Dan Fleck
CS 469: Security Engineering
Coming up: Access Control Policies
Access Control
Policies
1
These slides are modified with permission from Bill Young (Univ of Texas)
Access Control Policies
• The basic idea is to introduce rules that control what accesses
(i.e., actions) subjects may take with respect to objects.
Coming up: Aside: MAC vs. DAC
• The Bell and LaPadula Model is an example of an Access
Control Policy. This is a popular way of conceptualizing and
implementing security.
2
Aside: MAC vs. DAC
Specifically, BLP is a mandatory access control system, as distinguished
from a discretionary system.
Discretionary Access Controls (DAC): rule enforcement may be waived
or modified by some users.
What that means for BLP is that no access is ever allowed unless it
satisfies the Simple Security Property and *-Property.
Contrast that with Unix file protection system; Unix implements DAC
since file protections can be modified by a file’s owner.
Coming up: Access Control Matrix
Mandatory Access Controls (MAC): rules are enforced on every
attempted access, not at the discretion of any system user;
3
Access Control Matrix
Coming up: BLP Access Control
Matrix
In general, any access control policy can be represented by an
access control matrix (ACM). Given all subjects and objects in
the system, the matrix shows explicitly what accesses are
allowed for each subject/object pair.
4
BLP Access Control Matrix
Subjects
Level
Objects
Level
Subj1
(H,{A,B,C})
Obj1
(L,{A,B,C})
Subj2
(L,{})
Obj2
(L,{})
Subj3
(L,{A,B})
Obj3
(L,{B,C})
The following is the associated access control matrix.
Obj1
Obj2
Obj3
Subj1
R
R
R
Subj2
W
R,W
W
Subj3
W
R
-
Using the dominates relationship, which are R, W, both, neither?
Coming up: Access Control Matrix
Suppose we had a BLP system with exactly three subjects and
objects with the given labels. Suppose also that H > L.
5
Access Control Matrix
The matrix is implicit in the rules (Simple Security and the *Property), so access permissions can be computed on the fly.
Coming up: Real MAC
Implementations
As with any access control policy, you could define an ACM for a
large Bell and LaPadula system. However, the matrix would be
huge for most realistic systems.
6
• SELinux has MAC options built into the kernel. These are used
by default on Red Had (in a limited way)
• SUSE and Ubuntu apply MAC using AppArmor which focuses
on programs (not users)
• Windows from Vista forward implements Mandatory Integrity
Control (MIC) and Integrity Levels which a user/process acts:
• Low, medium, high, system, trusted installer
• Apple’s OS X implements MAC using a TrustedBSD
implementation
Versions of MAC are quite common, although
none are used exclusively!
Source: http://en.wikipedia.org/wiki/Mandatory_Access_Control
Coming up: Lessons
Real MAC Implementations
7
Lessons
• BLP is also an example of a mandatory policy in that the rules
are enforced on every attempted access.
• Any access control policy can be modeled as an explicit matrix.
End of presentation
• BLP is an example of a class of policies called “access control
policies.”
• Most current operating systems use MAC in some limited way.
8
7