Week 3 – Part 1
Deakin University CRICOS Provider Code: 00113B
SIT182 – Real World Practices For Cyber Security
Trimester 2 – 2021
Deakin College
Topics:
• Access Control Basics
Access Control – The oldest information security mechanism.
Access control systems are a security mechanism that ensures all accesses and “actions on system objects by principals are within the security policy”.
Examples:
– Can Alice read file “/users/Bob/readme.txt”?
– Can Bob open a TCP socket to “http://abc.com/”?
– Can Charlie write to row 15 of table BILLS?
• If YES, we say they are “authorized” or have “permission”,
• If NO, they are “unauthorized” and “access is denied”.
Remember: only events within the security policy (remember Week 1?) should be
authorized.
What is Access Control?
Access Control includes both Authentication and Authorization:
Authentication:
• Are the principals/subjects who they claim to be?
Authorization:
• What should the principals/subjects be allowed to do?
Access Control – Basic Concepts
• The very nature of access control suggests that there is an active subject requiring
access to a passive object to perform some specific access operation.
• We will look at each of these components in the next few slides.
Access Control – Object
• Anything that holds data and that a subject wishes to access.
• Example: Files, Directories, System Processes, Inter-process messages, Network
packets, I/O devices, or physical media.
[Figure: Objects – processes in a system, files in a system]
Access Control – Subject
• Any active entity that performs computation in the system.
Subjects can be classified into:
• Users: single individuals connecting to the system
• Groups: sets of users
• Roles: collections of privileges (e.g., Admin, Student, Lecturer)
• Processes: programs executing on behalf of users
Access Control – Access Operations/Modes
• Operations that a subject can exercise on objects in the system.
• The most common are READ (observe only) and WRITE (observe and alter).
• The basic idea is that several different types of operation may be executed on a given type of object; the access control system must be able to control the specific type of operation.
Access Control – Access Operations/Modes
• In the UNIX operating system:
Files:
  READ: read from a file
  WRITE: write to a file
  EXECUTE: execute a file (program)
Folders:
  READ: list a directory's contents
  WRITE: create or rename a file in a directory
  EXECUTE: search a directory
Note: You will be learning about UNIX operating system access control (the famous 9 bits) in the Week 3 tasks …
Access Control – Reference Monitor
• Module that controls all software access to objects.
Reference monitor must be:
• Tamperproof
• Always invoked = non-bypassable (aka the Complete Mediation principle)
• Economical and simple
• Fully tested and analyzed
• How does the reference monitor decide whether to give access or not?
• Using Access Control Policies. For example:
  • Policy A: Tom can have READ access to File B
  • Policy B: Tom is a Military General and can have READ access to all files classified as SECRET
• To formalize access control policies, Access Control Models are used.
Access Control Models & Access Control Structures
[Figure: relationship between Access Control Policies, Access Control Models and Access Control Structures]
Access Control Models
• Access Control Models allow us to formally prove the security properties of a system.
• And if security is not achieved (or is compromised), to determine whether the model or the implementation is at fault.
• THREE main types:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
Discretionary Access Control (DAC)
• Restrict access to objects based on the identity of the subjects and a set of explicit access rules
• Objects have owners and the owners have the ability to grant/revoke access rights for others
The simplest way of implementing DAC is using an Access Control Matrix:
• Lists subjects in one dimension (rows)
• Lists objects in the other dimension (columns)
• Each entry specifies the access rights of the specified subject to that object
[Figure: matrix with Subject rows, Object columns and an Access Right in each cell]
DAC- Access Control Lists (ACL)
• An Access Control Matrix (ACM) is easy to define and verify, but it does not scale well
• E.g., 1000 users × 1000 resources ➔ 1,000,000 entries. Now, Subject X wants to access File Y: you need to browse through the whole matrix …
• Easy solution? Split the ACM into columns or rows. If by column, then we have an Access Control List (ACL)
                     os    Accounting   Accounting   Insurance   Payroll
                           program      data         data        data
Bob                  rx    rx           r            —           —
Alice                rx    rx           r            rw          rw
Sam                  rwx   rwx          r            rw          rw
Accounting program   rx    rx           rw           rw          rw

ACL(Insurance data) = {(Bob, —), (Alice, rw), (Sam, rw), (Acc prog, rw)}
DAC- Capabilities or C-List
• If the ACM is stored by row, then we have Capabilities or a C-List.
(Same Access Control Matrix as on the previous slide.)

C-list(Alice) = {(OS, rx), (Acct prog, rx), (Acct data, r), (Insur data, rw), (Payroll data, rw)}
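The ACL and C-List slides above both split the same matrix; the following added example (not from the lecture slides) builds that matrix in Python, derives the two views from it, and makes the reference-monitor decision from either one. Subject and object names are the slide's; the `—` entries are represented as "-".

```python
# Added example (not from the lecture slides): the Access Control Matrix of the
# ACL / C-List slides, stored whole, then split by column (ACL) and by row (C-List).
# Rights use the slide's strings; "-" means no access.
OBJECTS = ["os", "Accounting program", "Accounting data", "Insurance data", "Payroll data"]

# One row per subject, in the column order of OBJECTS (copied from the slide).
ROWS = {
    "Bob":                ["rx",  "rx",  "r",  "-",  "-"],
    "Alice":              ["rx",  "rx",  "r",  "rw", "rw"],
    "Sam":                ["rwx", "rwx", "r",  "rw", "rw"],
    "Accounting program": ["rx",  "rx",  "rw", "rw", "rw"],
}

def build_matrix(rows):
    """Full matrix as {subject: {object: set of right chars}}; '-' becomes the empty set."""
    return {s: {o: set(r) - {"-"} for o, r in zip(OBJECTS, rights)}
            for s, rights in rows.items()}

def acl(matrix, obj):
    """Column split: the ACL of one object lists every subject's rights on it."""
    return {s: matrix[s][obj] for s in matrix}

def clist(matrix, subject):
    """Row split: the C-List of one subject lists its rights on every object."""
    return dict(matrix[subject])

def authorized(matrix, subject, obj, op):
    """Reference-monitor decision: every requested right char must be in the entry.
    Unknown subjects or objects get an empty entry, so the default is deny."""
    return set(op) <= matrix.get(subject, {}).get(obj, set())

def views_agree(matrix):
    """ACLs and C-Lists are two decompositions of one matrix: each cell must match."""
    return all(acl(matrix, o)[s] == clist(matrix, s)[o]
               for s in matrix for o in OBJECTS)

def show(rights):
    """Render a rights set the way the slide does ('rw', or '—' for no access)."""
    return "".join(c for c in "rwx" if c in rights) or "—"

if __name__ == "__main__":
    m = build_matrix(ROWS)
    print("ACL(Insurance data) =", {s: show(r) for s, r in acl(m, "Insurance data").items()})
    print("C-list(Alice)       =", {o: show(r) for o, r in clist(m, "Alice").items()})
    print("Bob reads Payroll data?", authorized(m, "Bob", "Payroll data", "r"))
```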
DAC – ACL vs Capabilities
[Figure: the access rights of Alice, Bob and Fred on file1, file2 and file3, stored once as an Access Control List (one list per file) and once as Capabilities (one list per user)]
Access Control List:
+ Easy access to object access rights
– Poor view of access rights per subject
• Naturally fit for DAC
• Widely used in Operating Systems: Linux, Windows, Mac, …
Capability:
+ Easy transfer of ownership
– Poor view of access rights per object
– Difficult revocation of access rights
• Much harder to implement
• Better support for the least-privilege principle (Remember Week 1?)
Question
The confused deputy problem/attack is when a process tricks another process into performing an action that the first process does not have permission to perform.
Which one can prevent this problem from occurring: ACL or Capabilities?
[Extra optional reading: https://en.wikipedia.org/wiki/Confused_deputy_problem]
Mandatory Access Control (MAC)
• Centralized access control by means of system-wide policy.
• Access control rights are fixed by administrators.
• A limited number of implementations, e.g. SELinux, Systrace.
• A group or set of people is granted access based on their clearance for a specific level of access, depending on the classification of the information/data.
• Data that is “top secret” is available to the set of people whose clearance level allows access to “top secret” documents.
• Commonly used in the military
Role-Based Access Control (RBAC)
In an organization context, managing the access control system becomes overly complicated quickly:
[Figure: Users (Alice, Bob, Carl, Dave, Eva) each mapped directly to Permissions (Windows Account, Linux Account, WebSphere Account, DB2 Account)]
Role-Based Access Control: Permissions associated with roles, and users assigned to appropriate roles.
[Figure: Users (Alice, Bob, Carl, Dave, Eva) → Roles (DB Admin, Web Admin, Software Developer) → Permissions (Windows Account, Linux Account, WebSphere Account, DB2 Account)]
– Simple role-permission relationship
– Ability to meet the changing needs of an organization
Roles = aggregated privileges
Role-Based Access Control (RBAC) – Main Components
• User – an individual (with UID) with access to a system
• Role – a named job function (indicates the level of authority)
• Permission – equivalent to access rights
• Session – a mapping between a user and a set of roles to which the user is assigned in the context of a working time
• Object – a system resource that requires permission to access
• Operation – any action in the protected network (excluding Authentication)
• A user can execute an operation only if there is a role assigned to the subject.
• All user activities are carried out through operations.
Role-Based Access Control (RBAC) – key security benefits
RBAC supports:
• Least Privilege principle (remember Week 1?)
• Separation of Duties principle (remember Week 1?)
• Support for access authorization inheritance
• Role hierarchy defines specialization relationship (see figure)
• Access Control Operations simplified (Grant, Revoke, and Check)
• When a new employee comes to your company, it’s easy to assign a role to them. And
when someone leaves the company, you don’t need to change the role parameters or a
central policy.
Role-Based Access Control (RBAC) – Limitations
Problem 1: Role Explosion
• Temptation to create fine-grained roles, negating the benefits of RBAC
• The role set is then no longer small and simple
Problem 2: Simple RBAC has limited expressiveness
• Limited support for the granular policies needed to implement the Least Privilege principle
• Some roles are relative: “George’s Doctor”, not “any Doctor”
Problem 3: Separation of duty policies
• Limited support for the granular policies needed to implement the Separation of Duty principle
• Example policy: Any two doctors can authorize a procedure.
• The RBAC mechanism needs to ensure they are distinct!
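To tie the RBAC components, the role-hierarchy inheritance of the benefits slide and the "two distinct doctors" separation-of-duty problem together, here is an added example (not from the lecture slides) of a minimal RBAC engine. The role, user, object and operation names (Doctor, Surgeon, Clerk, patient_record, …) are constructed for illustration.

```python
# Added example (not from the lecture slides): a minimal RBAC engine with the
# components the slides name (user, role, permission, session, operation, object),
# role-hierarchy inheritance, and a separation-of-duty check. Names are constructed.
from collections import defaultdict

class Rbac:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.parents = defaultdict(set)      # role -> roles it specialises (inherits from)
        self.user_roles = defaultdict(set)   # user -> assigned roles
        self.sessions = {}                   # session id -> (user, activated roles)

    def add_role(self, role, perms, inherits=()):
        self.role_perms[role] |= set(perms)
        self.parents[role] |= set(inherits)

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def remove_user(self, user):
        """Leaver: only the user-role assignment changes; roles and policy stay as they are."""
        self.user_roles.pop(user, None)

    def closure(self, role):
        """The role plus every role it inherits from, walking up the hierarchy."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.parents.get(r, ()))
        return seen

    def holds_role(self, user, role):
        return any(role in self.closure(r) for r in self.user_roles.get(user, ()))

    def open_session(self, sid, user, roles):
        """A session activates a subset of the user's assigned roles; others are dropped."""
        self.sessions[sid] = (user, set(roles) & self.user_roles.get(user, set()))
        return self.sessions[sid][1]

    def check(self, sid, operation, obj):
        """Grant iff an activated role holds (operation, obj) directly or by inheritance."""
        _, roles = self.sessions.get(sid, (None, set()))
        return any((operation, obj) in self.role_perms.get(r, ())
                   for active in roles for r in self.closure(active))

def two_distinct_doctors(rbac, approvers):
    """'Any two doctors can authorize a procedure': approvers must hold Doctor and be distinct users."""
    return len({u for u in approvers if rbac.holds_role(u, "Doctor")}) >= 2
```

Because approvers are collected into a set of users, the same doctor approving twice counts once, which is the distinctness check the slide says the mechanism must enforce.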
Beyond RBAC
• Attribute-Based Access Control (ABAC)
• Context-Aware Access Control (CAC), …
Other models exist that are domain-specific or were designed as solutions to specific access problems.
Despite being the oldest information security mechanism, access control is an active area of research, especially given the increasing number of successful Insider Attacks (cause: mainly failure of access control).
Insider Threat & Access Control: The Wikileaks Case
[Figure: timeline – post 2001: prevent terrorist attacks; post 2011: prevent further leaks → impact is much worse!]
Interesting facts extracted from “WikiLeaks: Inside Julian Assange’s War on Secrecy”. 2010:
• Bradley Manning role: low-level serviceman.
• He had access to 2 machines: “each with privileged access to US state secrets”:
• one had access to Department of Defense and the State Department using Secret Internet Protocol Router Network.
• the other had access to Joint Worldwide Intelligence Communications System (JWICS) – Top secret information.
• He had unlimited access to all top-secret information with “virtually no supervision or safeguards ..”
• Manning transferred data on unmarked CDs. “Kind of sad. I didn’t even have to hide anything!” – Manning’s words.
References and Further Reading
[Chapter 2] Matt Bishop, Introduction to Computer Security
[Pages 180–183] Matt Bishop, Introduction to Computer Security
Acknowledgement
Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay
Jha (The University of New South Wales, Australia), Dr. Nicolas Courtois (University College London, UK), Dr George
Danezis (University College London, UK), and Dr Michael March (University of Maryland, USA).