lisa 11 fine grained access control for the puppet
play

LISA 11 Fine-grained access-control for the Puppet configuration - PowerPoint PPT Presentation

Dec 06, 2023 •22 likes •292 views

LISA 11 Fine-grained access-control for the Puppet configuration language Bart Vanbrabant, Joris Peeraer and Wouter Joosen DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium December 7, 2011 1 / 27 Outline Systems configuration

  1. LISA ’11 Fine-grained access-control for the Puppet configuration language Bart Vanbrabant, Joris Peeraer and Wouter Joosen DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium December 7, 2011 1 / 27

  2. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 2 / 27

  3. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 3 / 27

  4. System configuration tools 4 / 27

  5. System configuration tools 5 / 27

  6. System configuration tools 6 / 27

  7. System configuration tools 7 / 27

  8. System configuration tools M a l i c i o u s c o n f i g u r a t i o n 8 / 27

  9. System configuration tools 9 / 27

  10. System configuration tools 10 / 27

  11. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 11 / 27

  12. What is ACHEL? ACHEL manages access to repositories of configuration specification by implementing access control and enforcing workflows • fine-grained access control interpreting the semantics of changes • The actions that needs authorisation are derived automatically • access control is applied at the abstraction level of the configuration specification • support for workflow in federated infrastructures • a (configuration) language agnostic solution 12 / 27

  13. Generating meaningful changes with ACHEL 13 / 27

  14. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 14 / 27

  15. Puppet Authorise changes to the configuration model of a real tool: • System management tool used in production environment • Puppet has an expressive and complex configuration language • Manifests organised in modules • Authorisation based on modules and their file path • Link between contents of module and its name is not enforced 15 / 27

  16. Applying ACHEL to Puppet Steps to authorise changes the ACHEL way: • Aquire the AST from Puppet • AST contains syntax so normalisation is required • Derive to be authorised actions • Submit request to XACML policy engine • Report result of authorisation 16 / 27

  17. AST normalisation Define three users with one statement: user {["bart", "joris", "wouter"]: } Define three users with three statements: user {"bart": } user {"joris": } user {"wouter": } 17 / 27

  18. Prototype Challenges for prototype: • Not all language features supported, some are impossible to support • Prototype extracts AST from Puppet compiler and normalises it • The AST is serialised to XML so XPath can be used in policies • Prototype is integrated in a DVCS (Bazaar) to enforce access control 18 / 27

  19. Example: Adding vhosts Puppet manifest: # Apache-class class apache { ... } # vhost definition define apache::vhost ($document_root) { file {"/etc/apache2/vhosts-available/${name}": ensure => present, docroot => $document_root, } } node a { include apache } 19 / 27

  20. Example: Adding vhosts User Jdoe adds a virtual host: # Apache-class class apache { apache::vhost {"www.example.com": docroot => "/home/jdoe/public_html", } ... } # vhost definition define apache::vhost ($document_root) { file {"/etc/apache2/vhosts-available/${name}": ensure => present, docroot => $document_root, } ... 20 / 27

  21. Example: Adding vhosts Result from matching: * Updated: none * Inserted: Add member: Resource (title:www.example.com, type:apache::vhost) Add parameter: ResourceParam (param:docroot) Add value: String () => /home/jdoe/public_html * Removed: none 21 / 27

  22. Example: Adding vhosts XAMCL policy extract (without the namespace clutter) <Policy> <Description>Apache permissions for webuser</Description> <Target><Subjects><Subject><SubjectMatch> <AttributeValue>webuser</AttributeValue> <SubjectAttributeDesignator AttributeId="subject:role" /> </SubjectMatch></Subject></Subjects></Target> <Rule Effect="Permit"> <Description>Add or remove a vhost</Description> <Target><Resources><Resource><ResourceMatch> <AttributeValue>//pup:*[@type="apache::vhost"]</AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" /> </ResourceMatch></Resource></Resources></Target> </Rule> <Rule Effect="Permit"> <Target><Resources><Resource><ResourceMatch> <AttributeValue>//pup:*[@type="apache::vhost"]/pup:*[@param="docroot"]</AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" /> </ResourceMatch></Resource></Resources></Target> <Condition> <Apply FunctionId="string-starts-with"><Apply FunctionId="string-one-and-only"> <AttributeSelector RequestContextPath="//pup:*[@param=’docroot’]/pup:value/text()" /> </Apply> <Apply FunctionId="string-concatenate"> <AttributeValue>/home/</AttributeValue> <Apply FunctionId="string-one-and-only"> <SubjectAttributeDesignator AttributeId="subject-id" /> </Apply> </Apply></Apply> </Condition> </Rule> </Policy> 22 / 27

