules that govern the access of subjects to objects. - slide 11
Environment attributes (ABAC)
- These attributes have so far been largely ignored in most access control policies - describe the operational, technical, and even situational environment or context in which the information access occurs. - current date and time, the current virus/hacker activities, and the network's security level (e.g., Internet vs. intranet), are not associated with a particular subject nor a resource, but may nonetheless be relevant in applying an access control policy.
File access control
- Unique user identification number (user ID) - Member of a primary group identified by a group ID - Belongs to a specific group - 12 protection bits to specify read, write, and execute permission for the owner of the file, members of the group and all other users - The owner ID, group ID, and protection bits are part of the file's inode - When a file is created, it is designated as owned by a particular user and marked with that user's ID. It also belongs to a specific group. - These form a hierarchy of owner, group, and all others, with the highest relevant set of permissions being used. - Figure 4.5a shows an example in which the file owner has read and write access; all other members of the file's group have read access, and users outside the group have no access rights to the file.
Role Hierarchy
- a means of reflecting the hierarchical structure of roles in an organization. - job functions with greater responsibility have greater authority to access resources. - A subordinate job function may have a subset of the access rights of the superior job function. - the concept of inheritance - slide 24: A line between two roles implies that the upper role includes all of the access rights of the lower role, as well as other access rights not available to the lower role. Two roles can have overlapping access rights.
object
- a resource to which access is controlled - used to contain and/or receive information - The number and types to be protected by an access control system depend on the environment in which access control operates and the desired tradeoff between security and complexity, processing burden, and ease of use.
Protection Domain
- a set of objects together with access rights to those objects. - More flexibility - In terms of the access matrix, a row defines a protection domain - User can spawn processes with a subset of the access rights of the user - Association between a process and a domain can be static or dynamic - In user mode certain areas of memory are protected from use and certain instructions may not be executed - In kernel mode, privileged instructions may be executed and protected areas of memory may be accessed
mutually exclusive roles
- a user can be assigned to only one role in the set (either dynamically during a session or statically) - supports a separation of duties and capabilities within an organization. - use of mutually exclusive permission assignments. - Any permission (access right) can be granted to only one role in the set. - non-overlapping permissions. If two users are assigned to different roles in the set, then the users have non-overlapping permissions while assuming those roles. - increase the difficulty of collusion among individuals of different skills or divergent job functions to thwart security policies.
subject
- an entity capable of accessing objects - held accountable for the actions they have initiated, and an audit trail may be used to record the association of a subject with security-relevant actions performed on an object by the subject. • Owner: creator of a resource or system administrator, project administrator or leader • Group: a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a user may belong to multiple groups. • World: The least amount of access is granted to users who are able to access the system but are not included in the categories owner and group for this resource.
access control
- central element of computer security - the process of granting or denying specific requests to: (1) obtain, use information & related information processing services; (2) enter specific physical facilities - implements a security policy that specifies who or what (e.g., in the case of a process) may have access to each specific system resource and the type of access that is permitted in each instance.
access right
- describes the way in which a subject may access an object. - Read, Write, Execute, Delete, Create, Search
Prerequisite roles
- dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role. - In a hierarchy, it might be required that a user can be assigned to a senior (higher) role only if it is already assigned an immediately junior (lower) role. - tied to the concept of hierarchy & least privilege
Constraints - RBAC
- provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. - a defined relationship among roles or a condition related to roles. - types: mutually exclusive roles, cardinality, and prerequisite roles.
Cardinality
- setting a maximum number with respect to roles. - set the number of role that a user is assigned to, or the number of roles a user can activate for a single session. - set a maximum number of roles that can be granted a particular permission
Access Control List (ACL)
- slide 9 - yield through access matrix decomposed by columns - For each object, lists users and their permitted access rights. => provide information for a given resource - may contain default or public entry. - allows users that are not explicitly listed as having special rights to have a default set of rights. - The default set of rights should always follow the rule of least privilege or read-only access - Good: When it is desired to determine which subjects have which access rights to a particular resource - Bad: not convenient for determining the access rights available to a specific user.
Discretionary Access Control (DAC)
- the traditional method of implementing access control - A means of restricting access to objects based on the identity of subjects and/or groups to which they belong - Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. - an entity might have access rights that permit the entity to enable another entity to access some resource. - Often provided using an access matrix (slide 8)
Access control matrix representation of RBAC
-slide 21 - The upper matrix relates individual users to roles. - a single user may be assigned multiple roles (more than one mark in a row) and that multiple users may be assigned to a single role (more than one mark in a column). - The lower matrix has roles as subjects. - a role can be treated as an object, allowing the definition of role hierarchies. - least privilege - Each role should contain the minimum set of access rights needed for that role. A user is assigned to a role that enables him or her to perform only what is required for that role. Multiple users assigned to the same role, enjoy the same minimal set of access rights.
audit
An independent review and examination of system records and activities - to test for adequacy of system controls, - to ensure compliance with established policy and operational procedures, - to detect breaches in security - to recommend any indicated changes in control, policy, and procedures.
Authorization Table
Matrix of access control objects, subjects, and their associated rights - contains one row for one access right of one subject to one resource. - Sorting or accessing by subject is equivalent to a capability list. - Sorting or accessing by object is equivalent to an ACL.
authorization
The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose.
authentication
Verification that the credentials of a user or other system entity are valid.
access control policies
can be embodied in an authorization database, dictates what types of access are permitted, under what circumstances, and by whom. 4 types: - Discretionary Access Control (DAC) - Mandatory Access Control (MAC) - Role-Based Access Control (RBAC) - Attribute-Based Access Control (ABAC)
ABAC Architecture
slide 29 + 30
Architecture of access control
slide 4 - The system must first authenticate an entity seeking access. Typically, the authentication function determines whether the user is permitted to access the system at all. - The access control function determines if the specific requested access by this user is permitted. A security administrator maintains an authorization database that specifies what type of access to which resources is allowed for this user. The access control function consults this database to determine whether to grant access. - An auditing function monitors and keeps a record of user accesses to system resources.
Basic elements of access control
subject, object, and access right