Web Access Control Strategies

Alban Gabillon
Université de la Polynésie Française, Laboratoire Gepasud, French Polynesia

Synonym
Access Control Models

Related concepts and keywords
Discretionary access control; Mandatory access control; Role-based access control; Context-based access control

Definitions

Access Control Model
An access control model consists of:
- an access control policy, which specifies the authorized accesses of a protection system
- an administration model, which specifies how the access control policy can be updated

Access Control Mechanism
An access control mechanism is a hardware or software solution for enforcing an access control policy.

Theory

Access Control Models
Access control models can be grouped into several classes. We distinguish between Discretionary Access Control (DAC) models, Mandatory Access Control (MAC) models, Role Based Access Control (RBAC) models and more advanced models that we refer to as Context-Based Access Control (CBAC) models.

In Discretionary Access Control models such as the Harrison, Ruzzo, Ullman model [1], the security policy is specified using the concepts of subjects, actions and objects. Subjects are the active entities of the system, objects are the passive entities and actions are the direct accesses that subjects can perform on objects. The access control policy consists of a set of triples (subject, action, object). Each triple (s, a, o) reads “subject s has the permission to perform action a on object o” (1). Such models are called discretionary since permissions address the concrete identity of subjects. Many DAC models support the concept of user group. User groups simplify the management of authorizations since a single permission granted to a group propagates to all group members. Most DAC models incorporate the concept of ownership. Subjects may grant or revoke rights for objects they own (basically, objects they have created). In other words, subjects administer the security policy for their own objects.

Footnote 1: Sometimes, these triples are internally represented in the system by means of Access Control Lists (ACL). An ACL is a list of pairs (subject, action) attached to an object.

In Mandatory Access Control models, a security level is assigned to each subject and each object. The security policy applies to all users and cannot be modified. If the objective is to guarantee data confidentiality (2), then the security policy (referred to as the multilevel security policy) can be expressed as follows: “subjects at a given confidentiality level are forbidden to know anything about data at a higher level and are permitted to know everything about data at the same or a lower level”. Bell & La Padula [2] showed that it is necessary to enforce the following two access control properties in order to guarantee the confidentiality policy:
- The no read-up property states that a subject at a given level of confidentiality cannot read an object at a higher level.
- The no write-down property states that a subject at a given level of confidentiality cannot write to an object at a lower level.
The no write-down restriction is necessary to prevent a Trojan horse, running on behalf of a high-level user, from copying high-level data into a low-level object. However, the above mentioned access control properties are not sufficient to enforce the confidentiality policy. MAC models fall, in fact, into the category of information flow control models, since the only way to enforce the security policy is to control all information flows that may arise in the system. Information may flow along hidden channels which are different from those resulting from read and write operations. These hidden channels, collectively referred to as covert channels, can be of various kinds (e.g. timing channels, inference channels, etc.). Unfortunately, many of these covert channels are difficult to identify and difficult to control in a cost-effective way. Administering the security policy in MAC models means assigning security levels to subjects and objects. This is usually done under the responsibility of a single security officer.
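As an added example (not code from the original entry), the two Bell & La Padula properties written as a dominance check in Python; the level names, labels and category sets are constructed for the illustration, and the category component extends the levels-only description above to the usual lattice form:

```python
from dataclasses import dataclass

# Linearly ordered confidentiality levels (constructed values for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know categories.
    Categories are an assumption that goes beyond the entry, which uses
    levels only; the same dominance check covers both."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 iff level(L1) >= level(L2) and cats(L1) is a superset of cats(L2)
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read-up): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write-down): the object must dominate the subject."""
    return obj.dominates(subject)


def trojan_copy_allowed(subject: Label, src: Label, dst: Label) -> bool:
    """A program running on behalf of `subject` tries to copy src into dst.
    The copy needs a read of src and a write to dst; both must be permitted."""
    return can_read(subject, src) and can_write(subject, dst)


if __name__ == "__main__":
    secret = Label("SECRET", frozenset({"NUCLEAR"}))
    low = Label("UNCLASSIFIED")
    print(can_read(low, secret))                      # False: no read-up
    print(can_write(secret, low))                     # False: no write-down
    print(trojan_copy_allowed(secret, secret, low))   # False: the Trojan horse is blocked
```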
Footnote 2: For a mandatory access control model addressing data integrity, see the Biba model [3].

DAC and MAC models are not well adapted to business organizations. MAC models are suitable for military applications, whereas DAC models have long been integrated into computer file systems. In business organizations, there is a need to specify privileges based on the roles that users assume in the organization. Consequently, the Role Based Access Control model [4] has been proposed as an alternative to traditional MAC and DAC models. In 2004, the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) adopted the RBAC proposal of Sandhu, Ferraiolo and Kuhn [5] as a standard. The main principles of RBAC are the following:
- In DAC, permissions relate to low-level operations such as reading and writing data, whereas in RBAC they relate to organizational tasks, such as transferring money or buying a flight ticket.
- RBAC models define a role as a job function. Permissions to perform operations are assigned to roles instead of users. In turn, roles are assigned to users according to their responsibilities. The same permission can be assigned to several roles and different roles can be assigned to the same user.
- The primary objective of Separation of Duties (SoD) policies is to prevent a single individual from executing several transactions that could be used for fraud purposes, for instance authorizing a payment and initiating a payment. SoD policies can easily be expressed with RBAC by declaring some roles as mutually exclusive. Two mutually exclusive roles cannot then be assigned to the same user.
The standard RBAC model does not have an administration model. It implicitly assumes that the definition of roles, the assignment of permissions to roles and the distribution of roles to users are carried out by a central authority. The Administrative Role-Based Access Control (ARBAC) model [6] is a role-based administration model for the RBAC model. This model defines administrative roles corresponding to the functions of assigning permissions to application roles and assigning application roles to users.

In more and more applications, the security policy can no longer be defined with static authorization rules. In such applications, the privileges granted to users depend on contextual conditions. Access control models that support the management of dynamic security policies, where authorizations depend on contextual conditions, are sometimes referred to as Context-Based Access Control models. The following can be considered CBAC models:
- In Attribute-Based Access Control (ABAC) models [7], permissions are based on boolean conditions over subject attributes, object attributes and environment attributes.
- Some access control models extend the RBAC model to deal with access control based on user location (see [8] for instance) or on temporal conditions (see [9] for instance). Most of these approaches define roles that are activated depending on temporal or spatial conditions.
- The Organization Based Access Control (Or-BAC) model [10] defines a complete taxonomy of contexts (spatial, temporal, user-declared, prerequisite and provisional) and provides a framework based on first-order logic to express them.
One key feature of most CBAC models which deserves attention is that they can express authorization rules which do not require identifying users. A user can gain access to a protected resource as long as some contextual conditions are met. This ability to determine access without identifying users can be critical in some interconnected web applications. Let us also mention that many recent access control models (see [11] for instance) support the declaration of negative authorizations (prohibitions).
Explicit prohibitions are useful for specifying exceptions, for instance “the kids are all allowed to play computer games except the little one”. However, specifying security policies that include both permissions and prohibitions may lead to conflicts. Several approaches exist to resolve these conflicts. Some assign priorities to authorizations, whereas others apply principles such as “the most specific takes precedence” or “negative authorization takes precedence”.
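The RBAC principles described above (permissions attached to roles, roles to users, and mutually exclusive roles for Separation of Duties) as an added Python example; the roles, users and the payment tasks are constructed for the illustration, and this is not code from the entry or from the RBAC standard:

```python
from collections import defaultdict


class ConflictingRolesError(Exception):
    """Raised when a user would end up holding two mutually exclusive roles."""


class RBAC:
    """Minimal RBAC policy: permissions are attached to roles, roles to users,
    and a set of mutually exclusive role pairs implements static Separation
    of Duties. All names used with it are constructed for the example."""

    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.user_roles = defaultdict(set)   # user -> {role}
        self.exclusive = set()               # {frozenset({role_a, role_b})}

    def grant(self, role, operation, obj):
        # Permissions name organizational tasks, not low-level reads/writes.
        self.role_perms[role].add((operation, obj))

    def declare_exclusive(self, role_a, role_b):
        self.exclusive.add(frozenset({role_a, role_b}))

    def assign(self, user, role):
        # Static SoD check: refuse the assignment if it would give the user
        # both roles of a mutually exclusive pair.
        for held in self.user_roles[user]:
            if frozenset({held, role}) in self.exclusive:
                raise ConflictingRolesError(
                    f"{user} cannot hold both {held!r} and {role!r}")
        self.user_roles[user].add(role)

    def is_permitted(self, user, operation, obj):
        # A user holds the union of the permissions of all their roles.
        return any((operation, obj) in self.role_perms[r]
                   for r in self.user_roles[user])


def build_payment_policy():
    """The fraud example from the text: initiating and authorizing a payment
    are tasks of two roles that no single user may hold together."""
    policy = RBAC()
    policy.grant("clerk", "initiate", "payment")
    policy.grant("manager", "authorize", "payment")
    policy.grant("auditor", "read", "ledger")
    policy.declare_exclusive("clerk", "manager")
    policy.assign("alice", "clerk")
    policy.assign("bob", "manager")
    policy.assign("bob", "auditor")          # several roles for one user is fine
    return policy
```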

Access Control Enforcement
The access control mechanisms of a system are trusted hardware or software solutions that enforce the system security policy. The Internet Engineering Task Force (IETF) defines an abstract model for policy enforcement which is used in most commercial implementations of access control mechanisms. This abstract model makes a clear distinction between the Policy Decision Point (PDP) component and the Policy Enforcement Point (PEP) component:
- The PEP intercepts the access request and forwards it to the PDP. After it has received the decision from the PDP, it enforces the decision against the requester.
- The PDP analyzes the access request, evaluates contextual conditions, resolves potential conflicts between security rules and then decides on the concrete outcome of the request (i.e. access granted or access denied).
The processing model of the eXtensible Access Control Markup Language (XACML) (3) defines two further components:
- The Policy Administration Point (PAP) can be seen as a repository for storing and managing the security policies.
- The Policy Information Point (PIP) helps the PDP acquire external contextual information.

Footnote 3: XACML is a declarative access control policy language which aims at becoming a standard for expressing security policies.
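An added example (not from the original entry) that ties the PEP/PDP/PIP components to the conflict resolution strategies described above for policies mixing permissions and prohibitions; the rule set, the request attributes and the "deny-overrides" / "priority" strategy names are constructed for the illustration:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Context = Dict[str, object]   # subject, object and environment attributes

@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny" (a prohibition)
    applies: Callable[[Context], bool]   # boolean condition over attributes
    priority: int = 0

class PIP:
    """Policy Information Point: supplies context the request lacks (a constructed clock)."""
    def __init__(self, hour: int):
        self.hour = hour
    def enrich(self, request: Context) -> Context:
        return {**request, "hour": self.hour}

class PDP:
    """Policy Decision Point: evaluates the rules held by the PAP and
    resolves permit/deny conflicts with the configured strategy."""
    def __init__(self, pap: List[Rule], pip: PIP, strategy: str = "deny-overrides"):
        self.pap, self.pip, self.strategy = pap, pip, strategy
    def decide(self, request: Context) -> str:
        ctx = self.pip.enrich(request)
        matching = [r for r in self.pap if r.applies(ctx)]
        if not matching:
            return "deny"                      # closed policy: no rule, no access
        if self.strategy == "deny-overrides":  # "negative authorization takes precedence"
            return "deny" if any(r.effect == "deny" for r in matching) else "permit"
        if self.strategy == "priority":        # the highest-priority matching rule wins
            return max(matching, key=lambda r: r.priority).effect
        raise ValueError(f"unknown strategy {self.strategy!r}")

class PEP:
    """Policy Enforcement Point: intercepts the access, asks the PDP and
    enforces the answer against the requester."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp
    def access(self, request: Context, resource: Callable[[], str]) -> str:
        return resource() if self.pdp.decide(request) == "permit" else "ACCESS DENIED"

# Constructed policy: the kids' exception from the text plus a temporal rule.
PAP_RULES = [
    Rule("kids-play", "permit", lambda c: c["role"] == "kid" and c["object"] == "games"),
    Rule("little-one-excluded", "deny", lambda c: c["subject"] == "little_one", priority=10),
    Rule("no-games-late", "deny", lambda c: c["object"] == "games" and c["hour"] >= 21),
]
```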

Future Directions
Access Control is still a very active field of research. Among several research directions, we can isolate the following:
- Interoperability. Information systems are more and more distributed and interconnected. Some technological tools to ensure secure interactions already exist (see the Web Single Sign On and SAML chapter). However, existing access control models should be extended to cover all cases of interaction between organizations. Several steps toward such a model have already been made. Among existing works, let us mention the following:
  o Trust negotiation [12]: Trust negotiation is an approach to gradually establishing trust between strangers through the iterative exchange of digital credentials. Once trust has been established, the interaction can take place, i.e. the requesting party can access the online resource of the other party. The exchange of digital credentials is iterative because credentials are themselves considered sensitive objects which should be disclosed only when certain conditions are met. The underlying access control model used in trust negotiation is the ABAC model. Rules are expressed to define the security policy protecting not only the online resource but also the credentials exchanged during the negotiation.
  o Virtual private organization [13]: Whenever an organization in charge of an online resource receives an access request for that resource, it creates a virtual private organization that exists as long as the requesting organization uses the resource. The organization in charge of the online resource defines the security policy for the virtual private organization. The underlying access control model used in virtual private organizations is the Or-BAC model, which can express the policies of multiple organizations.
- Usage Control. Some 30 years ago, Dorothy Denning wrote [14]: “Access controls regulate the accessing of objects but not what subjects might do with the information contained in them”. Information flow models provide a partial answer to this problem. For instance, the no write-down restriction of the Bell & La Padula model prevents high-level subjects from copying high-level data into low-level objects. However, information flow models are either impractical or not flexible enough to be used in an open environment such as the web. Consequently, new usage control models have been proposed [15][16]. Usage control specifies requirements that should be met before, during, or after an access. Usage control is closely related to the use of obligations in the security policy. Regarding enforcement, Digital Rights Management (DRM) techniques can be used to enforce some usage control policies.

REFERENCES
[1] M.A. Harrison, W.L. Ruzzo, and J.D. Ullman. Protection in Operating Systems. Communications of the ACM, 19(8):461-471, August 1976.
[2] D. Bell and L. La Padula. Secure Computer Systems: Unified Exposition and Multics Interpretation. Technical Report ESD-TR-75-306, MTR-2997, MITRE, Bedford, Mass., 1975.
[3] K. Biba. Integrity Considerations for Computer Systems. Technical Report ESD-TR-76-372, MITRE, Bedford, Mass., 1976.
[4] D.F. Ferraiolo and D.R. Kuhn. Role Based Access Controls. 15th National Computer Security Conference, pp. 554-563, October 1992.
[5] D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, and R. Chandramouli. Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and System Security, 4(3):222-274, August 2001.
[6] R. Sandhu, V. Bhamidipati, and Q. Munawer. The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and System Security, February 1999.
[7] E. Yuan and J. Tong. Attributed Based Access Control (ABAC) for Web Services. Proceedings of the IEEE International Conference on Web Services (ICWS'05), 2005.
[8] E. Bertino, B. Catania, M.L. Damiani, and P. Perlasca. GEO-RBAC: A Spatially Aware RBAC. 10th ACM Symposium on Access Control Models and Technologies (SACMAT), Stockholm, Sweden, 2005, pp. 29-37.
[9] J.B.D. Joshi, E. Bertino, U. Latif, and A. Ghafoor. A Generalized Temporal Role-Based Access Control Model. IEEE Transactions on Knowledge and Data Engineering, 17(1):4-23, January 2005.
[10] F. Cuppens and N. Cuppens-Boulahia. Modeling Contextual Security Policies. International Journal of Information Security (IJIS), 7(4), August 2008.
[11] S. Jajodia, P. Samarati, M.L. Sapino, and V.S. Subrahmanian. Flexible Support for Multiple Access Control Policies. ACM Transactions on Database Systems, June 2001.
[12] T. Yu, M. Winslett, and K.E. Seamons. Supporting Structured Credentials and Sensitive Policies through Interoperable Strategies for Automated Trust Negotiation. ACM Transactions on Information and System Security, 6(1), February 2003.
[13] F. Cuppens, N. Cuppens-Boulahia, and C. Coma. O2O: Virtual Private Organizations to Manage Security Policy Interoperability. Second International Conference on Information Systems Security (ICISS'06), Calcutta, India, December 2006.
[14] D.E.R. Denning. Cryptography and Data Security. Addison-Wesley, 1982.
[15] J. Park and R. Sandhu. The UCON-ABC Usage Control Model. ACM Transactions on Information and System Security, 7(1):128-174, 2004.
[16] F. Cuppens, N. Cuppens-Boulahia, and T. Sans. Nomad: A Security Model with Non Atomic Actions and Deadlines. Computer Security Foundations Workshop (CSFW), Aix-en-Provence, France, 2005.