Authorization and Access Control

University of Regensburg Department of Information Systems

Günther Pernul, Torsten Priebe

Authorization and Access Control European Intensive Programme on Information and Communication Security (IPICS) University of the Aegean, Chios, July 2005

Agenda

1. Introduction
2. Authorization and access control models
   - Discretionary access controls
   - Mandatory access controls
   - Role-based access controls
   - Attribute-based access controls
   - Other approaches

Agenda (2)

3. Cases (partly optional)
   - DAC and SQL security
   - MAC and multi-level secure databases
   - IRO-DB: an advanced RBAC authorization schema
   - CSAP: an adaptable security module for web-based information systems
   - ABAC with SAML and XACML
   - RBAC and Enterprise Java Beans

1. Introduction

- IT systems are generally represented by a number of objects (e.g. data, files), subjects (e.g. users) and possible actions (e.g. read, write) within a certain environment
- A security policy consists of a set of rules which define the threats the IT system has to cope with and the way in which certain subjects can access certain objects

Security requirements

- Remember the security requirements of an IT system
  - Confidentiality
  - Integrity
  - Availability
  - (Authenticity, non-repudiation, privacy, ...)

Security services

- What are the basic services a trustworthy IT system has to provide? Usually you find:
  - User identification and authentication
  - Authorization and access control
  - Auditing
  - (Secure communication, cryptography, digital signatures, ...)

User identification and authentication

- Identification is the process of determining a subject's identity
- During the authentication process a subject proves the indicated identity
- E.g., if a user logs on to the IT system, he indicates an identity using a user name and proves this identity by entering a password

Authorization and access control

- Authorization deals with defining which access rights (e.g. read, write, delete, execute) regarding a certain object a certain subject possesses
- Access control examines whether a certain subject possesses the authorization to access a desired object; as a result the action is granted or denied
  => Access control addresses the confidentiality (read access) and integrity (write access) security requirements

Auditing

- Auditing aims at (reactively) uncovering and proving offenses against the security policy by preserving evidence (i.e. logging user activities)

Access control basics

- Security object: Passive entity that contains or receives information (file, database, relation, tuple, memory segment, printer, ...)
- Security subject: Active entity, often in the form of a person (user), accessing an object, changing its state, or causing information to flow between different objects and subjects
- Action: Abstract operation initiated by a subject on an object; among others, creation or deletion of files, database requests, modification of documents, ...

Access control matrix

- The simplest way to implement an access control policy is an access control matrix
- On one axis all subjects and on the other axis all objects are listed
- The intersecting cell stores the permitted actions (e.g. read, write, execute, ...) for the subject on the object

  (Figure: matrix with subjects s1, s2, ... as rows and security objects o1, o2, ... as columns; cells hold entries such as rw or r)

Access control list

- Another possibility is the use of access control lists (ACL)
- Two possible implementations:
  - A list is assigned to each object, containing all users that have access to the object (and their permitted actions)
  - A list is assigned to each subject, storing all access rights granted to the subject for accessing certain objects
- Access control lists can be understood as a matrix which is split into its individual columns or rows (without the empty cells)

2. Access control models

- An access control model is an abstraction used to represent the security policy of an organization
- The models are independent of a specific domain
  - They can be used by a DBMS to provide database security
  - The same models can be applied on the application level, i.e. an application program can use an API to check a user's permissions and react correspondingly

Discretionary access control model (DAC)

- Stated in terms of security objects, security subjects, and access privileges
- Basic primitives:
  - Users can protect the data they "own"
  - The owner may grant access to others
  - The owner may define the type of access (read, write, execute, ...) given to others
  - Granting and revoking of access privileges is at the discretion of the users themselves

Technical view on DAC

- Let O be a set of objects, S be a set of security subjects, T be a set of access types, and, in order to represent content-based access rules, P be a set of predicates
- The tuple (o, s, t, p) is called an authorization, and a function f is defined to determine whether an authorization (o, s, t, p) is valid or not:
  f: O × S × T × P → {true, false}

Technical view on DAC (2)

- For any (o, s, t, p), if f(o, s, t, p) evaluates to true, subject s has the authorization to access object o applying the access type t within the range defined by the predicate p
- Principle of delegation of rights
  - A right is the portion of an authorization that a subject holds
  - A subject si who holds the right may be allowed to delegate that right to another subject sj (i ≠ j)

Discussion of DAC

- Advantages:
  - A well-known technique, only few open research issues
  - Supported by many commercial software systems (e.g. DBMS)
- Problems:
  - Cannot withstand sophisticated attacks (e.g. Trojan horse attacks)
  - No information flow control, "copy" problem

Control of information flow

- (Figure) The existence of file T reveals information about the value of profit; its content even more ...

Mandatory access control policies (MAC)

- Aim: regulate the flow of information between subjects and objects
- Examples:
  - Military security model
  - Need-to-know principle
  - Bell and LaPadula model

Military security model

- Security objects and security subjects are assigned security labels, e.g.
  - Confidential < Classified < Secret < Top_Secret
  - Public < Company_Confidential < High_Security
- The security level of an object O is called its classification, class(O)
- A subject S must be cleared to access sensitive information, clear(S)
- Access is granted if clear(S) ≥ class(O)

Need-to-know principle

- Each security object is associated with one or more "projects", called compartments
- A security subject is allowed to access an object if the subject has a need to know the content of the object
- Example:
  - Compartments: {medical data, financial data, private data}
  - Comp(O) = {medical data, financial data}
- Access is granted if Comp(O) ⊆ NTK(S)

Need-to-know principle (2)

- Extending the need-to-know principle to cover information flow
  - Read: S is allowed to read O if Comp(O) ⊆ NTK(S)
  - Write: S may write O if Comp(O) ⊇ NTK(S)

Need-to-know principle (3)

- Example:
  - Compartments: {medical data (M), financial data (F), private data (P)}
  - Comp(O) = {M, F}
  - NTK(S1) = {F}, NTK(S2) = {P}, NTK(S3) = {P, M}, NTK(S4) = {F, M, P}
- Results:
  - S1 may only write O
  - S4 may only read O
  - S2 and S3 may not access O

Bell and LaPadula model

- Objective of the model: trying to keep secrets
- A security level consists of two components, an entry of a hierarchical list of sensitivity levels and a member of a set of compartments
- Dominance relation between security levels: "≥"
  - Simple Security Property: Successful read access if Clear(S) ≥ Class(O)
  - *-Property: Successful write access if Class(O) ≥ [=] Clear(S)

Bell and LaPadula model (2)

- The *-property protects information from being "written down" along the hierarchy of sensitivity levels
- Write but no read access to higher classified data!
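As an added illustration (not part of the slides), the following Python code models Bell and LaPadula security levels as (sensitivity level, compartment set) pairs with the dominance relation, and replays the need-to-know example (Comp(O) = {M, F}, S1..S4) at a single sensitivity level; the sensitivity ordering is the one from the Military security model slide, and the concrete labels used are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Ordered sensitivity levels from the slides, lowest first.
SENSITIVITY = ["Confidential", "Classified", "Secret", "Top_Secret"]


@dataclass(frozen=True)
class Level:
    """A security level: sensitivity entry plus a set of compartments."""
    sensitivity: str
    compartments: FrozenSet[str]

    def dominates(self, other: "Level") -> bool:
        # "self >= other": at least as sensitive AND a superset of the compartments.
        return (SENSITIVITY.index(self.sensitivity) >= SENSITIVITY.index(other.sensitivity)
                and self.compartments >= other.compartments)


def may_read(clear: Level, cls: Level) -> bool:
    # Simple Security Property: Clear(S) >= Class(O), i.e. no read-up.
    return clear.dominates(cls)


def may_write(clear: Level, cls: Level) -> bool:
    # *-Property: Class(O) >= Clear(S), i.e. no write-down (writing up is allowed).
    return cls.dominates(clear)


def allowed(clear: Level, cls: Level) -> str:
    """Summarise which of read/write a subject with clearance `clear` has on `cls`."""
    r, w = may_read(clear, cls), may_write(clear, cls)
    return {(True, True): "read/write", (True, False): "read only",
            (False, True): "write only", (False, False): "no access"}[(r, w)]


def need_to_know_example() -> dict:
    """Slide example: Comp(O) = {M, F}; every label is kept at the same sensitivity
    level (assumed "Secret") so that the compartments alone decide."""
    obj = Level("Secret", frozenset({"M", "F"}))
    ntk = {"S1": {"F"}, "S2": {"P"}, "S3": {"P", "M"}, "S4": {"F", "M", "P"}}
    return {s: allowed(Level("Secret", frozenset(c)), obj) for s, c in ntk.items()}


if __name__ == "__main__":
    for subject, result in need_to_know_example().items():
        print(subject, result)
    # Sensitivity alone: a Secret clearance on Top_Secret data gives write-only access.
    print(allowed(Level("Secret", frozenset()), Level("Top_Secret", frozenset())))
```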

Biba model

- Objective of the model: trying to keep integrity
- Biba defines "integrity levels" which are analogous to the sensitivity levels of Bell and LaPadula
- Objects with a high level of integrity should not be modified by subjects with a lower level of integrity

Biba model (2)

- Simple Integrity Property: Subject S can modify object O if I(S) ≥ I(O)
- Integrity *-Property: If subject S has read access to object O with I(O), S can have write access to object P only if I(O) ≥ I(P)
- The *-property protects information from flowing up along the hierarchy of integrity levels

Biba model (3)

Chinese wall policy

Role-based access control (RBAC)

- Compared to the models described so far, role-based access control introduces an additional indirection by means of the concept of a role
- This concept removes the direct links between authorizations and subjects (users)
- Roles are a suitable means to encapsulate the organizational functions/duties (e.g. secretary, operator) of a user

Role-based access control (RBAC) (2)

- Different roles can be designed, each for a different type of competence, which are then assigned to the users
- The assignment of users to roles is unaffected if the competences of a role, and thus its authorizations, are changed
- Likewise the membership of users in roles may change without having to touch the definition of the respective roles

Role-based access control (RBAC) (3)

- RBAC realizes the security principle of "least privilege" by assigning only those authorizations that are absolutely necessary for the fulfillment of the subject's functions
- A subject cannot obtain more authorizations from a second subject, i.e. contrary to DAC, there is no delegation of rights

Role-based access control (RBAC) (4)

Formal RBAC model

- An RBAC model can formally be described by the following tuple:
  RBAC = (U, O, R, P, UA, PA, session)
- The elements are:
  - A set of subjects (users) U
  - A set of objects O
  - A set of roles R
  - A set of access permissions P

Formal RBAC model (2)

- RBAC elements (contd.):
  - A relation UA (user assignment) that describes which roles from the set R are assigned to a certain subject (user)
  - A relation PA (permission assignment) that describes which authorizations from the set P are assigned to a role
  - A relation session describing pairs (u, r); a user can activate a subset of his possible roles in a session

RBAC reference model

- The proposed standard for role-based access control of the National Institute of Standards and Technology (NIST) contains a reference model which is divided into four sub-models:
  - Core RBAC
  - Hierarchical RBAC
  - Constraint RBAC
  - Consolidated model (hierarchical and constraint RBAC)

RBAC reference model (2)

Core RBAC

Hierarchical RBAC

Hierarchical RBAC (2)

Constraint RBAC

Static separation of duty

- Static separation of duty is useful where fields of activity are in a conflict of interest that could be breached by the simultaneous membership of a user in multiple roles or by role inheritance
- In constraint RBAC, constraints can be defined for the UA relation and the role hierarchy to limit the possible instances

Dynamic separation of duty

- Constraints can also be applied to the session_role relation in order to limit the dynamic allocation of roles to sessions
- I.e. in contrast to core RBAC, where a user can activate as many of the assigned roles as desired, in constraint RBAC only those roles can be activated which do not conflict with any dynamic limitation of competences

Dynamic separation of duty (2)

- For example, it might be important that only one super user can be active in a system at a time; another user who is also assigned to the super user role cannot activate that role in his session unless the other user deactivates it
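Added example (not from the slides): the formal RBAC relations UA, PA and session in Python, with a static separation-of-duty constraint enforced on UA and the super-user case from the slide above enforced as a dynamic cardinality constraint at role activation. User names, role names and permissions are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (operation, object), e.g. ("write", "config")


class ConstraintViolation(Exception):
    """Raised when a UA assignment or a role activation breaks a constraint."""


@dataclass
class RBAC:
    UA: Dict[str, Set[str]] = field(default_factory=dict)          # user -> roles
    PA: Dict[str, Set[Permission]] = field(default_factory=dict)   # role -> permissions
    sessions: Dict[str, Set[str]] = field(default_factory=dict)    # session -> active roles
    session_user: Dict[str, str] = field(default_factory=dict)     # session -> user
    ssd: Set[FrozenSet[str]] = field(default_factory=set)          # mutually exclusive role sets
    dsd_cardinality: Dict[str, int] = field(default_factory=dict)  # role -> max active sessions

    def assign_user(self, user: str, role: str) -> None:
        # Static SoD is enforced on the UA relation itself.
        roles = self.UA.setdefault(user, set()) | {role}
        for exclusive in self.ssd:
            if exclusive <= roles:
                raise ConstraintViolation(f"SSD: {user} may not hold {sorted(exclusive)}")
        self.UA[user].add(role)

    def open_session(self, sid: str, user: str) -> None:
        self.sessions[sid], self.session_user[sid] = set(), user

    def activate(self, sid: str, role: str) -> None:
        # Dynamic SoD is enforced on the session_role relation at activation time.
        user = self.session_user[sid]
        if role not in self.UA.get(user, set()):
            raise ConstraintViolation(f"{user} is not assigned role {role}")
        active = sum(1 for roles in self.sessions.values() if role in roles)
        if active >= self.dsd_cardinality.get(role, float("inf")):
            raise ConstraintViolation(f"DSD: {role} is already active in another session")
        self.sessions[sid].add(role)

    def deactivate(self, sid: str, role: str) -> None:
        self.sessions[sid].discard(role)

    def check_access(self, sid: str, perm: Permission) -> bool:
        # Only roles activated in this session count, not every role in UA.
        return any(perm in self.PA.get(r, set()) for r in self.sessions[sid])


def violates(action, *args) -> bool:
    """True if action(*args) is rejected with a ConstraintViolation."""
    try:
        action(*args)
        return False
    except ConstraintViolation:
        return True


def build_example() -> "RBAC":
    """Constructed model: one super user at a time, purchaser/approver conflict."""
    m = RBAC()
    m.ssd.add(frozenset({"purchaser", "approver"}))
    m.dsd_cardinality["superuser"] = 1
    m.PA = {"superuser": {("write", "config")}, "operator": {("read", "log")}}
    for user, role in [("alice", "operator"), ("alice", "superuser"), ("bob", "superuser")]:
        m.assign_user(user, role)
    m.open_session("s1", "alice")
    m.open_session("s2", "bob")
    return m
```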

Discussion

- Problems of regular RBAC models in open, heterogeneous environments
  - Complex, fine-granular role hierarchies, especially in an Internet (e-Commerce, e-Government) context
  - Short-term or dynamic "roles", e.g. for projects, location-based
  - Unmanageable number of subjects and objects (e.g. documents), users not known beforehand or anonymous
  - Manual assignment of roles and permissions unfeasible

Attribute-based Access Control (ABAC)

- Solution: authorizations based on user and object attributes

Attribute-based Access Control (2)

- Example (e-Government environment)
  - "Documents concerning a certain city development project in Regensburg may be accessed by adult neighbors"
  - The role "adults living on Hemauerstraße in Regensburg" is fine-granular, its necessity not known beforehand
- Goal: an access control model providing more flexibility without losing the intuitive handling

Attribute-based Access Control (3)

- Several attribute-based access control models have been defined in the literature
  - DLAM (Adam et al., 2002)
  - UCON_ABC (Park and Sandhu, 2004)
  - XACML (OASIS Standard, 2003)
  - ...
- Unified ABAC model presented as a security pattern (IFIP 11.3 2004)

Unified ABAC Model

(Figure: UML class diagram of the unified ABAC model. Classes: Subject, Subject AttributeValue (value), Subject Attribute, Subject Qualifier (operator, value), Subject Descriptor, Authorization (accessType; association isAuthorizedFor between Subject Descriptor and Object Descriptor), Object Descriptor, Object Qualifier (operator, value), Object Attribute, Object AttributeValue (value), Object)

Unified ABAC Model (2)

ABAC Terminology

- UCON_ABC and XACML do not use sessions; attributes are sent with every request

ABAC Policies

- User attributes (credentials), e.g. following X.500, possibly coming from attribute certificates
  - dn (Distinguished Name)
  - l (Locality)
  - street
  - role
  - ...
- Also dynamic attributes (e.g. current location)

ABAC Policies (2)

- Object attributes (properties), e.g. following the Dublin Core metadata standard
  - type
  - creator
  - subject
  - coverage
  - ...
- Can be represented in RDF; use an ontology e.g. as the domain for coverage

UML-based Notation for ABAC Policies

ABAC Example

- See the e-Government scenario above

ABAC Example (2)

- Sample Subject
  - role = "Citizen"
  - dn = "cn=Torsten Priebe,l=Regensburg,c=de"
  - street = "Hemauerstraße"
  - l = "Regensburg", c = "de"
  - age = "30"
  - ...
- The subject gets access as he is considered a NeighborHemauer due to his attribute values
- A manual role assignment is not necessary

ABAC Examples with Conditions

(Figure, UML-based policy notation:)
- Subject descriptor Customer {role = "Customer"} with attribute age; object descriptor Movie {type = "Movie"} with attribute rating; authorization view {age >= rating}
- Subject descriptor Applicant with attribute dn; object descriptor Application with attribute creator; authorizations create, read {dn = creator}, modify {dn = creator}
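Added example (not from the slides): a small Python evaluator for the unified ABAC model's descriptors, qualifiers and conditions, encoding the e-Government, Movie and Application examples above. The subject attributes are those of the sample subject; the document's object attributes and the age limit 18 for "adult" are assumptions.

```python
import operator
from dataclasses import dataclass
from typing import Any, Dict, Iterable, Tuple

# Operators a qualifier or condition may use (a subset; the slides leave the operator set open).
OPS = {"=": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le}

Qualifier = Tuple[str, str, Any]   # (attribute, operator, constant), e.g. ("age", ">=", 18)
Condition = Tuple[str, str, str]   # (subject attribute, operator, object attribute)
Attrs = Dict[str, Any]


def matches(descriptor: Tuple[Qualifier, ...], attrs: Attrs) -> bool:
    """A descriptor matches an entity if every qualifier holds; a missing attribute never matches."""
    return all(a in attrs and OPS[op](attrs[a], const) for a, op, const in descriptor)


@dataclass(frozen=True)
class Authorization:
    subject: Tuple[Qualifier, ...]     # subject descriptor
    obj: Tuple[Qualifier, ...]         # object descriptor
    access_type: str
    conditions: Tuple[Condition, ...] = ()

    def permits(self, s: Attrs, o: Attrs, access: str) -> bool:
        return (access == self.access_type and matches(self.subject, s) and matches(self.obj, o)
                and all(sa in s and oa in o and OPS[op](s[sa], o[oa])
                        for sa, op, oa in self.conditions))


def is_authorized(policy: Iterable[Authorization], s: Attrs, o: Attrs, access: str) -> bool:
    # Closed policy: granted only if some authorization permits the request.
    return any(a.permits(s, o, access) for a in policy)


# Policy constructed from the slides' examples (the document's qualifiers and
# the age limit 18 for "adult" are assumptions).
POLICY = (
    Authorization(subject=(("street", "=", "Hemauerstraße"), ("l", "=", "Regensburg"), ("age", ">=", 18)),
                  obj=(("type", "=", "Document"), ("subject", "=", "Hemauerstraße development")),
                  access_type="read"),
    Authorization(subject=(("role", "=", "Customer"),), obj=(("type", "=", "Movie"),),
                  access_type="view", conditions=(("age", ">=", "rating"),)),
    Authorization(subject=(("role", "=", "Applicant"),), obj=(("type", "=", "Application"),),
                  access_type="read", conditions=(("dn", "=", "creator"),)),
    Authorization(subject=(("role", "=", "Applicant"),), obj=(("type", "=", "Application"),),
                  access_type="modify", conditions=(("dn", "=", "creator"),)),
)

# Sample subject from the slides (age as an integer so that it can be compared).
TORSTEN: Attrs = {"role": "Citizen", "dn": "cn=Torsten Priebe,l=Regensburg,c=de",
                  "street": "Hemauerstraße", "l": "Regensburg", "c": "de", "age": 30}
PLAN: Attrs = {"type": "Document", "subject": "Hemauerstraße development"}  # constructed object

if __name__ == "__main__":
    print("neighbor reads plan:", is_authorized(POLICY, TORSTEN, PLAN, "read"))
    print("neighbor modifies plan:", is_authorized(POLICY, TORSTEN, PLAN, "modify"))
```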

ABAC and Discretionary Access Control

- The mapping of DAC policies to ABAC is quite straightforward
  - A subject descriptor is defined for each subject (using an identifying attribute as a subject qualifier)
  - An object descriptor is defined for each object (again, using an identifying attribute)
  - Authorizations are defined between those descriptors

ABAC and Mandatory Access Control

- Subjects are expected to have a clearance attribute, objects a classification attribute
- The Bell and LaPadula properties are defined as ABAC conditions

ABAC and Role-based Access Control

- A subject attribute "role" is used, pointing to a predefined set of role names (see the examples above, e.g. job applicant)
- In addition, a subject descriptor is defined for each role
- On the object side, an object descriptor is defined for each individual object (using an identifying attribute)
- Sessions are supported by the extended ABAC model

ABAC and AAIs

- Upcoming distributed Authentication and Authorization Infrastructures (AAI) also use attributes for authorization and access control purposes
- The attribute assignment (attribute authority) can be decoupled from the authorization authority

ABAC and AAIs (2)

- Shibboleth (http://shibboleth.internet2.edu) is used for interoperation between universities
  - Attributes are provided by the student's home university; access may be granted anonymously also by other service providers
  - Shibboleth transports subject attributes using SAML; however, the access control policies and their evaluation are out of the scope of the system
- PERMIS (http://www.permis.org) uses X.509 subject attributes for a role-based authorization system

Discussion

- ABAC is an expressive, flexible access control model that can also be used to express policies from classic models
- Problems:
  - The operators used for checking the attribute values are only vaguely defined (UCON_ABC) or very complex (XACML)
  - Should they be part of the access control model at all?

Discussion (2)

- Current research:
  - Simple RBAC-like policies (only role and type attributes with a "=" operator)
  - External rules to map actual user and object attributes to these policy attributes (e.g., using Semantic Web technologies)
  - Authorization is handled by the access control model; resolving the subject and object descriptors is rather done by an attribute management environment

3a. DAC and SQL security

- Today's SQL database management systems (DBMS) provide two basic concepts for implementing access control
  - Database views as "virtual" relations
  - Granting and revoking of access privileges, based on the discretionary access control model (allowing the use of views as security objects)

Scenario database

Scenario database (2)

Database views

- Horizontal view:
  (1) CREATE VIEW earning_little AS
      SELECT * FROM Employee WHERE Salary < 5000
- Vertical view:
  (2) CREATE VIEW emp AS
      SELECT SSN, Name, Department FROM Employee

Database views (2)

- Mixed views:
  (3) CREATE VIEW emp_research AS
      SELECT SSN, Name, Department FROM Employee
      WHERE Department = 'Research'
  (4) CREATE VIEW dep_involved AS
      SELECT Project.Title, Subject, Department
      FROM Project, Assignment, Employee
      WHERE Employee.SSN = Assignment.SSN
        AND Assignment.Title = Project.Title

Database views (3)

  (5) CREATE VIEW dep_avg_salary AS
      SELECT Department, AVG(Salary) AS Avg_Salary
      FROM Employee GROUP BY Department
  (6) CREATE VIEW my_employees AS
      SELECT Employee.SSN, Name, Department, Salary
      FROM Project, Assignment, Employee
      WHERE Employee.SSN = Assignment.SSN
        AND Assignment.Title = Project.Title
        AND Manager = USER

Discussion of views

- Advantages:
  - Query simplicity: Multiple-table queries may be expressed against a single view
  - Structural simplicity: Views can give a user a "personalized" interpretation of the database
- Views are flexible...
  - Value-independent controls: (2)
  - Value-dependent controls: (1), (3), (4)
  - Statistical controls: (5)
  - Context-dependent controls: (6)

Discussion of views (2)

- Problems:
  - Performance: Queries against the view must be translated into queries against the base tables
  - Update restrictions: Many views are read-only, or it is not required that a new or updated tuple must satisfy the predicate in the view definition
  - Insertion through a view may lead to many null values in the base relations
  - Within one view it is not possible to distinguish between read and write access => 2 views

Granting access privileges

Revoking access privileges

Problems with revoking privileges

Problems with revoking privileges (2)

Cascading revoke

Cascading revoke (2)

- The SQL92 standard introduces a so-called privilege dependency graph and the notion of "abandoned privileges" to handle revokes
- In a cascading revoke, privileges that are abandoned due to the revoke should be revoked as well

Example

- Privilege list of the above example
  - a0 (_SYSTEM, Ann, T, SELECT, 0)
  - a1 (Ann, Bob, T, SELECT, 10)
  - a2 (Ann, Chris, T, SELECT, 20)
  - a3 (Bob, David, T, SELECT, 30)
  - a4 (David, Ellen, T, SELECT, 40)
  - a5 (Chris, David, T, SELECT, 50)
  - a6 (David, Frank, T, SELECT, 60)
  - a7 (Ellen, Jim, T, SELECT, 70)

Example (2)

- Resulting privilege dependency graph (figure)

Example (3)

- Revoking a3 creates two abandoned privileges (a4 and a7)

Other approaches

- Besides the cascading revoke, the SQL92 standard defines a restricted revoke (i.e. the revoke fails if abandoned privileges would be created)
- Further extensions are proposed in the literature:
  - Non-cascading revoke (reconnect abandoned privileges to the privilege dependency graph)
  - Negative authorizations (explicit denials)

Non-cascading revoke
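Added example (not from the slides): the privilege dependency graph over the a0..a7 list above, abandoned privileges computed as the grants no longer reachable from the system grant, and both the cascading and the restricted revoke of the SQL92 standard. It assumes, as the slide example implies, that every grant carries the grant option and that a grant can only rest on grants with an earlier timestamp.

```python
from dataclasses import dataclass
from typing import List, Set

SYSTEM = "_SYSTEM"


@dataclass(frozen=True)
class Grant:
    name: str
    grantor: str
    grantee: str
    table: str
    privilege: str
    ts: int  # grant time; a grant can only rest on grants made earlier


# Privilege list from the slides.
PRIVILEGES = [
    Grant("a0", SYSTEM, "Ann", "T", "SELECT", 0),
    Grant("a1", "Ann", "Bob", "T", "SELECT", 10),
    Grant("a2", "Ann", "Chris", "T", "SELECT", 20),
    Grant("a3", "Bob", "David", "T", "SELECT", 30),
    Grant("a4", "David", "Ellen", "T", "SELECT", 40),
    Grant("a5", "Chris", "David", "T", "SELECT", 50),
    Grant("a6", "David", "Frank", "T", "SELECT", 60),
    Grant("a7", "Ellen", "Jim", "T", "SELECT", 70),
]


def supporters(g: Grant, grants: List[Grant]) -> List[Grant]:
    """Arcs of the privilege dependency graph: grants that gave g's grantor the
    same privilege (with grant option, assumed throughout) before g was made."""
    return [h for h in grants if h.grantee == g.grantor and h.table == g.table
            and h.privilege == g.privilege and h.ts < g.ts]


def abandoned(grants: List[Grant]) -> Set[str]:
    """Names of grants no longer reachable from a system grant (least fixpoint)."""
    alive: Set[str] = {g.name for g in grants if g.grantor == SYSTEM}
    changed = True
    while changed:
        changed = False
        for g in grants:
            if g.name not in alive and any(h.name in alive for h in supporters(g, grants)):
                alive.add(g.name)
                changed = True
    return {g.name for g in grants} - alive


def would_abandon(grants: List[Grant], name: str) -> Set[str]:
    """Privileges that become abandoned if `name` is revoked."""
    return abandoned([g for g in grants if g.name != name])


def cascading_revoke(grants: List[Grant], name: str) -> List[str]:
    """REVOKE ... CASCADE: drop `name` and everything it abandons; returns the dropped names."""
    dropped = would_abandon(grants, name) | {name}
    grants[:] = [g for g in grants if g.name not in dropped]
    return sorted(dropped)


def restricted_revoke(grants: List[Grant], name: str) -> List[str]:
    """REVOKE ... RESTRICT: refuse if the revoke would leave abandoned privileges."""
    dropped = would_abandon(grants, name)
    if dropped:
        raise ValueError(f"revoking {name} would abandon {sorted(dropped)}")
    grants[:] = [g for g in grants if g.name != name]
    return [name]
```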

3b. MAC and Multilevel-secure databases

- Support mandatory access controls (MAC)
- Require labeled data (security objects) and user processes (security subjects)
  - A label for an object is called its classification, while the label for a subject is its clearance
- Access is granted based on a comparison of the associated labels and the following two rules (Bell and LaPadula paradigm):
  - Successful read: clear(u) ≥ class(d)
  - Successful write: clear(u) ≤ class(d)

Example

(Figure: labeled relation Project; labels TS, UC)