CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 14 - Access Control
October 11, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Access Control System
• Protection Domain
  – What can be accessed by a process
  • Default access: memory
  • Mediated access: e.g., files
• Access Control Enforcement
  – Mediates access
• Reference Monitor
  – Processes a query
  • Can subject S perform operation OP on object OBJ?
  • What should the answer to the query be?

Access Control Policy
• Reference Monitor
  – Queries the policy
• Policy describes security goals
  – Goal: Only let me have access
  – Goal: Only let people in the job have access
  – Goal: Only let me and others I trust have access
  – Q: Other goals?
• Choose your goal(s) and express them in policy

In class exercise …
• Find a partner: pick an interviewer and a responder, and do a 5 minute interview asking them what personal information they share with third parties, with whom, and what those parties do with it.
  – Example: what do you share with phone telemarketers, departmental secretaries, the university, your advisor, your significant other, …
• Don’t be exhaustive about all the information, but definitely identify the broad classes of information you share (sensitive, highly sensitive, etc.); do the same for the entities you share with.
• What are you allowing them to do with this information: e.g., share, alter, record, unknown?
  – Discuss and formulate a subject/object matrix for each right defined by this process.
  The interviewer should lead the process, i.e., the responder answers questions only.

Access Policy Goals
• Rights assignment is the process of describing a security goal
• “Principle of least privilege”
  – You should provide the minimal set of rights necessary to perform the needed function
  – Implication 1: you want to reduce the protection domain to the smallest possible set of objects
  – Implication 2: you want to assign the minimal set of rights to each subject
  – Caveat: of course, you need to provide enough rights and a large enough protection domain to get the job done.
  – What other kinds of policy goals are there?

Policy Goals
• Secrecy
  – Don’t allow reading by unauthorized subjects
  – Control where data can be written by authorized subjects
  • Why is this important?
• Integrity
  – Don’t permit dependence on lower integrity data/code
  • Why is this important?
  – What is “dependence”?
• Availability
  – The necessary function must run
  – Doesn’t this conflict with the above?

Access Control Model
• What language should I use to express policy?
  – Access Control Model
• Oodles of these
  – Some specialize in secrecy
  • Bell-LaPadula
  – Some specialize in integrity
  • Clark-Wilson
  – Some focus on jobs
  • RBAC
  – Some specialize in least privilege
  • SELinux Type Enforcement
• Q: Why are there so many different models?

Groups
• Groups are collections of identities that are assigned rights as a collective
• Important in that it allows permissions to be assigned to aggregates of users …
• This is really about membership
• Standard DAC
• Permissions are transient
(Figure: Users Alice, Bob, Trent, Ivan → Group → Permissions)

Job Functions
• In an enterprise, we don’t really do anything as ourselves, we do things as some
job function
  – E.g., student, professor, doctor
• One could manage this as groups, right?
  – We are assigned to groups all the time, and given similar rights as them, e.g., mailing lists

Roles
• A role is a collection of privileges/permissions associated with some function or affiliation
• NIST studied the way permissions are assigned and used in the real world, and this is it …
• Important: the permissions are static, the user-role membership is transient
• This is not standard DAC
(Figure: Users → Role → Permissions: Read, Delete, Modify, Write)

RBAC
• Role based access control is a class of access control that is neither directly MAC nor DAC, but may be used to implement either or both.
  – A lot of literature deals with RBAC models
  – Most formulations are of the type
  • U: users -- these are the subjects in the system
  • R: roles -- these are the different roles users may assume
  • P: permissions -- these are the rights which can be assumed
  – There is a many-to-many relation between:
  • Users and roles
  • Roles and permissions
  – These relations define the role-based access control policy

RBAC Sessions
• During a session, a user assumes a subset of the roles it may take on
  – Known as activating a set of roles
  – The set of rights given to a user is the union of the rights of the activated roles
• Q: why not just activate all the roles?
• Note: the session terminates at the user’s discretion

Multilevel Security
• A multi-level security system tags all objects and subjects with security tags classifying them in terms of sensitivity/access level.
  – We formulate an access control policy based on these levels
  – We can also add other dimensions, called categories, which horizontally partition the rights space (in a way similar to what roles do)
(Figure: security levels × categories)
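The reference monitor query from the first slides ("can subject S perform OP on OBJ?") answered through an RBAC policy with sessions, as an added example for these notes (not code from the lecture). It ties together the U/R/P relations, role activation, and the least-privilege answer to "why not just activate all the roles?": a session only carries the union of the rights of the roles it activated, so a user who only needs to read notes does not carry the right to write grades. The users, roles, permissions and objects (alice, bob, student, grader, course_notes, grades) are constructed for illustration.

```python
"""Reference monitor over an RBAC policy with sessions (added example)."""
from dataclasses import dataclass, field
from typing import Iterable, Set, Tuple

# A permission is the right to perform OP on OBJ.
Permission = Tuple[str, str]


@dataclass
class RBACPolicy:
    # U x R and R x P are both many-to-many relations, stored as sets of pairs.
    user_roles: Set[Tuple[str, str]] = field(default_factory=set)
    role_perms: Set[Tuple[str, Permission]] = field(default_factory=set)

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.add((user, role))

    def grant(self, role: str, op: str, obj: str) -> None:
        # Permissions attach to the role, not the user: they are static.
        self.role_perms.add((role, (op, obj)))

    def roles_of(self, user: str) -> Set[str]:
        return {r for (u, r) in self.user_roles if u == user}

    def perms_of(self, role: str) -> Set[Permission]:
        return {p for (r, p) in self.role_perms if r == role}


class Session:
    """A user's session: the subset of assigned roles currently activated."""

    def __init__(self, policy: RBACPolicy, user: str, activate: Iterable[str] = ()):
        self.policy, self.user = policy, user
        self.active: Set[str] = set()
        for role in activate:
            self.activate(role)

    def activate(self, role: str) -> None:
        # User-role membership is transient; a user may only activate roles
        # currently assigned to them.
        if role not in self.policy.roles_of(self.user):
            raise PermissionError(f"{self.user} is not assigned role {role}")
        self.active.add(role)

    def deactivate(self, role: str) -> None:
        self.active.discard(role)

    def rights(self) -> Set[Permission]:
        # Rights of the session = union of the rights of the activated roles.
        return set().union(*(self.policy.perms_of(r) for r in self.active))


def reference_monitor(session: Session, op: str, obj: str) -> bool:
    """The query: can subject S (this session) perform OP on OBJ?"""
    return (op, obj) in session.rights()


def build_policy() -> RBACPolicy:
    """Constructed sample policy (hypothetical course-management roles)."""
    p = RBACPolicy()
    p.grant("student", "read", "course_notes")
    p.grant("grader", "read", "submissions")
    p.grant("grader", "write", "grades")
    p.assign_role("alice", "student")
    p.assign_role("alice", "grader")
    p.assign_role("bob", "student")
    return p


if __name__ == "__main__":
    policy = build_policy()
    s = Session(policy, "alice", activate=["student"])
    print("alice (student) read course_notes:", reference_monitor(s, "read", "course_notes"))
    print("alice (student) write grades:     ", reference_monitor(s, "write", "grades"))
    s.activate("grader")  # escalate only for the grading task
    print("alice (+grader) write grades:     ", reference_monitor(s, "write", "grades"))
```

The monitor never consults the user's full role set, only the session's activated roles, which is what makes role activation a least-privilege mechanism: activating everything would give every process of the user the whole union, and a compromised note-reading program could then write grades.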
Lattice Model
• Used by the US military (and many others), the Lattice model uses MLS to define policy
• Levels: unclassified < confidential < secret < top secret
• Categories (actually an unbounded set): NUC(lear), INTEL(ligence), CRYPTO(graphy)
• Note that these levels are used for physical documents in the US government as well.

Assigning Security Levels
• All subjects are assigned clearance levels and compartments
  – Alice: (SECRET, {CRYPTO, NUC})
  – Bob: (CONFIDENTIAL,
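The lattice of (level, category set) labels from the Lattice Model slide, as an added example for these notes (not the lecture's code). Label A dominates label B when A's level is at least B's and A's categories include B's; two labels can be incomparable. The read/write checks use the standard Bell-LaPadula rules (read only what your clearance dominates, write only to labels that dominate your clearance), which the slides name as the secrecy model but do not spell out; the document labels and the lower-case spelling of the levels are constructed for illustration.

```python
"""MLS lattice: dominance, join/meet, and secrecy read/write checks (added example)."""
from typing import FrozenSet, Iterable, NamedTuple

# Totally ordered levels, from the slide.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


class Label(NamedTuple):
    level: str
    categories: FrozenSet[str]

    @classmethod
    def of(cls, level: str, categories: Iterable[str] = ()) -> "Label":
        lvl = level.lower()
        if lvl not in RANK:
            raise ValueError(f"unknown level {level!r}")
        # Categories are an open set (NUC, INTEL, CRYPTO, ...), so any name is accepted.
        return cls(lvl, frozenset(categories))

    def dominates(self, other: "Label") -> bool:
        # (L1, C1) >= (L2, C2)  iff  L1 >= L2 and C1 is a superset of C2
        return RANK[self.level] >= RANK[other.level] and self.categories >= other.categories

    def comparable(self, other: "Label") -> bool:
        return self.dominates(other) or other.dominates(self)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(LEVELS[max(RANK[a.level], RANK[b.level])], a.categories | b.categories)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(LEVELS[min(RANK[a.level], RANK[b.level])], a.categories & b.categories)


# Bell-LaPadula secrecy rules (assumed here; the slides only name the model).
def can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)   # simple security: no read up


def can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)   # *-property: no write down


if __name__ == "__main__":
    alice = Label.of("SECRET", {"CRYPTO", "NUC"})          # from the slide
    nuc_memo = Label.of("CONFIDENTIAL", {"NUC"})           # constructed objects
    intel_report = Label.of("SECRET", {"INTEL"})
    ts_cipher = Label.of("TOP SECRET", {"CRYPTO", "NUC"})
    for name, obj in [("nuc_memo", nuc_memo), ("intel_report", intel_report), ("ts_cipher", ts_cipher)]:
        print(f"{name:13} read={can_read(alice, obj)!s:5} write={can_write(alice, obj)!s:5} "
              f"comparable={alice.comparable(obj)}")
    # A document built from two sources must carry at least their join.
    print("join(nuc_memo, intel_report) =", join(nuc_memo, intel_report))
```

The incomparable case is the one worth noticing: Alice's clearance neither dominates nor is dominated by (SECRET, {INTEL}), so she can neither read nor write it even though the level matches. That is how categories "horizontally partition" the rights space, and why the join is what a system must assign to anything derived from two differently-labelled inputs.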