Access Control Mechanisms

Who gets access: Principal vs users

• Users are people
• Principal: the agents/software representing
users, communicating entities, or system
processes.
• A principal has associated privileges specifying
the resources it is authorized to access.
 Access Control Matrix
• Columns of access control matrix
file1 file2 file3
r=read
Andy rx r rwo w=write
Betty rwxo r x=execute
Charlie rx rwo w o=own (creator, allowed to
change (discretionary)
access control for the file

Access control list/ACLs (ah-ka-al):

• file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) }
• file2: { (Andy, r) (Betty, r) (Charlie, rwo) }
• file3: { (Andy, rwo) (Charlie, w) }
 Abbreviations (instead of ACL)
• ACLs can be long … so combine users
– UNIX: 3 classes of users: owner, group, everyone else
– rwx rwx rwx
everyone else
owner group (not owner’s group)
owner
– Ownership assigned based on creating process
• Group is the group of the creator of the file (but can be changed)
• Some systems: if directory has setgid permission, then file owned by group of directory (SunOS, Solaris). In this case, the
access control for the group depends on the location of the file, not the creator
– Left over rules right
• That is, the left-most is for the owner
• Middle is for user that are not the owner and in owner group
• Right-most is for user that are not the owner and not in the owner group
• Binary
– Text: r w x r w x r w x
– Binary: 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1
– E.g.,
• Text: rw- r-- --x
• Binary: 110 100 001
• Decimal: 6 4 1
• Number: 641
– E.g.,
• text: r– rw- rwx
• Binary: 4 6 7
• Number: 467
 Linux Abbreviations
• Make a file
– echo “123” > my_test_file.txt
– cat my_test_file.txt
• ls –l my_test_file.txt
• chmod 400 my_test_file.txt
 Linux Abbreviations
• Change file owner
– chown my_test_user my_test_file.txt
– Check ls –l
• It shows who is the owner
– Check access with cat my_test_file.txt
• Change access
– chmod 440 my_test_file.txt
• Need sudo since user is not the owner
• Change group
– chgrp my_test_group my_test_file.txt
• Check with ls –l
• Check access with cat my_test_file.txt
 Abbreviations vs ACL
(ACL = access control list)
• ACL specify exactly which user has which access
• Abbreviations only have three types of user
– The owner/creator
– Users in the owner-group
– Everyone else
• Abbreviations cannot assign arbitrary access control

Four people
Three files
Can we assign creator and
groups to achieve the desired
access control
 Linux ACLs
– In linux,
• type ls –l
– Shows user | group | others
– Too limited
– Allow my_test_user access via
– Users and groups ACL
• View current groups • Make file my_test_file.txt
– groups – gedit my_test_file.txt &
– Or, if any supplementary groups, then – Type something and save
» cat /etc/group
» NOTE: group no s, not groups • Show ACL
• List all users – getfacl my_test_file.txt
– cut –d: -f1 /etc/passwd • Add user
• List groups a user belongs to – setfacl –m u:my_test_user:rwx
– groups user my_test_file.txt
• make a user • Check
– sudo adduser my_test_user
– getfacl my_test_file.txt
• Add user to a group
– Check groups and groups id – Clean up
» cat /etc/group
» (see next slide for interpretation of values) • Remove group
– See the group id of the user we just added. Make a group – sudo groupdel <group_name>
with the next id (e.g., 1002)
» sudo groupadd -g group-ID my_test_group
• Check
– Check – cat /etc/group
» cat /etc/group – Is my_test_user in this group still?
– sudo usermod -G <group-name> username • Remove user
– Check
 cat /etc/group

1. group_name: It is the name of group. If you run ls -l command, you

will see this name printed in the group field.
2. Password: Generally password is not used, hence it is
empty/blank. It can store encrypted password. This is useful to
implement privileged groups.
3. Group ID (GID): Each user must be assigned a group ID. You can
see this number in your /etc/passwd file.
4. Group List: It is a list of user names of users who are members of
the group. The user names, must be separated by commas
 Permissions in IBM AIX
Access control for a particular file, instead of rw- r-- ---, we have

attributes:
base permissions
owner(bishop): rw-
group(sys): r--
others: ---
extended permissions enabled
specify rw- u:holly
permit -w- u:heidi, dev
permit rw- u:matt
deny -w- u:holly, g=faculty

