
Access Control Intro, DAC and MAC


deiondre

Presentation Transcript


  1. Access Control Intro, DAC and MAC
     System Security

  2. System Security
     • It is concerned with regulating how entities use resources in a system
     • It consists of two main phases:
       • Authentication: uniquely identifying entities
       • Authorisation: assigning access rights to entities

  3. Authentication Phase
     • It is only concerned with identifying an entity against a known set
     • Assigning a unique identifier to the entity (i.e., user name)
     • Using a secret (supposedly) known only to the specific entity
     • Alternatively, using a unique feature that characterizes the entity

  4. Authorisation Phase
     • Known also as Access Control
     • “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner”
     • It assumes users have been
       • authenticated to the system
       • assigned access rights to certain resources on the system (for instance, by an admin)

  5. Access Control Requirements
     • Reliable Input
       • Authenticated entities
       • Genuine information
     • Least Privilege
       • Entities granted minimum set of access rights
     • Administrative Duties
       • Only a special entity should be able to manage access rights for other entities

  6. Access Control Refinements
     • Separation of Duty
     • Fine vs. Coarse Specifications
     • Open and Closed policies
     • (Automated) Conflict Resolution

  7. Access Control Elements
     • Subject - entity that can access objects
       • a process representing user/application
     • Object - access controlled resource
       • e.g. files, directories, records, programs etc
     • Access right - way in which subject accesses an object
       • e.g. read, write, execute, delete, create, search

  8. Security Modules

  9. Access Control Models
     • Discretionary AC (DAC)
     • Mandatory AC (MAC)
     • Role-based AC (RBAC)
     • Usage Control (UCON)
     • Policy-based Access Control

  10. Discretionary Access Control
     • A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
     • The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to any other subject
     • Subjects are able to assign rights to other subjects on the objects they control
     • Model used in operating systems and DB management systems
     • Often provided using an access matrix

  11. Access Control Matrix

  12. Access Control List

  13. Capability List
     • Capability Myths Demolished: http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf

  14. Access Matrix Details

  15. UNIX Access Control Lists
     • Modern UNIX systems support ACLs
     • Can specify any number of additional users / groups and associated rwx permissions
     • ACLs are optional extensions to standard permissions

  16. Mandatory Access Control
     • Entities cannot enable other entities to access their resources
     • It enforces a lattice between labels assigned to subjects and objects
       • security labels: how sensitive or critical a system resource is
       • security clearances: which entities are eligible to access certain resources

  17. MAC: The Bell-LaPadula Model
     • The main goal is to control the confidentiality of information

  18. MAC Confidentiality Rules
     • Simple Security Property: No Read-Up [diagram label: Read]

  19. MAC Confidentiality Rules
     • *(Star)-property: No Write-Down [diagram label: Write]

  20. MAC Confidentiality Rules
     • Strong *(Star)-property: No Write-Down & No Write-Up [diagram label: Write]

  21. MAC: Biba Integrity Model
     • The main goal is to control the integrity of information

  22. MAC Integrity Rules
     • Simple Integrity Axiom: No Read Down [diagram label: Read]

  23. MAC Integrity Rules
     • *(Star)-Integrity Axiom: No Write Up [diagram label: Write]

  24. Where is MAC used
     • BLP: Implemented the multi-level security policy for US Department of Defense
     • BIBA: Implemented in the FreeBSD MAC policy
     • A combined version of BLP and BIBA is used in Android

  25. Summary
     • Introduced access control principles
       • subjects, objects, access rights
     • Discretionary Access Control
       • access matrix, access control lists (ACLs), capability tickets
       • UNIX traditional and ACL mechanisms
     • Mandatory Access Control
       • Bell-LaPadula
       • Biba

  26. Resources
     • Chapter 8 in Mark Stamp, Information Security: Principles and Practice, Wiley 2011.
     • Matt Bishop, Computer Security: Art and Science, Addison-Wesley 2003.

  27. Questions?
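
Added example for slides 10 to 14 (not part of the original presentation): a sparse access matrix whose columns are read out as access control lists and whose rows are read out as capability lists, with a discretionary grant step. The `own` right, the class and method names, and the sample subjects and file are assumptions made for illustration; "controls the object" is modelled as holding `own`.

```python
from collections import defaultdict

class AccessMatrix:
    """Sparse access matrix: (subject, object) -> set of access rights."""

    def __init__(self):
        self.cells = defaultdict(set)

    def create(self, owner, obj, rights=("own", "read", "write")):
        # Assumption: the creator receives an "own" right on the new object.
        self.cells[(owner, obj)] |= set(rights)

    def check(self, subject, obj, right):
        # .get avoids creating empty cells for subjects never granted anything.
        return right in self.cells.get((subject, obj), set())

    def grant(self, grantor, grantee, obj, right):
        # The discretionary step: a subject that controls the object passes a right on.
        if not self.check(grantor, obj, "own"):
            raise PermissionError(f"{grantor} does not control {obj}")
        self.cells[(grantee, obj)].add(right)

    def acl(self, obj):
        # Column of the matrix, stored with the object.
        return {s: sorted(r) for (s, o), r in self.cells.items() if o == obj}

    def capabilities(self, subject):
        # Row of the matrix, held by the subject.
        return {o: sorted(r) for (s, o), r in self.cells.items() if s == subject}

def demo():
    # Constructed sample subjects and object.
    m = AccessMatrix()
    m.create("alice", "report.txt")
    m.grant("alice", "bob", "report.txt", "read")
    try:
        m.grant("bob", "carol", "report.txt", "read")  # bob holds read, not own
        bob_could_delegate = True
    except PermissionError:
        bob_could_delegate = False
    return m.acl("report.txt"), m.capabilities("bob"), bob_could_delegate

if __name__ == "__main__":
    print(demo())
```

The same cells answer both questions: the ACL is what an auditor reads to see who can reach an object, and the capability list is what to review when a subject's account is compromised.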
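
Added example for slides 16 to 23 (not part of the original presentation): the Bell-LaPadula and Biba rules written as checks over a label lattice. It goes slightly beyond the slides by giving each label a set of categories as well as a level, so that two labels can be incomparable; the level names, categories and object names are constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # Lattice order: level at least as high AND a superset of the categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def blp_allows(subject, obj, op, strong_star=False):
    """Bell-LaPadula: protects confidentiality."""
    if op == "read":                       # simple security property: no read-up
        return subject.dominates(obj)
    if op == "write":
        if strong_star:                    # strong *-property: write at own label only
            return subject == obj
        return obj.dominates(subject)      # *-property: no write-down
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject, obj, op):
    """Biba: protects integrity; the two checks are the duals of BLP's."""
    if op == "read":                       # simple integrity axiom: no read-down
        return obj.dominates(subject)
    if op == "write":                      # *-integrity axiom: no write-up
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op}")

def decisions(check, subject, objects, **kw):
    # Map each object name to (read allowed, write allowed) for this subject.
    return {n: (check(subject, l, "read", **kw), check(subject, l, "write", **kw))
            for n, l in objects.items()}

# Constructed labels for illustration.
SUBJECT = Label("secret", frozenset({"crypto"}))
OBJECTS = {
    "memo": Label("confidential"),
    "plan": Label("top-secret", frozenset({"crypto"})),
    "peer": Label("secret", frozenset({"crypto"})),
    "other": Label("secret", frozenset({"nuclear"})),
}

if __name__ == "__main__":
    for name, check in (("BLP", blp_allows), ("Biba", biba_allows)):
        print(name, decisions(check, SUBJECT, OBJECTS))
```

The `other` object sits at the subject's own level but in a different category, so neither label dominates the other and both models deny read and write.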
