access control
play

Access Control MAC Summary ITS335: IT Security Sirindhorn - PowerPoint PPT Presentation

Jan 14, 2023 •124 likes •400 views

ITS335 Access Control Concepts DAC RBAC Access Control MAC Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 10 October 2013 its335y13s2l04,

  1. ITS335 Access Control Concepts DAC RBAC Access Control MAC Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 10 October 2013 its335y13s2l04, Steve/Courses/2013/s2/its335/lectures/access.tex, r2932 1/26

  2. ITS335 Contents Access Control Concepts Access Control Concepts DAC RBAC MAC Summary Discretionary Access Control Role-Based Access Control Mandatory Access Control Summary 2/26

  3. ITS335 Access Control Access Control Concepts DAC RBAC MAC The prevention of unauthorized use of a resource, including Summary the prevention of use of a resource in an unauthorized manner. — ITU-T Recommendation X.800 “Security architecture for Open Systems Interconnection” 3/26

  4. ITS335 Relationship Among Access Control and Other Access Control Security Functions Concepts DAC RBAC MAC Summary Credit: Figure 4.1 in Stallings and Brown, Computer Security , 2nd Ed., Pearson 2012 4/26

  5. ITS335 Access Control and Other Security Functions Access Control Authentication verification that the credentials of a user or Concepts other entity are valid DAC Authorization granting of a right or permission to a system RBAC entity to access a resource MAC Summary Audit independent review of system records and activities in order to test for adequacy of system control, ensure compliance to policy, detect breaches and recommend changes 5/26

  6. ITS335 Access Control Policies Access Control Discretionary Access Control use identity of requestor and Concepts access rules (that determine what requestor is allowed DAC to do) to control access; entities may allow other RBAC entities to access resources MAC Mandatory Access Control compare security labels with Summary security clearances to determine access; entities cannot grant access to resources to other entities Role-based Access Control roles of users in system and rules for roles are used to control access DAC, MAC and RBAC are not mutually exclusive 6/26

  7. ITS335 General Requirements of Access Control Access Control ◮ Reliable input Concepts ◮ Fine and coarse specifications DAC ◮ Least privilege RBAC MAC ◮ Separation of duty Summary ◮ Open and closed policies ◮ Policy combinations and conflict resolution ◮ Administrative policies ◮ Dual control 7/26

  8. ITS335 Basic Elements of Access Control System Access Control Subject entity capable of access resources Concepts ◮ Often subject is a software process DAC ◮ Classes of subject, e.g. Owner, Group, World RBAC MAC Object resource to which access is controlled Summary ◮ E.g. records, blocks, pages, files, portions of files, directories, email boxes, programs, communication ports Access right describes way in which a subject may access an object ◮ E.g. read, write, execute, delete, create, search 8/26

  9. ITS335 Contents Access Control Concepts Access Control Concepts DAC RBAC MAC Summary Discretionary Access Control Role-Based Access Control Mandatory Access Control Summary 9/26

  10. ITS335 Discretionary Access Control Access Control ◮ DAC: an entity may be granted access rights that Concepts permit the entity, if they choose so, to enable another DAC entity to access a resource RBAC ◮ Common access control scheme in operating systems MAC and database management systems Summary ◮ Access Matrix specifies access rights of subjects on objects ◮ In practice, access matrix is sparse, so implement as either: Access Control Lists (ACL) For each object, list subjects and their access rights Capability Lists For each subject, list objects and the rights the subject have on that object ◮ Alternative implementation: authorization table listing subject, access mode and object; easily implemented in database 10/26

  11. ITS335 Example of DAC Access Matrix Access Control Concepts DAC RBAC MAC Summary Credit: Figure 4.3(a) in Stallings and Brown, Computer Security , 2nd Ed., Pearson 2012 11/26

  12. ITS335 Example of Access Control Lists Access Control Concepts DAC RBAC MAC Summary Credit: Figure 4.3(b) in Stallings and Brown, Computer Security , 2nd Ed., Pearson 2012 12/26

