Features
An introduction to Access Road

The Access Road software is a universal simulator of access controls that is intended to improve design and auditing of IT security.

If you want to simulate only one software, like MySQL Server for instance, the learning curve to use Access Road is quick and easy (see the tutorials). On the other hand, this page presents Access Road from a larger point of view, as a framework for varied simulations.

One may remark this is an old-fashion static HTML page... Like for the simulation of software, we are proud to put it simple each time it is possible. Enjoy the basic HTML standard to read and print easily this page!

The simulations

Access Road 0.7 requires only Java 6 or 7 to run as a desktop standalone application. It provides the out-of-the-box simulation of two great software, and one theoretical application for learning purpose:

as an example of operating system, the GNU/Linux Ubuntu^® 8.04 access controls are simulated with its file system and its authorization system; this covers the User-Group-Other Linux rights including the inherited rights from the parents, some Linux kernel capabilities, and the Ubuntu authorizations on system resources,
as an example of DBMS, the MySQL Server^® 5 access controls are simulated; this covers the structure of components, the MySQL privileges, the priority rules among the privileges and the privileges inheritance,
at the application level, a typical large application which follows the Role-Based Access Control model; this covers the tree of functional roles, the application transactions, and the AclEntries with granting and denying rights.

By design, Access Road models varied types of objects and access controls. It may be configured to simulate many real systems with their structural properties, their behaviors, their default or non-default components, including all their rights. An add-on is necessary to simulate a complex software, like GNU/Linux Ubuntu or MySQL Server.

To specify the structure and the behavior of a new simulation, two ways are proposed without coding: (1) through a smooth derivation from one current simulation, (2) by entering all the structural properties by hand. The components of the simulated software have always to be defined by hand, except the default components of an add-on.

Access Road 0.7 is able to simulate, right now, a certain variety of application software. The RBAC model is a good representative of the common application needs. For the other types of software (system software, network software...), the access control functions and the structure are often more complex. Every software has to be studied thoroughly to evaluate the ability to simulate it. The source of the data is never the algorithms or the code of the software to simulate, but its official description in the user documentation and its behavior, seeing from an user point of view. The current Access Road 0.7 has still a long way to go before being able to simulate the thousand of important software in IT systems.

The tutorials

Three tutorials are the getting-started documentation. They provide a smooth learning curve to everyone. There is no requisite about the skills to have for following these tutorials. They use a balanced approach to learn both the Access Road core platform, and the use of a given-software simulation... even if you do not know this simulated software. By the way of a simulated GNU/Linux Ubuntu^® and a simulated MySQL Server^®, the tutorials demonstrates how the generic functions support the specific features of a given simulation. The tutorials introduce Access Road from 3 points of view listed hereinafter:

an one-hour tutorial for learning the access controls of a simulated Linux Ubuntu^®, and for using the four main tools: the explorer, the beamer, the IS structure and the sketcher
a two-hours tutorial for knowing the main ACS properties, for understanding the design of access controls into MySQL Server^®, and for learning how to use the full view,
a three-hours tutorial for verifying in a theoretical Role-Based-Access-Control application, the access controls compliance with the security policy, for learning the NoMore-NoLess view, the new features of the version 0.7.3 and the import/export functions.

It is recommended to follow these 3 tutorials in their order of presentation. Nonetheless, the user interface is so intuitive that one may start directly to work with to create and use its first simulation, using the 24-pages glossary when a new concept appears.

A README file is provided with the software. It presents the compatibility issues, the fixed bugs and the administration tasks. Last but not least, there are the specific guides for the ACS add-ons GNU/Linux Ubuntu and MySQL Server.

The release 0.7.3

The current release 0.7.3 improves the management of the user identity, the structural relations and the communications between software:

This includes the relation of an application and the operating system on which it runs. This release defines for instance how an Ubuntu running program like the MySQL server interacts with the ACS which models this MySQL server.
It improves the use of static and dynamic roots to manage the components of a software into its parent. For instance, a MySQL server has specific components on its GNU/Linux Ubuntu system.
This release brings the 2 concepts of exchange point and context switch to model, for instance, how a call to the MySQL server from its Ubuntu system has some rights on the MySQL internal resources (in other words, the data into the MySQL bases).
This release models the concept of IP address for an exchange point or a context switch, delivering powerful access controls on the communications.
It completes the handling of aliasing for an ACS object.
It allows to add short user comments into a view.

