260 likes | 336 Views
8.2 Discretionary Access Control Models. Weiling Li. Outline. I. Introduction Access Control Matrix (ACM) Implementations of ACM Comparison of Access Control List ( ACL ) & Capability List ( CL ) II. Research A Privacy-Enhanced Access Control Model III. Future expectations.
E N D
8.2 Discretionary Access Control Models Weiling Li
Outline I. Introduction • Access Control Matrix (ACM) • Implementations of ACM • Comparison of Access Control List (ACL) & Capability List (CL) II. Research • A Privacy-Enhanced Access Control Model III. Future expectations
8.2.1 Access Control Matrix • a fundamental and widely used Disc Access control Model for enforcing security policies. • An access control is a function that given a subject and object pair(s,o) and a requested operation r , from s to o , returns a true value if the request is permitted and a false value otherwise. R = P(s,o).—matrix form P – access matrix R – set of allowable operations.( ‘r’ is a particular operation belonging to set ‘R’ ). s – subject o – object
Access Control Matrix • In a resource ACM, subjects are users and objects are the files to be accessed. • Access Rights may include “read”, “write”, “execute” and “append”. • Special privileges may be the “owner” and copy privilege.[1]
Access Control Matrix • In process ACM the subjects and objects are both processes. • Operations are basically related to communication and synchronization.[1]
Access Control Matrix • In Domain ACM, domain is defined as a set of objects with same access rights.[1]
Reducing the Size of ACM • Subject rows in the ACM that have identical entries i.e subjects that have similar access rights on common objects , could be merged into groups. • If a user belongs to more than one group, its access rights is the union of all access rights of all the groups it belongs to. • Similarly Object columns with same entries could be merged into ‘categories’
Local Subjects & Objects Local Subjects & Objects Distributed Compartment Compartment Access using Distributed Handles Collaborating Subjects & Objects across nodes boundaries with application oriented ACM Distributed Compartments • A distributed compartment is a logical group composed of objects from physically distributed nodes.
Advantages of Distributed Compartment Model • The grouping of subjects and objects is logical and application specific. • The accesses are more transparent since they do not depend on the operating systems and administrative units. • Since the application manages the distributed handles, it allows different security policies to be implemented
8.2.2 Implementations OF ACM • For efficiency and organizational purposes , access control matrices need to be partitioned and implemented independently. • The Linked list structure that contains all entries in a column for a particular object is called a Access control List (ACL) for the object. • Likewise all entries in a row for a subject is called a Capability List (CL) for the subject.
ACL & CL • ACL: a subject client (s) presents and access request (s, r) to an object server. the object server validates the request against its ACL. • CL: the object server compares the access request (o, r) against the CL in the subject.
Lock –Key implementation • provides capability with some safety. • combination of CL and ACL.
8.2.3 Comparison of ACL & CL • Comparisons in terms of managing functions • Authentication • Reviewing of Access Rights • Propagation of Access Rights • Revocation of Access Rights • Conversion between ACL and CL
Authentication • ACL Authenticates subjects, which is performed by the system • While in CL, authentication is performed on capabilities of objects , by the object server. • Objects have knowledge of the capabilities ,but do not know the users or processors. This is one of the reasons why many Distributed implementations favor the CL approach
Review Of Access Rights • To know which subjects are authorized to use a certain objects. • Easier to review ACL, because ACL contains exactly this information. • It is difficult to review for a CL unless some type of activity log is kept for all subjects that are given the capability
Propagation Of Access Rights • Propagation is Duplication of some or all the privileges from one subject to the others. It is not transfer of rights, it is only duplication. • In ACL, propagation of rights is explicitly initiated by a request to the object server, which modifies or adds an entry to its ACL. Propagation of rights must adhere to the principle of least principles. • In CL, theoretically it is propagate rights between subjects without intervention of object server.This could result in an uncontrollable system and hence is avoided.
Revocation Of Access Rights • Revocation is trivial in ACL because it is easy to delete subject entries from the ACL. • It is difficult for CL to revoke access selectively.
Conversion Between ACL & CL • Interactions among processes involving different Access control models would require gateways for conversions. • Conversion to ACL is straightforward. • Gateway Authenticates the process identifier and then verifies the operation in the capability list. • The request is then converted to ACL and is presented to the remote host • Converting a ACL request to CL is slightly more complex • Gateway validates the ACL request and obtains the resource capability from the database server • Capability is then presented to capability based object server.
II. Research • a three-dimensional access control model enhanced with privacy compared with the traditional two-dimensional AC model [5]
privacy-enhanced access control model • A. Basic Model Elements • Definition 1. The set of entities that can be accessed and consequently need to be protected in a system are called objects O. The set of entities that can issue requests to access objects are called subjects S. Subjects are active entities while objects are passive ones. Access rights are the different ways in which a subject is permitted to execute on an object in any access. • Definition 2. Privacy-concerning subjects S’ is a subset of the subjects S whose privacy needs to be protected when any of the objects O is accessed. Privacy-concerning subjects with respect to an object is a subset of the privacy-concerning subjects S’ whose privacy could be violated when any access to the object is executed.
privacy-enhanced access control model • B. Privacy Access Rights • Definition 3. Privacy access rights are a set of two-tuples: {<right, condition>} in which “right” represents a specific type of access that a subject can execute on an object (e.g.,read, write, execute) and “condition” is a Boolean expression stating the condition under which the preceding access right can be authorized. When the Boolean expression is true, the preceding access right can be authorized by the system.
privacy-enhanced access control model • Definition 4. A three-dimensional access control matrix is an enhancement of the traditional two-dimensional access control matrix with the third dimension representing the set of privacy-concerning subjects S’. Any privacy access right <right, condition> in an entry [s, o, s’] in the matrix indicates the access right that subject s has on object o subject to privacy control by privacy-concerning subject s’. In the matrix, the absence of a particular access right in an entry [s,o, s’] would indicate that subject s’ is not a privacy-concerning subject with respect to object o for this particular access right while the presence of <right, “no”> in only one of the entries [s, o, S’] would indicate that the access right is not permitted at all.
Three dimensional access control model Figure 1 illustrates the three-dimensional access control matrix with the subjects S, the objects O and the privacy-concerning subjects S’ representing one dimension of the matrix, respectively. Each entry in the matrix could be empty or could include one or more privacy access rights that the corresponding subject s has on the corresponding object o subject to privacy control by the corresponding privacy-concerning subject s’. Each privacy access right is expressed in the form <right, condition> indicating a particular access right along with a condition that determines whether the access right can be authorized. Figure 1. Three-dimensional access control model
III. Future Expectations • Tool support for analysis of access control and information flow is critical. • Integrating different models of access control requires work, especially regarding efficient implementations. • the development of global rules to resolve any possible inconsistencies among the conditions in the privacy access rights during the process of making access decisions.
References • [1] Randy Chow & Theodore Johnson, 1997,“Distributed Operating Systems & Algorithms”, (Addison-Wesley), p. 271 to 278. • [2] http://en.wikipedia.org/wiki/Access_control • [3] Ninghui Li and Mahesh V. Tripunitara, IEEE Symposium on Security and Privacy, May 2005. "Safety in Discretionary Access Control". • [4] K. Gopinath, Communication System Software and Middleware, 2006, "Access Control in Communication Systems" • [5] Fei Xu; Jingsha He; Xu Wu; Jing Xu; Networks Security, Wireless Communications and Trusted Computing, 2009. "A Privacy-Enhanced Access Control Model". NSWCTC '09. International Conference onVolume 2, 25-26 April 2009 Page(s):703 - 706.