Access control security mechanism and related models

Chapter 1 concept of access control

Access control category

Network Access Control

Host/Operating System Access Control

Application access control

Application of encryption in Access Control System

Chapter 2 Mandatory Access Control and autonomous access control

Mandatory Access Control (MAC)

Independent access control (DAC)

Chapter 3 Access Control Model

BELL-LAPADULA confidentiality Model

Lattice Security Model

Biba integrity Model

Clark Wilson Integrity Model

Chinese wall model

Introduction

Access control is widely used in firewalls, file access,VPNAnd physical security. All these technologies can be attributed to several types of access control models. This article will introduce them one by one and describe them with examples to help designers solve security problems in a changing environment.

Chapter 1 concept of access control

Access control is the core content of the information security assurance mechanism. It is the main means to achieve data confidentiality and integrity mechanisms. Access control aims to restrict the access permission of the access subject (or the initiator) to access the object (resources to be protected) by an active entity, such as a user, process, or service, so that the computer system can be used within the legal scope. The access control mechanism determines what the user can do and how much the program can do to represent a certain user's interests.

Two important processes of access control:
1. Identify (Authentication) "To check the legal identity of the subject
2. Authorize (Authorization) "To limit the user's access level to resources

Access includes reading data, changing data, running programs, and initiating a connection.

Access control category

Because of the different basic concepts, access control can be divided into the following two types:

• Mandatory Access Control)
• Discretionary Access Control)
  (This article will introduce the mandatory access control and autonomous access control in the second chapter .)

For example, when a user logs on toWindowsSystem Time,WindowsThe file access control mechanism checks which files in the system can be accessed by the user.

Ram has the following actions: Reading data, running executable files, and initiating network connections.

Access Control Application Type

Depending on the application environment, there are three types of access control:

• Network Access Control
• Host and Operating System Access Control
• Application access control

Network Access Control

Figure 1-1

The application of the access control mechanism in the network security environment mainly limits the connections that users can establish and the data transmitted over the network. This is the traditional network firewall. The firewall filters network sessions and data transmission as network boundary congestion points. Based on the performance and functions of the firewall, this control can reach different levels.

The firewall can implement the following types of access control:

1) Connection Control: controls which application endpoints can establish connections. For example, the firewall can control some internal users to initiate connections between external web sites.

2) Protocol control controls what operations a user can perform through an application. For example, the firewall allows users to browse a page and refuse users to publish data on untrusted servers.

3) Data Control: the firewall can control the passage of application data streams. For example, the firewall can block viruses in email attachments.

The scale of firewall access control depends on the technologies it can implement.

Host/Operating System Access Control

Figure 1-2

Currently, mainstream operating systems provide access control functions at different levels. Generally, the operating system uses the access control mechanism to restrict access to files and system devices.

For example: Windows NT/2000The application access control list of the operating system is used to protect local files. The Access Control List specifies that a user can read, write, or execute a file. The file owner can change the attributes of the file access control list.

Application access control

Access control is often embedded into applications (or middleware) to provide more fine-grained data access control. When access control needs to be implemented based on data records or smaller data units, the application will provide its built-in access control model.

For example, most databases (suchOracle) Provides access control mechanisms independent of the operating system,OracleUse its internal user database, and each table in the database has its own access control policy to control access to its records.

Another typical example is an e-commerce application that authenticates a user's identity and places it in a specific group. These groups have access to a part of the data in the application.

Application of encryption in Access Control System

Encryption methods are often used to implement access control. Or implement access control independently, or as a means to enhance other access control mechanisms. For example, encryption allows only users with decryption keys to have access to specific resources.

　　IPSec VPNUse a strong encryption mechanism to provide access control for users in untrusted networksVPNTransmitted data. In addition, encryption and key management can also implement access control mechanisms, and only have the corresponding key (IPSecTo decrypt and access data.

Data stored on the local hard disk can also be encrypted. Therefore, users in the same system cannot read the data without the corresponding decryption key. This can replace the traditional File Permission control method. Some database products can encrypt the database files on the local disk, which can make up for the lack of the access control mechanism of the operating system.

Chapter 2 Mandatory Access Control and autonomous access control

Mandatory Access Control (MAC)

It is used to protect the objects identified by the system and cannot be changed. That is to say, the system enforces access control independently of user behavior, and users cannot change their security level or object security attributes. Such access control rules generally classify data and users according to security levels. The access control mechanism uses security tags to determine whether to grant or reject user access to resources. Mandatory Access control is very hierarchical, so it is often used for military purposes.

Figure 2-1

In the mandatory access control system, all subjects (users, processes) and objects (files, data) are assigned security labels, which identify a security level.

• The subject (user, process) is assigned a security level
• Objects (files, data) are also assigned a security level.
• Comparison of the security level of the subject and object during access control execution

Use an example to describe the application of a mandatory access control rule, as shown in figureWebThe service runs at the "secret" level. Assume thatWebWhen the server is attacked, the attacker operates at the "secret" security level in the target system and cannot access data with the "secret" and "high secret" security level in the system.

