Access Control

Models: Controlling

Resource

Authorization

Access Control Models:

Controlling Resource

Authorization

Mark Niebergall

@mbniebergall

About Mark Niebergall

▪ PHP since 2005

▪ MS degree in MIS

▪ Senior Software Engineer

▪ UPHPU President

▪ SSCP, CSSLP Certified and SME

▪ Drones, fishing, skiing, father,

husband

Overview

Overview

Access request flow

Define applicable terminology

Cover primary Access Control Models

Discuss pros and cons of each model

Access Request

Flow

Request Resource

Access

Authorize Request

Authenticate

Subject

Request Resource

Access

Authorize Request

Authenticate

Subject

Authentication

Authentication

Know Own Are

Authentication

You are who you say you are

Verify identity

Subject

Subject

Also known as requestor

Human or non-person entity (NPE)

Subject

Making request to access resource

Request Resource

Access

Authorize Request

Authenticate

Subject

Request Resource

Access

Authorize Request

Authenticate

Subject

Resource

Resource

Also known as object

Protected from unauthorized use

Resource

Something the system has or does

▪ Data

▪ Functionality

▪ Hardware

Request Resource

Access

Authorize Request

Authenticate

Subject

Request Resource

Access

Authorize Request

Authenticate

Subject

Authorization

Authorization

Allow an authenticated subject

access to a resource

Authorization

Allow or deny

Subject action on object (CRUD)

Request Resource

Access

Authorize Request

Authenticate

Subject

Request Resource

Access

Authorize Request

Authenticate

Subject

Access Control Model

Definitions

Questions?

Authentication

Authorization

Subject

Resource

Access Control

Model

Access Control Model

Dictates who gets to do what

Access Control Model

Framework for making authorization

decisions

Access Control Model

Deciding subject access to

resources

Access Control Model

#4 on 2017 OWASP Top 10: Broken

Access Control

Access Control Model

Primary Access Control Models

▪ DAC: Discretionary

▪ MAC: Mandatory

▪ RBAC: Role Based

▪ ABAC: Attribute Based

1Discretionary (DAC)

DAC

House keys

Email

DAC

DAC

Files on system

DAC

Clans in gaming

DAC

Subject Resource

DAC

Object owner grants permission

based on subject identity

Access Control List (ACL)

Deny by default

DAC

Subject Resource Authorization

Alice Report Allow

Alice Finance Deny

Alice Customer Allow

Bob Report Allow

Bob Finance Deny

Bob Customer Deny

DAC

SELECT is_allow

FROM acl

WHERE subject = ‘Alice’

AND resource = ‘Customer’

LIMIT 1;

DAC

$acl = new Acl;

$alice = new User(‘Alice’);

$bob = new User(‘Bob’);

$customer = new Resource(‘Customer’);

$acl->allow($alice, $customer);

$acl->deny($bob, $customer);

$acl->isAllowed($alice, $customer);

$acl->isAllowed($bob, $customer);

DAC

Simple implementation

High operational overhead

Access at discretion of resource

owner

DAC

Questions?

2Mandatory (MAC)

MAC

Classified documents

MAC

Military intelligence

MAC

Blog

MAC

Leveled-up character in game

MAC

Search engine rules

MAC

Top Secret

Secret

Confidential

Subject Classification Resource

MAC

Object sensitivity

Subject security level or clearance

Write up, read down

MAC

Owner sets object label

System sets subject security level

MAC

Subject Security

LevelObject Label

Top Secret Secret Confidential

Top Secret Allow Allow Allow

Secret Deny Allow Allow

Confidential Deny Deny Allow

Subject Security Level

Alice Top Secret

Bob Secret

Clara Confidential

Object Label

Report Top Secret

Finance Secret

Customer Confidential

MAC

Level Name

1 Top Secret

2 Secret

MAC

Subject: Security

LevelObject: Label

Report: Top

SecretFinance: Secret

Customer:

Confidential

Alice: Top Secret Allow Allow Allow

Bob: Secret Deny Allow Allow

Clara: Confidential Deny Deny Allow

MAC

SELECT s.security_level

FROM subject s

JOIN security_level sl_s

ON sl_s.name = s.name

JOIN resource r

ON r.resource = ‘Report’

JOIN security_level sl_r

ON sl_r.name = r.name

AND sl_r.level <= sl_s.level

WHERE s.subject = ‘Alice’

LIMIT 1;

MAC

$accessControl = new Mac;

$topSecret = new Level(‘Top Secret’);

$secret = new Level(‘Secret’);

$alice = new User(‘Alice’);

$bob = new User(‘Bob’);

$finances = new Resource(‘Finances’);

$accessControl->addLevel($topSecret, 1)

->addLevel($secret, 2);

$accessControl->addUser($alice, $topSecret)

->addUser($bob, $secret);

$accessControl->addResource($finances, $secret);

$accessControl->isAllowed($alice, $finances);

MAC

Multilevel security

System and owner determine access

No flexibility

Moderate overhead

MAC

Questions?

