1

PRIVILEGE STATES BASED ACCESS CONTROL FOR

FINE GRAINEDINTRUSION RESPONSE

Ashish Kamra, Elisa BertinoPurdue University

Presenter:Ashish Kundu

2

The Real Authors

bertino@cs.purdue.edu

akamra@purdue.edu

3

Motivation

Databases

Anomaly Detection

Anomaly Response

Access Control

4

5

Access Control Decision Semantics

RequestReferenceMonitor

AllowDeny

6

Extended Decision Semantics

RequestReferenceMonitor

AllowDeny

Taint

Suspend

7

Primary Contribution

Mechanism to enhance the

decision semantics of an

access control implementation

8

Why do we want to do that?

9

Support for fine-grained intrusion response

Request

Detectionengine

Responseengine

Anomaly

Drop Reques

t

LogReques

t

2nd factor of authentication

Passive Monitoring

10

Mapping

Passive Monitoring

Taint decision semantic

2nd factor of

authentication

Suspend decision

semantics

11

Privilege States - glue for the mapping

Assign states to privileges

Response system changes privilege state fine-grained response actions

Response : access control decision semantics

12

Privilege States

“state” to every privilege a user or role

Five privilege states

DENY

SUSPEND

TAINT

GRANT

UNASSIGN

13

Privilege State Semantics

“DENY”: negative authorizations

“SUSPEND”: request suspension

“TAINT”: request tainting

“GRANT”: standard SQL GRANT

“UNASSIGN”: standard SQL REVOKE

14

Example

U1 is a member of role R1

DBA assigns SELECT privilege in DENY on T1 to user

U1 SELECT privilege in TAINT on T1 to role

R1

Privilege state of SELECT on T1 for U1 ???

15

Privilege State Dominance

X

means ‘X’ overrides ‘Y’

DENY

SUSPEND

TAINT

UNASSIGN

GRANT

Y

16

Privilege State Transitions

+

/

+

+

??

?

/

/

/

+ /+ grant

deny

? suspend

/

unassign

taint

?

+

TAINT

SUSPEND

DENY

GRANT REVOKE

?

17

Formal model

For details, please refer to the paper …

18

Considering Role Hierarchies

Role hierarchy based on privilege inheritance

What about privileges in “deny”, “suspend” and “taint” states?

R_parent{insert}

R_child{select

}

{select}

19

Privilege Orientation Modes

up

down

neutral

unassign, grant

deny, taint, suspend

20

Privilege Propagation

R8

R5 R6 R7

R2 R3 R4

R1

{select,grant}

{select,grant}

{insert,deny,down}

{insert,deny,down}

Recursive Propagation

21

Implementation in PostgreSQL

New SQL commands TAINT, SUSPEND

Enhanced Access Control Lists To support privilege states and

orientation modes

Re-authentication procedure for a privilege in “suspend” state

22

Access Control Check Overhead No Role Hierarchy

16 32 64 128 256 5120

10

20

30

40

50

60

BASEPSAC

Overh

ead

(m

icro

secon

ds)

ACL Size

23

16 32 64 128 256 5120

20

40

60

80

100

120

BASEPSAC

Overh

ead

(m

icro

secon

ds)

ACL Size

Access Control Check Overhead With Role Hierarchy

24

Conclusions

Fine-granular access control in databases

Anomaly response mechanisms

Facilitates policy development

Formal model and experimental evaluation