The
simulations | The graphical user interface
The
tutorials | The
limitations | The design | The
reliability
The Access Road software
is a universal simulator of access controls, to improve the
design and the audit of IT security.
We
introduce the version 0.7 in a coherent view, rather than
enumerate the elementary changes from the previous 0.6 version.
The improvements of 0.7 are mainly for the Access Road data model
and the search of access paths, to extend the simulation
capacities. Due to the genericity of the previous version, the
software architecture and the GUI remains almost the same.
The
simulations
Access Road 0.7 provides
the simulation of two great software and one theoretical
application for learning purpose:
as
an example of operating system, the Linux
Ubuntu®
8.04 access controls are
simulated with the file system and the authorization system;
this covers, in an ACS addon (new in 0.7), the
User-Group-Other Linux rights including the inherited rights
from the parents, some Linux kernel capabilities, and the Ubuntu
authorizations on system resources,
as an example of DBMS, the MySQL
Server®
5 access controls are simulated (new in 0.7); this covers
the structure of components, the MySQL privileges, the priority
rules among the privileges and the privileges inheritance,
at
the application level, a typical large application which follows
the Role-Based Access Control model; this covers the tree of
functional roles, the application transactions, and the ACLs
with granting and denying rights.
By
design, Access Road models varied types of objects and access
controls. It may be customized to simulate many real systems with
their structural properties, their behaviors, their standard and
non-standard components and their rights.
Most
of the object modelings from the previous version have been
improved. The AclEntry may have a simple condition group. The ACS
type policy is extended. Access Road 0.7 provides complementary
objects as following:
the
typed and the linked privileges (new in 0.7),
the information system (new in
0.7),
the
virtual folders (new in 0.7),
the
aliasing relation (new in 0.7),
the
inheritance of AclEntry and Privilege (new in 0.7),
the
ACS parent roots (new in 0.7),
the
external AclEntries and linked privileges (new in 0.7.1).
To
specify the structure and the behavior of a software in a new
ACS, two ways are proposed to the Access Road user without
coding: (1) through a smooth derivation from one current
simulation, (2) by entering all the structural properties by
hand. The ACS components have always to be defined by hand,
except for some default components an ACS may create.
Access
Road 0.7 is able to simulate, right now, a certain variety of
application software. The RBAC model is a good representative of
the application needs. For the other types of software (system
software, network software...), the access control functions and
the structure are often more complex. Every software has to be
studied thoroughly to evaluate the Access Road ability to
simulate it. The source of the data is never the algorithms or
the code of the software to simulate, but its official
description in the user documentation and its behavior, seeing
from an user point of view. The current 0.7 version has still a
long way to go before being able to simulate the thousand of
important software in IT systems.
The
graphical user interface
The
graphical user interface is standardized, easy to use and
versatile. It facilitates both simple and complex works over all
the simulations to handle. It allows the user to study the
details of a complex structure... or the final compliance with a
general security rule. It allows him to work on large texts which
explain a simulation... or on a diagram to catch a result in a
single look.
The
GUI may be customized for a given ACS, but mainly on the
properties the beamer displays. By this way, when the user learns
the GUI for one ACS, he masters it for all. He may then
concentrate his efforts on the behavior of each modeled software.
Newbies may easily use Access Road after the creation of a
simulation by an inner feature, or by an advanced user.
The
GUI uses an object-oriented framework using multiple windows,
varied kinds of diagrams and textual representations. The mouse
has to use only the left clicking, and it is straightforward
because the GUI automatically adapts the open windows to the new
selected object. All the simulations start with the creation of
an Access Control System (ACS) to model a given software.
The main features of the graphical
user interface are listed hereafter:
the explorer shows in a specific
window the structure, as a tree, of the open Access Control
System (or ACS), the open views and the generic rights,
the beamer window allows to see
and to update the properties of a modeled object, with all the
update constraints coming down from the ACS policy, and it
manages also the specific properties from an ACS addon,
the information system window
displays the tree of all the ACS and the passive nodes the
programs knows, including their parent/child relations (new
in 0.7),
the sketcher window shows quickly
the very near objects of any modeled object, that is, its direct
rights users and access targets, with the relevant rights,
the user-defined full views for
rights simulation, containing from 0 to 48 objects in each view,
to search all the direct and indirect access paths between the
view objects, and to display the paths in the form of a diagram
and a text,
the user-defined NoMore-NoLess
views for the security policy compliance, to display in a
diagram, and for one access target, if a set of rights users
fulfills the maximum/minimum allowed rights on this target,
the
export/import functions to export images and texts from Access
Road in any external document, and to exchange ACS models
between different desktop computers.
Exchanging ACS models is
useful for internal users in a company. In the future, we hope it
will allow to set a public catalog of shared ACS made both by the
developers and the non-developer users.
