CatBAC: A Generic Framework for Designing and Validating Hybrid Access Control Models
(transcript of a PowerPoint presentation)

Bernard Stepien, University of Ottawa
Hemanth Khambhammettu, Kamel Adi, Luigi Logrippo, Université du Québec en Outaouais

Université du Québec en Outaouais
- Small university of about 8,000 students
- Part of the “Université du Québec” network
Selective access control
- Alice works in project 1A and has security level Unclassified; can she write on file RFP?
- Thousands of Alices, thousands of resources …
Access Control
- Many subjects, many resources in an organization
- Virtual and real subjects and resources
- What each subject can do on the resources can depend on many factors:
  - The role or group of the subject in the organization (RBAC)
  - The other roles it may have (SOD, separation of duties)
  - The other files it may have accessed (CW, Chinese Wall)
  - Its security level (BLP)
  - Delegation
  - Etc.
Models and languages
- Many access control models have been developed
- They are associated with access control languages that specify the access control properties of subjects
- Languages express access control policies
Issues in Access Control (AC)
- Access control policies in an organization can contain tens of thousands of rules, which can be implemented at different levels of abstraction with a variety of methods.
- We address issues of:
  - Homogeneity and expressiveness: identifying common high-level concepts, leading to unified terminology and languages
  - Consistency and completeness: are there inconsistencies in the set of rules? Do we have all the rules that we need?
  - Lifecycle: from the initial design stages to the final set of implemented policies, through refinement and formal verification stages
Homogeneity and expressiveness
- In business, RBAC (Role-Based Access Control) is a prevalent AC model
- We have a real ‘alphabet soup’ of other models that complement RBAC:
  - DAC, Discretionary Access Control
  - GBAC, Group-Based Access Control
  - ABAC, Attribute-Based Access Control
  - BLP, Bell-LaPadula
  - Biba, etc.
Combining access control models
- Combine AC models in a single hybrid policy model for maximum power and flexibility
- In a company, one may wish to have:
  - RBAC as a basic model
  - Bell-LaPadula as an auxiliary model, e.g. within a role, subjects can have different clearance levels
- Complex combinations may be desirable
- RBAC research has shown how many AC models can be represented in RBAC, but this is not always intuitive
Specification of combined models
- We defined a framework for combined AC specifications, starting from an abstract UML meta-model
- We provided a language for it, together with an engine for execution and verification
Concept of Category
- Categories can be roles, groups, security levels, etc.
- Categories can be assigned to other categories, e.g. a role can be assigned to a security level
- Categories can be organized in hierarchies, e.g. role hierarchies
Combined model in UML and text
[UML class diagram relating subjects, categories, resources and actions]
In more compact textual form:
assign subject Alice to role Consultant;
assign subject Alice to group Project 1A;
assign subject Alice to security level Unclassified;
CatBAC language
A strongly typed, user-friendly language that is the textual representation of UACML
CatBAC Features
- Assign subjects to categories:
  assign subject Alice to role Consultant;
- Assignments between categories:
  assign category group Project_1B to category security_level Classified;
- Assignments of permissions to resources and actions:
  assign permission permit to categories role Consultant, Manager for resources Input_RFP, Bid_RFP and actions read, write;
- Mandatory assignments:
  assign mandatory permission permit to category group Project_1A for resource Input_RFP and action Read;
Authorization Constraints
Constraints that specify restrictions on subject-category assignments, category-resource assignments and resource-action assignments, e.g. separation of duties
Constraints in CatBAC
- Mutual exclusion:
  category role teacher and category role student are mutually exclusive;
- Requirements:
  category assignment role teacher requires category assignment role researcher;
- Cardinality:
  category role President assignments should not exceed 1;
Execution and verification
- CatBAC has operational semantics based on Prolog (Horn-clause predicate calculus)
- CatBAC can be executed and can be queried
- For verification of consistency: find all possible outcomes of an access request
- Find whether there are violations of mandatory assignments
- Find whether there are violations of constraints
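The three verification queries listed on this slide, applied to the assignment statements and constraints from the CatBAC Features and Constraints slides, as an added Python example. This is not the CatBAC/UACML engine (the slides say that one is Prolog-based) but a small stand-in that keeps the same model: subjects assigned to categories, categories assigned to categories (with the assignment followed transitively, so a subject in group Project_1B also holds security level Classified), permissions attached to categories for resource/action pairs, mandatory assignments, and the mutual-exclusion, requirement and cardinality constraints. The policy entries marked as taken from the slides mirror the statements shown there; the two deny rules and the subjects Eve, Bob, Carol, Dan and Frank are constructed here so that the checks have something to report, and the closed-policy default (no applicable rule means deny) is an assumption of this example.

```python
# Added example, not the CatBAC/UACML engine: a Python stand-in for the Prolog-based
# evaluation and verification the slides describe. Categories are (kind, name) pairs.
from collections import defaultdict


class CatBACPolicy:
    def __init__(self):
        self.subject_cats = defaultdict(set)  # subject -> {category}
        self.cat_cats = defaultdict(set)      # category -> {category it is assigned to}
        self.perms = set()                    # (decision, category, resource, action)
        self.mandatory = set()                # same shape; must never be contradicted
        self.mutex = []                       # [(category, category)]
        self.requires = []                    # [(category, required category)]
        self.cardinality = {}                 # category -> maximum number of subjects

    def assign_subject(self, subject, kind, name):          # assign subject ... to ...
        self.subject_cats[subject].add((kind, name))

    def assign_category(self, cat, to_cat):                 # assign category ... to category ...
        self.cat_cats[cat].add(to_cat)

    def assign_permission(self, decision, cats, resources, actions, mandatory=False):
        target = self.mandatory if mandatory else self.perms
        for c in cats:
            for r in resources:
                for a in actions:
                    target.add((decision, c, r, a))

    def categories_of(self, subject):
        """All categories a subject holds, directly or via category-to-category assignments."""
        seen, stack = set(), list(self.subject_cats[subject])
        while stack:
            c = stack.pop()
            if c not in seen:
                seen.add(c)
                stack.extend(self.cat_cats[c])
        return seen

    def outcomes(self, subject, resource, action):
        """Every decision some applicable rule yields (the slides' consistency query)."""
        cats = self.categories_of(subject)
        return {d for (d, c, r, a) in self.perms | self.mandatory
                if c in cats and r == resource and a == action}

    def decide(self, subject, resource, action):
        out = self.outcomes(subject, resource, action)
        if not out:
            return "deny"  # closed policy (assumption): no applicable rule means no access
        return out.pop() if len(out) == 1 else "conflict"

    def mandatory_violations(self):
        """(subject, resource, action) triples where another rule contradicts a mandatory one."""
        found = []
        for (d, c, r, a) in self.mandatory:
            for s in self.subject_cats:
                if c in self.categories_of(s) and self.outcomes(s, r, a) - {d}:
                    found.append((s, r, a))
        return found

    def constraint_violations(self):
        """Mutual-exclusion, requirement and cardinality violations over all subjects."""
        found = []
        for s in self.subject_cats:
            cats = self.categories_of(s)
            found += [("mutual_exclusion", s, a, b) for a, b in self.mutex
                      if a in cats and b in cats]
            found += [("requires", s, c, req) for c, req in self.requires
                      if c in cats and req not in cats]
        for c, limit in self.cardinality.items():
            holders = tuple(s for s in self.subject_cats if c in self.categories_of(s))
            if len(holders) > limit:
                found.append(("cardinality", c, limit, holders))
        return found


def build_policy():
    p = CatBACPolicy()
    # Statements taken from the slides
    p.assign_subject("Alice", "role", "Consultant")
    p.assign_subject("Alice", "group", "Project_1A")
    p.assign_subject("Alice", "security_level", "Unclassified")
    p.assign_category(("group", "Project_1B"), ("security_level", "Classified"))
    p.assign_permission("permit", [("role", "Consultant"), ("role", "Manager")],
                        ["Input_RFP", "Bid_RFP"], ["read", "write"])
    p.assign_permission("permit", [("group", "Project_1A")], ["Input_RFP"], ["read"], mandatory=True)
    p.mutex.append((("role", "teacher"), ("role", "student")))
    p.requires.append((("role", "teacher"), ("role", "researcher")))
    p.cardinality[("role", "President")] = 1
    # Constructed entries (not on the slides) that give the checks something to find
    p.assign_permission("deny", [("security_level", "Unclassified")], ["Bid_RFP"], ["write"])
    p.assign_permission("deny", [("security_level", "Restricted")], ["Input_RFP"], ["read"])
    p.assign_subject("Eve", "group", "Project_1A")
    p.assign_subject("Eve", "security_level", "Restricted")
    p.assign_subject("Bob", "role", "teacher")
    p.assign_subject("Bob", "role", "student")
    p.assign_subject("Carol", "role", "President")
    p.assign_subject("Dan", "role", "President")
    p.assign_subject("Frank", "group", "Project_1B")
    return p
```

With `p = build_policy()`, `p.decide("Alice", "Input_RFP", "read")` is `permit` (her Consultant role and the mandatory Project_1A assignment agree), while `p.decide("Alice", "Bid_RFP", "write")` is `conflict`: the Consultant permit and the constructed Unclassified deny both apply, which is exactly the inconsistency the "all possible outcomes" query is meant to surface at design time rather than at enforcement time. `p.mandatory_violations()` reports Eve on `Input_RFP`/`read`, because the constructed Restricted deny contradicts the mandatory Project_1A permit, and `p.constraint_violations()` reports Bob for the teacher/student mutual exclusion and the missing researcher role, plus the two Presidents against the cardinality limit of 1.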
Practical use
Security administrators can:
- Express high-level security policies in graphic UML form
- Compile the graphic form into a form that allows the inclusion of detailed low-level security policies
- Textual form:
  - Enables expressing policy sets of realistic sizes
  - Can be validated to detect design faults: inconsistency, separation of duties, etc.
This top-down approach enables an integrated view of the security policies of a whole enterprise, using a unified model and language
Conclusion
- UACML and CatBAC form a powerful conceptual framework for the expression and combination of access control methods
- Most common access control systems can coexist within this framework
- Lifecycle support is provided by allowing iterative development from UML notation to executable code, with verification steps in between