Literature Search of Topics Related to
Flexible Distributed Security Management
Relative to Access Control
Fred Cohen
Sandia National Laboratories
Feb, 1997
Introduction and Context
This brief overview of the literature is based on an initial
investigation into the issues surrounding flexible access controls for
possible future use in remote monitoring of the nuclear test ban treaty,
under the assumption that nation-state monitoring rights change over time
with policy and with the ever-changing geopolitical situation.
We begin by describing some of the well-known and often cited works
related to access control in information systems, briefly examine the issues
of static and dynamic access control and some of the technical limitations
we currently face in these areas, discuss issues related to access control
in distributed systems, consider take-grant systems and other issues related
to revocation, and finally summarize.
Static Access Control
Access control has been widely studied and analyzed. The basics
of access control and the theoretical underpinnings for analyzing access
control in information systems and networks derive from the works of
several authors published in the 1970s and 80s. [Harrison76]
[Cohen86-2] [Bell73] [Denning82] [Biba77] [Denning75]
[Cohen86] [Cohen87-2] An overview of this work is available on-line.
As a general rule, access controls are implemented based on some
sort of marking scheme wherein objects are marked and a decision process is
used to determine whether or not the subject attempting to access the object
is authorized to do so. Basic principles of implementing marking and the
techniques for marking and evaluating markings are outlined in early works in
this area. [Denning82] [Landwehr83] [Klein83] [Cohen86]
An overview of historical work in these areas is available on-line.
This introduces the issue of authentication, because, in order for
authorization (another name for access control) to work, separation
mechanisms must have a reliable way to differentiate between the subjects to
whom they grant authority. An overview of a limited portion of the
historical work in this area is available on-line along with some
less-related information, and this subject matter will not be discussed in
further detail here.
In systems providing controlled access to statistical or similar
content (as opposed to whole files), additional controls are required
related to inferences. A substantial body of work has been done on inference
control. The early part of this work was well summarized in Denning's fine
book on cryptography and data security [Denning82] and in her 1983
paper on the subject. [Denning83-2] Extended labeling has been
demonstrated to augment trusted computing bases to provide enforceable
record-level controls, [Picciotto94] while view-based access control has
been suggested as an alternative labeling scheme for managing fine grained
access controls. [Qian96]
Formal models of access control systems have been studied in some
depth. For example, formal models of capability-based protection systems,
[Snyder81] analysis and synthesis of access control systems,
[Bilbao83] role-based access control, [Giuri96] [Thomsen91]
and validation and verification of access controls [Denning77]
[OShea94] have all received detailed treatment.
In a typical computer system, there are millions of protection bits,
and yet most systems have little or no capability for effectively managing
these bits. [Cohen91] A partial solution to this problem is provided by
security management systems developed in recent years. The simplest of these
systems simply verify that known flaws in protection settings permitting
easy exploit are avoided. [Baldwin90] More complex change-control
systems provide detection of changes in the protection state and allow
automated recovery. [Cohen91] Protection management systems typically go
a step further and provide automation for setting protection according to a
policy. [Bernardi94]
In today's market, there are numerous systems that provide automated
protection management of heterogeneous networks of computers based on
central policy specifications, distribute these settings through
cryptographically secured protocols, analyze audit trails from these diverse
systems, and report on and react to detected intrusions. This is a special
case (two-level) of a hierarchical protection system. Hierarchical protection
systems have been studied for some time, both in their application to
networks [Wu81] [Cohen87-8] and in their application within a trusted
computing base under the name of roles.
Dynamic Access Control
While protection setting in the static case is non-trivial and, in
most computer systems, inadequately managed, things become far
more complex when issues of time are considered. We will consider only
operation within a single processor environment in this section to retain as
much simplicity as possible. Some of the issues are outlined here:
- Synchronization and races: Within a single system, many events
may be happening nearly simultaneously. Timesharing provides the means for
multiple processes to have near-simultaneous access, but access controls are
typically implemented under the assumption that only a single process is
present. Race conditions have been induced when (for example) a trusted
process creates a file, writes to it, then sets privileges to allow that file
to run as a trusted process. If the attacker can induce a rename operation
after the file is created and written, but before the protection mode is
changed, they can (for example) substitute their own file content for the
trusted program. This class of problems can be solved by more careful
implementation of trusted processes, for instance by creating the file with
a restrictive mode from the outset and applying later protection changes
through the open descriptor rather than by name, so that they bind to the
object actually created rather than to whatever currently occupies the path.
- Opened files and inconsistencies: Suppose a file is readable by a
given user, opened for read access by that user, and is being read when the
protection is changed. This is inconsistent with the semantics of most modern
computer languages, which do not have error return values for, and are not
designed to operate across, a change in protection state. Even if they
did, how should a program react to such a change, and what are the
implications of partially completed operations that can only be completed
based on the availability of information that is no longer available? An
even more complicated situation is one where a directory in which a readable
file resides has its protection changed while the file is being read. Is the
system to track each directory containing a given file all the way up the
file tree and instantaneously alter the readability to operating programs as
those changes take place? No system does this today.
- Dynamic resource allocation: Further complications come when the
program pre-allocates resources for a process based on availability of
resources, and then finds that the resources become dynamically unavailable
as a result of protection changes during operation. How are we to design
systems so that all resource allocations can be dynamically reset after those
resources have been partially used?
- Programming errors because of static assumptions: Almost every
program is written under the assumption that the protection state of the
machine is static, and the vast majority of programs can be made to fail if
this assumption is not very nearly true.
- Access change races: When two users or processes are both
changing the protection state of the same directories and files, the order
of execution dictates the final protection state. This means that some of
the possible outcomes will likely be inconsistent with the states expected
by both of these processes or users - perhaps some of the changes will even
fail because of sequencing problems.
- Testing: We have no way to test systems reliably for their
actions under dynamic access control conditions. The few tests that have
been done are not encouraging. [Cohen94] They indicate that dynamic
access controls produce unpredictable results for some period after changes
are made and that testing under timing conditions is far too complex to be
done with substantial coverage.
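The create-write-chmod race in the first item above, shown as an added example (not code from the original survey) in Python on a Unix filesystem. The attacker action, the file names, and the use of mode 0755 as a stand-in for the trusted (setuid) mode of the real case are constructed assumptions. The vulnerable variant applies the mode by path; the hardened variant creates the file exclusively with a restrictive mode, applies the final mode through the open descriptor, and checks that the directory entry still names the inode it created:

```python
import os
import stat
import tempfile

# Stand-in for the trusted/setuid mode of the real case (assumption for the demo).
TRUSTED_MODE = 0o755


def attacker_swap(path):
    """Constructed attacker action: during the window between the trusted
    process's write and its chmod, rename an attacker-chosen file over `path`."""
    evil = path + ".attacker"
    with open(evil, "wb") as f:
        f.write(b"#!/bin/sh\necho attacker\n")
    os.chmod(evil, 0o644)        # attacker's file starts out neither executable nor trusted
    os.rename(evil, path)        # atomic replacement of the directory entry


def vulnerable_install(path, content, during_window=None):
    """Create, write, then chmod *by path*.  The chmod applies to whatever
    object is named by `path` at that instant, not to the file we wrote."""
    with open(path, "wb") as f:
        f.write(content)
    if during_window:
        during_window(path)      # the race window
    os.chmod(path, TRUSTED_MODE)
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {"mode": stat.S_IMODE(st.st_mode), "content": data}


def hardened_install(path, content, during_window=None):
    """Create exclusively with a restrictive mode, keep the descriptor, change
    the mode through the descriptor (fchmod) so it binds to the inode we
    created, then detect whether the name was swapped underneath us."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, content)
        if during_window:
            during_window(path)  # same window, but the attacker gains nothing
        os.fchmod(fd, TRUSTED_MODE)
        ours = os.fstat(fd)
        now_at_path = os.stat(path)
        swapped = (ours.st_ino, ours.st_dev) != (now_at_path.st_ino, now_at_path.st_dev)
    finally:
        os.close(fd)
    return {
        "mode_of_ours": stat.S_IMODE(ours.st_mode),
        "mode_at_path": stat.S_IMODE(now_at_path.st_mode),
        "swapped": swapped,
    }


def demo():
    """Run both variants with and without the attacker in a scratch directory."""
    trusted = b"#!/bin/sh\necho trusted\n"
    with tempfile.TemporaryDirectory() as d:
        v = vulnerable_install(os.path.join(d, "tool-v"), trusted, attacker_swap)
        h_attacked = hardened_install(os.path.join(d, "tool-h1"), trusted, attacker_swap)
        h_clean = hardened_install(os.path.join(d, "tool-h2"), trusted)
    return {"vulnerable": v, "hardened_attacked": h_attacked, "hardened_clean": h_clean}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the vulnerable run the attacker's content ends up carrying the trusted mode, because chmod by name binds to whatever currently occupies the name. In the hardened run the trusted mode lands on the inode the trusted process created (now unlinked), the attacker's file keeps its own mode, and the swap is visible from the mismatch between fstat on the descriptor and stat on the path, which is the check a trusted installer should make before publishing the result.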
In practice, all of these phenomena have been observed both in
experiments and in real-world attacks against computer systems. There are
solutions to many of these challenges, but they all involve substantially
increased programming cost and a level of sophistication rarely found in
modern programmers. Language support to address these issues is also
lacking, making the task system dependent and manual.
Substantial results have been attained relating to these issues.
[Istrail93] [Trueblood86] [Bishop96] [Cohen94]
Distributed System Issues
Dynamic access control is a highly complex problem in a single
system, but when dynamic access control is distributed throughout a network,
things get even more complex. Several key issues have to be addressed:
- Commensurability: Heterogeneous networks typically include
components like routers, switches, firewalls, gateways, PCs, Unix boxes, VMS
systems, mainframes, and Macintosh computers. The protection models used in
these systems are quite different - to the point where concepts such as
directory protection, user identity, and network addresses aren't even
available in all of the systems, or in other cases, don't mean the same
things. The result is that, while an access control requirement may indicate
that Joe cannot read File-A, this doesn't translate cleanly into a
configuration on a Cisco router that may sit in between Joe and a DOS
platform holding File-A. Without some way of translating requirements
between systems and between policy requirements and system configurations,
there is no sensible way to set protection or determine if it is properly
set.
- Synchronization and time-base differences: If synchronization
inside a single processor is complex, the problem for a distributed system
is far more so. For example, the caches used to afford network performance
in many networks prevent rechecking of protection settings over substantial
periods of time. This can result in a wide range of protection failures.
- Operation under partial failures: When part of a network fails,
protection updating becomes very complex; in some cases the failure blocks
the updates themselves, which leads to further protection problems. Since
service denial is so easy to accomplish in most modern networks, central
servers used for key revocation and other key management functions are likely
targets for attack.
- Network Caches: Even cached Web pages present potential security
problems, including retention of passwords for long durations in cached
form, retention of access information, prevention of access controls which
protect against other users gaining access to controlled Web pages,
persistence of now-deleted pointers after updates, and retention of old
versions of dynamically changing information.
- Revocation: While granting of privileges over a network may be
straightforward with modern cryptography, revocation is far more complex.
Current solutions can easily be driven into situations requiring high levels
of network traffic, delays in revocation can grant undesired access over
long periods, denial of services can determine whether revocation succeeds or
fails, and a break-in at a central server can produce massive traffic and
loss of access.
- Testing: Testing of access controls in networks is almost never
done, and when it is done, issues related to time shifts, commensurability,
and similar effects are almost never considered. When they are considered,
coverage is usually extremely small.
Related work has been done for some time. [Karger89] [Gligor79]
[Corsini84] [Minsky81] [Cohen94] [Ammann93]
[Goldberg89] [Kumar94] [Lampson92] [Bishop81] [Ramamritham86]
[Villiers88] [Stubblebine95]
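The cache and revocation items above, in an added example (not from the original survey): a grant signed with an HMAC under an assumed shared key, an offline verifier that can only check signature and expiry, an online verifier that also consults the issuer's revocation list, and the exposure window and renewal traffic that follow from the grant lifetime. The key, the subject and object names and the timings are constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical key shared by the issuer and every verifier (constructed for the demo).
VERIFY_KEY = b"constructed-grant-key"


def _tag(body):
    """HMAC-SHA256 over a canonical encoding of the grant body."""
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(VERIFY_KEY, raw, hashlib.sha256).hexdigest()


def issue_grant(subject, obj, issued_at, ttl):
    """Issuer signs 'subject may read obj' for ttl seconds; the id lets it be revoked by name."""
    body = {"id": f"{subject}/{obj}/{issued_at}", "sub": subject, "obj": obj,
            "iat": issued_at, "exp": issued_at + ttl}
    return {"body": body, "tag": _tag(body)}


def verify_offline(grant, now):
    """A verifier with no contact to the issuer (or one serving from cache):
    the signature and the validity interval are all it can check."""
    if not hmac.compare_digest(_tag(grant["body"]), grant["tag"]):
        return False
    return grant["body"]["iat"] <= now < grant["body"]["exp"]


def verify_online(grant, now, revoked_ids):
    """A verifier that also consults the issuer's revocation list on every use."""
    return verify_offline(grant, now) and grant["body"]["id"] not in revoked_ids


def exposure_window(grant, revoked_at):
    """Seconds an offline verifier keeps honouring a grant after it was revoked."""
    return max(0, grant["body"]["exp"] - revoked_at)


def reissues_per_day(ttl):
    """Renewals a holder must fetch per day to keep a grant alive:
    the network-traffic price of shortening ttl to shrink the exposure window."""
    return 86400 // ttl


def scenario(ttl=3600, revoked_at=600, checked_at=700):
    """Grant issued at t=0, revoked at revoked_at, presented again at checked_at."""
    g = issue_grant("state-A", "station-17/seismic", issued_at=0, ttl=ttl)
    revoked = {g["body"]["id"]}
    return {
        "offline_after_revocation": verify_offline(g, checked_at),
        "online_after_revocation": verify_online(g, checked_at, revoked),
        "exposure_seconds": exposure_window(g, revoked_at),
        "reissues_per_day": reissues_per_day(ttl),
    }


if __name__ == "__main__":
    print(scenario())
    print(scenario(ttl=300, revoked_at=100, checked_at=200))
```

With a one-hour grant revoked ten minutes in, the offline verifier keeps accepting it for the remaining fifty minutes while the online verifier refuses at once; cutting the lifetime to five minutes cuts the worst-case exposure in proportion but multiplies the renewal traffic, and makes the issuer a single point whose loss denies everyone access once their current grants lapse. That is the trade-off the revocation item describes.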
Alternative Methodologies
While the access control methods considered to date in the Flexible
Distributed Security Management project are potentially useful, there are
many alternative lines that might be better suited to the treaty
verification issue central to the project's underlying purpose. For example:
- Access controls could be replaced by a strong auditing capability with
administrative and treaty-based response to unauthorized access.
- Source encryption using time-variant keys could be used in concert
with a shared key scheme to provide periodic reauthorization based on
treaty-dictated signatory voting procedures.
- Periodic inspection of signal sources could be used to extract
treaty-related data with physical access limited to authorized individuals.
- A collection site in neutral territory could be used to gather data
from multiple sources with access granted at that facility to authorized
recipients.
- Local reprogramming and rekeying of signal sources could be used to
implement policy changes on a site-by-site basis, exploiting physical access
control implemented by the host country providing the data source.
- Satellite uplinks could be used to collect data from sources and
space-stations or satellites could be used to provide more centralized
access controls facilities. These facilities could be controlled by shared
secret schemes implemented by the parties to the treaty.
This list is by no means comprehensive, but it gives a flavor for
some of the variations that might be considered for implementing a flexible
distributed access control system for this application.
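The shared-key reauthorization and shared-secret facility control items above, in an added example (not from the original survey) that assumes one standard instance, Shamir's threshold secret sharing, which the survey does not name: a key for each reauthorization period is derived from a long-term master secret and split among n signatories so that any k of them can release it and fewer cannot. The field modulus, the master secret and the period labels are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Prime field for the shares (constructed choice; any prime larger than the secret works).
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x over GF(P) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Shamir split: a random degree k-1 polynomial with constant term `secret`,
    evaluated at x = 1..n.  Any k points determine the polynomial; k-1 do not."""
    if not (0 < k <= n) or not (0 <= secret < P):
        raise ValueError("bad threshold or secret out of field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def period_key(master, period):
    """Time-variant key for one reauthorization period, derived from the master secret.
    120 bits are kept so the key fits in the field."""
    mac = hmac.new(master, f"period-{period}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:15], "big")


def distribute_period(master, period, k, n):
    """Key-holder side: derive this period's key and hand one share to each of n signatories."""
    key = period_key(master, period)
    return key, split_secret(key, k, n)


def vote_to_release(shares_presented, k):
    """Signatories vote by presenting their shares; fewer than k yields no key at all."""
    if len(shares_presented) < k:
        return None
    return recover_secret(shares_presented[:k])


if __name__ == "__main__":
    master = b"constructed-master-secret"
    key, shares = distribute_period(master, period=7, k=3, n=5)
    print(hex(key))
    print(vote_to_release(shares[:3], 3) == key, vote_to_release(shares[:2], 3))
```

Each period gets a fresh key, so a recipient authorized last period holds nothing useful for this one unless the signatories vote again; because the shares are points on a random polynomial, k-1 colluding parties learn nothing about the key beyond its size, which is what makes the scheme usable among parties who do not trust one another.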
Summary
There has been a substantial amount of research in the field of
access control that relates to issues in flexible policy management for
distributed systems. This short overview is neither complete nor
comprehensive, but it does give an introduction to the topic that we hope
will be of some use in further investigation in this area.