A Perspective on Graphs and Access Control Models

A Perspective on Graphs and Access Control Models. Ravi Sandhu, Laboratory for Information Security Technology, George Mason University, www.list.gmu.edu, sandhu@gmu.edu. Outline: a perspective on security; a perspective on access control; the safety problem in access control; looking ahead.


Presentation Transcript


  1. A Perspective on Graphs and Access Control Models • Ravi Sandhu • Laboratory for Information Security Technology • George Mason University • www.list.gmu.edu • sandhu@gmu.edu

  2. Outline • A perspective on security • A perspective on access control • The safety problem in access control • Looking ahead • Discussion

  3. Security Confusion • INTEGRITY: modification • AVAILABILITY: access • CONFIDENTIALITY: disclosure • USAGE: purpose • electronic commerce, electronic business • digital rights management, client-side controls

  4. Good enough security Real-world users Security geeks SECURE EASY • end users • operations staff • help desk • whose security • perception or reality of security System owner Business models will dominate security models • system cost • operational cost • opportunity cost • cost of fraud COST

  5. Good enough security • Matrix of RISK (rows) against COST (columns L, M, H) • RISK H: 1, 2, 3 • RISK M: 2, 3, 4 • RISK L: 3, 4, 5 • Labels on the figure: Entrepreneurial mindset, Academic mindset

  6. Access Control Models • Authentication: who is trying to access a protected resource? • Authorization: who should be allowed to access which protected resources? who should be allowed to change the access? • Enforcement: how does the system enforce the specified authorization? • Figure labels: Access Control Models, Access Control Architecture

  7. The OM-AM Way • Objectives • Models • Architectures • Mechanisms • Figure labels: What? How? Assurance

  8. Access Control Status • Ten years ago • Emphasis on • Cryptography and intrusion detection • Access control relegated to back burner • Ravi Sandhu, “Access Control: The Neglected Frontier.” Proc. First Australasian Conference on Information Security and Privacy, LNCS, 1996. • Today • Strong industry interest • Growing need • Growing research

  9. Safety in Access Control • Authentication: who is trying to access a protected resource? • Authorization: who should be allowed to access which protected resources? who should be allowed to change the access? • Enforcement: how does the system enforce the specified authorization? • Figure labels: Access Control Models, Access Control Architecture, The Safety Problem

  10. The HRU (Harrison-Ruzzo-Ullman) Model, 1976 [figure: U, V, F, G with rights r, w]

  11. The HRU (Harrison-Ruzzo-Ullman) Model, 1976 [figure: U, V, F, G with labels r, w; r; r, w]

  12. The HRU (Harrison-Ruzzo-Ullman) Model, 1976 [figure: U, V, F, G with labels r, w; r; r, w]

  13. HRU Commands and Operations
      command α(X1, X2, . . ., Xk)
        if r1 in (Xs1, Xo1) and r2 in (Xs2, Xo2) and ri in (Xsi, Xoi)
        then op1; op2; … opn
      end
      Each op is one of the primitive operations: • enter r into (Xs, Xo) • delete r from (Xs, Xo) • create subject Xs • create object Xo • destroy subject Xs • destroy object Xo

  14. HRU as Graph Rules (from Koch et al 2002)

  15. Safety in HRU (late 1970’s) • Safety Problem: Is there a reachable state with edge labeled z from X to Y? • Undecidable in general • HRU unable to find interesting decidable cases. • Mono-operational: decidable but uninteresting • Monotonic: undecidable • Bi-conditional monotonic: undecidable • Mono-conditional monotonic: decidable but uninteresting
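
The safety question from slide 15, worked as an added example that is not part of the presentation: for commands that use only enter and delete over a fixed set of entities, the state space is finite, so an exhaustive search over reachable graphs answers "is there a reachable state with edge labeled z from X to Y?". The commands `grant_read` and `delegate_own`, the rights `own`, `trust` and `r`, and the entity `W` are constructed for illustration.

```python
from collections import deque
from itertools import product

# A state is a frozenset of labelled edges (subject, object, right): the
# access matrix drawn as a graph. A command is (name, params, conds, ops);
# conds are (right, s_param, o_param), ops are (kind, right, s_param, o_param).
# Commands, rights and entity names are constructed for this example.
COMMANDS = [
    ("grant_read", ("X", "Y", "O"),
     [("own", "X", "O")], [("enter", "r", "Y", "O")]),
    ("delegate_own", ("X", "Y", "O"),
     [("own", "X", "O"), ("trust", "X", "Y")], [("enter", "own", "Y", "O")]),
]
ENTITIES = ["U", "V", "W", "F"]
INITIAL = frozenset({("U", "F", "own"), ("U", "V", "trust")})

def step(state, entities, commands):
    """Yield each state reachable by one instantiated command."""
    for _name, params, conds, ops in commands:
        for args in product(entities, repeat=len(params)):
            b = dict(zip(params, args))
            if not all((b[s], b[o], r) in state for r, s, o in conds):
                continue
            nxt = set(state)
            for kind, r, s, o in ops:
                if kind == "enter":
                    nxt.add((b[s], b[o], r))
                else:  # "delete"
                    nxt.discard((b[s], b[o], r))
            yield frozenset(nxt)

def leaks(initial, entities, commands, target):
    """True if some reachable state contains the edge `target`."""
    start = frozenset(initial)
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        if target in state:
            return True
        for nxt in step(state, entities, commands):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

if __name__ == "__main__":
    print(leaks(INITIAL, ENTITIES, COMMANDS, ("W", "F", "own")))
    print(leaks(INITIAL | {("V", "W", "trust")}, ENTITIES, COMMANDS, ("W", "F", "own")))
```

Adding the single edge V-trust-W to the initial graph flips the answer for W-own-F, because ownership then propagates in two steps (U to V, then V to W).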

  16. The Safety Problem • HRU 1976: • “It would be nice if we could provide for protection systems an algorithm which decided safety for a wide class of systems, especially if it included all or most of the systems that people seriously contemplate. Unfortunately, our one result along these lines involves a class of systems called “mono-operational,” which are not terribly realistic. Our attempts to extend these results have not succeeded, and the problem of giving a decision algorithm for a class of protection systems as useful as the LR(k) class is to grammar theory appears very difficult.” • 2004: • Considerable progress has been made but much remains to be done and practical application of known results is essentially non-existent. • Progress includes: Take-Grant Model (Jones, Lipton, Snyder, Denning, Bishop; late 70’s, early 80’s), Schematic Protection Model (Sandhu, 80’s), Typed Access Matrix Model (Sandhu, 1990’s), Graph Transformations (Koch, Mancini, Parisi-Presicce, 2000’s)

  17. Safety with Types • Typed Access Matrix or TAM model (Sandhu 1992) • Safety is polynomial-decidable for monotonic ternary TAM with acyclic create-graph • Typed Graphs (Koch et al 2002) • Safety is decidable for transformations that are either expanding or deleting • The given algorithm is exponential but actual complexity remains an open question

  18. The Take-Grant Model (late 70’s, early 80’s) • Original graph representation, late 70’s • (a) B/t ∈ dom(A) • (b) B/g ∈ dom(A) [figure: nodes A, B; edge labelled t in (a), g in (b)]

  19. The Take-Grant Model (late 70’s, early 80’s) • Lockman-Minsky representation, 1982 • (a) B/t ∈ dom(A) • (b) B/g ∈ dom(A) [figure: nodes A, B; edge labelled t in (a), g in (b)]

  20. Creation in Take-Grant • (a) The Original View • (b) The Lockman-Minsky View [figure: nodes A, A’; edges labelled t, g in each view]

  21. Reversal of Take-Grant Flow: case t [figure: nodes A, B, A’; edges labelled t, g]

  22. Reversal of Take-Grant Flow: case g [figure: nodes A, B, A’; edges labelled t, g]

  23. Reversal of Grant-Only Flow [figure: nodes A, B, A’; edges labelled g]

  24. Non-Reversal of Take-Only Flow [figure: nodes A, B, A’; edges labelled t]

  25. Safety in more recent (and practical) models • RBAC96 (foundation of a new NIST/ANSI/ISO standard) • Safety is undecidable in general • Sandhu, Munawer, Crampton, 1998 • Decidable cases exist • Li, Mitchell, Winsborough, Solworth, Sloan, 2000’s • UCON (Usage Control Models) • Safety is undecidable in general • Decidable cases exist • Park, Sandhu, Zhang, Parisi-Presicce, 2000’s

  26. Looking ahead • Security lags information technology applications • Information technology applications are moving extremely rapidly • The need for decentralized and automatic authorization is growing very rapidly • The safety problem of access control remains a critical path problem • Challenges • Develop new real-world relevant theory • Apply old and new theory • Can theory of graph transformations help us?

  27. ... RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard) [figure labels: ROLE HIERARCHIES, USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, USERS, ROLES, PERMISSIONS, CONSTRAINTS, SESSIONS]

  28. UCON (Usage Control) Models [figure labels: ongoing, N/A]
