views:

1916

answers:

4

How would you model a system that handles permissions for carrying out certain actions inside an application?

A: 

hi

go through the following link http://developer.android.com/guide/topics/security/security.html http://technet.microsoft.com/en-us/library/cc182298.aspx

thanks, Murali

murali
+48  A: 

Security models are a large (and open) field of research. There's a huge array of models available to choose from, ranging from the simple:

  • Lampson's Access control matrix lists every domain object and every principal in the system with the actions that principal is allowed to perform on that object. It is very verbose and if actually implemented in this fashion, very memory intensive.

  • Access control lists are a simplification of Lampson's matrix: consider it to be something akin to a sparse-matrix implementation that lists objects and principals and allowed actions, and doesn't encode all the "null" entries from Lampson's matrix. Access control lists can include 'groups' as a convenience, and the lists can be stored via object or via principal (sometimes, via program, as in AppArmor or TOMOYO or LIDS).

  • Capability systems are based on the idea of having a reference or pointer to objects; a process has access to an initial set of capabilities, and can get more capabilities only by receiving them from other objects on the system. This sounds pretty far-out, but think of Unix file descriptors: they are an unforgeable reference to a specific open file, and the file descriptor can be handed to other processes or not. If you give the descriptor to another process, it will have access to that file. Entire operating systems were written around this idea. (The most famous are probably KeyKOS and EROS, but I'm sure this is a debatable point. :)

... to the more complex, which have security labels assigned to objects and principals:

  • Security Rings, such as implemented in Multics and x86 CPUs, among others, and provide security traps or gates to allows processes to transition between the rings; each ring has a different set of privileges and objects.

  • Denning's Lattice is a model of which principals are allowed to interact with which security labels in a very hierarchical fashion.

  • Bell-LaPadula is similar to Denning's Lattice, and provides rules to prevent leaking top-secret data to unclassified levels and common extensions provide further compartmentalization and categorization to better provide military-style 'need to know' support.

  • The Biba Model is similar to Bell-LaPadula, but 'turned on its head' -- Bell-LaPadula is focused on confidentiality, but does nothing for integrity, and Biba is focused on integrity, but does nothing for confidentiality. (Bell-LaPadula prevents someone from reading The List Of All Spies, but would happily allow anyone to write anything into it. Biba would happily allow anyone to read The List Of All Spies, but forbid nearly everyone to write into it.)

  • Type Enforcement (and its sibling, Domain Type Enforcement) provides labels on principals and objects, and specifies the allowed object-verb-subject(class) tables. This is the familiar SELinux and SMACK.

.. and then there are some that incorporate the passage of time:

  • Chinese Wall was developed in business settings to separate employees within an organization that provides services to competitors in a given market: e.g., once Johnson has started working on the Exxon-Mobil account, he is not allowed access to the BP account. If Johnson had started working on BP first, he would be denied access to Exxon-Mobil's data.

  • LOMAC and high-watermark are two dynamic approaches: LOMAC modifies the privileges of processes as they access progressively-higher levels of data, and forbids writing to lower levels (processes migrate towards "top security"), and high-watermark modifies the labels on data as higher-levels of processes access it (data migrates towards "top security").

  • Clark-Wilson models are very open-ended; they include invariants and rules to ensure that every state transition does not violate the invariants. (This can be as simple as double-entry accounting or as complex as HIPPA.) Think database transactions and constraints.

Matt Bishop's "Computer security: art and science" is definitely worth reading if you'd like more depth on the published models.

sarnold
Excellent answer. Interesting read. I am wondering where this overly-simple, but not that uncommon, system fits in your list: "By default, guests have level 0, registered users have level 5, sys admins have level 9. Every action has a level associated with it, and can only be performed by someone at that level or higher."
Oddthinking
@Oddthinking, that simple model could be in several :) but the simplest 'match' is the Ring model. As implemented in the x86, it has four levels, as in your example, and each adds operations that can only be done by that level of code or higher. (What you name them is an orthogonal issue.) I can easily imagine ACL, Capability, Lattice, BLP, and TE implementations of this example as well. I wouldn't be surprised if the others could implement this model too; but simplicity is a good virtue. :)
sarnold
I think you mean "principal": http://en.wikipedia.org/wiki/Security_principal
Frank Schmitt
@Frank, thanks! My spelling is beyond atrocious, thanks for the catches.
sarnold
+1  A: 

I prefer RBAC. Although, you can find it very similar to ACL, but they differ semantically.

Sergiy
A: 

you can add a constraint at model level in a UML diagram.

alt text

related questions