Computer Security, CS 426, Lecture 15
Discretionary Access Control vs Mandatory Access Control
Elisa Bertino, Purdue University, IN, [email protected]

Discretionary Access Control (DAC)
• No precise definition
• Widely used in modern operating systems
• In most implementations it has the notion of owner of an object
• The owner controls other users' accesses to the object
• Allows access rights to be propagated to other subjects

Problems with DAC in OS
• DAC cannot protect against
– Trojan horse
– Malware
– Software bugs
– Malicious local users
• It cannot control information flow

The Trojan Horse
[Figure: process P, running with alice's identity, reads O1 and writes O2. ACL of O1: (alice, r, O1). ACL of O2: (alice, r, O2), (alice, w, O2), (mallory, r, O2).]
Because P runs with alice's rights, a Trojan horse inside P can copy the contents of O1 into O2, which mallory is allowed to read. DAC checks only the identity of the user running P, not where the information ends up.

Mandatory Access Control
• Mandatory access control (MAC) restricts the access of subjects to objects based on a system-wide policy
• The system security policy (as set by the administrator) entirely determines the access rights granted
– denying users full control over the access to resources that they create

The Need for MAC
• Host compromise by network-based attacks is the root cause of many serious security problems
– Worm, Botnet, DDoS, Phishing, Spamming
• Why hosts can be easily compromised
– Programs contain exploitable bugs
– The discretionary access control mechanism in operating systems was not designed with buggy software in mind

MAC
• MAC specifies the access that subjects have to objects based on the classification of subjects and objects
• This type of security has also been referred to as multilevel security
• Database systems that satisfy multilevel security properties are called multilevel secure database management systems (MLS/DBMSs)
• Many of the MLS/DBMSs have been designed based on the Bell and LaPadula (BLP) model

A Characterization of the Difference between DAC and MAC
– Discretionary Access Control Models (DAC)
• Definition [Bishop p.53] If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
– Mandatory Access Control Models (MAC)
• Definition [Bishop p.53] When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC) [, occasionally called a rule-based access control.]

Bell and LaPadula (BLP) Model
Elements of the model:
– objects: passive entities containing information to be protected
– subjects: active entities requiring accesses to objects (users, processes)
– access modes: types of operations performed by subjects on objects
• read: reading operation
• append: modification operation
• write: both reading and modification

BLP Model
• Subjects are assigned clearance levels and they can operate at a level up to and including their clearance levels
• Objects are assigned sensitivity levels
• The clearance levels as well as the sensitivity levels are called access classes

BLP Model - access classes
• An access class consists of two components: a security level and a category set
• The security level is an element from a totally ordered set - example: {Top Secret (TS), Secret (S), Confidential (C), Unclassified (U)} where TS > S > C > U
• The category set is a set of elements, dependent on the application area in which data are to be used - example: {Army, Navy, Air Force, Nuclear}

BLP Model - access classes
Access class ci = (Li, SCi) dominates access class ck = (Lk, SCk), denoted ci ≥ ck, if both the following conditions hold:
– Li ≥ Lk: the security level of ci is greater than or equal to the security level of ck
– SCi ⊇ SCk: the category set of ci includes the category set of ck

BLP Model - access classes
• If ci ≥ ck and ci ≠ ck (that is, Li > Lk or SCi ⊃ SCk, with the other component still satisfying the dominance condition), we say that ci strictly dominates ck, denoted ci > ck
• ci and ck are said to be incomparable (denoted ci <> ck) if neither ci ≥ ck nor ck ≥ ci holds

BLP Model - Examples
Access classes:
c1 = (TS, {Nuclear, Army})
c2 = (TS, {Nuclear})
c3 = (C, {Army})
• c1 ≥ c2 (same level, and {Nuclear} ⊂ {Nuclear, Army})
• c1 ≥ c3 (TS > C and {Army} ⊂ {Nuclear, Army})
• c2 <> c3 (TS > C, but neither {Nuclear} nor {Army} includes the other)

BLP Model - Axioms
• The state of the system is described by the pair (A, L), where:
– A is the set of current accesses: triples of the form (s, o, m) denoting that subject s is exercising access m on object o - example (Bob, o1, read)
– L is the level function: it associates with each element in the system its access class. Let O be the set of objects, S the set of subjects, and C the set of access classes; then L : O ∪ S → C

BLP Model - Axioms
• Simple security property (no-read-up)
A given state (A, L) satisfies the simple security property if for each element a = (s, o, m) ∈ A one of the following conditions holds:
1. m = append
2. (m = read or m = write) and L(s) ≥ L(o)
• Example: a subject with access class (C, {Army}) is not allowed to read objects with access classes (C, {Navy, Air Force}) or (U, {Air Force})

BLP Model - Axioms
• The simple security property prevents subjects from reading data whose access class strictly dominates, or is incomparable with, the subject's access class
• It therefore ensures that subjects have access only to information for which they have the necessary access class

BLP Model - Axioms
• Star (*) property (no-write-down)
A given state (A, L) satisfies the *-property if for each element a = (s, o, m) ∈ A one of the following conditions holds:
1. m = read
2. m = append and L(o) ≥ L(s)
3. m = write and L(o) = L(s)
• Example: a subject with access class (C, {Army, Nuclear}) is not allowed to append data into objects with access class (U, {Army, Nuclear})

BLP Model - Axioms
• The *-property has been defined to prevent information flow into objects with lower-level access classes or incomparable classes
• For a system to be secure, both properties must be satisfied by every system state

BLP Model
• Summary of access rules:
– Simple security property: a subject has read access to an object if its access class dominates the access class of the object
– *-Property: a subject has append access to an object if the subject's access class is dominated by that of the object, and write (read and modify) access only if the two access classes are equal

An Example of Application: The DG/Unix B2 System
• B2 is an evaluation class for secure systems defined as part of the Trusted Computer System Evaluation Criteria (TCSEC), known also as the Orange Book
• DG/Unix provides mandatory access controls
– MAC label identifies security level
– Default labels, but can define others
• Initially
– Processes
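The dominance relation, the simple security property, the *-property and the Trojan horse scenario from the earlier DAC slide, worked through in code. This is an added example, not code from the lecture; the class and function names (AccessClass, blp_permits, trojan_copy, mac_blocks_trojan), the ACLs and the object labels are assumptions made for the illustration. It goes slightly beyond the slides by running the reference-monitor check as "add the access and re-verify both axioms over the whole state".

```python
"""Added example (not from the lecture): BLP access classes, dominance, the two
axioms, and the DAC Trojan horse. All names and labels here are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Totally ordered security levels from the slides: TS > S > C > U
LEVEL_RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class AccessClass:
    """An access class (L, SC): a security level and a category set."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "AccessClass") -> bool:
        """c_i >= c_k: L_i >= L_k and SC_i is a superset of SC_k."""
        return (LEVEL_RANK[self.level] >= LEVEL_RANK[other.level]
                and self.categories >= other.categories)

    def strictly_dominates(self, other: "AccessClass") -> bool:
        """c_i > c_k: dominates and is not equal."""
        return self.dominates(other) and self != other

    def incomparable(self, other: "AccessClass") -> bool:
        """c_i <> c_k: neither dominates the other."""
        return not self.dominates(other) and not other.dominates(self)


def ac(level: str, *cats: str) -> AccessClass:
    return AccessClass(level, frozenset(cats))


Access = Tuple[str, str, str]       # (subject, object, mode)
Levels = Dict[str, AccessClass]     # the level function L on subjects and objects


def simple_security_ok(A: Set[Access], L: Levels) -> bool:
    """No-read-up: every read or write in A has L(s) >= L(o); appends are free."""
    return all(m == "append" or L[s].dominates(L[o]) for s, o, m in A)


def star_property_ok(A: Set[Access], L: Levels) -> bool:
    """No-write-down: appends need L(o) >= L(s), writes need L(o) = L(s)."""
    return all(m == "read"
               or (m == "append" and L[o].dominates(L[s]))
               or (m == "write" and L[o] == L[s])
               for s, o, m in A)


def state_secure(A: Set[Access], L: Levels) -> bool:
    return simple_security_ok(A, L) and star_property_ok(A, L)


def blp_permits(A: Set[Access], L: Levels, s: str, o: str, m: str) -> bool:
    """Grant (s, o, m) only if the state with that access added is still secure.
    L is held fixed while accesses are added (tranquility assumed here)."""
    return state_secure(A | {(s, o, m)}, L)


# ---- The DAC Trojan horse from the slides ----------------------------------
# Constructed ACLs: O1 readable only by alice; O2 readable and writable by alice
# and readable by mallory.
ACL = {"O1": {("alice", "r")},
       "O2": {("alice", "r"), ("alice", "w"), ("mallory", "r")}}


def dac_allowed(user: str, obj: str, right: str) -> bool:
    return (user, right) in ACL[obj]


def trojan_copy(user: str, store: Dict[str, str], src: str, dst: str) -> bool:
    """Process P runs with `user`'s identity and, besides its advertised job,
    copies src into dst. DAC checks only who is running P, so this succeeds."""
    if dac_allowed(user, src, "r") and dac_allowed(user, dst, "w"):
        store[dst] = store[src]
        return True
    return False


def dac_leak() -> str:
    """What mallory reads from O2 after alice has run the Trojan horse."""
    store = {"O1": "alice's secret", "O2": ""}   # constructed contents
    trojan_copy("alice", store, "O1", "O2")
    return store["O2"] if dac_allowed("mallory", "O2", "r") else ""


def mac_blocks_trojan(o1: AccessClass = ac("S"), o2: AccessClass = ac("U")) -> bool:
    """Under BLP the same copy needs read(O1) then write(O2) by one process P.
    Try every level P could run at: if one level gets both steps through, the
    flow is possible and the function returns False."""
    L = {"O1": o1, "O2": o2}
    for level in LEVEL_RANK:
        L["P"] = ac(level)
        if (blp_permits(set(), L, "P", "O1", "read")
                and blp_permits({("P", "O1", "read")}, L, "P", "O2", "write")):
            return False
    return True
```

With O1 labelled S and O2 labelled U, a process running at U or C is stopped by the simple security property on the read, and one running at S or TS is stopped by the *-property on the write, so no clearance lets P move the data downward; give both objects the same label and the copy is allowed again, since no downgrade occurs. The DAC path, by contrast, succeeds whenever alice's identity holds the two rights, regardless of the flow.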