3Role Based (RBAC)

RBAC

Amazon Prime

RBAC

User roles on a computer

RBAC

Medical care staff

RBAC

LARPing

RBAC

Multiplayer Games

RBAC

Role A

Role B

Role C

Role D

Subject Role Resource

RBAC

Subject assigned to role

Role granted access to resource

RBAC

Subject Role

Alice Accounting

Alice Orders

Bob Payroll

Clara Orders

Clara Reporting

Role Resource

Accounting Finance

Accounting Reports

Orders Inventory

Orders Shipments

Payroll Finance

RBAC

SELECT sr.subject, rr.resource

FROM subject_role sr

JOIN role_resource rr

ON rr.subject = sr.subject

AND rr.role = sr.role

WHERE sr.subject = ‘Alice’

AND rr.resource = ‘Report’

LIMIT 1;

RBAC

$accessControl = new Rbac;

$accounting = new Role(‘Accounting’);

$ordering = new Role(‘Ordering’);

$alice = new User(‘Alice’);

$bob = new User(‘Bob’);

$inventory = new Resource(‘Inventory’);

$accessControl->addRole($accounting)

->addRole($ordering);

$accessControl->addUser($alice)

->addUser($bob);

$accessControl->addResource($inventory);

$accessControl->addUserToRole($alice, $accounting);

$accessControl->addResourceToRole($inventory, $ordering);

$accessControl->isAllowed($alice, $ordering);

$accessControl->isAllowed($bob, $inventory);

RBAC

Role explosion

Toxic combinations

RBAC

Very common

Lower overhead

More scalable

RBAC

Questions?

4Attribute Based (ABAC)

ABAC

Electronic key card system

ABAC

Credit card with monitoring

ABAC

Airport security check

ABAC

Gaming activities

ABAC

Conditional authorization based on

attributes

ABAC

Policy driven

ABAC

Subject Action Resource Environment

Policy

ABAC

Subject Action Environment Resource Access

Manager Create Region A Customer Allow

Manager Update Region B Customer Deny

Data Entry CreateRegion A

Any HourCustomer Allow

Data Entry CreateRegion B

Day ShiftCustomer Allow

Data Entry Create

Region B

After

hours

Customer Deny

ABAC

Subject attributes

Action attributes

Resource attributes

Environment attributes

ABAC

Subject attributes

▪ Who

▪ Where

▪ Roles

▪ Affiliation

▪ Clearance

ABAC

Action attributes

▪ Create, POST

▪ Read, GET

▪ Update, PUT

▪ Delete, DELETE

▪ Execute

ABAC

Resource attributes

▪ Type

▪ Owner

▪ Classification

ABAC

Environment attributes

▪ Time

▪ Network

▪ Operating system

▪ Encryption method

ABAC

Policy Enforcement Point (PEP)

Policy Decision Point (PDP)

PEP sends authorization request to

PDP

ABAC

Gartner predicts 70% of all

businesses will use ABAC by 2020

Keeps eyes on ABAC

ABAC

Attempt to standardize ABAC

policies into XML format is mostly

dead, eXtensible Access Control

Markup Language (XACML)

ABAC

Refined access

Meets demand for more advanced

access control

API access control

ABAC

Typically start with RBAC

implementation and then build onto

it with policies

Custom implementation so no example

ABAC

Questions?

Implementation

Considerations

Considerations

Model Development Operational

DAC

MAC

RBAC

ABAC

Considerations

Model Scalability Granularity Sensitivity

DAC

MAC

RBAC

ABAC

Implementation Considerations

Use cases for application

Sensitivity of resources

Scalability of model

Granularity requirements

Implementation Considerations

Existing frameworks and projects

APIs, external interfaces

Implementation Considerations

Questions?

Review

Review

Review

DAC: simple, high overhead, ACL

MAC: user and resource

classification

RBAC: most common, role driven,

smaller overhead

ABAC: most advanced, policy driven

Review

Operational overhead vs

authorization needs

Consider current implementation

Consider future implementation

Credits

CREDITS

▪ NIST publication on ABAC

http://nvlpubs.nist.gov/nistpubs/specialpublications/NI

ST.sp.800-162.pdf

▪ ABAC for ZF2

https://github.com/Eye4web/Eye4webZf2Abac/blob/master/d

ocs/README.md

▪ Presentation template by SlidesCarnival

▪ Axiomatics webinar, May 2014

http://www.slideshare.net/Axiomatics/attribute-based-ac

cess-control-for-data-protection-webinar-may-8

▪ OWASP

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_

Project

Thanks!

Questions?

Mark Niebergall

@mbniebergall