  13. ITS335 Example of Capability Lists Access Control Concepts DAC RBAC MAC Summary Credit: Figure 4.3(c) in Stallings and Brown, Computer Security , 2nd Ed., Pearson 2012 13/26

  14. ITS335 Example of Authorization Table Access Control Concepts Subject Access Mode Object DAC A Own File 1 A Read File 1 RBAC A Write File 1 MAC A Own File 3 Summary A Read File 3 A Write File 3 B Read File 1 B Own File 2 B Read File 2 B Write File 2 B Write File 3 B Read File 4 C Read File 1 C Write File 1 C Read File 2 C Own File 4 C Read File 4 C Write File 4 Credit: Table 4.1 in Stallings and Brown, Computer Security , 2nd Ed., Pearson 2012 14/26

  15. ITS335 Contents Access Control Concepts Access Control Concepts DAC RBAC MAC Summary Discretionary Access Control Role-Based Access Control Mandatory Access Control Summary 15/26

  16. ITS335 Role-Based Access Control Access Control ◮ RBAC: users are assigned to roles; access rights are Concepts assigned to roles DAC ◮ Roles typically job functions and positions within RBAC organisation, e.g. senior financial analyst in a bank, MAC doctor in a hospital Summary ◮ Users may be assigned multiple roles; static or dynamic ◮ Sessions are temporary assignments of user to role(s) ◮ Access control matrix can map users to roles and roles to objects 16/26

  17. ITS335 Example of RBAC Access Control Matrix Access Control Concepts DAC RBAC MAC Summary Credit: Figure 4.8 in Stallings and Brown, Computer Security , 2nd Ed., Pearson 2012 17/26

  18. ITS335 Hierarchies in RBAC Access Control ◮ Hierarchy of an organisation can be reflected in roles Concepts ◮ A higher role includes all access rights of lower role DAC RBAC MAC Summary Credit: Figure 4.10 in Stallings and Brown, Computer Security , 2nd Ed., Pearson 2012 18/26

  19. ITS335 Constraints in RBAC Access Control ◮ Constraints define relationships between roles or Concepts conditions on roles DAC ◮ A higher role includes all access rights of lower role RBAC MAC ◮ Mutually exclusive roles: user can only be assigned to Summary one role in the set ◮ Cardinality: maximum number with respect to roles, e.g. ◮ maximum number of users assigned to a role ◮ maximum number of roles a user can be assigned to ◮ maximum number of roles that can be granted particular access rights ◮ Prerequisite: condition upon which user can be assigned a role, e.g. ◮ user can only be assigned a senior role if already assigned a junior role 19/26

  20. ITS335 Contents Access Control Concepts Access Control Concepts DAC RBAC MAC Summary Discretionary Access Control Role-Based Access Control Mandatory Access Control Summary 20/26

  21. ITS335 Mandatory Access Control Access Control ◮ Based on multilevel security (MLS) Concepts DAC top secret > secret > confidential > restricted > unclassified RBAC MAC ◮ Subject has security clearance of a given level Summary ◮ Object has security classification of a given level ◮ Two required properties for confidentiality: No read up Subject can only read an object of less or equal security level No write down Subject can only write into object of greater or equal security level ◮ Clearance and classification is determine by administrator; users cannot override security policy ◮ Bell-LaPadula model formally defines multilevel security and MAC 21/26

  22. ITS335 Implementations of MAC Access Control ◮ SELinux: Linux kernel modules available to most Linux Concepts distributions (RedHat, Debian, Ubuntu, SuSE, . . . ) DAC ◮ AppArmor: some Linux distributions (Ubuntu, SuSE) RBAC MAC ◮ TrustedBSD: FreeBSD, OpenBSD, OSX, . . . Summary ◮ Mandatory Integrity Control: Vista, Windows 7, Windows 8 22/26

  23. ITS335 Contents Access Control Concepts Access Control Concepts DAC RBAC MAC Summary Discretionary Access Control Role-Based Access Control Mandatory Access Control Summary 23/26

