Computer Security:
Principles and Practice
Fourth Edition
By: William Stallings and Lawrie Brown
Chapter 4
Access Control
Access Control Definitions (1/2)
NISTIR 7298 defines access control as:
“the process of granting or denying
specific requests to: (1) obtain and use
information and related information
processing services; and (2) enter specific
physical facilities”
Access Control Definitions (2/2)
RFC 4949 defines access control as:
“a process by which use of system
resources is regulated according to a
security policy and is permitted only by
authorized entities (users, programs,
processes, or other systems) according to
that policy”
Table 4.1 Access Control Security Requirements (SP 800-171)
(Table is on page 107 in the textbook)
Access Control Principles
• In a broad sense, all of computer security is
concerned with access control
• RFC 4949 defines computer security as:
“measures that implement and assure
security services in a computer system,
particularly those that assure access control
service”
Source: Based on [SAND94].
Access Control Policies
• Discretionary access control (DAC)
o Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
• Mandatory access control (MAC)
o Controls access based on comparing security labels with security clearances
• Role-based access control (RBAC)
o Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
• Attribute-based access control (ABAC)
o Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
Subjects, Objects, and Access Rights
Subject
An entity capable of accessing objects
Three classes:
• Owner
• Group
• World
Object
A resource to which access is controlled
Entity used to contain and/or receive information
Access right
Describes the way in which a subject may access an object
Could include:
• Read
• Write
• Execute
• Delete
• Create
• Search
Discretionary Access Control (DAC)
• Scheme in which an entity may be granted access rights that permit the entity, by its own volition, to enable another entity to access some resource
• Often provided using an access matrix
o One dimension consists of identified subjects that may attempt data access to the resources
o The other dimension lists the objects that may be accessed
• Each entry in the matrix indicates the access rights of a particular subject for a particular object
Figure 4.2 Example of Access Control Structures
Table 4.2 Authorization Table for Files in Figure 4.2
(Table is on page 113 in the textbook)
Table 4.3 Access Control System Commands
(Table is on page 116 in the textbook)
Protection Domains
• Set of objects together with access rights to those objects
• More flexibility when associating capabilities with
protection domains
• In terms of the access matrix, a row defines a protection
domain
• User can spawn processes with a subset of the access
rights of the user
• Association between a process and a domain can be
static or dynamic
• In user mode certain areas of memory are protected
from use and certain instructions may not be executed
• In kernel mode privileged instructions may be executed
and protected areas of memory may be accessed
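The access matrix, DAC delegation and protection domains described in the two sections above, as an added example in Python that is not part of the textbook or these slides. The "owner" right, the subject and object names and the sample data are constructed for illustration.

```python
from typing import Dict, Set

class AccessMatrix:
    """Rows are subjects (each row is a protection domain), columns are objects,
    and each cell holds the set of access rights of that subject for that object.
    Constructed illustration, not the textbook's own code."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, Set[str]]] = {}

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self.rows.setdefault(subject, {}).setdefault(obj, set()).update(rights)

    def domain(self, subject: str) -> Dict[str, Set[str]]:
        """The row of the matrix, i.e. the protection domain of this subject."""
        return self.rows.get(subject, {})

    def check(self, subject: str, obj: str, right: str) -> bool:
        return right in self.domain(subject).get(obj, set())

    def delegate(self, granter: str, obj: str, grantee: str, *rights: str) -> bool:
        """DAC: a subject holding the (hypothetical) 'owner' right on an object may,
        by its own volition, let another subject access that object."""
        if not self.check(granter, obj, "owner"):
            return False
        self.grant(grantee, obj, *rights)
        return True

    def spawn(self, parent: str, child: str, wanted: Dict[str, Set[str]]) -> None:
        """Create a child domain (e.g. for a spawned process) holding only the
        intersection of the requested rights with the parent's own rights."""
        parent_row = self.domain(parent)
        self.rows[child] = {
            obj: parent_row.get(obj, set()) & rights
            for obj, rights in wanted.items()
            if parent_row.get(obj, set()) & rights
        }

def demo() -> AccessMatrix:
    """Constructed sample data: two files, one owner, one delegation, one subprocess."""
    m = AccessMatrix()
    m.grant("alice", "file1", "owner", "read", "write")
    m.grant("alice", "file2", "read")
    m.delegate("alice", "file1", "bob", "read")          # alice lets bob read file1
    m.spawn("alice", "alice:backup", {"file1": {"read", "write"},
                                      "file2": {"read", "write"}})
    return m
```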
UNIX File Access Control
UNIX files are administered using inodes (index nodes)
• Control structures with key information needed for a particular file
• Several file names may be associated with a single inode
• An active inode is associated with exactly one file
• File attributes, permissions and control information are stored in the inode
• On the disk there is an inode table, or inode list, that contains the inodes of all the files in the file system
• When a file is opened its inode is brought into main memory and stored in a memory resident inode table
Directories are structured in a hierarchical tree
• May contain files and/or other directories
• Contains file names plus pointers to associated inodes
UNIX File Access Control
● Each user has a unique user identification number (user ID)
● A user is a member of a primary group identified by a group ID
● Each file belongs to a specific group
● 12 protection bits
o Specify read, write, and execute permission for the owner of the file, members of the group and all other users
● The owner ID, group ID, and protection bits are part of the file’s inode
Figure 4.5 UNIX File Access Control
Traditional UNIX File Access Control
● “Set user ID” (SetUID) and “Set group ID” (SetGID)
o System temporarily uses rights of the file owner/group in addition to the real user’s rights when making access control decisions
o Enables privileged programs to access files/resources not generally accessible
● Sticky bit
o When applied to a directory it specifies that only the owner of any file in the directory can rename, move, or delete that file
● Superuser
o Is exempt from usual access control restrictions
o Has system-wide access
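The traditional UNIX check over the 12 protection bits, including the SetUID/SetGID effect, the sticky bit and the superuser exemption, as an added Python model that is not part of the textbook or these slides. It assumes a simplified in-memory inode and process (no real kernel calls); uids, gids and file modes are constructed sample values.

```python
# Constructed model of the traditional UNIX permission check; not kernel code.
from dataclasses import dataclass, field
import stat

@dataclass
class Inode:
    uid: int
    gid: int
    mode: int              # the 12 protection bits (setuid, setgid, sticky, rwxrwxrwx)
    is_dir: bool = False

@dataclass
class Process:
    ruid: int              # real IDs: the user who started the process
    rgid: int
    euid: int              # effective IDs: what access decisions are made with
    egid: int
    groups: frozenset = field(default_factory=frozenset)  # supplementary groups

def exec_file(proc: Process, prog: Inode) -> Process:
    """Model exec(): a SetUID/SetGID program runs with the file owner's/group's
    rights (effective IDs) in addition to the real user's IDs."""
    euid = prog.uid if prog.mode & stat.S_ISUID else proc.euid
    egid = prog.gid if prog.mode & stat.S_ISGID else proc.egid
    return Process(proc.ruid, proc.rgid, euid, egid, proc.groups)

def may_access(proc: Process, node: Inode, want: str) -> bool:
    """want is 'r', 'w' or 'x'. Owner, group and world classes are tested in that
    order and only the first matching class is consulted."""
    if proc.euid == 0:                                    # superuser is exempt
        return True
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if proc.euid == node.uid:
        perm = (node.mode >> 6) & 7
    elif proc.egid == node.gid or node.gid in proc.groups:
        perm = (node.mode >> 3) & 7
    else:
        perm = node.mode & 7
    return bool(perm & bit)

def may_delete(proc: Process, directory: Inode, entry: Inode) -> bool:
    """Renaming or deleting needs write on the directory; with the sticky bit set
    only the entry's owner may do it (the kernel also allows the directory owner
    and the superuser)."""
    if not may_access(proc, directory, "w"):
        return False
    if directory.is_dir and directory.mode & stat.S_ISVTX:
        return proc.euid in (0, entry.uid, directory.uid)
    return True
```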
Access Control Lists (ACLs) in UNIX
Modern UNIX systems support ACLs
• FreeBSD, OpenBSD, Linux, Solaris
FreeBSD
• The setfacl command assigns a list of UNIX user IDs and groups to a file
• Any number of users and groups can be associated with a file
• Read, write, execute protection bits
• A file does not need to have an ACL
• Includes an additional protection bit that indicates whether the file has an extended ACL
When a process requests access to a file system object two steps are performed:
• Step 1 selects the most appropriate ACL
• Step 2 checks if the matching entry contains sufficient permissions
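The two-step evaluation above, as an added Python example that is not part of the textbook or these slides. It models POSIX.1e-style ACL entries (the kind FreeBSD's setfacl manages), including the mask entry that caps named-user and group entries; entry tags, uids and gids are constructed sample values.

```python
# Constructed model of POSIX.1e-style ACL evaluation; not the FreeBSD kernel code.
from dataclasses import dataclass
from typing import Optional, Set

@dataclass(frozen=True)
class Entry:
    tag: str                   # user_obj, user, group_obj, group, mask, other
    qualifier: Optional[int]   # uid or gid for named user/group entries
    perms: str                 # subset of "rwx"

@dataclass
class Acl:
    owner: int                 # file owner uid (matches the user_obj entry)
    group: int                 # file group gid (matches the group_obj entry)
    entries: tuple

    def _perms(self, tag: str, qual: Optional[int] = None) -> Optional[Set[str]]:
        for e in self.entries:
            if e.tag == tag and e.qualifier == qual:
                return set(e.perms)
        return None

    def _masked(self, perms: Set[str]) -> Set[str]:
        """The mask entry caps every entry except user_obj and other."""
        mask = self._perms("mask")
        return perms if mask is None else perms & mask

    def check(self, euid: int, egid: int, groups: frozenset, want: str) -> bool:
        # Step 1 picks the most appropriate entry; step 2 tests it for `want`.
        if euid == self.owner:
            return want in self._perms("user_obj")
        named = self._perms("user", euid)
        if named is not None:
            return want in self._masked(named)
        # Group class: every matching group entry is tried; one that grants wins.
        gids = {egid, *groups}
        matched = False
        if self.group in gids:
            matched = True
            if want in self._masked(self._perms("group_obj")):
                return True
        for gid in gids:
            p = self._perms("group", gid)
            if p is not None:
                matched = True
                if want in self._masked(p):
                    return True
        if matched:                 # a group entry applied but lacked the right
            return False
        return want in self._perms("other")
```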
Table 4.4 Scope RBAC Models
Constraints - RBAC
• Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• A defined relationship among roles or a condition related to roles
• Types:
o Mutually exclusive roles: a user can only be assigned to one role in the set (either during a session or statically); any permission (access right) can be granted to only one role in the set
o Cardinality: setting a maximum number with respect to roles
o Prerequisite roles: dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
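The three constraint types above enforced at user-role assignment time, as an added Python example that is not part of the textbook or these slides. The role names and the sample assignments are constructed; the mutual-exclusion check shown is the static form.

```python
# Constructed illustration of RBAC constraints; not the textbook's own code.
class ConstraintViolation(Exception):
    """Raised when a user-role assignment would break a configured constraint."""

class Rbac:
    def __init__(self) -> None:
        self.user_roles: dict = {}        # user -> set of roles (static assignment)
        self.exclusive: list = []         # sets of mutually exclusive roles
        self.cardinality: dict = {}       # role -> maximum number of members
        self.prerequisite: dict = {}      # role -> role the user must already hold

    def members(self, role: str) -> set:
        return {u for u, roles in self.user_roles.items() if role in roles}

    def assign(self, user: str, role: str) -> None:
        held = self.user_roles.setdefault(user, set())
        for group in self.exclusive:                # mutually exclusive roles
            if role in group and held & group:
                raise ConstraintViolation(f"{role} conflicts with {sorted(held & group)}")
        limit = self.cardinality.get(role)          # cardinality
        if (limit is not None and user not in self.members(role)
                and len(self.members(role)) >= limit):
            raise ConstraintViolation(f"{role} already has {limit} member(s)")
        needed = self.prerequisite.get(role)        # prerequisite roles
        if needed is not None and needed not in held:
            raise ConstraintViolation(f"{role} requires {needed} first")
        held.add(role)

def violates(rbac: Rbac, user: str, role: str) -> bool:
    """True if assigning the role is rejected by a constraint (nothing is changed)."""
    try:
        rbac.assign(user, role)
        return False
    except ConstraintViolation:
        return True

def demo() -> Rbac:
    """Constructed role names and constraints."""
    r = Rbac()
    r.exclusive.append({"teller", "auditor"})       # nobody audits their own counter
    r.cardinality["branch_manager"] = 1             # at most one manager
    r.prerequisite["loan_officer"] = "employee"     # must be an employee first
    r.assign("ann", "employee")
    r.assign("ann", "loan_officer")
    r.assign("bob", "teller")
    r.assign("carol", "branch_manager")
    return r
```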
Attribute-Based Access Control (ABAC)
• Can define authorizations that express conditions on properties of both the resource and the subject
• Strength is its flexibility and expressive power
• Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access
• Web services have been pioneering technologies through the introduction of the eXtensible Access Control Markup Language (XACML)
• There is considerable interest in applying the model to cloud services
ABAC Model: Attributes
Subject attributes
• A subject is an active entity that causes information to flow among objects or changes the system state
• Attributes define the identity and characteristics of the subject
Object attributes
• An object (or resource) is a passive information system-related entity containing or receiving information
• Objects have attributes that can be leveraged to make access control decisions
Environment attributes
• Describe the operational, technical, and even situational environment or context in which the information access occurs
• These attributes have so far been largely ignored in most access control policies
ABAC
• Distinguishable because it controls access to objects by evaluating rules against the attributes of entities, operations, and the environment relevant to a request
• Relies upon the evaluation of attributes of the subject, attributes of the object, and a formal relationship or access control rule defining the allowable operations for subject-object attribute combinations in a given environment
• Systems are capable of enforcing DAC, RBAC, and MAC concepts
• Allows an unlimited number of attributes to be combined to satisfy any access control rule
ABAC Policies
A policy is a set of rules and relationships that govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions
• Typically written from the perspective of the object that needs protecting and the privileges available to subjects
Privileges represent the authorized behavior of a subject and are defined by an authority and embodied in a policy
Other terms commonly used instead of privileges are: rights, authorizations, and entitlements
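An ABAC policy written from the perspective of the object being protected, evaluating rules over subject, object and environment attributes, as an added Python example that is not part of the textbook or these slides. It also shows the point made in the ABAC section that one rule set can express MAC-, RBAC- and DAC-style conditions; all attribute names, labels and sample values are constructed.

```python
# Constructed ABAC policy and attributes; not the textbook's own code.
from datetime import time

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}   # constructed labels

# Mandatory conditions: every one must hold, whatever else grants the request.
def no_read_up(subj, obj, env, op):                        # a MAC-style rule
    return LEVELS[subj["clearance"]] >= LEVELS[obj["label"]]

def business_hours_on_corp_net(subj, obj, env, op):        # environment attributes
    return env["network"] == "corp" and time(8) <= env["time"] <= time(18)

# Granting conditions: at least one must hold for the request to be permitted.
def auditor_reads_ledgers(subj, obj, env, op):             # an RBAC-style rule
    return op == "read" and "auditor" in subj["roles"] and obj["type"] == "ledger"

def listed_in_object_acl(subj, obj, env, op):              # a DAC-style rule
    return subj["id"] in obj["acl"].get(op, ())

POLICY = {"mandatory": [no_read_up, business_hours_on_corp_net],
          "granting": [auditor_reads_ledgers, listed_in_object_acl]}

def decide(subj, obj, env, op, policy=POLICY) -> bool:
    """Permit only if all mandatory rules hold and some granting rule applies;
    anything else is denied by default."""
    return (all(rule(subj, obj, env, op) for rule in policy["mandatory"])
            and any(rule(subj, obj, env, op) for rule in policy["granting"]))

# Constructed sample attributes for one object, three subjects and two environments.
LEDGER = {"type": "ledger", "label": "confidential", "acl": {"write": ("bk1",)}}
AUDITOR = {"id": "aud1", "roles": {"auditor"}, "clearance": "secret"}
BOOKKEEPER = {"id": "bk1", "roles": {"clerk"}, "clearance": "confidential"}
INTERN = {"id": "int1", "roles": {"auditor"}, "clearance": "unclassified"}
OFFICE_HOURS = {"network": "corp", "time": time(10, 30)}
LATE_VPN = {"network": "vpn", "time": time(23, 0)}
```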
Identity, Credential, and Access Management (ICAM)
• A comprehensive approach to managing and implementing digital identities, credentials, and access control
• Developed by the U.S. government
• Designed to:
o Create trusted digital identity representations of individuals and nonperson entities (NPEs)
o Bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions
o Use the credentials to provide authorized access to an agency’s resources
• A credential is an object or data structure that authoritatively binds an identity to a token possessed and controlled by a subscriber
Identity Management
Concerned with assigning attributes to a
digital identity and connecting that digital
identity to an individual or NPE
Goal is to establish a trustworthy digital
identity that is independent of a specific
application or context
Most common approach to access
control for applications and programs is
to create a digital representation of an
identity for the specific use of the
application or program
Maintenance and protection of the
identity itself is treated as secondary to
the mission associated with the
application
Final element is lifecycle management
which includes:
• Mechanisms, policies, and procedures for protecting personal
identity information
• Controlling access to identity data
• Techniques for sharing authoritative identity data with
applications that need it
• Revocation of an enterprise identity
Credential Management
The management of the life cycle of the credential
Examples of credentials are smart cards, private/public cryptographic keys, and digital certificates
Encompasses five logical components:
• An authorized individual sponsors an individual or entity for a credential to establish the need for the credential
• The sponsored individual enrolls for the credential
o Process typically consists of identity proofing and the capture of biographic and biometric data
o This step may also involve incorporating authoritative attribute data, maintained by the identity management component
• A credential is produced
o Depending on the credential type, production may involve encryption, the use of a digital signature, the production of a smart card or other functions
• The credential is issued to the individual or NPE
• A credential must be maintained over its life cycle
o Might include revocation, reissuance/replacement, reenrollment, expiration, personal identification number (PIN) reset, suspension, or reinstatement
Access Management
Deals with the management and control of the ways entities are granted access to resources
Covers both logical and physical access
May be internal to a system or an external element
Purpose is to ensure that the proper identity verification is made when an individual attempts to access a security sensitive building, computer systems, or data
Three support elements are needed for an enterprise-wide access control facility:
• Resource management
• Privilege management
• Policy management
Three support elements are needed for an
enterprise-wide access control facility:
Resource management
• Concerned with defining rules for a resource that requires access control
• Rules would include credential requirements and what user attributes,
resource attributes, and environmental conditions are required for access
of a given resource for a given function
Privilege management
• Concerned with establishing and maintaining the entitlement or privilege
attributes that comprise an individual’s access profile
• These attributes represent features of an individual that can be used as the
basis for determining access decisions to both physical and logical
resources
• Privileges are considered attributes that can be linked to a digital identity
Policy management
• Governs what is allowable and unallowable in an access transaction
Identity Federation
• Term used to describe the technology, standards, policies, and processes that allow an organization to trust digital identities, identity attributes, and credentials created and issued by another organization
• Addresses two questions:
o How do you trust identities of individuals from external organizations who need access to your systems?
o How do you vouch for identities of individuals in your organization when they need to collaborate with external organizations?
Open Identity Trust Framework
OpenID
• An open standard that allows users to be authenticated by certain cooperating sites using a third party service
OIDF
• OpenID Foundation is an international nonprofit organization of individuals and companies committed to enabling, promoting, and protecting OpenID technologies
ICF
• Information Card Foundation is a nonprofit community of companies and individuals working together to evolve the Information Card ecosystem
OITF
• Open Identity Trust Framework is a standardized, open specification of a trust framework for identity and attribute exchange, developed jointly by OIDF and ICF
OIX
• Open Identity Exchange Corporation is an independent, neutral, international provider of certification trust frameworks conforming to the OITF model
AXN
• Attribute Exchange Network is an online Internet-scale gateway for identity service providers and relying parties to efficiently access user asserted, permissioned, and verified online identity attributes in high volumes at affordable costs
Table 4.5 Functions and Roles for Banking Example
Summary
• Access control principles
o Access control context
o Access control policies
• Subjects, objects, and
access rights
• Discretionary access
control
o Access control model
o Protection domains
• UNIX file access control
o Traditional UNIX file access control
o Access control lists in UNIX
• Role-based access
control
o RBAC reference models
• Attribute-based access control
o Attributes
o ABAC logical architecture
o ABAC policies
• Identity, credential, and access management
o Identity management
o Credential management
o Access management
o Identity federation
• Trust frameworks
o Traditional identity exchange approach
o Open identity trust framework
• Bank RBAC system