Independent access control (DAC)

The autonomous access control mechanism allows the owner of an object to formulate protection policies for this object. UsuallyDACThe authorization list (or access control list) is used to specify which subjects can perform operations on which objects. In this way, the policy can be adjusted flexibly. Because of its ease of use and scalability, the autonomous access control mechanism is often used in commercial systems.

In autonomous access control, you can develop your own protection policies for protected objects.

• Each subject has a user name and belongs to a group or has a role.
• Each object has an access control list (ACL)
• When an access request occurs, the user ID is checked based on the access control list to control its access permissions.

In a business environment, you will often encounter autonomous access control mechanisms because they are easy to expand and understand. Most systems only implement access control based on autonomous access control mechanisms, such as mainstream operating systems (Windows NT Server, UnixSystem), firewall (ACLS.

Mandatory Access Control and autonomous access control are sometimes used in combination. For example, the system may first execute force access control to check whether the user has the permission to access a file group (this protection is mandatory, that is, these policies cannot be changed by the user ), then, create an access control list (autonomous access control policy) for each file in the group ).

 

Chapter 3 Access Control Model

Bell-LaPadulaThe confidentiality model is the first security policy model that provides classified data confidentiality protection (Multilevel security ).

David Bell, 1973AndLen LaPadulaThe first formal security model is proposed. This model is based on the mandatory access control system and uses sensitivity to divide the security level of resources. A system that divides data into multiple security levels and sensitivity is called a multi-level security system.

Bell-LaPadula (BLP)The security model classifies subjects and objects according to the philosophy of the Mandatory Access Control System. This classification method is generally used for military purposes.

Data and users are classified into the following security levels

• Public (Unclassified)
• Restricted (Restricted)
• Secret (Confidential)
• Confidential (Secret)
• High-density (Top secret)

BLPThe confidentiality model ensures data confidentiality and sensitivity based on two rules:

• Read (NRU), The subject's unreadable security level is higher than its data
• Write down (Nwd), The primary check cannot write data whose security level is lower than its data level.

Data confidentiality should be considered directly. for example. if a user wants to access a document whose security level is "high secret" and whose security level is "secret", he will be able to read the file but cannot write it into it; if the security level is "secret", the user's access security level is "high secret", the reading will fail, but he can write. In this way, the confidentiality of documents is guaranteed.

In addition, security classification cannot be performed directly in the original operating system. That is to say, before solving ease of use and feature singularity,BLPModels cannot be directly used in commercial systems.

 

Figure 3-1Figure 3-1This is an example of user and resource security classification.BLPThe model allows users to read resources with a lower security level than others. On the contrary, the security level of the written object can only be higher than the user level. In short, an information system is a low-to-high hierarchical structure.
 

 

Figure 3-2

Figure 3-2The example shows how to embody the BLP Model Idea in the communication process.BLPThe actual application of the model is rare. When two branch networks of an enterprise need to be interconnected across untrusted networks, we can set virtual security labels for the data transmitted between the two networks, it can be assumed that the security levels of both branches are "confidential", andInternet,VPNAccording to the BLP model,InternetOnly public data can be seen. The data security level between the two branch networks is "confidential". Therefore, the access control mechanism causesInternetUsers cannot access "confidential" data, because VPN uses encryption technology to implement access control.

Another example is the one-way Access Mechanism Implemented by the firewall. It does not allow the flow of sensitive data from the internal network (for example, its security level is "confidential ").Internet(The security level is "public"). All internal data is marked as "confidential" or "highly confidential ". The firewall provides the "Read-on" function to blockInternetFor internal network access, the "Write down" function is provided to restrict inbound traffic to internal data streams only through connections initiated from inside and outside (for example, allowHTTP"Get"Operation rejected"Post"Operation, or block any outgoing emails ).

Lattice Security Model

LatticeThe model divides security boundary PairsBLPThe model is expanded to classify users and resources and allow information exchange between them, which is the basis of the multilateral security system.

The focus of multilateral security is to control the flow of information between different security clusters (departments, organizations, etc.), rather than vertical tests of their sensitivity levels.

The basis for establishing multilateral security is to divide security levels for subjects belonging to different security clusters. Likewise, objects in different security clusters must also be classified into security levels, A subject can belong to multiple security clusters at the same time, while an object can only be located in one security cluster.

When implementing the access control function,LatticeThe model is essentially the sameBLPThe models are the same, whileLatticeThe model pays more attention to the Formation of "Security bundle ".BLPThe "read-write-down" Principle in the model still applies here, but the prerequisite must be that each object is in the same security cluster. The subject and the object are not comparable when they are in different security clusters, so there is no information in them that can be circulated.

