Introduction and Context

This brief overview of literature is based on an initial investigation into the issues surrounding flexible access controls for possible future use in remote monitoring of the nuclear test ban treaty under the assumptions that nation-state monitoring rights are changeable with time based on policy and the ever-changing geo-political situation.

We begin by describing some of the well-known and often cited works related to access control in information systems, briefly examine the issues of static and dynamic access control and some of the technical limitations we currently face in these areas, discuss issues related to access control in distributed systems, consider take-grant systems and other issues related to revocation, and finally summarize.

Static Access Control

Access control has been widely studied and analyzed. The basics of access control and the theoretical underpinnings for analyzing access control in information systems and networks derives from the works of several authors published in the 1970s and 80s. [Harrison76] [Cohen86-2] [Bell73] [Denning82] [Biba77] [Denning75] [Cohen86] [Cohen87-2] An overview of this work is available on-line.

Overview Drill Down

As a general rule, access controls are implemented based on some sort of marking scheme wherein objects are marked and a decision process is used to determine wheter or not the subject attempting to access the object is authorized to do so. Basic priciples of implementing marking and the techniques for marking and evaluating markings are outlined in early works in this area. [Denning82] [Landwehr83] [Klein83] [Cohen86] An overview of historical work in these areas is available on-line.

Overview Drill Down

This introduces the issue of authentication, because, in order for authorization (another name for access control) to work, separation mechanisms must have a reliable way to differentiate between the subjects to whom they grant authority. An overview of a limited portion of the historical work in this areas is available on-line along with some less-related information, and this subject matter will not be discussed in further detail here.

Overview Drill Down

In systems providing controlled access to statistical or similar content (as opposed to whole files), additional controls are required related to inferences. A substantial body of work has been done on inference control. The early part of this work was well summarized in Denning's fine book on cryptography and data security [Denning82] and in her 1983 paper on the subject. [Denning83-2] Extended labeling has been demonstrated to augment trusted computing bases to provide enforcable record-level controls, [Picciotto94] while view-based access control has been suggested as an alternative labeling scheme for managing fine grained access controls. [Qian96]

Formal models of access control systems have ben studied in some depth. For example, formal models of capability-based protection systems, [Snyder81] analysis and synthesis of access control systems, [Bilbao83] role-based access control, [Giuri96] [Thomsen91] and validation and verification of access controls [Denning77] [OShea94] have all been studied in some depth.

In a typical computer system, there are millions of protection bits, and yet most systems have little or no capability for effectively managing these bits. [Cohen91] A partial solution to this problem is provided by security management systems developed in recent years. The simplest of these systems simply verify that known flaws in protection settings permitting easy exploit are avioded. [Baldwin90] More complex change-control system provide detection of changes in the protection state and allow automated recovery. [Cohen91] Protection management systems typically go a step further and provide automation for setting protection according to a policy. [Bernardi94]

In today's market, there are numerous systems that provide automated protection management of heterogeneous networks of computers based on central policy specifications, distribute these settings through cryptographically secured protocols, analyze audit trails from these diverse systems, and report on and react to detected intrusions. This is a special case (two-level) of a hierarchical protection system. Hierarchical protection systems have been studied for some time, both in their application to networks [Wu81] [Cohen87-8] and in their application within a trusted computing base under the name of roles.

Dynamic Access Control

While protection setting in the static case is non-trivial and, in most cases, inadequately managed in most computer systems, things become far more complex when issues of time are considered. We will consider only operation within a single processor environment in this section to retain as much simplicity as possible. Some of the issues are outlined here:

• Synchronization and races: Within a single system, many events may be hapenning nearly simultaneously. Timesharing provides the means for multiple processes to have near-simultaneous access, but access controls are typically implemented under the assumption that only a single process is present. Race conditions have been induced when (for example) a trusted process creates a file, writes to it, then sets privileges to allow that file to run as a trusted process. If the attacker can induce a rename operation after the file is created and written, but before the protection mode is changed, they can (for example) substitute their own file content for the trusted program. This class of problems can be solved by more careful implementation of trusted processes.

• Opened files and inconsistencies: Suppose a file is readable by a given user, opened for read access by that user, and is being read when the protection is changed. This is inconsistent by the semantics of most modern computer languages because they do not have error return values for and are not designed to operate over a change in protection state. Even if they did, how should a program react to such a change, and what are the implications of partially completed operations that can only be completed based on the availability of information that is no longer available. An even more complicated situation is one where a directory in which a readable file resides has its protection changed while the file is being read. Is the system to track each directory containing a given file all the way up the file tree and instantaneously alter the readability to operating programs as those changes take place? No system does this today.

• Dynamic resource allocation: Further complications come when the program pre-allocates resources for a process based on availability of resources, and then finds that the resources become dynamically unavailable as a result of protection changes during operation. How are we to design systems so that all resource allocations can be dynamically reset after those resources have been partially used?

