Comparative Study
Abstract- This paper is devoted to the state of the art on access control models and to a more specific classification of security models into Access Control, Flow Control and Administration. We propose a comparative study of access control models and evaluate their advantages, their limitations and their security policies. We then present models of flow control and, finally, models of administration.

Keywords-security models; access control models; flow control; security; policy; organization;...

I. INTRODUCTION

Research in the field of information security systems and access control was initiated in the early seventies by the United States Department of Defense, following the emergence of new technical, scientific and social challenges.

Thus, for over forty years, several security models have been successfully developed and implemented within companies or computer systems. Among them are DAC [8], MAC [10], I-BAC [18], R-BAC [1,9,15], T-BAC [12], V-BAC [24], T-MAC [14] and Or-BAC [25]. New models generally appear in response to military problems that require a high degree of confidentiality, while civil problems are more concerned with ensuring integrity.

Access control models are often derived from the main security policies: discretionary (discretionary access control, DAC), mandatory (mandatory access control, MAC), role-based (role-based access control, R-BAC) or organization-based (organization-based access control, Or-BAC).

There are also a number of combinations of these models, such as T-MAC (team-based access control) and T-BAC (task-based access control), which refine and adapt logical access control to the environment in which it is implemented and which are more or less suited to the security policy of the company.

In this paper, we are interested in a more specific classification of security models, which are: Access Control [11], Flow Control [3] and Administration.

to models of flow control and at the end, section 4 presents the administration part.

II. ACCESS CONTROL

A. Generalities

Access control consists in verifying whether an entity requesting the access to a resource has the rights necessary to. This is governed by three levels of abstraction: the access control policy, the access control model and the access control mechanism [31].

1) Access Control Policy

An access control policy defines the rights, the prohibitions and the audited information, as well as the persons authorized to access applications and data or to change the access control policy. The security policy aims to ensure confidentiality, integrity, non-repudiation and availability. In addition, access control policies adapt over time depending on the standards or regulations of the company strategy.

2) Access Control Model

The access control model is the intermediary that bridges the gap between policy and implementation. The model helps to support the predefined policies.

We will see later that the DAC model lets the owner of a resource manage its permissions. This model ensures data confidentiality.

3) Access Control Mechanism

The access control mechanism allows the implementation of the predefined security policy. To determine whether a subject can read information contained in an object, the mechanism can check whether that permission is included in the access control list.

B. State of the Art on Access Control models

1) I-BAC Model
Roles are assigned to subjects in accordance with the function assigned to these subjects in the organization. The basic principle of the R-BAC model is to consider that permissions are directly related to roles and not to the individual.

Compared to the I-BAC model, management of the authorization policy is simplified, since it is not necessary to update the policy when a new subject is created.

However, the actions generally correspond to elementary commands, such as reading the contents of an object or writing an object. In recent applications, the need arises to control the carrying out of composite actions, called tasks or activities.

3) T-BAC Model

The T-BAC model (Task Based Access Control [20]) was the first model to introduce the concept of task. In other words, access is granted depending on the task, so the access verification compares this task to the roles containing the task. Tasks can thus be considered as "sub-roles."

Obviously, the T-BAC model adds a huge improvement compared to R-BAC, as it gives a certain granularity and dynamic work, but it still remains an extended form of the R-BAC model.

Policies and security models that we presented do not take into account:

• Rules that specify permissions or contextual prohibitions;

• Rules that specify obligations or recommendations; models and policies of conventional access control are generally limited to permissions;

• Specific rules for the organization. In particular, the organization can be structured into several sub-organizations, each with its own security policy. The security policy should thus provide a homogeneous framework for managing multiple security policies within the same organization.

The Or-BAC model is the result of work carried out in the RNRT MP6 [30] project. The objective of this model is to allow the modeling of a variety of security policies. To reach this goal, and to reduce the complexity of managing access rights, the Or-BAC model is based on four main principles:

• The organization is the central entity of policies and security models;

• There are two levels of abstraction:
  o a concrete level: subject, action, object,
  o an abstract level: role, activity, view;

• The possibility to express permissions, prohibitions, obligations and recommendations [21,22];
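
The two levels of abstraction above, worked through as an added example (not code from the paper or from any Or-BAC implementation): abstract rules are written per organization over roles, activities and views, and a concrete request (subject, action, object) is decided by mapping it up to that level. The class and method names, the sample policy and the prohibition-over-permission conflict strategy are assumptions made for the illustration.

```python
class OrBacPolicy:
    def __init__(self):
        # Abstract level: rules name a role, an activity and a view, never a user.
        self.rules = set()       # (kind, org, role, activity, view)
        # Per-organization mappings from the concrete to the abstract level.
        self.roles = set()       # (org, subject, role)
        self.activities = set()  # (org, action, activity)
        self.views = set()       # (org, object, view)

    def matching(self, org, subject, action, obj):
        """Abstract rules of `org` that cover this concrete request."""
        return [(kind, o, role, act, view)
                for (kind, o, role, act, view) in self.rules
                if o == org
                and (org, subject, role) in self.roles
                and (org, action, act) in self.activities
                and (org, obj, view) in self.views]

    def is_permitted(self, org, subject, action, obj):
        kinds = {rule[0] for rule in self.matching(org, subject, action, obj)}
        # Assumed conflict strategy: prohibition wins, and no rule means deny.
        return "permission" in kinds and "prohibition" not in kinds


def demo_policy():
    """Constructed sample policy for two organizations."""
    p = OrBacPolicy()
    p.rules = {
        ("permission", "hospital", "physician", "consult", "medical_record"),
        ("permission", "hospital", "physician", "update", "medical_record"),
        ("prohibition", "hospital", "trainee", "update", "medical_record"),
        ("permission", "insurer", "claims_agent", "consult", "claim_file"),
    }
    p.activities = {("hospital", "read", "consult"), ("hospital", "write", "update"),
                    ("insurer", "read", "consult")}
    p.views = {("hospital", "record_42", "medical_record"),
               ("insurer", "claim_7", "claim_file")}
    p.roles = {("hospital", "alice", "physician"),
               ("hospital", "bob", "physician"), ("hospital", "bob", "trainee"),
               ("insurer", "carol", "claims_agent")}
    return p


if __name__ == "__main__":
    p = demo_policy()
    for who in ("alice", "bob", "carol"):
        print(who, p.is_permitted("hospital", who, "write", "record_42"))
```

Giving a new subject the physician role in the hospital is a single entry in `roles`; no rule is touched, and the same subject keeps no rights in the insurer until that organization assigns a role of its own.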
[Figures not reproduced; surviving labels: Abstract level, Concrete level.]

Fig. 1. Subject Organization and Role

Fig. 2. Schema of Or-BAC model interactions [29].

V-BAC
-Is based on the concept of view.
-Allows the structuring of objects in a security policy.
-Allows access to all objects in the view.
-Does not take into account the simultaneous cooperation of users from various organizations.

[Figure labels: User, Resource; levels Top Secret, Secret, Confidential.]

Fig. 3. Example of the Bell-LaPadula model

Confidentiality is achieved by this model by limiting the number of subjects who have read access to sensitive objects at a higher level than their own.

B. Biba Model (Integrity)

The usual definition of mandatory access control specifies that the restrictions on the flow of information are independent of the subject's actions. Although this definition often refers to the Bell-LaPadula model for confidentiality, several systems (such as banks) set up this type of control to ensure integrity.

The Biba model [4,19], called Bell-LaPadula inverted [29], is the first model that takes integrity into account. Indeed, Biba noticed that confidentiality and integrity are dual concepts. Confidentiality is a constraint on who is allowed to read the object, while integrity is a constraint on who is allowed to write to the object or change it.

Thus, in the Bell-LaPadula model, information cannot circulate to lower levels to prevent leakage of sensitive data.

Fig. 4. Example of the Biba model

With constraints, the number of subjects that can change an object is limited and the objective of integrity is achieved.

IV. ADMINISTRATION

Administration is the management and control of all the components of the security policy such as users, actions, objects, roles, permissions, etc.

The specification of the security policy and its update are the two most important administration tasks. Security models are not all accompanied by a model for the administration. The discretionary model of Harrison, Ruzzo and Ullman (HRU) [11,13] is the most famous administration model.

Discretionary access control (DAC [18]) is a conceptual model whose principle is to limit access to objects according to the identity of users (human, machine, etc.) or of the groups to which they belong.

This model is based on the concept of ownership: each object (or resource) has an owner who decides which subjects have access to this object.

The control of an object is said to be discretionary in the sense that an owner with a predefined access authorization can delegate the access rights to another subject (except where mandatory access control restricts it).
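
The owner-controlled delegation of discretionary access control, modelled on an access matrix of subjects, objects and rights, as an added example that is not part of the paper. The command names, the `*` marker for a delegable right and the audit helper are assumptions made for the illustration; the scenario is constructed.

```python
class AccessMatrix:
    """Subjects x objects -> rights, modified only by administration commands."""

    def __init__(self):
        self.cells = {}   # (subject, obj) -> set of rights; "r*" = delegable r
        self.log = []     # (granter, right, grantee, obj) for every grant

    def rights(self, subject, obj):
        return self.cells.get((subject, obj), set())

    def create(self, owner, obj):
        self.cells[(owner, obj)] = {"own"}

    def grant(self, granter, right, grantee, obj, delegable=False):
        held = self.rights(granter, obj)
        # The owner may grant anything; others only what they hold as delegable.
        if "own" not in held and right + "*" not in held:
            raise PermissionError(f"{granter} may not grant {right} on {obj}")
        new = {right, right + "*"} if delegable else {right}
        self.cells.setdefault((grantee, obj), set()).update(new)
        self.log.append((granter, right, grantee, obj))

    def check(self, subject, right, obj):
        held = self.rights(subject, obj)
        return "own" in held or right in held

    def indirect_holders(self, right, obj):
        """Audit: subjects holding `right` that no owner granted it to directly."""
        owners = {s for (s, o), r in self.cells.items() if o == obj and "own" in r}
        direct = {g for (gr, r, g, o) in self.log
                  if o == obj and r == right and gr in owners}
        holders = {s for (s, o), r in self.cells.items() if o == obj and right in r}
        return sorted(holders - direct - owners)


def demo():
    """Constructed scenario: the owner delegates once, the grantee re-delegates."""
    m = AccessMatrix()
    m.create("alice", "payroll.db")
    m.grant("alice", "read", "bob", "payroll.db", delegable=True)
    m.grant("bob", "read", "carol", "payroll.db")   # alice is not consulted
    return m


if __name__ == "__main__":
    m = demo()
    print(m.check("carol", "read", "payroll.db"), m.indirect_holders("read", "payroll.db"))
```

The audit helper is the defender's check here: it lists every subject whose right reached them through a chain the owner did not sign off on.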

This type of policy has major flaws:

• The overall security policy can be compromised by a single subject if he commits an error, intentionally or not;

• At each change of entity (subject or object), the access control matrix must be recalculated;

• A subject who is able to gain access to resources may delegate the access rights to an unauthorized subject.

HRU is a matrix model which is defined from a set of subjects, a set of objects and a set of rules of administration.

However, its implementation consumes a lot of memory when the number of users is large, and the constitution and maintenance of groups are delicate because a subject can belong to several groups. The HRU model nevertheless has the advantage of being simple to describe, of allowing simple modeling and of having a decentralized policy.

V. CONCLUSION

We presented in this paper a state of the art on access control models, showing their advantages and limitations. We also presented the best-known models of flow control and administration.

We can say that the Or-BAC model is the most evolved and that, associated with a flow control model that takes integrity into account, it would be more complete.

As a perspective, we will focus on the implementation of a case of an organization.

ACKNOWLEDGMENT

This work is supported by the National Center for Scientific and Technical Research (CNRST) by an excellence scholarship (J 006/009).

REFERENCES

[1] J. Barkley, Implementing role based access control using object technology. First ACM Workshop on Role-Based Access Control, 1995.
[2] D.E. Bell and L.J. La Padula, Security computer systems. Mathematical Foundations. Hanscom AFB, Bedford, MA. Rep. FSD-TR-73-278, vol. 1, ESD/AFSC, 1973.
[3] D.E. Bell and L.J. La Padula, Secure computer systems. Unified exposition and MULTICS interpretation, MITRE Corp. MTR-2997, 1975.
[4] K.J. Biba, Integrity considerations for secure computer systems. Technical Report ESD-TR-76-372, USAF Electronic Systems Division, Bedford, MA, April 1977.
[5] D.D. Clark and D.R. Wilson, A comparison of commercial and military computer security policies. IEEE, 1987.
[6] U.S. Dep. Defense, Defense trusted computer system evaluation criteria. Rep. DOD, 5200.28-STD, 1985.
[7] J. B. D. Joshi, E. Bertino and A. Ghafoor, Formal foundations for hybrid role hierarchy. ACM Transactions in Information and Systems Security, November 2007.
[8] R.J. Feiertag, A technique for proving specification are multilevel secure. Computer Science Lab Report, CSL-109. Menlo Park, Cal.: SRI International, 1980.
[9] S. Gavrila and J. Barkley, Formal specification for role based access control user-role and role-role relationship management. Third ACM Workshop on Role-Based Access Control, 1998.
[10] C.E. Landwehr, C.L. Heitmeyer and J. McLean, A security model for military message system. ACM Trans. Comput. Syst., Vol. 2: 198-222, 1984.
[11] B.W. Lampson, Protection. ACM, Vol. 8 No. 1: 18-24, Jan 1974.
[12] N. Dimmock, J. Bacon, D. Ingram and K. Moody, Risk models for trust based access control (tbac). iTrust. International conference. Paris, Springer Berlin vol. 3477 No. 3.
[13] M.A. Harrison, W.L. Ruzzo and J.D. Ullman, Protection in operating systems. ACM, Vol. 19 No. 8: 461-471, August 1976.
[14] Roshan K. Thomas, Team-based access control (tmac): a primitive for applying role-based access controls in collaborative environments. Proceedings of the second ACM workshop on Role-based access control, pages 13-19, 1997.
[15] R. E. Brooks, Role-based access control. www.rbac.com
[16] Fabien, OrBAC: Organization Based Access Control, www.orbac.org
[17] M. Abrams, K. Eggers, L. LaPadula and I. Olson, A generalized framework for access control: An informal description. Proceedings of the 13th National Computer Security Conference, Washington, October 1990.
[18] B. Lampson, Protection. 5th Princeton Symposium on Information Sciences and Systems, pages 437-443, March 1971.
[19] K. J. Biba, Integrity consideration for secure computer systems. Technical Report MTR-3153, The MITRE Corporation, June 1975.
[20] R. Thomas and R. Sandhu, Task-based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-oriented Authorization Management. 11th IFIP Working Conference on Database Security, Lake Tahoe, California, USA, 1997.
[21] N. Damianou, N. Dulay, E. Lupu and M. Sloman, The Ponder Policy Specification Language. International Workshop, Policies for Distributed Systems and Networks (Policy 2001). Bristol, UK, 29-31 January 2001.
[22] C. Bettini, S. Jajodia, X. S. Wang and D. Wijesekera, Obligation Monitoring in Policy Management. International Workshop, Policies for Distributed Systems and Networks (Policy 2002), Monterey CA, 5-7 June 2002.
[23] R. Sandhu, E. J. Coyne, H. L. Feinstein and C.E. Youman, Role-based access control models. IEEE Computer, 29(2):38-47, 1996.
[24] R. Lentzner, SQL 3 : Initiation et Programmation, 2004.
[25] A. Abou El Kalam, R. El Baida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Miege, C. Saurel and G. Trouessin, Or-BAC: un modele de controle d'acces base sur les organisations, Cahiers francophones de la recherche en securite de l'information, Numero II, 1er trimestre 2003, pp. 30-43.
[26] C. K. Georgiadis, I. Mavridis, G. Pangalos and R. K. Thomas, Flexible Team-based Access Control Using Contexts, 2001.
[27] T. Albain, "L'insuffisance du modele R-BAC", September 2011.
[28] A. Ghadi, Modele hierarchique de controle d'acces d'UNIX base sur un graphe de roles, Thesis, January 2010.
[29] Y. Deswarte and L. Me, Traite IC2 Securite des reseaux et systemes repartis, tome 2, September 2005.
[30] RNRT MP6 project (communication and information system models and security policies of health care and social matters).
[31] A. Jumelet, Le controle d'acces logique: gestion des autorisations, TechNet Blogs, November 2010.
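
Added example for the Bell-LaPadula and Biba models discussed in the flow control part of the paper; it is not code from the paper. It computes which level-to-level information flows each model leaves open, which makes the "dual concepts" remark concrete. Reusing the three confidentiality labels as the integrity ladder, and the function names, are assumptions made for the illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject, op, obj):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject, op, obj):
    """Biba strict integrity: the same rules with the comparisons inverted."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")


def both_allow(subject, op, obj):
    """A system enforcing the two models at once on the same ladder."""
    return blp_allows(subject, op, obj) and biba_allows(subject, op, obj)


def flows(allows):
    """Pairs (src, dst): some subject may read at level src and write at dst."""
    return {(src, dst) for src in Level for dst in Level
            if any(allows(s, "read", src) and allows(s, "write", dst)
                   for s in Level)}


if __name__ == "__main__":
    for name, rule in (("BLP", blp_allows), ("Biba", biba_allows), ("both", both_allow)):
        pairs = sorted(flows(rule))
        print(name, [(a.name, b.name) for a, b in pairs])
```

Under Bell-LaPadula every open flow goes to an equal or higher level, under Biba to an equal or lower one, and enforcing both on one ladder leaves only same-level flows.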