  23. Example: Adding vhosts First rule from extract: <Policy> ... <Rule Effect="Permit"> <Description>Add or remove a vhost</Description> <Target><Resources><Resource><ResourceMatch> <AttributeValue>//pup:*[@type="apache::vhost"] </AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" /> </ResourceMatch></Resource></Resources></Target> </Rule> ... </Policy> 23 / 27

  24. Example: Adding vhosts Second rule from extract: <Policy> ... <Rule Effect="Permit"> <Target><Resources><Resource><ResourceMatch> <AttributeValue>//pup:*[@type="apache::vhost"]/pup:*[@param="docroot"]</AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" /> </ResourceMatch></Resource></Resources></Target> <Condition> <Apply FunctionId="string-starts-with"><Apply FunctionId="string-one-and-only"> <AttributeSelector RequestContextPath="//pup:*[@param=’docroot’]/pup:value/text()" /> </Apply> <Apply FunctionId="string-concatenate"> <AttributeValue>/home/</AttributeValue> <Apply FunctionId="string-one-and-only"> <SubjectAttributeDesignator AttributeId="subject-id" /> </Apply> </Apply></Apply> </Condition> </Rule> </Policy> 24 / 27

  25. Use unsupported language constructions • Policy defines what is allowed • Usage of defines or classes can be authorised • Encapsulate unsupported or complex Puppet constructions • Authorise on the container of the unsupported statements 25 / 27

  26. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 26 / 27

  27. Conclusion • ACHEL method supports complex languages • Unsupported languages features using encapsulation • Clean AST required • XACML is powerful but hard to use 27 / 27

Recommend

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples: p g Students can see their own grades Students can see grades of all students in courses they registered for

548 views • 34 slides
Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples:

Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples:

Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples: Students can see their own grades Students can see their own grades Students can see grades of all students in courses they registered for

338 views • 17 slides
On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang,

On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang,

On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang, Ting Yu, Ninghui Li Jorge Lobo, Elisa Bertino Keith Irwin, Ji-Won Byun Outline Introduction Correctness Criteria A Fine-Grained Access

1.21k views • 51 slides
Flexible, fine-grained distributed access control John Mitchell Stanford with Adam Barth, Anupam

Flexible, fine-grained distributed access control John Mitchell Stanford with Adam Barth, Anupam

Flexible, fine-grained distributed access control John Mitchell Stanford with Adam Barth, Anupam Datta, Ninghui Li (Purdue), Helen Nissenbaum (NYU), Will Winsborough, . April 2006 Were all ears What policy concepts are important in

531 views • 20 slides
Fine-grained Data Access Control Systems with User Accountability in Cloud Computing Jin Li 1 ,

Fine-grained Data Access Control Systems with User Accountability in Cloud Computing Jin Li 1 ,

Fine-grained Data Access Control Systems with User Accountability in Cloud Computing Jin Li 1 , Gansen Zhao 2 , and Xiaofeng Chen 3 Chunming Rong 4 , Yong Tang 2 1 Guangzhou University, China South China Normal University 2 3 Xidian University

784 views • 21 slides
Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1

Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1

Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1 Overview Motivation Requirements for Fine-Grained Geocast Location Model for Fine-Grained Geographic Addressing Summary Related Work

752 views • 18 slides
LAMINAR: PRACTICAL FINE-GRAINED DECENTRALIZED INFORMATION FLOW CONTROL (DIFC) Indrajit Roy ,

LAMINAR: PRACTICAL FINE-GRAINED DECENTRALIZED INFORMATION FLOW CONTROL (DIFC) Indrajit Roy ,

LAMINAR: PRACTICAL FINE-GRAINED DECENTRALIZED INFORMATION FLOW CONTROL (DIFC) Indrajit Roy , Donald E. Porter, Michael D. Bond, Kathryn S. McKinley, Emmett Witchel The University of Texas at Austin Untrusted code on trusted data Your

820 views • 45 slides
Copy raising and perception: A fine-grained semantics for raising and control Ash Asudeh &amp;

Copy raising and perception: A fine-grained semantics for raising and control Ash Asudeh &amp;

Copy raising and perception: A fine-grained semantics for raising and control Ash Asudeh &amp; Ida Toivonen Carleton University LAGB 2007, Kings College London 1 Copy raising 1. Louise seems like shes had a rough day. 2. The lawyer

