PRIVILEGE STATES BASED
ACCESS CONTROL FOR
FINE GRAINED
INTRUSION RESPONSE
Ashish Kamra, Elisa Bertino
Purdue University
Presenter:
Ashish Kundu
1
The Real Authors
[email protected]
[email protected]
2
Motivation
 Databases
 Anomaly Detection
 Anomaly Response
 Access Control
3
4
Access Control Decision
Semantics
Allow
Deny
Request
Reference
Monitor
5
Extended Decision Semantics
Allow
Deny
Request
Reference
Monitor
Taint
Suspend
6
Primary Contribution
Mechanism to enhance the
decision semantics of an
access control implementation
7
Why do we want to do that?
8
Support for fine-grained
intrusion response
Detection
engine
Request
Response
engine
Drop
Request
Anomaly
Log
Request
2nd factor of
authentication
Passive
Monitoring
9
Mapping
Passive
Monitoring
Taint
decision
semantic
2nd factor of
authentication
Suspend
decision
semantics
10
Privilege States - glue for
the mapping
 Assign states to privileges
 Response system changes privilege state
 fine-grained response actions
 Response : access control decision semantics
11
Privilege States
 “state” to every privilege
 a user or role
 Five privilege states
DENY
SUSPEND
TAINT
GRANT
UNASSIGN
12
Privilege State Semantics
 “DENY”: negative authorizations
 “SUSPEND”: request suspension
 “TAINT”: request tainting
 “GRANT”: standard SQL GRANT
 “UNASSIGN”: standard SQL REVOKE
13
Example
 U1 is a member of role R1
 DBA assigns
 SELECT privilege in DENY on T1 to user U1
 SELECT privilege in TAINT on T1 to role R1
 Privilege state of SELECT on T1 for U1 ???
14
Privilege State Dominance
DENY
SUSPEND
X
means ‘X’ overrides ‘Y’
TAINT
Y
GRANT
UNASSIGN
15
Privilege State Transitions
unassign
+
+
grant
deny
?
suspend
/
taint
GRANT
REVOKE
?
/
/
?
?
/
+
DENY
TAINT
/
?
+
SUSPEND
?
16
Formal model
For details, please refer to the paper …
17
Considering Role Hierarchies
 Role hierarchy based on privilege inheritance
R_parent
{insert}
{select}
R_child
{select}
 What about privileges in “deny”, “suspend”
and “taint” states?
18
Privilege Orientation Modes
unassign, grant
up
down
deny, taint, suspend
neutral
19
Privilege Propagation
R8
R5
R6
{select,grant}
R7
{insert,deny,down}
R2
R3
R4
{select,grant}
{insert,deny,down}
R1
Recursive Propagation
20
Implementation in PostgreSQL
 New SQL commands
 TAINT, SUSPEND
 Enhanced Access Control Lists
 To support privilege states and orientation modes
 Re-authentication procedure for a privilege in
“suspend” state
21
Access Control Check Overhead
No Role Hierarchy
Overhead (microseconds)
60
50
40
BASE
30
PSAC
20
10
0
16
32
64
128
ACL Size
256
512
22
Access Control Check Overhead
With Role Hierarchy
Overhead (microseconds)
120
100
80
BASE
60
PSAC
40
20
0
16
32
64
128
ACL Size
256
512
23
Conclusions
 Fine-granular access control in databases
 Anomaly response mechanisms
 Facilitates policy development
 Formal model and experimental evaluation
24