Re: Rule Set Based Access Control (RSBAC)

From: Simone Fischer-Hübner <Simone.Fischer-Huebner@kau.se>
Subject: Re: Rule Set Based Access Control (RSBAC)
Date: Fri, 06 Apr 2001 11:37:41 +0200

Next Article (by Subject): Re: Rule Set Based Access Control (RSBAC) Simone Fischer-Hübner
Previous Article (by Subject): Re: Rule Set Based Access Control (RSBAC) Amon Ott
Top of Thread: Re: Rule Set Based Access Control (RSBAC) Amon Ott
Next in Thread: Re: Rule Set Based Access Control (RSBAC) Simone Fischer-Hübner
Articles sorted by: [Date] [Author] [Subject]

Hi,

I have followed some of the discussions over the lists. As one of the main=
=20
authors of the Privacy Model (PM), which is implemented in RSBAC, it was=20
interesting to read that you think that PM can be easily expressed with TE.=
=20
However, I doubt that you can really express all necessary details and=20
security properties.

In particular, you have not discussed how the information flow property can=
=20
be expressed to prevent illegal information flow(see also example in our=20
NISS=B498 paper: in a hospital, medical data accessible for medical=
 treatment=20
purposes could be illegally copied to admission data accessible for=20
administration purposes, or another example: personal data could be copied=
=20
to data classified as non-personal) :
In order to prevent illegal information flow , subject (processes) have two=
=20
further security attributes: Input-purposes and output-purposes.
Initially (at process creation) input-purposes of a process is set to the=20
set of all purposes P and output-purposes is initially set to the empty set.
If a process gets read-access to an object, input-purposes(process) in the=
=20
new system state is set to the intersection of input-purposes(process) and=
=20
the purposes of the object class (O-purposes(class(object)).
If a process gets write or append access to an object,=20
output-purposes(subject) is set to the Union of output-purposes(subject)=20
and purposes of the object-class.
The information flow invariant that has to be guaranteed is stating that=20
Out-Purposes of a process is contained in Input-purposes of a process. This=
=20
prevents illegal information flow.
(A more detailed description of the model and information flow control will=
=20
this spring be published in my new book at Springer Lecture Notes of=20
Computer Science, LNCS 1958 ).
I do not see how this information flow control can be easily expressed with=
=20
RBAC/TE ?

Besides, in order to implement operational separation of duties and to=20
prevent misuse, all security attributes can only be defined and set by two=
=20
authorized person in cooperation. One is the user in the role data=20
protection officer (appointed according to German/European privacy=20
legislation), who creates a ticket to define the security attribute=20
value/allocation, and one is the user in the role security-officer, who can=
=20
then use the ticket to set the respective attribute.
Besides, there is another condition that only users in the role TP-manager=
=20
can define transformation procedures (TPs), but only the security officer=20
in cooperation with the data protection officer is allowed to authorize=20
users for the execution of TPs.
I do not think that you have such a functionality in RBAC/TE so far ?

Further comments:

At 09:36 2001-04-05 -0400, Stephen Smalley wrote:

>Ok, let's look at them one by one:
>
>1) Privacy Model (PM)
>
>Requirements (from your '98 NISS paper):
>a) A user may only have access to personal data if this access is
>necessary to perform his current task.
>
>This can be specified in the RBAC/TE configuration by defining
>appropriate types for personal data and defining appropriate
>roles/domains for users and tasks.
>
>b) The user may only access data in controlled manner by performing
>a certified transformation procedure for which the user's current
>task is authorized.
>
>This can be specified in the RBAC/TE configuration by binding
>the domains that can access personal data to specific program
>types, and only labeling certified transformation procedures
>with those types.

Can you also implement access 4-tuples (as we have them in PM), expressing=
=20
with what task by performing what TP you can access what object class in=20
what mode ?

>c) The purpose of the user's task must correspond to the purpose
>for which the personal data was obtained or there must be
>consent by the data subjects.
>
>This can be specified in the RBAC/TE configuration by encoding
>the purpose in the domains and types and only granting access
>when the purpose is consistent.  Consent can be expressed
>by relabeling the personal data to a type that is consistent
>with the desired purpose.

Well, this seems to be possible, but then you wont have any easy and=20
transparent administration of access rights any longer (which should be one=
=20
of the advantage of Role Based Access Control -RBAC).
Just imagine that you model in your system 10 different purposes. This=20
means that you have to model with TE 1024 different types (for all possible=
=20
subsets of purposes).
Besides, by relabeling the personal data to include another purpose to=20
which the data subjects have agreed, you change the real semantic of the=20
O-purposes attribute of data, which should only stand for the purposes for=
=20
which data for initially collected. Relabeling data in case of a consent=20
would in this case also require that you have to change the type (encoding=
=20
purposes) in the list of necessary accesses as well.

The whole access control right allocation and administration for enforcing=
=20
PM will be very cumbersome and wont be transparent any longer !

Best regards,
Simone Fischer-Huebner.

-----------------------------------------------------------------------
Prof. Dr. Simone Fischer-Huebner
Karlstad University
Department of Computer Science
Universitetsgatan 1
S 651 88 Karlstad / Sweden
Tel: +46  54 700 1723
Fax: +46  54 700 1828
http://www.cs.kau.se/~simone/
simone.fischer-huebner@kau.se

-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.

Go to Compuniverse LWGate Home Page.