752 views • 43 slides
Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski Anindya Banerjee PLDI 2015 Terminology Coarse-grained Concurrency synchronisation between threads via locks ; Fine-grained

973 views • 72 slides
Parts of Speech More Fine-Grained Classes More

Parts of Speech More Fine-Grained Classes More

Parts of Speech More Fine-Grained Classes More Fine-Grained Classes Actually , I ran home extremely quickly yesterday The closed classes Example of POS tagging The Penn Treebank Part-of-Speech

747 views • 54 slides
Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei Shih Prasun Gera Taesoo Kim Hyesoon Kim Marcus Peinado 26 th USENIX Security Symposium August 17, 2017 Intel Software Guard Extension (SGX)

437 views • 42 slides
Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown

Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown

Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown Zhenlin Wang jshiebel@mtu.edu lebrown@mtu.edu zlwang@mtu.edu Department of Computer Science Michigan Technological University International

544 views • 31 slides
Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP,

Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP,

Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP, University of Surrey, UK http://sketchx.ai Why fine-grained? Dog Dog Dog I am not just a dog Why fine-grained? Husky

615 views • 24 slides
Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information

Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information

Learning Kernel-matrix-based Representation for Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information Technology University of Wollongong, Australia 11-Dec-2019 Introduction Fine-grained image recognition

1.56k views • 58 slides
TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei

TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei

TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei Technologies d3e3e3@gmail.com November 2011 TRILL WG 1 Fine Grained Labeling A way to

469 views • 8 slides
Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH

Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH

Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application access to the minimum amount of data

890 views • 29 slides
Addressing Inter-Class Similarity in Fine-Grained Visual Classification Abhimanyu Dubey

Addressing Inter-Class Similarity in Fine-Grained Visual Classification Abhimanyu Dubey

Addressing Inter-Class Similarity in Fine-Grained Visual Classification Abhimanyu Dubey Collaborators: Nikhil Naik, Ryan Farrell, Otkrist Gupta, Pei Guo, Ramesh Raskar Fine-Grained Visual Classification - Image classification with target

760 views • 35 slides
Fine-Grained Power Modeling for Smartphones Using System Call Tracing Based on paper and

Fine-Grained Power Modeling for Smartphones Using System Call Tracing Based on paper and

Fine-Grained Power Modeling for Smartphones Using System Call Tracing Based on paper and presentation by: Abhinav Pathak, Y. Charlie Hu, Ming Zhang Paramvir Bahl, Yi-Min Wang Damian Rodziewicz Fine-Grained Power Modeling for Smartphones

701 views • 33 slides
Fine Grained Coordinated Parallelism in a Real World Application Mohammad Rezaei, PhD June 2012

Fine Grained Coordinated Parallelism in a Real World Application Mohammad Rezaei, PhD June 2012

Fine Grained Coordinated Parallelism in a Real World Application Mohammad Rezaei, PhD June 2012 1 Outline Types of parallelism Algorithm description Why fine grained parallelism? Concurrency is hard no, its different

419 views • 19 slides
Mesos A Platform for Fine-Grained Resource Sharing in the

Mesos A Platform for Fine-Grained Resource Sharing in the

Mesos A Platform for Fine-Grained Resource Sharing in the Data Center Benjamin Hindman, Andy Konwinski, Matei Zaharia , Ali Ghodsi, Anthony Joseph,

438 views • 32 slides
Enhancing Fine- Grained Parallelism Loop vectorization, Loop distribution, Scalar expansion

Enhancing Fine- Grained Parallelism Loop vectorization, Loop distribution, Scalar expansion

Enhancing Fine- Grained Parallelism Loop vectorization, Loop distribution, Scalar expansion Scalar and array renaming 1 Fine-Grained Parallelism Theorem 2.8. A sequential loop can be converted to a parallel loop if the loop carries no

606 views • 41 slides
Fine-Grained Tracking of Grid Infections Ashish Gehani SRI Basim Baig, Salman Mahmood, Dawood

Fine-Grained Tracking of Grid Infections Ashish Gehani SRI Basim Baig, Salman Mahmood, Dawood

Fine-Grained Tracking of Grid Infections Ashish Gehani SRI Basim Baig, Salman Mahmood, Dawood Tariq, Fareed Zaffar LUMS Fine-Grained Tracking of Grid Infections p. 1/18 Introduction Grid semantics Not middleware-specific Distributed

644 views • 18 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking -

Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking -

Sangman Kim , Michael Z. Lee, Alan M. Dunn, Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking - Bug-prone, hard to maintain Parallelism - OS provides poor support Coarse-grained locking - Reduced

536 views • 34 slides

More recommend