Are You Allowed to Do That?
- Access control matrix has all relevant info
- Could be hundreds of users, tens of thousands of resources
- Then matrix has millions of entries
- How to manage such a large matrix?
- Note: We need to check this matrix before access to any resource by any user
- How to make this more efficient/practical?
Access Control Lists (ACLs)
- ACL: store access control matrix by column
- Example: ACL for insurance data is in blue on the slide (the Insurance data column of the matrix below)

                     | OS  | Accounting program | Accounting data | Insurance data | Payroll data
Bob                  | rx  | rx                 | r               | ---            | ---
Alice                | rx  | rx                 | r               | rw             | rw
Sam                  | rwx | rwx                | r               | rw             | rw
Accounting program   | rx  | rx                 | rw              | rw             | rw
Capabilities (or C-Lists)
- Store access control matrix by row
- Example: Capability for Alice is in red on the slide (the Alice row of the matrix below)

                     | OS  | Accounting program | Accounting data | Insurance data | Payroll data
Bob                  | rx  | rx                 | r               | ---            | ---
Alice                | rx  | rx                 | r               | rw             | rw
Sam                  | rwx | rwx                | r               | rw             | rw
Accounting program   | rx  | rx                 | rw              | rw             | rw
ACLs vs Capabilities
Access Control List (one list per file):
  file1: Alice r,  Bob ---, Fred r
  file2: Alice w,  Bob r,   Fred ---
  file3: Alice rw, Bob r,   Fred r
Capability (one list per user):
  Alice: file1 r,   file2 w,   file3 rw
  Bob:   file1 ---, file2 r,   file3 r
  Fred:  file1 r,   file2 ---, file3 r
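As an added example (not part of the slides), the matrix from the ACLs-vs-Capabilities table stored both by column and by row, with the two kinds of lookup and the administrative operations the slides compare (changing the rights to one resource, deleting a user). The subjects, files and rights are the ones in the table; the function names are my own.

```python
# Added example (not from the slides): one access control matrix stored by
# column (ACLs) and by row (capabilities). The subjects, files and rights are
# the ones in the ACLs-vs-Capabilities table; the function names are my own.

# The access control matrix itself: rows are subjects, columns are objects.
# "" means no rights (the slides print this as ---).
MATRIX = {
    "Alice": {"file1": "r",  "file2": "w",  "file3": "rw"},
    "Bob":   {"file1": "",   "file2": "r",  "file3": "r"},
    "Fred":  {"file1": "r",  "file2": "",   "file3": "r"},
}

def acls(matrix):
    """Store the matrix by column: one list per object of (subject -> rights)."""
    objects = sorted({obj for row in matrix.values() for obj in row})
    return {obj: {s: row[obj] for s, row in matrix.items() if row.get(obj)}
            for obj in objects}

def capabilities(matrix):
    """Store the matrix by row: one list per subject of (object -> rights)."""
    return {s: {obj: r for obj, r in row.items() if r} for s, row in matrix.items()}

def allowed_by_acl(acl_table, subject, obj, right):
    """ACL check: find the object's list, then look the subject up in it."""
    return right in acl_table.get(obj, {}).get(subject, "")

def allowed_by_capability(cap_table, subject, obj, right):
    """Capability check: find the subject's C-list, then look the object up in it."""
    return right in cap_table.get(subject, {}).get(obj, "")

def revoke_all_on_object(acl_table, obj):
    """Changing the rights to one resource touches exactly one ACL (data-oriented)."""
    acl_table[obj] = {}
    return acl_table

def delete_subject_from_acls(acl_table, subject):
    """With ACLs, deleting a user means visiting every object's list.
    Returns how many lists had to be edited."""
    touched = 0
    for entries in acl_table.values():
        if entries.pop(subject, None) is not None:
            touched += 1
    return touched

def delete_subject_from_caps(cap_table, subject):
    """With capabilities, deleting a user is one C-list removal."""
    return cap_table.pop(subject, None) is not None

def check_by_both(subject, obj, right):
    """The two representations must always agree: they are the same matrix."""
    a = allowed_by_acl(acls(MATRIX), subject, obj, right)
    c = allowed_by_capability(capabilities(MATRIX), subject, obj, right)
    assert a == c, "ACL and capability views disagree"
    return a
```

The two check functions answer the same question, but the cost of administrative changes differs: revoking everything on one file is one ACL write, while removing a user means scanning every ACL, and the reverse holds for C-lists.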
Confused Deputy
- Two resources
- Compiler and BILL file (billing info)
- Compiler can write file BILL
- Alice can invoke compiler with a debug filename
- Alice not allowed to write to BILL
[Figure: access rights of Alice and the Compiler to the Compiler and to BILL]
ACLs and Confused Deputy
- Compiler is deputy acting on behalf of Alice
- Compiler is confused
- Alice is not allowed to write BILL
- Compiler has confused its rights with Alice’s
[Figure: Alice invokes the Compiler with debug filename BILL; the Compiler writes BILL]
Confused Deputy
- Compiler acting for Alice is confused
- There has been a separation of authority from the purpose for which it is used
- With ACLs, more difficult to prevent this
- With Capabilities, easier to prevent problem
- Must maintain association between authority and intended purpose
- Capabilities easy to delegate authority
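As an added example (not part of the slides), the confused deputy modelled in an ACL system and in a capability system. Alice, the compiler and the BILL file are from the slides; the ACL contents, the source file prog.c, the debug.txt file and the Capability class are assumptions made for this example.

```python
# Added example (not from the slides): the confused deputy modelled in an ACL
# system and in a capability system. Alice, the compiler and the BILL file are
# from the slides; the ACL contents, the files prog.c and debug.txt and the
# Capability class are assumptions made for this example.

class AccessDenied(Exception):
    pass

# A tiny in-memory filesystem shared by both models (constructed sample data).
files = {"BILL": "real billing data", "prog.c": "int main(){}"}

# --- ACL model: authority is found by looking the *requesting principal* up
# in the file's ACL. Only the compiler may write BILL; Alice may not.
ACL = {
    "BILL":   {"compiler": "w"},
    "prog.c": {"alice": "rw", "compiler": "r"},
}

def acl_write(principal, name, data):
    if "w" not in ACL.get(name, {}).get(principal, ""):
        raise AccessDenied(f"{principal} may not write {name}")
    files[name] = data

def compile_with_acl(caller, source, debug_name):
    """The deputy writes the debug file under ITS OWN identity. The filename
    came from the caller, but the authority used did not: that is the confusion."""
    acl_write("compiler", debug_name, f"debug output for {source}")

def compile_with_acl_checked(caller, source, debug_name):
    """An ACL-side repair: the deputy also verifies the caller's own right.
    It works, but every deputy must remember to do it for every file it
    touches on a caller's behalf, which is why the slides call this harder."""
    if "w" not in ACL.get(debug_name, {}).get(caller, ""):
        raise AccessDenied(f"{caller} may not write {debug_name}")
    acl_write("compiler", debug_name, f"debug output for {source}")

# --- Capability model: the caller hands the deputy a token that names the
# object AND carries the rights, so authority travels with its purpose.
class Capability:
    def __init__(self, name, rights):
        self.name, self.rights = name, rights
    def write(self, data):
        if "w" not in self.rights:
            raise AccessDenied(f"no write right for {self.name}")
        files[self.name] = data

def compile_with_capability(source_cap, debug_cap):
    """The deputy can only write where the caller's capability lets it."""
    debug_cap.write(f"debug output for {source_cap.name}")

def run_acl_scenario():
    """Alice names BILL as the debug file; the confused compiler clobbers it.
    Returns (BILL contents after the unchecked deputy, checked deputy refused?)."""
    files["BILL"] = "real billing data"
    compile_with_acl("alice", "prog.c", "BILL")
    clobbered = files["BILL"]
    files["BILL"] = "real billing data"
    try:
        compile_with_acl_checked("alice", "prog.c", "BILL")
        refused = False
    except AccessDenied:
        refused = True
    return clobbered, refused

def run_capability_scenario():
    """Alice's C-list (assumed here; in a real system issued by the kernel and
    unforgeable) holds prog.c and debug.txt but nothing for BILL, so she cannot
    even name BILL to the compiler. Returns (BILL contents, has BILL cap?, debug)."""
    files["BILL"] = "real billing data"
    alice_clist = {
        "prog.c":    Capability("prog.c", "rw"),
        "debug.txt": Capability("debug.txt", "w"),
    }
    compile_with_capability(alice_clist["prog.c"], alice_clist["debug.txt"])
    return files["BILL"], "BILL" in alice_clist, files["debug.txt"]
```

In the capability version the debug file is designated by the same token that authorises writing it, so the compiler has nothing to confuse; the ACL version can be repaired, but only by adding an extra check to each deputy.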
ACLs vs Capabilities
- ACLs
- Good when users manage their own files
- Protection is data-oriented
- Easy to change rights to a resource
- Capabilities
- Easy to delegate; avoids the confused deputy
- Easy to add/delete users
- More difficult to implement
- The “Zen of information security”
- Capabilities loved by academics
- Capability Myths Demolished
Multilevel Security (MLS) Models
Classifications and Clearances
- Classifications apply to objects
- Clearances apply to subjects
- US Department of Defense (DoD) uses 4 levels:
  TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED
- To obtain a SECRET clearance requires a routine background check
- A TOP SECRET clearance requires extensive background check
- Practical classification problems
- Proper classification not always clear
- Level of granularity to apply classifications
- Aggregation is the flip side of granularity
Subjects and Objects
- Let O be an object, S a subject
- O has a classification
- S has a clearance
- Security level denoted L(O) and L(S)
- For DoD levels, we have
  TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED
Multilevel Security (MLS)
- MLS needed when subjects/objects at different levels access same system
- MLS is a form of Access Control
- Military and government interest in MLS for many decades
- Lots of research into MLS
- Strengths and weaknesses of MLS well understood (almost entirely theoretical)
- Many possible uses of MLS outside military
MLS Applications
- Classified government/military systems
- Business example: info restricted to
- Senior management only, all management, everyone in company, or general public
- Network firewall
- Confidential medical info, databases, etc.
- Usually, MLS not really a technical system
- More like part of a legal structure
MLS Security Models
- MLS models explain what needs to be done
- Models do not tell you how to implement
- Models are descriptive, not prescriptive
- That is, high-level description, not an algorithm
- There are many MLS models
- We’ll discuss simplest MLS model
- Other models are more realistic
- Other models also more complex, more difficult to enforce, harder to verify, etc.
Bell-LaPadula
- BLP security model designed to express essential requirements for MLS
- BLP deals with confidentiality
- To prevent unauthorized reading
- Recall that O is an object, S a subject
- Object O has a classification
- Subject S has a clearance
- Security level denoted L(O) and L(S)
Bell-LaPadula
- BLP consists of
- Simple Security Condition: S can read O if and only if L(O) ≤ L(S)
- *-Property (Star Property): S can write O if and only if L(S) ≤ L(O)
- No read up, no write down
McLean’s Criticisms of BLP
- McLean: BLP is “so trivial that it is hard to imagine a realistic security model for which it does not hold”
- McLean’s “system Z” allowed administrator to reclassify object, then “write down”
- Is this fair?
- Violates spirit of BLP, but not expressly forbidden in statement of BLP
- Raises fundamental questions about the nature of (and limits of) modeling
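As an added example (not part of the slides), the two BLP conditions over the DoD level ordering, plus a small system in which every read and write obeys BLP yet an administrator's reclassify operation lets information move down, as the slides describe for McLean's system Z. The levels and the two conditions come from the slides; the SystemZ class, its operations and the object name memo are assumptions of this example.

```python
# Added example (not from the slides): Bell-LaPadula checks over the DoD levels
# and a system-Z style sequence of individually legal steps. The SystemZ class
# and the object "memo" are assumptions; the conditions follow the slides.

LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def dominates(a, b):
    """a >= b in the ordering TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED."""
    return RANK[a] >= RANK[b]

def can_read(clearance, classification):
    """Simple security condition: S may read O iff L(O) <= L(S) (no read up)."""
    return dominates(clearance, classification)

def can_write(clearance, classification):
    """*-property: S may write O iff L(S) <= L(O) (no write down)."""
    return dominates(classification, clearance)

def decide(clearance, requests):
    """Apply BLP to a list of (op, classification) requests; returns decisions."""
    return [
        (op, level, can_read(clearance, level) if op == "read" else can_write(clearance, level))
        for op, level in requests
    ]

class SystemZ:
    """Every read and write is checked against BLP, but an administrator may
    reclassify an object. That operation is outside the two conditions, so a
    'write down' can be assembled from steps that each satisfy BLP."""
    def __init__(self):
        self.objects = {}  # name -> (level, contents)

    def create(self, name, level, contents=""):
        self.objects[name] = (level, contents)

    def reclassify(self, name, new_level):
        _, contents = self.objects[name]
        self.objects[name] = (new_level, contents)

    def write(self, subject_level, name, data):
        level, _ = self.objects[name]
        if not can_write(subject_level, level):
            return False
        self.objects[name] = (level, data)
        return True

    def read(self, subject_level, name):
        level, contents = self.objects[name]
        return contents if can_read(subject_level, level) else None

def system_z_sequence():
    """Returns (direct write-down refused?, write after reclassify allowed?,
    what an UNCLASSIFIED subject reads afterwards)."""
    z = SystemZ()
    z.create("memo", "UNCLASSIFIED")
    direct = z.write("TOP SECRET", "memo", "ts data")      # refused: write down
    z.reclassify("memo", "TOP SECRET")                     # administrator action
    legal = z.write("TOP SECRET", "memo", "ts data")       # now L(S) <= L(O)
    z.reclassify("memo", "UNCLASSIFIED")                   # administrator action
    leaked = z.read("UNCLASSIFIED", "memo")                # L(O) <= L(S): allowed
    return direct, legal, leaked
```

Each call to write and read in system_z_sequence satisfies BLP, which is exactly McLean's point: the model constrains the two operations it names and is silent about reclassification.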