
Access Control

ADMINISTRATIVE
 Project 1 is due today!
 NB: You can submit as many times as you would like, we will grade
your last submission.
CURRENT EVENTS?
ACCESS CONTROL
CS 526
Christina Garman
ACCESS CONTROL
 Provides the essential services of authorization, identification and
authentication, access approval, and accountability
• authorization specifies what a subject can do
• identification and authentication ensure that only legitimate subjects can log
on to a system
• access approval grants access during operations, by association of users
with the resources that they are allowed to access, based on the
authorization policy
• accountability identifies what a subject (or all subjects associated with a
user) did
ACCESS CONTROL
 A reference monitor mediates all access to
resources
• Principle: Complete mediation: control all accesses to resources
[Figure: a user process sends an access request to the reference monitor; the monitor consults the policy and decides whether the request reaches the resource]
Adapted from Ninghui Li
REFERENCE MONITOR
 Three required properties for reference monitors in “trusted systems”
• tamper-proof
• non-bypassable (complete mediation)
• small enough to be analyzable
 Multics is a classic system using this model
Adapted from Eugene Spafford
MANDATORY ACCESS CONTROL (MAC)
 Means of assigning access rights based on regulations by a central
authority
 Rules are enforced on every attempted access, not at the discretion
of any system user
 Authorized processes CANNOT pass along their capabilities to other
processes
 Ex. Bell-LaPadula Model
BELL-LAPADULA MODEL
 MAC system
 When is it OK to release information?
 Simple Security Property - subject at a given security level may not
read an object at a higher security level
 *-Property - subject at a given security level may not write to any
object at a lower security level
 “read down, write up”
BIBA INTEGRITY MODEL
 Rules that preserve integrity of information
 Simple Integrity Property - subject at a given level of integrity must not
read data at a lower integrity level
 *-Integrity Property - subject at a given level of integrity must not write
to data at a higher level of integrity
 “read up, write down”
PROBLEMS?
 Bell-LaPadula – Confidentiality
• Read down, write up
 Biba – Integrity
• Read up, write down
 Want both confidentiality and integrity
• May use Bell-LaPadula for some classification of personnel and data, Biba
for another
• Otherwise, the only way to satisfy both models is to allow reads and writes
only at the same classification
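The two models as reference-monitor checks, written as an added example rather than code from the lecture. Levels are assumed to be integers 0..3 on one linear ordering, with higher meaning more sensitive (Bell-LaPadula) or more trustworthy (Biba); the last function shows that enforcing both on a single classification leaves only same-level access.

```python
# Added example (not from the slides): Bell-LaPadula and Biba rules over an
# assumed linear ordering of integer levels 0..3.

def blp_allows(subject_level, object_level, op):
    """Bell-LaPadula (confidentiality): read down, write up."""
    if op == "read":
        # Simple security property: may not read a higher level
        return subject_level >= object_level
    if op == "write":
        # *-property: may not write to a lower level
        return subject_level <= object_level
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject_level, object_level, op):
    """Biba (integrity): read up, write down."""
    if op == "read":
        # Simple integrity property: must not read a lower level
        return subject_level <= object_level
    if op == "write":
        # *-integrity property: must not write to a higher level
        return subject_level >= object_level
    raise ValueError(f"unknown operation {op!r}")

def both_allow(subject_level, object_level, op):
    """Both models enforced on the same classification."""
    return (blp_allows(subject_level, object_level, op)
            and biba_allows(subject_level, object_level, op))

def allowed_pairs(check, op="read", levels=range(4)):
    """Enumerate the (subject, object) level pairs a check permits."""
    return {(s, o) for s in levels for o in levels if check(s, o, op)}

if __name__ == "__main__":
    # Constructed scenario: a level-2 subject and a level-1 object
    print("BLP  read  2->1:", blp_allows(2, 1, "read"))    # read down: allowed
    print("BLP  write 2->1:", blp_allows(2, 1, "write"))   # write down: denied
    print("Biba read  2->1:", biba_allows(2, 1, "read"))   # read down: denied
    print("Biba write 2->1:", biba_allows(2, 1, "write"))  # write down: allowed
    # Only the diagonal survives when both models share one classification
    print(sorted(allowed_pairs(both_allow)))
```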
DISCRETIONARY ACCESS CONTROL (DAC)
 Means of assigning access rights based on rules specified by users
 Rule enforcement may be waived or modified by some users
 Authorized processes can pass along their capabilities to other
processes
 Ex. Unix file mode, which represents read, write, and execute as 3 bits
for each of User, Group, and Others
ACCESS CONTROL MATRIX
 Introduce rules that control what accesses (i.e., actions) subjects may
take with respect to objects
             object1     …    objectn
  subject1   Ai, Aj      …    Ø
  …          …           …    …
  subjectn   Al          …    Ai, Am
ACCESS CONTROL MATRIX
Rows are subjects, columns are objects:

           File 1   File 2   File 3   File 4
  User 1   rwx      r        ---      w
  User 2   ---      w        rw       r
  User 3   ---      rw       rwx      rw
  User 4   rw       x        rwx      ---
IMPLEMENTATION CONCEPTS
 Access control list (ACL)
• Store column of matrix with the resource
 Capabilities
• User holds a “ticket” for each resource
• Two variations
• Store row of matrix with user
• Unforgeable ticket in user space
ACCESS CONTROL LIST
 File 1 – User 1:rwx, User 4:rw
 File 2 – User 1:r, User 2:w, User 3:rw, User 4:x
 File 3 – User 2:rw, User 3:rwx, User 4:rwx
 File 4 – User 1:w, User 2:r, User 3:rw
CAPABILITIES LIST
 User 1 – File 1:rwx, File 2:r, File 4:w
 User 2 – File 2:w, File 3:rw, File 4:r
 User 3 – File 2:rw, File 3:rwx, File 4:rw
 User 4 – File 1:rw, File 2:x, File 3: rwx
ACL VS. CAPABILITIES
 Access control list
• Associate list with each object
• Check user/group against list
• Relies on authentication: need to know user
 Capabilities
• Capability is unforgeable ticket
• Random bit sequence, or managed by OS
• Can be passed from one process to another
• Reference monitor checks ticket
• Does not need to know identity of user/process
CONFUSED DEPUTY PROBLEM
 Process or program is tricked into performing an operation on an
adversary’s behalf that the adversary could not perform on their own
• Ex. write to (read from) a privileged file
 Type of privilege escalation
 One solution is to bundle together the designation of an object and
the permission to access that object
• This is exactly a capability
• When a user wants to run a program, the user must pass along their
capability to the program
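The matrix from the earlier slides stored both ways, as an added example that is not from the lecture: column-wise as ACLs (the check needs the requester's identity) and row-wise as capability lists whose tickets are random tokens a reference monitor recognises without knowing the holder. The `deputy_write` function is a hypothetical program acting for a user; because the ticket it receives names the file as well as the rights, it can only touch what its caller could.

```python
import secrets
# Added example (not from the slides): the 4x4 matrix transcribed from the
# lecture, as ACLs (columns) and capability lists (rows of random tickets).
MATRIX = {  # subject -> object -> rights
    "User 1": {"File 1": "rwx", "File 2": "r", "File 4": "w"},
    "User 2": {"File 2": "w", "File 3": "rw", "File 4": "r"},
    "User 3": {"File 2": "rw", "File 3": "rwx", "File 4": "rw"},
    "User 4": {"File 1": "rw", "File 2": "x", "File 3": "rwx"},
}

def to_acls(matrix):
    """ACL: each object keeps its own column of the matrix."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = rights
    return acls

def acl_check(acls, user, obj, right):
    """An ACL check relies on authentication: it must know the user."""
    return right in acls.get(obj, {}).get(user, "")

class CapabilityMonitor:
    """Reference monitor that issues and checks unforgeable tickets.
    A ticket bundles the object's designation with the rights on it, so
    whoever presents it (including a process it was passed to) is checked
    by the ticket alone, without knowing the holder's identity."""
    def __init__(self):
        self._tickets = {}  # random token -> (object, rights)

    def grant(self, obj, rights):
        token = secrets.token_hex(16)  # 128 random bits: not guessable
        self._tickets[token] = (obj, rights)
        return token

    def check(self, token, obj, right):
        entry = self._tickets.get(token)
        return entry is not None and entry[0] == obj and right in entry[1]

def to_capability_lists(matrix, monitor):
    """Capability list: each user holds one ticket per cell of its row."""
    return {subject: {obj: monitor.grant(obj, rights)
                      for obj, rights in row.items()}
            for subject, row in matrix.items()}

def deputy_write(monitor, ticket, obj):
    """Hypothetical program run on a user's behalf: it can write only to
    the object named by the ticket it was handed (no confused deputy)."""
    return monitor.check(ticket, obj, "w")
```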
ROLE-BASED ACCESS CONTROL
 Access rights need to change as the responsibilities of users change
 Associate permissions with job functions
• Each job defines a set of tasks
• The tasks need permissions
• The permissions define a role
 Ex. Bank Teller
• Read/Write to client accounts
• Cannot create new accounts
• Cannot create a loan
• Role defines only the permissions allowed for the job
ROLE-BASED ACCESS CONTROL
 Model consists of two relationships
• Role-permission assignments
• User-role assignments
 Assign permissions to roles
• These are largely fixed
 Assign a user to the roles they can assume
• These change with each user
• Administrators must manage this relationship
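The two relations of the model as a small class, added here as an example and not taken from the lecture. The roles and permission strings are constructed around the bank-teller example; the teller can read and write accounts but holds neither `account:create` nor `loan:create`, and an administrator changes what a user may do only by changing the user-role relationship.

```python
# Added example (not from the slides): RBAC as role-permission and
# user-role relations. Role and permission names are constructed.
ROLE_PERMS = {
    "teller": {"account:read", "account:write"},
    "account_manager": {"account:read", "account:write", "account:create"},
    "loan_officer": {"account:read", "loan:create"},
}

class Rbac:
    def __init__(self, role_perms):
        # Role-permission assignments: largely fixed once a job is defined
        self.role_perms = {r: set(p) for r, p in role_perms.items()}
        # User-role assignments: change per user, managed by administrators
        self.user_roles = {}

    def assign_role(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user):
        """Permissions reach a user only through the roles they hold."""
        roles = self.user_roles.get(user, ())
        return set().union(*(self.role_perms[r] for r in roles))

    def is_permitted(self, user, permission):
        return permission in self.permissions_of(user)

if __name__ == "__main__":
    rbac = Rbac(ROLE_PERMS)
    rbac.assign_role("alice", "teller")
    print(sorted(rbac.permissions_of("alice")))
    print(rbac.is_permitted("alice", "account:create"))  # teller: denied
```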
LINUX CAPABILITIES