Week 6 - Access Control Policies and Models Flashcards
Discretionary access control (DAC)
Discretionary access control (DAC) is a class of policy that permits system users to allow or disallow other users’ access to objects that are placed under their control (ownership is one form of control).
Mandatory access control (MAC)
Mandatory access control (MAC) policies require that access control policy decisions are regulated by a central authority, not by the individual owner of an object.
Under MAC policies, subjects and objects are typically classified into, or labeled with, distinct categories (in general, security levels), and the central authority, not the owner, decides which labels may access which.
Security level assigned to objects (resources) is often referred to as
Classification Level or Sensitivity Level
The purpose of Access Control Models
The purpose of Access Control Models is to bridge the wide gap in abstraction between access control policies (what is to be enforced) and the actual mechanisms in computer systems implemented to enforce those policies (how it is enforced).
examples of models that implement MAC policies
Bell-LaPadula and Chinese Wall
DAC policies are implemented through…
ACLs
DAC potentially has two inherent weaknesses
The first is the inability for an owner to control access to an object once permissions are passed on to another subject
The second weakness is vulnerability to Trojan horse attacks, which is a common weakness of all DAC models. In a Trojan horse attack, a process operating on behalf of a user may contain malware that surreptitiously performs other actions unknown to the user; because the process runs with the user's permissions, it can read any object the user can read and copy it into an object the attacker can read.
Multi-Level Security Model (Bell-LaPadula Model)
This is the first model that was defined to implement Mandatory Access Control (MAC) policies
Multi-Level Security Model (Bell-LaPadula Model) Simple Security Property
A Subject is permitted read access to an object if the subject’s security level dominates the security level of the object (e.g., A subject or user with clearance level TS can read a document (object) that is classified at sensitivity level S)
Multi-Level Security Model (Bell-LaPadula Model) Star Property
A subject is permitted write access to an object if the object’s security (sensitivity) level dominates the security level (clearance) of the subject (i.e., "no write down": a subject cleared at TS may not write to an object classified at S).
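The two Bell-LaPadula properties above, as an added example that is not part of the course material. Labels are modelled as a (level, category set) pair so that "dominates" is a partial order rather than a plain number comparison; the level names, the category names and the sample subjects and objects are constructed for the demo. The last function replays the DAC Trojan horse scenario from the earlier card under BLP to show why the star property is what blocks it.

```python
"""Bell-LaPadula (multi-level security) access checker.

Added example, not from the course material. The linear level ordering and
the category names below are assumptions constructed for the demo.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Assumed ordering of clearance / sensitivity levels, low to high.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """L1 dominates L2 iff level(L1) >= level(L2) and cats(L1) is a
        superset of cats(L2). With categories this is only a partial order:
        (S, {CRYPTO}) and (TS, {NUC}) are incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject's clearance
    must dominate the object's classification."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Star property ("no write down"): the object's classification must
    dominate the subject's clearance."""
    return obj.dominates(subject)


def trojan_horse_leak_blocked(process: Label, secret_doc: Label,
                              drop: Label) -> bool:
    """Replay the DAC Trojan horse attack under BLP: a process running with
    the victim's clearance reads a sensitive document and tries to copy it
    into a low-sensitivity object the attacker can read.
    Returns True when BLP stops the copy (the leak cannot happen)."""
    if not can_read(process, secret_doc):
        return True          # the process never obtains the data
    return not can_write(process, drop)   # star property stops the write-down


if __name__ == "__main__":
    ts, s, u = Label("TS"), Label("S"), Label("U")
    print("TS reads S :", can_read(ts, s))     # True  (read down)
    print("S  reads TS:", can_read(s, ts))     # False (no read up)
    print("TS writes S:", can_write(ts, s))    # False (no write down)
    print("S  writes TS:", can_write(s, ts))   # True  (write up)
    print("leak blocked:", trojan_horse_leak_blocked(ts, ts, u))  # True
```

Note that with `can_write(s, ts)` returning True the model permits a subject to write into an object it cannot read back; that is the intended price of the star property, and it is why real systems add integrity or "write at own level only" constraints on top of BLP.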
Chinese Wall Policy and Model
The Chinese Wall policy evolved to address conflict-of-interest issues related to consulting activities within banking and other financial disciplines. The stated objective of the Chinese Wall policy and its associated model is to prevent illicit flows of information that can result in conflicts of interest.
The Chinese Wall model is based on several key entities: subjects, objects, and security labels. A security label designates the conflict-of-interest (COI) class and the company dataset (CD) of each object.
Chinese Wall Policy and Model CD and COI relationship
It relies on the company’s information resources being logically organized such that each CD belongs to exactly one COI class, and each object belongs to exactly one CD (as shown in the figure on the next page).
A subject can have access to at most one CD in each COI class. However, the choice of dataset is at the subject’s discretion. Once a subject accesses (i.e., reads or writes) an object in a CD, the only other objects accessible to that subject lie within the same dataset (CD) or within the datasets of a different COI class.
The Chinese Wall model is summarized by two rules defined by Brewer and Nash, one for reading and one for writing:
Read Rule: Subject S can read object O only if O is in the same CD as some object previously read by S, or O belongs to a COI class for which S has yet to read an object.
Write Rule: Subject S can write object O only if S can read O under the read rule, and S has read no object from a CD other than the one containing O (otherwise S could carry information read in one CD into another).
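The read and write rules above as an added simulation, not code from the course or from Brewer and Nash. The COI classes, company datasets, object names and the access sequence are all constructed for the demo; the rules are implemented exactly as stated on the cards (no sanitized-information exception).

```python
"""Brewer-Nash Chinese Wall simulation.

Added example, not from the course material. The COI classes, CDs and
object names below are constructed for the demo.
"""
from typing import Dict, List, Set, Tuple

# Constructed layout: each CD belongs to exactly one COI class ...
COI_OF_CD: Dict[str, str] = {
    "BankA": "Banking", "BankB": "Banking",
    "OilX": "Oil", "OilY": "Oil",
}
# ... and each object belongs to exactly one CD.
CD_OF_OBJECT: Dict[str, str] = {
    "bankA_ledger": "BankA", "bankA_memo": "BankA",
    "bankB_ledger": "BankB",
    "oilX_report": "OilX", "oilY_report": "OilY",
}


class Subject:
    """A consultant whose wall is built from the CDs they have read."""

    def __init__(self, name: str):
        self.name = name
        self.read_cds: Set[str] = set()   # CDs S has read at least one object from

    def may_read(self, obj: str) -> bool:
        """Read rule: O's CD was already read by S, or O's COI class is one
        S has not read from yet."""
        cd = CD_OF_OBJECT[obj]
        if cd in self.read_cds:
            return True
        cois_read = {COI_OF_CD[c] for c in self.read_cds}
        return COI_OF_CD[cd] not in cois_read

    def read(self, obj: str) -> bool:
        """Attempt a read; on success the CD joins S's history (the wall moves)."""
        if not self.may_read(obj):
            return False
        self.read_cds.add(CD_OF_OBJECT[obj])
        return True

    def may_write(self, obj: str) -> bool:
        """Write rule: S can read O, and every CD S has read from is O's own
        CD. Any other CD in the history could leak through the write."""
        cd = CD_OF_OBJECT[obj]
        return self.may_read(obj) and self.read_cds <= {cd}


def run_scenario() -> List[Tuple[str, str, bool]]:
    """Constructed access sequence for one consultant; returns (op, obj, allowed)."""
    alice = Subject("alice")
    trace = [
        ("read", "bankA_ledger", alice.read("bankA_ledger")),    # True: first Banking CD
        ("read", "bankB_ledger", alice.read("bankB_ledger")),    # False: same COI, other CD
        ("read", "bankA_memo", alice.read("bankA_memo")),        # True: same CD as before
        ("write", "bankA_memo", alice.may_write("bankA_memo")),  # True: only BankA read so far
        ("read", "oilX_report", alice.read("oilX_report")),      # True: new COI class
        ("write", "bankA_memo", alice.may_write("bankA_memo")),  # False: OilX data could flow in
        ("write", "oilX_report", alice.may_write("oilX_report")),# False: BankA data could flow in
        ("read", "oilY_report", alice.read("oilY_report")),      # False: Oil COI already chosen
    ]
    return trace


if __name__ == "__main__":
    for op, obj, allowed in run_scenario():
        print(f"{op:5} {obj:13} -> {'allow' if allowed else 'deny'}")
```

The trace shows the property the cards describe: the subject's first read in each COI class fixes which CD they may touch in that class, and once two different CDs are in the history no write is possible at all, because any write could carry one CD's information into the other.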
An access control mechanism is based on the concept of what is known as a….
Reference Monitor
The requirements of a reference monitor comprise three fundamental implementation principles, described as follows
Completeness: It must be always invoked and impossible to bypass.
Isolation: It must be tamper-proof.
Verifiability: It must be small enough to be subject to analysis and testing to ensure that it is properly implemented.