IS 2150 / TEL 2810IS 2150 / TEL 2810Introduction to SecurityJames JoshiAssistant Professor, SISLecture 6September 30, 2008Hybrid ModelsRole based Access Control1Objective Define/Understand Chinese Wall Model Role-based Access Control model Overview the secure interoperation issue2Hybrid PoliciesHybrid Policies3Chinese Wall Model Supports confidentiality and integrity Information flow between items in a Conflict of Interest set Applicable to environment of stock exchange or investment pp ab e o e o e o s o e a ge o es ehouse Models conflict of interestObjects: items of information related to a companyCompany dataset(CD): contains objects related to a single company Written CD(O)Conflict of interest class(COI): contains datasets of companies in competition Written COI(O)Assume: each object belongs to exactly oneCOIclass4Assume: each object belongs to exactly one COIclassExampleBank COI ClassGasoline Company COI ClassBank COI ClassBank of AmericaBank of AmericaGasoline Company COI ClassShell OilShell Oil Standard OilStandard OilCitizens BankCitizens BankPNC BankPNC BankUnion’76Union’76ARCOARCO5CW-Simple Security Property (Read rule) CW-Simple Security Property scan read o iffany of the following holds ∃o’∈PR(s) such that CD(o’) = CD(o) ∀o’, o’∈PR(s) ⇒COI(o’) ≠COI(o), orohas been“sanitized”ohas been sanitized(o’∈PR(s) indicates o’has been previously read by s) Public information may belong to a CD no conflicts of interest ariseSensiti e data saniti ed6Sensitive data sanitizedWriting Alice, Bob work in same trading houseAlice can readBankOfAmercia’sCD,Alice can read BankOfAmercia sCD, Bob can read CitizensBanks’s CD, Both can readARCO’sCDBoth can read ARCO sCD Alice could write to ARCO’s CD, what is a problem?what is a problem?7CW-*-Property (Write rule) CW-*- Propertyscan write oiff the following holdsThe CW-simple security condition permits S to read O. For all unsanitized objects o’, s can read o’ ⇒CD(o’) = CD(o)CD(o) Alice can read both CDs Is Condition 1 met?Is Condition 1 met? She can read unsanitized objects of BankOfAmercia, hence condition 2 is falseC Ali it t bj t i ARCO’ CD?8Can Alice write to objects in ARCO’s CD?Role-Based Access ControlRoleBased Access Control9Role Based Access Control (RBAC) Access control in organizations is based on “roles that individual users take on as part of the organization”pg Access depends on function, not identity Example: Allison is bookkeeper for Math Dept. She has access to financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records. The role of “bookkeeper”dictates access, not the identity of the individual.bookkeeper dictates access, not the identity of the individual. A role is “is a collection of permissions”10RBACu1o1u1o1UsersPermissionUsersPermissionsManageru2o2u2o2RolerSeniorEngineerSeniorAdm inistratorunomunomAdm inistrator Engineern+ massignmentsn×massignmentsEmployeeTotal number Of assignmentsTotal number Of assignments11(a)(b)gPossible?gPossible?RBAC (NIST Standard)URlOtiObj tUAPAPermissionsUsersRolesOperationsObjectsuser_sessions(one-to-many)role_sessions(many-to-many)What model entity would relate toWhat model entity would relate toSessionsWhat model entity would relate to the traditional notion of subject?What model entity would relate to the traditional notion of subject?Total number of subjects possible?Total number of subjects possible?12Role vs Group?Role vs Group?Core RBAC (relations)Pii2OtiPermissions = 2Operations x Objects UA ⊆ Users x Rolesuser_sessions: Users → 2Sessions PA ⊆ Permissions x Rolesassigned users:Roles→session_user: Sessions → Userssession_roles: Sessions → 2Rolesl()assigned_users: Roles →2Usersassigned_permissions: Roles →2Permissionssession_roles(s) = {r| (session_user(s), r) ∈ UA)}avail session perms: Sessions→→2Op(p): set of operations associated with permission pavail_session_perms: Sessions →2Permissions13Ob(p): set of objects associated with permission pRBAC with Role HierarchyRH(role hierarchy)UAPAPermissionsUsers Roles Operations ObjectsPermissionsuser_sessions(one-to-many)role_sessions(many-to-many)14SessionsRBAC with General Role Hierarchyauthorized_users: Roles→ 2Usersauthorized_users(r) = {u| r’ ≥ r&(r’, u) ∈UA}th i d i iRl2Permissionsauthorized_permissions: Roles→2Permissionsauthorized_permissions(r) = {p| r≥ r’&(p, r’) ∈PA} RH ك Roles x Roles is a partial order called the inheritance relation written as ≥written as ≥. (r1≥ r2) →authorized_users(r1) كauthorized_users(r2) &authorized_permisssions(r2) كauthorized_permisssions(r1)15What do these mean?What do these mean?authorized users(Employee)?authorized users(Employee)?Exampleauthorized_users(Employee)?authorized_users(Administrator)?authorized_permissions(Employee)? authorized permissions(Administrator)?authorized_users(Employee)?authorized_users(Administrator)?authorized_permissions(Employee)? authorized permissions(Administrator)?px, pye10authorized_permissions(Administrator)?authorized_permissions(Administrator)?Managerpx, pye5px, pye8, e9SeniorEngineerSeniorAdministratorpa, pbppe1e2px, pye3, e4px, pye6, e7poppAdministratorEmployeeEngineerpppapbpx, pye1, e2pm, pn16px, pyp1, p2pmpnConstrained RBACRHRH(role hierarchy)StaticSeparation of DutyPAUsers Roles Operations ObjectsUAPAPermissionsuser_sessions(one-to-many)DynamicSti17SessionsSeparation of DutyStatic Separation of DutySSDك2Rolesx N In absence of hierarchy Collection of pairs (RS, n) where RSis a role set, n≥ 2for all(RS, n) ∈SSD, for all tكRS: |t| ≥ n→ ∩r∈tassigned users(r)= ∅||r∈tg_() In presence of hierarchyCollection of pairs (RS n) where RS is a role set n ≥ 2;Describe!Collection of pairs (RS, n) where RS is a role set, n ≥ 2; for all(RS, n) ∈SSD, for all tكRS: |t| ≥ n→ ∩r∈tauthorized_uers(r)= ∅Describe!18Describe!Dynamic Separation of DutyDSD2Rolesx N Collection of pairs (RS, n) where RSis a role set, ≥ 2n≥ 2; A user cannot activate nor more roles from RS What is the difference between SSD or DSD containing:(RS, n)? Consider (RS, n) = ({r1, r2, r3}, 2)? If SSD – can r1, r2and r3be assigned to u? If DSD – can r1, r2and r3be assigned to
View Full Document
Unlocking...