Generally speaking, the release 0.7.3 increases the complexity of the access path modeling. Between two components, the number of access paths having exactly 3 nodes expands by 70 to 100 generic types.

The version 0.7.3 ensures a backward compatibility with the previous 0.7 versions. Unfortunately, the Access Road bases from the versions 0.6 cannot be opened by this version 0.7.3. This is due to the huge extension of the complex ACS properties.

The next release 0.8 would fully model the rights on the Ubuntu resources through the MySQL server, specially when these Ubuntu resources are MySQL roots like the files which contain a MySQL table.

The graphical user interface

The graphical user interface is standardized, easy to use and versatile. The GUI may be partially customized for a given simulation, to adapt the properties which are displayed. The user logic remains the same for all the simulated software. When the user learns the GUI for one simulation, he masters it for all. He may then concentrate his efforts on the behavior of each modeled software. Newbies may easily use Access Road after the creation of a simulation by an inner function, or by an advanced user.

The GUI facilitates both simple and complex works over all the simulations to handle. It allows the user to study the details of a complex structure... or the final compliance with a general security rule. It allows him to work on large texts which explain a simulation... or on a diagram to catch a result in a single look.

The GUI uses an object-oriented framework using multiple windows, varied kinds of diagrams and textual representations. Only the left click of the mouse is listened. Its use is straightforward, because the GUI automatically adapts the commands and the display of some windows to the new selected object. A new simulation starts with the creation of an Access Control System (ACS) to model a given software.

The main components and features of the GUI are listed hereafter:

the explorer shows in a specific window the structure, as a tree, of the open Access Control System (or ACS), the open views and the generic rights,
the beamer window allows to see and to update the properties of a modeled object, with all the updating constraints coming down from the ACS policy, and it manages also the specific properties from an ACS add-on,
the information system structure window displays the tree of all the ACS and the passive nodes the programs knows, including their parent/child relations (new in 0.7),
the sketcher window shows quickly the very near objects of any modeled object, that is, its direct rights users and access targets, with the relevant rights,
the user-defined full views for rights simulation, containing from 0 to 48 objects in each view, to search all the direct and indirect access paths between the view objects, and to display the paths in the form of a diagram and a text,
the user-defined NoMore-NoLess views for the security policy compliance, to display in a diagram, and for one given access target, if a set of rights users fulfills the maximum/minimum allowed rights on this target,
the export/import functions to export images and texts from Access Road into any external document, and to exchange ACS models between different Access Road instances.

Exchanging ACS models is useful for internal users in a company. In the future, we hope it will allow to set a public catalog of shared ACS made both by the developers and the non-developer users.

Overview

Downloads

Features

Why to simulate access controls

Why Access Road is unique

The generic model of Access Road

Access Road 0.7 uses a generic model of components, relations and rights to be able to simulate the access controls of a large set of software. It is not so usual to explain to the user of a software like Access Road, what are the concepts this software uses into its inner model. However, as a simulation software, Access Road matches any software to its generic model, and it explains the result with the vocabulary of this model. This is why the Access Road user is much more comfortable if he understands the generic model, along the varied simulations he handles. It is introduced into the tutorials, including numerous examples. This chapter offers a quick look on this model.

A simulated software is modeled by one or several Access Control Systems (ACS). An ACS contains a catalog of components, so-called ACSObjects, which are registered into the ACS at their creation. Each ACSObject class implements a key concept. Of course, a given ACS has not to handle all the kinds of components and relations, since it uses a selected part of them.

Access Road 0.7.3 manages 8 main kinds of ACSObjects: Resource, Directory, VirtualFolder, Actor, UserID, GroupID, ExchangePoint, ContextSwitch. All these concepts handle the relation to a parent, except UserID. There are 2 kinds of aliasing between two components. The ACS are elements of information systems, which have nodes and IP addresses. It is possible to simulate a complex component into an ACS by combining 2 or more generic components having some generic relations. For example, the MySQL Server view is modeled as a triplet: an Actor which is the alias of a VirtualFolder.

