• No results found

Security Models: Past, Present and Future

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Security Models: Past, Present and Future"

Copied!
28
0
0

Loading.... (view fulltext now)

Download now ( 28 Page )

Full text

(1)

Security Models:

Past, Present and Future

Prof. Ravi Sandhu

Executive Director and Endowed Chair Institute for Cyber Security

University of Texas at San Antonio August 2010

[email protected] www.profsandhu.com

(2)

INSTITUTE FOR CYBER SECURITY

Security Objectives

2 INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure © Ravi Sandhu

(3)

INSTITUTE FOR CYBER SECURITY

Security Objectives

INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure USAGE purpose

(4)

INSTITUTE FOR CYBER SECURITY

Security Objectives

4 INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure USAGE purpose USAGE © Ravi Sandhu

(5)

Butler Lampson Paraphrased (I think)

Computer scientists could never have designed the web

because they would have tried to make it work.

But the Web does “work.”

What does it mean for the Web to “work”?

Security geeks could never have designed the ATM network

because they would have tried to make it secure.

But the ATM network is “secure.

(6)

Foundational Security Assumptions

Information needs to be protected

 In motion

 At rest

 In use

Absolute security is impossible and unnecessary

 Trying to approximate absolute security is a bad strategy

 “Good enough” security is feasible and meaningful

 Better than “good enough” is bad

Security is meaningless without application context

 Cannot know we have “good enough” without this context

Models and abstractions are all important

 Without a conceptual framework it is hard to separate “what needs to be done” from “how we do it”

© Ravi Sandhu 6

(7)

PEI Models: 3 Layers/5 Layers

Idealized

Enforceable (Approximate)

Codeable

This lecture is focused on the policy models layer

At the policy layer security models are essentially access control models

(8)

8

THE PAST

(9)

INSTITUTE FOR CYBER SECURITY

Access Control Models

Discretionary Access Control (DAC)

 Owner controls access but only to the original, not to copies

Mandatory Access Control (MAC)

Same as Lattice-Based Access Control (LBAC)

 Access based on security labels

 Labels propagate to copies

Role-Based Access Control (RBAC)

 Access based on roles

 Can be configured to do DAC or MAC

 Generalizes to Attribute-Based Access Control (ABAC)

(10)

INSTITUTE FOR CYBER SECURITY

DAC: ACCESS MATRIX MODEL

U

r w

own

V

F

S

u

b

j

e

c

t

s

Objects (and Subjects)

r w

own

G

r

rights

© Ravi Sandhu 10

(11)

DAC: TROJAN HORSE EXAMPLE

File F

A:r

A:w

File G

B:r

A:w

B cannot read file F

B cannot read file F

(12)

INSTITUTE FOR CYBER SECURITY

DAC: TROJAN HORSE EXAMPLE

File F

A:r

A:w

File G

B:r

A:w

B can read contents of file F copied to file G

B can read contents of file F copied to file G

ACL

A

Program Goodies

Trojan Horse

executes

read

write

© Ravi Sandhu 12

(13)

INSTITUTE FOR CYBER SECURITY

LBAC: LATTICE STRUCTURES

Unclassified

Confidential

Secret

Top Secret

can-flow

dominance

(14)

INSTITUTE FOR CYBER SECURITY

LBAC: LATTICE STRUCTURES

Hierarchical

Classes with

Compartments

S,

{A,B}

{}

{A}

{B}

S,

S,

S,

TS,

{A,B}

{}

{A}

{B}

TS,

TS,

TS,

© Ravi Sandhu 14

(15)

INSTITUTE FOR CYBER SECURITY

LBAC: BELL LAPADULA (BLP)

SIMPLE-SECURITY

Subject S can read object O only if

• label(S) dominates label(O)

STAR-PROPERTY (LIBERAL)

Subject S can write object O only if

• label(O) dominates label(S)

STAR-PROPERTY (STRICT)

Subject S can write object O only if

(16)

INSTITUTE FOR CYBER SECURITY

LBAC: COVERT CHANNELS

Low User

High Trojan Horse

Infected Subject

High User

Low Trojan Horse

Infected Subject

COVERT

CHANNEL

Information is leaked unknown

to the high user

Information is leaked unknown

to the high user

(17)

INSTITUTE FOR CYBER SECURITY

RBAC: Role-Based Access Control

 Access is determined by roles

 A user’s roles are assigned by security administrators

 A role’s permissions are assigned by security administrators

First emerged: mid 1970s First models: mid 1990s

Is RBAC MAC or DAC or neither?

RBAC can be configured to do MAC

RBAC can be configured to do DAC

RBAC is policy neutral

(18)

INSTITUTE FOR CYBER SECURITY

RBAC: RBAC96 Model

ROLES

USER-ROLE

ASSIGNMENT

PERMISSIONS-ROLE

ASSIGNMENT

USERS

PERMISSIONS

...

