IS 2150 / TEL 2810 Introduction to Security
James Joshi, Associate Professor, SIS
Lecture 6, October 6, 2009
Hybrid Models; Role-Based Access Control

Objective
- Define/understand various integrity models: Clark-Wilson
- Define/understand the Chinese Wall model
- Role-based access control model
- Overview of the secure interoperation issue

Clark-Wilson Integrity Model
- Transactions are the basic operation
- Integrity is defined by a set of constraints; data is in a consistent (valid) state when it satisfies them
- Example: bank. D = today's deposits, W = today's withdrawals, YB = yesterday's balance, TB = today's balance
  Integrity constraint: D + YB - W = TB
- Well-formed transaction: a series of operations that moves the system from one consistent state to another
  State before transaction consistent ⇒ state after transaction consistent
- Issue: who examines and certifies that transactions are done correctly?
- Separation of duty is crucial

Clark-Wilson Model Entities
- Constrained Data Items (CDI): data subject to integrity control, e.g. account balances
- Unconstrained Data Items (UDI): data not subject to integrity control, e.g.
  gifts given to the account holders
- Integrity Verification Procedures (IVP): test the CDIs' conformance to the integrity constraints at the time the IVPs are run (e.g. checking that the accounts balance)
- Transformation Procedures (TP): examples?

Clark-Wilson: Certification/Enforcement Rules
- C1: When any IVP is run, it must ensure all CDIs are in a valid state
- C2: A TP must transform a set of CDIs from a valid state to another valid state; a TP must not be used on CDIs it is not certified for
- E1: The system must maintain the certified relations; the TP/CDI sets are enforced

Clark-Wilson: Certification/Enforcement Rules
- E2: The system must control users: the (user, TP, {CDI}) mappings are enforced
- C3: The relations between (user, TP, {CDI}) must support separation of duty
- E3: Users must be authenticated to execute a TP (note: unauthenticated users may manipulate UDIs)

Clark-Wilson: Certification/Enforcement Rules
- C4: All TPs must log undo information to an append-only CDI (so that an operation can be reconstructed)
- C5: A TP taking a UDI as input must either reject it or transform it into a CDI
- E4: Only the certifier of a TP may change the list of entities associated with that TP; the certifier cannot execute the TP. Enforces separation of duty (?)

Clark-Wilson
- Clark-Wilson introduced new ideas: commercial firms do not classify data using a multilevel scheme; they enforce separation of duty
- The notion of certification is different from enforcement: enforcement rules can be enforced by the system, certification rules need outside intervention, and the process of certification is complex and error-prone

Hybrid Policies

Chinese Wall Model
- Supports confidentiality and integrity
- Information flow between items in a conflict-of-interest set
- Applicable to the environment of a stock exchange or investment house
- Models conflict of interest
- Objects: items of information related to a company
- Company
  dataset (CD): contains objects related to a single company, written CD(o)
- Conflict-of-interest class (COI): contains the datasets of companies in competition, written COI(o)
- Assume: each object belongs to exactly one COI class

Example
- Bank COI class: Bank of America, Citizens Bank, PNC Bank
- Gasoline Company COI class: Shell Oil, Standard Oil, Union '76, ARCO

CW-Simple Security Property (Read rule)
- s can read o iff any of the following holds:
  - ∃o' ∈ PR(s) such that CD(o') = CD(o)
  - ∀o' ∈ PR(s): COI(o') ≠ COI(o), or
  - o has been "sanitized"
  (o' ∈ PR(s) indicates that o' has been previously read by s)
- Public information may belong to a CD; no conflicts of interest arise
- Sensitive data is sanitized

Writing
- Alice and Bob work in the same trading house
- Alice can read Bank of America's CD, Bob can read Citizens Bank's CD, and both can read ARCO's CD
- Alice could write to ARCO's CD: what is the problem?

CW-*-Property (Write rule)
- s can write o iff both of the following hold:
  1. The CW-simple security condition permits s to read o
  2. For all unsanitized objects o': s can read o' ⇒ CD(o') = CD(o)
- Alice can read both CDs. Is condition 1 met?
- She can read unsanitized objects of Bank of America, hence condition 2 is false
- Can Alice write to objects in ARCO's CD?

Role-Based Access Control

Role-Based Access Control (RBAC)
- Access control in organizations is based on "roles that individual users take on as part of the organization"
- Access depends on function, not identity
- Example: Allison is bookkeeper for the Math Dept. She has access to the financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records.
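Before going on to RBAC, the Clark-Wilson rules from the slides above, worked as an added Python example that is not part of the lecture. It shows what the slides mean by "enforcement rules can be enforced, certification rules need outside intervention": the Monitor mechanically checks E1 to E4 and C5 on every TP call, while certification (which TP is trusted for which CDIs, and who vouches for it) is a human act that the code can only record. A deliberately mis-certified TP shows why C1 and C4 still matter when certification goes wrong. The Bank, Monitor and tp_* names, the rule tags in the error messages and the account figures are all constructed for the illustration.

```python
# Clark-Wilson sketch for a bank ledger; constructed example, not lecture code.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

class IntegrityError(Exception):
    """Raised when an enforcement rule (E1-E4), C5 or the post-TP IVP fails."""

@dataclass
class Bank:
    # CDIs: per account, the slide's YB, D, W and TB; mutated only through TPs.
    accounts: Dict[str, Dict[str, int]] = field(default_factory=dict)
    # C4: append-only undo log of (tp, account, account state before the TP).
    undo_log: List[Tuple[str, str, Dict[str, int]]] = field(default_factory=list)

    def ivp(self) -> bool:
        """C1: every account must satisfy D + YB - W = TB."""
        return all(a["D"] + a["YB"] - a["W"] == a["TB"] for a in self.accounts.values())

def parse_amount(udi: str) -> int:
    """C5: a UDI (untrusted text) is rejected or turned into a CDI-grade value."""
    if not udi.isdigit():                          # rejects "-5", "1e3", "", "50 "
        raise IntegrityError("C5: rejected UDI %r" % udi)
    return int(udi)

def tp_deposit(bank: Bank, acct: str, udi: str) -> None:
    """Correctly certified TP: moves D and TB together, so C2 holds."""
    amount = parse_amount(udi)
    bank.undo_log.append(("deposit", acct, dict(bank.accounts[acct])))
    bank.accounts[acct]["D"] += amount
    bank.accounts[acct]["TB"] += amount

def tp_buggy_credit(bank: Bank, acct: str, udi: str) -> None:
    """A TP that should never have passed certification: changes TB but not D."""
    amount = parse_amount(udi)
    bank.undo_log.append(("credit", acct, dict(bank.accounts[acct])))
    bank.accounts[acct]["TB"] += amount

@dataclass
class Monitor:
    bank: Bank
    authenticated: Set[str] = field(default_factory=set)                      # E3
    tps: Dict[str, Callable] = field(default_factory=dict)
    certifier: Dict[str, str] = field(default_factory=dict)                   # E4
    certified_cdis: Dict[str, FrozenSet[str]] = field(default_factory=dict)   # E1
    triples: Set[Tuple[str, str, FrozenSet[str]]] = field(default_factory=set)  # E2

    def certify(self, who: str, name: str, fn: Callable, cdis) -> None:
        """Certification is an out-of-band human act; 'who' vouches for fn."""
        self.tps[name], self.certifier[name] = fn, who
        self.certified_cdis[name] = frozenset(cdis)

    def allow(self, actor: str, user: str, tp: str, cdis) -> None:
        """E4: only tp's certifier edits its triples, and may not add itself (C3)."""
        if actor != self.certifier.get(tp):
            raise IntegrityError("E4: %s is not the certifier of %s" % (actor, tp))
        if user == actor:
            raise IntegrityError("E4/C3: certifier %s may not execute %s" % (actor, tp))
        if not frozenset(cdis) <= self.certified_cdis[tp]:
            raise IntegrityError("E1: %s is not certified for %s" % (tp, sorted(cdis)))
        self.triples.add((user, tp, frozenset(cdis)))

    def run(self, user: str, tp: str, acct: str, udi: str) -> int:
        if user not in self.authenticated:
            raise IntegrityError("E3: %s is not authenticated" % user)
        if not any(u == user and t == tp and acct in c for u, t, c in self.triples):
            raise IntegrityError("E2: no (user, TP, {CDI}) triple for %s/%s/%s" % (user, tp, acct))
        mark = len(self.bank.undo_log)
        self.tps[tp](self.bank, acct, udi)
        if not self.bank.ivp():
            # A mis-certified TP broke C2: restore from the C4 log (the log is kept).
            for _, name, before in reversed(self.bank.undo_log[mark:]):
                self.bank.accounts[name] = dict(before)
            raise IntegrityError("C2: %s left the CDIs in an invalid state" % tp)
        return self.bank.accounts[acct]["TB"]

def demo() -> dict:
    bank = Bank({"acct1": {"YB": 100, "D": 0, "W": 0, "TB": 100}})
    m = Monitor(bank)
    m.certify("carol", "deposit", tp_deposit, {"acct1"})
    m.certify("carol", "credit", tp_buggy_credit, {"acct1"})   # a certification mistake
    m.allow("carol", "alice", "deposit", {"acct1"})
    m.allow("carol", "alice", "credit", {"acct1"})
    m.authenticated.update({"alice", "bob"})
    out = {"deposit": m.run("alice", "deposit", "acct1", "50")}   # TB becomes 150
    attempts = {
        "bad_udi": lambda: m.run("alice", "deposit", "acct1", "-5"),
        "unauthenticated": lambda: m.run("eve", "deposit", "acct1", "5"),
        "no_triple": lambda: m.run("bob", "deposit", "acct1", "5"),
        "buggy_tp": lambda: m.run("alice", "credit", "acct1", "5"),
        "certifier_executes": lambda: m.allow("carol", "carol", "deposit", {"acct1"}),
        "uncertified_cdi": lambda: m.allow("carol", "bob", "deposit", {"acct2"}),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = "allowed"
        except IntegrityError as err:
            out[label] = str(err).split(":")[0]   # the rule that fired
    out["final_balance"], out["ivp"] = bank.accounts["acct1"]["TB"], bank.ivp()
    return out
```

Each refused attempt reports the rule that stopped it: the malformed amount is caught by C5 before it touches a CDI, eve fails E3, bob fails E2 because no triple names him, and carol's attempt to authorize herself is the E4 separation-of-duty check. The buggy credit passes every enforcement rule, because it was (wrongly) certified; only the IVP run after the TP (C1) detects the broken constraint, and the C4 undo log is what makes it possible to restore the balance to 150. That is the practical point of the slides' remark that certification is outside the system and error-prone.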
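The Chinese Wall read and write rules from the slides above, replayed on the Alice/Bob trading-house example as an added Python block that is not part of the lecture. The Obj and ChineseWall names and the individual ledger objects are invented for the illustration; the company datasets and COI classes are the ones on the slide.

```python
# Chinese Wall read/write rules on the lecture's Alice/Bob example. Constructed
# example: the Obj/ChineseWall names and the ledger objects are invented.
from dataclasses import dataclass
from typing import Dict, Iterable, Set

@dataclass(frozen=True)
class Obj:
    name: str
    cd: str            # CD(o): the company dataset the object belongs to
    coi: str           # COI(o): the conflict-of-interest class of that company
    sanitized: bool = False

class ChineseWall:
    def __init__(self, objects: Iterable[Obj]) -> None:
        self.objects = list(objects)            # every object the rules range over
        self.pr: Dict[str, Set[Obj]] = {}       # PR(s): objects s has already read

    def can_read(self, s: str, o: Obj) -> bool:
        """CW-simple security property (the read rule)."""
        pr = self.pr.get(s, set())
        if o.sanitized:                                  # public, sanitized data
            return True
        if any(p.cd == o.cd for p in pr):                # same company dataset
            return True
        return all(p.coi != o.coi for p in pr)           # no competitor read so far

    def read(self, s: str, o: Obj) -> bool:
        """Perform a read: on success o joins PR(s), which narrows s's future reads."""
        if not self.can_read(s, o):
            return False
        self.pr.setdefault(s, set()).add(o)
        return True

    def can_write(self, s: str, o: Obj) -> bool:
        """CW-*-property (the write rule): condition 1, then condition 2."""
        if not self.can_read(s, o):
            return False
        return all(p.cd == o.cd for p in self.objects
                   if not p.sanitized and self.can_read(s, p))

def demo() -> dict:
    bank, gas = "Bank", "Gasoline"
    bofa = Obj("BofA-ledger", "BankOfAmerica", bank)
    bofa2 = Obj("BofA-forecast", "BankOfAmerica", bank)
    citizens = Obj("Citizens-ledger", "CitizensBank", bank)
    pnc = Obj("PNC-ledger", "PNCBank", bank)
    pnc_public = Obj("PNC-annual-report", "PNCBank", bank, sanitized=True)
    arco = Obj("ARCO-ledger", "ARCO", gas)
    shell = Obj("Shell-ledger", "ShellOil", gas)
    wall = ChineseWall([bofa, bofa2, citizens, pnc, pnc_public, arco, shell])
    out = {}
    out["alice_reads_bofa"] = wall.read("alice", bofa)          # True
    out["alice_reads_arco"] = wall.read("alice", arco)          # True: different COI class
    out["alice_reads_citizens"] = wall.read("alice", citizens)  # False: competitor of BofA
    out["alice_reads_bofa2"] = wall.read("alice", bofa2)        # True: same CD
    out["alice_reads_shell"] = wall.read("alice", shell)        # False: competitor of ARCO
    out["alice_reads_pnc_public"] = wall.read("alice", pnc_public)  # True: sanitized
    out["bob_reads_citizens"] = wall.read("bob", citizens)      # True
    out["bob_reads_arco"] = wall.read("bob", arco)              # True
    # The slide's question: Alice can read ARCO's CD, but may she write to it?
    out["alice_writes_arco"] = wall.can_write("alice", arco)    # False: condition 2 fails
    out["alice_writes_bofa"] = wall.can_write("alice", bofa)    # False: she can read ARCO too
    out["bob_writes_arco"] = wall.can_write("bob", arco)        # False: he can read Citizens
    # A write passes only when every unsanitized object s can read lies in CD(o).
    single = ChineseWall([arco, shell])
    single.read("dan", arco)
    out["dan_writes_arco"] = single.can_write("dan", arco)      # True
    return out
```

The write refusal is the answer to the "what is a problem?" question on the Writing slide: had Alice been allowed to write Bank of America information into ARCO's dataset, Bob, who reads ARCO and Citizens Bank (a Bank of America competitor), would have obtained it through ARCO. Note how strict the rule is as stated: condition 2 ranges over every unsanitized object s *can* read, not just PR(s), so in the mixed world no subject can write any unsanitized object while a dataset in the other COI class is still readable to it; only dan, in a one-class world, gets a write through. Sanitizing data is what the model relies on to let anything flow out.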
- The role of "bookkeeper" dictates access, not the identity of the individual
- A role is "a collection of permissions"

RBAC
- Figure: users u1..un and permissions o1..om. Assigning each user directly to each permission takes n × m assignments; assigning the users to one role r and r to the permissions takes n + m (total number of assignments, cases (a) and (b))
- Role hierarchy shown: Employee; Engineer and Administrator; SeniorEngineer and SeniorAdministrator; Manager. Possible?

RBAC (NIST Standard)
- Users, Roles, Operations, Objects; Permissions are formed from operations on objects
- UA: user assignment (Users to Roles); PA: permission assignment (Permissions to Roles)
- Sessions: user_sessions (one-to-many), role_sessions (many-to-many)
- What model entity would relate to the traditional notion of subject?
- Total number of subjects possible?
- Role vs Group?

Core RBAC (relations)
- Permissions = 2^(Operations × Objects)
- UA ⊆ Users × Roles
- user_sessions: Users → 2^Sessions
- PA ⊆ Permissions ×
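An added Python sketch of Core RBAC with a role hierarchy and sessions, using the NIST-standard vocabulary from the slides above; it is not lecture code, and the RBAC class, role names, permissions and users are assumed for the illustration (a permission is represented here as a single (operation, object) pair). It answers the slides' questions in code: a session is the entity that plays the part of the traditional subject, it reproduces the bookkeeper turnover example, and it counts the n + m versus n × m assignments.

```python
# Core/hierarchical RBAC sketch in the NIST-standard vocabulary. Constructed
# example: the RBAC class, role names, permissions and users are invented.
from collections import defaultdict
from itertools import count
from typing import Dict, Iterable, Set, Tuple

Permission = Tuple[str, str]   # one (operation, object) pair from Operations x Objects

class RBAC:
    def __init__(self) -> None:
        self.UA: Set[Tuple[str, str]] = set()                  # UA ⊆ Users × Roles
        self.PA: Set[Tuple[Permission, str]] = set()           # PA ⊆ Permissions × Roles
        self.juniors: Dict[str, Set[str]] = defaultdict(set)   # hierarchy: senior -> juniors
        self.user_sessions: Dict[str, Set[int]] = defaultdict(set)  # Users -> 2^Sessions
        self.session_roles: Dict[int, Set[str]] = {}           # Sessions -> activated roles
        self._ids = count(1)

    def deassign_user(self, user: str, role: str) -> None:
        """Dropping a UA pair also deactivates the role in the user's live sessions."""
        self.UA.discard((user, role))
        for sid in self.user_sessions[user]:
            self.session_roles[sid].discard(role)

    def authorized_roles(self, role: str) -> Set[str]:
        """The role plus everything it inherits (transitive closure over juniors)."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors[r])
        return seen

    def authorized_user_roles(self, user: str) -> Set[str]:
        roles: Set[str] = set()
        for u, r in self.UA:
            if u == user:
                roles |= self.authorized_roles(r)
        return roles

    def create_session(self, user: str, roles: Iterable[str]) -> int:
        """A session is the subject: one user plus a chosen subset of authorized roles."""
        roles = set(roles)
        if not roles <= self.authorized_user_roles(user):
            raise PermissionError("%s may not activate %s" % (user, sorted(roles)))
        sid = next(self._ids)
        self.user_sessions[user].add(sid)
        self.session_roles[sid] = roles
        return sid

    def check_access(self, sid: int, op: str, obj: str) -> bool:
        """Access is decided by the session's active roles, never by the user's identity."""
        active: Set[str] = set()
        for r in self.session_roles[sid]:
            active |= self.authorized_roles(r)
        return any(((op, obj), r) in self.PA for r in active)

    def assignment_counts(self) -> Tuple[int, int]:
        """(|UA| + |PA|, the direct user-permission pairs those assignments stand for)."""
        direct = sum(len({p for p, r in self.PA if r in self.authorized_user_roles(u)})
                     for u in {u for u, _ in self.UA})
        return len(self.UA) + len(self.PA), direct

def demo() -> dict:
    ac = RBAC()
    for senior, junior in [("Engineer", "Employee"), ("SeniorEngineer", "Engineer"),
                           ("Manager", "SeniorEngineer")]:
        ac.juniors[senior].add(junior)
    for perm, role in [(("read", "handbook"), "Employee"), (("commit", "repo"), "Engineer"),
                       (("approve", "repo"), "SeniorEngineer"), (("approve", "budget"), "Manager"),
                       (("read", "financial_records"), "Bookkeeper")]:
        ac.PA.add((perm, role))
    for user, role in [("carl", "Engineer"), ("erin", "Engineer"), ("fay", "Engineer"),
                       ("gus", "Engineer"), ("dana", "Manager"), ("allison", "Bookkeeper")]:
        ac.UA.add((user, role))
    out = {}
    s_carl = ac.create_session("carl", {"Engineer"})
    out["carl_commit"] = ac.check_access(s_carl, "commit", "repo")       # True
    out["carl_handbook"] = ac.check_access(s_carl, "read", "handbook")   # True: inherited from Employee
    out["carl_approve"] = ac.check_access(s_carl, "approve", "repo")     # False
    try:
        ac.create_session("carl", {"Manager"})
        out["carl_as_manager"] = "allowed"
    except PermissionError:
        out["carl_as_manager"] = "refused"
    s_dana_code = ac.create_session("dana", {"Engineer"})   # activate only what the task needs
    out["dana_code_budget"] = ac.check_access(s_dana_code, "approve", "budget")  # False
    s_dana_full = ac.create_session("dana", {"Manager"})
    out["dana_full_budget"] = ac.check_access(s_dana_full, "approve", "budget")  # True
    # The slide's bookkeeper turnover: change UA, leave PA alone.
    s_allison = ac.create_session("allison", {"Bookkeeper"})
    out["allison_before"] = ac.check_access(s_allison, "read", "financial_records")  # True
    ac.deassign_user("allison", "Bookkeeper")
    ac.UA.add(("betty", "Bookkeeper"))
    out["allison_after"] = ac.check_access(s_allison, "read", "financial_records")   # False
    s_betty = ac.create_session("betty", {"Bookkeeper"})
    out["betty"] = ac.check_access(s_betty, "read", "financial_records")            # True
    out["with_roles"], out["direct"] = ac.assignment_counts()                       # (11, 13)
    return out
```

Two design points a practitioner should take from the block. First, the session is where least privilege lives: dana is authorized for Manager, but her coding session activates only Engineer and cannot approve the budget, and carl cannot open a session with a role he is not authorized for. Second, deassignment must reach into live sessions, otherwise Allison would keep reading the financial records after she left; the slide's turnover is a change to UA only, PA is untouched. The counts are for the six users in the example: four engineers sharing one role cost 4 + 2 assignments where direct assignment would cost 4 × 2, and the gap grows with every user added to the role.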