CH04 CompSec4e


Computer Security: Principles and Practice
Fourth Edition
By: William Stallings and Lawrie Brown


Chapter 4
Access Control
Access Control Definitions 1/2
NISTIR 7298 defines access control as:

“the process of granting or denying specific requests to: (1) obtain and use information and related information processing services; and (2) enter specific physical facilities”
Access Control Definitions 2/2
RFC 4949 defines access control as:

“a process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy”
Table 4.1 Access Control Security Requirements (SP 800-171)

(Table is on page 107 in the textbook)


Access Control Principles
• In a broad sense, all of computer security is concerned with access control
• RFC 4949 defines computer security as:

“measures that implement and assure security services in a computer system, particularly those that assure access control service”
Source: Based on [SAND94].



Access Control Policies
• Discretionary access control (DAC)
o Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
• Mandatory access control (MAC)
o Controls access based on comparing security labels with security clearances
• Role-based access control (RBAC)
o Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
• Attribute-based access control (ABAC)
o Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
Subjects, Objects, and Access Rights
• Subject: an entity capable of accessing objects
o Three classes: Owner, Group, World
• Object: a resource to which access is controlled
o Entity used to contain and/or receive information
• Access right: describes the way in which a subject may access an object
o Could include: Read, Write, Execute, Delete, Create, Search
Discretionary Access Control (DAC)
• Scheme in which an entity may be granted access rights that permit the entity, by its own volition, to enable another entity to access some resource
• Often provided using an access matrix
o One dimension consists of identified subjects that may attempt data access to the resources
o The other dimension lists the objects that may be accessed
• Each entry in the matrix indicates the access rights of a particular subject for a particular object
Figure 4.2 Example of Access Control Structures
Table 4.2 Authorization Table for Files in Figure 4.2

(Table is on page 113 in the textbook)

Table 4.3 Access Control System Commands

(Table is on page 116 in the textbook)
Protection Domains
• Set of objects together with access rights to those objects
• More flexibility when associating capabilities with protection
domains
• In terms of the access matrix, a row defines a protection domain
• User can spawn processes with a subset of the access rights of the
user
• Association between a process and a domain can be static or dynamic
• In user mode certain areas of memory are protected from use and
certain instructions may not be executed
• In kernel mode privileged instructions may be executed and
protected areas of memory may be accessed
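An added example (not code from the textbook) of the access matrix and protection-domain ideas above: rows are subjects, an owner may delegate a right at its own discretion, and a spawned process gets only a subset of its parent's row. All subjects, objects and rights are constructed.

```python
# Added example, not from the textbook: a DAC access matrix whose rows are
# protection domains. Subjects, objects and rights here are constructed.
from typing import Dict, FrozenSet, Set

class AccessMatrix:
    """Rows are subjects (protection domains), columns are objects."""

    def __init__(self) -> None:
        self._rows: Dict[str, Dict[str, Set[str]]] = {}

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._rows.setdefault(subject, {}).setdefault(obj, set()).update(rights)

    def check(self, subject: str, obj: str, right: str) -> bool:
        return right in self._rows.get(subject, {}).get(obj, set())

    def domain(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """One row of the matrix: the subject's protection domain."""
        return {o: frozenset(r) for o, r in self._rows.get(subject, {}).items()}

    def delegate(self, granter: str, grantee: str, obj: str, right: str) -> bool:
        """DAC: a subject that owns an object may, by its own volition, pass a
        right it holds to another subject. Returns False if it may not."""
        if not (self.check(granter, obj, "owner") and self.check(granter, obj, right)):
            return False
        self.grant(grantee, obj, right)
        return True

    def spawn(self, parent: str, child: str, wanted: Dict[str, Set[str]]) -> None:
        """Create a process domain holding a subset of the parent's rights.
        Rights the parent does not hold are dropped, never escalated."""
        row = self._rows.get(parent, {})
        self._rows[child] = {
            o: set(rs) & row.get(o, set())
            for o, rs in wanted.items() if set(rs) & row.get(o, set())
        }

def build_sample() -> AccessMatrix:
    """Constructed sample: alice owns payroll.db, bob only reads a report."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", "owner", "read", "write")
    m.grant("alice", "report.txt", "read")
    m.grant("bob", "report.txt", "read")
    # alice chooses to let bob read payroll.db (discretionary)
    m.delegate("alice", "bob", "payroll.db", "read")
    # alice runs a viewer process that asks for more than she holds
    m.spawn("alice", "alice:viewer",
            {"payroll.db": {"read", "write", "delete"}, "report.txt": {"read"}})
    return m
```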
UNIX File Access Control
UNIX files are administered using inodes (index nodes)
• Control structures with key information needed for a particular file
• Several file names may be associated with a single inode
• An active inode is associated with exactly one file
• File attributes, permissions and control information are stored in the inode
• On the disk there is an inode table, or inode list, that contains the inodes of all the files in the file system
• When a file is opened its inode is brought into main memory and stored in a memory resident inode table

Directories are structured in a hierarchical tree
• May contain files and/or other directories
• Contains file names plus pointers to associated inodes
UNIX File Access Control
• Unique user identification number (user ID)
• Member of a primary group identified by a group ID
• Belongs to a specific group
• 12 protection bits
o Specify read, write, and execute permission for the owner of the file, members of the group and all other users
• The owner ID, group ID, and protection bits are part of the
Figure 4.5 UNIX File Access Control
Traditional UNIX File Access Control
• “Set user ID” (SetUID)
• “Set group ID” (SetGID)
o System temporarily uses rights of the file owner/group in addition to the real user’s rights when making access control decisions
o Enables privileged programs to access files/resources not generally accessible
• Sticky bit
o When applied to a directory it specifies that only the owner of any file in the directory can rename, move, or delete that file
• Superuser
o Is exempt from usual access control restrictions
o Has system-wide access
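An added example (not from the textbook) that models the traditional 12-bit check described in the last two slides: one class of bits is consulted, SetUID/SetGID swap in the file's owner/group as effective IDs, and the sticky bit restricts deletion. It goes slightly beyond the slide by also letting the directory owner and the superuser remove sticky entries, as real implementations do; processes and files are constructed in memory.

```python
# Added example, not from the textbook: traditional UNIX mode-bit checks with
# SetUID/SetGID and the sticky bit, on constructed in-memory processes/files.
from collections import namedtuple
from dataclasses import dataclass
from typing import FrozenSet, Optional

S_ISUID, S_ISGID, S_ISVTX = 0o4000, 0o2000, 0o1000   # the 3 bits beyond rwxrwxrwx
R, W, X = 4, 2, 1

@dataclass
class Process:
    ruid: int                      # real user ID
    rgid: int                      # real group ID
    euid: Optional[int] = None     # effective IDs default to the real ones
    egid: Optional[int] = None
    groups: FrozenSet[int] = frozenset()   # supplementary groups

    def __post_init__(self) -> None:
        self.euid = self.ruid if self.euid is None else self.euid
        self.egid = self.rgid if self.egid is None else self.egid

File = namedtuple("File", "owner group mode")   # owner ID, group ID, 12 mode bits

def permitted(p: Process, f: File, want: int) -> bool:
    """Superuser passes; otherwise exactly one class is consulted: owner if
    the effective UID matches, else group if any group matches, else other."""
    if p.euid == 0:
        return True
    if p.euid == f.owner:
        bits = (f.mode >> 6) & 7
    elif p.egid == f.group or f.group in p.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & want) == want

def exec_credentials(p: Process, f: File) -> Process:
    """Executing a SetUID/SetGID file lends the owner's/group's identity; the
    real IDs stay those of the caller."""
    euid = f.owner if f.mode & S_ISUID else p.euid
    egid = f.group if f.mode & S_ISGID else p.egid
    return Process(p.ruid, p.rgid, euid, egid, p.groups)

def may_unlink(p: Process, d: File, entry: File) -> bool:
    """Removing an entry needs write+search on the directory; with the sticky
    bit set only the entry owner, directory owner or superuser may do it."""
    if not permitted(p, d, W | X):
        return False
    return not (d.mode & S_ISVTX) or p.euid in (0, entry.owner, d.owner)
```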
Access Control Lists (ACLs) in UNIX
Modern UNIX systems support ACLs
• FreeBSD, OpenBSD, Linux, Solaris

FreeBSD
• Setfacl command assigns a list of UNIX user IDs and groups
• Any number of users and groups can be associated with a file
• Read, write, execute protection bits
• A file does not need to have an ACL
• Includes an additional protection bit that indicates whether the file has an extended ACL

When a process requests access to a file system object two steps are performed:
• Step 1 selects the most appropriate ACL
• Step 2 checks if the matching entry contains sufficient permissions
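An added example (not from the textbook) of the two-step check just described, following the POSIX.1e entry-selection order that FreeBSD and Linux implement: step 1 picks the entries that apply to the requester, step 2 tests their (masked) permissions, and a file without an extended ACL reduces to its three classes of mode bits. The ACL entries and identities are constructed.

```python
# Added example, not from the textbook: the two-step ACL check described above,
# following the POSIX.1e entry-selection order. ACLs and identities are constructed.
from typing import List, NamedTuple, Optional, Set

R, W, X = 4, 2, 1

class Entry(NamedTuple):
    tag: str                    # user_obj | user | group_obj | group | mask | other
    qualifier: Optional[int]    # uid or gid for named entries, else None
    perms: int                  # rwx as 3 bits

def from_mode(mode: int) -> List[Entry]:
    """A file with no extended ACL is just its three classes of mode bits."""
    return [Entry("user_obj", None, (mode >> 6) & 7),
            Entry("group_obj", None, (mode >> 3) & 7),
            Entry("other", None, mode & 7)]

def select(acl: List[Entry], owner: int, group: int,
           euid: int, gids: Set[int]) -> List[Entry]:
    """Step 1: pick the entries that apply to the requester, most specific first.
    Only when no user or group entry matches does the 'other' entry apply."""
    if euid == owner:
        return [e for e in acl if e.tag == "user_obj"]
    named = [e for e in acl if e.tag == "user" and e.qualifier == euid]
    if named:
        return named
    grp = [e for e in acl if (e.tag == "group_obj" and group in gids)
           or (e.tag == "group" and e.qualifier in gids)]
    return grp or [e for e in acl if e.tag == "other"]

def check_acl(acl: List[Entry], owner: int, group: int,
              euid: int, gids: Set[int], want: int) -> bool:
    """Step 2: a selected entry must hold every wanted bit; the mask entry
    caps everything except the owner and 'other' entries."""
    mask = next((e.perms for e in acl if e.tag == "mask"), 7)
    for e in select(acl, owner, group, euid, gids):
        perms = e.perms if e.tag in ("user_obj", "other") else e.perms & mask
        if (perms & want) == want:
            return True
    return False
```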
Table 4.4 Scope RBAC Models
Constraints - RBAC
• Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• A defined relationship among roles or a condition related to roles
• Types:
o Mutually exclusive roles
 A user can only be assigned to one role in the set (either during a session or statically)
 Any permission (access right) can be granted to only one role in the set
o Cardinality
 Setting a maximum number with respect to roles
o Prerequisite roles
 Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
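An added example (not from the textbook) of an RBAC assignment service that enforces the three constraint types above: both halves of mutual exclusion (user-role and permission-role), a cardinality limit, and a prerequisite role. The roles, users and permissions are constructed.

```python
# Added example, not from the textbook: user-role assignment that enforces the
# three constraint types above. Roles, users and permissions are constructed.
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Set

class RBAC:
    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)
        self.role_perms: Dict[str, Set[str]] = defaultdict(set)
        self.exclusive: List[FrozenSet[str]] = []   # sets of mutually exclusive roles
        self.cardinality: Dict[str, int] = {}      # role -> maximum number of members
        self.prerequisite: Dict[str, str] = {}     # role -> role that must already be held

    def members(self, role: str) -> int:
        return sum(role in rs for rs in self.user_roles.values())

    def assign(self, user: str, role: str) -> Optional[str]:
        """Add role to user; returns None on success or the violated constraint."""
        held = self.user_roles[user]
        for ex in self.exclusive:              # at most one role of each set per user
            if role in ex and held & ex:
                return f"mutually exclusive: {role} vs {sorted(held & ex)}"
        if self.members(role) >= self.cardinality.get(role, 10**9):
            return f"cardinality: {role} already has {self.cardinality[role]} members"
        if role in self.prerequisite and self.prerequisite[role] not in held:
            return f"prerequisite: {role} requires {self.prerequisite[role]}"
        held.add(role)
        return None

    def grant(self, role: str, perm: str) -> Optional[str]:
        """A permission may be granted to only one role of an exclusive set."""
        for ex in self.exclusive:
            if role in ex and any(perm in self.role_perms[r] for r in ex - {role}):
                return f"mutually exclusive: {perm} already granted within {sorted(ex)}"
        self.role_perms[role].add(perm)
        return None

    def allowed(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms[r] for r in self.user_roles[user])

def build_sample() -> RBAC:
    """Constructed policy: purchaser/approver separated, one auditor, leads are engineers."""
    r = RBAC()
    r.exclusive.append(frozenset({"purchaser", "approver"}))
    r.cardinality["auditor"] = 1
    r.prerequisite["project_lead"] = "engineer"
    r.grant("purchaser", "create_order")
    r.grant("approver", "approve_order")
    return r
```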
Attribute-Based Access Control (ABAC)
• Can define authorizations that express conditions on properties of both the resource and the subject
• Strength is its flexibility and expressive power
• Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access
• Web services have been pioneering technologies through the introduction of the eXtensible Access Control Markup Language (XACML)
• There is considerable interest in applying the model to cloud services
ABAC Model: Attributes
• Subject attributes
o A subject is an active entity that causes information to flow among objects or changes the system state
o Attributes define the identity and characteristics of the subject
• Object attributes
o An object (or resource) is a passive information system-related entity containing or receiving information
o Objects have attributes that can be leveraged to make access control decisions
• Environment attributes
o Describe the operational, technical, and even situational environment or context in which the information access occurs
o These attributes have so far been largely ignored in most access control policies
ABAC
• Relies upon the evaluation of attributes of the subject, attributes of the object, and a formal relationship or access control rule defining the allowable operations for subject-object attribute combinations in a given environment
• Distinguishable because it controls access to objects by evaluating rules against the attributes of entities, operations, and the environment relevant to a request
• Systems are capable of enforcing DAC, RBAC, and MAC concepts
• Allows an unlimited number of attributes to be combined to satisfy any access control rule
ABAC Policies
• A policy is a set of rules and relationships that govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions
• Typically written from the perspective of the object that needs protecting and the privileges available to subjects
• Privileges represent the authorized behavior of a subject and are defined by an authority and embodied in a policy
• Other terms commonly used instead of privileges are: rights, authorizations, and entitlements
Identity, Credential, and Access Management (ICAM)
• A comprehensive approach to managing and implementing digital identities, credentials, and access control
• Developed by the U.S. government
• Designed to:
o Create trusted digital identity representations of individuals and nonperson entities (NPEs)
o Bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions
o Use the credentials to provide authorized access to an agency’s resources
• A credential is an object or data structure that authoritatively binds an identity to a token possessed and controlled by a subscriber
Identity Management
• Concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE
• Goal is to establish a trustworthy digital identity that is independent of a specific application or context
• Most common approach to access control for applications and programs is to create a digital representation of an identity for the specific use of the application or program
• Maintenance and protection of the identity itself is treated as secondary to the mission associated with the application
• Final element is lifecycle management, which includes:
o Mechanisms, policies, and procedures for protecting personal identity information
o Controlling access to identity data
o Techniques for sharing authoritative identity data with applications that need it
o Revocation of an enterprise identity
Credential Management
• The management of the life cycle of the credential
• Examples of credentials are smart cards, private/public cryptographic keys, and digital certificates
• Encompasses five logical components:
o An authorized individual sponsors an individual or entity for a credential to establish the need for the credential
o The sponsored individual enrolls for the credential
 Process typically consists of identity proofing and the capture of biographic and biometric data
 This step may also involve incorporating authoritative attribute data, maintained by the identity management component
o A credential is produced
 Depending on the credential type, production may involve encryption, the use of a digital signature, the production of a smart card or other functions
o The credential is issued to the individual or NPE
o A credential must be maintained over its life cycle
 Might include revocation, reissuance/replacement, reenrollment, expiration, personal identification number (PIN) reset, suspension, or reinstatement
Access Management
• Deals with the management and control of the ways entities are granted access to resources
• Covers both logical and physical access
• May be internal to a system or an external element
• Purpose is to ensure that the proper identity verification is made when an individual attempts to access a security sensitive building, computer systems, or data
• Three support elements are needed for an enterprise-wide access control facility:
o Resource management
o Privilege management
o Policy management
Three support elements are needed for an
enterprise-wide access control facility:
Resource management

• Concerned with defining rules for a resource that requires access control
• Rules would include credential requirements and what user attributes,
resource attributes, and environmental conditions are required for access of
a given resource for a given function

Privilege management

• Concerned with establishing and maintaining the entitlement or privilege attributes that comprise an individual’s access profile
• These attributes represent features of an individual that can be used as the basis for determining access decisions to both physical and logical resources
• Privileges are considered attributes that can be linked to a digital identity

Policy management

• Governs what is allowable and unallowable in an access transaction


Identity Federation
• Term used to describe the technology, standards, policies, and processes that allow an organization to trust digital identities, identity attributes, and credentials created and issued by another organization
• Addresses two questions:
o How do you trust identities of individuals from external organizations who need access to your systems?
o How do you vouch for identities of individuals in your organization when they need to collaborate with external organizations?
Open Identity Trust Framework
• OpenID: an open standard that allows users to be authenticated by certain cooperating sites using a third party service
• OIDF: OpenID Foundation is an international nonprofit organization of individuals and companies committed to enabling, promoting, and protecting OpenID technologies
• ICF: Information Card Foundation is a nonprofit community of companies and individuals working together to evolve the Information Card ecosystem
• OITF: Open Identity Trust Framework is a standardized, open specification of a trust framework for identity and attribute exchange, developed jointly by OIDF and ICF
• OIX: Open Identity Exchange Corporation is an independent, neutral, international provider of certification trust frameworks conforming to the OITF model
• AXN: Attribute Exchange Network is an online Internet-scale gateway for identity service providers and relying parties to efficiently access user asserted, permissioned, and verified online identity attributes in high volumes at affordable costs
Table 4.5
Functions and Roles for Banking Example
Summary
• Access control principles
o Access control context
o Access control policies
• Subjects, objects, and access rights
• Discretionary access control
o Access control model
o Protection domains
• UNIX file access control
o Traditional UNIX file access control
o Access control lists in UNIX
• Role-based access control
o RBAC reference models
• Bank RBAC system
• Attribute-based access control
o Attributes
o ABAC logical architecture
o ABAC policies
• Identity, credential, and access management
o Identity management
o Credential management
o Access management
o Identity federation
• Trust frameworks
o Traditional identity exchange approach
o Open identity trust framework