Distributed computer security

Distributed computer security
8.2 Discretionary Access Control Models
- Ranjitha Shivarudraiah
Agenda

Concepts
• What are security policies?
• What is access control?
• Different types of ACM
• Concept of distributed compartment
• ACM implementations
• ACL vs CL

Research
• Case study: ACM for grid networks
• Example of an ACM for mobile devices by virtualization

Future expectations

CONCEPTS
Security policy

There are two kinds of security policies:

Simple security policies: access control matrix (ACM) models are widely used to enforce simple security policies.

Complex security policies: security requirements on how and when accesses are performed (special constraints are involved). These are the policies relevant to distributed systems.
Access control

Access control is a function that, given a subject and object pair (s, o) and a requested operation r from s on o, returns true if the requested operation is permitted:
R = P(s, o)
P – access matrix
R – set of allowable operations (r is a particular operation belonging to the set R)
s – subject
o – object
Access Control contd..

The process of access validation is performed by a ‘reference monitor’ that holds an ACM covering all subjects and objects.

In practice it is preferable to have separate reference monitors for different categories of subjects and objects.
Resource ACM
• In a resource ACM, subjects are users and objects are the files to be accessed.
• Access rights may include “read”, “write”, “execute”, “append”.
• Special privileges may be the “owner” and “copy” privileges. [1]
[1] Randy Chow & Theodore Johnson, 1997, “Distributed Operating Systems & Algorithms”
Process ACM
• In a process ACM the subjects and objects are both processes.
• Operations are basically related to communication and synchronization. [1]
Domain ACM
• Set of objects with the same access rights. [1]
ACM contd..

Reducing the size of the access control matrix

Subject rows in the ACM that have identical entries, i.e. subjects that have the same access rights on common objects, can be merged into groups.

If a user belongs to more than one group, its access rights are the union of the access rights of all the groups it belongs to.

Similarly, object columns with the same entries can be merged into ‘categories’.
Distributed compartment
Figure: Distributed Compartment [1] (Randy 1997)
Distributed compartment contd..

A distributed application with collaborating processes may consist of subject users and object resources that cross the boundaries of physical resources.

Here, a logical ACM called a ‘distributed compartment’ that regulates access among the collaborating users would serve a better purpose.

Access to the distributed compartments is based on ‘distributed handles’.

These handles are application oriented; they provide a protective wall around an application and are authenticated by the application.
DCM contd..

The distributed compartment model has a number of advantages:

The grouping of subjects and objects is logical and application specific.

The accesses are more transparent since they do not depend on the operating systems and administrative units.

Since the application manages the distributed handles, it allows different security policies to be implemented.
ACM implementations

For efficiency and organizational purposes, access control matrices need to be partitioned.

The linked list structure that contains all entries in a column for a particular object is called an Access Control List (ACL) for the object.
• An ACL specifies the permissible rights that various subjects have on the object.

Likewise, all entries in a row for a subject are called a Capability List (CL) for the subject.
• A CL specifies the privileges to various objects held by the subject.
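The access matrix check R = P(s, o) from the "Access control" slide, the merging of subject rows into groups with union-of-rights from "Reducing the size of the access control matrix", and the ACL (column) and CL (row) projections described just above, as one added Python example. It is not code from the presentation or from Chow & Johnson; the subjects, objects, groups and rights in MATRIX, GROUPS and GROUP_MATRIX are constructed sample data and the function names are the example's own.

```python
"""Added example: a small access control matrix with group merging and
ACL / CL projections. All data below is constructed for illustration."""
from typing import Dict, FrozenSet, Set

Rights = FrozenSet[str]

# Constructed matrix P: rows are subjects, columns are objects,
# P[s][o] is the set of rights subject s holds on object o.
MATRIX: Dict[str, Dict[str, Rights]] = {
    "alice": {"payroll.db": frozenset({"read", "write", "owner"}),
              "report.txt": frozenset({"read"})},
    "bob":   {"report.txt": frozenset({"read", "append"})},
    "carol": {"payroll.db": frozenset({"read"})},
}

# Constructed group membership; a user may belong to several groups.
GROUPS: Dict[str, Set[str]] = {
    "auditors": {"carol", "bob"},
    "hr":       {"alice"},
}

# Merged rows: rights granted to a whole group rather than to each member.
GROUP_MATRIX: Dict[str, Dict[str, Rights]] = {
    "auditors": {"payroll.db": frozenset({"read"}),
                 "audit.log": frozenset({"read", "append"})},
}


def rights_of(subject: str, obj: str) -> Rights:
    """P(s, o): the subject's own row united with every group row it belongs to."""
    rights: Set[str] = set(MATRIX.get(subject, {}).get(obj, frozenset()))
    for group, members in GROUPS.items():
        if subject in members:
            rights |= GROUP_MATRIX.get(group, {}).get(obj, frozenset())
    return frozenset(rights)


def permitted(subject: str, obj: str, op: str) -> bool:
    """The reference monitor's decision: true iff op is in R = P(s, o)."""
    return op in rights_of(subject, obj)


def acl(obj: str) -> Dict[str, Rights]:
    """Column projection: every subject or group holding rights on obj."""
    column: Dict[str, Rights] = {}
    for subject, row in MATRIX.items():
        if obj in row:
            column[subject] = row[obj]
    for group, row in GROUP_MATRIX.items():
        if obj in row:
            column[group] = row[obj]
    return column


def cl(subject: str) -> Dict[str, Rights]:
    """Row projection: every object the subject can reach, with its effective rights."""
    objects = set(MATRIX.get(subject, {}))
    for group, members in GROUPS.items():
        if subject in members:
            objects |= set(GROUP_MATRIX.get(group, {}))
    return {obj: rights_of(subject, obj) for obj in objects}


if __name__ == "__main__":
    print("bob may append to audit.log:", permitted("bob", "audit.log", "append"))
    print("ACL of payroll.db:", acl("payroll.db"))
    print("CL of bob:", cl("bob"))
```

Reviewing "who can reach payroll.db" is one call to acl(), while the same question asked of a capability system needs every subject's row scanned; this is the review asymmetry the later "ACL vs CL" slides describe.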
ACL vs CL
Figure: Comparison between ACLs and capabilities for protecting objects (using an ACL; using capabilities; lock-key implementation). Source: Randy 1997
ACL vs CL contd..

Comparison in terms of management functions:
• Authentication
• Reviewing of access rights
• Propagation of access rights
• Revocation of access rights
• Conversion between ACL and CL
Authentication

In an ACL, authentication of subjects is performed by the system.

In a CL, authentication is performed on the capabilities of objects, by the object server.

Objects have knowledge of the capabilities but do not know the users or processes. This is one of the reasons why many distributed implementations favor the CL approach.
Review of access rights

The aim is to know which subjects are authorized to use a certain object.

It is easier to review an ACL, because the ACL contains exactly this information. For storage efficiency, subject grouping, wildcards and prohibitive rights could also be used.

It is difficult to review a CL unless some type of activity log is kept for all subjects that are given the capability.
Propagation of access rights

Access rights must be replicable to facilitate sharing.

Propagation is the duplication of some or all of the privileges from one subject to others.

Propagation is not a transfer of rights; it is only duplication.

In an ACL, propagation of rights is explicitly initiated by a request to the object server, which modifies or adds an entry to its ACL.
Propagation of access rights contd..

Propagation of rights must adhere to the principle of least privilege, i.e. only the minimum privileges required to perform the task are given when propagating the rights.

In a CL, it is theoretically possible to propagate rights between subjects without the intervention of the object server. This could result in an uncontrollable system and hence is avoided.
Revocation of access rights

Revocation is trivial in an ACL because it is easy to delete subject entries from the ACL.

It is difficult for CLs to revoke access selectively.
Conversion between ACL & CL

Interactions among processes that use different access control models would require gateways for conversion.

Conversion to ACL is straightforward. Consider the example of processes in a CL system needing to access remote objects held under an ACL:

The gateway authenticates the process identifier.
It then verifies the operation in the capability list.
The request is then converted to ACL form and presented to the remote host.
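The management functions compared on the preceding slides (authentication of capabilities by the object server, propagation as duplication under least privilege, revocation in ACL versus CL form, and the three-step gateway conversion just above), as one added Python example. It is not code from the presentation or from Chow & Johnson: representing a capability as an HMAC-protected (object, rights) token is one common way to make it unforgeable and is this example's choice, the shared secrets in process_secrets and OBJECT_SERVER_KEY are constructed, and the assumption that the remote host's ACL names the process identifier as its subject is the example's own.

```python
"""Added example: MAC-protected capabilities, least-privilege propagation,
ACL vs CL revocation, and a CL-to-ACL gateway. All keys and names are constructed."""
import hashlib
import hmac
import json
from typing import Dict, Set

OBJECT_SERVER_KEY = b"constructed-object-server-key"   # known only to the object server
REVOKED_CAPABILITIES: Set[str] = set()                   # MACs the server no longer honours

ACL = Dict[str, Dict[str, Set[str]]]   # object -> {subject: rights}


def _mac(obj: str, rights, key: bytes) -> str:
    payload = json.dumps({"object": obj, "rights": sorted(rights)}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def mint_capability(obj: str, rights: Set[str]) -> dict:
    """The object server issues an (object, rights) token that cannot be altered without the key."""
    return {"object": obj, "rights": sorted(rights), "mac": _mac(obj, rights, OBJECT_SERVER_KEY)}


def capability_valid(cap: dict) -> bool:
    """CL authentication: the server checks the token itself, never the holder's identity."""
    expected = _mac(cap["object"], cap["rights"], OBJECT_SERVER_KEY)
    return hmac.compare_digest(cap["mac"], expected) and cap["mac"] not in REVOKED_CAPABILITIES


def propagate(cap: dict, wanted: Set[str]) -> dict:
    """Duplicate a capability with only the rights the recipient needs (least privilege).
    The original stays valid: this is duplication, not transfer. Re-minting needs the
    server key, so propagation stays mediated by the object server."""
    if not capability_valid(cap) or not wanted <= set(cap["rights"]):
        raise PermissionError("cannot propagate rights the holder does not have")
    return mint_capability(cap["object"], wanted)


def revoke_acl(acl: ACL, obj: str, subject: str) -> None:
    """ACL revocation: delete the subject's entry and nothing else has to change."""
    acl.get(obj, {}).pop(subject, None)


def revoke_capability(cap: dict) -> None:
    """CL revocation: the server must remember each token it wants to reject, and
    duplicates already propagated from it are unaffected, hence selective revocation is hard."""
    REVOKED_CAPABILITIES.add(cap["mac"])


def sign_request(process_secret: bytes, process_id: str, obj: str, op: str) -> str:
    """Tag a process attaches to its request so the gateway can authenticate the identifier."""
    return hmac.new(process_secret, f"{process_id}|{obj}|{op}".encode(), hashlib.sha256).hexdigest()


class Gateway:
    """Converts a capability-based request into an ACL request on a remote host."""

    def __init__(self, process_secrets: Dict[str, bytes], remote_acl: ACL):
        self.process_secrets = process_secrets   # one shared secret per known process id
        self.remote_acl = remote_acl             # the remote host's ACLs, keyed by object

    def forward(self, process_id: str, tag: str, cap: dict, op: str) -> bool:
        # 1. Authenticate the process identifier.
        secret = self.process_secrets.get(process_id)
        if secret is None:
            return False
        if not hmac.compare_digest(tag, sign_request(secret, process_id, cap["object"], op)):
            return False
        # 2. Verify the operation against the presented capability.
        if not capability_valid(cap) or op not in cap["rights"]:
            return False
        # 3. Convert to an ACL request: the remote ACL is assumed to name the process id.
        return op in self.remote_acl.get(cap["object"], {}).get(process_id, set())


if __name__ == "__main__":
    cap = mint_capability("report.txt", {"read", "append"})
    gw = Gateway({"p1": b"constructed-secret-p1"}, {"report.txt": {"p1": {"read"}}})
    tag = sign_request(b"constructed-secret-p1", "p1", "report.txt", "read")
    print("forwarded read:", gw.forward("p1", tag, cap, "read"))
```

The gateway refuses a request when any of the three steps fails, and the ACL on the remote host is the final authority: a capability that legitimately carries "append" is still refused when the remote ACL entry for the process lacks it.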
Research
Case study: ACM for grid networks [2]
“Access control of global distributed storage system” (Dr Xie et al, 2004)
Figure: Local distributed storage system, with a Certification and Authentication Server and a Name Server. Source: “Access control of global distributed storage system” (Dr Xie et al, 2004)
3. Requirements of access control in a data grid environment
• Single sign on
• Separation of duties
• High efficiency
• Centralized management and autonomy
• Support QoS (Quality of Service)
Source: “Access control of global distributed storage system” (Dr Xie et al, 2004)
Access control methods for mobile devices [5]
Figure: ACM for mobile devices [5]. The root of trust provides security (the ROM holds the master key); the virtual machine monitor provides flexibility.
[5] ACM for mobile devices (Dr Lee et al., 2008).
Future Expectations

An absolute trust mechanism in access control systems is an important subject of P2P security research.

Also, secure and efficient ACMs for huge networks, especially data-centric networks, will be effectively realized.

Excellent access control methods for highly dynamic real-time systems.
References
[1] Randy Chow & Theodore Johnson, 1997, “Distributed Operating Systems & Algorithms”, Addison-Wesley, pp. 271-278.
[2] Chao Xie; Hai Jin; Song Wu; Shengli Li; Zhiping Wang; “Access control of global distributed storage system”. Computer and Information Technology, 2004. CIT '04.
[3] Samarati, P.; Bertino, E.; Ciampichetti, A.; Jajodia, S.; “Information flow control in object-oriented systems”. IEEE Transactions on Knowledge and Data Engineering, Volume 9, Issue 4, July-Aug. 1997, pp. 524-538.
[4] Lin, Tsau Young (T. Y.); “Managing Information Flows on Discretionary Access Control Models”. Systems, Man and Cybernetics, 2006. ICSMC '06. IEEE International Conference on, Volume 6, 8-11 Oct. 2006, pp. 4759-4762.
[5] Sung-Min Lee; Sang-bum Suh; Bokdeuk Jeong; Sangdok Mo; “A Multi-Layer Mandatory Access Control Mechanism for Mobile Devices Based on Virtualization”. Consumer Communications and Networking Conference, 2008. CCNC 2008. 5th IEEE.
[6] http://en.wikipedia.org/wiki/Access_control (accessed on 27th October 2008).