CSC 8320 Advanced Operating System - PowerPoint PPT Presentation

About This Presentation
Title:

CSC 8320 Advanced Operating System

Description:

CSC 8320 Advanced Operating System Discretionary Access Control Models Presenter: Ke Gao Instructor: Professor Zhang ... – PowerPoint PPT presentation

Slides: 32
Provided by: Dell558
Learn more at: http://www.cs.gsu.edu
Transcript and Presenter's Notes

Title: CSC 8320 Advanced Operating System


1
CSC 8320 Advanced Operating System
Discretionary Access Control Models
Presenter: Ke Gao
Instructor: Professor Zhang
2
Overview
  • Part 1 Fundamental Knowledge
  • Part 2 Current Technology
  • Part 3 Future Research

3
Part 1 Fundamental Knowledge
4
The Access Control Matrix (ACM) [1], Randy Chow,
1997
The Access Control Matrix (ACM) is the most
fundamental and widely used discretionary access
control model for simple security policies.
Access control is a function that, given a
subject and object pair (s, o) and an operation r
requested by s on o, returns true if the request
is permitted.
5
Two Types of Security Policies
  • Simple Security Policy
  • A statement that specifies what privileges and
    limitations a certain subject has on an object,
    without any special constraints.
  • Complex Security Policy
  • Security requirements that depend on how and
    when other accesses are being performed, e.g. a
    subject can access object x if it has not
    already accessed object y.

6
Example of ACM - Resource ACM
7
Example of ACM - Process ACM
8
Example of ACM - Domain ACM
9
Reducing the Size of the Access Control Matrix
  • User subjects are generally related and often
    have similar access rights to some common
    objects.
  • Rows of the ACM can be merged into a single row
    for a group of users.
  • A user is then identified by a group name, so
    access is based on the group rather than on the
    user name.
  • Object columns can be merged into categories
    that are based on the objects rather than on the
    attributes of the users.
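
As an added illustration (not from the slides or from Chow and Johnson's book), the following Python models the matrix as a dictionary of dictionaries and shows the three ideas above in code: the simple-policy decision function f(s, o, r), a complex policy whose decision depends on the subject's access history (the "x only after not y" rule), and the row/column reduction by user group and object category. All subjects, objects, rights and the conflict rule are constructed sample values; the class and function names are my own.

```python
"""Access control matrix (ACM) with a simple policy, a history-dependent
(complex) policy and the group/category reduction from the slides.
Added example; every value below is constructed for illustration."""
from collections import defaultdict

# Constructed sample ACM: rows are subjects, columns are objects,
# cells are the set of permitted operations.
ACM = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"payroll.db": {"read"},          "report.txt": {"read"}},
    "carol": {"report.txt": {"read", "write"}},
}


def check(acm, s, o, r):
    """Simple security policy: f(s, o, r) is true iff r is in cell (s, o)."""
    return r in acm.get(s, {}).get(o, set())


class HistoryPolicy:
    """Complex policy: the answer depends on earlier accesses.

    The rule from the slide: a subject may access object x if it has not
    already accessed object y.  Every granted access is recorded so that
    later decisions can consult the history.
    """

    def __init__(self, acm, conflicts):
        self.acm = acm
        self.conflicts = conflicts          # {x: y} meaning "x is barred after y"
        self.history = defaultdict(set)     # subject -> objects already accessed

    def check(self, s, o, r):
        if not check(self.acm, s, o, r):    # the matrix must permit it first
            return False
        barred_by = self.conflicts.get(o)
        if barred_by is not None and barred_by in self.history[s]:
            return False
        self.history[s].add(o)
        return True


def reduce_acm(acm, groups, categories):
    """Merge rows by user group and columns by object category.

    groups: {user: group}; categories: {object: category}.
    The reduced cell holds the intersection of the merged users' rights on
    the merged objects, so nobody gains a right the full matrix denied.
    """
    members = defaultdict(list)
    for user, g in groups.items():
        members[g].append(user)
    objs = defaultdict(list)
    for obj, c in categories.items():
        objs[c].append(obj)
    reduced = {}
    for g, users in members.items():
        reduced[g] = {}
        for c, olist in objs.items():
            rights = None
            for u in users:
                for o in olist:
                    cell = acm.get(u, {}).get(o, set())
                    rights = set(cell) if rights is None else rights & cell
            reduced[g][c] = rights or set()
    return reduced


if __name__ == "__main__":
    print(check(ACM, "alice", "payroll.db", "write"))        # True
    hp = HistoryPolicy(ACM, {"report.txt": "payroll.db"})
    print(hp.check("alice", "payroll.db", "read"),            # True
          hp.check("alice", "report.txt", "read"))            # False: history
    print(reduce_acm(ACM,
                     {"alice": "finance", "bob": "finance", "carol": "staff"},
                     {"payroll.db": "finance-data", "report.txt": "docs"}))
```

The reduced matrix uses the intersection of the merged cells on purpose: merging rows by taking the union would silently grant bob write access to payroll.db because alice has it, which is exactly the kind of privilege creep a group scheme must avoid.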

10
Distributed Compartments
A distributed application with collaborating
processes may consist of subject users and object
resources that cross the physical boundaries of
the underlying resources. Because it is
impossible to maintain a global ACM, a logical
ACM, called a distributed compartment, that
regulates access among the collaborating users
serves the purpose better.
11
  • Each distributed compartment has at least one
    member, called an owner, which has the maximum
    privileges.
  • Access to a distributed compartment is based on
    distributed handles rather than on user IDs.
  • These handles are application oriented: they
    provide a protective wall around an application
    and are authenticated by the application.

12
(No Transcript)
13
ACM Implementations
The linked-list structure that contains all
entries in a column for a particular object is
called an Access Control List (ACL) for the
object. An ACL specifies the permissible rights
that various subjects have on the object.
Likewise, all entries in a row for a subject are
called a Capability List (CL) for the subject. A
CL specifies the privileges to various objects
held by the subject.
14
ACM Implementations
[Diagram: ACL implementation. The subject (client) sends the request (r, s) to the object (server). The server holds ACL = <(s_i, R_si)> and checks: s ∈ S and r ∈ R_s?]
[Diagram: CL implementation. The subject (client) holds CL = <(O_i, R_oi)> and sends (o, s) to the object (server). The server checks: o ∈ O and r ∈ R_o?]
15
ACM Implementations
[Diagram: Lock-key implementation. The subject (client) holds CL = <(O_i, K_i)> and sends (o, r, k) to the object (server). The server holds the lock list LL = <(L_i, R_li)> and checks: o ∈ O, k matches a lock l of o, and r ∈ R_l?]
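
The three exchanges in the diagrams, written out in Python as an added example (not code from the presentation or from Chow and Johnson's book). The subjects, objects, rights and keys are constructed. One assumption is made explicit: the capability the CL client presents is the (object, rights) pair from its own list, which is what lets the server check r ∈ R_o without keeping any per-subject table; the lock-key variant then shows how the server can check such a presented capability against something it controls.

```python
"""ACL, capability-list (CL) and lock-key implementations of the ACM,
written as the request/check exchanges shown in the two diagrams.
Added example; all sample data is constructed."""
import secrets

# Constructed sample subjects and objects (the sets S and O in the diagrams).
SUBJECTS = {"alice", "bob"}
OBJECTS = {"file1", "file2"}

# ACL: the object server keeps one column <(s_i, R_si)> per object.
ACL = {
    "file1": {"alice": {"read", "write"}, "bob": {"read"}},
    "file2": {"alice": {"read"}},
}

# CL: every subject keeps its own row <(O_i, R_oi)>.
CL = {
    "alice": {"file1": {"read", "write"}, "file2": {"read"}},
    "bob":   {"file1": {"read"}},
}


def acl_server(o, msg):
    """ACL diagram: the server receives (r, s), authenticates s (s in S)
    and grants iff r is in R_s, the rights of s on this object."""
    r, s = msg
    if s not in SUBJECTS:                       # authentication done by the system
        return False
    return r in ACL.get(o, {}).get(s, set())


def cl_client(s, o, r):
    """CL diagram, client side: find the capability for o in the subject's
    list and present it with the request; None if the subject holds none."""
    rights = CL.get(s, {}).get(o)
    if rights is None:
        return None
    return (o, r, frozenset(rights))            # (o, r, R_o) travels with the request


def cl_server(msg):
    """CL diagram, server side: no per-subject table; check o in O and
    r in R_o using only the presented capability.  The server therefore
    relies on the capability being unforgeable, which is what the
    lock-key scheme below provides."""
    if msg is None:
        return False
    o, r, rights = msg
    return o in OBJECTS and r in rights


def make_lock_key_system():
    """Lock-key diagram: the server keeps LL = <(L_i, R_li)> per object and
    hands each subject the matching keys, so the subject's CL becomes
    <(O_i, K_i)>.  Here a key is simply the lock value it opens."""
    lock_list = {}
    keys = {s: {} for s in SUBJECTS}
    for o, column in ACL.items():
        lock_list[o] = []
        for s, rights in column.items():
            lock = secrets.token_hex(16)        # random, unguessable lock value
            lock_list[o].append((lock, set(rights)))
            keys[s][o] = lock                   # the matching key goes to s
    return lock_list, keys


def lock_key_server(lock_list, msg):
    """Receives (o, r, k): grant iff o in O, k opens some lock l of o and
    r is in R_l.  Constant-time comparison avoids leaking lock bytes."""
    o, r, k = msg
    if o not in OBJECTS:
        return False
    for lock, rights in lock_list.get(o, []):
        if secrets.compare_digest(lock, k) and r in rights:
            return True
    return False


if __name__ == "__main__":
    print(acl_server("file1", ("write", "alice")))                 # True
    print(cl_server(cl_client("bob", "file1", "write")))           # False
    ll, keys = make_lock_key_system()
    print(lock_key_server(ll, ("file1", "read", keys["bob"]["file1"])))  # True
```

Note what each server has to trust: the ACL server trusts the system's identification of s, the plain CL server trusts whatever rights the client claims to hold, and the lock-key server trusts only its own lock list, which is why a guessed or fabricated key is rejected below.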
16
Comparison of ACL and CL
  • Authentication
  • Reviewing of Access Rights
  • Propagation of Access Rights
  • Revocation of Access Rights
  • Conversion between ACL and CL

17
Authentication
  • In ACL, subjects are authenticated by the system,
    so there is no extra overhead.
  • In CL, authentication is performed by the object
    server, but it is easier, and it is widely used
    in distributed systems.

18
Review of Access Rights
  • Easier to review ACL, because ACL contains
    exactly this information.
  • Difficult for CL unless some type of activity log
    is kept.

19
Propagation of Access Rights
  • In ACL, propagation of rights is initiated by a
    request to the object server, which modifies or
    adds an entry to its ACL.
  • In CL, rights can in theory be propagated between
    subjects without the intervention of the object
    server, but this may result in an uncontrollable
    system.

20
Revocation of Access Rights
  • Revocation is trivial in ACL because it is easy
    to delete subject entries from the ACL.
  • It is difficult for CLs to revoke access
    selectively.

21
Conversion Between ACL and CL
  • Conversion from CL to ACL is straightforward.
  • Conversion from ACL to CL:
  • The gateway authenticates the process identifier
    and verifies the operation in the capability
    list.
  • The remote host grants the access request if its
    ACL contains the process as a subject and the
    requested operation is within the authorized
    range.
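
The four properties contrasted on the preceding slides (review, propagation, revocation and conversion) as one added Python example; it is not code from the presentation. The rights are constructed sample data, the function names are my own, and gateway_forward is my rendering of the three ACL-to-CL gateway steps on the last slide. The optional activity log in the CL functions is the "some type of activity log" the review slide mentions.

```python
"""Review, propagation, revocation and conversion of rights under the two
ACM representations contrasted on the comparison slides.
Added example with constructed data."""
from collections import defaultdict

# Constructed sample rights, stored as ACLs (one column per object).
ACL = {
    "file1": {"alice": {"read", "write"}, "bob": {"read"}},
    "file2": {"alice": {"read"}, "carol": {"read", "write"}},
}


def acl_to_cl(acl):
    """Invert columns into rows: CL[s][o] = ACL[o][s]."""
    cl = defaultdict(dict)
    for o, column in acl.items():
        for s, rights in column.items():
            cl[s][o] = set(rights)
    return dict(cl)


def cl_to_acl(cl):
    """Invert rows into columns.  The slide calls this direction
    straightforward: every capability names its object, so each one lands
    in exactly one ACL."""
    acl = defaultdict(dict)
    for s, row in cl.items():
        for o, rights in row.items():
            acl[o][s] = set(rights)
    return dict(acl)


# Review: "who may access o?" is one lookup in an ACL, but under CLs the
# object server never sees the lists and has to scan every subject's row.
def review_acl(acl, o):
    return set(acl.get(o, {}))


def review_cl(cl, o):
    return {s for s, row in cl.items() if o in row}


# Propagation: with CLs a subject can hand a copy of its capability to
# another subject without asking the object server; an activity log is the
# only thing that lets anyone find out later.
def propagate_cl(cl, giver, receiver, o, log=None):
    rights = cl.get(giver, {}).get(o)
    if rights is None:
        return False
    cl.setdefault(receiver, {})[o] = set(rights)
    if log is not None:
        log.append((giver, receiver, o))
    return True


# Revocation: trivial in an ACL (delete the entry); under CLs every holder
# must be reached, and copies nobody logged survive the revocation.
def revoke_acl(acl, o, s):
    return acl.get(o, {}).pop(s, None) is not None


def revoke_cl(cl, o, s, log=None):
    """Remove s's capability for o and, if a log exists, every copy s handed on."""
    removed = cl.get(s, {}).pop(o, None) is not None
    if log is not None:
        for giver, receiver, obj in list(log):
            if giver == s and obj == o:
                log.remove((giver, receiver, obj))
                revoke_cl(cl, o, receiver, log)   # follow the chain of copies
    return removed


def gateway_forward(cl, remote_acl, known_pids, pid, o, r):
    """ACL -> CL conversion across hosts, as the slide describes: the gateway
    authenticates the process identifier and verifies r against the process's
    capability list; the remote host then grants iff its ACL lists pid with r on o."""
    if pid not in known_pids:
        return False
    if r not in cl.get(pid, {}).get(o, set()):
        return False
    return r in remote_acl.get(o, {}).get(pid, set())


if __name__ == "__main__":
    cl = acl_to_cl(ACL)
    propagate_cl(cl, "bob", "dave", "file1")          # unlogged copy
    revoke_cl(cl, "file1", "bob")
    print("dave still has file1:", "file1" in cl["dave"])   # True: revocation missed the copy
```

Run the unlogged and the logged scenario side by side (as the test below does) and the difference the revocation slide describes becomes concrete: only when the log exists does revoking bob also reach the copy he gave dave.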

22
Part 2 Current Technology
23
Role-based Access Control (RBAC)
  • Access decisions are based on the roles that
    individual users have as part of an organization.
  • Users take on assigned roles (such as doctor,
    nurse, teller, manager). The operations that a
    user is permitted to perform are based on the
    user's role.
  • Role hierarchies can be established to provide
    for the natural structure of an enterprise.
  • Organizations establish the rules for the
    association of operations with roles.
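
The four bullets above as an added Python example (not code from the presentation). It keeps the RBAC elements separate the way the slide lists them: a user-to-role assignment, a role-to-operation assignment, and a role hierarchy through which a senior role inherits a junior role's operations. The roles are the ones named on the slide; the users, objects and operations are constructed.

```python
"""Role-based access control: users hold roles, roles hold operations, and
a role hierarchy lets a senior role inherit what a junior role may do.
Added example; organisation data is constructed."""

# role -> set of (object, operation) the role may perform directly
ROLE_OPERATIONS = {
    "employee": {("badge", "use")},
    "nurse":    {("chart", "read"), ("vitals", "record")},
    "doctor":   {("chart", "write"), ("prescription", "sign")},
    "teller":   {("account", "deposit")},
    "manager":  {("account", "approve_overdraft")},
}

# senior role -> junior roles it inherits from (the "natural structure")
ROLE_HIERARCHY = {
    "nurse":   {"employee"},
    "doctor":  {"nurse"},
    "teller":  {"employee"},
    "manager": {"teller"},
}

# user -> assigned roles; decisions never look at the user name itself
USER_ROLES = {"dr_smith": {"doctor"}, "n_jones": {"nurse"}, "t_lee": {"teller"}}


def effective_roles(role, hierarchy=ROLE_HIERARCHY):
    """Transitive closure of the hierarchy: the role plus every junior role."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(hierarchy.get(r, ()))
    return seen


def permitted_operations(user, user_roles=USER_ROLES, ops=ROLE_OPERATIONS):
    """Union of the operations of every role the user holds, direct or inherited."""
    perms = set()
    for role in user_roles.get(user, ()):
        for r in effective_roles(role):
            perms |= ops.get(r, set())
    return perms


def check(user, obj, op, user_roles=USER_ROLES):
    """The access decision is based on roles only."""
    return (obj, op) in permitted_operations(user, user_roles)


def assign_role(user, role, user_roles=USER_ROLES):
    """Administration happens at the role level: one assignment changes the
    user's whole set of permitted operations at once."""
    if role not in ROLE_OPERATIONS and role not in ROLE_HIERARCHY:
        raise ValueError(f"unknown role {role!r}")
    user_roles.setdefault(user, set()).add(role)
    return user_roles[user]


if __name__ == "__main__":
    print(sorted(effective_roles("doctor")))          # ['doctor', 'employee', 'nurse']
    print(check("dr_smith", "chart", "read"))          # True, inherited via nurse
    print(check("n_jones", "prescription", "sign"))    # False
```

The hierarchy closure is computed on every decision here for clarity; a production engine would cache it, but it would still have to invalidate that cache whenever the organisation changes a role-to-role or role-to-operation rule, since those rules, not the users, are what the slide says the organisation controls.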

24
Application of Role-Based Access Control for Web
Environment [2], Robles, R.J., 2004
  • Secure cookies provide three types of security
    services: authentication, integrity, and
    confidentiality.
  • Authentication verifies the cookie's owner.
  • Integrity protects against unauthorized
    modification of cookies.
  • Confidentiality protects against the cookie's
    values being revealed to an unauthorized entity.
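
An added Python example of a role-carrying secure cookie; it is my construction, not the scheme from the Robles et al. paper or code from the presentation. It covers two of the three services above with a single HMAC tag over the cookie payload: integrity (any change to the role or user is detected) and authentication of the issuer (only a holder of the server key can produce a valid tag), plus an expiry to bound reuse of an old cookie. Confidentiality would need an authenticated-encryption layer around the payload, which the Python standard library does not provide, so in this example the role value is readable. The key, user, role and times are constructed.

```python
"""Secure cookie carrying a user's role.  An HMAC tag gives integrity (a
modified value fails verification) and authentication (only a holder of the
server key could have issued it); an expiry limits replay of old cookies.
Added example; the key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key-not-for-real-use"   # constructed; load from a secret store in practice


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user, role, ttl=3600, key=SERVER_KEY, now=None):
    """Serialise {user, role, exp} and append HMAC-SHA256(key, payload)."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "role": role, "exp": int(now + ttl)},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie, key=SERVER_KEY, now=None):
    """Return the claims if the tag and expiry check out, else None.

    The tag is recomputed over the received payload and compared in
    constant time; checking it before parsing means a modified payload is
    never trusted, and a wrong key (another site's cookie) fails the same way.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None                                   # malformed cookie
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                                   # integrity/authentication failure
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None                                   # expired
    return claims


def modified_role_cookie(cookie, new_role):
    """Rewrite the role in the payload while keeping the old tag.  This
    simulates a client editing its own cookie; the verifier rejects it."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["role"] = new_role
    edited = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(edited) + "." + tag_b64


if __name__ == "__main__":
    c = issue_cookie("alice", "nurse", now=1000)
    print(verify_cookie(c, now=1500))                                  # claims dict
    print(verify_cookie(modified_role_cookie(c, "doctor"), now=1500))  # None
```

The verifier deliberately returns None for every failure rather than distinguishing "bad tag" from "expired" to the client; the server can log the reason internally, but the cookie holder learns only that it must authenticate again.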

25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
Part 3 Future Research
29
(No Transcript)
30
References
  • [1] Randy Chow, Theodore Johnson, Distributed
    Operating Systems and Algorithms, Addison Wesley,
    1997
  • [2] Robles, R.J., Min-Kyu Choi, Sang-Soo Yeo,
    Tai-hoon Kim, "Application of Role-Based Access
    Control for Web Environment," Ubiquitous
    Multimedia Computing, 2008. UMC '08.
    International Symposium on, pp. 171-174, 13-15
    Oct. 2008
  • [3] Ravi Sandhu, The PEI Framework for
    Application-Centric Security, 2009
  • [4] Krishnan, Ram, Sandhu, Ravi and
    Ranganathan, Kumar, PEI models towards scalable,
    usable and high-assurance information sharing,
    Proceedings of the 12th ACM Symposium on Access
    Control Models and Technologies (SACMAT), 2007

31
Thank You
Q & A