Access Control Models
Part II

Elisa Bertino
CERIAS and CS & ECE Departments
Purdue University

Introduction

Other models:
– The Chinese Wall Model – it combines elements of DAC and MAC
– RBAC Model – it is a DAC model; however, it is sometimes considered a policy-neutral model
– T-RBAC – it is an example of access control model that takes contextual information into account
– The Information-Flow model – generalizes the ideas underlying MAC
– The Biba Model – relevant for integrity

The Chinese Wall Access Control Model

Table of Contents

• Conflict of Interests
• Chinese Wall Policy
  – Information classification
  – Read Rule
  – Write Rule
• Criticisms to this model (R. Sandhu)

Conflict of Interest

• It is a well known concept
• An example in the financial world is that of a market analyst working for a financial institution providing corporate business services
• Such an analyst must uphold the confidentiality of information provided to him by his firm's client; this means he/she cannot advise corporations where he/she has insider knowledge of the plans, status and standing of a competitor
• However the analyst is free to advise corporations which are not in competition with each other, and also to draw on general market information

Chinese Wall Policy

Introduced by Brewer and Nash in 1989

The motivation for this work was to avoid that sensitive information concerning a company be disclosed to competitor companies through the work of financial consultants

• It dynamically establishes the access rights of a user based on what the user has already accessed

Chinese Wall Policy

• Subjects: Active entities accessing protected objects
• Objects: Data organized according to 3 levels
  » Information
  » DataSet
  » Conflict-of-Interest (CoI) classes
• Access Rules
  » Read rule
  » Write rule

Data Classification

[Figure: the Set of All Objects divided into CoI 1, CoI 2 and CoI 3; company datasets Bank A, Bank B, Gas A, Oil A and Oil B; each dataset holds Info objects]

Read Rule

Read Rule: A subject S can read an object O if:
• O is in the same Dataset as an object already accessed by S
OR
• O belongs to a CoI from which S has not yet accessed any information

[Figure: a Consultant's accesses to the Bank A, Bank B, Gas A and Oil B datasets, marked R and X]

Read Rule

[Figure: John's accesses over the Set of All Objects (CoI 1, CoI 2, CoI 3; datasets Bank A, Bank B, Gas A, Oil A, Oil B), marked R]

Comparison with Bell-LaPadula

• The Chinese Wall Policy is a combination of free choice and mandatory control
• Initially a subject is free to access any object it wishes
• Once the initial choice is made, a Chinese Wall is created for that user around the dataset to which the object belongs
• Note also that a Chinese Wall can be combined with DAC policies

Write Rule

• The Read Rule does not prevent indirect flow of information
• Consider the following case:
  – John has access to
    • Oil A and Bank A
  – Jane has access to
    • Oil B and Bank A
  – If John is allowed to read Oil A and write into Bank A, he may transfer information about Oil A that can then be read by Jane

Write Rule

[Figures: John and Jane over the set of all objects (CoI 1, CoI 2, CoI 3; datasets Bank A, Bank B, Gas A, Oil A), with the information "ABC" shown among the Info objects]

Write Rule

Write Rule: A subject S can write an object O if:
• S can read O according to the Read Rule
AND
• No object has been read by S which is in a different company dataset to the one on which write is performed

Write Rule

Thus, according to the write rule:
The flow of information is confined to its own company dataset

[Figure: Consultant A and Consultant B with the Bank A, Bank B and Oil B datasets; accesses marked R, W and X]

Criticisms to the Model (R. Sandhu)

The Write Rule of BN is very restrictive:
• A user that has read objects from more than one dataset is not able to write any object
• The user can only read and write objects from a single dataset

Sanitized Information

• Brewer and Nash recognize the need for analysts to be able to compare information they have with that relating to other corporations
• Thus they recognize that access restriction can be lifted for sanitized information
• Sanitization takes the form of disguising a corporation's information, so as to prevent the discovery of that corporation's identity
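
The read rule, the write rule, the John/Jane case and the sanitized-information exception, as an added example that is not part of the original slides. The assignment of datasets to CoI classes, the `ChineseWall` class and the `SANITIZED` label are assumptions made for illustration.

```python
# Added example: Brewer-Nash read and write rules as a small reference monitor.
# Constructed classification (an assumption): company dataset -> CoI class.
COI_OF = {"Bank A": "CoI 1", "Bank B": "CoI 1", "Gas A": "CoI 2",
          "Oil A": "CoI 3", "Oil B": "CoI 3"}
SANITIZED = "sanitized"  # hypothetical label for disguised information


class ChineseWall:
    def __init__(self, coi_of):
        self.coi_of = dict(coi_of)
        self.history = {}  # subject -> company datasets already read

    def can_read(self, subject, dataset):
        if dataset == SANITIZED:
            return True  # restriction is lifted for sanitized information
        seen = self.history.get(subject, set())
        if dataset in seen:
            return True  # same dataset as an object already accessed
        # Otherwise the dataset's CoI class must be untouched by the subject.
        return self.coi_of[dataset] not in {self.coi_of[d] for d in seen}

    def can_write(self, subject, dataset):
        if not self.can_read(subject, dataset):
            return False
        # Nothing read so far may come from a different company dataset.
        return self.history.get(subject, set()) <= {dataset}

    def read(self, subject, dataset):
        allowed = self.can_read(subject, dataset)
        if allowed and dataset != SANITIZED:
            self.history.setdefault(subject, set()).add(dataset)
        return allowed


def demo():
    wall = ChineseWall(COI_OF)
    return {  # entries are evaluated top to bottom, so order matters
        "john_reads_oil_a": wall.read("John", "Oil A"),          # free choice
        "john_reads_bank_a": wall.read("John", "Bank A"),        # other CoI
        "john_reads_oil_b": wall.read("John", "Oil B"),          # wall: same CoI as Oil A
        "john_writes_bank_a": wall.can_write("John", "Bank A"),  # would leak Oil A
        "jane_reads_oil_b": wall.read("Jane", "Oil B"),
        "jane_writes_oil_b": wall.can_write("Jane", "Oil B"),    # single dataset so far
        "jane_reads_bank_a": wall.read("Jane", "Bank A"),
        "jane_writes_oil_b_after": wall.can_write("Jane", "Oil B"),  # Sandhu's criticism
    }
```
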

References

• Rick Wayman. What is the "Chinese Wall" and why is it in the News. ResearchStorck.com, 2001.
• D. Brewer and Dr. M. Nash. The Chinese Wall Policy. Proc. IEEE Symposium on Research in Security and Privacy, May 1989, Oakland, California.
• Ravi S. Sandhu. A Lattice Interpretation of the Chinese Wall Policy. Proc. of 15th NIST-NCSC National Computer Security Conference, October 1992, Baltimore, USA.
• V. Atluri, S. Chun, P. Mazzoleni. A Chinese Wall Security Model for Decentralized Workflow Systems. Proc. of 8th ACM Conference on Computer and Communications Security (CCS-8), November 2001, Philadelphia, USA.

Role Based Access Control (RBAC) Model

RBAC: Motivations

• One challenging problem in managing large systems is the complexity of security administration
• Whenever the number of subjects and objects is high, the number of authorizations can become extremely large
• Moreover, if the user population is highly dynamic, the number of grant and revoke operations to be performed can become very difficult to manage

RBAC: Motivations

• End users often do not own the information for which they are allowed access. The corporation or agency is the actual owner of data objects
• Control is often based on employee functions rather than data ownership
• RBAC has been proposed as an alternative approach to DAC and MAC both to simplify the task of access control management and to directly support function-based access control

RBAC: Basic Concepts

• Roles represent functions within a given organization and authorizations are granted to roles instead of to single users
• Users are thus simply authorized to "play" the appropriate roles, thereby acquiring the roles' authorizations

RBAC: Benefits

• Because roles represent organizational functions, an RBAC model can directly support security policies of the organization
• Granting and revoking of user authorizations is greatly simplified
• RBAC models have been shown to be policy-neutral

RBAC

• DBMS vendors have recognized the importance and the advantages of RBAC, and today most of the commercial DBMSs support RBAC features to some extent
• There is some consensus on a standard RBAC model
• The NIST model [Sandhu, Ferraiolo, Kuhn 00] has been the first step towards the definition of a standard
• A recent definition is by ANSI: American National Standard for Information Technology – Role Based Access Control. ANSI INCITS 359-2004, February 2004

NIST Model

• Three main levels of increasing functional capabilities
  – Core RBAC – also called Flat RBAC
  – Hierarchical RBAC
  – Constrained RBAC