Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park, PA

Advanced Systems Security: Mandatory Access Control Models
Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab
Computer Science and Engineering Department, Pennsylvania State University
February 9, 2010
Systems and Internet Infrastructure Security (SIIS) Laboratory, Page 1

Reference Monitor Components
- Interface
  - Where to make access control decisions (mediation)
  - Which access control decisions to make (authorization)
  - Linux Security Modules interface
- Decision function
  - Compute the decision based on the request and the policy
  - E.g., SELinux, LIDS, DTE, etc. modules
- Policy (our focus today)
  - How to represent the access control policy
  - Main mechanism issue: find a mechanism that enables verification that the policy achieves its function and meets the security guarantees

Access Control
- Determine whether a principal can perform a requested operation on a target object
  - Principal: user, process, etc.
  - Operation: read, write, etc.
  - Object: file, tuple, etc.
- Lampson defined the familiar access matrix and its two interpretations, ACLs and capabilities [Lampson70]

Why are we still talking about access control?
- An access control policy is a specification for an access decision function
- The policy aims to achieve:
  - Permit the principal's intended function (availability)
  - Ensure security properties are met (integrity, confidentiality)
    - Limit to least privilege, protect system integrity, prevent unauthorized leakage, etc.
    - Also known as constraints
  - Enable administration of a changeable system (simplicity)

Simple example
- Prof. Alice manages access to course objects
  - Assign access to an individual principal (Bob)
  - Assign access to an aggregate (course students)
  - Associate access with a relation (students, course)
  - Assign students to project groups (student, course, project group)
- Prof. Alice wants certain guarantees
  - Students cannot modify objects written by Prof. Alice
  - Students cannot read or modify objects of other groups
  - Prof. Alice must be able to maintain the access policy
    - Ensure that individual rights do not violate the guarantees
    - However, exceptions are possible: students may distribute their results from previous assignments for an exam

Access Control is Hard Because
- Access control requirements are domain-specific
  - Generic approaches over-generalize
- Access control requirements can change
  - Anyone could be an administrator
- The safety problem [HRU76]
  - Can only know what is leaked right now
- Access is fail-safe, but constraints are not
  - And constraints must restrict all future states

Safety Problem [HRU76]
- Determine if an unauthorized permission is leaked, given
  - An initial set of permissions, and
  - An access control system (mainly its administrative operations)
- For a traditional approach, the safety problem is undecidable
  - Access matrix model with multi-operational commands
  - Main culprit is create (create an object or subject with its own rights)
  - Proof: reduction of a Turing machine to the multi-operational access matrix system
- The result led to:
  - Safe but limited models (take-grant, schematic protection model, typed access matrix model)
  - Further support for models in which the constraints are implicit in the model (e.g., lattice models)
  - Checking safety on each policy change (the constraint approach of RBAC)

Compare to Other CS Problems
- Processor design
  - Hard, but you can get some smart people together to construct one fixed, testable design
- Network protocol design (TCP)
  - A small number of control parameters is necessary to manage all reasonable options within a layered architecture
  - Constraints (such as against DDoS) are ad hoc
- Software design
  - Specific goals in mind to achieve function; constraints are ad hoc

Access Control Models
- Discretionary: Access Matrix
- Mandatory (usually):
  - Access Matrix
  - Lattice models: Bell-LaPadula, Biba, Denning
  - Predicate models: DTE, SELinux, Java
  - Access control models: TE, RBAC, groups and attributes, parameterized
  - Plus transitions
- Also: UNIX, ACLs, various capability systems, ASL, OASIS, domain-specific models, many others
- Safety models: take-grant, Schematic Protection Model, Typed Access Matrix

Administration
- Discretionary Access Control: users (typically the object owner) can decide permission assignments
- Mandatory Access Control: the system administrator decides on permission assignments
- Flexible administrative management: access control models can be used to express administrative privileges

Type Enforcement [BoebertKain84]
(diagram) Users are labeled with a Subject Type; Objects are labeled with an Object Type; Permission Assignment: a Subject Type can access an Object Type to perform operations on its objects

Group and Attributes
(diagram) Users are assigned to a Group; Objects carry an Attribute; Permission Assignment: a User Group has access to objects with the Attribute

Role-based Access Control
(diagram) User-Role Assignment maps Users to a Role; Permission-Role Assignment maps a Role to Permissions on Objects; Users in a Role can access objects using the Role's permissions

Roles vs. Types: Data Structures
- RBAC: U = set of users; P = set of permissions; R = set of roles
- Type Enforcement: E = set of subjects or objects; ST = set of subject types; OT = set of object types; O = set of operations; Permission Assignment

Role-based Access Control Model
- Users U, Permissions P, Roles R
- Assignments: user-role, perm-role, role-role
- Sessions S; functions user(S), roles(S)
- Constraints C

RBAC Family of Models
- RBAC0 contains all but hierarchies and constraints
- RBAC1 contains RBAC0 and hierarchies
- RBAC2 contains RBAC0 and constraints
- RBAC3 contains all
- The RBAC family idea has always been more a NIST initiative
- The RBAC families are present in the NIST RBAC standard [NIST2001] with slight modifications: RBAC0, RBAC1 (options), RBAC3 SSD, RBAC3 DSD
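Worked example for the "Access Control" and "Safety Problem [HRU76]" slides. This is an added illustration, not code from the slides or from the SIIS lab: an HRU-style access matrix with parameterised commands, Lampson's ACL (column) and capability (row) views of the same matrix, and a bounded breadth-first search that asks whether a right can ever enter a given cell. The subjects (alice, carol, bob), the object "grades", the "trust" right and the share/delegate/create commands are all assumptions made for the example.

```python
# Added example, not from the slides: an HRU-style access matrix with
# parameterised commands, Lampson's two views of the matrix (ACL column and
# capability row), and a bounded search that answers the safety question
# "can right r ever enter cell [s, o]?".  Subjects, objects, rights and
# command names are made up for the illustration.
from collections import deque, namedtuple

# Protection state: subjects, objects (subjects are objects too, so a right
# such as "trust" can be held over a subject) and the non-empty matrix cells
# as (subject, object, right) triples.  Immutable, so states can be compared
# and deduplicated during the search.
State = namedtuple("State", "subjects objects triples")


def has(st, s, o, r):
    return (s, o, r) in st.triples


def enter(st, s, o, r):
    """HRU primitive operation: enter right r into cell [s, o]."""
    return State(st.subjects, st.objects, st.triples | {(s, o, r)})


def acl(st, o):
    """Column view of the matrix: which subjects hold which rights on o."""
    out = {}
    for s, obj, r in st.triples:
        if obj == o:
            out.setdefault(s, set()).add(r)
    return out


def capabilities(st, s):
    """Row view of the matrix: which rights s holds on each object."""
    out = {}
    for subj, o, r in st.triples:
        if subj == s:
            out.setdefault(o, set()).add(r)
    return out


# Commands: each yields (label, successor state) for every parameter binding
# whose condition holds in the current state.
def cmd_share(st):
    """share(s, s2, o): if own in [s,o] and trust in [s,s2] then enter read into [s2,o]."""
    for s in sorted(st.subjects):
        for s2 in sorted(st.subjects):
            for o in sorted(st.objects):
                if (s != s2 and has(st, s, o, "own") and has(st, s, s2, "trust")
                        and not has(st, s2, o, "read")):
                    yield f"share({s},{s2},{o})", enter(st, s2, o, "read")


def cmd_delegate(st):
    """delegate(s, s2, o): if own in [s,o] and trust in [s,s2] then enter own into [s2,o]."""
    for s in sorted(st.subjects):
        for s2 in sorted(st.subjects):
            for o in sorted(st.objects):
                if (s != s2 and has(st, s, o, "own") and has(st, s, s2, "trust")
                        and not has(st, s2, o, "own")):
                    yield f"delegate({s},{s2},{o})", enter(st, s2, o, "own")


def cmd_create(st):
    """create(s): create a fresh object o and enter own, read, write into [s,o].
    Create is what makes the reachable state space infinite, which is why the
    general safety problem is undecidable and why this search is bounded."""
    for s in sorted(st.subjects):
        o = f"{s}_obj{len(st.objects)}"
        if o not in st.objects:
            triples = st.triples | {(s, o, "own"), (s, o, "read"), (s, o, "write")}
            yield f"create({s},{o})", State(st.subjects, st.objects | {o}, triples)


COMMANDS = [cmd_share, cmd_delegate, cmd_create]


def find_leak(initial, s, o, r, max_steps):
    """Breadth-first search over command sequences of length <= max_steps.
    Returns the shortest trace that puts r into [s,o], [] if it is already
    there, or None if no sequence within the bound leaks it."""
    if has(initial, s, o, r):
        return []
    seen = {initial.triples}
    frontier = deque([(initial, [])])
    while frontier:
        st, trace = frontier.popleft()
        if len(trace) >= max_steps:
            continue
        for cmd in COMMANDS:
            for label, nxt in cmd(st):
                if has(nxt, s, o, r):
                    return trace + [label]
                if nxt.triples not in seen:
                    seen.add(nxt.triples)
                    frontier.append((nxt, trace + [label]))
    return None


def course_system():
    """Constructed initial state: Alice owns the gradebook, trusts her TA Carol,
    and Carol trusts student Bob.  Bob holds nothing on the gradebook today."""
    subjects = frozenset({"alice", "carol", "bob"})
    triples = frozenset({
        ("alice", "grades", "own"), ("alice", "grades", "read"), ("alice", "grades", "write"),
        ("alice", "carol", "trust"),
        ("carol", "bob", "trust"),
    })
    return State(subjects, subjects | {"grades"}, triples)


if __name__ == "__main__":
    init = course_system()
    print("ACL of grades:", acl(init, "grades"))
    print("Bob's capabilities now:", capabilities(init, "bob"))
    # What is leaked right now versus what the commands can leak later
    print("read reaches Bob via:", find_leak(init, "bob", "grades", "read", 3))
    print("write reaches Bob via:", find_leak(init, "bob", "grades", "write", 3))
```

The current matrix says Bob has nothing on the gradebook, yet two authorized commands (Alice delegates ownership to Carol, Carol shares with Bob) put "read" in Bob's cell: this is the slide's point that access is fail-safe but a constraint must hold over all future states. The search only terminates because it is depth-bounded; with create in the command set the state space never closes.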
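Worked example for the "Type Enforcement [BoebertKain84]" slide and the guarantees of the "Simple example" slide. This is an added illustration, not code from the slides or from any SELinux policy: subjects and objects are labeled with types, permission assignment is a relation from (subject type, object type) to operations, and because decisions depend only on labels, Prof. Alice's two guarantees can be checked over the finite set of types rather than over every file. The type names (prof_t, group1_t, course_t, ...), the subjects, objects and the publish() relabel are assumptions made for the example.

```python
# Added example, not from the slides: a Type Enforcement policy in the spirit
# of [BoebertKain84] and of SELinux allow rules, applied to the course
# scenario of the "Simple example" slide.  Every type, subject, object and
# operation name here is made up for the illustration.
from collections import defaultdict


class TEPolicy:
    """Subjects carry a subject type (ST), objects an object type (OT), and
    permission assignment is allow(ST, OT) -> operations (O).  Decisions depend
    only on the labels, so guarantees are checked over the finite set of types."""

    def __init__(self):
        self.subject_type = {}
        self.object_type = {}
        self.allow = defaultdict(set)   # (ST, OT) -> set of operations

    def label_subject(self, subject, stype):
        self.subject_type[subject] = stype

    def label_object(self, obj, otype):
        self.object_type[obj] = otype

    def allow_rule(self, stype, otype, ops):
        self.allow[(stype, otype)] |= set(ops)

    def check(self, subject, op, obj):
        """The decision function: is op in allow(type(subject), type(obj))?"""
        key = (self.subject_type[subject], self.object_type[obj])
        return op in self.allow.get(key, set())

    def guarantee_violations(self, prof_type, student_types, group_project):
        """Type-level check of Prof. Alice's guarantees:
        (1) no student type writes an object type that the professor type writes;
        (2) no group type reads or writes another group's project type.
        group_project maps each group's subject type to its project object type."""
        prof_written = {ot for (st, ot), ops in self.allow.items()
                        if st == prof_type and "write" in ops}
        project_types = set(group_project.values())
        found = []
        for (st, ot), ops in sorted(self.allow.items(), key=lambda kv: kv[0]):
            if st in student_types and ot in prof_written and "write" in ops:
                found.append(("student-modifies-prof-object", st, ot))
            if (st in group_project and ot in project_types
                    and ot != group_project[st] and ops & {"read", "write"}):
                found.append(("cross-group-access", st, ot))
        return found


STUDENT_TYPES = {"student_t", "group1_t", "group2_t"}
GROUP_PROJECT = {"group1_t": "group1_proj_t", "group2_t": "group2_proj_t"}


def build_course_policy():
    p = TEPolicy()
    # Labels (the security contexts of processes and files, in SELinux terms)
    p.label_subject("alice", "prof_t")
    p.label_subject("bob", "group1_t")
    p.label_subject("dave", "group2_t")
    p.label_subject("eve", "student_t")
    p.label_object("syllabus", "course_t")
    p.label_object("gradebook", "grades_t")
    p.label_object("grp1_report", "group1_proj_t")
    p.label_object("grp2_report", "group2_proj_t")
    # Permission assignment
    p.allow_rule("prof_t", "course_t", {"read", "write"})
    p.allow_rule("prof_t", "grades_t", {"read", "write"})
    for ot in GROUP_PROJECT.values():
        p.allow_rule("prof_t", ot, {"read"})         # Alice grades reports, she does not edit them
    for st in STUDENT_TYPES:
        p.allow_rule(st, "course_t", {"read"})       # every student reads course material
    for st, ot in GROUP_PROJECT.items():
        p.allow_rule(st, ot, {"read", "write"})      # a group works only on its own report
    return p


def publish(policy, obj):
    """The exception from the slide: Alice relabels a group's result so the whole
    course can read it.  This is an administrative change to a label, not to
    the allow rules, so the type-level guarantees still hold afterwards."""
    policy.label_object(obj, "course_t")


if __name__ == "__main__":
    p = build_course_policy()
    for req in [("bob", "read", "syllabus"), ("bob", "write", "syllabus"),
                ("bob", "read", "grp2_report"), ("alice", "read", "grp1_report")]:
        print(req, "->", p.check(*req))
    print("violations:", p.guarantee_violations("prof_t", STUDENT_TYPES, GROUP_PROJECT))
    publish(p, "grp1_report")
    print("dave reads grp1_report after publish:", p.check("dave", "read", "grp1_report"))
```

Note the side effect of the relabel: once grp1_report carries course_t, Bob can no longer write it either, because his group type has no write rule for course_t. That is the trade-off of keeping the exception in the labels rather than adding a per-file rule.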
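Worked example for the "Role-based Access Control Model" and "RBAC Family of Models" slides. This is an added illustration, not code from the slides or from the NIST standard: it implements U, P, R, the three assignments, sessions with user(S) and roles(S), an RBAC1 role hierarchy, and the SSD and DSD constraints of RBAC2/RBAC3, and it checks SSD on every user-role assignment in the spirit of the "check safety on each policy change" bullet of the safety slide. It goes beyond the slides by applying both constraint kinds to the course scenario; the users, roles, objects and session identifiers are assumptions made for the example.

```python
# Added example, not from the slides: a small RBAC engine with the components
# of the "Role-based Access Control Model" slide (U, P, R; user-role,
# perm-role and role-role assignments; sessions with user(s) and roles(s);
# constraints).  It covers the RBAC1 hierarchy and the SSD and DSD
# constraints named on the "RBAC Family of Models" slide, applied to the
# course scenario.  All user, role, object and session names are made up.
from collections import defaultdict


class ConstraintViolation(Exception):
    pass


class RBAC:
    def __init__(self):
        self.U, self.P, self.R = set(), set(), set()
        self.ua = defaultdict(set)   # user-role assignment: user -> roles
        self.pa = defaultdict(set)   # perm-role assignment: role -> {(op, object)}
        self.rh = defaultdict(set)   # role-role assignment: senior -> its direct juniors
        self.ssd = []                # static SoD: (role set, n): no user holds n of them
        self.dsd = []                # dynamic SoD: (role set, n): no session activates n of them
        self.sessions = {}           # session id -> (user, active roles)

    def add_role(self, role, juniors=()):
        self.R.add(role)
        self.rh[role] |= set(juniors)

    def grant(self, role, op, obj):
        self.P.add((op, obj))
        self.pa[role].add((op, obj))

    def authorized_roles(self, roles):
        """Closure down the hierarchy: a senior role inherits its juniors' permissions."""
        out, todo = set(), list(roles)
        while todo:
            r = todo.pop()
            if r not in out:
                out.add(r)
                todo.extend(self.rh[r])
        return out

    def _check_sod(self, rules, roles, kind):
        # Design choice: constraints are evaluated over the inherited closure,
        # so holding a senior role counts as holding its juniors.
        full = self.authorized_roles(roles)
        for role_set, n in rules:
            if len(full & role_set) >= n:
                raise ConstraintViolation(f"{kind}: {sorted(full & role_set)} of {sorted(role_set)}")

    def assign(self, user, role):
        """User-role assignment; SSD is checked on every policy change."""
        self.U.add(user)
        self._check_sod(self.ssd, self.ua[user] | {role}, "SSD")
        self.ua[user].add(role)

    def create_session(self, sid, user, roles):
        """A session activates a subset of the user's roles; DSD is checked here."""
        roles = set(roles)
        if not roles <= self.ua[user]:
            raise ConstraintViolation(f"{user} is not assigned {sorted(roles - self.ua[user])}")
        self._check_sod(self.dsd, roles, "DSD")
        self.sessions[sid] = (user, roles)

    def user(self, sid):
        return self.sessions[sid][0]

    def roles(self, sid):
        return self.sessions[sid][1]

    def check(self, sid, op, obj):
        """Decision function: some active role, or a role it inherits, holds (op, obj)."""
        return any((op, obj) in self.pa[r] for r in self.authorized_roles(self.roles(sid)))


def is_rejected(action, *args):
    """True if a policy change or role activation is refused by a constraint."""
    try:
        action(*args)
        return False
    except ConstraintViolation:
        return True


def build_course_rbac():
    p = RBAC()
    p.add_role("student")
    p.add_role("group1", juniors=["student"])   # group members are students first
    p.add_role("group2", juniors=["student"])
    p.add_role("grader")
    p.add_role("professor", juniors=["grader"])
    p.ssd.append(({"group1", "group2"}, 2))     # a student belongs to at most one group
    p.dsd.append(({"student", "grader"}, 2))    # nobody acts as student and grader at once
    p.grant("professor", "read", "syllabus")
    p.grant("professor", "write", "syllabus")
    p.grant("student", "read", "syllabus")
    for obj in ("grp1_report", "grp2_report"):
        p.grant("grader", "read", obj)
    p.grant("grader", "write", "gradebook")
    for op in ("read", "write"):
        p.grant("group1", op, "grp1_report")
        p.grant("group2", op, "grp2_report")
    p.assign("alice", "professor")
    p.assign("bob", "group1")
    p.assign("dave", "group2")
    p.assign("carol", "group1")
    p.assign("carol", "grader")                 # a TA who is also a student: allowed by SSD
    return p


if __name__ == "__main__":
    p = build_course_rbac()
    p.create_session("s1", "bob", ["group1"])
    print("bob reads syllabus:", p.check("s1", "read", "syllabus"))      # inherited from student
    print("bob writes syllabus:", p.check("s1", "write", "syllabus"))
    print("bob reads grp2_report:", p.check("s1", "read", "grp2_report"))
    print("bob into group2 rejected:", is_rejected(p.assign, "bob", "group2"))
    print("carol as group1 and grader at once rejected:",
          is_rejected(p.create_session, "s2", "carol", ["group1", "grader"]))
```

The two constraint kinds differ in when they are enforced: the SSD rule refuses the administrative change that would put Bob in both groups, whereas the DSD rule lets Carol hold both student and grader roles but refuses any single session that activates both. Checking SSD at assignment time is cheap precisely because the constraint is over the policy state, not over all reachable states as in the general safety problem.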
PSU CSE 544 - Advanced Systems Security