• Programming errors because of static assumptions: Almost every program is written under the assumption that the protection state of the machine is static,and the vast majority of programs can be made to fail if this assumption is not very nearly true.

• Access change races: When two users or processes are both changing the protection state of the same directories and files, the order of execution dictates that final protection state. This means that some of the possible outcomes will likely be inconsistent with the states expected by both of these processes or users - perhaps some of the changes will even fail because of sequencing problems.

• Testing: We have no way to test systems relaiably for their actions under dynamic access control conditions. The few tests that have been done are not encouraging. [Cohen94] They indicatet hat dynamic access controls produce unpredictable results for some period after changes are made and that testing under timing conditions is far too complex to be done with substantial coverage.

In practice, all of these phenomena have been observed both in experiments in in real-world attacks against computer systems. There are solutions to many of these challenges, but they all involve substantially increased programming cost and a level of sophistocation rarely found in modern programmers. Language support to address these issues is also lacking, making the task system dependent and manual.

Substantial results have been attained relating to these issues. [Istrail93] [Trueblood86] [Bishop96] [Cohen94]

Distributed System Issues

Dynamic access control is a highly co mplex problem in a single system, but when dynamic access control is distributed throughout a network, thigs get even more complex. Several key issues have to be addressed:

• Commensurability: Heterogeneous networks typically include components like routers, switches, firewalls, gateways, PCs, Unix boxes, VMS systems, mainframes, and MacIntosh computers. The protection models used in these systems are quite different - to the point where concepts such as directory protection, user identity, and network addresses aren't even available in all of the systems, or in other cases, don't mean the same things. The result is that, while an access control requirement may indicate that Joe cannot read File-A, this doesn't translate cleanly into a configuration on a Cisco router that may sit in between Joe and a DOS platform holding File-A. Without some way of translating requirement between systems and between policy requirements and system configurations, there is no sensible way to set protection or determine if it is properly set.

• Synchronization and time-base differences: If synchronization inside a single processor is complex, the problem for a distributed system is far more so. For example, the caches used to afford network performance in many networks prevent rechecking of protection settings over substantial periods of time. This can result in a wide range of protection failures.

• Operation under partial failures: When a part of a network fails, protection updating becomes very complex, and in some cases, prevents updates that lead to further protection problems. Since service denial is so easy to accomplish in most modern networks, central servers used for key revocation and other key management functions may be key targets for attack.

• Network Caches: Even cached Web pages present potential security problems, including retention of passwords for long durations in cached form, retention of access information, prevention of access controls which protect against other users gaining access to controlled Web pages, persistence of now-deleted pointers after updates, and retention of old versions of dynamically changing information.

• Revocation: While granting of privileges over a network may be straightforward with modern cryptography, revocation is far more complex. Current solutions can easily be driven into situations requiring high levels of network traffic, delays in revocation can grant undesired access over long periods, denial of services can impact revocation success or failure, and massive traffic and loss of access when central servers are broken into.

• Testing: Testing of access controls in networks is almost never done, and when it is done, issues related to time shifts, commensurability, and similar effects are almost never considered. When they are considered, coverage is usually extremely small.

Related work has been done for some time. [Karger89] [Gligor79] [Corsini84] [Minsky81] [Cohen94] [Ammann93] [Goldberg89] [Kumar94] [Lampson92] [Bishop81] [Ramamritham86] [Villiers88] [Stubblebine95]

Alternative Methodologies

While the access control methods considered to date in the Flexible Distributed Security Management project are potentially useful, there are many alternative lines that might be better suited to the treaty verification issue central to the project's underlying purpose. For example:

• Access controls could be replaced by a strong auditing capability with administrative and treaty-based response to unauthorized access.

• Source encryption using time varient keys could be used in concert with a shared key scheme to provide periodic reauthorization based on a treaty-dictated signatory voting procedures.

• Periodic inspection of signal sources could be used to extract treaty-related data with physical access limited to authorized individuals.

• A collection site in neutral territory could be used to gather data from multiple sources with access granted at that facility to authorized recipients.

• Local reprogramming and rekeying of signal sources could be used to implement policy changes on a site-by-site basis, exploiting physical access control implemented by the host country providing the data source.

• Satellites uplinks could be used to collect data from sources and space-stations or satellites could be used to provide more centralized access controls facilities. These facilities could be controlled by shared secret schemes implemented by the parties to the treaty.

This list is by no means comprehensive, but it gives a flavor for some of the variations that might be considered for implementing a flexible distributed access control system for this application.

Summary

There has been a substantial amount of research in the field of access control that relates to issues in flexible policy management for distributed systems. This short overview is neither complete nor comprehensive, but it does give an introduction to the topic that we hope will be of some use in further investigation in this area.