Post on 25-Feb-2016
description
8.2 DISCRETIONARY ACCESS CONTROL
MODELS
Lakshmi Narayana Gupta Kollepara10/26/2009
CSC-8320
Outline
Part 1 : Discretionary Access Control Models
Part 2 : Recent Studies Part 3 : Future work
Discretionary Access Control Models (Chow, Johnson, 1997)
Discretionary access control (DAC) is a kind of access control ' which restricts access to objects based on the identity of subjects and/or groups to which they belong'. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject
Discretionary security models provide access control on an individual basis.
Access Control matrix is a fundamental and widely used Discretionary Access control Model for enforcing security policies
A security policy is a statement that specifies what privileges and limitations a certain subject has on an object
Ex: subject s can access object x if it has not accessed object y.
There are two kinds of security policies:
Simple security policiesAccess control matrix (ACM) models are widely used
to enforce the simple security policies.
Complex Security policiesSecurity requirements how and when the accesses are
performed( special constraints are involved).Relevant to the distributed systems.
(Chow, Johnson, 1997)
An access control is a function that given a subject and object pair(s,o) and a requested operation r , from s to o , returns a true value if requested is permittedR = P(s,o)
P – access matrix, R – set of allowable operations.( ‘r’ is a particular operation belonging to set ‘R’ ), s – subject, o – object
The process of access validation is performed by a ‘reference monitor’ with a ACM for all subjects and objects
Practically it is preferable to have separate reference monitors for different categories of subjects and objects.
(Chow, Johnson, 1997)
In a resource ACM subjects are users, objects are the files to be accessed.
Access Rights may include “read”, ”write”, ”execute”, ”append”. Special privileges may be the “owner” and copy privilege.
(Chow, Johnson, 1997)
Resource ACM
In process ACM the subjects and objects are both processes.
Operations are basically related to communication and synchronization.
(Chow, Johnson, 1997)
Process ACM
Reducing the Size of Access Control Matrix
Subject rows in the ACM that have identical entries i.e subjects that have similar access rights on common objects , could be merged into groups.
If a user belongs to more than one group, its access rights is the union of all access rights of all the groups it belongs to.
Similarly Object columns with same entries could be merged into ‘categories’ .
(Chow, Johnson, 1997)
Distributed Compartment Model
A distributed application with collaborating processes may consists of subject users and object resources crossing the physical boundaries of physical resources.
Here, a logical ACM called a ‘distributed compartment’ that regulates access among the collaborating users would serve a better purpose.
Access to the distributed compartments are based on ‘distributed
handles’.
These handles are application oriented and they provide a protective wall around an application and are authenticated by the application
(Chow, Johnson, 1997)
Distributed compartment (Chow, Johnson, 1997)
The distributed compartment model has a number of advantages
The grouping of subjects and objects is logical and application specific.
The accesses are more transparent since they do not depend on the operating systems and administrative units.
Since the application manages the distributed handles, it allows different security policies to be implemented.
(Chow, Johnson, 1997)
Implementations OF ACM For efficiency and organizational purposes , access control
matrices need to be partitioned
The Linked list structure that contains all entries in a column for a particular object is called a Access control List (ACL) for the object.
Likewise all entries in a row for a subject is called a Capability List (CL) for the subject
the ACL resides in the object server and contains the pairs(si,Rsi)
While the CL is a part of the subject (client process) containing the pairs (oi,Roi)
(Chow, Johnson, 1997)
Comparison of ACL and CL (Chow, Johnson, 1997)
Comparison between ACLs and capabilities for protecting objects.
Using an ACL
Using capabilities
ACL Vs CL Comparison in terms of management functions
• Authentication• Reviewing of Access Rights• Propagation of Access Rights• Revocation of Access Rights• Conversion between ACL and CL
(Chow, Johnson, 1997)
ACL Authenticates subjects, which is performed by the system
While in CL, authentication is performed on capabilities of objects , by the object server.
Objects have knowledge of the capabilities ,but do not know the users or processors. This is one of the reasons why many Distributed implementations favor the CL approach
(Chow, Johnson, 1997)
Authentication
Review Of Access Rights
To know which subjects are authorized to use a certain objects.
Easier to review ACL, because ACL contains exactly this information. For storage efficiency subject grouping, wildcards ,prohibitive rights could also be used.
It is difficult to review for a CL unless some type of activity log is kept for all subjects that are given the capability
(Chow, Johnson, 1997)
Propagation of access rights Access rights must be replicable to facilitate sharing.
Propagation is Duplication of some or all the privileges from one subject to the others.
Propagation is not transfer of rights, it is only duplication.
In ACL, propagation of rights is explicitly initiated by a request to the object server, which modifies or adds an entry to its ACL.
(Chow, Johnson, 1997)
Propagation of rights must adhere to the principle of least principles. i.e. Only the minimum privileges required to perform the tasks are given when propagating the rights
In CL, theoretically it is propagate rights between subjects without intervention of object server.
This could result in an uncontrollable system and hence is avoided.
(Chow, Johnson, 1997)
Revocation of access rights
Revocation is trivial in ACL because it is easy to delete subject entries from the ACL.
It is difficult for CL’s to revoke access selectively.
(Chow, Johnson, 1997)
Conversion Between ACL & CL
Interactions among processes involving different Access control models would require gateways for conversions.
Conversion to ACL is straightforward.
Consider example of processes in a CL requiring to access remote objects in ACL Gateway Authenticates the process identifier.It Then verifies the operation in the capability list.The request is then converted to ACL and is presented
to the remote host(Chow, Johnson, 1997)
Converting a ACL request to CL is slightly more complex
Requires a database with resource capabilities for the interacting processesGateway validates the ACL request obtains the resource capability from the database serverCapability is then presented to capability based object
server.
A system utilizing both ACL and CL suffers the drawback of both approaches
Furthermore the conversions causes additional security hazards
(Chow, Johnson, 1997)
Part 2Local distributed storage system
(Xie, et al -2004)
Certification andAuthentication Server
Requirements of Access Control in Data grid Environment Single sign on Separation of duties High efficiency Centralized management and autonomy Support Qos( Quality of service).
(Xie, et al -2004)
(Xie, et al -2004)
Future Work
Absolute trust mechanism in access control system is an important subject of P2P security research.
Also secure efficient ACM for huge networks especially the data-centric networks will be effectively realized.
Excellent Access control methods for highly dynamic real time systems.
References Randy Chow,Theodore Johnson, “Distributed
Operating Systems & Algorithms”, 1997 Access control of global distributed storage
systemChao Xie; Hai Jin; Song Wu; Shengli Li; Zhiping Wang;Computer and Information Technology, 2004. CIT '04 .
http://en.wikipedia.org/wiki/Access_control( Accessed on 27th October 2008)
Thank you
Questions…