Specify = override
Permit = add rights
Deny = delete rights if they exist
ACCESS CONTROL CHALLENGES
 Challenges: ACL Modification
• Who can change access control?
– For files: creator is given own right that allows this
– For databases, there is grant privilege.
• A user with grant privilege can grant others privilege
• In databases, this is called “grant option”
 Challenges: Privileged Users
• Do ACLs apply to privileged users (root)?
– Linux – super users can rwx and also modify ACL
– Solaris: If abbreviated lists are used, the root has full access. But the augmented
ACL allows root access to be denied.
– Other vendors: varies
• Privileged users might not have a need to know to the data stored in the
machine.
– Need-To-Know:
• DB admin’s role: Keep DB software up to date, keep DB running smoothly, …
• Does the DB admin need to have access to the DB data (e.g., health records)?
• Does the DB admin control who has access to the DB
– If so, the DB admin could provide themselves with access.
• In this way, Linux’s access control has a vulnerability
– Difficulties
• If the admin does not have access to the entire DB files, then the admin might not be
able to maintain the DB
• E.g., the admin does not have access to password file, but the DB upgrade needs to
change the password file format.
 Challenges: Conflicts
• Deny access if any entry would deny access
– AIX: if any entry denies access, regardless or rights given
so far, access is denied
• Apply first entry matching subject
– Cisco routers: run packet through a list of access control
rules (ACL entries) in order; on a match, stop, and forward
the packet; if no matches, deny
• Note default is deny so honors principle of fail-safe defaults
Challenges: Handling Default Permissions

• Apply ACL entry, and if none, then use defaults

– Cisco router: apply matching access control rule, if
any; otherwise, use default rule (deny)
• Augment ACL can augment the defaults
– E.g., change default permission to allow
– Windows allows the default permission to be
“allow” with other specific permissions “deny” or
“allow” (we’ll see this in detail soon)
 Challenges: Revocation
• How do you remove subject’s rights to a file?
– Owner deletes subject’s entries from ACL, or rights from
subject’s entry in ACL
• What if ownership or grant is involved?
– Depends on system
– If user had GRANT permission, and the user’s permissions are
removed, then restore ALL permissions to how they were
before that user was given permissions
• May mean deleting descendent rights too …
• If file is already open, then ACL might not have any impact
– Or if user is logged into the system, it might not have any impact
• Because during the log on process, the user system is given a secure id
that includes all permissions
 Window Access Control Lists
• ACLs contain access control entries (ACE)
• ACE has a trustee and access rights
• Trustee
– User account
– Group account
– Logon session
• Recall that in windows you can right-click to run with admin privileges
• A securable object has an associated security descriptor
• security descriptor has two types of ACLs, namely, DACLs and SACL
– DACL – discretionary ACL
• Discretionary means set by people as oppose to mandatory
– SACL – system ACL: access controlled by SACL triggers a log entry when access is successful or
unsuccessful (auditing)

• Windows has an API for working with ACL, they are not accessed directly by an
application
– The application cannot read the DACL object, only get the results (that is, access allowed or
access is denied)
 Windows: Search ACL
• Trustee (or subject)
– Token is used to identify the trustee
– Primary access token
• Belongs to the thread/process
– Impersonation token
• E.g., database process has a token, but when a user is accessing
data, the database should impersonate the user
– When a user is accessing the database, the database app is
accessing data on behalf of the user. The database app uses an
impersonation token
– Note that the database is always running, so the database app
cannot use the users token, as oppose to when a user starts an
app
• When a set of access (e.g., r+w) are requested, the
system examines each ACE in sequence until one of
• Thread A requests r+w the following events occurs:
access. Denied because ACE – An access-denied ACE explicitly denies any of the
requested access rights to one of the trustees listed in the
is checked before ACE 2
thread's access token.
• ACE 3 implements allow by
– One or more access-allowed ACEs for trustees listed in the
default, but this needed to
thread's access token explicitly grant all the requested
be explicitly configured access rights.
• If ACE 1 is last, then Andres – All ACEs have been checked and there is still at least one
would get access, because requested access right that has not been explicitly allowed,
once the access question is in which case, access is implicitly denied.
answered, iteration through
• Deny by default
the list is stopped
• Sequence of ACE is used to resolve conflicts
 Object