Unfortunately, the
Access Road files of the 0.6 version cannot be open in this 0.7
version. This is due to the huge extension of the complex ACS
properties. The version 0.7.1 handles all the objects of the
version 0.7.0, excepted the linked privileges. This does not
forbid the opening of the main 0.7.0 ACS like Ubuntu, MySQL and
RBAC application.
|
About
Access Road
One-hour
tutorial for learning access controls
Two-hours
tutorial for designing access controls
One-hour
tutorial for verifying access controls
Why
Access Road is unique
Glossary
|
The
tu torials
Three basic tutorials
are the getting-started
documentation. They provide a smooth learning curve to everyone.
There is no requisite about the skills to have for following
these tutorials. The tutorials use a balanced approach to
learn both the Access Road core platform, and the use of a
given-software simulation, even if you do not know this software.
By the way of a simulated Linux
Ubuntu®
and a simulated MySQL Server®,
the tutorials demonstrates how the generic functions support the
specific features of a given simulation. The tutorials introduce
Access Road from 3 points of view listed hereinafter:
an one-hour tutorial
for learning the access controls
of a simulated Linux Ubuntu®,
and for using the four
main tools: the
explorer, the beamer, the IS structure and the sketcher; it is a
19-pages printable document,
a two-hours tutorial
for knowing the main ACS
properties, for understanding the design of access controls into
MySQL Server®,
and for learning how to
use the Access Road full view;
it is a 26-pages printable document,
an
one-hour tutorial for verifying in a theoritical
Role-Based-Access-Control application, the access controls
compliance with the security policy, for learning the
NoMore-NoLess view and the ACS import/export functions; it
is a 15-pages printable document.
It is recommended to
follow these 3 tutorials in their order of presentation.
Nonetheless, the user interface is so intuitive that one may
start directly to work with, using the glossary of Access Road
terms when a new concept appears. Last but not least, there are
the specific tutorials for the ACS add-ons Linux Ubuntu and MySQL
Server.
We hope to bring to you
a powerful, user-friendly, reliable, efficient and scalable
program. Don't hesitate to tell us your personal opinion about
both the concept and the tool.
What Access Road 0.7.1 does not do
This
section should be ridden after the tutorials. The generic
features have the following limitations:
The authentification services,
like the password checking for instance, are not covered by
Access Road, because they are before the access controls.
Authentification is
a separate security function.
Access control simulation is about
what it is really possible to do. Access Road does not always
simulate fully the current experience of an administrator or
developer using the simulated software. For instance, the GUI of
the simulated software is not shown by Access Road. On the other
hand, it is often a secondary objective to help the user to find
in Access Road the usual concepts of the simulated software.
For instance, the SQL GRANT statements are not exactly
simulated, although the MySQL access controls are created
through them.
Of course, there is a precise consistency between
the space of the GRANT statements and the commands Access Road
handles to simulate
the MySQL Server. Moreover, the Access Road
GUI mimics the GRANT statement to present the current state
of
the MySQL Server access controls, in so-called 'primary rights'.
But this indeed is not a full simulation of GRANT.
More
generally, Access Road does not handle some 'false' access
controls. For instance, when a developer accessing a PostgreSQL
database uses the command 'SET ROLE' to change dynamically the
set
of rights PostgreSQL attributes to its connection, this is
not access control, but simply a coding practice. In fact, the
program
does have the rights of all the set of roles PostgreSQL
allows this connected user to take. In such a case, an Access
Road simulation
of PostgreSQL would cover the rights from all
this set of roles as a whole, just like they are offered to
this connected PostgreSQL user.
In this version, there is no
ability to import the state (components, rights) of a simulated
software from a real instance of the software,
nor to export a
simulated state into a true instance. Generally speaking,
importation and exportation are more easy to do than the
simulation, for a given software to simulate. They are planned
for future versions. We think that this feature is the key to
ensure the success of this project.
Nonetheless, the
development of the universal platform is the first mandatory
step to succeed, because we have to demonstrate first the Access
Road concept.
The logical access controls are
modeled, not the organization of a company. For instance, if two
users have one common IT account and password, this is not
visible by the logical access controls.
The relations between the ACS are
not fully handled, even if the version 0.7.1 handles the
external AclEntries and Linked Privileges (a workable management
of the ACS relations is planned for the next 0.7.2 version),
The typed and linked privileges
are fully managed only for the simplest forms and for the
one-to-one linked privilege (new in 0.7.1),
The administrative rights, that
are the rights to change the current rights, are modeled but
their application to change the current rights is not provided.
The access controls are simulated
in the views for a given state of the Access Road base. This
means it is not possible to sum
the access controls result of
two distincts states of the base, simulating two options or a
sequence of states in time.
The
Linux Ubuntu simulation has the following limitations:
the Linux kernel capabilities,
which are a special form of access control on the OS resources,
are not fully simulated,
the POSIX ACLs are not modeled,
the Linux network system and the
Netfilter firewall are not modeled.
