Access Control: A Meta-Model

Dennis Kafura – CS5204 – Operating Systems


Access Control Meta-Model


Motivation

Goal: develop a general and semantically well grounded model of access control from which specific access control systems can be expressed by specialization of the model’s elements.

Advantages:
- Explicates the fundamental principles of access control
- Provides a common basis for specifying access control and understanding the relationships among access control models
- Facilitates sharing of access control policy information across models
- Is the basis for developing policy languages with a solid semantic foundation


Steve Barker, King’s College London (Deceased: Jan 2012)

Access Control Meta-Model

Fundamental Concepts

Elements (all countable sets):
- Categories, C, denoted c0, c1, …
- Principals, P, denoted p0, p1, …
- Actions, A, denoted a0, a1, …
- Resource identifiers, R, denoted r0, r1, …
- Situational identifiers, S, denoted s0, s1, …
- Event identifiers, E, denoted e0, e1, …

Meaning: Categories represent groups or classes sharing, for example, a common attribute, a similar level of trust, or the same security clearance. Principals are individuals or agents. Actions are operations that can be performed on Resources. Situations are contexts, and Events are significant occurrences.


Access Control Meta-Model

Fundamental Concepts

Relations


Access Control Meta-Model

Fundamental Concepts

Meta-model M, core axiom:

By choosing different definitions of pca, contains, and arca, the model M can be specialized to define different access control models.


[Diagram: principal p is assigned by PCA to the category C(p); C is related by contains to a category C'; ARCA assigns the permission (a,r) to C'; the result is the authorization (p,a,r). Legend: (a,r): permission; (p,a,r): authorization.]

Access Control Meta-Model

Defining the PCA Relation

Form where Pi is a condition, Li is a literal, and Ci is a constraint

Example: “Principals are assigned to the pref(erred) category if they are categorized as being loyal and their current account balance is greater than 1000 Euro (which causes them to be categorized as members of the goodbalance category).”
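To make the core axiom and the pca rules concrete, here is a small evaluator for the meta-model. It is an added example, not code from the slides or from Barker's paper: the core axiom is encoded as read off the diagram on the previous slide (par(p,a,r) holds when pca assigns p to a category c, c contains c', and arca assigns the permission (a,r) to c'), and the pref/goodbalance rule follows the worked example above. The principals, balances, the pref-contains-customer edge and the permissions are all constructed for illustration.

```python
"""Toy evaluator for the category-based access control meta-model.

Added example, not from the slides. The core axiom is encoded as read off
the core-axiom diagram:
    par(p, a, r)  <-  pca(p, c), contains(c, c'), arca(a, r, c')
The 'pref' / 'goodbalance' rule follows the worked example on the pca slide.
All principals, categories, balances and permissions below are constructed.
"""

# Constructed facts (illustrative only).
BALANCE = {"alice": 1500, "bob": 900}                  # account balance, Euro
BASE_PCA = {("alice", "loyal"), ("bob", "loyal"), ("bob", "customer")}
CONTAINS_EDGES = {("pref", "customer")}                # pref inherits customer's permissions
ARCA = {("buy", "gold", "customer"), ("discount", "gold", "pref")}
CATEGORIES = {"loyal", "goodbalance", "pref", "customer"}


def pca(p, c):
    """Principal-category assignment: base facts plus the two rules of the example.

    pca(P, goodbalance) <- balance(P, B), B > 1000
    pca(P, pref)        <- pca(P, loyal), pca(P, goodbalance)
    """
    if (p, c) in BASE_PCA:
        return True
    if c == "goodbalance":
        return BALANCE.get(p, 0) > 1000
    if c == "pref":
        return pca(p, "loyal") and pca(p, "goodbalance")
    return False


def contains(c, c_prime):
    """Reflexive, transitive closure of CONTAINS_EDGES: does c contain c_prime?"""
    seen, frontier = {c}, [c]
    while frontier:
        x = frontier.pop()
        if x == c_prime:
            return True
        for hi, lo in CONTAINS_EDGES:
            if hi == x and lo not in seen:
                seen.add(lo)
                frontier.append(lo)
    return False


def arca(a, r, c):
    """Permission (a, r) assigned to category c."""
    return (a, r, c) in ARCA


def par(p, a, r):
    """Core axiom: the authorization (p, a, r) holds iff some category of p
    contains a category that holds the permission (a, r)."""
    return any(pca(p, c) and contains(c, c_prime) and arca(a, r, c_prime)
               for c in CATEGORIES for c_prime in CATEGORIES)


def categories_of(p):
    """All categories the pca relation places p in (for inspection)."""
    return sorted(c for c in CATEGORIES if pca(p, c))


if __name__ == "__main__":
    for p in ("alice", "bob"):
        print(p, categories_of(p),
              "buy gold:", par(p, "buy", "gold"),
              "discount gold:", par(p, "discount", "gold"))
```

Running it shows alice ending up in pref (loyal and a balance above 1000) and therefore inheriting the customer permission through contains, while bob, whose balance is too low, keeps only what the customer category grants him.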


Access Control Meta-Model

Defining the PCA Relation

Conditions and literals may also be defined “remotely” (by another authority), written as:

Example: “Principals that are categorized by having a clean driving license (CDL) according to the Driving Vehicle Licensing Authority database (dvla) or have preferred status (ps) are assigned to the “most-valued” customer (NVC) category.”


Access Control Meta-Model

Specializing contains and par Relations

Hierarchical RBAC: Each role is represented by a category. The contains relation is defined as a partial order between pairs of categories (roles). The RBAC model can then be expressed as:

Note: this is just the core axiom for a particular interpretation of categories and containment.


Access Control Meta-Model

Specializing contains and par Relations

The Bell-LaPadula (multilevel security) model

Relations: The categories are interpreted as security levels (e.g., public, classified, secret, top secret). The contains relation is an ordering of categories consistent with the notion of security level (e.g., contains(top secret, secret)). The par relation is defined as:

The first rule is “no read up” and the second is “write at same level”.
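The Bell-LaPadula specialization, as an added example that is not part of the slides: categories are the four levels named above, contains is the dominance ordering on levels, and par is specialized to the two rules the slide names, “no read up” and “write at same level”. The clearances, the object classifications and the principal names are constructed.

```python
"""Bell-LaPadula as a specialization of the meta-model (added example; only
the level names come from the slide, everything else is constructed).

Categories are security levels, contains(c, c') means level c dominates
(or equals) level c', e.g. contains(top secret, secret), and par is
specialized to the slide's two rules: 'no read up' and 'write at same level'.
"""

LEVELS = ["public", "classified", "secret", "top secret"]   # low to high

# Constructed clearances (the pca relation) and object classifications.
PCA = {"ann": "secret", "ben": "public"}
LEVEL_OF = {"budget.xls": "classified", "plans.doc": "top secret", "memo.txt": "secret"}


def contains(c, c_prime):
    """Ordering on levels: c contains c' iff c dominates or equals c'."""
    return LEVELS.index(c) >= LEVELS.index(c_prime)


def par(p, a, r):
    """Specialized par relation.

    par(P, read,  R) <- pca(P, C), level(R, C'), contains(C, C')   -- no read up
    par(P, write, R) <- pca(P, C), level(R, C)                     -- write at same level
    """
    c, c_prime = PCA[p], LEVEL_OF[r]
    if a == "read":
        return contains(c, c_prime)
    if a == "write":
        return c == c_prime
    return False


def access_matrix(p):
    """Every (action, resource) decision for p, e.g. for an audit listing."""
    return {(a, r): par(p, a, r) for a in ("read", "write") for r in sorted(LEVEL_OF)}


if __name__ == "__main__":
    for p in PCA:
        for (a, r), ok in access_matrix(p).items():
            print(f"{p:4} {a:5} {r:12} {'permit' if ok else 'deny'}")
```

With ann cleared to secret, the matrix permits reading the classified and secret objects but denies the top-secret one, and permits writing only to the secret object; ben, cleared to public, gets nothing because every object is classified above his level.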


Access Control Meta-Model

Specializing the arca Relation

Example policy: A principal’s request to buy gold is permitted provided that the amount of gold requested is not greater than the current stock level recorded in v1. In a gold market that is currently categorized as “volatile”, according to the source v2, a principal is permitted to buy a maximum of 50 units of gold. All principals are permitted provided that the principal is not in the “debtor” category.

Rules:
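One way to encode the gold-market policy with a conditional arca relation, as an added example that is not part of the slides: the stock level from v1 and the market category from v2 are modelled as fields of a Situation object standing in for the two remote sources (an assumption about how the sources are consulted), the “debtor” exclusion is expressed through the pca relation, and contains is taken as the identity so that the conditional permission is the only thing being demonstrated. The principal names, stock level and requests are constructed.

```python
"""Specializing arca with situational conditions (added example, not from the
slides). It encodes the gold-market policy: the amount must not exceed the
stock level recorded by source v1; while v2 categorizes the market as
volatile the cap is 50 units; any principal not in the debtor category may
buy. v1 and v2 are modelled as fields of a Situation object (an assumption)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Situation:
    """Situational identifiers S: what the external sources currently report."""
    v1_stock: int        # stock level recorded by v1
    v2_market: str       # market category according to v2: "volatile" or "calm"


VOLATILE_CAP = 50                        # units of gold, from the policy text

# Constructed principals; dan is categorized as a debtor.
PRINCIPALS = {"carol", "dan"}
DEBTORS = {"dan"}


def pca(p, c):
    """pca(P, debtor) is a base fact; pca(P, buyer) holds for every principal
    not categorized as a debtor ('all principals ... provided not debtor')."""
    if c == "debtor":
        return p in DEBTORS
    if c == "buyer":
        return p in PRINCIPALS and not pca(p, "debtor")
    return False


def arca(action, amount, resource, category, sit):
    """Conditional permission for `category` in situation `sit`:
    arca(buy(N), gold, buyer) <- stock(v1, S), N <= S,
                                 (not volatile(v2) or N <= 50)"""
    if (action, resource, category) != ("buy", "gold", "buyer"):
        return False
    if amount > sit.v1_stock:
        return False                                    # exceeds stock per v1
    if sit.v2_market == "volatile" and amount > VOLATILE_CAP:
        return False                                    # volatile-market cap per v2
    return True


def par(p, action, amount, resource, sit):
    """Core axiom with a trivial contains (each category contains only itself)."""
    return any(pca(p, c) and arca(action, amount, resource, c, sit)
               for c in ("buyer", "debtor"))


def decide(requests, sit):
    """Evaluate (principal, amount) buy-gold requests under one situation."""
    return [(p, amt, "permit" if par(p, "buy", amt, "gold", sit) else "deny")
            for p, amt in requests]


if __name__ == "__main__":
    calm = Situation(v1_stock=200, v2_market="calm")
    volatile = Situation(v1_stock=200, v2_market="volatile")
    reqs = [("carol", 120), ("carol", 250), ("carol", 60), ("carol", 50), ("dan", 10)]
    print("calm    ", decide(reqs, calm))
    print("volatile", decide(reqs, volatile))
```

The same request by the same principal is decided differently depending on what v2 currently says, which is the point of keeping situational identifiers as first-class elements of the model: the decision depends on the situation, not only on the principal and the resource.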


Access Control Meta-Model

Other Expressions

Time-dependent expressions: For a time interval [Tstart, Tstop], relations may be defined as

and


Access Control Meta-Model

Other Expressions

Trusted third-party claims (aka certificates): A claim/certificate issued by v can be expressed as

Composition: The authorizations of two models can be combined as

Inconsistencies: Single assignment: Separation of duties: Prerequisites:


Note: me(C,C’) means mutually exclusive.

Access Control Meta-Model

Examples

Example: No principal that v1 says is a debtor can be given anything other than unclassified clearance by v2.

Example: A resource may not be read more than once per day by a given principal (useful to satisfy the Principle of Least Privilege).
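A checker for the inconsistencies listed under “Other Expressions” (single assignment, separation of duties via me(C,C'), prerequisites) and for the two examples above, as an added example that is not part of the slides. It assumes pca facts are tagged with the authority (v1 or v2) that asserted them, so the cross-authority debtor rule can be stated, and that read events from the set E carry the principal, the resource and a date, so the once-per-day rule can be checked against an event log. All facts and events are constructed.

```python
"""Checking a policy for the inconsistencies named on the 'Other Expressions'
slide, plus the two cross-authority / event-based examples (added example;
all data constructed, nothing here is from the slides).

pca facts are tagged with the authority (v1, v2) that asserted them, so the
rule 'no principal v1 calls a debtor may get anything but unclassified from
v2' can be expressed; read events carry a date so 'at most one read per day'
can be checked against an event log (event identifiers E)."""

from collections import defaultdict
from datetime import date

# Constructed principal-category assignments: (authority, principal, category).
PCA = {
    ("v1", "eve", "debtor"),
    ("v2", "eve", "secret"),        # violates the cross-authority rule
    ("v2", "fay", "unclassified"),
    ("v2", "fay", "secret"),        # violates single assignment of clearance
    ("v1", "gus", "approver"),
    ("v1", "gus", "submitter"),     # violates separation of duties
    ("v1", "hal", "admin"),         # violates the prerequisite (admin needs employee)
}

CLEARANCES = {"unclassified", "secret"}          # single-assignment set
ME = {("approver", "submitter")}                 # me(C, C'): mutually exclusive categories
PREREQ = {"admin": "employee"}                   # category c requires category c'


def categories(p, authority=None):
    """Categories assigned to p, optionally restricted to one asserting authority."""
    return {c for v, q, c in PCA if q == p and (authority is None or v == authority)}


def check_assignments():
    """Return a sorted list of (principal, kind) violations found in PCA."""
    found = set()
    for _, p, _ in PCA:
        cs = categories(p)
        if len(cs & CLEARANCES) > 1:                         # single assignment
            found.add((p, "single-assignment"))
        for c, c2 in ME:                                     # separation of duties
            if c in cs and c2 in cs:
                found.add((p, f"me({c},{c2})"))
        for c, req in PREREQ.items():                        # prerequisites
            if c in cs and req not in cs:
                found.add((p, f"prerequisite({c} requires {req})"))
        # Example: v1 says debtor => v2 may only give unclassified clearance.
        if "debtor" in categories(p, "v1") and categories(p, "v2") - {"unclassified"}:
            found.add((p, "v1-debtor/v2-clearance"))
    return sorted(found)


# Constructed read-event log: event identifier, principal, resource, day.
EVENTS = [
    ("e0", "fay", "report.pdf", date(2015, 12, 14)),
    ("e1", "fay", "report.pdf", date(2015, 12, 14)),    # second read the same day
    ("e2", "fay", "report.pdf", date(2015, 12, 15)),
    ("e3", "gus", "report.pdf", date(2015, 12, 14)),
]


def reads_exceeding_once_per_day(events):
    """Audit view of the once-per-day rule: the (principal, resource, day)
    triples for which more than one read event is logged."""
    count = defaultdict(int)
    for _, p, r, day in events:
        count[(p, r, day)] += 1
    return sorted(k for k, n in count.items() if n > 1)


def may_read_now(p, r, today, events):
    """Decision view of the same rule: permit only if no read of r by p is logged for today."""
    return not any(q == p and s == r and d == today for _, q, s, d in events)


if __name__ == "__main__":
    for violation in check_assignments():
        print("inconsistent:", violation)
    for triple in reads_exceeding_once_per_day(EVENTS):
        print("read more than once per day:", triple)
```

The two views of the once-per-day rule matter in practice: the audit function finds past violations in a log, while the decision function is what a reference monitor would call at request time, and both read the same event identifiers.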


Access Control Meta-Model

Practical Benefits

- Facilitates sharing of access control information
  - Across applications
  - Across models
- Aids policy administrators/authors
  - Via specialization of general axioms
  - Rapid prototyping of access control policies
- Supports development of policy languages
  - Various syntaxes built on top of precise semantics
  - E.g., can be represented in RuleML
