
CSC 435 – Computer Security

Access Control
Access Control Definition (1)
NISTIR 7298 defines access control as:

“the process of granting or denying specific requests to: (1) obtain and use information and related information processing services; and (2) enter specific physical facilities”
Access Control Definition (2)
RFC 4949 defines access control as:

“a process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy”
Access Control Security Requirements
(SP 800-171)
Basic Security Requirements
1 Limit information system access to authorized users, processes acting on behalf of
authorized users, or devices (including other information systems).
2 Limit information system access to the types of transactions and functions that authorized
users are permitted to execute.

Derived Security Requirements


3 Control the flow of CUI in accordance with approved authorizations.
4 Separate the duties of individuals to reduce the risk of malevolent activity without
collusion.
5 Employ the principle of least privilege, including for specific security functions and
privileged accounts.
6 Use non-privileged accounts or roles when accessing nonsecurity functions.
7 Prevent non-privileged users from executing privileged functions and audit the execution
of such functions.
8 Limit unsuccessful logon attempts.
9 Provide privacy and security notices consistent with applicable CUI rules.
10 Use session lock with pattern-hiding displays to prevent access and viewing of data after
period of inactivity.
11 Terminate (automatically) a user session after a defined condition.
12 Monitor and control remote access sessions.
13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
14 Route remote access via managed access control points.
15 Authorize remote execution of privileged commands and remote access to security-
relevant information.
16 Authorize wireless access prior to allowing such connections.
17 Protect wireless access using authentication and encryption.
18 Control connection of mobile devices.
19 Encrypt CUI on mobile devices.
20 Verify and control/limit connections to and use of external information systems.
21 Limit use of organizational portable storage devices on external information systems.
22 Control CUI posted or processed on publicly accessible information systems.

CUI = controlled unclassified information


Access Control Principles
 In a broad sense, all of computer security is concerned with access control
 RFC 4949 defines computer security as:

“measures that implement and assure security services in a computer system, particularly those that assure access control service”
Access Control and Other Security
Features
 Authentication: Verification that the credentials of a
user or other system entity are valid.
 Authorization: The granting of a right or permission to
a system entity to access a system resource. This function
determines who is trusted for a given purpose.
 Audit: An independent review and examination of system
records and activities in order to test for adequacy of
system controls, to ensure compliance with established
policy and operational procedures, to detect breaches in
security, and to recommend any indicated changes in
control, policy and procedures.
Access Control Policies
 Discretionary access control (DAC): Controls access
based on the identity of the requestor and on access rules
(authorizations) stating what requestors are (or are not)
allowed to do
 Mandatory access control (MAC): Controls access based
on comparing security labels with security clearances
 Role-based access control (RBAC): Controls access based
on the roles that users have within the system and on rules
stating what accesses are allowed to users in given roles
 Attribute-based access control (ABAC): Controls access
based on attributes of the user, the resource to be accessed,
and current environmental conditions
Subjects, Objects, and Access Rights
 Subject: an entity capable of accessing objects. Three classes: owner, group, world
 Object: a resource to which access is controlled; an entity used to contain and/or receive information
 Access right: describes the way in which a subject may access an object. Could include: read, write, execute, delete, create, search
Discretionary Access Control (DAC)
 Scheme in which an entity may be granted access rights that
permit the entity, by its own volition, to enable another entity
to access some resource
 Often provided using an access matrix by OS or DBMS
 One dimension consists of identified subjects that may attempt data
access to the resources
 The other dimension lists the objects that may be accessed
 Each entry in the matrix indicates the access rights of a
particular subject for a particular object
Example of Access Control Structures

(a) Access matrix (subjects on the rows, objects on the columns)

            File 1            File 2            File 3            File 4
User A      Own, Read, Write                    Own, Read, Write
User B      Read              Own, Read, Write  Write             Read
User C      Read, Write       Read                                Own, Read, Write

(b) Access control lists for the files of part (a): one list per object, i.e. one column of the matrix

File 1 -> A: Own, R, W; B: R; C: R, W
File 2 -> B: Own, R, W; C: R
File 3 -> A: Own, R, W; B: W
File 4 -> B: R; C: Own, R, W

ACLs make it easier to determine the users with specific access rights for a specific resource.

(c) Capability lists for the files of part (a): one list per subject, i.e. one row of the matrix

User A -> File 1: Own, R, W; File 3: Own, R, W
User B -> File 1: R; File 2: Own, R, W; File 3: W; File 4: R
User C -> File 1: R, W; File 2: R; File 4: Own, R, W

Capability tickets make it easier to determine the access rights for a given user, but they are a greater security problem than access control lists: a ticket must be unforgeable.

Figure 4.2 Example of Access Control Structures
Authorization Table for Files in Example

Subject   Access Mode   Object
A         Own           File 1
A         Read          File 1
A         Write         File 1
A         Own           File 3
A         Read          File 3
A         Write         File 3
B         Read          File 1
B         Own           File 2
B         Read          File 2
B         Write         File 2
B         Write         File 3
B         Read          File 4
C         Read          File 1
C         Write         File 1
C         Read          File 2
C         Own           File 4
C         Read          File 4
C         Write         File 4

The authorization table is not sparse like the access matrix, but it is more convenient than ACLs or capability lists.
Extended Access Control Matrix

Figure 4.3 Extended Access Control Matrix (figure not reproduced). Subjects S1, S2, S3 are on the rows. The objects on the columns are the subjects themselves (S1, S2, S3), files F1 and F2, processes P1 and P2, and disk drives D1 and D2. Rights appearing in the cells: control (of a subject), owner, read, write, execute, wakeup and stop (on processes), and seek (on disk drives). An asterisk (*) on a right means the copy flag is set.
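The structures of Figure 4.2 (access matrix, ACLs, capability lists, authorization table) and the owner / control / copy-flag rights of the extended matrix in Figure 4.3 are easiest to compare in code. The block below is an added example written for this page, not code from the slides: it keeps the matrix as an authorization table, derives the ACL (column) and capability (row) views from it, and implements the transfer rules assumed here for the extended matrix, namely that an owner may grant or revoke any right on its object, that a right carrying the copy flag may be passed on (the copy loses the flag), and that a subject with control over another subject may revoke that subject's rights. The right names "Own" and "control" follow the slides; subjects D, E and S1 in the usage are constructed.

```python
"""Discretionary access control structures for the Figure 4.2 example,
with the owner / control / copy-flag rules of the extended matrix
(Figure 4.3). Added example, not code from the slides.

Rules assumed here: an owner of an object may grant or revoke any right
on it; a subject holding a right with the copy flag may pass the right
on (the copy has no flag); a subject with 'control' over another subject
may revoke that subject's rights.
"""
OWN, CONTROL = "Own", "control"


class AccessMatrix:
    """Sparse access matrix kept as an authorization table:
    (subject, object) -> {right: copy_flag}."""

    def __init__(self):
        self.table = {}

    def grant(self, subject, obj, right, copy=False):
        self.table.setdefault((subject, obj), {})[right] = copy

    def revoke(self, subject, obj, right):
        self.table.get((subject, obj), {}).pop(right, None)

    def has(self, subject, obj, right):
        return right in self.table.get((subject, obj), {})

    def acl(self, obj):
        """One column of the matrix: the access control list of obj."""
        return {s: set(r) for (s, o), r in self.table.items() if o == obj and r}

    def capabilities(self, subject):
        """One row of the matrix: the capability list of subject."""
        return {o: set(r) for (s, o), r in self.table.items() if s == subject and r}

    def authorization_table(self):
        """Flat (subject, access mode, object) rows, as in the slide's table."""
        return sorted((s, r, o) for (s, o), rs in self.table.items() for r in rs)

    def transfer(self, granter, grantee, obj, right):
        """granter passes `right` on obj to grantee (extended-matrix rule)."""
        if self.has(granter, obj, OWN):                       # owners may grant anything
            self.grant(grantee, obj, right)
            return True
        if self.table.get((granter, obj), {}).get(right):    # copy flag set on the right
            self.grant(grantee, obj, right, copy=False)        # the copy loses the flag
            return True
        return False

    def remove(self, actor, subject, obj, right):
        """actor revokes `right` on obj from subject: needs ownership of obj
        or control over subject."""
        if self.has(actor, obj, OWN) or self.has(actor, subject, CONTROL):
            self.revoke(subject, obj, right)
            return True
        return False


def figure_4_2_matrix():
    """Load the authorization table of the slides into a matrix."""
    m = AccessMatrix()
    rows = [
        ("A", OWN, "File 1"), ("A", "Read", "File 1"), ("A", "Write", "File 1"),
        ("A", OWN, "File 3"), ("A", "Read", "File 3"), ("A", "Write", "File 3"),
        ("B", "Read", "File 1"), ("B", OWN, "File 2"), ("B", "Read", "File 2"),
        ("B", "Write", "File 2"), ("B", "Write", "File 3"), ("B", "Read", "File 4"),
        ("C", "Read", "File 1"), ("C", "Write", "File 1"), ("C", "Read", "File 2"),
        ("C", OWN, "File 4"), ("C", "Read", "File 4"), ("C", "Write", "File 4"),
    ]
    for s, r, o in rows:
        m.grant(s, o, r)
    return m


def check(matrix, subject, obj, right):
    """The reference monitor's question: may subject exercise right on obj?"""
    return matrix.has(subject, obj, right)


if __name__ == "__main__":
    m = figure_4_2_matrix()
    print("ACL of File 3:", m.acl("File 3"))
    print("Capabilities of C:", m.capabilities("C"))
    print("B may write File 4?", check(m, "B", "File 4", "Write"))
    # B holds Read on File 4 without the copy flag, so B cannot pass it on;
    # C owns File 4 and can.
    print("B -> A:", m.transfer("B", "A", "File 4", "Read"))
    print("C -> A:", m.transfer("C", "A", "File 4", "Read"))
```

The same table answers both questions the slides contrast: `acl()` answers "who may access this file" cheaply, `capabilities()` answers "what may this user access" cheaply, and the authorization table holds only the 18 non-empty cells of the 3 x 4 matrix. The copy flag is the only thing that lets a non-owner spread a right, which is why `transfer` strips it from the copy.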


An Organization of the Access Control
Function
Protection Domains
 Set of objects together with access rights to those objects
 More flexibility when associating capabilities with protection
domains
 In terms of the access matrix, a row defines a protection
domain
 User can spawn processes with a subset of the access rights of
the user
 Association between a process and a domain can be static or
dynamic
 In UNIX OS:
 In user mode certain areas of memory are protected from use and
certain instructions may not be executed
 In kernel mode privileged instructions may be executed and
protected areas of memory may be accessed
UNIX File Access Control
UNIX files are administered using inodes (index nodes)

• Control structures with key information needed for a particular file


• Several file names may be associated with a single inode
• An active inode is associated with exactly one file
• File attributes, permissions and control information are stored in the
inode
• On the disk there is an inode table, or inode list, that contains the inodes
of all the files in the file system
• When a file is opened its inode is brought into main memory and stored
in a memory resident inode table

Directories are structured in a hierarchical tree

• May contain files and/or other directories


• Contains file names plus pointers to associated inodes
Traditional UNIX File Access Control
 Each user has a unique user identification number (user ID)
 Each user is a member of a primary group identified by a group ID (and possibly of other groups)
 Each file belongs to a specific owner and a specific group
 12 protection bits: nine of them specify read, write, and execute permission for the owner of the file, members of the file's group, and all other users; the remaining three are the set-user-ID, set-group-ID, and sticky bits
 The owner ID, group ID, and protection bits are part of the file’s inode

(a) Traditional UNIX approach (minimal access control list)

  Owner class   Group class   Other class
  rw-           r--           ---

  user::rw-
  group::r--
  other::---
Traditional UNIX File Access Control
 “Set user ID”(SetUID)
 “Set group ID”(SetGID)
 System temporarily uses rights of the file owner/group in
addition to the real user’s rights when making access control
decisions (only effective while the program is being executed)
 Enables privileged programs to access files/resources not
generally accessible
 Sticky bit: When applied to a directory it specifies that
only the owner of a file in that directory (plus the directory's
owner and the superuser) can rename, move, or delete the file,
even though the directory itself may be writable by everyone
 Superuser:
 Is exempt from usual access control restrictions
 Has system-wide access
Access Control Lists (ACLs) in UNIX
Modern UNIX systems support ACLs
• FreeBSD, OpenBSD, Linux, Solaris

FreeBSD
• Setfacl command assigns a list of UNIX user IDs and groups
• Any number of users and groups can be associated with a file
• Read, write, execute protection bits
• A file does not need to have an ACL
• Includes an additional protection bit that indicates whether the file has an extended ACL

When a process requests access to a file system object two steps


are performed:

• Step 1 selects the most appropriate ACL


• Step 2 checks if the matching entry contains sufficient permissions
UNIX File Access Control – Extended File Access Control

(a) Traditional UNIX approach (minimal access control list)

  Owner class   Group class   Other class
  rw-           r--           ---

  user::rw-
  group::r--
  other::---

(b) Extended access control list

  Owner class   Group class   Other class
  rw-           rw-           ---

  user::rw-
  user:joe:rw-     (masked entry)
  group::r--       (masked entry)
  mask::rw-
  other::---

With an extended ACL the group-class bits of the mode hold the mask, and the named-user and group entries are limited by it; the owner (user::) and other:: entries are not masked.
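The following is an added example, not code from the slides, that puts the traditional permission check, the set-UID effect, the sticky-bit rule and the two-step extended-ACL check side by side. Inodes and processes are small Python objects, so the decision logic runs stand-alone without touching a real file system; the uids, gids, the passwd-like set-UID program, the shadow-like file, the /tmp-like directory and the user joe are constructed for illustration. The entry-selection order in `acl_permitted` follows the POSIX.1e ACL algorithm (owner, named user, group class, other), which is the "select the most appropriate entry" step of the slides.

```python
"""Traditional UNIX permission bits, set-UID, the sticky bit, and the
two-step extended-ACL check with a mask. Added example, not code from the
slides; inodes and processes are modelled in Python. The ids and files in
the usage (alice, joe, bob, a passwd-like program, a shadow-like file,
a /tmp-like directory) are constructed for illustration.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1
S_ISUID, S_ISGID, S_ISVTX = 0o4000, 0o2000, 0o1000   # the three extra protection bits

@dataclass
class Inode:
    uid: int
    gid: int
    mode: int                                  # the 12 protection bits, e.g. 0o4755
    acl: list = field(default_factory=list)    # extended ACL: (tag, qualifier, perm)

@dataclass(frozen=True)
class Process:
    uid: int                                   # real user ID
    euid: int                                  # effective user ID, used for decisions
    egid: int
    groups: frozenset = frozenset()            # supplementary groups

def mode_string(mode):
    """Render the 12 bits the way ls -l does (rws..., rwt, ...)."""
    out = ""
    for shift, special, ch in ((6, S_ISUID, "s"), (3, S_ISGID, "s"), (0, S_ISVTX, "t")):
        bits = (mode >> shift) & 7
        out += ("r" if bits & R else "-") + ("w" if bits & W else "-")
        if mode & special:
            out += ch if bits & X else ch.upper()
        else:
            out += "x" if bits & X else "-"
    return out

def class_bits(inode, proc):
    """Exactly one class applies: owner, else group, else other."""
    if proc.euid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid == proc.egid or inode.gid in proc.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def permitted(inode, proc, want):
    """Access decision. The superuser is exempt from the bits, except that
    executing a file still needs at least one x bit set (Linux behaviour)."""
    if proc.euid == 0:
        return not (want & X) or bool(inode.mode & 0o111)
    if inode.acl:
        return acl_permitted(inode, proc, want)
    return class_bits(inode, proc) & want == want

def acl_permitted(inode, proc, want):
    """Step 1 selects the most specific entry, step 2 applies the mask and
    compares. With an extended ACL the group:: entry is stored in the ACL
    (tag 'group_obj') and the mode's group bits hold the mask."""
    mask = next((p for t, _, p in inode.acl if t == "mask"), 7)
    if proc.euid == inode.uid:                              # user:: is never masked
        return (inode.mode >> 6) & 7 & want == want
    for t, q, p in inode.acl:
        if t == "user" and q == proc.euid:                  # named user, masked
            return p & mask & want == want
    groups = proc.groups | {proc.egid}
    cands = [p for t, _, p in inode.acl if t == "group_obj" and inode.gid in groups]
    cands += [p for t, q, p in inode.acl if t == "group" and q in groups]
    if cands:                                               # any matching group entry may grant
        return any(p & mask & want == want for p in cands)
    return inode.mode & 7 & want == want                    # other::

def execute(inode, proc):
    """Run a program: set-UID / set-GID swap in the file's IDs for its lifetime."""
    if not permitted(inode, proc, X):
        raise PermissionError("not executable by this process")
    euid = inode.uid if inode.mode & S_ISUID else proc.euid
    egid = inode.gid if inode.mode & S_ISGID else proc.egid
    return Process(proc.uid, euid, egid, proc.groups)

def may_unlink(directory, entry, proc):
    """Removing a name needs w+x on the directory; with the sticky bit the
    caller must also own the file or the directory (the superuser is exempt)."""
    if not permitted(directory, proc, W | X):
        return False
    if directory.mode & S_ISVTX and proc.euid not in (0, entry.uid, directory.uid):
        return False
    return True

if __name__ == "__main__":
    ALICE, JOE, BOB, SHADOW_GID = 1000, 1001, 1002, 42       # constructed ids
    passwd = Inode(uid=0, gid=0, mode=S_ISUID | 0o755)        # like /usr/bin/passwd
    shadow = Inode(uid=0, gid=SHADOW_GID, mode=0o640)         # like /etc/shadow
    alice = Process(ALICE, ALICE, ALICE)
    print(mode_string(passwd.mode), "alice reads shadow:", permitted(shadow, alice, R))
    print("after exec of set-UID program:", permitted(shadow, execute(passwd, alice), R))
    tmp = Inode(uid=0, gid=0, mode=S_ISVTX | 0o777)           # like /tmp
    print("alice unlinks bob's file:", may_unlink(tmp, Inode(BOB, BOB, 0o644), alice))
    fig_b = Inode(uid=ALICE, gid=ALICE, mode=0o660,           # figure (b): rw-rw----
                  acl=[("user", JOE, R | W), ("group_obj", None, R), ("mask", None, R | W)])
    print("joe rw on figure (b) file:", permitted(fig_b, Process(JOE, JOE, JOE), R | W))
```

Two points the code makes concrete: the traditional check is first-match, not best-match, so an owner whose own bits are `---` is denied even if "other" has `rwx`; and after `execute` of a set-UID program the real uid is unchanged while the effective uid is the file owner's, which is exactly the window the slides describe as "only effective while the program is being executed".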
Role-based Access Control Model [RBAC]

Figure 4.6 Users, Roles, and Resources (figure not reproduced): users U1 ... Um are assigned to roles (Role 1, Role 2, Role 3), and the roles in turn are mapped to resources; the user-to-role mapping is many-to-many.

Access Control Matrix Representation of RBAC

Figure 4.7 Access Control Matrix Representation of RBAC (figure not reproduced): two matrices. The first has users U1 ... Um on the rows and roles R1 ... Rn on the columns and marks which roles each user is assigned. The second has roles R1 ... Rn on the rows and, on the columns, the roles themselves (R1 ... Rn), files F1 and F2, processes P1 and P2, and disk drives D1 and D2, with the same kinds of rights as Figure 4.3 (control, owner, read*, write*, execute, wakeup, stop, seek), so the role matrix takes the place of the subject matrix.
Example of Role Hierarchy

Figure (not reproduced). Higher roles inherit the access rights of the roles below them:

  Director: inherits from Project Lead 1 and Project Lead 2
  Project Lead 1: inherits from Production Engineer 1 and Quality Engineer 1
  Project Lead 2: inherits from Production Engineer 2 and Quality Engineer 2
  Production Engineer 1, Quality Engineer 1: inherit from Engineer 1
  Production Engineer 2, Quality Engineer 2: inherit from Engineer 2
  Engineer 1, Engineer 2: inherit from Engineering Dept
  Engineering Dept: the base role of the department
Constraints in RBAC
 A constraint is a defined relationship among roles or a condition related to roles
 Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
 Types:
 Mutually exclusive roles: a user can only be assigned to one role in the set (either during a session or statically); any permission (access right) can be granted to only one role in the set
 Cardinality: setting a maximum number with respect to roles
 Prerequisite roles: dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
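The role hierarchy of the figure and the three constraint types above, as an added example written for this page (not code from the slides). The hierarchy is the one in the role hierarchy figure; the permissions, the objects (wiki, build-1) and the users (dana, pat, lee, sam) are constructed for illustration.

```python
"""RBAC with a role hierarchy and the three constraint types of the slides:
mutually exclusive roles, cardinality, and prerequisite roles. Added
example, not code from the slides. The hierarchy is the one in the role
hierarchy figure; the permissions, objects and users are constructed.
"""


class RBAC:
    def __init__(self):
        self.permissions = {}    # role -> {(operation, object)}
        self.juniors = {}        # role -> roles whose permissions it inherits
        self.assignments = {}    # user -> {roles}
        self.exclusive = []      # sets of mutually exclusive roles
        self.cardinality = {}    # role -> maximum number of members
        self.prerequisite = {}   # role -> role that must already be held

    def add_role(self, role, juniors=()):
        self.permissions.setdefault(role, set())
        self.juniors[role] = set(juniors)

    def grant(self, role, operation, obj):
        """Permission-role assignment. Returns None if accepted; a permission
        may be granted to only one role of a mutually exclusive set."""
        for group in self.exclusive:
            if role in group:
                for other in group - {role}:
                    if (operation, obj) in self.permissions[other]:
                        return f"{operation} {obj} is already granted to {other}"
        self.permissions[role].add((operation, obj))
        return None

    def effective_roles(self, role):
        """role plus every role reachable below it in the hierarchy."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, user, role):
        """User-role assignment. Returns None if accepted, otherwise the
        constraint that refused it."""
        held = self.assignments.get(user, set())
        for group in self.exclusive:
            if role in group and held & group:
                return f"{role} is mutually exclusive with {sorted(held & group)}"
        limit = self.cardinality.get(role)
        if limit is not None and sum(role in rs for rs in self.assignments.values()) >= limit:
            return f"{role} already has {limit} member(s)"
        pre = self.prerequisite.get(role)
        if pre is not None and pre not in held:
            return f"{role} requires {pre} first"
        self.assignments.setdefault(user, set()).add(role)
        return None

    def check(self, user, operation, obj):
        """Access decision: any assigned role, directly or through the
        hierarchy, that holds the permission suffices."""
        return any((operation, obj) in self.permissions.get(r, ())
                   for role in self.assignments.get(user, ())
                   for r in self.effective_roles(role))


def build_engineering_rbac():
    rb = RBAC()
    rb.add_role("Engineering Dept")
    for n in ("1", "2"):
        rb.add_role(f"Engineer {n}", ["Engineering Dept"])
        rb.add_role(f"Production Engineer {n}", [f"Engineer {n}"])
        rb.add_role(f"Quality Engineer {n}", [f"Engineer {n}"])
        rb.add_role(f"Project Lead {n}", [f"Production Engineer {n}", f"Quality Engineer {n}"])
    rb.add_role("Director", ["Project Lead 1", "Project Lead 2"])
    # constraints
    rb.exclusive.append({"Production Engineer 1", "Quality Engineer 1"})  # separation of duty
    rb.cardinality["Director"] = 1
    rb.prerequisite["Project Lead 1"] = "Engineer 1"
    # permissions and users (constructed)
    rb.grant("Engineering Dept", "read", "wiki")
    rb.grant("Production Engineer 1", "deploy", "build-1")
    rb.grant("Quality Engineer 1", "approve", "build-1")
    rb.assign("dana", "Director")
    rb.assign("pat", "Production Engineer 1")
    return rb


if __name__ == "__main__":
    rb = build_engineering_rbac()
    print("dana approves build-1:", rb.check("dana", "approve", "build-1"))   # via hierarchy
    print("pat approves build-1:", rb.check("pat", "approve", "build-1"))
    print("pat as Quality Engineer 1:", rb.assign("pat", "Quality Engineer 1"))
    print("sam as Director:", rb.assign("sam", "Director"))
    print("lee as Project Lead 1:", rb.assign("lee", "Project Lead 1"))
```

The mutual-exclusion check here applies to direct assignments only: Project Lead 1 still inherits both engineer roles through the hierarchy, so a policy that wants the deploy/approve separation to hold for the lead as well must forbid that at hierarchy-definition time rather than at assignment time.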
Attribute-Based Access Control (ABAC)
 Can define authorizations that express conditions on properties of both the resource and the subject
 Strength is its flexibility and expressive power
 Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access
 Web services have been pioneering technologies through the introduction of the eXtensible Access Control Markup Language (XACML)
 Three key elements to an ABAC model: attributes, the policy model, and the architecture model
ABAC Model: Attributes
 Subject attributes
 A subject is an active entity that causes information to flow among objects or changes the system state
 Attributes define the identity and characteristics of the subject
 Ex: identifier, name, organization, job title, subject’s role ...
 Object attributes
 An object (or resource) is a passive information system-related entity containing or receiving information
 Objects have attributes that can be leveraged to make access control decisions
 Ex: title, subject, date, author, metadata, ...
 Environment attributes
 Describe the operational, technical, and even situational environment or context in which the information access occurs
 These attributes have so far been largely ignored in most access control policies
 Ex: current date and time, network’s security level (e.g., Internet vs. intranet)
ABAC
 Distinguishable because it controls access to objects by evaluating rules against the attributes of entities, operations, and the environment relevant to a request
 Relies upon the evaluation of attributes of the subject, attributes of the object, and a formal relationship or access control rule defining the allowable operations for subject-object attribute combinations in a given environment
 Systems are capable of enforcing DAC, RBAC, and MAC concepts
 Allows an unlimited number of attributes to be combined to satisfy any access control rule
ABAC Scenario

Figure 4.10 ABAC Scenario (figure not reproduced): (1) a subject (user) sends an access request to the access control mechanism; the mechanism consults (2a) the access control policies, (2b) subject attributes (clearance, name, affiliation, etc.), (2c) object attributes (owner, type, classification, etc.), and (2d) environmental attributes (temperature, time, security, etc.); (3) the mechanism returns Permit or Deny.


ABAC Policies
 A policy is a set of rules and relationships that govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions
 Typically written from the perspective of the object that needs protecting and the privileges available to subjects
 Privileges represent the authorized behavior of a subject and are defined by an authority and embodied in a policy
 Other terms commonly used instead of privileges are: rights, authorizations, and entitlements
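The scenario of Figure 4.10 and the policy definition above, as an added example written for this page. It is not code from the slides and not XACML: a small Python policy engine whose rules are predicates over subject, object and environment attributes, combined deny-overrides. It also shows the claim that ABAC can express DAC, MAC and RBAC concepts, with one rule of each kind. The attribute values (clearance levels, a finance report, an auditor role, working hours, intranet vs. internet) and the users alice, bob and carol are constructed for illustration.

```python
"""Attribute-based access control: rules evaluated over subject, object and
environment attributes, written from the perspective of the object being
protected, with deny-overrides combining. Added example, not code from the
slides and not XACML; the attribute values and users are constructed.
"""
from collections import namedtuple
from datetime import datetime

Rule = namedtuple("Rule", "name effect condition")   # effect: "permit" or "deny"
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# The policy for a report, written from the object's side: each rule is a
# predicate over (subject, object, environment, operation).
REPORT_POLICY = [
    # DAC-style: the owner may do anything with its own report
    Rule("owner", "permit",
         lambda s, o, e, op: s["id"] == o["owner"]),
    # MAC-style: reading needs clearance >= classification, same affiliation
    Rule("cleared-read", "permit",
         lambda s, o, e, op: op == "read"
         and LEVELS[s["clearance"]] >= LEVELS[o["classification"]]
         and s["affiliation"] == o["affiliation"]),
    # RBAC-style: the auditor role may read any report
    Rule("auditor-read", "permit",
         lambda s, o, e, op: op == "read" and "auditor" in s["roles"]),
    # environment: classified material is never served outside the intranet
    Rule("intranet-only", "deny",
         lambda s, o, e, op: o["classification"] != "unclassified"
         and e["network"] != "intranet"),
    # environment: no writes outside working hours
    Rule("working-hours", "deny",
         lambda s, o, e, op: op == "write" and not 8 <= e["time"].hour < 18),
]


def evaluate(policy, subject, obj, env, operation):
    """Deny-overrides combining: one applicable deny rule beats any permit;
    with no applicable permit the default is Deny. Returns the decision and
    the names of the rules that fired (what an audit log should record)."""
    fired = [r for r in policy if r.condition(subject, obj, env, operation)]
    if any(r.effect == "deny" for r in fired):
        decision = "Deny"
    elif any(r.effect == "permit" for r in fired):
        decision = "Permit"
    else:
        decision = "Deny"
    return decision, [r.name for r in fired]


# Constructed attribute sources; in a deployment they come from the identity
# store (2b), the resource metadata (2c) and the request context (2d).
SUBJECTS = {
    "alice": {"id": "alice", "clearance": "secret", "affiliation": "finance", "roles": set()},
    "bob": {"id": "bob", "clearance": "confidential", "affiliation": "finance", "roles": set()},
    "carol": {"id": "carol", "clearance": "unclassified", "affiliation": "audit",
              "roles": {"auditor"}},
}
REPORT = {"owner": "alice", "type": "report", "classification": "secret",
          "affiliation": "finance"}
DAYTIME = datetime(2024, 3, 4, 10, 30)    # constructed request times
NIGHT = datetime(2024, 3, 4, 2, 0)


def decide(user, operation, network, when=DAYTIME):
    """Steps 1-3 of the scenario: collect the attributes and evaluate the policy."""
    env = {"network": network, "time": when}
    return evaluate(REPORT_POLICY, SUBJECTS[user], REPORT, env, operation)


if __name__ == "__main__":
    for args in (("alice", "read", "intranet"), ("alice", "read", "internet"),
                 ("bob", "read", "intranet"), ("carol", "read", "intranet"),
                 ("alice", "write", "intranet", NIGHT)):
        print(args, "->", decide(*args))
```

The combining algorithm matters as much as the rules: alice owns the report, yet the environment rule still denies her from the Internet, and bob, who satisfies no permit rule, is denied by default rather than by any explicit rule. Returning the fired rule names alongside the decision is what makes an ABAC denial explainable when it is audited.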
Identity, Credential, and Access
Management (ICAM)
 A comprehensive approach to managing and implementing
digital identities, credentials, and access control
 Developed by the U.S. government
 Designed to:
 Create trusted digital identity representations of individuals and
nonperson entities (NPEs)
 Bind those identities to credentials that may serve as a proxy for the
individual or NPE in access transactions
 A credential is an object or data structure that authoritatively binds
an identity to a token possessed and controlled by a subscriber
 Use the credentials to provide authorized access to an agency’s
resources
ICAM – Identity, Credential, and Access Management

Figure 4.12 Identity, Credential, and Access Management (ICAM) (figure not reproduced). Its blocks:
 Identity Management: background investigation, on-boarding, authoritative attribute sources, digital identity lifecycle management, provisioning/deprovisioning
 Credential Management: sponsorship, enrollment, credential production, credential issuance, credential lifecycle management
 Access Management: resource management, privilege management, policy management, physical access, logical access
 Identity Federation: connects the above with external parties such as another agency, state or local government, a business partner, or a citizen


Identity Management (1)
 Concerned with assigning attributes to a digital
identity and connecting that digital identity to an
individual or NPE
 Goal is to establish a trustworthy digital identity that
is independent of a specific application or context
 Most common approach to access control for
applications and programs is to create a digital
representation of an identity for the specific use of
the application or program
Identity Management (2)
 Maintenance and protection of the identity itself is
treated as secondary to the mission associated with
the application
 Final element is lifecycle management which
includes:
 Mechanisms, policies, and procedures for protecting
personal identity information
 Controlling access to identity data
 Techniques for sharing authoritative identity data with
applications that need it
 Revocation of an enterprise identity
Credential Management
 The management of the life cycle of the credential
 Examples of credentials are smart cards, private/public cryptographic keys, and digital certificates
 Encompasses five logical components:
1. An authorized individual sponsors an individual or entity for a credential to establish the need for the credential
2. The sponsored individual enrolls for the credential
 Process typically consists of identity proofing and the capture of biographic and biometric data
 This step may also involve incorporating authoritative attribute data, maintained by the identity management component
3. A credential is produced
 Depending on the credential type, production may involve encryption, the use of a digital signature, the production of a smart card or other functions
4. The credential is issued to the individual or NPE
5. A credential must be maintained over its life cycle
 Might include revocation, reissuance/replacement, reenrollment, expiration, personal identification number (PIN) reset, suspension, or reinstatement
Access Management
 Deals with the management and control of the ways entities are granted access to resources
 Covers both logical and physical access
 May be internal to a system or an external element
 Purpose is to ensure that the proper identity verification is made when an individual attempts to access a security sensitive building, computer systems, or data
 Three support elements are needed for an enterprise-wide access control facility: resource management, privilege management, and policy management
Three support elements are needed for an
enterprise-wide access control facility:
Resource management

• Concerned with defining rules for a resource that requires access control
• Rules would include credential requirements and what user attributes,
resource attributes, and environmental conditions are required for access of
a given resource for a given function

Privilege management

• Concerned with establishing and maintaining the entitlement or privilege


attributes that comprise an individual’s access profile
• These attributes represent features of an individual that can be used as the
basis for determining access decisions to both physical and logical resources
• Privileges are considered attributes that can be linked to a digital identity

Policy management

• Governs what is allowable and unallowable in an access transaction


Identity Federation
 Term used to describe the technology, standards, policies,
and processes that allow an organization to trust digital
identities, identity attributes, and credentials created and
issued by another organization
 Addresses two questions:
 How do you trust identities of individuals from external organizations
who need access to your systems?
 How do you vouch for identities of individuals in your organization when
they need to collaborate with external organizations?
Identity Information Exchange Approach

(a) Traditional triangle of parties involved in an exchange of identity information (figure not reproduced): an Identity Service Provider and a Relying Party, linked by a possible contract; Users, linked to each of the two by Terms of Service (TOS).

(b) Trust Framework Providers (figure not reproduced).
Case Study: RBAC System for a Bank
Functions and Roles for a Banking Example
Example of Access Control Administration

Figure (not reproduced), with three administration domains: the Human Resources Department assigns user IDs to positions (roles), with the cardinality 1 : 1-4 shown in the figure; Authorization Administration maps roles to applications (N : M); Application Administration assigns access rights to application functions.
Thank You