For example, if a user has a high security level and is under a security cluster"Alpha", Another security level is" confidential "cluster"Beta"The user in attempts to access files from multiple security bundle. If the user needs to access the bundle"Alpha"Files whose security level is" confidential "are allowed to access, while access to the cluster is allowed"BetaAttempts to "confidential" files in "will be rejected. Attempting to access the cluster"Gamma"Any object in will be rejected because it is in the cluster"Gamma"Does not have any security level

Biba integrity Model

1970s,Ken BibaProposedBibaAccess control model, which provides hierarchical integrity assurance for data, similarBLPConfidentiality model,BibaThe model also uses a forced access control system.

BibaThe integrity model classifies subjects and objects according to the philosophy of the Mandatory Access Control System. This classification method is generally used for military purposes.

Data and users are classified into the following security levels

• Public (Unclassified)
• Restricted (Restricted)
• Secret (Confidential)
• Confidential (Secret)
• High-density (Top secret)

BibaThe model is based on two rules to ensure the confidentiality of data integrity.

• Next read (NRU) Attribute, the subject cannot read data whose security level is lower
• Write on (Nwd) Attribute, the subject cannot write data whose security level is higher than its

From the two attributes, we find thatBibaAndBLPThe two properties of the model are the opposite. The BLP model provides confidentiality, whileBibaThe model guarantees data integrity.

　BibaThe model is not used to design a secure operating system, but most integrity assurance mechanisms are based onBibaBuild two basic attributes of the model.

3-4. If a user with a security level of "confidential" wants to access a document with a security level of "secret", the user will be allowed to write the document but cannot read it. If he attempts to access a "high-key" document, the read operation will be allowed, and the write operation will be rejected. In this way, the resource integrity is guaranteed.

Therefore, only when the security level of the user is higher than the security level of the resource can write the resource. On the contrary, only when the security level of the user is lower than the security level of the resource can read the resource. In short, information can only flow from top to bottom in the system.

Example:

BibaAn example of a model in an application isWebThe access process of the server. -5, definitionWebThe security level of resources published on the server is "secret ",InternetThe user's security level is "public", accordingBibaModel, the data integrity on the web server will be guaranteed,InternetThe user can only read data on the server but cannot change it. Therefore, any"Post"The operation will be rejected.

Another example is the collection of system status information. network devices are used as objects. The assigned security level is "confidential", and the network management workstation's security level is "secret ", the network management workstation can only be used.SNMP"Get"Command to collect the status information of network devices, instead of using"Set"Command to change the device settings. In this way, the configuration integrity of network devices is guaranteed.

 

Clark Wilson Integrity Model

Clark-WilsonThe data integrity security model was proposed in 1987 and is usually used in banking systems to ensure data integrity. This model is slightly complex and is tailored for modern data storage technologies.

Clark WilsonIntegrity models are often used in banking applications to ensure data integrity, and their implementation is based on a forming transaction processing mechanism.

• The system accepts "free data entries (Udi) "And convert it to" restricted data entries (CDI)"
• "Restricted data entries (CDI) "Can only be" converter (TP) "Changed
• "Conversion Program (TP) "Guaranteed" restricted data entries
  CDI"Integrity
• Each restricted data entry (CDI) Has a integrity check program (IVP)
• The access control mechanism consists of three elements (subject,TP,CDI)

Example:
 

Figure 3-6As shown inClark WilsonIntegrity model in e-commerce applications, the user receives the independent data entries (Udi) And by the Conversion Program (TP) Convert it to a restricted data entry (CDI)Cdi1,Cdi1Used to updateCdi2(For example, the customer's order) andCdi3(Such as the customer's Bill), integrity check procedures (IVP) Always check whetherCdi2(Order) andCdi3 (Balance between inbound and outbound traffic, so the integrity of the entire transaction can be ensured.

Chinese wall model

Chinese WallA model is a security model applied to a multilateral security system (that is, an access control system between multiple organizations). It is applied to organizations that may have conflicts of interests. It was initially designed for investment banks, but it can also be applied in other similar scenarios.

Chinese WallThe security policy is based on the fact that the information accessed by the customer does not conflict with the information currently at their disposal. In an investment bank, a bank has multiple competitors at the same time. A banker may work for a customer, but he can access information of all customers. Therefore, bankers should be prevented from accessing data from other customers.

Chinese WallTwo main attributes of the security model:

• You must select an accessible area.
• The user must automatically deny access from other regions in conflict of interest with the user's selected region

This model also includesDACAndMacAttribute: the banker can select who to work (DAC), But once selected, he is only able to work for this customer (Mac).

Application Example:

Figure 3-7

Chinese WallA typical example of applying the security model in the network security system is a server located inside the firewall that connects internal and external networks. If the policy prohibits data forwarding by this server, the server will be exposed to external networks (that is, the server can only communicate with external networks, rather than internal networks)

Figure 3-8

Remote AccessVPNFor exampleInternetUsers and internal networks onVPNAfter the session. As recommended by the China wall security modelInternetCommunication, or communication with the company network, either of which is optional (that is, tunnel is inseparable)

One-way sessions only take place within a limited period of time. The core of this security model is that the user chooses to communicate with one party, and thus gives up the right to talk to the other party.