Transcription of Methods for Access Control: Advances and Limitations
1 Methods for Access control : Advances and LimitationsRyan Ausanka-CruesHarvey Mudd College301 Platt BlvdClaremont, paper surveys different models for providing systemlevel Access control and explores the benefits and limitationsinherent to various model in the model survey are Discretionary Access Con-trol (DAC), Mandatory Access control (MAC), Role-BasedAccess control (RBAC), Domain Type Enforcement (DTE)).Implementations explored are matrices, Access control lists(ACLs) capability lists, role based transactionsDomain covered include scalability, sparse matrices, safety problem, complexity, maintenance, and development Controls, DAC, MAC, RBAC1.
2 INTRODUCTIONThe application of security policies for computer systemsinto mechanisms of Access control is a vast and varied fieldwithin computer security. The fundamental goal of any ac-cess control mechanism is to provide a verifiable system forguaranteeing the protection of information from unautho-rized and inappropriate Access as outlined in one or moresecurity policies. In general, this translation from securitypolicy to Access control implementation depends on the na-ture of the policy but involves the inclusion of at least oneof the following controls: Confidentiality- control disclosure of information Integrity- control modification of informationThe wide array of policies, usage patterns, and protectableobjects make it difficult to develop an umbrella definition of unauthorized and inappropriate Access to guide develop-ment of a comprehensive Access control [4]
3 Identifiesmilitary security policiesandcommer-cial security policiesas two distinct types of policies thatunderline the difficulty in developing an all-purpose security policies are defined as primarily concernedwith preserving information confidentiality while commer-cial security policies primarily focus on guaranteeing infor-mation dichotomy between governmental and commercial needsled to the development of two distinct Access control mecha-nisms, Mandatory Access control (MAC) and DiscretionaryAccess control (DAC). MAC focuses on controlling disclo-sure of information by assigning security levels to objectsand subjects, limiting Access across security levels, and theconsolidation of all classification and Access controls into thesystem.
4 Conversely DAC focuses on fine-grained Access con-trol of objects through Access control Matrices and objectlevel permission in each model can be summarized as failingsof one or more of three characteristics of an ideal securitymodel:[6] Inescapableinability to break security policies by cir-cumventing Access controls set by the model Invisibleseamless user and administrative interactionwith model Feasiblecost-effective and practical to implement modelDiscovered Limitations that break the inescapability charac-teristic include lack of support for principle of least-privilege,assurance violation, storage inefficiency, reliance on un-verifiabletrusted components.
5 Limitations that affect workflows, in-teractions, and implementation feasibility include difficulty-of-use, difficulty-of-management, incompatibility, performancehits, and high implementation costs. Many of these prob-lems are fixable but at the cost of making the model eitherinfeasible or more flaws in MAC and DAC led to research in new waysof modeling and implementing Access control . Among therecent developments, Role Based Access control (RBAC)enjoys a strong and loyal following that advocates its ex-tension of UNIX groups to incorporate features from bothMAC and Access control MODELSA ccess control models are generally concerned with whethersubjects, any entity that can manipulate information ( , user process, system process), can Access objects, enti-ties through which information flows through the actions of asubject ( directory, file, screen, keyboard, memory, stor-age, printer), and how this Access can occur.
6 Access controlmodels are usually seen as frameworks for implementing andensuring the integrity of security policies that mandate howinformation can be accessed and shared on a system. Themost common, oldest, and most well-known Access controlmodels are Mandatory Access control and Discretionary Ac-cess control but Limitations inherent to each has stimulatedfurther research into alternatives including Role Based Ac-cess control , Dynamic Typed Access control , and DomainType Mandatory Access control (MAC)Loosely defined as any Access control model that enforcessecurity policies independent of user operations, MandatoryAccess control is usually associated with the 1973 Bell-LaPadula Model[2]
7 Of multi-level Bell-LaPadula Confidentiality ModelBell-LaPadula assigns security labels to subjects and ob-jects and uses two security properties,simple security prop-ertyand*-propertyto verifiably ensure military classifica-tion policies that restrict information flow from more secureclassification levels to less secure security propertystates that no process may ac-cess information labeled with a higher *-propertyprevents processes from writing to a two properties are supplemented by thetranquilityproperty, which is stated in two forms: strong and weak.
8 Un-der thestrong tranquility property, security labels can neverchange during system operation. Under theweak tranquilityproperty, however, labels can change during operation butnever in a way that violates defined security benefit of the weak tranquility property is that it allowsleast privilege by starting a user session in the lowest securitysession, regardless of the user s clearance level, and onlyupgrades the session when objects requiring higher clearancelevels are accessed. Once upgraded, the session can neverhave its classification level reduced and all objects createdor modified will have the clearance level held by the sessionwhen the object is created or modified, regardless of theobjects initial level.
9 This is known as thehigh water Biba Integrity ModelWhile Bell-LaPadulas model describes Methods for assur-ing confidentiality of information flows, Biba[3] developed asimilar method aimed at information integrity. Integrity ismaintained through adherence to reading writing principlesthat can be thought of as a reverse of the Bell-LaPadulaprinciples. In the Biba model, integrity levels are low tohigh with objects labeled high having high integrity. A sub-ject can read objects at a higher level but can only writeto objects of lower levels. This is known as thelow watermark principleand assigns created objects the lowest in-tegrity level that contributed to the creation of the the MAC method is primary developed for purposeswhere confidentiality is far more important than integrity,Bibas influence was minor on further development of BenefitsThrough its implementation of Bell-LaPadula in Multi-LayerSecure (MLS) systems, MAC is the main Access controlmodel used by the military and intelligence agencies to main-tain classification policy Access restrictions.
10 The combina-tion of Bell-LaPadula and trusted component assurance alsohas the nice benefit of making MLS systems immune to Tro-jan Horse attacks. In perfect implementations, MLS sys-tems implementing Bell-LaPadula MAC are not suscepti-ble Trojan Horse forced security violations because users donot have the ability to declassify information. Addition-ally, MAC is relatively straightforward and is considered agood model for commercial systems that operate in hostileenvironments (web servers and financial institutions) wherethe risk of attack is very high, confidentiality is a primaryaccess control concern, or the objects being protected arevaluable.