
Outline: Access Control; Background; The Agenda for Today; A Model for Access Control; Authentication and Authorisation; Principals and Subjects; My Recommendation; Basic Terminology; Changing Focus; Access Modes; Access Rights in BLP; Rationale; Multics; Unix; More operations; Creation and Deletion of Files; Access Control Structures; Access Control Matrix; Access Control Matrix ctd.; Capabilities; Access Control Lists (ACLs); Intermediate Controls; Groups and Negative Permissions; Role Based Access Control (RBAC); RBAC continued; New Paradigms; Who Sets the Policy?; Protection Rings; Partial orderings; Abilities in the VSTa Microkernel; Towards Lattices; The Lattice (L,); Lattices - Example 1; Lattices - Example 2; More Lattices; Not a Lattice; Multi level security (MLS); Compartments; Compartments - Example; State Machine Models; Exercises; Further reading

MT5104 - Computer Security - Access Control 1

Access Control
• Our working definition: Computer security deals with the prevention and detection of unauthorised actions by users of a computer system.
• Computer systems control access to data and shared resources, like memory, printers, etc., more often for reasons of integrity than for confidentiality.
• Access control is at the core of computer security.

Background
• Computer systems and their use have changed over the last decades.
• Traditional multi-user operating systems provide generic services to a wide variety of users and do not ‘know’ about the meaning of the files they handle.
• Modern PC operating systems support individual users in performing their job. Access operations are complex and application specific. Users are not interested in the lower level details of the execution of their programs.
• It is often difficult to map high level security requirements to low level security controls.

The Agenda for Today
• Terminology for access control
• Basic access control structures: ACLs, capabilities, etc.
• New paradigms
• Mathematical concepts – partial orderings and lattices
• Exercises and further reading

A Model for Access Control
[Figure: principal (source) --do operation (request)--> reference monitor (guard) --> object (resource)]
Lampson et al.: Authentication in Distributed Systems: Theory and Practice, ACM ToCS, 1992

Authentication and Authorisation
• If s is a statement, authentication answers the question ‘Who said s?’ with a principal. Thus principals make statements; this is what they are for.
• Likewise, if o is an object, authorisation answers the question ‘Who is trusted to access o?’ with a principal.

Principals and Subjects
• ‘Principal’ and ‘subject’ are both used to denote the active entity in an access operation.
• The word ‘principal’ has many different meanings and is the source of much confusion:
  – Principals are subjects in the TCSEC sense, but not all subjects are principals. [Morrie Gasser, 1989]
  – Principals are public keys. [SDSI, 1996]
  – The term principal represents a name associated with a subject. Since subjects may have multiple names, a subject essentially consists of a collection of principals. [Li Gong, 1999]

My Recommendation
• Policy: A principal is an entity that can be granted access to objects or can make statements affecting access control decisions.
• System: Subjects operate on behalf of (human users we call) principals, and access is based on the principal’s name bound to the subject in some unforgeable manner at authentication time.

Basic Terminology
• Subject/Principal: active entity – user or process
• Object: passive entity – file or resource
• Access operations: read, write, ...
• Access operations vary from basic memory access to method calls in an object-oriented system.
• Comparable systems may use different access operations or attach different meanings to operations which appear to be the same.

Changing Focus
- Subjects and objects provide a different focus of control (first design principle): What is the subject allowed to do? What may be done with an object?
- Traditionally, multi-user operating systems manage files and resources, i.e. objects. Access control takes the second approach.
- Application oriented IT systems, like database management systems, offer services directed to the user and may well control the actions of subjects.

Access Modes
• On the most elementary level, a subject may observe an object, or alter an object.
• Observe and Alter are called access modes.
• At the next level of complexity, we find the access rights of the Bell-LaPadula security model and the access attributes of the Multics operating system.

Access Rights in BLP
• The four Bell-LaPadula access rights: execute, read, append (also called blind write), write
• Mapping between access rights and access modes:

            write   read   append   execute
  Observe     X      X
  Alter       X              X

Rationale
• In a multi-user O/S, users open files to get access. Files are opened for read access or for write access so that the O/S can avoid conflicts like two users simultaneously writing to the same file.
• Write access usually includes read access. A user editing a file should not be asked to open it twice. Hence, the write right includes Observe and Alter mode.
• Few systems actually implement append. Allowing users to alter an object without observing its content is rarely useful (exception: audit log).
• A file can be used without being opened (read). Example: use of a cryptographic key. This can be expressed by an execute right that includes neither Observe nor Alter mode.

Multics
Multics has access attributes for data segments and access attributes for directory segments; Bell-LaPadula access rights: e, r, a, w.
• Data segments: read – r; execute – e, r; read and write – w; write – a
• Directory segments: status – r; search – e; status & modify – w; append – a

Unix
• Access control expressed in terms of three operations:
  read: read from a file
  write: write to a file
  execute: execute a file
• Applied to a directory, the access operations take this meaning:
  read: list contents
  write: create or
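The following is an added example, not code from the lecture slides: a toy reference monitor that encodes the slide's table mapping the four Bell-LaPadula access rights onto the Observe/Alter access modes (so a write right also satisfies a read request, append is a blind write, and execute must be checked as a right because it grants no mode), with the policy stored as an access control matrix from which the ACL and capability views named in the outline are derived. All principals, objects and rights in it are constructed sample data.

```python
"""Added example (not from the slides): a reference monitor built on the
BLP right -> access mode mapping, over a constructed access control matrix,
with ACL (per object) and capability (per subject) views of that matrix."""
from typing import Dict, FrozenSet, Set

# BLP right -> access modes it grants (from the slide table).
MODES: Dict[str, FrozenSet[str]] = {
    "execute": frozenset(),                    # neither mode (e.g. use a key)
    "read": frozenset({"observe"}),
    "append": frozenset({"alter"}),            # blind write
    "write": frozenset({"observe", "alter"}),  # write includes read
}

# Access control matrix: subject -> object -> granted BLP rights (constructed).
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"report.txt": {"write"}, "audit.log": {"append"},
              "signing.key": {"execute"}},
    "bob": {"report.txt": {"read"}, "audit.log": {"read"}},
}

def modes_granted(rights: Set[str]) -> Set[str]:
    """Union of the access modes implied by a set of BLP rights."""
    return set().union(*(MODES[r] for r in rights))

def guard(subject: str, op: str, obj: str) -> bool:
    """Reference monitor: decide the request (subject, op, obj).
    read/append/write are granted when the subject's rights cover every
    mode the operation needs, so 'write' also satisfies 'read'.
    'execute' needs no mode, so the right itself must be present."""
    if op not in MODES:
        raise ValueError(f"unknown access operation: {op}")
    rights = MATRIX.get(subject, {}).get(obj, set())
    if op == "execute":
        return "execute" in rights
    return MODES[op] <= modes_granted(rights)

def acl(obj: str) -> Dict[str, Set[str]]:
    """ACL view: the matrix column for one object."""
    return {s: set(row[obj]) for s, row in MATRIX.items() if obj in row}

def capabilities(subject: str) -> Dict[str, Set[str]]:
    """Capability view: the matrix row for one subject."""
    return {o: set(r) for o, r in MATRIX.get(subject, {}).items()}

if __name__ == "__main__":
    for req in [("alice", "read", "report.txt"), ("bob", "write", "report.txt"),
                ("alice", "read", "audit.log"), ("alice", "read", "signing.key")]:
        print(req, "->", "granted" if guard(*req) else "denied")
```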
UMBC CMSC 482 - Access Control