Post on 26-Mar-2015
© 2004 Ravi Sandhu, www.list.gmu.edu
Cyber-Identity, Authority and Trust in an Uncertain World
Prof. Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
www.list.gmu.edu
sandhu@gmu.edu
Outline
• Perspective on security
• Role Based Access Control (RBAC)
• Objective Model-Architecture Mechanism (OM-AM) Framework
• Usage Control (UCON)
• Discussion
PERSPECTIVE
Security Conundrum
• Nobody knows WHAT security is
• Some of us do know HOW to implement pieces of it
Result: hammers in search of nails
Security Confusion
• INTEGRITY: modification
• AVAILABILITY: access
• CONFIDENTIALITY: disclosure
• USAGE: purpose
– electronic commerce, electronic business
– DRM, client-side controls
Security Successes
• On-line banking
• On-line trading
• Automatic teller machines (ATMs)
• GSM phones
• Set-top boxes
• …
Success is largely unrecognized by the security community
Good enough security
• Exceeding good enough is not good
– You will pay a price in user convenience, ease of operation, cost, performance, availability, …
– There is no such thing as free security
• Determining good enough is hard
– Necessarily a moving target
Good enough security
[Figure: a triangle whose corners are EASY, SECURE and COST, pulled at respectively by real-world users, security geeks and the system owner.]
• SECURE: whose security? perception or reality of security
• EASY: end users, operations staff, help desk
• COST: system cost, operational cost, opportunity cost, cost of fraud
Business models dominate security models
Good enough security
• In many cases good enough is achievable at a pretty low threshold
– The “entrepreneurial” mindset
• In extreme cases good enough will require a painfully high threshold
– The “academic” mindset
Good enough security
[Figure: a 3×3 grid of RISK (L, M, H) against COST (L, M, H); each cell is scored from 1 to 5, rising along the diagonal (1 2 3 / 2 3 4 / 3 4 5); the “Entrepreneurial mindset” and “Academic mindset” labels mark the two opposite corners.]
ROLE-BASED ACCESS CONTROL (RBAC)
MAC and DAC
• For 25 years access control has been divided into
– Mandatory Access Control (MAC)
– Discretionary Access Control (DAC)
• In the past 10 years RBAC has become a dominant force
– RBAC subsumes MAC and DAC
Mandatory Access Control (MAC)
[Figure: a lattice of security labels TS > S > C > U; dominance points down the lattice, information flow is permitted only upward.]
Mandatory Access Control (MAC)
[Figure: a lattice of security labels with compartments: S,{A,B} dominates both S,{A} and S,{B}, each of which dominates S,{}; dominance points down the lattice, information flow is permitted only upward.]
Discretionary Access Control (DAC)
• The owner of a resource determines access to that resource
– The owner is often the creator of the resource
• Fails to distinguish read from copy
RBAC96 model (currently the foundation of a NIST/ANSI/ISO standard)
[Figure: USERS are linked to ROLES by USER-ROLE ASSIGNMENT and ROLES to PERMISSIONS by PERMISSION-ROLE ASSIGNMENT; each user’s SESSIONS activate a subset of that user’s roles; ROLE HIERARCHIES partially order the roles; CONSTRAINTS apply across all of these components.]
RBAC SECURITY PRINCIPLES
• least privilege
• separation of duties
• separation of administration and access
• abstract operations
HIERARCHICAL ROLES
[Figure: a role hierarchy in which Health-Care Provider is the most junior role, Physician inherits from it, and Primary-Care Physician and Specialist Physician each inherit from Physician.]
Fundamental Theorem of RBAC
• RBAC can be configured to do MAC
• RBAC can be configured to do DAC
RBAC is policy neutral
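A worked illustration of the theorem, added here and not part of the slides: a minimal RBAC96-style engine (role hierarchy, permission-role and user-role assignment, sessions) configured so that it enforces the TS > S > C > U lattice from the MAC slides. The class and function names are my own; the construction (one read role and one inverted write role per label, with each user assigned the pair for their clearance) assumes the liberal *-property, so writing up is allowed and writing down is blocked.

```python
# Added example, not from the slides: an RBAC96-style engine (roles, hierarchy,
# assignments, sessions) configured to enforce a Bell-LaPadula lattice.
LEVELS = ["U", "C", "S", "TS"]   # lattice from the MAC slides, U < C < S < TS

class RBAC:
    def __init__(self):
        self.juniors = {}     # role -> directly junior roles   (ROLE HIERARCHIES)
        self.perms = {}       # role -> {(object, op)}          (PERMISSION-ROLE ASSIGNMENT)
        self.user_roles = {}  # user -> {roles}                 (USER-ROLE ASSIGNMENT)
    def add_role(self, role, juniors=()):
        self.juniors[role] = set(juniors)
        self.perms.setdefault(role, set())
    def grant(self, role, obj, op):
        self.perms[role].add((obj, op))
    def assign(self, user, *roles):
        self.user_roles.setdefault(user, set()).update(roles)
    def effective_perms(self, roles):
        # a senior role inherits every permission of the roles below it
        seen, todo, out = set(), list(roles), set()
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                out |= self.perms[r]
                todo.extend(self.juniors[r])
        return out
    def session(self, user, roles):
        # a SESSION activates a subset of the roles assigned to the user
        if not set(roles) <= self.user_roles.get(user, set()):
            raise PermissionError(f"{user} may not activate {roles}")
        return set(roles)

def configure_mac(rbac, levels, objects):
    # xR inherits the read roles of all lower levels (simple security); xW inherits
    # the write roles of all HIGHER levels (liberal *-property): read down, write up.
    for i, lvl in enumerate(levels):
        rbac.add_role(lvl + "R", [levels[i - 1] + "R"] if i > 0 else [])
    for i, lvl in reversed(list(enumerate(levels))):
        rbac.add_role(lvl + "W", [levels[i + 1] + "W"] if i + 1 < len(levels) else [])
    for obj, lvl in objects.items():   # objects carry the security labels
        rbac.grant(lvl + "R", obj, "read")
        rbac.grant(lvl + "W", obj, "write")

def clear(rbac, user, level):
    # a user cleared at `level` is assigned that level's read role and write role
    rbac.assign(user, level + "R", level + "W")

def can(rbac, user, level, obj, op):
    active = rbac.session(user, [level + "R", level + "W"])   # activate the pair
    return (obj, op) in rbac.effective_perms(active)
```

No MAC-specific code runs at decision time: `can` is plain RBAC (session, hierarchy, permission lookup), and the lattice policy lives entirely in how the roles were configured.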
OM-AM (Objective/Model Architecture/Mechanism) Framework
THE OM-AM WAY
[Figure: the four OM-AM layers, top to bottom: Objectives and Model answer “What?”; Architecture and Mechanism answer “How?”; assurance spans all four layers.]
LAYERS AND LAYERS
• Multics rings
• Layered abstractions
• Waterfall model
• Network protocol stacks
• Napoleon layers
• RoFi layers
• OM-AM
• etcetera
OM-AM AND MANDATORY ACCESS CONTROL (MAC)
• Objective (What?): No information leakage
• Model (What?): Lattices (Bell-LaPadula)
• Architecture (How?): Security kernel
• Mechanism (How?): Security labels
Assurance spans all four layers.
OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)
• Objective (What?): Owner-based discretion
• Model (What?): numerous
• Architecture (How?): numerous
• Mechanism (How?): ACLs, Capabilities, etc.
Assurance spans all four layers.
OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)
• Objective (What?): Objective neutral
• Model (What?): RBAC96, ARBAC97, etc.
• Architecture (How?): user-pull, server-pull, etc.
• Mechanism (How?): certificates, tickets, PACs, etc.
Assurance spans all four layers.
RBAC96 model (currently the foundation of a NIST/ANSI/ISO standard)
[Figure: USERS are linked to ROLES by USER-ROLE ASSIGNMENT and ROLES to PERMISSIONS by PERMISSION-ROLE ASSIGNMENT; each user’s SESSIONS activate a subset of that user’s roles; ROLE HIERARCHIES partially order the roles; CONSTRAINTS apply across all of these components.]
Server-Pull Architecture
[Figure: the client sends its request to the server, and the server pulls the user’s role information from the user-role authorization server.]
User-Pull Architecture
[Figure: the client first pulls its role information from the user-role authorization server and then presents it to the server along with its request.]
Proxy-Based Architecture
[Figure: the client sends its request to a proxy server, which obtains the user’s role information from the user-role authorization server and forwards the request to the server.]
USAGE CONTROL (UCON)
The UCON Vision: A unified model
• Traditional access control models are not adequate for today’s distributed, network-connected digital environment.
– Authorization only – no obligation or condition based control
– Decision is made before access – no ongoing control
– No consumable rights – no mutable attributes
– Rights are pre-defined and granted to subjects
OM-AM layered Approach
[Figure: the OM-AM framework applied to a usage control system.]
• Objective (What?): Policy Neutral
• Model (What?): ABC model
• Architecture (How?): CRM/SRM, CDID architectures
• Mechanism (How?): DRM technologies, certificates, etc.
Assurance spans all four layers.
Prior Work
• Problem-specific enhancement to traditional access control
– Digital Rights Management (DRM)
  – mainly focused on intellectual property rights protection
  – Architecture- and Mechanism-level studies, functional specification languages
  – Lack of an access control model
– Trust Management
  – Authorization for strangers’ access based on credentials
Prior Work
• Incrementally enhanced models
– Provisional authorization [Kudo & Hada, 2000]
– EACL [Ryutov & Neuman, 2001]
– Task-based Access Control [Thomas & Sandhu, 1997]
– Ponder [Damianou et al., 2001]
Usage Control (UCON) Coverage
Protection Objectives
• Sensitive information protection
• IPR protection
• Privacy protection
Protection Architectures
• Server-side reference monitor (SRM)
• Client-side reference monitor (CRM)
• Both SRM and CRM
[Figure: a grid of protection objectives (sensitive information protection, intellectual property rights protection, privacy protection) against protection architectures (server-side reference monitor, client-side reference monitor, SRM & CRM); traditional access control and trust management occupy the server-side / sensitive-information cell, DRM the client-side / IPR cell, and usage control covers the whole grid.]
Core UCON (Usage Control) Models
[Figure: the UCON core model. A usage decision over Subjects (S) with Subject Attributes (ATT(S)), Objects (O) with Object Attributes (ATT(O)) and Rights (R) is made from Authorizations (A), Obligations (B) and Conditions (C), evaluated pre, ongoing and post usage. The two novelties are continuity of decisions and mutability of attributes.]
Examples
• Long-distance phone (pre-authorization with post-update)
• Pre-paid phone card (ongoing-authorization with ongoing-update)
• Pay-per-view (pre-authorization with pre-updates)
• Click Ad within every 30 minutes (ongoing-obligation with ongoing-updates)
• Business Hour (pre-/ongoing-condition)
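The examples above as a toy usage-control monitor, added here and not from the slides; the function names, the Subject class and the per-minute billing are assumptions of this illustration. It shows the decision phases (pre, ongoing, post) acting on mutable subject attributes, including the ongoing cases where a usage that was allowed to start is revoked part-way through.

```python
# Added example, not from the slides: a toy UCON monitor for the cases above,
# showing continuity of decisions (pre / ongoing / post) and mutable attributes.
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    attrs: dict = field(default_factory=dict)   # ATT(S): mutable subject attributes

def long_distance_call(subject, minutes, rate):
    """Pre-authorization with post-update: decide once before the call on the
    subject's standing, then bill the whole call afterwards."""
    if not subject.attrs.get("credit_ok", False):   # pre-authorization
        return False, 0
    used = minutes                                   # the usage itself
    subject.attrs["balance"] -= used * rate          # post-update of ATT(S)
    return True, used

def prepaid_card_call(subject, minutes, rate):
    """Ongoing-authorization with ongoing-update: re-check the balance every
    minute and deduct as the call runs; revoke when it cannot cover the next minute."""
    used = 0
    while used < minutes:
        if subject.attrs["balance"] < rate:          # ongoing authorization fails
            return False, used                        # access revoked mid-usage
        subject.attrs["balance"] -= rate             # ongoing update of ATT(S)
        used += 1
    return True, used

def business_hours(hour):
    """Pre-/ongoing-condition: depends on the environment, not on the subject."""
    return 9 <= hour < 17

def ad_supported_usage(clicks_at, minutes, every=30):
    """Ongoing obligation with ongoing update: the user must click an ad within
    every `every` minutes; returns how many minutes of usage were granted."""
    deadline = every                                  # next point an ad click is due
    for m in range(1, minutes + 1):
        if m > deadline:                              # obligation not fulfilled
            return m - 1                              # usage ends here
        if m in clicks_at:
            deadline = m + every                      # fulfilled: extend the window
    return minutes
```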
Beyond the UCON Core Models
[Figure: beyond the core models, subjects are distinguished as Consumer Subjects (CS), Provider Subjects (PS) and Identifiee Subjects (IS) around the Objects (O), with usage controls composed either serially or in parallel.]
DISCUSSION
THE OM-AM WAY
[Figure: the four OM-AM layers, top to bottom: Objectives and Model answer “What?”; Architecture and Mechanism answer “How?”; assurance spans all four layers.]
Good enough security
[Figure: a 3×3 grid of RISK (L, M, H) against COST (L, M, H); each cell is scored from 1 to 5, rising along the diagonal (1 2 3 / 2 3 4 / 3 4 5); the “Entrepreneurial mindset” and “Academic mindset” labels mark the two opposite corners.]