OMAM and PEI Prof Ravi Sandhu Ravi Sandhu

OM-AM and PEI Prof. Ravi Sandhu © Ravi Sandhu 1

THE OM-AM WAY What? Objectives Model Architecture Mechanism How? © Ravi Sandhu A s s u r a n c e 2

LAYERS AND LAYERS Multics rings v Layered abstractions v Waterfall model v Network protocol stacks v Napolean layers v Ro. Fi layers v OM-AM v etcetera v © Ravi Sandhu 3

OM-AM AND MANDATORY ACCESS CONTROL (MAC) What? No information leakage Lattices (Bell-La. Padula) Security kernel Security labels How? © Ravi Sandhu A s s u r a n c e 4

OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC) What? Owner-based discretion numerous ACLs, Capabilities, etc How? © Ravi Sandhu A s s u r a n c e 5

OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) What? Objective neutral RBAC 96, ARBAC 97, etc. user-pull, server-pull, etc. certificates, tickets, PACs, etc. How? © Ravi Sandhu A s s u r a n c e 6

SERVER MIRROR Client Server User-role Authorization Server © Ravi Sandhu 7

SERVER-PULL Client Server User-role Authorization Server © Ravi Sandhu 8

USER-PULL Client Server User-role Authorization Server © Ravi Sandhu 9

PROXY-BASED Client Proxy Server User-role Authorization Server © Ravi Sandhu 10

THE OM-AM WAY What? Objectives Model Architecture Mechanism How? © Ravi Sandhu A s s u r a n c e 11

PEI Security and system goals (objectives/policy) • Necessarily informal Specified using users, subjects, objects, admins, labels, roles, groups, etc. in an ideal setting. • Security analysis (objectives, properties, etc. ). • Policy models Approximated policy realized using system architecture with trusted servers, protocols, etc. • Enforcement level security analysis (e. g. stale information due to network latency, protocol proofs, etc. ). • Technologies such as Cloud Computing, Trusted Computing, etc. • Implementation level security analysis (e. g. vulnerability analysis, penetration testing, etc. ) • Enforcement models Implementation models Concrete System © Ravi Sandhu • Software and Hardware 12