30/10/2017 Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

Contents
o Introduction to access control and access control structures
o ACL and capability lists
o Administration and aggregation of access control structures
o RBAC models
o ACL in Linux
o ACL in Windows

The process:
o A computer system controls the interaction between users and system resources
o to implement a security policy, which may be determined by
  • organisational requirements
  • statutory requirements (e.g. medical records)
o Policy requirements may include
  • confidentiality (restrictions on read access)
  • integrity (restrictions on write access)
  • availability

The reference monitor:
o A user requests access (read, write, print, etc.) to a resource in the computer system
o The reference monitor establishes the validity of the request ...
o ... and returns a decision either granting or denying access to the user
  Access Request -> Reference Monitor -> System / Decision
o Examples of reference monitors (RM):
  • a paper-based office: the set of (locked) filing cabinets
  • a night club: the security guard + the guest list

Subjects, objects and principals:
o U - Subject (user): active entity in a computer system (user, process, thread)
o O - Object: passive entity or resource in a computer system (files, directories, printers)
o A principal: an attribute or property associated with a subject (user ID, public key, process, thread)
o "Principal" and "subject" are both used to refer to the active entity in an access operation; a subject may be represented by more than one principal

Access control: who is allowed to access what. Two parts:
o Part I: decide who should have access to certain resources (access control policy)
o Part II: enforcement – only accesses defined by the access control policy are granted
o Complete mediation is essential for successful enforcement

Access control matrix:
o Introduced by Lampson (1972) and extended by Harrison, Ruzzo and Ullman (1976-8)
o An access control matrix (ACM) abstracts the state relevant to access control
o Rows of the ACM correspond to users/subjects/groups; columns correspond to resources that need to be protected
o The ACM defines who can access what: ACM[U,O] defines what access rights user U has for object O

Example ACM (subjects in rows, objects in columns):
             trash    a.out      allfiles.txt
  jason      {r,w}    {r,w,x}    {r,w}
  mick       -        {r,x}      {r}
o The request (jason, allfiles.txt, w) is granted
o The request (mick, allfiles.txt, w) is denied

Access control matrix: an abstract formulation of access control, not suitable for direct implementation
o The matrix is likely to be extremely sparse and therefore implementation is inefficient
o Management of the matrix is likely to be extremely difficult if there are 1000s of files and 100s of users (resulting in 100,000s of matrix entries)

Access control lists (ACLs) focus on the objects
o Typically implemented at operating system level (Windows NT uses ACLs)
o An ACL is stored in a trusted part of the system
o An ACL corresponds to a column in the access control matrix
o Ex: [a.out: (jason, {r,w,x}), (mick, {r,x})]
o How would a reference monitor that uses ACLs check the validity of the request (jason, a.out, r)?

Capability lists (C-lists) focus on the subjects
o A capability list corresponds to a row in the access control matrix
o Ex: [jason: (trash, {r,w}), (a.out, {r,w,x}), (allfiles.txt, {r,w})]
o How would such a reference monitor check the validity of the request (jason, a.out, r)?
o Where do C-lists go?
  • a user catalogue of capabilities defines what a certain user can access
  • they can be stored in the objects/resources themselves (Hydra)
  • sharing requires propagation of capabilities
o Capability lists are used in services and application software; database applications use capability lists to implement fine-grained access to tables and queries
o Renewed interest in capability-based access control for distributed systems
o Disadvantage: how can we check which subjects can access a given object ("before-the-act per-object review")?
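The matrix, the two views a reference monitor can store it in, and the two checks asked on the slides, as an added example (not part of the lecture). Subjects, objects and rights are the slide's own; mick's two entries are mapped to a.out and allfiles.txt in the order the table lists them.

```python
# Added example (not from the lecture): the slide's access control matrix,
# its ACL view (one column per object) and its capability-list view (one
# row per subject), with a reference-monitor check over each view.
from typing import Dict, Set

# ACM[subject][object] = set of rights; a missing entry means no rights.
# Values are read off the slide's table (mick's entries taken in order).
ACM: Dict[str, Dict[str, Set[str]]] = {
    "jason": {"trash": {"r", "w"}, "a.out": {"r", "w", "x"}, "allfiles.txt": {"r", "w"}},
    "mick": {"a.out": {"r", "x"}, "allfiles.txt": {"r"}},
}

def acl(obj: str) -> Dict[str, Set[str]]:
    """Column of the matrix: which subjects hold which rights on obj."""
    return {s: rights[obj] for s, rights in ACM.items() if obj in rights}

def capability_list(subject: str) -> Dict[str, Set[str]]:
    """Row of the matrix: which objects the subject may access, and how."""
    return dict(ACM.get(subject, {}))

def check_with_acl(subject: str, obj: str, right: str) -> bool:
    """RM over ACLs: fetch the object's list, then look the subject up in it."""
    return right in acl(obj).get(subject, set())

def check_with_clist(subject: str, obj: str, right: str) -> bool:
    """RM over C-lists: fetch the subject's list, then look the object up in it."""
    return right in capability_list(subject).get(obj, set())

def subjects_that_can(obj: str, right: str) -> Set[str]:
    """Per-object review: one lookup with ACLs, but a scan of every C-list."""
    return {s for s in ACM if check_with_clist(s, obj, right)}
```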
Administration of access control structures
o Tasks include
  • creation of new objects and subjects
  • deletion of objects and subjects
  • changing entries in the access control matrix (changing entries in ACLs and capability lists)
o The administration of access control structures is extremely time-consuming, complicated and error-prone
o To simplify the administrative burden, access control structures that aggregate subjects and objects are used
o Aggregation techniques: user groups, roles, procedures, data types

Groups
o Access rights are often defined for groups of users
o In UNIX three groups are associated with each object: owner, group (owner), others
o In VMS there are four groups: owner, group, world, system

Data types, procedures and roles
o A data type is a set of objects with the same structure (bank accounts, for example)
o We define access operations (procedures or permissions) on a data type
o Permissions are assigned to roles; users are assigned to roles
o Roles are (usually) arranged in a hierarchy

Access control policies
o ACLs are used by many OSs to determine whether users are authorized to conduct different actions
o Mandatory access control (MAC): the computer system decides exactly who has access to which resource in the system
o Discretionary access control (DAC): users are authorized to determine which other users can access files or other resources that they create
o Role-based access control (RBAC): a special form of MAC – the system decides exactly which users are allowed to access which resources, but it does this in a special way
o The Bell-LaPadula Model (a MAC model): based on a certain level of access

MAC, DAC, RBAC

RBAC model: the system decides exactly which users are allowed to access which resources – but the system does this in a special way

The RBAC family of models
• RBAC0: the minimum functionality
• RBAC1: the RBAC0 functionality + role hierarchies, which enable one role to inherit permissions from another role
• RBAC2: RBAC0 + constraints, which restrict the ways in which the components of an RBAC system may be configured
• RBAC3: RBAC0 + RBAC1 + RBAC2

An RBAC0 system contains four types of entities (the minimum functionality for an RBAC system):
• User: an individual with access to this computer system
• Role: a job function that controls this computer system
• Permission: approval of access to one or more objects
• Session: a mapping between a user and an activated subset of the set of roles to which the user is assigned

o RBAC0 contains all but hierarchies and constraints
o RBAC1 contains RBAC0 and hierarchies
o RBAC2 contains RBAC0 and constraints
o RBAC3 contains all
o The RBAC family idea has always been more a NIST initiative
o The RBAC families are present in the NIST RBAC standard [NIST2001] with slight modifications: RBAC0, RBAC1 (options), RBAC3 (SSD), RBAC3 (DSD)
o We only need to assign users and permissions to roles
o We can use inheritance in the role hierarchy to reduce the number of assignments that are required – this simplifies administration

RBAC models
o NIST (Ferraiolo et al., 1992-2000)
o RBAC96 (Sandhu et al., 1996)
o ARBAC97 (Sandhu et al., 1997-99)
o OASIS (Hayton et al., 1996-2001)
o Role Graph model (Nyanchama and Osborn, 1995-2001)
o Unified RBAC96 NIST model (Ferraiolo, Sandhu et al., 2001)
o Roles implemented in: Windows NT (as global and local groups), IBM's OS/400, Oracle onwards, the .NET framework
o There is no generally accepted standard for RBAC: role hierarchies, semantics of role hierarchies

RBAC: potential advantages
o Practical ease of specification: abstraction for users, permissions, constraints, administration
o Natural access control aggregations – based on organizational roles
  • as new employees join, their permission assignments are determined by their job
  • permission assignment is largely static
o Central control and maintenance of access rights
o Flexible enough to enforce least privilege, separation of duties, etc.

RBAC: potential problems
o Role hierarchy
  • Problem: does the organizational hierarchy correspond to a permission inheritance hierarchy?
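An added example (not from the lecture) of the RBAC1 and RBAC2 ideas above: users, roles, permissions and sessions, permission inheritance through a role hierarchy, and a static separation-of-duty constraint that is checked against the hierarchy closure, which is exactly where hierarchies and constraints interact. The role, user and permission names are constructed for the demo.

```python
# Added example (not from the lecture): RBAC1 hierarchy + RBAC2 static
# separation of duty (SSD) over the slide's entity types. Names are made up.
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]  # (operation, object)

# RBAC1 hierarchy: role -> roles it inherits permissions from (its juniors).
ROLE_PARENTS: Dict[str, List[str]] = {
    "employee": [], "clerk": ["employee"],
    "manager": ["clerk"], "auditor": ["employee"],
}
PERMS: Dict[str, Set[Permission]] = {
    "employee": {("read", "handbook")}, "clerk": {("write", "ledger")},
    "manager": {("approve", "payment")}, "auditor": {("read", "ledger")},
}
# RBAC2 SSD constraint: no user may hold both roles, directly or by inheritance.
SSD: Set[FrozenSet[str]] = {frozenset({"clerk", "auditor"})}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"manager"}, "bob": {"auditor"}}

def authorized_roles(role: str) -> Set[str]:
    """The role plus every role below it in the hierarchy (transitive)."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, []))
    return seen

def effective_permissions(roles: Set[str]) -> Set[Permission]:
    """Permissions of the given roles and of everything they inherit."""
    return {p for r in roles for a in authorized_roles(r) for p in PERMS.get(a, set())}

def assign_role(user: str, role: str) -> bool:
    """User-role assignment; refused if the hierarchy closure of the user's
    roles would contain an SSD pair (so inherited roles count too)."""
    new = USER_ROLES.get(user, set()) | {role}
    closure = set().union(*(authorized_roles(r) for r in new))
    if any(pair <= closure for pair in SSD):
        return False
    USER_ROLES[user] = new
    return True

def check(user: str, active_roles: Set[str], op: str, obj: str) -> bool:
    """Session check: a user may only activate roles assigned to them."""
    if not active_roles or not active_roles <= USER_ROLES.get(user, set()):
        return False
    return (op, obj) in effective_permissions(active_roles)
```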
RBAC: potential problems (continued)
  • Problem: do organizational roles make sense for building hierarchies?
o Constraints
  • Problem: constraints apply to all states, so they require a predicate calculus in general
  • Problem: only certain types of constraints can effectively be administered? (mutual exclusion, separation of duty, cardinality, etc.)
o Conflicts
  • may find other concepts useful for resolving conflicts between constraints and hierarchies/assignments

RBAC: evaluation
o Practical ease of specification: clear base model – need more help for constraints, admin
o Natural access control aggregations – based on organizational roles: in some cases, but not clear that organizational roles help with permission assignment – particularly with inheritance
o Central control and maintenance of access rights: a central view is a selling feature of products, but a single view of all can be complex (layering?)
o Flexible enough to enforce: flexible access control expression, but difficult to determine if we enforce our security goals (constraints)

ACL in Linux
o Each file has an owner, who has a unique user ID (UID)
o Access is possible for an owner, group, and world
o Permissions are read, write, execute
o Special permissions allow users and groups who are not the owner or group of a file to execute that file as though they were:
  • SETUID - set user ID on execute
  • SETGID - set group ID on execute
  • StickyBit - puts the directory in sticky mode

Example: chmod 4762 myfile translates to:
  setuid = on, setgid = off, sticky bit = off
  user = read + write + execute
  group = read + write
  other = write
Set UID, GID, sticky bit:
  chmod u+s = add setuid
  chmod g-s = remove setgid
  chmod o+t = add sticky bit
Others:
  chmod a+w = add write to *all*
  chmod a-wx = remove write and execute from *all*
  chmod -R 755 myfolder

ACLs provide finer-grained control over which users can access specific directories and files
o Using ACLs, you can specify the ways in which each of several users and groups can access a directory or file
o Commands:
  • displays the file name, owner, group and the existing ACL for a file: getfacl
  • sets ACLs of files and directories: setfacl -m
    setfacl -m [u|g|o]:user_or_group_name:permissions file_or_folder_name
  • removes rules from a file's or folder's ACL: setfacl -x
o Use numeric or character notation to set permissions

ACL in Windows
o Commands:
  • list: net user, net localgroup
  • change the permissions
  • testing - quickly start a program as another user: runas, e.g. runas /User:jack cmd.exe

Network access control (NAC):
o is an umbrella term for managing access to a network
o authenticates users logging into the network and determines what data they can access and actions they can perform
o examines the health of the user's computer or mobile device (endpoints)

Elements of a Network Access Control System
o Access requestor (AR): the node that is attempting to access the network: workstations, servers, printers, cameras, and other IP-enabled devices
o Policy server: determines what access should be granted; it may draw on systems such as antivirus, patch management, or a user directory to help determine the host's condition
o Network access server (NAS): an access control point for users in remote locations connecting to an enterprise's internal network; also called a media gateway, a remote access server (RAS), or a policy server, an NAS may include its own authentication services or rely on a separate authentication service from the policy server

NAC enforcement methods: applied to ARs to regulate access to the enterprise network
o Many vendors support multiple enforcement methods simultaneously, allowing the customer to tailor the configuration by using one or a combination of methods
o The following are common NAC enforcement methods:
  • IEEE 802.1X: a link layer protocol that enforces authorization before a port is assigned an IP address (uses the Extensible Authentication Protocol)
  • Virtual local area networks (VLANs): the NAC system decides to which of the network's VLANs it will direct an AR, based on whether the device needs security remediation
  • Firewall: provides a form of NAC by allowing or denying network traffic between an enterprise host and an external user
  • DHCP management: NAC enforcement occurs at the IP layer based on subnet and IP assignment (vulnerable to IP spoofing)

Extensible Authentication Protocol (EAP), defined in RFC 3748:
o a framework for network access and authentication protocols
o provides a set of protocol messages that can encapsulate various authentication methods to be used between a client and an authentication server
o operates over a variety of network and link level facilities, including point-to-point links, LANs, and other networks
o can accommodate the authentication needs of the various links and networks

EAP methods
o EAP-TLS (EAP Transport Layer Security): EAP-TLS (RFC 5216) defines how the TLS protocol can be encapsulated in EAP messages
  • uses the handshake protocol in TLS, not its encryption method
  • client and server authenticate each other using digital certificates
o EAP-TTLS (EAP Tunneled TLS) (RFC 5281):
  • like EAP-TLS, but only the server has a certificate to authenticate itself to the client
  • a secure connection is established with secret keys in the authentication process
o EAP-GPSK (EAP Generalized Pre-Shared Key): defined in RFC 5433, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK)
  • specifies an EAP method based on pre-shared keys and employs secret key-based cryptographic algorithms
  • is efficient in terms of message flows and computational costs, but requires the existence of pre-shared keys between each peer and EAP server
o EAP-IKEv2: Internet Key Exchange (based on IKEv2)
  • supports mutual authentication and session key establishment using a variety of methods

IEEE 802.1X was designed to provide access control functions for LANs
...
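The EAP framing that 802.1X carries between supplicant and authenticator, and the port-authorization rule the slides describe (no access before the authentication server's decision), as an added example that is not part of the lecture. The header layout follows RFC 3748 (Code, Identifier, Length, Type); the method type numbers are the IANA-registered ones for the methods the slides cite; the packets are constructed test vectors, not captured traffic.

```python
# Added example (not from the lecture): parse EAP packets (RFC 3748 framing)
# and model the authenticator's 802.1X controlled port, which stays
# unauthorized until an EAP Success arrives. Test packets are constructed.
import struct
from typing import Dict, Optional

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
METHODS = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 49: "EAP-IKEv2", 51: "EAP-GPSK"}

def parse_eap(pkt: bytes) -> Dict[str, object]:
    """Parse one EAP packet; raise ValueError on inconsistent framing."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError("Length field inconsistent with packet")
    msg: Dict[str, object] = {"code": CODES[code], "id": ident}
    if code in (1, 2):  # Request/Response carry a Type octet, then method data
        if length < 5:
            raise ValueError("Request/Response without Type")
        msg["method"] = METHODS.get(pkt[4], f"type-{pkt[4]}")
        msg["data"] = pkt[5:length]
    return msg

def is_malformed(pkt: bytes) -> bool:
    """True when the packet does not parse (a port should drop it unchanged)."""
    try:
        parse_eap(pkt)
        return False
    except ValueError:
        return True

def build_eap(code: int, ident: int, mtype: Optional[int] = None, data: bytes = b"") -> bytes:
    """Encode a packet (used here only to construct the test vectors)."""
    body = (bytes([mtype]) if mtype is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

class ControlledPort:
    """Authenticator-side 802.1X port: unauthorized until EAP Success."""
    def __init__(self) -> None:
        self.authorized = False
    def feed(self, pkt: bytes) -> bool:
        code = parse_eap(pkt)["code"]
        if code == "Success":
            self.authorized = True
        elif code == "Failure":
            self.authorized = False
        return self.authorized
```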