
Access Control

Security Models
System Architecture Security
Access Control
• Access Control: the process of restricting access to resources
according to a security policy
– A security policy regulates who can do what
– Access control implements a security policy
• Authorization: the action of granting access
• Access Control usually starts from Authentication (i.e., verifying the
identity of a user)

2
Examples of Access Control
• The Moodle system
• Operating Systems
• Database systems
• Governments
• Intelligence Departments

3
Question
• Consider “Entering UIT university building” as an example, point out
“Policy”, “Access Control”, “Authentication”, “Authorization”?
• Policy: only UIT students, faculty and employees or verified visitors
are allowed to enter the building.
• Access Control: the process of restricting people who can enter the
building.
• Authentication: verifying the identity of a person.
• Authorization: allowing a person to enter the building.

4
Access Control
• who can access what in which ways
– the “who” are called subjects (e.g. users, processes etc.)
– the “what” are called objects (e.g. individual files, sockets, processes etc.);
the set of objects includes all subjects
– the “ways” are called permissions (e.g. read, write, execute etc.) and are usually
specific to each kind of object. They include the meta-permissions that allow
modification of the protection state – e.g. own

5
Concepts
• Subjects: entities to access resources
– Users, processes, threads
• Objects: resources whose access is controlled
– Files, relations, memory
• Access Rights: actions that are taken
– Read, Write, Execute, Delete, Create, Search

6
Access Control

7
Goals of Access Control
• Confidentiality (Secrecy)
• Integrity

8
Question
• To achieve confidentiality, is it sufficient to correctly restrict the
read operation only?
• It is insufficient. A malicious or buggy subject (e.g., a process) may
read information from a sensitive file and then write it to a file
accessible by the public.
• Sensitive Object -> Subject -> Non-sensitive object -> Public
• Therefore, access control has to regulate not only read but also
write.

9
Access (Control) Matrix
• An Access Matrix describes the rights of each subject with regard to
each object in an Access Control system at some point of time.
• But it does NOT model the rules by which rights are changed; thus, it
is not equivalent to the access control policy.

10
Access Matrix

11
Three Ways to Express the Access Matrix
• One Access Tuple per cell:
– <subject, object, rights>
– E.g., <Bob, File2, read/write>
• One Access Control List per object (column)
• One Capability List per subject (row)

12
Access Control Lists
• An ACL is a list of subjects and their
rights to an object
• One ACL per object
• It is difficult to find out all files
accessible by a given user
• Widely used in
Unix/Linux/Windows

13
Access Control Lists in Unix

14
Capability Lists
• A Capability List is the
list of objects accessible
by a subject and the
corresponding rights

15
Types of Access Control Policies
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
•…

16
Discretionary Access Control (DAC)
• DAC means subjects themselves can grant rights to other subjects
– E.g., in Unix/Linux, the owner of a file can set up and change
the ACL of the file
• Convenient but cannot achieve the goals of confidentiality and
integrity
– Subjects make decisions about access permissions; the
decisions may be bad decisions

17
Discretionary Access Control
• Restricts access to objects based solely on the identity of users who
are trying to access them.

[Figure: individuals (Tom, John, Cindy) requesting access to resources (Application, Server 1, Server 2, Server 3) through an Access List]
Access List
Name   Access
Tom    Yes
John   No
Cindy  Yes

18
Question
• There are two ACLs defined in a DAC system:
• File 1: <Alice: write, Bob: read>
• File 2: <Bob: write, Charlie: read>
The confidentiality goal is that: “Alice does not leak info to Charlie”. Can
this goal be achieved here?
• No. Alice -> File1 -> Bob -> File2 -> Charlie
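The three views of the access matrix and the DAC leak in this question, as an added example that is not part of the slides: a constructed matrix holding the two ACLs from the question (plus a private file for Bob, added here), the column view (ACLs) and row view (capability lists) derived from it, and a breadth-first search over read/write edges that finds the chain from Alice to Charlie. File3 and the graph construction are this example's own assumptions.

```python
# Added example (not from the slides): one access matrix, viewed three ways,
# plus a transitive information-flow check for the DAC question above.
from collections import defaultdict, deque

# Constructed access matrix: {(subject, object): set of rights}.
# Rows are subjects, columns are objects; a missing cell means no rights.
# File1 and File2 carry the ACLs from the question; File3 is a constructed
# private file of Bob's.
ACCESS_MATRIX = {
    ("Alice", "File1"): {"write"},
    ("Bob", "File1"): {"read"},
    ("Bob", "File2"): {"write"},
    ("Charlie", "File2"): {"read"},
    ("Bob", "File3"): {"read", "write"},
}


def access_tuples(matrix):
    """View 1: one <subject, object, rights> tuple per non-empty cell."""
    return sorted((s, o, frozenset(r)) for (s, o), r in matrix.items())


def acls(matrix):
    """View 2 (columns): one ACL per object, listing subjects and their rights."""
    view = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        view[obj][subject] = set(rights)
    return dict(view)


def capability_lists(matrix):
    """View 3 (rows): one capability list per subject, listing objects and rights."""
    view = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        view[subject][obj] = set(rights)
    return dict(view)


def objects_accessible_by(matrix, subject):
    """The question ACLs answer badly ("all files accessible by a given user"):
    with ACLs alone every object's list must be scanned; the capability view
    answers it with one lookup."""
    return sorted(capability_lists(matrix).get(subject, {}))


def leak_path(matrix, source, sink):
    """Shortest read/write chain along which information can flow from `source`
    to `sink`, or None if the matrix permits no such flow. A subject with write
    on an object can copy what it knows into it; a subject with read on that
    object can learn it and carry it onward. The policy "Alice does not leak
    info to Charlie" holds only if no such chain exists."""
    edges = defaultdict(set)
    for (subject, obj), rights in matrix.items():
        if "write" in rights:
            edges[subject].add(obj)   # subject can put information into obj
        if "read" in rights:
            edges[obj].add(subject)   # subject can take information out of obj
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == sink:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(edges[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("ACL of File1:", acls(ACCESS_MATRIX)["File1"])
    print("Capabilities of Bob:", capability_lists(ACCESS_MATRIX)["Bob"])
    print("Leak Alice -> Charlie:", leak_path(ACCESS_MATRIX, "Alice", "Charlie"))
    print("Leak Charlie -> Alice:", leak_path(ACCESS_MATRIX, "Charlie", "Alice"))
```

Because every subject sets its own ACLs under DAC, nothing stops Bob from creating the second hop; the reachability check is the kind of audit an administrator would run, not something DAC itself enforces.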

19
Mandatory Access Control (MAC)
• A mandatory access control (MAC) policy is a means of assigning
access rights based on regulations by a central authority
• The underlying philosophy is that the information in a file belongs to the
organization rather than the file owner. So it should be the
organization that assigns access rights and regulates the information
flow

20
MAC

[Figure: individuals and resources, with each resource carrying a classification label]
Server 1: “Top Secret”
Server 2: “Secret”
Server 3: “Classified”

21
A Simple Example of MAC
• In a military department, there are four levels of clearance
– Unclassified
– Confidential
– Secret
– Top Secret
• Assume you, as an employee, created a file labeled as
<“Secret”, Nuclear>
– You are not allowed to decide who can access the file
– People who have the “Secret” or “Top Secret” clearance and the Nuclear
duty can access the file

22
Mandatory Access Control
• Common in areas with global security requirements
– e.g. national security classifications
• Less useful for general-purpose settings:
– hard to support different kinds of policies
– all policy changes must go through sysadmin
– hard to dynamically delegate only specific rights required at runtime

23
Mandatory vs Discretionary Access Control
• Discretionary Access Control (DAC):
– Users can make access control decisions (delegate their access to other users
etc. )
• Mandatory Access Control (MAC):
– enforcement of administrator-defined policy
– users cannot make access control decisions
– can prevent untrusted applications running with user’s privileges from causing
damage

24
Role Based Access Control (RBAC)
• In the real world, especially in enterprises, the responsibilities of a
person change dynamically
– In a large company, every day many people change their jobs
– Is there a more convenient way to do access control?
• Role Based Access Control assigns access rights to roles rather than to
subjects
• A role is a job function or title and can be translated to rights in a
RBAC system

25
The Principle of Least Privilege
• A user can be assigned with multiple roles
• But when a user logs in, she can only activate one role
• This complies with the Principle of Least Privilege. That is, one is
granted rights just needed to finish the intended task

26
Example
• Employees:
- Alice: Accountant
- Bob: IT guy
- Mary: CEO
- Fred: Web designer
• Resources:
- Financial Database
- External Webserver
- Email Server
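A small RBAC engine for the employees and resources of this example, added here and not part of the slides: users hold several roles, a session activates exactly one of them, and a job change is handled by revoking and granting roles. The role-to-permission mapping (which role may do what on which resource) is constructed for this example; the slides leave it to a figure.

```python
# Added example (not from the slides): RBAC with user-role assignment,
# role-permission assignment and sessions that activate exactly one role.


class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, resource)
        self.user_roles = {}   # user -> set of roles the user may activate
        self.sessions = {}     # user -> the single role active in the session

    def define_role(self, role, permissions):
        """Role-permission assignment: typically static, set by the system owner."""
        self.role_perms[role] = set(permissions)

    def assign_role(self, user, role):
        """User-role assignment: what the operational admin changes when jobs change."""
        if role not in self.role_perms:
            raise KeyError(f"undefined role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)
        if self.sessions.get(user) == role:
            del self.sessions[user]   # an active session loses the revoked role at once

    def login(self, user, role):
        """Activate exactly one of the user's roles for this session."""
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} does not hold role {role}")
        self.sessions[user] = role

    def check(self, user, operation, resource):
        """Authorization is decided by the active role alone, not by every role held
        (least privilege: only the rights needed for the current task)."""
        role = self.sessions.get(user)
        return role is not None and (operation, resource) in self.role_perms[role]


def build_company():
    """Employees and resources from the Example slide. The permissions given
    to each role below are constructed; the slides do not spell them out."""
    rbac = RBAC()
    rbac.define_role("Accountant", {("read", "Financial Database"),
                                    ("write", "Financial Database"),
                                    ("use", "Email Server")})
    rbac.define_role("IT guy", {("admin", "Financial Database"),
                                ("admin", "External Webserver"),
                                ("admin", "Email Server")})
    rbac.define_role("CEO", {("read", "Financial Database"),
                             ("use", "Email Server")})
    rbac.define_role("Web designer", {("write", "External Webserver"),
                                      ("use", "Email Server")})
    for user, role in [("Alice", "Accountant"), ("Bob", "IT guy"),
                       ("Mary", "CEO"), ("Fred", "Web designer")]:
        rbac.assign_role(user, role)
    return rbac


def job_change(rbac, user, old_role, new_role):
    """When an employee changes jobs the admin only touches role assignments;
    no per-resource permission has to be edited."""
    rbac.revoke_role(user, old_role)
    rbac.assign_role(user, new_role)


if __name__ == "__main__":
    rbac = build_company()
    rbac.login("Alice", "Accountant")
    print(rbac.check("Alice", "write", "Financial Database"))   # True
    print(rbac.check("Alice", "write", "External Webserver"))   # False
    job_change(rbac, "Fred", "Web designer", "Accountant")
    rbac.login("Fred", "Accountant")
    print(rbac.check("Fred", "write", "External Webserver"))    # False: old job's rights are gone
```

The `sessions` dictionary is what distinguishes a role from a group: a user can belong to several groups at once, but here only the one activated role contributes rights to an authorization decision.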

27
Role vs. Group
• A role is a job title, while a group is a set of users
• A user can have zero or one active role at any given time, but can
belong to many groups at any time

29
Summary
• Concepts
– Access Control
– Subject, Object
• Goals of Access Control
– Confidentiality
– Integrity
• Access Matrix
– View of Columns: Access Control Lists
– View of Rows: Capability Lists
• Types of Access Control Policies
– DAC
– MAC
– RBAC

30
Question
• In which scenarios should DAC, MAC and RBAC be used, respectively?
• Does RBAC belong to DAC or MAC?

31
DAC and RBAC
• DAC is based on personal permissions, RBAC on "group"-level permissions
• DAC is set by the data owner, RBAC by the system owner/s (usually the developer
defines the access given to each role, and the operational admin puts users into
roles)
• DAC definitions are typically attached to the data/resource, whereas RBAC is
usually defined in two places: in code/configuration/metadata (the roles access),
and on the user object (or table - the roles each user has).
• On the other hand, RBAC roles are centrally administered (who is associated with
which roles), whereas DAC is administered "on the resource" (i.e. you administer
each resource individually).
• The definition of permissions per role is typically static in RBAC, and users are
only granted roles; in DAC the permissions per resource are often changed at
runtime.
• DAC should be seen as enumerating "who has access to my data", and RBAC
defines "what can this user do".
32
DAC, MAC and RBAC
• DAC: if the information you create really belongs to you and security
is not the top priority, DAC is not a bad choice. It is flexible and
convenient. E.g., social networks
• MAC: if the information you create belongs to your employer and it is
highly sensitive, MAC is the choice
• RBAC: it can enforce DAC or MAC. When employees change jobs, the
admin only needs to grant and revoke roles

33
Security Models
• Implementation of Policy Models
– Decoupling Mechanisms and Policies
– Reference Monitor
• Basics of MAC and Information Flow
• Mandatory Access Control Policy Models
– Multi-level Security
• Models for Confidentiality: e.g., Bell-LaPadula Model
• Models for Integrity: e.g., Biba Model
– Multi-lateral Security
• Chinese-wall

34
Security Mechanism and Policy
• A security policy dictates what is, and what is not, allowed
• A security mechanism is a method, tool, or procedure for enforcing a
security policy
• Therefore, the same mechanism can be used to enforce multiple
different policies

35
Decoupling Mechanisms and Policies
• When you implement some techniques or tools as the policy-
enforcing mechanism, keep in mind that the policy may change. So
the mechanism and the policies should not be closely coupled
• The mechanism should leave room for changing policies
• E.g., even if the legislature changes the traffic rules
(policies), the same police force (mechanism) can enforce them

36
Security Policy Models
• A Security Policy Model provides a formal representation of the
access control security policy and of how it works
• The formalization allows the proof of properties on the security
provided by the access control system being designed

37
MAC
• A mandatory access control (MAC) policy is a means of assigning
access rights based on regulations by a central authority
• Goal: To prevent illegitimate information flow
• Idea: Attach a security label to each subject and object; and then
perform authorization based on label comparison

38
Military Security
• Initially (‘70s) most research in information security was applied to
the military domain
• Need to protect information that, if known by an enemy, might
damage national security

39
Security Level
• Each subject and each object is assigned a security level
– E.g., unclassified < confidential < secret < top secret
• A security level
– for a subject is called a clearance
– for an object is called a classification
• The clearance assigned to subjects reflects their trustworthiness, and
the classification assigned to objects reflects their sensitivity

40
“Need to know” and compartments
• Even if one has the “top secret” clearance, it should not mean that she
can access everything
• “Need to know”: the access authorization is limited to information
needed to perform duties
• How to enforce it?
– Compartmentalization
– The fewer people who know about an object, the lower the probability that the information is leaked
• E.g., Manhattan Project

41
Security Class and the Ordering
• A security class = (security_level, compartments)
• E.g., (confidential, {nuclear, missile})
– Security level: confidential
– Compartments: {nuclear, missile}
• Ordering relation: SC1 = (l1, c1), SC2 = (l2, c2)
– SC1 ≤ SC2 if l1 ≤ l2 && c1 ⊆ c2
• Some security classes are incomparable
– (top_secret, {aircraft}) and (secret, {shelters})

42
Multi-level Security
• When access control is enforced according to the security levels (and
compartments) assigned to subjects and objects, it is a Multi-level
Security (MLS) system
• An MLS system is typically a Mandatory Access Control system

43
Information flow policies
• Defined by Denning (’76)
• Concerned with the flow of information from one security class to
another
• Information flow as an ordering relation
• Instead of a list of axioms governing users’ accesses, it simply requires
that information transfers obey the ordering relation

44
Implementations of Access Control Models
• Bell-LaPadula model
• Biba model
• Clark-Wilson model
• Chinese wall model

45
Bell-LaPadula Model
• Was developed in the 1970s to address concerns about the security of
time-sharing mainframe systems and leakage of classified information
• A system that employs the Bell-LaPadula model is called a multilevel
security system.
• The Bell-LaPadula model is a state machine model that enforces the
confidentiality aspects of access control.

46
The Bell-LaPadula model
• A model for Confidentiality (i.e., Secrecy)
• Information cannot flow from a high security class to a low one (or an
incomparable one)
– How to define “high” and “low”?
– Recall SC1 ≤ SC2 if l1 ≤ l2 && c1 ⊆ c2 where SC1 = (l1, c1 ), SC2 = (l2, c2)

47
Bell-LaPadula Model
• The simple security rule: A subject cannot read data within an object
that resides at a higher security level (the “no read up” rule).
• The *-property rule: A subject cannot write to an object at a lower
security level (the “no write down” rule).
• The strong star property rule: A subject that has read and write
capabilities can only perform those functions at the same security
level; nothing higher and nothing lower. So, for a subject to be able to
read and write to an object, the subject’s clearance and the object
classification must be equal.

48
Bell-LaPadula Model

49
Limitations of the BLP Model
• Sometimes “illegal” information flow is desired
– E.g., a teacher (high security class) may create a file called “paper”, which
should be read by students (low security class)
– E.g., a teacher may comment on the answers submitted by a student
– Both are disallowed in the BLP Model
– Therefore in practice a declassifying component is needed
• BLP only provides confidentiality
– In some cases, integrity is the main concern

51
Biba Model
• Biba was developed after the Bell-LaPadula model.
• It is a state machine model similar to the Bell-LaPadula model.
• Biba addresses the integrity of data within applications.

52
Biba Model
This model has 3 main rules:
• *-integrity axiom: A subject cannot write data to an object at a higher
integrity level (referred to as “no write up”).
• Simple integrity axiom: A subject cannot read data from a lower
integrity level (referred to as “no read down”).
• Invocation property: A subject cannot request service (invoke) of
higher integrity.

53
Biba Model
Example:
– Security level: soldier < captain < general
– A captain should not trust an order forged by a soldier
– An order issued by a general cannot be modified by a captain

54
Biba Model vs Bell-LaPadula Model
• BLP Model:
o No read up
o No write down
o Confidentiality
• Biba Model:
o No read down
o No write up
o Integrity
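The security-class ordering from the “Security Class and the Ordering” slide together with the BLP and Biba rules above, written as checks over labels, as an added example that is not part of the slides. Level names are the slides’ own (U < C < S < TS; soldier < captain < general); the document labels used in the demo are constructed, and the treatment of incomparable classes under the invocation property is this example’s interpretation.

```python
# Added example (not from the slides): security classes as (level, compartments)
# with the dominance ordering, and the BLP and Biba rules as functions over them.
from dataclasses import dataclass

# Orderings run from lowest to highest. A label stores its rank so that one
# class type serves both confidentiality levels and integrity levels.
CONFIDENTIALITY_ORDER = ["U", "C", "S", "TS"]        # unclassified < confidential < secret < top secret
INTEGRITY_ORDER = ["soldier", "captain", "general"]  # Biba example from the slides


@dataclass(frozen=True)
class SecurityClass:
    rank: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: level at least as high AND a superset of compartments
        (this is SC2 >= SC1 iff l1 <= l2 and c1 is a subset of c2)."""
        return self.rank >= other.rank and other.compartments <= self.compartments


def sc(level, compartments=(), order=CONFIDENTIALITY_ORDER):
    """Build a class from a level name (looked up in `order`) and compartments."""
    return SecurityClass(order.index(level), frozenset(compartments))


def comparable(a, b):
    """Incomparable classes dominate each other in neither direction."""
    return a.dominates(b) or b.dominates(a)


# ---- Bell-LaPadula (confidentiality): subject has a clearance, object a classification.
def blp_can_read(clearance, classification):
    """Simple security rule: no read up."""
    return clearance.dominates(classification)


def blp_can_write(clearance, classification):
    """*-property: no write down (writing to a dominating object is allowed)."""
    return classification.dominates(clearance)


def blp_strong_star(clearance, classification):
    """Strong *-property: read-and-write only at exactly the subject's own class."""
    return clearance == classification


# ---- Biba (integrity): the rules are the mirror image of BLP.
def biba_can_read(subject_int, object_int):
    """Simple integrity axiom: no read down."""
    return object_int.dominates(subject_int)


def biba_can_write(subject_int, object_int):
    """*-integrity axiom: no write up."""
    return subject_int.dominates(object_int)


def biba_can_invoke(subject_int, target_int):
    """Invocation property: no invoking a subject of higher integrity. Implemented
    as 'allowed only when the caller dominates the target', which also refuses
    incomparable classes (an interpretation; the slides do not say)."""
    return subject_int.dominates(target_int)


def blp_decisions(clearance, classifications):
    """(can read, can write) for each named object classification."""
    return {name: (blp_can_read(clearance, c), blp_can_write(clearance, c))
            for name, c in classifications.items()}


if __name__ == "__main__":
    user = sc("S", {"dog", "cat", "pig"})                      # the user from the closing Question
    docs = {"(TS,{dog})": sc("TS", {"dog"}), "(S,{dog})": sc("S", {"dog"}),
            "(S,{dog,cow})": sc("S", {"dog", "cow"}), "(S,{monkey})": sc("S", {"monkey"}),
            "(C,{dog,pig,cat})": sc("C", {"dog", "pig", "cat"}), "(C,{})": sc("C")}
    for name, (r, w) in blp_decisions(user, docs).items():
        print(f"{name:18} read={r} write={w}")
    captain = sc("captain", order=INTEGRITY_ORDER)
    print(biba_can_read(captain, sc("soldier", order=INTEGRITY_ORDER)))   # False: forged by a soldier
    print(biba_can_write(captain, sc("general", order=INTEGRITY_ORDER)))  # False: general's order
```

Running both families of checks on one object requires two independent labels per object (a classification and an integrity level), which is why the two rule sets are separate functions rather than one.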

55
Multi-Lateral Security
• Instead of enforcing vertical information flow rules, multi-lateral
security prevents information from flowing across departments
• Classic Model: the Chinese Wall Model
• Goal: to prevent conflict of interest
– E.g., in a financial consulting company, an employee who has read the
documents of Bank A (to provide advice) should not access those of Bank B

56
The Chinese Wall Model

57
Multi-Lateral Security
• A Dataset (DS): all objects that belong to the same corporation
• Conflict of Interest (CI) class: All datasets whose corporations are in
competition
• A subject S can read an object O only if
– O is in the same DS as an object accessed by S, or
– O belongs to a CI from which S has not yet accessed any information
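The read rule above as code, added here and not part of the slides: each object belongs to a dataset, each dataset to a conflict-of-interest class, and the wall is built from each subject’s own access history. The corporations, datasets and object names are constructed.

```python
# Added example (not from the slides): Chinese Wall read rule with a
# per-subject history of the datasets already accessed.
from collections import defaultdict

# object -> (dataset it belongs to, conflict-of-interest class of that dataset).
# Constructed: two competing banks and an unrelated oil company.
OBJECTS = {
    "BankA/loan-book": ("Bank A", "banks"),
    "BankA/strategy": ("Bank A", "banks"),
    "BankB/loan-book": ("Bank B", "banks"),
    "OilCo/reserves": ("Oil Co", "oil companies"),
}


class ChineseWall:
    def __init__(self, objects):
        self.objects = objects
        self.ds_class = {ds: ci for ds, ci in objects.values()}  # dataset -> CI class
        self.history = defaultdict(set)                          # subject -> datasets read

    def can_read(self, subject, obj):
        """Allowed iff O's dataset was already accessed by S, or S has accessed
        nothing at all in O's conflict-of-interest class."""
        dataset, ci_class = self.objects[obj]
        accessed = self.history[subject]
        if dataset in accessed:
            return True
        return not any(self.ds_class[ds] == ci_class for ds in accessed)

    def read(self, subject, obj):
        """Attempt a read. A successful read is recorded; that record is what
        raises the wall around the competitors of everything S has touched."""
        if not self.can_read(subject, obj):
            return False
        self.history[subject].add(self.objects[obj][0])
        return True

    def readable_by(self, subject):
        """Everything S may still read, given S's history so far."""
        return sorted(o for o in self.objects if self.can_read(subject, o))


if __name__ == "__main__":
    wall = ChineseWall(OBJECTS)
    print(wall.readable_by("Ann"))            # a fresh subject may read anything
    wall.read("Ann", "BankA/loan-book")
    print(wall.readable_by("Ann"))            # Bank B is now behind the wall for Ann
```

The decision is stateful: the same object is readable for one subject and forbidden for another depending only on what each has read before, which is the property the slide contrasts with the static, vertical rules of BLP and Biba.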

58
Summary
• Bell-LaPadula (BLP) Secrecy Model
– No read up
– No write down
• Biba Integrity Model
– No read down
– No write up
• Chinese Wall Model
– If you have accessed a corporation, you cannot read data from its competitors

60
Clark-Wilson Model
• Users: Active agents
• Transformation procedures (TPs): Programmed abstract operations,
such as read, write, and modify
• Constrained data items (CDIs): Can be manipulated only by TPs
• Unconstrained data items (UDIs): Can be manipulated by users via
primitive read and write operations
• Integrity verification procedures (IVPs): Check the consistency of CDIs
with external reality
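The Clark-Wilson building blocks above as a small enforcement engine, added here and not part of the slides: CDIs can be changed only through certified TPs, each user is authorized for specific TPs, and IVPs compare the CDIs with an external reference before a TP is allowed to commit. The ledger, the external total and the TPs are constructed for this example.

```python
# Added example (not from the slides): Clark-Wilson with CDIs, certified TPs,
# user-TP authorization and IVPs run as part of every well-formed transaction.


class IntegrityViolation(Exception):
    pass


class ClarkWilsonSystem:
    def __init__(self, cdis, external_total):
        self.cdis = dict(cdis)                # constrained data items: only TPs change them
        self.tps = {}                         # certified transformation procedures
        self.authorized = set()               # (user, tp) pairs: who may run which TP
        self.ivps = []                        # integrity verification procedures
        self.external_total = external_total  # the "external reality" the CDIs must match

    def certify_tp(self, name, fn):
        self.tps[name] = fn

    def authorize(self, user, tp_name):
        self.authorized.add((user, tp_name))

    def add_ivp(self, fn):
        self.ivps.append(fn)

    def verify(self, cdis=None):
        """Run every IVP; True iff the CDIs are consistent with external reality."""
        cdis = self.cdis if cdis is None else cdis
        return all(ivp(cdis, self.external_total) for ivp in self.ivps)

    def run(self, user, tp_name, *args):
        """A well-formed transaction: authorization first, then the TP on a working
        copy, and commit only if every IVP still holds afterwards."""
        if (user, tp_name) not in self.authorized:
            raise PermissionError(f"{user} may not run {tp_name}")
        working = dict(self.cdis)
        self.tps[tp_name](working, *args)
        if not self.verify(working):
            raise IntegrityViolation(f"{tp_name} would leave the CDIs inconsistent")
        self.cdis = working
        return dict(self.cdis)


# --- Constructed ledger: balances are the CDIs; their sum must equal the external figure.
def tp_transfer(cdis, src, dst, amount):
    """Certified TP: moves funds, so it preserves the total by construction."""
    if amount <= 0 or cdis[src] < amount:
        raise ValueError("invalid transfer")
    cdis[src] -= amount
    cdis[dst] += amount


def tp_credit(cdis, acct, amount):
    """A faulty TP (constructed): it creates money, so the IVP must reject its result."""
    cdis[acct] += amount


def ivp_balances_sum(cdis, external_total):
    return sum(cdis.values()) == external_total


def build_ledger():
    cw = ClarkWilsonSystem({"alice": 100, "bob": 50}, external_total=150)
    cw.certify_tp("transfer", tp_transfer)
    cw.certify_tp("credit", tp_credit)
    cw.add_ivp(ivp_balances_sum)
    cw.authorize("teller", "transfer")   # separation of duties: tellers only move money;
    cw.authorize("auditor", "credit")    # crediting is reserved for a different role
    return cw


if __name__ == "__main__":
    cw = build_ledger()
    print(cw.run("teller", "transfer", "alice", "bob", 30))   # {'alice': 70, 'bob': 80}
    try:
        cw.run("auditor", "credit", "bob", 10)
    except IntegrityViolation as e:
        print("blocked:", e)
```

The three integrity goals map onto three checks: the `authorized` set keeps unauthorized users away from the TPs, the per-TP authorization implements separation of duties, and running the IVPs before commit keeps the CDIs internally and externally consistent.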

61
Clark-Wilson Model

62
Goals of Integrity Models
The following are the three main goals of integrity models:
• Prevent unauthorized users from making modifications
• Prevent authorized users from making improper modifications
(separation of duties)
• Maintain internal and external consistency (well-formed transaction)

Clark-Wilson addresses each of these goals in its model. Biba only
addresses the first goal.

63
Other Models
• Information flow model: This is a model in which information is
restricted in its flow to only go to and from entities in a way that does
not negate or violate the security policy.
• Noninterference model: This formal multilevel security model states
that commands and activities performed at one security level should
not be seen by, or affect, subjects or objects at a different security
level.
• Brewer and Nash model: This model allows for dynamically changing
access controls that protect against conflicts of interest. Also known
as the Chinese Wall model.

65
Other Models (cont.)
• Graham-Denning model: This model shows how subjects and objects
should be created and deleted. It also addresses how to assign
specific access rights.
• Harrison-Ruzzo-Ullman model: This model shows how a finite set of
procedures can be available to edit the access rights of a subject.

66
Question
• Can a user cleared for (S, {dog, cat, pig}) access documents
classified in the following ways under the BLP model?
– (TS, {dog})
– (S, {dog})
– (S, {dog, cow})
– (S, {monkey})
– (C, {dog, pig, cat})
– (C, { })
• Can BLP and Biba be enforced in the same system?

67