  24. ITS335 Key Points Access Control ◮ Access control to prevent unauthorized use of resources Concepts (objects) by subjects DAC ◮ Subjects are processes on behalf of users and RBAC applications MAC Summary ◮ Classes of subjects: owner, group, world ◮ Objects: files, database records, disk blocks, memory segments, processes, . . . ◮ Access rights: read, write, execute, delete, create, . . . ◮ DAC: access rights may be granted to other subjects (common in operating systems and databases) ◮ RBAC: subjects take on role; access rights assigned to roles ◮ MAC: subjects/objects assigned to levels; subjects cannot modify assignment (e.g. military classification) 24/26

  25. ITS335 Security Issues Access Control ◮ Rely on correct assignment of capabilities/levels to Concepts subjects and objects by human administrator DAC RBAC MAC Summary 25/26

  26. ITS335 Areas To Explore Access Control ◮ Trusted Computing and Trusted Platform Module Concepts (TPM) DAC ◮ Secure Boot RBAC MAC Summary 26/26

Recommend

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a simple, modular approach to networked access control with scalability in mind. Easy management from a central location PC from anywhere with an

196 views • 9 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Multilevel and mandatory access control Stephen McCamant University of

324 views • 10 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following authentication, we need to decide what the subject can access 1 Read F 1 OK 2 Bob Write to F Alice 2 F NO ! 3 Execute G G 3 OK

596 views • 56 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is

Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is

Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is access control? Access control is the part of security that constrains the actions that are performed in a system based on access control rules .

1.4k views • 113 slides
1 Types of Power-Saving MACs The Sensor MAC (S-MAC) Three distinct classes of power-saving

1 Types of Power-Saving MACs The Sensor MAC (S-MAC) Three distinct classes of power-saving

What Is Media Access Control? Media Access Control (MAC) determines who gets access to the shared medium, and when Media Access Control In wired settings, usually just tries to avoid Greg Hackmann contention In wireless settings, can

399 views • 7 slides
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define Access Controls List the four Access Control Models Describe logical Access Control Methods Explain the

128 views • 8 slides
DECENTRALIZED ACCESS CONTROL Sandra Siby EDIC Semester Project (DEDIS) Supervisors: Eleftherios

DECENTRALIZED ACCESS CONTROL Sandra Siby EDIC Semester Project (DEDIS) Supervisors: Eleftherios

DECENTRALIZED ACCESS CONTROL Sandra Siby EDIC Semester Project (DEDIS) Supervisors: Eleftherios Kokoris-Kogias, Prof. Bryan Ford 1 Motivation Access Control: Management of access to a resource Simple access control Static binding

494 views • 24 slides
Security (2) Summer 2016 Cornell University 1 Today Access control DAC MAC 2

Security (2) Summer 2016 Cornell University 1 Today Access control DAC MAC 2

CS 4410 Operating Systems Security (2) Summer 2016 Cornell University 1 Today Access control DAC MAC 2 Access control Confidentiality and integrity are often enforced using access control. Predefined operations are the

649 views • 17 slides
Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based access control Propagated access control lists May 31, 2005 ECS 235, Computer and Information Slide #1 Security Access Control Lists Columns

1.24k views • 80 slides
Access Control for Smart Objects Access Control for Smart Objects Jan Janak, Hyunwoo Nam, Henning

Access Control for Smart Objects Access Control for Smart Objects Jan Janak, Hyunwoo Nam, Henning

IAB Workshop on Smart Object Security Paris, March 2012 Access Control for Smart Objects Access Control for Smart Objects Jan Janak, Hyunwoo Nam, Henning Schulzrinne I R T Columbia University Internet Real-Time Laboratory This work is

57 views • 5 slides
Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System Evaluation Criteria (TCSEC) Background MAC Mandatory Access Control Firm security levels DAC Discretionary Access Control Access

240 views • 6 slides
Access Control Origin Usage Control (UCON) Since the advent of timesharing system The

Access Control Origin Usage Control (UCON) Since the advent of timesharing system The

Access Control Origin Usage Control (UCON) Since the advent of timesharing system The main goal is to selectively determine who can access services, resources, and ISA 767, Secure Electronic Commerce digital contents and Xinwen

313 views • 10 slides
Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides

More recommend