Unit 5:
Access Control
EECS710: Information Security
Professor
Fall 2014
Access Control
• “a process by which use of system resources is regulated according to a
security policy and is permitted only by authorized entities (users,
programs, processes, or other systems) according to that policy”
It consists of two parts:
(1) authorization administration: decide authorization rules;
(2) reference monitor: given an access request, determine whether it is
authorized or not (according to authorization rules).
“The prevention of unauthorized use of a resource, including the
prevention of use of a resource in an unauthorized manner”
• Access control systems perform identification, authentication, and
authorization of users and entities by evaluating the required login credentials,
which may include passwords, PINs, biometric scans or other authentication
factors. Multi-factor authentication, which requires two or more
authentication factors, is often an important part of the layered
defense that protects access control systems.
Access Control Security Requirements
Identification, Authentication,
Authorization
• Access control systems provide the essential services
of identification and authentication (I&A),
authorization, and accountability where:
• identification and authentication determine who can
log on to a system, and the association of users with
the software subjects that they are able to control as
a result of logging in;
• authorization determines what a subject can do;
• accountability identifies what a subject (or all
subjects associated with a user) did.
Identification, Authentication,
Authorization
• Authenticators are commonly based on at least one of the
following four factors:
• Something you know, such as a password or a personal
identification number (PIN). This assumes that only the owner of
the account knows the password or PIN needed to access the
account.
• Something you have, such as a smart card or security token. This
assumes that only the owner of the account has the necessary
smart card or token needed to unlock the account.
• Something you are, such as fingerprint, voice, retina, or iris
characteristics.
• Where you are, for example inside or outside a company firewall,
or proximity of login location to a personal GPS device.
Identification, Authentication, Authorization
• Authorization: Authorization applies to subjects. Authorization
determines what a subject can do on the system.
• Most modern operating systems define sets of permissions that
are variations or extensions of three basic types of access:
• Read (R): The subject can
– Read file contents
– List directory contents
• Write (W): The subject can change the contents of a file or
directory with the following tasks:
– Add, Create, Delete, Rename
• Execute (X): If the file is a program, the subject can cause the
program to be run. (In Unix systems, the 'execute' permission
doubles as a 'traverse directory' permission when granted for a
directory.)
Authentication Mechanisms:
• Two-factor authentication
• Multi-factor authentication
• One-time password
• Three-factor authentication
• Biometrics
• Hard tokens
• Soft tokens
• Contextual authentication
• Device identification
Different access control models are used depending on the
compliance requirements and the security levels of the
information technology to be protected. Basically, access
control is of two types:
• Physical Access Control: Physical access control restricts entry
to campuses, buildings, rooms and physical IT assets.
• Logical Access Control: Logical access control limits
connections to computer networks, system files and data.
Identification, Authentication, Authorization
• These rights and permissions are implemented differently in systems based
on discretionary access control (DAC) and mandatory access control (MAC).
• Accountability: Accountability uses such system components as audit trails
(records) and logs to associate a subject with its actions. The information
recorded should be sufficient to map the subject to a controlling user.
• Audit trails and logs are important for detecting security violations and
re-creating security incidents
• If no one is regularly reviewing your logs and they are not maintained in a
secure and consistent manner, they may not be admissible as evidence.
• Many systems can generate automated reports based on certain predefined
criteria or thresholds, known as clipping levels. For example, a clipping level
may be set to generate a report for the following:
– More than three failed logon attempts in a given period
– Any attempt to use a disabled user account
• These reports help a system administrator or security administrator to more
easily identify possible break-in attempts.
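The two clipping levels named above can be checked mechanically over an audit trail. The following is an added example (not code from the lecture); the log format, the account names and the disabled-account list are constructed for illustration, and the ten-minute window and threshold of three are assumed parameters.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the lecture): "<ISO timestamp> <event> user=<name>"
SAMPLE_LOG = """\
2014-10-01T08:00:01 LOGIN_FAILED user=alice
2014-10-01T08:00:09 LOGIN_FAILED user=alice
2014-10-01T08:00:20 LOGIN_FAILED user=alice
2014-10-01T08:00:31 LOGIN_FAILED user=alice
2014-10-01T08:05:00 LOGIN_OK user=bob
2014-10-01T08:06:12 LOGIN_FAILED user=carol
2014-10-01T09:30:00 LOGIN_FAILED user=carol
2014-10-01T09:31:00 LOGIN_ATTEMPT_DISABLED user=mallory
2014-10-01T09:32:00 LOGIN_FAILED user=carol
"""

# Hypothetical list of accounts an administrator has disabled
DISABLED_ACCOUNTS = {"mallory"}


def parse_line(line):
    """Split one audit record into (timestamp, event, user)."""
    ts, event, user_field = line.split()
    return datetime.fromisoformat(ts), event, user_field.split("=", 1)[1]


def clipping_level_report(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return findings for the two clipping levels on the slide:
    more than `max_failures` failed logons by one user within `window`,
    and any logon attempt against a disabled account."""
    failures = defaultdict(list)   # user -> timestamps of recent failed logons
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user = parse_line(line)
        # Any attempt (successful, failed or explicitly rejected) on a disabled account
        if event == "LOGIN_ATTEMPT_DISABLED" or (event.startswith("LOGIN") and user in DISABLED_ACCOUNTS):
            findings.append(("disabled_account_use", user, ts))
        if event == "LOGIN_FAILED":
            # Keep only failures inside the sliding window, then count this one
            recent = [t for t in failures[user] if ts - t <= window]
            recent.append(ts)
            failures[user] = recent
            if len(recent) > max_failures:
                findings.append(("excessive_failed_logons", user, ts))
    return findings


if __name__ == "__main__":
    for kind, user, ts in clipping_level_report(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} user={user}")
```

With the constructed log, alice's fourth failure within 31 seconds exceeds the threshold, mallory's attempt on a disabled account is reported, and carol's three failures spread over 90 minutes never fall inside one window, so she is not reported.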
Access Control Principles
Access control policies(models)
• Attribute-based Access Control (ABAC): In this model, access is granted or declined by
evaluating a set of rules, policies, and relationships using the attributes of users, systems
and environmental conditions.
• Discretionary Access Control (DAC): In DAC, the owner of data determines who can access
specific resources.
• History-Based Access Control (HBAC): Access is granted or declined by evaluating the
history of activities of the inquiring party that includes behavior, the time between requests
and content of requests.
• Identity-Based Access Control (IBAC): By using this model network administrators can more
effectively manage activity and access based on individual requirements.
• Mandatory Access Control (MAC): A control model in which access rights are regulated by a
central authority based on multiple levels of security. Security Enhanced Linux is
implemented using MAC on the Linux operating system.
• Organization-Based Access control (OrBAC): This model allows the policy designer to define
a security policy independently of the implementation.
• Role-Based Access Control (RBAC): RBAC grants access based on the job title. RBAC
eliminates discretion on a large scale when providing access to objects. For example, a
human resources specialist should not have permission to create network accounts.
• Rule-Based Access Control (RAC): The RAC method is largely context-based. An example
would be allowing students to use the labs only during a certain time of day.
Discretionary Access Control
• DAC is easier to implement.
• DAC is less secure to use.
• In DAC, the owner can determine the access and privileges and
can restrict the resources based on the identity of the users.
• DAC can be applied in all domains.
• DAC has high flexibility with no rules and regulations.
• Decisions will be based only on user ID and ownership.
• DAC is vulnerable to trojan horses.
• Attributes of DAC –
• Users can transfer their object ownership to another user.
• The access type of other users can be determined by the user.
• Authorization failure can restrict the user access after several
failed attempts.
• Unauthorized users will be blind to object characteristics such as
file size, directory path, and file name.
• Example: file permissions in the Linux operating system are an
example of DAC.
How Discretionary Access Control Works, With Examples
• 1. Social networks
• Many social media networks allow users to limit or regulate access to the content they
create. Facebook’s friend list can be used like an ACL, essentially allowing anyone on
the list to view content. The platform doesn’t allow users that see friend-locked content
to share the data easily, so users with access to data don’t necessarily have the right to
grant access to other users.
• In social media networks, DAC allows the data owner to decide who can or can’t view
it.
• 2. Productivity and collaboration platforms
• You can see Google’s DAC system in all their document creation services, such as Google
Docs and Google Sheets. The owner and creator of the document can grant access
privileges to the document on several different levels. Viewing permissions will not
allow a user to modify the document, but Editor permission will allow the user to
modify the content and to further grant access to the document to other users at their
discretion. The original creator of the document can also transfer ownership of the
document.
• In each document, you can see the ACL and who the owner shared it with. The
document owner can revoke user access but doesn’t have to manually grant
permission to every new user unless they choose to maintain such control.
• 3. Smartphone applications
• A typical example of DAC that everyone is familiar with nowadays is smart phone
applications. The application author must request permission to perform any
potentially insecure operations, and the user must manually grant these
permissions. If the application requires access to your location, contacts, or media
folders, granting those permissions is at the user’s discretion.
Conceptual model and implementation
Conceptual model : access matrix
• It involves three concepts: a subject is a user or a
process run by a user;
• an object is a resource or data in the system;
• access rights are the possible operations on objects,
such as read and write in an operating system.
• The access matrix specifies the access rights that each
subject has for each object. There is one column for
each object and one row for each subject. Each cell of
the matrix specifies the access rights authorized for
the subject in the row to the object in the column.
Discretionary Access Control
• Access matrix is often sparse
A sparse matrix is a special case of a matrix in which the
number of zero elements is much higher than the number
of non-zero elements.
Why use a sparse matrix instead of a simple matrix?
• Storage: there are far fewer non-zero elements than zeros,
so less memory is needed when only those elements are
stored.
• Computing time: computing time can be saved by designing
a data structure that traverses only the non-zero
elements.
Access Control Structures
• An access control matrix is a table that defines
access permissions between specific subjects
and objects. A matrix is a data structure that
acts as a table lookup for the operating
system.
• Can decompose by either row or column
• Access control lists (decomposed by column)
• Capability tickets (decomposed by row)
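The decomposition of the access matrix described above, as an added example that is not part of the lecture: a small constructed matrix (subjects alice, bob and carol; objects file1 to file3) is split by column into access control lists and by row into capability lists, a reference monitor answers requests from the ACL form, and a DAC-style `grant` lets only an owner add rights for another subject. The `own` right and the sparse-storage comparison are assumptions of this example.

```python
from collections import defaultdict

# Constructed access matrix (not the lecture's figure): row = subject, column = object,
# cell = set of rights. "own" is an assumed right that lets a subject grant rights (DAC).
ACCESS_MATRIX = {
    "alice": {"file1": {"own", "read", "write"}, "file2": {"read"}},
    "bob":   {"file1": {"read"}, "file3": {"own", "read", "write", "execute"}},
    "carol": {"file2": {"own", "read", "write"}},
}
OBJECTS = ["file1", "file2", "file3"]


def to_acls(matrix):
    """Decompose by column: object -> {subject: rights} (one ACL per object)."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Decompose by row: subject -> {object: rights} (one capability list per subject)."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def reference_monitor(acls, subject, obj, right):
    """Grant only if the object's ACL lists the subject with that right; anything
    missing (unknown object, unlisted subject) is denied, i.e. the check fails closed."""
    return right in acls.get(obj, {}).get(subject, set())


def grant(acls, grantor, grantee, obj, right):
    """DAC rule: only an owner of obj may add a right on obj for another subject."""
    if "own" not in acls.get(obj, {}).get(grantor, set()):
        raise PermissionError(f"{grantor} does not own {obj}")
    acls.setdefault(obj, {}).setdefault(grantee, set()).add(right)


def sparse_storage(matrix, objects):
    """Cells actually stored by the sparse (ACL/capability) form versus the full
    |subjects| x |objects| matrix, to show why the decomposition saves space."""
    stored = sum(len(row) for row in matrix.values())
    return stored, len(matrix) * len(objects)


if __name__ == "__main__":
    acls = to_acls(ACCESS_MATRIX)
    print("ACL for file1:", acls["file1"])
    print("capabilities of bob:", to_capabilities(ACCESS_MATRIX)["bob"])
    print("bob write file1?", reference_monitor(acls, "bob", "file1", "write"))
    grant(acls, "alice", "bob", "file1", "write")
    print("after alice grants:", reference_monitor(acls, "bob", "file1", "write"))
    print("stored cells vs full matrix:", sparse_storage(ACCESS_MATRIX, OBJECTS))
```

Both forms answer the same question; the ACL form makes "who can access this object" cheap and the capability form makes "what can this subject access" cheap, which is the practical reason systems pick one decomposition or the other.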
An access matrix
Example of Access control structures
Access matrix data structures
Example of Access Control Lists
Example of Capability Lists
Alternate authorization table
Example of authorization table
UNIX File Access Control
• Unique user identification number
(user ID)
• Member of a primary group
identified by a group ID
• Belongs to a specific group
• 12 protection bits
• specify read, write, and execute
permission for the owner of the file,
members of the group and all other
users
• The owner ID, group ID, and
protection bits are part of the file’s
inode
UNIX File Access Control
• “set user ID”(SetUID) or “set group ID”(SetGID)
– system temporarily uses rights of the file owner/group in
addition to the real user’s rights when making access control
decisions
– enables privileged programs to access files/resources not
generally accessible
• Sticky bit
When applied to a directory it specifies that only the owner of
any file in the directory can rename, move, or delete that file
• Superuser
– is exempt from usual access control restrictions
– Has system-wide access
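The UNIX decision rules on the two slides above (owner/group/other protection bits, SetUID/SetGID, the sticky bit on a directory, and the superuser exemption) modelled as functions over the inode fields. This is an added example, not code from the lecture; the uids, gids and modes used are constructed, and the Linux-specific detail that even root needs at least one execute bit to run a file is noted in a comment and is not on the slide.

```python
import stat

# Which of the 9 rwx protection bits apply to each class of user
BITS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def permission_class(file_uid, file_gid, uid, gids):
    """Exactly one class applies: owner beats group, group beats other."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"


def unix_access(mode, file_uid, file_gid, uid, gids, want):
    """Decision for want in {'r', 'w', 'x'} on a file whose inode holds
    (file_uid, file_gid, mode), requested by a process with (uid, gids)."""
    if uid == 0:
        # Superuser is exempt from the rwx bits. (Linux detail not on the slide:
        # even root can only execute a file if at least one execute bit is set.)
        return want != "x" or bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return bool(mode & BITS[permission_class(file_uid, file_gid, uid, gids)][want])


def effective_ids(mode, file_uid, file_gid, real_uid, real_gid):
    """SetUID/SetGID: the process temporarily carries the file owner's uid and/or the
    file group's gid, so later access checks use these ids in addition to the real ones."""
    euid = file_uid if mode & stat.S_ISUID else real_uid
    egid = file_gid if mode & stat.S_ISGID else real_gid
    return euid, egid


def can_delete_in_dir(dir_mode, dir_uid, dir_gid, file_uid, uid, gids):
    """Removing or renaming an entry needs write and search (x) on the directory.
    With the sticky bit set (e.g. a world-writable /tmp with mode 1777) the caller must
    additionally own the file or the directory, unless it is the superuser."""
    if uid == 0:
        return True
    if not (unix_access(dir_mode, dir_uid, dir_gid, uid, gids, "w")
            and unix_access(dir_mode, dir_uid, dir_gid, uid, gids, "x")):
        return False
    if dir_mode & stat.S_ISVTX:
        return uid in (file_uid, dir_uid)
    return True


if __name__ == "__main__":
    # Constructed case: a file with mode 0640 owned by uid 1000, gid 100
    for uid, gids in ((1000, {100}), (1001, {100}), (1002, {200}), (0, {0})):
        print(uid, {w: unix_access(0o640, 1000, 100, uid, gids, w) for w in "rwx"})
    print("setuid root binary run by uid 1000 ->", effective_ids(0o4755, 0, 0, 1000, 100))
```

Note that the sticky-bit rule as implemented also lets the directory's owner remove entries, which the slide's wording leaves out but real systems honour.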
Access Control Lists (ACLs)
in UNIX
UNIX extended access control list
Mandatory access control
• Mandatory access control: (MAC) is an access policy determined by the
system, not the owner. MAC is used in multilevel systems that process
highly sensitive data, such as classified government and military
information. A multilevel system is a single computer system that
handles multiple classification levels between subjects and objects.
• Sensitivity labels: In a MAC-based system, all subjects and objects must
have labels assigned to them. A subject's sensitivity label specifies its
level of trust. An object's sensitivity label specifies the level of trust
required for access. In order to access a given object, the subject must
have a sensitivity level equal to or higher than the requested object.
• Data import and export: Controlling the import of information from other
systems and export to other systems (including printers) is a critical
function of MAC-based systems, which must ensure that sensitivity labels
are properly maintained and implemented so that sensitive information
is appropriately protected at all times.
Mandatory access control
• Two methods are commonly used for applying mandatory access
control:
• Rule-based (or label-based) access control: This type of control further
defines specific conditions for access to a requested object. All MAC-
based systems implement a simple form of rule-based access control to
determine whether access should be granted or denied by matching:
– An object's sensitivity label
– A subject's sensitivity label
• Lattice-based access control: These can be used for complex access
control decisions involving multiple objects and/or subjects. A lattice
model is a mathematical structure that defines greatest lower-bound
and least upper-bound values for a pair of elements, such as a subject
and an object.
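The two MAC methods on this slide, as an added example that is not from the lecture: sensitivity labels are modelled as a classification level plus a set of compartments, rule-based access compares a subject's label with an object's label, and the lattice operations give the greatest lower bound and least upper bound of two labels. The level names, compartment names and the deny-when-incomparable behaviour are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed linear ordering of classification levels (not from the lecture)
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a level from LEVELS plus a set of need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()


def dominates(a, b):
    """a >= b in the lattice: higher-or-equal level AND a superset of compartments.
    Two labels with different compartments can be incomparable (neither dominates)."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def lub(a, b):
    """Least upper bound: the smallest label that dominates both a and b."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def glb(a, b):
    """Greatest lower bound: the largest label dominated by both a and b."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.compartments & b.compartments)


def rule_based_read(subject, obj):
    """Rule-based (label-based) MAC: access is granted only if the subject's
    sensitivity label is equal to or higher than the object's, i.e. dominates it."""
    return dominates(subject, obj)


def combined_label(objects):
    """Lattice-based decision over several objects: a report that combines
    information from all of them must carry the LUB of their labels."""
    label = Label(min(LEVELS, key=LEVELS.get))   # bottom of the lattice
    for o in objects:
        label = lub(label, o)
    return label


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"nuclear"}))
    report = Label("confidential", frozenset({"nuclear"}))
    memo = Label("confidential", frozenset({"crypto"}))
    print("analyst reads report:", rule_based_read(analyst, report))
    print("analyst reads memo:", rule_based_read(analyst, memo))
    print("label for a digest of both:", combined_label([report, memo]))
```

The second check fails even though the analyst's level is higher, because the label check is a partial order: the missing `crypto` compartment makes the two labels incomparable, and an incomparable pair is a denial.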
Role-Based Access Control
• Access based on ‘role’, not identity
• Many-to-many relationship between users and roles
• Roles often static
Role-Based Access Control
Role-users and roles-object access matrix
General RBAC, Variations
• A family of RBAC with four models
1. RBAC0: min functionality
2. RBAC1: RBAC0 plus role (permission) inheritance
3. RBAC2: RBAC0 plus constraints (restrictions)
4. RBAC3: RBAC0 plus all of the above
Scope RBAC Models
Example of role hierarchy
• Hierarchy of an
organization can be
reflected in roles.
• A higher role includes all
access rights of lower role
• Director has most
privileges
• Each role inherits all
privileges from lower roles
• A role can inherit from
multiple roles
• Additional privileges can
be assigned to a role
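The role hierarchy described on this slide (each role inherits all privileges of the roles below it, a role may inherit from several roles, and each role can carry additional privileges of its own) together with the RBAC2 constraint idea from the previous slide, as an added example that is not part of the lecture. The role names, permissions, user assignments and the mutually exclusive pair are constructed; the slide only names a "Director" at the top.

```python
# Constructed role hierarchy (hypothetical names, not the slide's figure):
# role -> the lower roles it inherits from. director inherits from two roles.
ROLE_PARENTS = {
    "employee": set(),
    "project_lead": {"employee"},
    "finance_lead": {"employee"},
    "director": {"project_lead", "finance_lead"},
    "auditor": {"employee"},
}
# Permissions assigned directly to each role as (operation, object) pairs
ROLE_PERMS = {
    "employee": {("read", "handbook")},
    "project_lead": {("write", "project_plan")},
    "finance_lead": {("approve", "invoice")},
    "director": {("sign", "contract")},
    "auditor": {("read", "ledger")},
}
# Many-to-many user/role assignment (RBAC0)
USER_ROLES = {"dana": {"director"}, "erin": {"project_lead", "finance_lead"}, "frank": {"employee"}}
# RBAC2 constraint: a user may never hold both roles of a mutually exclusive pair
MUTUALLY_EXCLUSIVE = [{"finance_lead", "auditor"}]


def effective_roles(role):
    """RBAC1 inheritance: the role itself plus every role reachable downwards."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(ROLE_PARENTS[r])
    return seen


def permissions(user):
    """Union of the direct permissions of every role the user holds or inherits."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        for r in effective_roles(role):
            perms |= ROLE_PERMS[r]
    return perms


def check(user, operation, obj):
    """Reference-monitor decision: permission comes only through roles, never the identity."""
    return (operation, obj) in permissions(user)


def assign_role(user, role):
    """Apply the constraint before an assignment, over the *expanded* role set so
    that inheriting an excluded role indirectly is caught as well."""
    roles = USER_ROLES.get(user, set()) | {role}
    expanded = set()
    for r in roles:
        expanded |= effective_roles(r)
    for pair in MUTUALLY_EXCLUSIVE:
        if pair <= expanded:
            raise ValueError(f"assigning {role} to {user} violates separation of duty: {sorted(pair)}")
    USER_ROLES[user] = roles


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(permissions(user)))
    print("dana approves invoice:", check("dana", "approve", "invoice"))
    try:
        assign_role("erin", "auditor")
    except ValueError as e:
        print("rejected:", e)
```

Checking the constraint on the expanded set matters: `dana` holds only `director`, yet giving her `auditor` is rejected as well, because `director` inherits `finance_lead`.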
Attribute-based access control
• Attribute-Based Access Control (ABAC), sometimes referred
to as Policy-Based Access Control (PBAC) or Claims-Based
Access Control (CBAC), is an identity management-related
authentication and authorization system that determines
user access based on attributes (or characteristics) rather
than roles. The attributes associated with subjects
(requesters), objects to be accessed, and others have a set
of related characteristics, such as location, time of creation,
access privileges, and so on.
• ABAC’s primary goal is to ensure that objects, including
sensitive data, network infrastructure, and IT resources, are
protected against unauthorized users and activities, namely,
those that don’t meet the criteria for “approved” attributes
as set out by a company’s security policies.
Types of attributes
• Subject attributes
• Object attributes
• Environment attributes
Subject attributes
• A subject is an active entity that causes
information to flow among objects or
changes the system state
• Attributes define the identity and
characteristics of the subject
– Name
– Organization
– Job title
Object attribute
• An object (or resource) is a passive
information system-related entity
containing or receiving information
• Objects have attributes that can be
leveraged to make access control
decisions
– Title
– Author
– Date
Environment attributes
• Describe the operational, technical, and
even situational environment or context in
which the information access occurs
– Current date
– Current virus/hacker activities
– Network security level
– Not associated with a resource or subject
• These attributes have so far been largely
ignored in most access control policies
Sample ABAC scenario
1. A subject requests access to an object
2. Access control is governed by a set of rules (2a), which assess the
attributes of the subject (2b), the object (2c) and the environment (2d)
3. Access control grants the subject access to the object if authorized
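The three-step scenario above carried out in code, as an added example that is not from the lecture: a set of rules evaluates subject attributes (name, organization, job title), object attributes (title, author, date) and environment attributes (current time, network security level), with the attribute names from the preceding slides and a hospital-records policy, deny-overrides combining and the extra `department` and `sensitivity` attributes all assumed for this example.

```python
from datetime import time

# Each rule returns "permit", "deny", or None when it does not apply to the request.

def same_department(subject, obj, env):
    """Subject attribute vs. object attribute: only staff of the record's department."""
    return "permit" if subject["department"] == obj["department"] else "deny"


def working_hours(subject, obj, env):
    """Environment attribute: the access must happen between 07:00 and 19:00."""
    return "permit" if time(7, 0) <= env["current_time"] <= time(19, 0) else "deny"


def secure_network_for_sensitive(subject, obj, env):
    """Object + environment attributes: highly sensitive records need a
    sufficiently secure network; the rule does not apply to other records."""
    if obj["sensitivity"] != "high":
        return None
    return "permit" if env["network_security_level"] >= 3 else "deny"


def clinical_role(subject, obj, env):
    """Subject attribute: job title must be clinical (an attribute, not an RBAC role)."""
    return "permit" if subject["job_title"] in {"physician", "nurse"} else "deny"


RULES = [same_department, working_hours, secure_network_for_sensitive, clinical_role]


def abac_decide(subject, obj, env, rules=RULES):
    """Step 2 of the scenario: evaluate the rule set (2a) over subject (2b),
    object (2c) and environment (2d) attributes. Deny overrides permit, and a
    request no rule permits is denied (fail closed)."""
    decisions = [rule(subject, obj, env) for rule in rules]
    if "deny" in decisions:
        return False
    return "permit" in decisions


if __name__ == "__main__":
    # Constructed attributes (not from the lecture)
    subject = {"name": "Dr. Lee", "organization": "City Hospital",
               "job_title": "physician", "department": "cardiology"}
    record = {"title": "record-42", "author": "Dr. Lee", "date": "2014-09-01",
              "department": "cardiology", "sensitivity": "high"}
    env = {"current_time": time(10, 0), "network_security_level": 3,
           "virus_activity": "low"}
    print("in hours, secure network:", abac_decide(subject, record, env))
    print("at night:", abac_decide(subject, record, {**env, "current_time": time(22, 0)}))
```

The same subject with the same job title is permitted or denied depending on the environment alone, which is the distinction from RBAC the slide draws: the decision is a function of attributes, not of a fixed role membership.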
ACL Trust Chain
ABAC Trust Chain
ABAC Policies
Identity, Credential, and Access
Management (ICAM)
• A comprehensive approach to managing and
implementing digital identities, credentials, and access
control
• Developed by the U.S. government
• Designed to:
– Create trusted digital identity representations of individuals
and nonperson entities (NPEs)
– Bind those identities to credentials that may serve as a proxy
for the individual or NPE in access transactions
• A credential is an object or data structure that authoritatively binds
an identity to a token possessed and controlled by a subscriber
– Use the credentials to provide authorized access to an
agency’s resources
ICAM (figure): three support elements are needed for an
enterprise-wide access control facility:
1. Identity management: connects digital identity to individuals
2. Credential management: data structures that bind a token
possessed by a subscriber
3. Access management: management of how access is granted to entities
Identity federation (4.) adds identity verification of individuals
from external organizations.
Identity Federation
• Term used to describe the technology,
standards, policies, and processes that allow
an organization to trust digital identities,
identity attributes, and credentials created
and issued by another organization
• Addresses two questions:
– How do you trust identities of individuals from external organizations
who need access to your systems
– How do you vouch for identities of individuals in your organization
when they need to collaborate with external organizations
Trust frameworks
• A trust framework is a common set of best
practice standards-based rules that ensure
minimum requirements are met for security,
privacy, identification management and
interoperability through accreditation and
governance.
• These operating rules provide a common
framework for ecosystem participants,
increasing trust between them.
Open Identity Trust Framework
Case study: RBAC system for a bank
Functions and Roles for Banking Example
• Role B has more access than role A (strict ordering)
• Inheritance makes tables simpler
Functions and Roles for Banking Example
Summary
• Access control principles
– Access control context
– Access control policies
• Subjects, objects, and access rights
• Discretionary access control
– Access control model
– Protection domains
• UNIX file access control
– Traditional UNIX file access control
– Access control lists in UNIX
• Role-based access control
– RBAC reference models
• Attribute-based access control
– Attributes
– ABAC logical architecture
– ABAC policies
• Identity, credential, and access management
– Identity management
– Credential management
– Access management
– Identity federation
• Trust frameworks
– Traditional identity exchange approach
– Open identity trust framework
• Bank RBAC system