DACL
• Access denied 1. Suppose Stephan is in group C
ACE 1
• Stephan 1. Can Stephan read the file?
• Read, write, 2. Suppose Stephan and in Group B
execute
1. Can Stephan Write to the file?
• Access allowed 3. Suppose Sam is in Group A and B
ACE 2 • Group A
• Write, execute 1. Can Sam Write to the file?
4. Suppose Sam is in Group A and B
• Access denied
ACE 3 • Group B
1. Can Sam Read to the file?
• Write 5. Suppose Sam is in Group B
1. Can Sam get Read+Write access to the file?
• Access allowed
ACE 4 • Group B
6. Suppose Mary is in Group C
• Read 1. Can Mary read the file?
7. Suppose Mary is in Group C
• Access allowed 1. Can Mary write to the file?
ACE 5 • everyone
• Read
 Does changing the order have an impact?
Object

DACL
1. Suppose Stephan is in group C
1. Can Stephan read the file?
2. Suppose Stephan and in Group B
1. Can Stephan Write to the file?
• Access allowed 3. Suppose Sam is in Group A and B
ACE 2 • Sam
• Write, execute 1. Can Sam Write to the file?
4. Suppose Sam is in Group A and B
• Access denied
ACE 3 • Group B
1. Can Sam Read to the file?
• Write 5. Suppose Sam is in Group B
1. Can Sam get Read+Write access to the file?
• Access allowed
ACE 4 • Group B
6. Suppose Mary is in Group C
• Read 1. Can Mary read the file?
7. Suppose Mary is in Group C
• Access allowed 1. Can Mary write to the file?
ACE 5 • everyone
• Read

• Access denied
• Stephan
ACE 1
• Read, write,
execute
 Windows NT ACLs
• Different sets of rights
– Basic: read, write, execute, delete, change permission, take ownership
– Generic:
• no access,
• read (read/execute),
• change (read/write/execute/delete),
• full control (all),
• special access (assign any combination of the basics)
– Access control for a directory:
• no access,
• read (read/execute files in directory),
• list,
• add,
• add and read,
• change (create, add, read, execute, write files; delete subdirectories),
• full control,
• special access
– Default is deny
 Role-based Access Control (RBAC)
• Access depends on function, not identity
– Example:
• Allison, bookkeeper for Math Dept, has access to financial records.
• She leaves/changes jobs.
– Challenge: If ACLs are used, the ACL needs to be change for each file
• Betty hired as the new bookkeeper, so she now has access to those records
– Challenge: If ACLs are used, the ACL needs to be change for each file
– The role of “bookkeeper” dictates access, not the identity of the individual.
– Solution: Assign access based on role (i.e., job), not based on identify
• That is, assign access based on job not person’s user name
– RBAC
• Assign access to roles
– E.g., bookkeeper gets access to set of files
» Once this is set up, it never changes
• Assign people to roles
– When people change jobs, their role changes
• Access control is based on the user’s role and the access allowed by that role
– Automatically solves the problem of adjusting access control when people change jobs
 Definitions
trans(r), actr(s), authr(s), canexec(s,t)

• Role r: collection of job functions

– trans(r): set of authorized transactions for r
• Active role of subject s: role s is currently in
– actr(s)
– Allows someone to logon as bookkeeper or as purchasing
– Recall adjustable level in multi-level access control
• Authorized roles of a subject s: set of roles s is
authorized to assume
– authr(s)
– E.g., authr(me) = {professor, CTO}
• canexec(s, t) is true iff subject s can execute transaction t
at current time
 Examples
trans(r) is the set of transactions allowed by someone in role r. Let’s consider the special case where
trans(r) = the set of files someone can read in role r

• Trans(r): the set of files someone can read in role r • Authr(s) is the set of all possible roles that subject s can
– trans(professor) = {grading sheets, class list, homework take
assignments, turned in homework} – Authr(John) = {student}
– trans(student) = {homework assignment, class videos, graded – Authr(Stephan) = {CTO, Professor}
homework}
– Authr(Olivia) = {student}
– trans(dean) = {homework assignment, class videos}

– Authr(Sam) = {Tech lead in group A, programmer in group A)