The
MySQL Server simulation has the following limitations:
the security-related mysqld
options are not managed,
the host and base names cannot
include more than one wildcard,
the blank user names are
forbidden,
for
a host value specified as an IP address, there is no handling of
the netmask.
|
About
Access Road
One-hour
tutorial for learning access controls
Two-hours
tutorial for designing access controls
One-hour
tutorial for verifying access controls
Why
Access Road is unique
Glossary
|
The
design
We think access control
simulation is a worldwide innovation. We are proud to bring in it
as a great free software. Access Road 0.7 is the result of more
than 5 person-years of work to search the best design solutions,
and to develop a code which is fully original. There is no
integration of external code.
The main innovation has
been to study a core platform for handling all the access
controls, able to be derived for simulating the access controls
of a given software. The second innovation has been to present to
the user, the full complexity of rights in, as far as possible,
simple, generic and varied points of view, while a limited
customization offers the best possible explanation about each
specific simulation. The third innovation is an unique
object-oriented database management system, which provides great
performance, integrated integrity controls, extensibility and
scalability.
The Access Road design
is driven by the following principles:
to model first the objects on
which access control applies, then the access controls, and for
that, use some concepts as UserID, GroupID, Resource, Directory,
Access Control Lists, User-Group-Other rights as in Linux®,
Group hierarchy as in a RBAC application, granting and denying
rights, rights hierarchy, rights inheritance...
to model the structure of each
specific software to simulate it as one or several 'Access
Control System' (or ACS) in Access Road, and to model the
internal structural constraints on the key properties of each
ACS object,
to use 8 architectural patterns,
like the access path search pattern and the ACS add-ons pattern,
to master the software reusability, testability, performance and
extensibility,
to design the rights simulator for
detecting all the authorized paths between any given couple
(rights user, access target) from any ACS, and for detecting all
the structural links for any couple of objects, like the owning
relation from an account to a file,
to show the rights simulation into
complementary diagram and text, where the diagram offers a
simplified and visual result, but without never being a
caricature that distorts important things, while the text
explains in details all the results in a standardized form into
which an ACS add-on may insert its own terms,
to update the simulations on the
fly, at each user change on any object property which influences
the current right simulations,
to have multi-threading for the
access paths search, letting the user interacts with the user
interface during the large searches (new
in 0.7); on the other
hand, most of the searches are done in a period of less than one
second, on a medium-size desktop computer,
to
design the ACS add-ons for facilitating the extension of the
Access Road simulations with a minimum effort of Java coding,
offering a great versatility in the choice of the generic
features to adapt to a new simulation (new in 0.7).
|
|
The
reliability
The
0.7 version is a beta version, but it is workable and reliable.
It is able to help the user for complex works. Errors
should be from the code, of course, but also from the
specification of a given software simulation, or from any user
misunderstanding because the results may be rather complex. The
overall reliability of Access Road is based on the following
principles, trying to cover the main issues:
the object-oriented database
system is isolated from the other code packages, and its code is
thoroughly tested,
this database system ensures all
the integrity controls, coming down both from the general model
and the software simulation model,
the specification of a given
software simulation is done, as far as possible, through a set
of properties the user may consult and study at any time, and
this includes the ACS addon properties,
the code for the generic access
paths search is mainly structured by the ACS properties to
handle; it is tested through a large set of generic ACS and ACS
add-ons to cover most of the ACS properties space,
the most difficult
errors is when
the context of use of a method may change strongly, or when a
method does things beyond its contract.
The usual catalog of
unit and integration tests is never suffisant to cover all these
complex cases.
This is still more true for a framework. The
best way is to use different contexts of use for each method to
test,
so that most of the bugs appear. The Access Road way of
testing is to test both the results, the call paths among the
methods,
and the changes of the inner data in a class or a
method. Nonetheless, such a framework has to be tried by
numerous users
in varied contexts to be fully reliable. This
is why Access Road 0.7.1 is considered as a beta version,
although it is quite stable.
the access paths search code is
also tested by the comparison of several independently-coded
algorithms (but this is no parallel programming) to search for
the 2-nodes paths, the 3-nodes paths and the more-than-3-nodes
paths,
the user updating is controlled,
and each refusal by the program is explained to the user, with
the true context of the ACS and the implied simulations,
the simulated access paths between
two modeled objects are explained in details in a generated
text, to avoid, as far as possible, any misunderstanding of the
results,
the
specific behavior of an ACS is explained into several beamer ACS
tabs ('Rules', 'See Why') and by a dedicated documentation.
The
simulations | The graphical user interface
The
tutorials | The
limitations | The design | The
reliability
®All
trademarks are property of their respective holders. Copyright
ACCBEE – 02 May 2012
|
About
Access Road
One-hour
tutorial for learning access controls
Two-hours
tutorial for designing access controls
One-hour
tutorial for verifying access controls
Why
Access Road is unique
Glossary
|