
Access Control (ITS335: IT Security, Sirindhorn International Institute of Technology) - PowerPoint PPT Presentation



  1. Access Control (ITS335: IT Security)
     Sirindhorn International Institute of Technology, Thammasat University
     Prepared by Steven Gordon on 10 October 2013
     its335y13s2l04, Steve/Courses/2013/s2/its335/lectures/access.tex, r2932

  2. Contents
     Access Control Concepts
     Discretionary Access Control
     Role-Based Access Control
     Mandatory Access Control
     Summary

  3. Access Control
     The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
     — ITU-T Recommendation X.800, "Security architecture for Open Systems Interconnection"

  4. Relationship Among Access Control and Other Security Functions
     Credit: Figure 4.1 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012

  5. Access Control and Other Security Functions
     Authentication: verification that the credentials of a user or other entity are valid
     Authorization: granting of a right or permission to a system entity to access a resource
     Audit: independent review of system records and activities in order to test for adequacy of system control, ensure compliance to policy, detect breaches and recommend changes

  6. Access Control Policies
     Discretionary Access Control: use identity of requestor and access rules (that determine what the requestor is allowed to do) to control access; entities may allow other entities to access resources
     Mandatory Access Control: compare security labels with security clearances to determine access; entities cannot grant access to resources to other entities
     Role-based Access Control: roles of users in the system and rules for roles are used to control access
     DAC, MAC and RBAC are not mutually exclusive

  7. General Requirements of Access Control
     ◮ Reliable input
     ◮ Fine and coarse specifications
     ◮ Least privilege
     ◮ Separation of duty
     ◮ Open and closed policies
     ◮ Policy combinations and conflict resolution
     ◮ Administrative policies
     ◮ Dual control

  8. Basic Elements of an Access Control System
     Subject: entity capable of accessing resources
       ◮ Often the subject is a software process
       ◮ Classes of subject, e.g. Owner, Group, World
     Object: resource to which access is controlled
       ◮ E.g. records, blocks, pages, files, portions of files, directories, email boxes, programs, communication ports
     Access right: describes the way in which a subject may access an object
       ◮ E.g. read, write, execute, delete, create, search

  9. Contents (section divider; same outline as slide 2)

  10. Discretionary Access Control
     ◮ DAC: an entity may be granted access rights that permit the entity, if it so chooses, to enable another entity to access a resource
     ◮ Common access control scheme in operating systems and database management systems
     ◮ Access Matrix specifies access rights of subjects on objects
     ◮ In practice, the access matrix is sparse, so implement it as either:
       Access Control Lists (ACL): for each object, list subjects and their access rights
       Capability Lists: for each subject, list objects and the rights the subject has on that object
     ◮ Alternative implementation: authorization table listing subject, access mode and object; easily implemented in a database

  11. Example of DAC Access Matrix
     Credit: Figure 4.3(a) in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012

  12. Example of Access Control Lists
     Credit: Figure 4.3(b) in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012

  13. Example of Capability Lists
     Credit: Figure 4.3(c) in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012

  14. Example of Authorization Table

     Subject  Access Mode  Object
     A        Own          File 1
     A        Read         File 1
     A        Write        File 1
     A        Own          File 3
     A        Read         File 3
     A        Write        File 3
     B        Read         File 1
     B        Own          File 2
     B        Read         File 2
     B        Write        File 2
     B        Write        File 3
     B        Read         File 4
     C        Read         File 1
     C        Write        File 1
     C        Read         File 2
     C        Own          File 4
     C        Read         File 4
     C        Write        File 4

     Credit: Table 4.1 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012
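The three DAC representations from slides 10 and 14 side by side, as an added example that is not part of the lecture: the authorization table rows above are the input, and the code derives the ACL (per-object) and capability-list (per-subject) views of the same sparse access matrix, plus a closed-policy authorization check.

```python
from collections import defaultdict

# Rows copied from the slide (Table 4.1 in Stallings and Brown): (subject, access mode, object).
AUTHORIZATION_TABLE = [
    ("A", "Own", "File 1"), ("A", "Read", "File 1"), ("A", "Write", "File 1"),
    ("A", "Own", "File 3"), ("A", "Read", "File 3"), ("A", "Write", "File 3"),
    ("B", "Read", "File 1"), ("B", "Own", "File 2"), ("B", "Read", "File 2"),
    ("B", "Write", "File 2"), ("B", "Write", "File 3"), ("B", "Read", "File 4"),
    ("C", "Read", "File 1"), ("C", "Write", "File 1"), ("C", "Read", "File 2"),
    ("C", "Own", "File 4"), ("C", "Read", "File 4"), ("C", "Write", "File 4"),
]


def access_control_lists(table):
    """ACL view (one column of the access matrix): per object, which subjects hold which rights."""
    acl = defaultdict(lambda: defaultdict(set))
    for subject, mode, obj in table:
        acl[obj][subject].add(mode)
    return {o: dict(subs) for o, subs in acl.items()}


def capability_lists(table):
    """Capability view (one row of the access matrix): per subject, its objects and rights."""
    caps = defaultdict(lambda: defaultdict(set))
    for subject, mode, obj in table:
        caps[subject][obj].add(mode)
    return {s: dict(objs) for s, objs in caps.items()}


def is_authorized(table, subject, mode, obj):
    """Closed-policy decision: a request is allowed only if a matching row exists."""
    return (subject, mode, obj) in set(table)


def sparsity(table):
    """Fraction of empty (subject, object) cells: why the matrix is not stored densely."""
    subjects = {s for s, _, _ in table}
    objects = {o for _, _, o in table}
    filled = {(s, o) for s, _, o in table}
    return 1 - len(filled) / (len(subjects) * len(objects))


if __name__ == "__main__":
    for obj, entries in sorted(access_control_lists(AUTHORIZATION_TABLE).items()):
        print(obj, {s: sorted(r) for s, r in entries.items()})
    print("empty cells:", sparsity(AUTHORIZATION_TABLE))  # 0.25 for this table
```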

  15. Contents (section divider; same outline as slide 2)

  16. Role-Based Access Control
     ◮ RBAC: users are assigned to roles; access rights are assigned to roles
     ◮ Roles are typically job functions and positions within an organisation, e.g. senior financial analyst in a bank, doctor in a hospital
     ◮ Users may be assigned multiple roles; static or dynamic
     ◮ Sessions are temporary assignments of a user to role(s)
     ◮ Access control matrix can map users to roles and roles to objects

  17. Example of RBAC Access Control Matrix
     Credit: Figure 4.8 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012

  18. Hierarchies in RBAC
     ◮ Hierarchy of an organisation can be reflected in roles
     ◮ A higher role includes all access rights of a lower role
     Credit: Figure 4.10 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012

  19. Constraints in RBAC
     ◮ Constraints define relationships between roles or conditions on roles
     ◮ A higher role includes all access rights of a lower role
     ◮ Mutually exclusive roles: user can only be assigned to one role in the set
     ◮ Cardinality: maximum number with respect to roles, e.g.
       ◮ maximum number of users assigned to a role
       ◮ maximum number of roles a user can be assigned to
       ◮ maximum number of roles that can be granted particular access rights
     ◮ Prerequisite: condition upon which a user can be assigned a role, e.g.
       ◮ user can only be assigned a senior role if already assigned a junior role
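A small RBAC policy engine covering slides 16, 18 and 19, as an added example that is not part of the lecture: users hold roles, roles hold rights, a senior role inherits the rights of the junior roles below it, and role assignment is checked against the three constraint types on slide 19 (mutually exclusive roles, cardinality, prerequisite). Role, user and object names used with it are constructed.

```python
class RbacPolicy:
    """Roles hold rights; users hold roles; a senior role inherits its juniors' rights."""

    def __init__(self):
        self.role_rights = {}   # role -> {(access_mode, object)}
        self.juniors = {}       # senior role -> {junior roles it inherits from}
        self.user_roles = {}    # user -> {roles currently assigned}
        self.exclusive = []     # sets of mutually exclusive roles
        self.max_users = {}     # role -> cardinality limit on assigned users
        self.prerequisite = {}  # role -> role the user must already hold

    def add_role(self, role, rights=(), inherits=()):
        self.role_rights[role] = set(rights)
        self.juniors[role] = set(inherits)

    def effective_rights(self, role):
        """Rights of the role plus everything inherited down the hierarchy."""
        seen, stack, rights = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            rights |= self.role_rights[r]
            stack.extend(self.juniors[r])
        return rights

    def assign(self, user, role):
        """Assign a role to a user, enforcing constraints; returns None or a refusal reason."""
        if role not in self.role_rights:
            return "unknown role"
        held = self.user_roles.setdefault(user, set())
        for group in self.exclusive:  # mutually exclusive roles
            if role in group and held & (group - {role}):
                return "mutually exclusive with a role the user already holds"
        need = self.prerequisite.get(role)  # prerequisite role
        if need is not None and need not in held:
            return f"prerequisite role {need} not held"
        limit = self.max_users.get(role)  # cardinality: users per role
        holders = sum(role in roles for roles in self.user_roles.values())
        if limit is not None and holders >= limit:
            return "cardinality limit reached"
        held.add(role)
        return None

    def check(self, user, mode, obj):
        """Authorize a request: allowed if any role the user holds grants (mode, obj)."""
        return any((mode, obj) in self.effective_rights(r)
                   for r in self.user_roles.get(user, ()))
```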

  20. Contents (section divider; same outline as slide 2)

  21. Mandatory Access Control
     ◮ Based on multilevel security (MLS): top secret > secret > confidential > restricted > unclassified
     ◮ Subject has a security clearance of a given level
     ◮ Object has a security classification of a given level
     ◮ Two required properties for confidentiality:
       No read up: subject can only read an object of lower or equal security level
       No write down: subject can only write into an object of greater or equal security level
     ◮ Clearance and classification are determined by the administrator; users cannot override the security policy
     ◮ Bell-LaPadula model formally defines multilevel security and MAC
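The two Bell-LaPadula confidentiality properties on this slide as a small reference monitor, an added example that is not part of the lecture: the five levels are ordered as on the slide, clearances and classifications are fixed by an administrator, and can_copy shows why both rules together stop a subject moving data to a lower level. Subject and object names are constructed.

```python
LEVELS = ["unclassified", "restricted", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}  # higher index = more sensitive


class MacMonitor:
    """Reference monitor for the two confidentiality properties on the slide."""

    def __init__(self, clearances, classifications):
        # Both maps are fixed by the administrator; subjects cannot change them.
        self.clearance = dict(clearances)            # subject -> level
        self.classification = dict(classifications)  # object -> level

    def can_read(self, subject, obj):
        # No read up: object classification must be <= subject clearance.
        return RANK[self.classification[obj]] <= RANK[self.clearance[subject]]

    def can_write(self, subject, obj):
        # No write down: object classification must be >= subject clearance.
        return RANK[self.classification[obj]] >= RANK[self.clearance[subject]]

    def decide(self, subject, mode, obj):
        if mode == "read":
            return self.can_read(subject, obj)
        if mode == "write":
            return self.can_write(subject, obj)
        raise ValueError(f"unknown access mode {mode!r}")

    def can_copy(self, subject, src, dst):
        # Moving data src -> dst through this subject needs read(src) and write(dst);
        # the two properties together forbid any flow to a lower level.
        return self.can_read(subject, src) and self.can_write(subject, dst)

    def relabel(self, requester, obj, new_level):
        # Only the administrator may change a label; any other requester is refused.
        if requester != "admin" or new_level not in RANK:
            return False
        self.classification[obj] = new_level
        return True
```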

  22. Implementations of MAC
     ◮ SELinux: Linux kernel modules available to most Linux distributions (RedHat, Debian, Ubuntu, SuSE, . . . )
     ◮ AppArmor: some Linux distributions (Ubuntu, SuSE)
     ◮ TrustedBSD: FreeBSD, OpenBSD, OSX, . . .
     ◮ Mandatory Integrity Control: Vista, Windows 7, Windows 8

  23. Contents (section divider; same outline as slide 2)

  24. Key Points
     ◮ Access control prevents unauthorized use of resources (objects) by subjects
     ◮ Subjects are processes acting on behalf of users and applications
     ◮ Classes of subjects: owner, group, world
     ◮ Objects: files, database records, disk blocks, memory segments, processes, . . .
     ◮ Access rights: read, write, execute, delete, create, . . .
     ◮ DAC: access rights may be granted to other subjects (common in operating systems and databases)
     ◮ RBAC: subjects take on a role; access rights are assigned to roles
     ◮ MAC: subjects/objects are assigned to levels; subjects cannot modify the assignment (e.g. military classification)

  25. Security Issues
     ◮ Rely on correct assignment of capabilities/levels to subjects and objects by a human administrator

  26. Areas To Explore
     ◮ Trusted Computing and Trusted Platform Module (TPM)
     ◮ Secure Boot