– trans(CTO) = {plans for project A, plans for project B, hiring plans,
code, engineering salaries, project A status, project B status} – Authr(Lisa) = {tech lead in group B, programmer in group B)
– trans(programmer in group A) = {code set A, plans for project A} – Authr(Ivan) = {programmer in group A)
– trans(programmer in group B) = {code set B, plans for project B}
– trans(tech lead in group A) = {code set A, plans for project A, • Homework: Answer the following true or false and if false
project A status} explain why
– trans(tech lead in group B) = {code set B, plans for project B, project
– Canexec(John, open homework assignment) = true/false ?
B status}
–
– Canexec(Stephan, open plans for project A) = true/false ?
trans(CEO) = {hiring place, engineering salaries, project A status,
project B status} – Canexec(Olivia, open homework assignment) = true/false ?
•
– Canexec(Ivan, code set A) = true/false ?
• actr(s) role subject s is in at the current time (now) – Canexec(Sam, status project A) = true/false ?
– Actr(Stephan) = professor – Canexec(Lisa, code set A) = true/false ?
– Actr(Olivia) = dean
– Actr(John) = student

– Actr(Sam) = CEO
– Actr(Lisa) = tech lead in group B
– Actr(Ivan) = programmer in group A
 Examples
trans(r) is the set of transactions allowed by someone in role r. Let’s consider the special case where
trans(r) = the set of files someone can read in role r

• Trans(r): the set of files someone can read in role r • Authr(s) is the set of all possible roles that subject s can take
– trans(professor) = {grading sheets, class list, homework assignments, – Authr(John) = {student}
turned in homework, to do list} – Authr(Stephan) = {CTO, Professor}
– trans(student) = {homework assignment, class videos, graded – Authr(Olivia) = {student}
homework}
– trans(dean) = {homework assignment, class videos}
– Authr(Sam) = {Tech lead in group A, programmer in group A)
– Authr(Lisa) = {tech lead in group B, programmer in group B)
– trans(CTO) = {plans for project A, plans for project B, hiring plans,
code, engineering salaries, project A status, project B status, to do list} – Authr(Ivan) = {programmer in group A)
– trans(programmer in group A) = {code set A, plans for project A}
– trans(programmer in group B) = {code set B, plans for project B} • Homework: Answer the following true or false and if false
– trans(tech lead in group A) = {code set A, plans for project A, project A explain why
status}
– Canexec(John, open homework assignment) = true/false ?
– trans(tech lead in group B) = {code set B, plans for project B, project B
status} – Canexec(Stephan, open plans for project A) = true/false ?
– trans(CEO) = {hiring place, engineering salaries, project A status, – Canexec(Olivia, open homework assignment) = true/false ?
project B status} •
– Canexec(Ivan, code set A) = true/false ?
– Canexec(Sam, status project A) = true/false ?
• actr(s) role subject s is in at the current time (now) – Canexec(Lisa, code set A) = true/false ?
– Actr(Stephan) = professor
– Actr(Olivia) = dean – Could Stephan allow student’s to get access to project plans A
– Actr(John) = student • Yes, entering into CTO role, copying project plans A to “to do list”,
changing role to prof. Copying to do list to homework assignments
– Actr(Sam) = CEO
– Actr(Lisa) = tech lead in group B
– Actr(Ivan) = programmer in group A
 Separation of Duty / Privilege
• Recall risk-based analysis where we detected we could reduce risk by separating DB
administrator from Back-up Administrator
– How can we enforce this separation? DB admin and Back-up Admin often have similar resumes
– Can we have a technical security mechanism?
• Investment trader cannot also be an IT admin
– Société Générale
– Jérôme Kerviel join the middle offices working on compliance
– Promoted to junior trader
– Made trades for more than authorized, like 49 billion
– Access not updated
• (perhaps)
– Also, Jérôme knew the details of the compliance system and knew how to get around it
– Also, managers ignored the occasional violation
– We need a technical security mechanism

• RBAC enforced separation of duty/privilege

– Let r be a role, and let s be a subject such that r  auth(s). Then the predicate meauth(r) (for
mutually exclusive authorizations) is the set of roles that s cannot assume because of the separation
of duty requirement.
• If user s can perform role r (e.g., CTO), then user s cannot perform role meauth(r). E.g., CEO in meauth(CTO)
means the CTO cannot also be the CEO