There are 3 kinds of modeled rights, as independent objects: AclEntry, Privilege for links and Privilege for type. The other rights are ACSObject properties: Resource Account/Group rights, Bridge rights between Actors, EndPoint senders lists, ExchangePoint maximal rights of ends. Finally, there are the 3 inherited rights from the parent, for the Account/Group, AclEntry and Privilege for links rights. This model of software produces 24 main structural boolean properties for a generic ACS, with numerous secondary structural properties. A generic ACS handles about 100 properties to drive the simulation of its components and inner relations.

We hope to bring to you a powerful, user-friendly, reliable, efficient and scalable program. Don't hesitate to tell us your personal opinion about both the concept and the tool.

Overview

Downloads

Features

Why to simulate access controls

Why Access Road is unique

What Access Road 0.7 does not do

The generic features have the following limitations:

Access Road is not an administration tool for access controls. It is more powerful, since it simulates the true functions of the software. It is also less powerful, since it cannot configure the effective rights on a production platform. Access Road is different and complementary.
There are tools to facilitate the administration of rights in an application, targeting for instance the Microsoft .NET applications. The logic of these tools is never to fully simulate the rights, but to propose a simplified vision of the application access controls to the administrator of rights. Producing a quite simple model, which sometimes includes a 'simulation' capability, it is then possible to configure the final rights through standardized commands on the .NET platform. This may be very useful for an administrator, but the full versatility of the access controls into the targeted software is not considered. By this way, it is not possible to understand the risks applied to the access controls on the Windows server, in this example.
On the contrary, the access control simulation in Access Road is complete. This is about what it is really possible to do, and what it is done, including all the inner and powerful functions of the simulated software. This does not force to have a complete simulation of all the components of a simulated software. For a very large software like GNU/Linux, it would be complex and usefulness. It is usual to simulate only a part of the components, each time this ensures a correct result.
The GUI of each simulated software is not shown by Access Road, since it has one generic GUI. Access Road does not simulate fully the current experience of an administrator or developer using a software like MySQL Server. More over, it would be better for the user to find exactly in Access Road the inner concepts the simulated software handles in its user documentation. Unfortunately, this is not always possible. The generic vocabulary of Access Road is the priority choice.
Access Road offers no ability to import the state (components, rights) of a simulated software from a real instance of the software, nor to export a simulated state into a true instance. Generally speaking, importation and exportation are much more easy to do than the simulation of a given software. They are planned for future versions. This feature is probably a key factor of success for this project. Nonetheless, we think the development of the universal platform is the first mandatory step to succeed, to demonstrate first the ability to simulate.
The authentication services, like the password checking for instance, are not covered by Access Road, because they are always before the access controls. Authentication is an independent security function, on which the access control is based. Access Road models all the kinds of user selection or switching an authentication may produce, not the authentication itself. Using an 'anonymous' account is of course a feature to simulate.
The logical access controls are modeled, not the organization of a company. For instance, if two users have one common pair (IT account, password), this is not visible by the logical access controls.
The rights may change after the actions of the modeled software users. The space of all the possible actions is not always simulated by Access Road. The case of creating a new user or a new administrator is trivial. A new object may be created by an user, and the simulated software may set some default rights on it. Access Road is able to fully simulate these cases, and this is not the point there. More difficult is when the state of rights changes without any administrator action. For instance, new rights are set by an administrator to an user of a software, to grant to him the right to propagate its rights on its own resources to other users. This offers a great but dangerous flexibility to manage the user resources. The simulation of such dynamic rights would require to run a list of virtual actions, in order to evaluate the possible results.

The Linux Ubuntu simulation has the following limitations:

the Linux kernel capabilities, which are a special form of access control on the OS resources, are not fully simulated,
the POSIX ACLs are not modeled,
the Linux network system and the Netfilter firewall are not modeled.

