Transcript Slide 1
Slide 1: Security Models: Past, Present and Future
INSTITUTE FOR CYBER SECURITY
Prof. Ravi Sandhu, Executive Director and Endowed Chair, Institute for Cyber Security, University of Texas at San Antonio
August 2010
[email protected]
www.profsandhu.com
© Ravi Sandhu 1

Slide 2: Security Objectives
- INTEGRITY: modification
- AVAILABILITY: access
- CONFIDENTIALITY: disclosure

Slide 3: Security Objectives
- USAGE: purpose (added to the three objectives above)
- INTEGRITY: modification
- AVAILABILITY: access
- CONFIDENTIALITY: disclosure

Slide 4: Security Objectives
Same four objectives as slide 3 (the diagram shows USAGE twice).

Slide 5: Butler Lampson Paraphrased (I think)
“Computer scientists could never have designed the web because they would have tried to make it work. But the Web does ‘work.’ What does it mean for the Web to ‘work’?”
“Security geeks could never have designed the ATM network because they would have tried to make it secure. But the ATM network is ‘secure.’ What does it mean for the ATM network to be ‘secure’?”

Slide 6: Foundational Security Assumptions
- Information needs to be protected: in motion, at rest, in use
- Absolute security is impossible and unnecessary; trying to approximate absolute security is a bad strategy
- “Good enough” security is feasible and meaningful; better than “good enough” is bad
- Security is meaningless without application context; we cannot know we have “good enough” without this context
- Models and abstractions are all important; without a conceptual framework it is hard to separate “what needs to be done” from “how we do it”
- We are not very good at doing any of this

Slide 7: PEI Models: 3 Layers/5 Layers
- PEI layers (Policy, Enforcement, Implementation): Idealized (policy), Enforceable/Approximate (enforcement), Codeable (implementation)
- This lecture is focused on the policy models layer
- At the policy layer security models are essentially access control models

Slide 8: THE PAST

Slide 9: Access Control Models
- Discretionary Access Control (DAC): owner controls access, but only to the original, not to copies
- Mandatory Access Control (MAC), same as Lattice-Based Access Control (LBAC): access based on security labels; labels propagate to copies
- Role-Based Access Control (RBAC): access based on roles; can be configured to do DAC or MAC; generalizes to Attribute-Based Access Control (ABAC)
- Numerous other models, but only 3 successes

Slide 10: DAC: Access Matrix Model
Rows are subjects (U, V); columns are objects (and subjects) F, G; each cell holds the rights the subject has on the object (entries shown: rw own, r, rw own).

Slide 11: DAC: Trojan Horse Example
- ACL of File F: A:r, A:w
- ACL of File G: B:r, A:w
- B cannot read file F

Slide 12: DAC: Trojan Horse Example
- A executes Program Goodies, which contains a Trojan Horse
- The Trojan Horse reads File F (A:r) and writes its contents to File G (A:w)
- B can read the contents of file F copied to file G

Slide 13: LBAC: Lattice Structures
- Top Secret > Secret > Confidential > Unclassified
- Relations drawn on the lattice: dominance (a higher class dominates a lower one) and can-flow (information may flow upward)
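The DAC Trojan horse of slides 11 and 12 and the lattice labels and BLP rules of slides 13 to 15, worked as an added Python example that is not part of the slides: the ACLs, labels and file names are constructed, and the two trojan_leaks_* functions replay the Goodies program under each model.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical classes U < C < S < TS, as on the lattice slide.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: level at least as high AND compartments a superset.
        # Labels with different compartment sets may be incomparable (dominate neither way).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def can_read(subject: Label, obj: Label) -> bool:
    # BLP simple-security: read only if label(S) dominates label(O).
    return subject.dominates(obj)

def can_write(subject: Label, obj: Label, strict: bool = False) -> bool:
    # BLP star-property: liberal = label(O) dominates label(S); strict = labels equal.
    return obj == subject if strict else obj.dominates(subject)

def trojan_leaks_under_dac(acl: dict) -> bool:
    # ACLs keyed by file name, holding (principal, right) pairs (constructed sample).
    # Goodies runs with A's rights: it may read F and write G, and B may then read G.
    copied = ("A", "r") in acl["F"] and ("A", "w") in acl["G"]
    return copied and ("B", "r") in acl["G"]

def trojan_leaks_under_lbac(a: Label, f: Label, g: Label, b: Label) -> bool:
    # Same program, but every access is checked against labels, which stay on copies.
    # With F high and G low, the write to G fails the star-property, so nothing is copied.
    return can_read(a, f) and can_write(a, g) and can_read(b, g)

if __name__ == "__main__":
    high, low = Label("S", frozenset({"A"})), Label("U")
    acl = {"F": {("A", "r"), ("A", "w")}, "G": {("B", "r"), ("A", "w")}}
    print("DAC leak:", trojan_leaks_under_dac(acl))                     # True
    print("LBAC leak:", trojan_leaks_under_lbac(high, high, low, low))  # False
```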
Slide 14: LBAC: Lattice Structures
Hierarchical classes with compartments: TS,{A,B}; TS,{A}; TS,{B}; TS,{}; S,{A,B}; S,{A}; S,{B}; S,{}

Slide 15: LBAC: Bell LaPadula (BLP)
- SIMPLE-SECURITY: subject S can read object O only if label(S) dominates label(O)
- STAR-PROPERTY (LIBERAL): subject S can write object O only if label(O) dominates label(S)
- STAR-PROPERTY (STRICT): subject S can write object O only if label(O) equals label(S)

Slide 16: LBAC: Covert Channels
- A High user's Trojan-horse-infected subject signals to a Low user's Trojan-horse-infected subject over a covert channel
- Information is leaked unknown to the high user

Slide 17: RBAC: Role-Based Access Control
- Access is determined by roles
- A user's roles are assigned by security administrators
- A role's permissions are assigned by security administrators
- First emerged: mid 1970s; first models: mid 1990s
- Is RBAC MAC or DAC or neither? RBAC can be configured to do MAC; RBAC can be configured to do DAC; RBAC is policy neutral; RBAC is neither MAC nor DAC!

Slide 18: RBAC: RBAC96 Model
- Components: USERS, ROLES, PERMISSIONS, SESSIONS
- Relations: USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, ROLE HIERARCHIES, CONSTRAINTS

Slide 19: RBAC: The RBAC Story
[Chart: amount of RBAC publications per year of publication, 1992 to 2008, annotated with Pre-RBAC, Early RBAC (RBAC96 paper), 1st expansion phase, Proposed Standard, Standard Adopted, 2nd expansion phase]

Slide 20: THE PRESENT

Slide 21: UCON: Usage Control Scope
- Security objectives: Sensitive Information Protection, Intellectual Property Rights Protection, Privacy Protection
- Approaches: Traditional Access Control, Trust Management, DRM, Usage Control
- Security architectures: Server-side Reference Monitor (SRM), Client-side Reference Monitor (CRM), SRM & CRM

Slide 22: UCON: Usage Control Model
- Unified model integrating authorization, obligation and conditions, and incorporating continuity of decisions and mutability of attributes
- Components: Subjects (S) with Subject Attributes (SA), Objects (O) with Object Attributes (OA), Rights (R), and Usage Decisions based on Authorizations (A), Obligations (B) and Conditions (C)
- Continuity of decisions: pre-decision (before usage), ongoing-decision (ongoing usage), after usage
- Mutability of attributes: pre-update, ongoing-update, post-update
- UCON is ABAC on steroids

Slide 23: THE FUTURE

Slide 24: Our Basic Premise: Application-Centric Security Models
- There can be no security model without application context
- So how does one customize an application-centric security model?
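An added Python toy of the RBAC96 components on slide 18 (users, roles, permissions, sessions, user-role and permission-role assignment, a role hierarchy and a static separation-of-duty constraint); it is not from the slides, and the sample roles, permissions and user names are constructed.

```python
from collections import defaultdict

class RBAC96:
    # Added toy RBAC96: users, roles, permissions, UA, PA, role hierarchy, sessions, SSD constraint.
    def __init__(self):
        self.ua = defaultdict(set)       # user -> directly assigned roles (user-role assignment)
        self.pa = defaultdict(set)       # role -> permissions (permission-role assignment)
        self.juniors = defaultdict(set)  # role -> direct junior roles (role hierarchy)
        self.ssd = set()                 # mutually exclusive role pairs (constraint)
        self.sessions = {}               # session id -> (user, activated roles)
    def closure(self, roles):
        # Roles reachable downward in the hierarchy; a senior inherits its juniors' permissions.
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen
    def assign_role(self, user, role) -> bool:
        # Administrator action; refused if the user would hold both roles of an SSD pair.
        held = self.closure(self.ua[user] | {role})
        if any(a in held and b in held for a, b in self.ssd):
            return False
        self.ua[user].add(role)
        return True
    def open_session(self, sid, user, roles) -> bool:
        # A session activates a subset of the roles the user is authorized for (least privilege).
        if not set(roles) <= self.closure(self.ua[user]):
            return False
        self.sessions[sid] = (user, set(roles))
        return True
    def check(self, sid, permission) -> bool:
        # Access is decided by the session's activated roles, never by the user's identity.
        _, active = self.sessions[sid]
        return any(permission in self.pa[r] for r in self.closure(active))

def demo() -> RBAC96:
    # Constructed sample policy: manager inherits employee; purchaser and approver are exclusive.
    rbac = RBAC96()
    rbac.juniors["manager"].add("employee")
    rbac.ssd.add(("purchaser", "approver"))
    rbac.pa["employee"].add("read:handbook")
    rbac.pa["manager"].add("sign:timesheet")
    rbac.pa["purchaser"].add("create:po")
    rbac.assign_role("alice", "manager")
    rbac.assign_role("alice", "purchaser")
    rbac.open_session("s1", "alice", ["employee"])             # activate only what the task needs
    rbac.open_session("s2", "alice", ["manager", "purchaser"])
    return rbac
```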
Slide 24 (continued):
- Meaningfully combine the essential insights of DAC, LBAC, RBAC, ABAC, UCON, etcetera
- Directly address the application-specific trade-offs: within the security objectives of confidentiality, integrity and availability; across security, performance, cost and usability objectives
- Separate the real-world concerns of practical distributed systems and the ensuing staleness and approximations (enforcement layer) from policy concerns in an idealized environment (policy layer)

Slide 25: Dissemination-Centric Sharing
- Extensive research in the last two decades: ORCON, DRM, ERM, XrML, ODRL, etc.
- Copy/usage control has received major attention
- Manageability problem largely unaddressed
- Diagram: dissemination chain with sticky policies on objects, Alice -> Bob -> Charlie -> Eve -> Susie; each user has an attribute cloud, and each object carries its own attribute + policy cloud along the chain

Slide 26: Group-Centric Sharing (g-SIS)
- Brings users & objects together in a group
- Focuses on manageability using groups
- Co-exists with dissemination-centric sharing
- Two metaphors: Secure Meeting Room (e.g. program committee); Subscription Model (e.g. secure multicast)
- Diagram: users join/leave the group, objects are added/removed, and the group answers Authz(u,o,r)?
- Group characteristics, e.g. are there any core properties?
- Group operation semantics, e.g. what is authorized by join, add, etc.? Read-only vs read-write
- Administrative aspects, e.g. who authorizes join, add, etc.? May be application dependent
- Operational aspects
- Multiple groups: inter-group relationship

Slide 27: CONCLUSION

Slide 28: Conclusion
- THE PAST: Discretionary Access Control (DAC); Mandatory Access Control (MAC), equivalently Lattice-Based Access Control (LBAC); Role-Based Access Control (RBAC)
- THE PRESENT: Usage Control (UCON), Attribute-Based Access Control (ABAC) on steroids
- THE FUTURE: Application-Centric Access Control Models; Technology-Centric Access Control Models
- Models are all important
- A Policy Language is not a substitute for a good model
- Lots of interesting/impactful research to be done at the P, E and I layers
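An added Python example, not from the slides, of the UCON model on slide 22 (the conclusion's "ABAC on steroids"): one usage of a play right decided by authorizations, obligations and conditions, with a pre-decision and ongoing decisions and with pre, ongoing and post attribute updates; the entity names, attribute names and the credit/viewer policy are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    attrs: dict = field(default_factory=dict)  # mutable attributes: SA for subjects, OA for objects

class Usage:
    # Added toy UCON usage of a 'play' right on a media object; attribute names are constructed.
    def __init__(self, subject: Entity, obj: Entity):
        self.s, self.o, self.active, self.log = subject, obj, False, []
    def authorized(self) -> bool:            # A: predicate over subject and object attributes
        return self.s.attrs["credit"] >= self.o.attrs["price"]
    def obligation_met(self) -> bool:        # B: something the subject must have done
        return self.s.attrs.get("accepted_terms", False)
    def condition_ok(self, env) -> bool:     # C: environment state outside subject/object control
        return env["online"]
    def try_access(self, env) -> bool:
        # pre-decision: evaluated once before usage starts
        if not (self.authorized() and self.obligation_met() and self.condition_ok(env)):
            return False
        # pre-update: attributes mutate because usage was granted (consume credit, count viewer)
        self.s.attrs["credit"] -= self.o.attrs["price"]
        self.o.attrs["viewers"] += 1
        self.active = True
        return True
    def tick(self, env) -> str:
        # ongoing-decision: re-evaluated while usage continues, and can revoke it
        if not self.active:
            return "inactive"
        if not self.condition_ok(env) or self.o.attrs["viewers"] > self.o.attrs["max_viewers"]:
            return self.end_access("revoked")
        # ongoing-update: attributes mutate during usage
        self.s.attrs["minutes"] = self.s.attrs.get("minutes", 0) + 1
        return "ongoing"
    def end_access(self, reason: str = "ended") -> str:
        # post-update: attributes mutate after usage stops, however it stopped
        self.o.attrs["viewers"] -= 1
        self.active = False
        self.log.append((self.s.name, self.o.name, reason, self.s.attrs.get("minutes", 0)))
        return reason

def demo():
    # Constructed scenario: enough credit for one play; the network drops during the third minute.
    alice = Entity("alice", {"credit": 5, "accepted_terms": True})
    movie = Entity("movie", {"price": 3, "viewers": 0, "max_viewers": 1})
    u = Usage(alice, movie)
    granted = u.try_access({"online": True})
    states = [u.tick({"online": True}), u.tick({"online": True}), u.tick({"online": False})]
    return granted, states, alice.attrs, movie.attrs, u.log
```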