SESSIONS

ROLE HIERARCHIES

CONSTRAINTS

© Ravi Sandhu 18

(19)

INSTITUTE FOR CYBER SECURITY

RBAC: The RBAC Story

 RBAC96 paper Proposed Standard Standard Adopted

(20)

20

THE PRESENT

(21)

INSTITUTE FOR CYBER SECURITY

UCON: Usage Control Scope

Server-side Reference Monitor (SRM) Client-side Reference Monitor (CRM) Traditional Access Control Trust

Management Usage Control

Sensitive Information Protection Intellectual Property Rights Protection Privacy Protection DRM SRM & CRM Security Objectives Security Architectures

(22)

UCON: Usage Control Model

© Ravi Sandhu 22 Rights (R) Authoriz ations (A) Subjects (S) Objects (O)

Subject Attributes (SA) Object Attributes (OA)

Obliga tions (B) Condi tions (C) Usage Decisions

before-usage ongoing-Usage after-usage

Continuity of Decisions

pre-decision ongoing-decision

pre-update ongoing-update post-update

Mutability of Attributes

• unified model integrating

• authorization • obligation • conditions • and incorporating • continuity of decisions • mutability of attributes

(23)
(24)

Application-Centric Security Models

Our Basic Premise

 There can be no security model without application context

So how does one customize an application-centric

security model?

 Meaningfully combine the essential insights of

 DAC, LBAC, RBAC, ABAC, UCON, etcetera

 Directly address the application-specific trade-offs

 Within the security objectives of confidentiality, integrity

and availability

 Across security, performance, cost and usability objectives

 Separate the real-world concerns of

 practical distributed systems and ensuing staleness and

approximations (enforcement layer) from

 policy concerns in a idealized environment (policy layer)

(25)

INSTITUTE FOR CYBER SECURITY

Dissemination‐Centric Sharing

Extensive research in the last two decades

 ORCON, DRM, ERM, XrML, ODRL, etc.

Copy/usage control has received major attention

Manageability problem largely unaddressed

Alice Bob Charlie Eve Susie

Attribute +  Policy Cloud Object Attribute +  Policy  Cloud Object Attribute +  Policy Cloud Object Attribute  + Policy  Cloud Object Dissemination Chain with Sticky Policies on Objects Attribute  Cloud Attribute  Cloud Attribute  Cloud Attribute  Cloud Attribute  Cloud

(26)

INSTITUTE FOR CYBER SECURITY

Group‐Centric Sharing (g‐SIS)

 Brings users & objects together in a group

 Focuses on manageability using groups

 Co-exists with dissemination-centric

 Two metaphors

 Secure Meeting Room (E.g. Program committee)  Subscription Model (E.g. Secure multicast)

 Operational aspects

 Group characteristics

 E.g. Are there any core properties?

 Group operation semantics

 E.g. What is authorized by join, add, etc.?

 Read-only Vs Read-Write

 Administrative aspects

 E.g. Who authorizes join, add, etc.?

 May be application dependant

 Multiple groups  Inter-group relationship

Group

Authz (u,o,r)?

join

leave

add

remove

Users Objects © Ravi Sandhu 26

(27)
(28)

Conclusion

THE PAST

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

 Equivalently Lattice-Based Access Control (LBAC)

Role-Based Access Control (RBAC)

THE PRESENT

Usage Control (UCON)

 Attribute-Based Access Control (ABAC) on steroids

THE FUTURE

Application-Centric Access Control Models

Technology-Centric Access Control Models

© Ravi Sandhu 28

Models are all important

A Policy Language is not a substitute for a good model

References

Download now ( PDF - 28 Page - 162.58 KB )

Related documents

Heading to our second year. New business properties. Special property. Nr. 4 Houses Lands Businesses Hotels

It is quite common for people that have just retired, to sell their house, buy a smaller home instead, and invests the remaining money in overseas property - buying a house

Taking stock of Rwanda’s decentralisation: changing local governance in a post-conflict environment

3 Through tight monitoring of local governments underpinned by a result-oriented governance, and enhanced coordination of local officials, decentralisation has allowed the

PROJECT MANAGEMENT METHODOLOGY OF OBJECT- ORIENTED SOFTWARE DEVELOPMENT

When we were developing methodology we firstly created simple software development life cycle for object oriented software development and then we integrated

ARABIC TOP-LEVEL DOMAIN NAMES

Therefore, it is important to establish standardized Arabic solutions including selecting the Arabic generic and country code top-level domain names (Arabic gTLD and ccTLD)..

Butterfly diversity in a tropical urban habitat (Lepidoptera: Papilionoidea)

Keywords: Biodiversity, Bangladesh, Conservation, Entomology, Seasonal Distribution, Species Richness, Urban Ecosystems... The affiliation(s) and address(es) of

Telecommunications, media and technology

deals including its collaboration with Google, to enable Google to deliver its internet search feature to China Telecom’s mobile portals; its collaboration with Microsoft, to

How Might an SDR Allocation be Better Tailored to Support Low-Income Countries?

For example, applying just 5 percent of an assumed allocation of SDR 476 billion to the PRGT would triple its current stock of lending to LICs.. However, lending on this scale

Determination of changes in process management within industry

This method has four step – plan (planning the intended improvement), do (implementation of plan), check (verification of the result of the implementation compared to the