ACCESS CONTROL & SECURITY MODELS
Center of gravity of computer security

Fundamental Model of Access Control
subject --(access request)--> reference monitor --> object

CSE2500 System Security & Privacy, Access Control, Srini & Nandita

Controlling Access
Access control policy: what can be used to indicate who is allowed to do what to/with whom on the system.
Who is who? A subject is what we call an active entity (process, user, other computer) that wants to "do something".
What the subject does with the object can be just about anything, and it may be multi-part. Typical manipulations include READ, MODIFY, CREATE, CHANGE, DELETE.

Access Control Policy
Access right or privilege:
– An indication that a SUBJECT may legitimately use a specific type of ACCESS or MANIPULATION with respect to a particular OBJECT or set of OBJECTS.
The underlying system itself determines which primitive (or bottom-level) access rights are available for which user/object combinations.

Levels of Access Control
– Application
– Middleware
– Operating system
– Hardware

Operating System Access Controls
Authenticate principals/users
– Passwords
– Kerberos
Mediate access
– Files
– Communication ports
– System resources

Models of Security
Need for a model
– High assurance security system
What is a model supposed to do?
– Express the security policy in a formal way
– Describe the entities governed by the policy
– State the rules that decide who gets access to your data
Scope and limitations of models

Security Models: Bell-LaPadula
– The Bell-LaPadula model is about information confidentiality; it formally represents the long tradition of attitudes to the flow of information concerning national secrets.
– Multi-level security (MLS)

Security Models: Chinese Wall
– Large consultancies can easily find there are conflicts of interest if individual consultants are given access to all information held by the consultancy. The Chinese Wall model captures a particular way of restricting information flow.

Security Models: Biba
We need models (continued)
Based on Cold War experience, information integrity is also important; the Biba model, complementary to Bell-LaPadula, is based on the flow of information where preserving integrity is critical.

Security Models: Clark-Wilson
In the commercial sphere, the need is to engage in well-formed transactions which can only be undertaken by authorised personnel, and the Clark-Wilson model is an attempt to formally model a policy based on well-formed transactions.
Possible Access Control Mechanisms
– Access control matrix
– Access control lists
– Groups and roles
– Extension to distributed (+file) systems

Access Control Matrix
Rows are subjects (users), columns are objects:

Subject   | Operating system | Accounts program | Accounting data | Audit trail
Sam       | rwx              | rwx              | rw              | r
Alice     | x                | x                | rw              | -
Bob       | rx               | r                | r               | r

Example Access Control Matrix for Bookkeeping

Subject           | Operating system | Accounts program | Accounting data | Audit trail
Sam               | rwx              | rwx              | r               | r
Alice             | rx               | x                | -               | -
Accounts program  | rx               | r                | rw              | w
Bob               | rx               | r                | r               | r
Srini             | rx               | r                | r               | r

Access Control Matrices
Two or three dimensions; used to implement protection mechanisms and to model them
Do not scale well
– A bank with 50,000 staff & 300 objects: 15 million entries
– Update and performance problem
– Prone to administrators' mistakes
A more compact way is required

Groups and Roles
A group is a list of users/principals (categories)
A role is a fixed set of access permissions that one or more principals may assume
Group manager is a rank, while the role of acting manager can be taken up by an assistant accountant standing in while the manager, deputy manager and accountant are all sick

Let us look at the example once again

Subject           | Operating system | Accounts program | Accounting data | Audit trail
Sam               | rwx              | rwx              | r               | r
Alice             | rx               | x                | -               | -
Accounts program  | rx               | r                | rw              | w
Bob               | rx               | r                | r               | r
Srini             | rx               | r                | r               | r

ACLs per subject (capability lists)
Each subject holds the list of objects it may access, i.e. its row of the matrix:
Sam:              OS rwx, A/C Prgm rwx, A/C Data r,  Audit trail r
Alice:            OS rx,  A/C Prgm x,   A/C Data -,  Audit trail -
Bob:              OS rx,  A/C Prgm r,   A/C Data r,  Audit trail r
Srini:            OS rx,  A/C Prgm r,   A/C Data r,  Audit trail r
Accounts program: OS rx,  A/C Prgm r,   A/C Data rw, Audit trail w

Access Control Lists
The ACL for the object Accounting Data, i.e. its column of the matrix stored with the object:
Sam rw, Alice rw, Bob r, Srini r

Access Control Lists/Capabilities
How do you modify the entries in the lists?
– add a new entry
– delete an existing entry
– modify the access right to an object?

Access Control Triples
<Subject, Object, Access>
Access: r, w, x, ...?

Capabilities
While ACLs are kept by the O/S, capabilities are kept by the subject.
Capabilities give the possessor (of the token) certain rights to an object.
Capabilities do not require authentication of subjects, but do require that the token be unforgeable (encrypted or in inaccessible storage) and that the propagation of capabilities be controlled.

Access Control Lists (cont.)
Users manage their own file security, e.g. Unix
Data-oriented protection, for a centrally set access control policy
OS checks the ACL at each file access
Not efficient security checking at runtime, though simple to implement
Tedious to find all files to which a user has access, or to perform system-wide checks

Let us look at an example of ACL implementations
– UNIX
– NT

Unix Operating System Security
Superuser account on Unix is root
– UID (user identifier) equal to 0
The superuser can effectively do anything within the system
Superuser password is the most valuable password in the system
Don't share the superuser password outside the administrative group.
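The bookkeeping matrix from the slides, with the two compact encodings derived from it (ACLs stored per object, capability lists held per subject) and the system-wide "who can write this?" check the slides call tedious with ACLs alone. This is an added example, not from the slides; the matrix cells are copied from the bookkeeping slide, the function names and the deny-by-default behaviour are constructed.

```python
# Access control matrix for the bookkeeping example, plus the two compact
# encodings derived from it: ACLs (stored per object) and capability lists
# (stored per subject). Matrix cells are copied from the slides; the code and
# helper names are constructed for this example.

OBJECTS = ["OS", "Accounts program", "Accounting data", "Audit trail"]

# One row per subject, columns in OBJECTS order; "-" means no access.
MATRIX = {
    "Sam":              ["rwx", "rwx", "r",  "r"],
    "Alice":            ["rx",  "x",   "-",  "-"],
    "Accounts program": ["rx",  "r",   "rw", "w"],
    "Bob":              ["rx",  "r",   "r",  "r"],
    "Srini":            ["rx",  "r",   "r",  "r"],
}


def rights(cell):
    """Turn a matrix cell such as 'rwx' or '-' into a set of rights."""
    return set(cell) - {"-"}


def acls(matrix):
    """ACL view: for each object, the subjects with rights on it (the column, kept by the OS)."""
    out = {obj: {} for obj in OBJECTS}
    for subject, row in matrix.items():
        for obj, cell in zip(OBJECTS, row):
            if rights(cell):
                out[obj][subject] = rights(cell)
    return out


def capabilities(matrix):
    """Capability view: for each subject, the objects it may touch (the row, held by the subject)."""
    return {s: {o: rights(c) for o, c in zip(OBJECTS, row) if rights(c)}
            for s, row in matrix.items()}


def allowed(matrix, subject, obj, op):
    """Reference-monitor decision on one access request; anything unknown is denied."""
    row = matrix.get(subject)
    if row is None or obj not in OBJECTS:
        return False
    return op in rights(row[OBJECTS.index(obj)])


def who_can(matrix, obj, op):
    """The system-wide question the slides call tedious with per-file ACLs: who holds `op` on obj?"""
    return sorted(s for s in matrix if allowed(matrix, s, obj, op))


def matrix_size(n_subjects, n_objects):
    """Entries in the full matrix: the slides' bank with 50,000 staff and 300 objects."""
    return n_subjects * n_objects
```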
Basic file security
-rw-rw-r--  1 root  sys  1344 Jul  2 22:57 /etc/vfstab
Reading the mode string from the left: file type, then owner, group and other permissions.
-rwxrwxrwx
 ^^^        owner permissions
    ^^^     group permissions
       ^^^  other permissions

Basic file security
Important system files must have appropriate file permissions, e.g.:
-r--r--r--   1 root other  /etc/passwd
-r--------   1 root sys    /etc/shadow
-rw-r--r--   1 root sys    /etc/profile
drwxr-xr-x  18 root sys    /usr
A finer granularity of file permissions can be achieved with access control lists (ACLs), e.g. AIX, HP-UX.

Unix Operating System Security (cont.)
A common defence against root compromise by hackers is to send the system log to a printer in a locked room or to another machine/server, e.g. Berkeley, FreeBSD.
ACLs have only names of users, not of programs
Indirect method => suid and sgid file attributes

SUID and SGID Security
The owner of a program can mark it as suid, so that whoever runs it does so with the owner's access-control privileges; sgid does the same for groups.
What is the security issue here?

SUID and SGID Security (cont.)
SUID root programs are particularly vulnerable to attack. If it is possible to subvert the program in some way, then root access can be gained.
A very well known method of such subversion is the buffer overflow.
The buffer overflow vulnerability results from bad coding practices on the part of the original programmer of the SUID root program!

Authentication means to establish proof of identity.
Authentication techniques may vary depending on the kind of resource being accessed.
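The file-permission, SUID and "important system files" slides above, as an added example that is not part of the slides: it parses `ls -l` style lines, decides access the way the kernel does (exactly one of the owner, group or other class applies) and flags the problems the slides discuss. The listing is constructed, modelled on the slides' /etc/vfstab line, and the regex assumes that listing layout (mode, link count, owner, group, size, month, day, time, path).

```python
# Parse `ls -l` style listings, decide access the way the Unix kernel does
# (owner class if you own the file, else group class, else other) and flag the
# permission problems the slides discuss. Added example; the listing below is
# constructed (not captured from a real host), modelled on the /etc/vfstab line.
import re

LISTING = """\
-rw-rw-r--   1 root  sys   1344 Jul  2 22:57 /etc/vfstab
-r--r--r--   1 root  other  512 Jul  2 22:57 /etc/passwd
-rw-r--r--   1 root  sys    400 Jul  2 22:57 /etc/shadow
-rwsr-xr-x   1 root  sys  28000 Jul  2 22:57 /usr/bin/passwd
-rwxrwxrwx   1 root  sys   2048 Jul  2 22:57 /etc/profile
----rw----   1 alice acct    10 Jul  2 22:57 /home/alice/notes
"""

_LINE = re.compile(r"^([-dlbcps])(\S{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w+\s+\d+\s+\S+\s+(\S+)$")


def parse_mode(mode):
    """'rwsr-xr-x' -> per-class right sets plus the suid/sgid flags."""
    classes = {}
    for cls, bits in zip(("owner", "group", "other"), (mode[:3], mode[3:6], mode[6:])):
        perms = {p for p, b in zip("rw", bits) if b == p}
        if bits[2] in "xst":          # s/t: execute bit together with suid/sgid/sticky
            perms.add("x")
        classes[cls] = perms
    return {"classes": classes, "suid": mode[2] in "sS", "sgid": mode[5] in "sS"}


def parse_listing(text):
    """One dict per listing line: path, file type, owner, group and parsed mode."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable line: " + line)
        ftype, mode, owner, group, path = m.groups()
        entries.append({"path": path, "type": ftype, "owner": owner, "group": group, **parse_mode(mode)})
    return entries


def allowed(entry, user, groups, op):
    """Exactly one permission class applies, chosen by ownership, then group, then other."""
    if user == "root":                # uid 0 bypasses file permission checks
        return True
    if user == entry["owner"]:
        cls = "owner"
    elif entry["group"] in groups:
        cls = "group"
    else:
        cls = "other"
    return op in entry["classes"][cls]


def audit(entries):
    """(finding, path) for each problem a permission checker would raise on the listing."""
    checks = [
        ("world-readable shadow file", lambda e: e["path"] == "/etc/shadow" and "r" in e["classes"]["other"]),
        ("world-writable file", lambda e: e["type"] == "-" and "w" in e["classes"]["other"]),
        ("set-uid root program, review it", lambda e: e["suid"] and e["owner"] == "root"),
    ]
    return [(name, e["path"]) for e in entries for name, bad in checks if bad(e)]
```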
The various kinds of access can be classified into
– user-to-host
– host-to-host
– user (or process)-to-user (or process)

Trusted hosts
UNIX allows hosts to trust one another. If host A trusts host B, then a user who has the same user name on B and A can access resources on A from B without a password.
Implemented using .rhosts and /etc/hosts.equiv
rlogin, rsh, rcp

Trusted hosts - advantages
Password cannot be sniffed because it is not transmitted.
Users can log in once and then subsequently move to any machine in the trusted network.
Convenience.

Trusted hosts - disadvantages
If one host is compromised (e.g. boot B to single-user mode, then change to any user you like), then the other host is also compromised: read that user's files on A.
Even if B cannot be booted to single-user mode without a password, one can physically replace B with another machine.
Trusted hosts use IP address authentication. Vulnerable to IP spoofing.

NFS
Network File System
Developed by Sun Microsystems
Supported by most UNIX systems
Allows remote access to local file systems

NFS example (Solaris)
Host A (NFS server) exports /files; Host B mounts it across the network, and file operations travel as NFS calls.
On A: share -F nfs -o rw=B,root=B /files
On B: mount -t nfs A:/files /mnt/files

NFS Security Considerations
Export only to trusted hosts
Export only those parts of the filesystem which require remote access
Export read-only unless writing is absolutely required
Be very careful mapping root on the server to root on the client.
Remove group write permissions for exported files and directories.
Be careful exporting user home directories

NFS Security Considerations
Do not allow users to log into the NFS server.
Do not accept incoming NFS call requests on non-privileged ports.
Use Secure NFS.
Don't use NFS! (Is it absolutely necessary?)

Threats to Availability
"Denial of Service" attacks
Probably more of a threat when carried out via the network than on the local machine alone.
Not UNIX specific

Windows NT
Based on ACLs
Attributes for users & groups
– Read, Write, Execute
– Take ownership, change permissions, and delete
Multiple values for attributes instead of on/off
– AccessDenied, AccessAllowed, SystemAudit

Benefits
Less than full administrator privileges required for routine tasks, e.g. installing printers
Users and resources can be partitioned into domains with distinct administrators
Trust can be inherited between domains in one direction or both
The Registry is the data structure used to hide the ACL details from the user interface

Problems
Not very suitable for large organisations
Naming issues
Domains scale badly when the number of principals increases
Complex interactions between local and global groups, due to the restriction that a user in another domain can't be an administrator
Peculiarity: 'everyone' is a principal, and a resource can be locked quickly

Other Access Control Methods
Sandboxing
– Software that provides limited access rights to programs of unknown origin
Proof-carrying code
– Programs to be executed must carry a proof that they don't do anything that contravenes the local security policy

Policies (1)
Historical considerations
– The history of information systems and their automation is a history of compromise. Automation had to fit into existing schemes of information management. Similarly, the addition of security mechanisms has to fit into existing structures and systems. Highly secure systems are often a consequence of redesign and re-engineering of existing systems.
Mandatory Security Policies
– A system-wide policy decrees that all subjects and all objects are classified. Access classes are associated with every subject-object pair.
– Access rights depend on the triple subject-object-access class, for all triples, e.g. <Sam, Production Log, Write>

Policies (2)
Discretionary Security Policies
– Users are allowed to grant access to other users; often the OWNER of an object can grant access privileges to other users (at the owner's discretion)
Discretionary policies may allow one user to pass data to another user without the authority of the creator of the data

Security Models: Formal Methods
One benefit of using formal models is that mathematical (sometimes called formal) methods can be used to confirm that all transitions allowed by the model preserve the secure state of the system being modelled
For real systems, modelling is not easy

Access Control - Ranked Model (1)
Multi-level
Often called lattice methods
Basis of military and commercial security
Set of ordered security levels, users assigned to a level
User subjects are privileged to access a rank and all lower ranks
Students do not need to master the notation used in 'Gollmann'

Access Control - Ranked Model (2)
We are also concerned about need to know
Compartment the information to be secured
Granting access:
– A subject is cleared to access an object only if rank(subject) >= rank(object) AND
– the set of all compartments that contain the object is contained within the set of compartments that the subject is cleared to access
– (The personnel manager will not be allowed to access confidential production data)

Access Control - Ranked Model (3)
Companies often use the ranks:
– Public, Company Confidential, Executive-only
Deciding what lies in what compartment keeps security staff occupied

Bell-LaPadula (1)
Earliest formal model
Each user subject and information object has a fixed security class
Use the notation >= to indicate dominance
Simple Security (ss) property: the no read-up (NRU) property
– A subject has read access to an object if the class of the subject C(s) is greater than or equal to the class of the object C(o)
– need C(s) >= C(o)

Bell-LaPadula (2)
* property (star): the no write-down (NWD) property
– While a subject has read access to object O, the subject can only write to object P if C(P) >= C(O)
Leads to concentration of irrelevant detail at upper levels
Discretionary Security (ds) property
If discretionary policies are in place, accesses are further limited by the access matrix
– Although all users in the personnel department can read all [personnel] documents, the personnel manager would expect to limit the readers of a document that dealt with redundancies in the personnel department!

Transitions
If a system starts in a secure state, and all transitions are secure, then the system remains in a secure state.
But what if we allow users to downgrade all objects, and then modify the access control matrix so all modes are allowed for each entry?
So we need to beware of transitions that change access rights

Tranquility
Gollmann p. 49; Pfleeger (3rd ed.) p. 305
Starting with a Bell-LaPadula model, with ranked classes of users
– say Executive, Company-confidential, Public
and segregated compartments,
– say Sales, Production
and all users assigned a rank,
and all files assigned a rank and a compartment:
TRANQUILITY is when these assignments do not change, or are not allowed to change

Tranquility in practice
Production program systems need to open and use work files, and open and use spool print files; class or subroutine libraries need to be accessed.
For systems with mandatory security, these entities all need labels and levels.
In practice, assigning security levels to these sorts of entities is not easy.

Chinese Wall Model
Suppose a consultancy has several airlines as clients
– It is a conflict of interest if a consultant working with Qantas has access to confidential data on Gulf gathered from another assignment
– Security policy builds on 3 levels of abstraction:
• Objects: lowest level, e.g. files
• Company groups: all objects concerning a particular company are grouped together
• Conflict classes: at the highest level, all groups of objects for competing companies are clustered
– No information flow that causes a conflict of interest
• For this model to work, a history of access rights has to be maintained
– (Also, if confidential information is written across conflict classes, an effective conflict of interest is created)

Biba
Concerned with integrity of information
We wish to prevent the spread of untrusted information
A Cold War issue: the intelligence services of the UK were known to have been compromised by the Soviets.
How then could the USA ensure that USA intelligence data was not 'corrupted' by possibly misleading data flowing from UK sources?
Subject s can only modify object o if I(s) >= I(o) (no write up)
Integrity * property
If s can read o, s can only write to p if I(o) >= I(p)
So 'clean' objects do not become 'contaminated'

Clark-Wilson (1)
The security requirements of commercial transactions are about integrity, and the prevention of error and fraud.
There is an established principle of separation of duties, which aims to ensure that users must collaborate to validly manipulate data, and hence users must collude to commit fraud.
Clark-Wilson aims to define well-formed transactions, so users cannot directly access data, and specific data items can only be modified by defined programs.

Clark-Wilson (2)
Internal consistency of data items should be ensured by the system
Overall:
– Subjects have to be identified and authenticated
– Objects can be manipulated by a restricted set of programs
– Subjects can execute only a restricted set of programs
– A proper audit has to be maintained.
– The system has to be certified to work properly.
An application-oriented IT system model, a framework and guideline for security policy
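The ranked model with compartments, the Bell-LaPadula ss and * properties, and the Biba rules from the slides above, written out as one added example (not from the slides) so the dominance relation `>=` can be checked on concrete labels. The rank names and compartments are constructed from the slides' Executive/Company-confidential/Public and Sales/Production examples; the integrity levels used in the Biba part are likewise constructed.

```python
# Lattice labels (rank plus compartments) with the Bell-LaPadula confidentiality
# rules and the Biba integrity rules from the slides, as one added example (not
# from the slides). Rank names, compartments and the sample subjects/objects are
# constructed from the slides' Executive/Company-confidential/Public and
# Sales/Production examples; the integrity levels are likewise constructed.
from dataclasses import dataclass

RANKS = {"Public": 0, "Company-confidential": 1, "Executive": 2}


@dataclass(frozen=True)
class Label:
    level: int                 # position in the ordered set of ranks (or integrity levels)
    compartments: frozenset    # need-to-know compartments, e.g. {"Sales"}

    def dominates(self, other):
        """The slides' >=: higher-or-equal rank AND a superset of the other's compartments."""
        return self.level >= other.level and self.compartments >= other.compartments


def label(rank, *compartments):
    """Build a confidentiality label from a rank name and compartment names."""
    return Label(RANKS[rank], frozenset(compartments))


# Bell-LaPadula: confidential information may only flow upward.
def blp_read(subject, obj):
    """ss-property, no read up: need C(s) >= C(o)."""
    return subject.dominates(obj)


def blp_write(reads, target):
    """*-property, no write down: having read objects O, s may write P only if C(P) >= C(O) for each O."""
    return all(target.dominates(o) for o in reads)


def blp_session(subject, reads, target):
    """A whole session is secure when every read satisfies ss and the write satisfies *."""
    return all(blp_read(subject, o) for o in reads) and blp_write(reads, target)


# Biba: the dual. Integrity flows downward only, so 'clean' data is not contaminated.
def biba_modify(subject, obj):
    """s may modify o only if I(s) >= I(o) (no write up)."""
    return subject.dominates(obj)


def biba_write(reads, target):
    """Integrity * property: if s has read o, s may write p only if I(o) >= I(p) for each o."""
    return all(o.dominates(target) for o in reads)
```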
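The Chinese Wall model from the slides above, with its three levels of abstraction (objects, company groups, conflict classes) and the access history the slides say has to be maintained, plus the write rule behind the slides' last point about information written across conflict classes. This is an added example, not from the slides; the files, companies and consultants are constructed (the slides name Qantas and Gulf as competing clients).

```python
# Chinese Wall: objects grouped into company datasets, companies grouped into
# conflict-of-interest classes, and the per-consultant access history the slides
# say the model needs. Added example, not from the slides; the files, companies
# and consultants are constructed (the slides name Qantas and Gulf as competitors).

# Lowest level: each object (file) belongs to one company group.
COMPANY_OF = {
    "qantas/fleet.xls": "Qantas",
    "gulf/routes.doc": "Gulf",
    "acme/ledger.csv": "Acme Bank",
    "market/fares.pdf": "Public fares",
}
# Highest level: competing companies share a conflict class.
CONFLICT_CLASS = {"Qantas": "airlines", "Gulf": "airlines", "Acme Bank": "banks"}
# Sanitised (public) data belongs to no conflict class and never raises a conflict.
SANITISED = {"Public fares"}


class ChineseWall:
    def __init__(self):
        self.history = {}   # consultant -> set of companies whose data they have read

    def seen(self, who):
        return self.history.get(who, set())

    def may_read(self, who, obj):
        """Simple security rule: a read is allowed unless the object's company competes
        with a company whose data this consultant has already read (the wall)."""
        company = COMPANY_OF[obj]
        if company in SANITISED:
            return True
        return not any(c != company and CONFLICT_CLASS.get(c) == CONFLICT_CLASS[company]
                       for c in self.seen(who))

    def read(self, who, obj):
        """Mediate a read and, if allowed, record it: the history is what the model depends on."""
        if not self.may_read(who, obj):
            return False
        self.history.setdefault(who, set()).add(COMPANY_OF[obj])
        return True

    def may_write(self, who, obj):
        """*-property: write to company X only if the consultant may read X and everything
        else they have read is X's own or sanitised data; otherwise confidential data
        from another company could flow into X's files through the consultant."""
        company = COMPANY_OF[obj]
        if not self.may_read(who, obj):
            return False
        return all(c == company or c in SANITISED for c in self.seen(who))
```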