The MySQL Server simulation has the following limitations:

the security-related mysqld options are not managed,
the host and base names cannot include more than one wild card,
the blank user names are forbidden,
for a host value specified as an IP address, there is no handling of the netmask.

The design

We think access control simulation is a worldwide innovation. We are proud to bring in it as a great free software. Access Road 0.7.3 is the result of more than 6 person-years of work to search the best design solutions, and to develop a code which is fully original. There is no integration of external code or libraries.

The main innovation has been to study a core platform for handling all the access controls, able to be configured for simulating the access controls of a given software. The second innovation has been to present to the user, the full complexity of rights in, as far as possible, simple, generic and varied points of view, while a limited customization offers the best possible explanation about each specific simulation. The third innovation is an unique in-memory object-oriented database management system, which provides great performance, inner integrity controls, extensibility and scalability.

The design of Access Road is driven by the following principles:

to model first the objects on which the access control applies, then the access controls, and for that, to use some concepts as UserID, GroupID, Resource, Directory, AclEntries, User-Group-Other rights as in GNU/Linux^®, Group hierarchy as in a RBAC application, granting and denying rights, rights hierarchy, AclEntry rights inheritance as in MySQL Server^®...
to model the structure of each specific software for simulating it as one or several 'Access Control System' (or ACS) in Access Road, and to model the internal structural constraints on the key properties of each ACS object, like for instance, what types of right are possible between two given types of object,
to model the structure of the access paths for any pair of components, defining a generic vocabulary to explain to the user the results of a search for all the access paths between the modeled objects,
to use 8 fully-original architectural patterns, like the access path search pattern and the ACS add-ons pattern, to master the software re-usability, testability, performance and extensibility,
to design the rights simulator for a fast detection of all the authorized paths in a view, between any given couple (rights user, access target) from any ACS, and for detecting all the structural links for any couple of objects, like the owning relation from an account to a file,
to show the rights simulation into complementary diagram and text, where the diagram offers a simplified result to the eye (but without never being a caricature that distorts important things), while the text explains in details all the results in a standardized form into which an ACS add-on may insert its own terms,
to update the simulations on the fly, at each change on any object property in the base which influences the current right simulations in the GUI,
to set multi-threading for the access paths search in the views, letting the user interacts with the user interface during the large searches (new in 0.7); on the other hand, the performances are great, since most of the searches are done in a period of less than one second, on a medium-size desktop computer,
to design the ACS add-ons for facilitating the extension of the Access Road simulations with a minimum effort of Java coding, offering a great versatility in the choice of the generic features to keep or to adapt for a new simulation (new in 0.7).

The reliability

The release 0.7 of Access Road is a beta version, but it is workable and reliable. It is able to help the user for complex works. Errors should be (1) from the code, of course, but also (2) from the specification of a given software simulation, and (3) from any user misunderstanding, because the results should be rather complex.

The overall reliability of Access Road is based on the following principles, trying to cover the main issues:

the in-memory object-oriented database system is isolated from the other code packages, and its code is thoroughly tested,
this database system ensures all the integrity controls, coming down both from the general model and the software simulation model,
the specification of a given software simulation is done, as far as possible, through a set of properties the user may consult in the GUI at any time, and this includes the ACS add-on properties,
the code for the generic access paths search is mainly structured by the ACS properties to handle; it is tested through a large set of generic ACS and ACS add-ons to cover most of the ACS properties space,
the access paths search code is also tested by the comparison of three independently-coded sets of algorithms (but this is no parallel programming) to search for the paths including exactly 2 nodes, or exactly 3 nodes, or more than 3 nodes,
the user updating is controlled, and each refusal by the program is explained to the user, with the current context of the relevant simulations,
the simulated access paths between two modeled objects are explained in details in a program-generated text, to avoid, as far as possible, any misunderstanding of the results,
the specific behavior of a simulation is explained into several beamer ACS tabs ('Rules', 'See Why') and by a dedicated documentation.

^®All trademarks are property of their respective holders. Copyright ACCBEE – 06 August 2013

Overview

Downloads

Features

Why to simulate access controls

Why Access Road is unique