Discretionary Access Control Models
Distributed Computer Security
8.2 Discretionary Access Control Models
- Liang Zhao
Outline
Security Policies
Discretionary Access Control Model
Access Control Matrix (ACM)
Distributed Compartments
ACM Implementation
ACL vs CL
References
Security Policy
There are two kinds of security policies:
Simple security policies
Access control matrix (ACM) models are widely used to
enforce simple security policies.
Complex security policies
Security requirements that constrain how and when accesses are
performed (special constraints are involved).
These are relevant to distributed systems.
Discretionary Access Control
Discretionary security models provide access
control on an individual basis.
Access control is based on
User’s identity and
Access control rules
Most common administration: owner-based
Users can protect what they own
Owner may grant access to others
Owner may define the type of access given to others
Access Control
An access control function, given a subject and object pair
(s, o) and a requested operation r from s to o, returns true
if the request is permitted.
R = P(s, o)
P – access matrix
R – set of allowable operations (r is a particular operation
belonging to the set R)
s – subject
o – object
Access Control Matrix
Access Control Matrix model is perhaps the most
fundamental and widely used discretionary
access control model for enforcing simple
security policies.
Resource and process protection can use separate
access control matrices.
[Randy, 97]
Resource ACM
In a resource ACM, subjects are users and objects are
the files to be accessed.
Access rights: "read", "write", "execute", "append".
Special privileges, such as the "owner" privilege, may also exist.
Process ACM
In a process ACM, both the subjects and the objects are
processes.
Operations are mainly related to communication and
synchronization.
Domain ACM
A domain is a set of objects with the same access rights.
Access Control Matrix
Reducing the Size of Access Control Matrix
Subject rows in the ACM that have identical entries, i.e. subjects
that have the same access rights on common objects, can be
merged into groups.
If a user belongs to more than one group, its access rights are the
union of the access rights of all the groups it belongs to.
Similarly, object columns with the same entries can be merged
into 'categories'.
[Randy, 97]
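Added example (written for this page, not from the slides): the check R = P(s, o) over an ACM stored as a nested dict, followed by the row-merging step above and the union rule for a user in several groups. All subjects, objects and rights are constructed sample data.

```python
# Added example (not from the slides): an access control matrix P as a
# nested dict, the check R = P(s, o), and merging identical subject rows
# into groups. All subjects, objects and rights are constructed sample data.
from collections import defaultdict

# P[subject][object] -> set of allowed operations (one ACM entry)
P = {
    "alice": {"payroll.db": {"read", "write", "owner"}, "report.txt": {"read"}},
    "bob":   {"payroll.db": {"read"}, "report.txt": {"read", "append"}},
    "carol": {"payroll.db": {"read"}, "report.txt": {"read", "append"}},
    "dave":  {"payroll.db": set(), "report.txt": {"read", "write", "execute"}},
}

def rights(P, s, o):
    """R = P(s, o): the operations s may perform on o (empty if no entry)."""
    return P.get(s, {}).get(o, set())

def permitted(P, s, o, r):
    """True iff the requested operation r on o is allowed for subject s."""
    return r in rights(P, s, o)

def merge_identical_rows(P):
    """Collapse subjects whose rows are identical into groups.
    Returns (group_rights, membership): group -> row, user -> set of groups."""
    by_row = defaultdict(list)
    for s, row in P.items():
        key = tuple(sorted((o, frozenset(rs)) for o, rs in row.items()))
        by_row[key].append(s)
    group_rights, membership = {}, defaultdict(set)
    ordered = sorted(by_row.items(), key=lambda kv: min(kv[1]))
    for n, (key, members) in enumerate(ordered, start=1):
        gname = "g%d" % n
        group_rights[gname] = {o: set(rs) for o, rs in key}
        for s in members:
            membership[s].add(gname)
    return group_rights, dict(membership)

def effective_rights(group_rights, membership, s, o):
    """A user in several groups gets the union of those groups' rights on o."""
    out = set()
    for g in membership.get(s, ()):
        out |= group_rights[g].get(o, set())
    return out
```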
A Distributed Compartment Model
[Figure: compartment access using distributed handles. A distributed compartment is a set of collaborating subjects and objects across node boundaries with an application-oriented ACM; each node holds its local subjects and objects.]
[Randy, 97]
Advantages of the distributed compartment model
The grouping of subjects and objects is logical and
application specific.
Accesses are more transparent, since they do not
depend on the operating systems and administrative
units.
Since the application manages the distributed handles,
different security policies can be implemented.
[Randy, 97]
ACM implementations
For efficiency and organizational purposes, access control
matrices need to be partitioned.
The linked-list structure that contains all entries in a
column for a particular object is called an access control list
(ACL) for the object; it specifies the permissible rights that
various subjects have on the object.
Likewise, all entries in a row for a subject form a
capability list (CL) for the subject; a CL specifies the privileges
to various objects held by a subject, like movie tickets.
Comparison of ACL & CL
Comparison in terms of management functions
Authentication
Reviewing of Access Rights
Propagation of Access Rights
Revocation of Access Rights
Conversion between ACL and CL
[Randy, 97]
Authentication
In ACL, subjects are authenticated, and this is performed by the
system.
In CL, authentication is performed on the
capabilities for objects, by the object server.
Objects have knowledge of the capabilities, but do not
know the users or processes. This is one of the
reasons why many distributed implementations
favour the CL approach.
Review of Access Rights
The goal is to know which subjects are authorized to use a certain
object.
It is easier to review an ACL, because the ACL contains exactly this
information. For storage efficiency, subject grouping,
wildcards and prohibitive (negative) rights can also be used.
It is difficult to review a CL unless some type of activity
log is kept for all subjects that are given the capability.
Propagation Of Access Rights
Access rights must be replicable to facilitate sharing.
Propagation is the duplication of some or all of the privileges from
one subject to others.
Propagation is not a transfer of rights; it is only duplication.
In ACL, propagation of rights is explicitly initiated by a request
to the object server, which modifies or adds an entry in its ACL.
[Randy, 97]
Propagation Of Access Rights
Propagation of rights must adhere to the principle of least
privilege,
i.e. only the minimum privileges required to perform the task
are given when propagating the rights.
In CL, it is theoretically possible to propagate rights between subjects
without the intervention of the object server.
This could result in an uncontrollable system and hence is
avoided.
Revocation Of Access Rights
Revocation is trivial in ACL because it is easy to delete subject
entries from the ACL.
It is difficult for CLs to revoke access selectively.
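Added example (written for this page, not from the slides) covering the ACL/CL comparison from the ACM partitioning through review, propagation and revocation: the two views are derived from one ACM, review is a single lookup on the ACL but a scan of every CL, propagation goes through the object server and copies only the requested subset of rights the owner holds, and revocation is one deletion on the ACL but a search over all holders for CLs. Subjects, objects and rights are constructed sample data.

```python
# Added example (not from the slides): the ACL (column) and CL (row) views
# of one ACM, and why review, propagation and revocation differ between them.
# Subjects, objects and rights below are constructed sample data.
ACM = {
    "alice": {"payroll.db": {"read", "write", "owner"}, "report.txt": {"read"}},
    "bob":   {"payroll.db": {"read"}, "report.txt": {"read", "append"}},
    "carol": {"report.txt": {"read", "append"}},
}

def to_acls(acm):
    """Column view: object -> {subject: rights}, held by each object server."""
    acls = {}
    for s, row in acm.items():
        for o, rs in row.items():
            acls.setdefault(o, {})[s] = set(rs)
    return acls

def to_cls(acm):
    """Row view: subject -> {object: rights}, the 'tickets' a subject holds."""
    return {s: {o: set(rs) for o, rs in row.items()} for s, row in acm.items()}

def review_acl(acls, o):
    """Who may access o? The ACL holds exactly this: one lookup."""
    return set(acls.get(o, {}))

def review_cl(cls, o):
    """Same question with CLs: every subject's list must be scanned (or an
    activity log of issued capabilities consulted)."""
    return {s for s, caps in cls.items() if o in caps}

def propagate_acl(acls, granter, grantee, o, requested):
    """ACL propagation goes through the object server and duplicates (never
    transfers) rights; least privilege: only requested rights the owner holds."""
    held = acls.get(o, {}).get(granter, set())
    if "owner" not in held:
        raise PermissionError("%s does not own %s" % (granter, o))
    granted = set(requested) & (held - {"owner"})
    acls[o].setdefault(grantee, set()).update(granted)
    return granted

def revoke_acl(acls, o, s):
    """ACL revocation is trivial: delete the subject's entry for o."""
    return acls.get(o, {}).pop(s, None) is not None

def revoke_cl(cls, o):
    """CL revocation is not selective: the capability may have been copied,
    so every holder's list must be found and edited."""
    holders = [s for s, caps in cls.items() if o in caps]
    for s in holders:
        del cls[s][o]
    return holders
```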
Conversion Between ACL & CL
Interactions among processes involving different access control
models require gateways for conversion.
Conversion to ACL is straightforward.
Consider the example of processes in a CL system needing to access
remote objects in an ACL system:
The gateway authenticates the process identifier.
It then verifies the operation in the capability list.
The request is then converted to an ACL request and presented to the remote
host.
[Randy, 97]
Conversion Between ACL & CL
Converting an ACL request to CL is slightly more complex.
It requires a database with resource capabilities for the
interacting processes.
The gateway validates the ACL request,
obtains the resource capability from the database server,
and the capability is then presented to the capability-based object server.
A system utilizing both ACL and CL suffers the drawbacks of
both approaches.
Furthermore, the conversions cause additional security hazards.
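Added example (written for this page, not from the slides): both gateway conversions from the two slides above. The CL-to-ACL path authenticates the process identifier, verifies the operation against the capability and emits an ACL-style request; the ACL-to-CL path validates the request against the ACL, fetches the resource capability from a database and presents it to the capability-based object server. Representing a capability as a MAC-protected string with a key shared by the object server and the gateway is an assumption of this example, and all process, object and key names are constructed.

```python
# Added example (not from the slides): a gateway converting a capability (CL)
# request into an ACL request for a remote ACL host, and the reverse path
# through a capability database. Representing a capability as a MAC-protected
# string is an assumption of this example; all names are constructed.
import hmac, hashlib

CL_KEY = b"constructed-object-server-key"  # shared by object server and gateway

def issue_capability(pid, obj, rights):
    """Object server mints a capability: fields plus a keyed MAC over them."""
    body = "%s|%s|%s" % (pid, obj, ",".join(sorted(rights)))
    return body + "|" + hmac.new(CL_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify_capability(cap):
    """Returns (pid, obj, rights) if the MAC is valid, else None."""
    body, _, tag = cap.rpartition("|")
    good = hmac.new(CL_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, tag):
        return None
    pid, obj, rs = body.split("|")
    return pid, obj, set(rs.split(","))

def cl_to_acl_request(authenticated_pids, cap, op):
    """CL -> ACL gateway: authenticate the process id, verify op is in the
    capability, then emit an ACL-style (subject, object, op) request."""
    parsed = verify_capability(cap)
    if parsed is None:
        return None
    pid, obj, rights = parsed
    if pid not in authenticated_pids or op not in rights:
        return None
    return {"subject": pid, "object": obj, "op": op}

def acl_to_cl_request(acls, cap_db, req):
    """ACL -> CL gateway: validate the request against the ACL, fetch the
    resource capability from the database, present it to the object server."""
    s, o, op = req["subject"], req["object"], req["op"]
    if op not in acls.get(o, {}).get(s, set()):
        return None
    cap = cap_db.get((s, o))
    if cap is None:
        return None
    parsed = verify_capability(cap)
    return cap if parsed and op in parsed[2] else None
```

The last check in the reverse path shows the hazard the slide mentions: the ACL may deny an operation that the stored capability would still permit, so the gateway must enforce the stricter of the two.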
My current research
Distributed Computing in Smart Grid
Distributed Computing in SG
[Figure: WAMS architecture, with PMUs feeding PDCs.]
Distributed Computing in SG
[Figure: PDC 1 to PDC 5 exchanging shared states.]
References
[1] Randy Chow and Theodore Johnson, 1997, "Distributed Operating Systems & Algorithms", Addison-Wesley, pp. 271-278.
[2] Samarati, P.; Bertino, E.; Ciampichetti, A.; Jajodia, S.; "Information flow control in object-oriented systems", IEEE Transactions on Knowledge and Data Engineering, Volume 9, Issue 4, July-Aug. 1997, pp. 524-538.
[3] Izaki, K.; Tanaka, K.; Takizawa, M.; "Access control model in object-oriented systems", Seventh International Conference on Parallel and Distributed Systems: Workshops, 4-7 July 2000, pp. 69-74.
[4] Lin, Tsau Young (T. Y.); "Managing Information Flows on Discretionary Access Control Models", IEEE International Conference on Systems, Man and Cybernetics (ICSMC '06), Volume 6, 8-11 Oct. 2006, pp. 4759-4762.
[5] Solworth, J.A.; Sloan, R.H.; "A layered design of discretionary access controls with decidable safety properties", Proceedings of the 2004 IEEE Symposium on Security and Privacy, 9-12 May 2004, pp. 56-67.
QUESTIONS ?
Thank you!