THE UNIVERSITY OF DODOMA
College Of Informatics and Virtual Education
NAME: Makame, Makame H REGISTRATION No: T/UDOM/2010/00410 PROGRAM: B Sc. Computer and Information Security
ASSIGNMENT NO.1
COURSE NAME: Introduction to IT Security COURSE CODE: IS 102 COURSE INSTRUCTOR: Florence Rashidi
Question: Write short notes on the following access control models: state machine, Bell-LaPadula, Biba, Clark-Wilson, Information Flow, Take-Grant and Access control matrix.
Answer
Access control models
Access control is a generic term for the process by which a computer system controls the interaction between users and system resources. There are several different access control models; these include:
Take-Grant model
The Take-Grant protection model is a formal access control model that represents the transfer of rights and information between entities inside a protection system. Take-Grant models represent a system as a directed graph. Nodes in the graph are either subjects or objects.
An arc directed from node A to node B indicates that subject/object A has some access rights to subject/object B. The access rights are read (r), write (w), take (t) and grant (g).
– Take implies that node A can take node B's access rights to any other node.
– Grant implies that node B can be given any access right A possesses.
– Create rule: a subject A can create a new graph G1 from an old graph G0 by adding a vertex B and an edge from A to B with rights set X.
– Remove rule: let A and B be distinct vertices. Suppose there is an edge from A to B with rights X. Rights Y may be removed from X to produce X\Y. If X\Y is empty, the edge is deleted.
Since the graph only includes arcs corresponding to non-empty entries in the access control matrix, the model provides a compact representation.
The central question of Take-Grant models is: can an initial protection graph and the rules be manipulated to give A a particular access right to C?
Example:
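The four rules above worked through in Python, as an added example that is not part of the original assignment: the graph stores only non-empty arcs, and each rule checks its precondition before rewriting the graph. The vertex names alice, bob, carol and file are assumed sample data.

```python
# Added example (not from the assignment): a Take-Grant protection graph with the
# take, grant, create and remove rules. Vertex names are constructed sample data.

class TakeGrantGraph:
    def __init__(self):
        self.rights = {}  # (src, dst) -> set of rights; no entry means no arc

    def edge(self, src, dst):
        return self.rights.get((src, dst), set())

    def _add(self, src, dst, rights):
        self.rights.setdefault((src, dst), set()).update(rights)

    def create(self, a, b, rights):
        # Create rule: A adds a new vertex B and an arc A -> B labelled with rights X.
        if any(b in pair for pair in self.rights):
            raise ValueError(f"vertex {b} already exists")
        self._add(a, b, rights)

    def take(self, a, b, c, rights):
        # Take rule: if A holds t over B and B holds X over C, A may take X over C.
        if "t" not in self.edge(a, b) or not set(rights) <= self.edge(b, c):
            raise PermissionError(f"{a} cannot take {sorted(rights)} over {c} via {b}")
        self._add(a, c, rights)

    def grant(self, a, b, c, rights):
        # Grant rule: if A holds g over B and A holds X over C, A may give X over C to B.
        if "g" not in self.edge(a, b) or not set(rights) <= self.edge(a, c):
            raise PermissionError(f"{a} cannot grant {sorted(rights)} over {c} to {b}")
        self._add(b, c, rights)

    def remove(self, a, b, rights):
        # Remove rule: replace X by X \ Y; delete the arc when nothing is left.
        remaining = self.edge(a, b) - set(rights)
        if remaining:
            self.rights[(a, b)] = remaining
        else:
            self.rights.pop((a, b), None)


def demo():
    """Walk the rules: alice reaches the file through bob, then passes read on to carol."""
    g = TakeGrantGraph()
    g.create("alice", "bob", {"t"})           # alice can take rights from bob
    g.create("bob", "file", {"r", "w"})       # bob reads and writes the file
    g.create("alice", "carol", {"g"})         # alice can grant rights to carol
    g.take("alice", "bob", "file", {"r"})     # alice now holds r over file
    g.grant("alice", "carol", "file", {"r"})  # carol now holds r over file
    g.remove("bob", "file", {"r", "w"})       # bob's arc to file disappears
    return g
```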
Bell-LaPadula model
The Bell-LaPadula (BLP) model describes the allowable flows of information in a secure system, and is a formalization of the military security policy.
– It allows concurrent computation on data at two different security levels: one machine should be able to be used for top-secret and confidential data at the same time. Programs processing top-secret data would be prevented from leaking top-secret data into confidential data, and confidential users would be prevented from accessing top-secret data.
– The key idea in BLP is to augment DAC with MAC to enforce information flow policies.
– In addition to an access control matrix, BLP also includes the military security levels: each subject has a clearance, and each object has a classification. Authorization in the DAC is not sufficient; a subject must also be authorized in the MAC.
Formally, BLP involves a set of subjects S and a set of objects O. Each subject s and object o has a fixed security class, l(s) and l(o) respectively.
Tranquility principle: subjects and objects cannot change their security levels once they have been instantiated.
There are two properties that characterize the secure flow of information:
1. Simple-security property: a subject s may have read access to an object o if and only if l(o) ≤ l(s).
2. *-Property: a subject s can write to object o if and only if l(s) ≤ l(o).
Read access implies a flow from object to subject (o → s); write access implies a flow from subject to object (s → o).
The *-property is not applied to users: humans are trusted not to leak information, whereas programs are assumed untrustworthy and could be Trojan horses. The *-property prohibits a program running at the secret level from writing to unclassified documents. Sometimes the *-property is modified to require l(s) = l(o) in order to prevent "write-up" problems.
Biba model
BLP is concerned with confidentiality: keeping data inaccessible to those without the proper access privileges. The Biba model is the integrity counterpart to BLP:
– Low-integrity information should not be allowed to flow to high-integrity objects.
– High integrity is placed at the top of the lattice and low integrity at the bottom. Information flows from top to bottom (the opposite direction to BLP).
Biba's model principles:
1. Simple-integrity property: subject s can read object o if and only if l(s) ≤ l(o).
2. Integrity *-property: subject s can write object o only if l(o) ≤ l(s).
In this sense, Biba is the dual of BLP, and there is very little difference between Biba and BLP:
– Both are concerned with information flow in a lattice of security classes.
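The BLP and Biba properties side by side, as an added example that is not part of the original assignment: each model is a pair of checks over an ordered set of levels, and the Biba checks are the BLP checks with the comparison reversed. The level names, the strict_star variant flag and the trojan_leak_blocked scenario are assumptions made for illustration.

```python
# Added example (not from the assignment): the BLP simple-security and *-properties
# beside their Biba integrity duals, over constructed ordered sets of levels.

CONFIDENTIALITY = ["unclassified", "confidential", "secret", "top-secret"]
INTEGRITY = ["untrusted", "user", "system"]

def dominates(order, a, b):
    """True when level a is at or above level b in the given ordering."""
    return order.index(a) >= order.index(b)

def blp_allows(action, l_s, l_o, strict_star=False):
    """Bell-LaPadula: information may flow upward only (no read up, no write down)."""
    if action == "read":              # simple-security: l(o) <= l(s)
        return dominates(CONFIDENTIALITY, l_s, l_o)
    if action == "write":             # *-property: l(s) <= l(o)
        if strict_star:               # variant requiring l(s) == l(o) to stop "write-up"
            return l_s == l_o
        return dominates(CONFIDENTIALITY, l_o, l_s)
    raise ValueError(f"unknown action {action}")

def biba_allows(action, l_s, l_o):
    """Biba: information may flow downward only (no read down, no write up)."""
    if action == "read":              # simple-integrity: l(s) <= l(o)
        return dominates(INTEGRITY, l_o, l_s)
    if action == "write":             # integrity *-property: l(o) <= l(s)
        return dominates(INTEGRITY, l_s, l_o)
    raise ValueError(f"unknown action {action}")

def trojan_leak_blocked():
    """A program running at secret reads secret data, then tries to copy it into an
    unclassified document: the read is allowed, the write is what the *-property stops."""
    can_read = blp_allows("read", "secret", "secret")
    can_write = blp_allows("write", "secret", "unclassified")
    return can_read and not can_write
```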
Information flow
Information flow is one of the two ways to look at the notion of security privileges.
– Every object is given a security class (or a security label): information flowing between objects implies information flowing between the corresponding security classes.
– We define a can-flow relation, A → B, to specify that information is allowed to flow from entities in security class A to entities in security class B.
– We also define a class-combining operator, A ⊕ B = C, to specify that objects that contain information from security classes A and B should be labeled with security class C.
– Implicitly, there is also the notion of cannot-flow, for pairs of classes not related by can-flow.
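The can-flow relation and the class-combining operator as a lattice, as an added example that is not part of the original assignment: a class is a (level, categories) pair, A → B holds when B dominates A, and A ⊕ B is the least class both can flow to. The level and category names are assumed sample data.

```python
# Added example (not from the assignment): information flow classes as a lattice.
# A class is (level, frozenset of categories); can_flow is the "A -> B" relation and
# combine is the "A (+) B = C" operator. Level and category names are constructed.

LEVEL_RANK = {"public": 0, "internal": 1, "secret": 2}
BOTTOM = ("public", frozenset())   # the class that can flow to every other class

def can_flow(a, b):
    """A -> B holds when B has at least A's level and all of A's categories."""
    (level_a, cats_a), (level_b, cats_b) = a, b
    return LEVEL_RANK[level_a] <= LEVEL_RANK[level_b] and cats_a <= cats_b

def combine(a, b):
    """A (+) B: the least class C such that A -> C and B -> C (least upper bound)."""
    (level_a, cats_a), (level_b, cats_b) = a, b
    level = max(level_a, level_b, key=LEVEL_RANK.__getitem__)
    return (level, cats_a | cats_b)

def label_for_output(input_classes):
    """An object built from several inputs is labelled with their combination."""
    result = BOTTOM
    for cls in input_classes:
        result = combine(result, cls)
    return result

def write_allowed(input_classes, destination):
    """A write is permitted only if the combined input class can flow to the
    destination; every pair not in can_flow is the implicit cannot-flow relation."""
    return can_flow(label_for_output(input_classes), destination)
```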
Access control matrix
The access control matrix arose in both OS research and database research. Example: what does it mean for a process to read/write/execute another process?
– Read is to receive signals from, write is to send signals to, and execute is to run as a sub-process.
Formally, an access control matrix is a table in which each row represents a subject and each column represents an object.
– Each entry in the table specifies the set of access rights for that subject to that object.
– In general, access control matrices are sparse: most subjects do not have access rights to most objects.
– Every subject is also an object.
All accesses to objects by subjects are mediated by an enforcement mechanism that uses the access matrix.
– This enforcement mechanism is the reference monitor.
– Some operations allow for modification of the matrix (e.g. an owner might be allowed to grant permission to another user to read a file).
– The owner has complete discretion to change the access rules of an object it owns (discretionary access control).
The access control matrix is a generic way of specifying rules, and is not beholden to any specific access rules.
– It is therefore very flexible and suitable for a broad variety of scenarios.
– However, it is difficult to prove assertions about the protection provided by systems following an access control matrix without looking at the specific meanings of subjects, objects, and rules.
– It is not suitable for specialized requirements, like the military access control model.
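A sparse access control matrix with a reference monitor and owner-only (discretionary) grant and revoke, as an added example that is not part of the original assignment; the demo also treats a process as an object, so a write right on it means the right to send it signals. The subject, object and right names (alice, bob, carol, payroll.db, own, read, write) are assumed sample data.

```python
# Added example (not from the assignment): a sparse access control matrix with a
# reference monitor mediating every access and an owner-only grant/revoke rule (DAC).

class AccessControlMatrix:
    def __init__(self):
        # Only non-empty cells are stored: a missing (subject, object) key means no rights.
        self.cells = {}

    def rights(self, subject, obj):
        return frozenset(self.cells.get((subject, obj), ()))

    def check(self, subject, obj, right):
        """Reference monitor: the single point every access decision passes through."""
        return right in self.rights(subject, obj)

    def create(self, owner, obj):
        """A newly created object is owned by its creator."""
        self.cells[(owner, obj)] = {"own"}

    def grant(self, granter, grantee, obj, right):
        """DAC: only the owner may change the column for obj."""
        if not self.check(granter, obj, "own"):
            raise PermissionError(f"{granter} does not own {obj}")
        self.cells.setdefault((grantee, obj), set()).add(right)

    def revoke(self, owner, subject, obj, right):
        if not self.check(owner, obj, "own"):
            raise PermissionError(f"{owner} does not own {obj}")
        cell = self.cells.get((subject, obj), set())
        cell.discard(right)
        if not cell:
            self.cells.pop((subject, obj), None)   # keep the matrix sparse

    def density(self):
        """Filled cells over all subject x object cells; every subject is also an object."""
        subjects = {s for s, _ in self.cells}
        objects = {o for _, o in self.cells} | subjects
        return len(self.cells) / (len(subjects) * len(objects))


def demo():
    acm = AccessControlMatrix()
    acm.create("alice", "payroll.db")
    acm.grant("alice", "bob", "payroll.db", "read")
    # Processes are objects too: writing to a process means sending it signals.
    acm.create("bob", "bob")
    acm.grant("bob", "alice", "bob", "write")
    acm.grant("alice", "carol", "payroll.db", "read")
    acm.revoke("alice", "carol", "payroll.db", "read")
    return acm
```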
State machine model
The state machine model describes a system that is always secure regardless of the state it is in. A state is a snapshot of the system at a specific instant in time. A state is considered secure only if all of its aspects meet the requirements of the security policy. A system can be labelled a secure state machine if every possible state transition results in another secure state. It allows a subject to access a resource only in a secure manner compliant with the security policy.
Noninterference model
Loosely based on the information flow model. It is concerned with the actions of one subject affecting the system state or the actions of another subject. Basically, the actions of subject A should not affect the actions of subject B, or even be noticed by subject B. The real concern is to prevent the actions of subject A, at a high security classification, from affecting the system at a lower level.
Clark-Wilson model
Also called the Restricted Interface model, as it uses classification-based restrictions to offer only subject-specific authorized information and functions. It is an integrity model. It uses a three-part relationship of subject/program/object known as a triple: subjects do not have direct access to objects, and objects can only be accessed through programs. Two principles are used, well-formed transactions and separation of duties.
– Separation of duties: divides critical functions into two or more parts, each to be completed by a different subject.
– Well-formed transactions: a subject is able to access an object only using a program. Each program has specific limitations on what it can and cannot do to an object. For properly designed programs, the triple relationship provides the means to protect the integrity of the system.
Auditing is also performed, tracking changes and access to objects as well as inputs from outside the system.
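The Clark-Wilson triple, separation of duties and audit trail in Python, as an added example that is not part of the original assignment: a subject can change a constrained data item only by running a program (transformation procedure) for which the (subject, program, object) triple has been certified, certification refuses to give one subject both halves of a split function, and every attempt is logged. The ledger object, the two payment programs and the clerk/manager subjects are assumed sample data.

```python
# Added example (not from the assignment): Clark-Wilson triples. Subjects reach a
# constrained data item (CDI) only through a certified transformation procedure (TP);
# certification enforces separation of duties and every attempt is audited.

class ClarkWilsonSystem:
    def __init__(self):
        self.cdis = {}        # CDI name -> current value
        self.tps = {}         # TP name -> function(old_value, **args) -> new_value
        self.triples = set()  # certified (subject, tp, cdi) relations
        self.separated = []   # (tp_a, tp_b) pairs that must be done by different subjects
        self.audit = []       # append-only record of every attempted access

    def certify(self, subject, tp, cdi):
        """Record that subject may run tp on cdi, unless that would let one subject
        hold both halves of a function split for separation of duties."""
        for tp_a, tp_b in self.separated:
            other = {tp_a: tp_b, tp_b: tp_a}.get(tp)
            if other and (subject, other, cdi) in self.triples:
                raise PermissionError(f"{subject} already certified for {other} on {cdi}")
        self.triples.add((subject, tp, cdi))

    def run(self, subject, tp, cdi, **args):
        """The only way to touch a CDI: a well-formed transaction by a certified triple."""
        allowed = (subject, tp, cdi) in self.triples
        self.audit.append((subject, tp, cdi, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{subject} may not run {tp} on {cdi}")
        self.cdis[cdi] = self.tps[tp](self.cdis[cdi], **args)   # unchanged if the TP raises
        return self.cdis[cdi]


def submit_payment(ledger, amount):
    if amount <= 0 or ledger["pending"] is not None:
        raise ValueError("TP refuses to leave the ledger inconsistent")
    return {**ledger, "pending": amount}

def approve_payment(ledger):
    if ledger["pending"] is None:
        raise ValueError("nothing to approve")
    return {"balance": ledger["balance"] - ledger["pending"], "pending": None}

def build_ledger():
    cw = ClarkWilsonSystem()
    cw.cdis["ledger"] = {"balance": 1000, "pending": None}
    cw.tps.update(submit_payment=submit_payment, approve_payment=approve_payment)
    cw.separated.append(("submit_payment", "approve_payment"))
    cw.certify("clerk", "submit_payment", "ledger")      # clerk enters payments
    cw.certify("manager", "approve_payment", "ledger")   # a different subject approves
    return cw
```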