
Lecture 4 - Authorization, CMPSC 443 - Spring 2012



  1. Lecture 4 - Authorization
     CMPSC 443 - Spring 2012, Introduction to Computer and Network Security
     Professor Jaeger
     www.cse.psu.edu/~tjaeger/cse443-s12/
     CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  2. Why authenticate?
     • Why do we want to verify the identity of a user?

  3. A Brief History
     • Early computing systems had no isolation
       – Shared memory space
       – Shared file space
     • Some physical limitations made this OK
       – Batch processing
       – Load the tape/disk for the application
       – Network? What network?
     • In the mid-60s people started to work on 'multiuser' or 'time-sharing' systems
       – What about a bug?
       – What about my data?

  4. Multiprogrammed Systems
     • Multics project
       – AT&T, MIT, Honeywell, etc.
       – General purpose, multi-user system
       – Comprehensive security
         • Hardware protection
         • Subject labeling
         • Permission management
     • UNIX project
       – Spin-off of Multics project
         • When AT&T left
       – A stripped-down multiuser system

  5. Control Access
     • An identity permits access to resources
     • In computer security this is called
       – Access control
       – Authorization
     • In authorization, we talk about:
       – Subjects (for whom an action is performed)
       – Objects (upon what an action is performed)
       – Operations (the type of action performed)
     • Authorization limits a subject's access to perform an operation on an object
       – The combination of an object and the operations allowed on it is called a permission

  6. Access Matrix
     • Describe all possible accesses
       – Operations of (S2,O2)
       – E.g., read, write, execute
     • Specify which users' processes can access which files
     • Necessary to specify policy to protect users

            O1   O2   O3
       S1   Y    Y    N
       S2   N    Y    N
       S3   N    Y    Y

  7. Access Control Lists
     • System stores
       – Which operations can subjects perform
       – For each object
     • Advantage: Makes you think about how to protect each object
       – Also, easier to confine subjects as we'll discuss later
     • Disadvantage: Cannot tell what permissions a particular subject has without looking at each object
       – Process always uses all of its permissions, as we'll discuss later

            O1   O2   O3
       S1   Y    Y    N
       S2   N    Y    N
       S3   N    Y    Y

  8. Capabilities
     • System stores
       – Which operations can be performed on each object
       – For each subject
     • Advantages and disadvantages are reverse of ACL case, naturally

            O1   O2   O3
       S1   Y    Y    N
       S2   N    Y    N
       S3   N    Y    Y
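
An added example, not part of the original slides: the Y/N matrix from slides 6-8 stored as ACLs (one list per object, the column view) and as capability lists (one list per subject, the row view), with the audit cost each representation imposes. The operation name "read" standing in for each Y cell is an assumption.

```python
from collections import defaultdict

# Access matrix from the slides: Y/N cells for subjects S1-S3, objects O1-O3.
# Assumption for illustration: every Y cell grants the single operation "read".
SUBJECTS = ["S1", "S2", "S3"]
OBJECTS = ["O1", "O2", "O3"]
GRID = {"S1": "YYN", "S2": "NYN", "S3": "NYY"}
MATRIX = {(s, o): ({"read"} if GRID[s][j] == "Y" else set())
          for s in SUBJECTS for j, o in enumerate(OBJECTS)}

def to_acls(matrix):
    """Column view: each object stores {subject: operations}."""
    acls = defaultdict(dict)
    for (s, o), ops in matrix.items():
        if ops:
            acls[o][s] = set(ops)
    return dict(acls)

def to_capabilities(matrix):
    """Row view: each subject stores {object: operations}."""
    caps = defaultdict(dict)
    for (s, o), ops in matrix.items():
        if ops:
            caps[s][o] = set(ops)
    return dict(caps)

def authorized(acls, subject, obj, op):
    """ACL check with default deny: the object's list must name subject and op."""
    return op in acls.get(obj, {}).get(subject, set())

def subject_permissions_from_acls(acls, subject):
    """ACL disadvantage: auditing one subject means visiting every object's list."""
    visited, perms = 0, {}
    for obj, acl in acls.items():
        visited += 1
        if subject in acl:
            perms[obj] = acl[subject]
    return perms, visited

def object_holders_from_capabilities(caps, obj):
    """Reverse problem for capabilities: auditing one object visits every subject."""
    visited, holders = 0, set()
    for subject, clist in caps.items():
        visited += 1
        if obj in clist:
            holders.add(subject)
    return holders, visited
```
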

  9. Authentication and Access
     • Authenticate user
       – E.g., login and ssh
       – Verify password or ...
     • Create processes with appropriate identity (subject)
       – E.g., UNIX user id
     • Limit access of these processes using subject
       – E.g., Access control of files based on subject
     • Protect one user from another

  10. Sharing in the Access Matrix
     • How do you give someone access to your file?
     • Access matrix also has management permissions
       – owner permission
     • A subject with owner permission can
       – Give another user permissions to an object
       – Even the owner permission itself
     • This seems necessary, right?

            O1   O2   O3
       S1   Y    Y    N
       S2   N    Y    N
       S3   N    Y    Y

  11. Authorization Challenges
     • Sounds pretty easy, but there are several challenges
       – What's an object?
       – What's an operation?
       – What's a subject?
       – Who's going to manage permissions?

  12. Operating Systems and Authorization
     • Traditionally, all true authorization was performed by operating systems
       – But, that is no longer the case
     • Operating systems are not fully trusted
       – Commercial operating systems are immense
       – Thus, system trust is being focused on lower layers (VMM, microkernel, ...)
     • Security-critical decisions are often made by user-space programs
       – We depend on several now (X, Apache, DBs, DBus, ...)
     • Applications may span multiple hosts, so Internet services do authorization

  13. Objects
     • What's an object?
       – OS: Many things are files
       – Although not all
     • Different software components have their own objects
       – Virtualization
       – Microkernels
       – X Windows
       – Database
       – Apache
       – Logrotate
       – Clouds
       – Social Networks

  14. Operations
     • What's an operation?
       – OS: System call
       – Well, not really because many things can happen in a single system call
         • What happens on a file open?
     • Security-sensitive operations
       – Any operation that may impact the security of your system
         • Confidentiality, Integrity, Availability
       – A little bit imprecise, but enables some interaction between subjects
     • Lots of security-sensitive operations
       – Communication between VMs
       – Cut-and-paste between windows
       – Update a database record
       – Post a message to a social network

  15. Subjects
     • What's a subject?
       – OS: System (root/administrator) and Regular Users (you and me)
       – However, even for operating systems this distinction is unsatisfactory
         • System is too coarse
         • User is too coarse/fine
     • Why is system too coarse?
       – Might that be the same problem for users?
     • Do users even matter to operating systems anymore?
       – How many users on your devices?

  16. Who Are You?
     • Identity vs. Permission

  17. Root/Administrative User
     • Subjects with full system access
       – Initialize the system
       – Modify the kernel
       – Install software
     • Need extra permissions to perform administrative tasks
       – Ends up being a lot of processes
     • All are part of the trusted computing base

  18. Regular Users
     • An unprivileged user
       – However, all your processes run with the same permissions
     • What are all the programs that you run?
       – Should they all have full access to any file you can access?
     • Sandboxing
       – Run a program with a subset of your permissions

  19. Role-Based Access Control
     • Associate permissions with job functions
       – Each job defines a set of tasks
       – The tasks need permissions
       – The permissions define a role
     • Bank Teller
       – Read/Write to client accounts
       – Cannot create new accounts
       – Cannot create a loan
       – Role defines only the permissions allowed for the job
     • What kind of jobs can we define permission sets for?

  20. Role-based Access Control
     • Model consists of two relationships
       – Role-permission assignments
       – User-role assignments
     • Assign permissions to roles
       – These are largely fixed
     • Assign a user to the roles they can assume
       – These change with each user
       – Administrators must manage this relationship
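
An added example, not part of the original slides: the two RBAC relationships from slides 19-20 as separate tables, using the bank teller role. The user name "alice", the second role "loan_officer" and the object type names are assumptions made for illustration.

```python
# Role-permission assignments: largely fixed. A permission is an
# (operation, object type) pair. "loan_officer" is a hypothetical second role.
ROLE_PERMS = {
    "teller": {("read", "client_account"), ("write", "client_account")},
    "loan_officer": {("read", "client_account"), ("create", "loan")},
}

class RBAC:
    def __init__(self, role_perms):
        self.role_perms = {r: frozenset(p) for r, p in role_perms.items()}
        self.user_roles = {}  # user-role assignments, managed by administrators

    def assign(self, user, role):
        """Administrator action: let a user assume a known role."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        """Administrator action: remove a user-role assignment."""
        self.user_roles.get(user, set()).discard(role)

    def assume(self, user, role):
        """Start a session in one role the user is assigned to."""
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} may not assume {role}")
        return (user, role)

    def check(self, session, operation, obj):
        """Default deny: the active role must still be assigned and hold the permission."""
        user, role = session
        if role not in self.user_roles.get(user, set()):
            return False  # assignment was revoked after the session started
        return (operation, obj) in self.role_perms[role]
```

The teller's "cannot create" rules need no explicit deny entries: anything absent from the role's permission set is refused.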

  21. Managing Access Control
     • Who's going to manage?
       – Formerly, you (and your programs)
       – But, then it was easy
         • Subjects: All, Group, Just You
         • Operations: Read, Write, Execute
       – But, this approach does not provide security
     • Now, we have gone overboard
       – Models with multiple types of subjects, objects, operations are common
       – Policies with 10,000+ rules
     • Too complex for users -- even system admins
       – OS Distributors can write fixed permissions
       – But what if we need to change permissions?
     • Make the programmer manage it?

  22. Take Away
     • We have just looked at the most common mechanisms
       – Password Authentication
       – User-based Authorization
     • There are a slew of problems with each
     • But, this is what the world uses
       – What can we do?
     That Is the Topic of This Course
