A Perspective on Graphs and Access Control Models
Ravi Sandhu, Laboratory for Information Security Technology, George Mason University
www.list.gmu.edu, sandhu@gmu.edu
Outline
• A perspective on security
• A perspective on access control
• The safety problem in access control
• Looking ahead
• Discussion
Security Confusion
• CONFIDENTIALITY: disclosure
• INTEGRITY: modification
• AVAILABILITY: access
• USAGE: purpose
• electronic commerce, electronic business
• digital rights management, client-side controls
Good enough security
• Real-world users (SECURE vs. EASY): end users, operations staff, help desk
• Security geeks: whose security? perception or reality of security?
• System owner (COST): system cost, operational cost, opportunity cost, cost of fraud
• Business models will dominate security models
Good enough security: risk versus cost (entrepreneurial mindset at one corner, academic mindset at the other)

              COST L   COST M   COST H
  RISK H        1        2        3
  RISK M        2        3        4
  RISK L        3        4        5
Access Control Models
• Authentication: who is trying to access a protected resource?
• Authorization (Access Control Models): who should be allowed to access which protected resources? who should be allowed to change the access?
• Enforcement (Access Control Architecture): how does the system enforce the specified authorization?
The OM-AM Way (assurance spans all four layers)
• Objectives (What?)
• Models (What?)
• Architectures (How?)
• Mechanisms (How?)
Access Control Status
• Ten years ago
  • Emphasis on cryptography and intrusion detection
  • Access control relegated to back burner
  • Ravi Sandhu, “Access Control: The Neglected Frontier.” Proc. First Australasian Conference on Information Security and Privacy, LNCS, 1996.
• Today
  • Strong industry interest
  • Growing need
  • Growing research
Safety in Access Control
• Authentication: who is trying to access a protected resource?
• Authorization (Access Control Models): who should be allowed to access which protected resources? who should be allowed to change the access? This is where the Safety Problem lives.
• Enforcement (Access Control Architecture): how does the system enforce the specified authorization?
The HRU (Harrison-Ruzzo-Ullman) Model, 1976
[figure slides: an access matrix with subjects U and V, objects F and G, and rights r and w in the cells, drawn first as a labelled graph and then as a matrix]
HRU Commands and Operations
  command α(X1, X2, ..., Xk)
    if r1 in (Xs1, Xo1) and r2 in (Xs2, Xo2) and ... and ri in (Xsi, Xoi)
    then op1; op2; ...; opn
  end
Primitive operations:
• enter r into (Xs, Xo)
• delete r from (Xs, Xo)
• create subject Xs
• create object Xo
• destroy subject Xs
• destroy object Xo
Safety in HRU (late 1970's)
• Safety Problem: is there a reachable state with an edge labelled z from X to Y?
• Undecidable in general
• HRU were unable to find interesting decidable cases:
  • Mono-operational: decidable but uninteresting
  • Monotonic: undecidable
  • Bi-conditional monotonic: undecidable
  • Mono-conditional monotonic: decidable but uninteresting
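The two slides above define HRU commands and then ask the safety question over them. The following is an added example, not code from the slides or from Sandhu's work: a small interpreter for HRU-style commands over an access matrix, and a breadth-first search that answers "is there a reachable state with right z in cell (x, y)?" by enumerating states. The command scheme (confer_read / revoke_read), the subjects U, V, the objects F, G and the initial matrix are all constructed. Because the scheme has no create or destroy operations the state space is finite and the search is exact; that is precisely the mono-operational, fixed-population corner that HRU showed decidable, not the general undecidable case.

```python
"""Added example (not from the slides): an HRU-style command interpreter
and an exhaustive safety search over a finite access matrix."""
from collections import deque
from itertools import product
from typing import NamedTuple


class Command(NamedTuple):
    name: str
    params: tuple   # formal parameter names, e.g. ("S1", "S2", "O")
    kinds: tuple    # "s" (subject) or "o" (object) for each parameter
    conds: tuple    # (right, subj_param, obj_param): right must be in that cell
    ops: tuple      # ("enter" | "delete", right, subj_param, obj_param)


def apply_command(cmd, state, binding):
    """Return the successor state, or None if a condition is false.
    A state is a frozenset of (subject, object, right) triples."""
    for right, sp, op in cmd.conds:
        if (binding[sp], binding[op], right) not in state:
            return None
    new = set(state)
    for kind, right, sp, op in cmd.ops:
        cell = (binding[sp], binding[op], right)
        if kind == "enter":
            new.add(cell)
        else:
            new.discard(cell)
    return frozenset(new)


def successors(state, commands, subjects, objects):
    """Every (label, next_state) reachable by one command invocation."""
    for cmd in commands:
        choices = [subjects if k == "s" else objects for k in cmd.kinds]
        for actuals in product(*choices):
            nxt = apply_command(cmd, state, dict(zip(cmd.params, actuals)))
            if nxt is not None and nxt != state:
                yield f"{cmd.name}{actuals}", nxt


def leak_trace(initial, commands, subjects, objects, x, y, z, max_states=10_000):
    """Breadth-first search over reachable states. Returns the shortest command
    sequence after which right z is in cell (x, y), or None if no reachable
    state (within max_states) contains it."""
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        state, trace = queue.popleft()
        if (x, y, z) in state:
            return trace
        for label, nxt in successors(state, commands, subjects, objects):
            if nxt not in seen and len(seen) < max_states:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None


# Constructed scheme: an owner may confer or revoke read on its own object.
# Each command has exactly one primitive operation (mono-operational).
CONFER_READ = Command("confer_read", ("S1", "S2", "O"), ("s", "s", "o"),
                      (("own", "S1", "O"),), (("enter", "r", "S2", "O"),))
REVOKE_READ = Command("revoke_read", ("S1", "S2", "O"), ("s", "s", "o"),
                      (("own", "S1", "O"),), (("delete", "r", "S2", "O"),))
COMMANDS = (CONFER_READ, REVOKE_READ)
SUBJECTS, OBJECTS = ("U", "V"), ("F", "G")
# Constructed initial matrix: U owns F and reads it, V owns G.
INITIAL = frozenset({("U", "F", "own"), ("U", "F", "r"), ("V", "G", "own")})


def read_leak_to_v():
    """Can V ever obtain r on F? Yes: U, as owner, can confer it."""
    return leak_trace(INITIAL, COMMANDS, SUBJECTS, OBJECTS, "V", "F", "r")


def write_leak_to_v():
    """Can V ever obtain w on F? No command enters w, so the search finds nothing."""
    return leak_trace(INITIAL, COMMANDS, SUBJECTS, OBJECTS, "V", "F", "w")


if __name__ == "__main__":
    print("r leaks to (V, F) via:", read_leak_to_v())
    print("w leaks to (V, F) via:", write_leak_to_v())
```

The search is only exact because nothing in this scheme creates subjects or objects; add a `create` primitive and the reachable state space becomes unbounded, which is the root of the undecidability result on the slide.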
The Safety Problem
• HRU 1976: “It would be nice if we could provide for protection systems an algorithm which decided safety for a wide class of systems, especially if it included all or most of the systems that people seriously contemplate. Unfortunately, our one result along these lines involves a class of systems called “mono-operational,” which are not terribly realistic. Our attempts to extend these results have not succeeded, and the problem of giving a decision algorithm for a class of protection systems as useful as the LR(k) class is to grammar theory appears very difficult.”
• 2004: Considerable progress has been made, but much remains to be done, and practical application of known results is essentially non-existent.
• Progress includes: Take-Grant Model (Jones, Lipton, Snyder, Denning, Bishop; late 70's, early 80's), Schematic Protection Model (Sandhu, 80's), Typed Access Matrix Model (Sandhu, 1990's), Graph Transformations (Koch, Mancini, Parisi-Presicce, 2000's)
Safety with Types
• Typed Access Matrix or TAM model (Sandhu 1992)
  • Safety is polynomial-decidable for monotonic ternary TAM with an acyclic create-graph
• Typed Graphs (Koch et al 2002)
  • Safety is decidable for transformations that are either expanding or deleting
  • The given algorithm is exponential, but the actual complexity remains an open question
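The TAM result above is conditional on the create-graph being acyclic, so the practical question for a scheme designer is "does my command set satisfy the condition?". The following is an added example, not code from the slides or from the TAM paper: it builds the create-graph of a set of typed commands and tests it for cycles, and also checks the ternary condition (at most three parameters per command). The create-graph definition used is my reading of TAM, stated here as an assumption: an edge from type t1 to type t2 whenever some command has a non-created parameter of type t1 and creates a subject or object of type t2. The types (admin, user, file) and the commands are constructed.

```python
"""Added example (not from the slides): create-graph construction and
acyclicity check for a constructed set of TAM-style typed commands."""
from typing import NamedTuple


class TypedCommand(NamedTuple):
    name: str
    params: dict    # parameter name -> type
    creates: set    # parameters that the command body creates


def creation_graph(commands):
    """Create-graph over types (assumed definition, see lead-in): parent type -> child types.
    Parents are the parameters that already exist; children are the created ones."""
    edges = {}
    for c in commands:
        parent_types = {t for p, t in c.params.items() if p not in c.creates}
        child_types = {t for p, t in c.params.items() if p in c.creates}
        for pt in parent_types:
            for ct in child_types:
                edges.setdefault(pt, set()).add(ct)
    return edges


def has_cycle(graph):
    """Depth-first search with three colours; a back edge to a grey node is a cycle
    (a self-loop, e.g. users creating users, counts as a cycle too)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def visit(u):
        colour[u] = GREY
        for v in graph.get(u, ()):
            c = colour.get(v, WHITE)
            if c == GREY or (c == WHITE and visit(v)):
                return True
        colour[u] = BLACK
        return False

    return any(colour.get(u, WHITE) == WHITE and visit(u) for u in list(graph))


def is_ternary(commands):
    """TAM's ternary restriction: no command takes more than three parameters."""
    return all(len(c.params) <= 3 for c in commands)


# Constructed scheme 1: admins create users, users create files, users share files.
ACYCLIC = (
    TypedCommand("create_user", {"A": "admin", "U": "user"}, {"U"}),
    TypedCommand("create_file", {"U": "user", "F": "file"}, {"F"}),
    TypedCommand("share_file", {"U": "user", "V": "user", "F": "file"}, set()),
)
# Constructed scheme 2: the same, plus users that can create admins. The
# create-graph now has the cycle admin -> user -> admin.
CYCLIC = ACYCLIC + (TypedCommand("promote", {"U": "user", "A": "admin"}, {"A"}),)


def classify(commands):
    """Report whether a scheme meets the two syntactic TAM conditions checked here."""
    return {"ternary": is_ternary(commands),
            "acyclic_create_graph": not has_cycle(creation_graph(commands))}


if __name__ == "__main__":
    print("scheme 1:", classify(ACYCLIC))
    print("scheme 2:", classify(CYCLIC))
```

Monotonicity (no delete or destroy in any command body) is the third condition of the result and is a direct syntactic check on the bodies, which this sketch does not model.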
The Take-Grant Model (late 70's, early 80's)
[figure: (a) B/t ∈ dom(A) drawn as the edge A --t--> B; (b) B/g ∈ dom(A) drawn as the edge A --g--> B; original graph representation, late 70's]
The Take-Grant Model (late 70's, early 80's)
[figure: the same two cases, (a) B/t ∈ dom(A) and (b) B/g ∈ dom(A), in the Lockman-Minsky representation, 1982]
Creation in Take-Grant
[figure: A creates A' and holds t and g over it; (a) the original view, (b) the Lockman-Minsky view]
Reversal of Take-Grant Flow: case t
[figure: starting from A --t--> B, a created node A' with t and g edges lets rights flow against the direction of the original edge]
Reversal of Take-Grant Flow: case g
[figure: starting from A --g--> B, a created node A' with t and g edges lets rights flow against the direction of the original edge]
Reversal of Grant-Only Flow
[figure: starting from A --g--> B, a created node A' with g edges only still allows reversal]
Non-Reversal of Take-Only Flow
[figure: starting from A --t--> B, with t edges only and a created node A', no reversal is possible]
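The four figure slides above make a single point: in Take-Grant, a t edge or a g edge between subjects lets rights flow in both directions once creation is allowed, whereas t edges alone never do. The following is an added example, not code from the slides or from the Take-Grant literature: a minimal Take-Grant graph with the take, grant and create rules, used to replay one reversal sequence for the t case and one for the g case, and to compute the take-only closure to show that nothing flows back. The node names, the rights r and w, and the exact sequences are my own construction; the slides' figures may use a different sequence (in the t case, for instance, the created node here is made by B, not A).

```python
"""Added example (not from the slides): Take-Grant rules on a small
protection graph, with worked reversal sequences and a take-only closure."""
from itertools import product


class TakeGrant:
    """Protection graph: edges carry sets of rights; t and g are the control rights."""

    def __init__(self, edges=()):
        self.edges = {}               # (src, dst) -> set of rights
        self.fresh = 0
        for x, y, rs in edges:
            self.add(x, y, rs)

    def rights(self, x, y):
        return self.edges.get((x, y), set())

    def add(self, x, y, rs):
        self.edges.setdefault((x, y), set()).update(rs)

    def nodes(self):
        return {n for e in self.edges for n in e}

    def create(self, x, rs):
        """Create rule: x creates a fresh node and receives rights rs over it."""
        self.fresh += 1
        new = f"{x}'{self.fresh}"
        self.add(x, new, rs)
        return new

    def take(self, x, y, z, r):
        """Take rule: x --t--> y and y --r--> z allow x --r--> z."""
        if "t" in self.rights(x, y) and r in self.rights(y, z):
            self.add(x, z, {r})
            return True
        return False

    def grant(self, x, y, z, r):
        """Grant rule: x --g--> y and x --r--> z allow y --r--> z."""
        if "g" in self.rights(x, y) and r in self.rights(x, z):
            self.add(y, z, {r})
            return True
        return False

    def take_closure(self):
        """Apply the take rule until nothing changes (no grant, no create)."""
        changed = True
        while changed:
            changed = False
            for x, y, z in product(sorted(self.nodes()), repeat=3):
                for r in list(self.rights(y, z)):
                    if r not in self.rights(x, z) and self.take(x, y, z, r):
                        changed = True


def step(ok, what):
    if not ok:
        raise RuntimeError(f"rule not applicable: {what}")


def reverse_t_flow():
    """A --t--> B normally moves rights from B to A. Here A's right r on Z ends up at B."""
    g = TakeGrant([("A", "B", {"t"}), ("A", "Z", {"r"})])
    b_new = g.create("B", {"t", "g"})                       # B creates B' with t, g over it
    step(g.take("A", "B", b_new, "g"), "A takes g over B'")  # A --g--> B'
    step(g.grant("A", b_new, "Z", "r"), "A grants B' r on Z")
    step(g.take("B", b_new, "Z", "r"), "B takes r on Z from B'")
    return g.rights("B", "Z")


def reverse_g_flow():
    """A --g--> B normally moves rights from A to B. Here B's right w on Z ends up at A."""
    g = TakeGrant([("A", "B", {"g"}), ("B", "Z", {"w"})])
    a_new = g.create("A", {"t", "g"})                        # A creates A' with t, g over it
    step(g.grant("A", "B", a_new, "g"), "A grants B g over A'")
    step(g.grant("B", a_new, "Z", "w"), "B grants A' w on Z")
    step(g.take("A", a_new, "Z", "w"), "A takes w on Z from A'")
    return g.rights("A", "Z")


def take_only_rights_of_b():
    """Take edges only: A --t--> B --t--> C, C holds r on Z, A holds w on W.
    Closing under take moves rights toward A, but B never gains A's w on W."""
    g = TakeGrant([("A", "B", {"t"}), ("B", "C", {"t"}),
                   ("C", "Z", {"r"}), ("A", "W", {"w"})])
    g.take_closure()
    return {dst: frozenset(rs) for (src, dst), rs in g.edges.items() if src == "B"}


if __name__ == "__main__":
    print("case t, B on Z:", reverse_t_flow())
    print("case g, A on Z:", reverse_g_flow())
    print("take only, B's edges:", take_only_rights_of_b())
```

The take-only closure is computed without create because create only ever adds an edge out of the creating node, so a node with no outgoing t or g edge (B's position relative to A in the last figure) can never acquire one through it.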
Safety in more recent (and practical) models
• RBAC96 (foundation of a new NIST/ANSI/ISO standard)
  • Safety is undecidable in general (Sandhu, Munawer, Crampton, 1998)
  • Decidable cases exist (Li, Mitchell, Winsborough, Solworth, Sloan, 2000's)
• UCON (Usage Control Models)
  • Safety is undecidable in general
  • Decidable cases exist (Park, Sandhu, Zhang, Parisi-Presicce, 2000's)
Looking ahead
• Security lags information technology applications
• Information technology applications are moving extremely rapidly
• The need for decentralized and automatic authorization is growing very rapidly
• The safety problem of access control remains a critical-path problem
• Challenges
  • Develop new real-world relevant theory
  • Apply old and new theory
  • Can the theory of graph transformations help us?
RBAC96 model (currently the foundation of a NIST/ANSI/ISO standard)
[figure: USERS, ROLES, PERMISSIONS and SESSIONS, linked by USER-ROLE ASSIGNMENT, PERMISSION-ROLE ASSIGNMENT and ROLE HIERARCHIES, with CONSTRAINTS over all of them]
UCON (Usage Control) Models (ongoing)