lisa 09 federated access control and workflow enforcement
play

LISA 09 Federated access control and workflow enforcement in - PowerPoint PPT Presentation

Dec 26, 2022 •448 likes •852 views

LISA 09 Federated access control and workflow enforcement in systems configuration Bart Vanbrabant, Thomas Delaet and Wouter Joosen DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium November 6, 2009 1 / 40 Outline Systems

  1. LISA ’09 Federated access control and workflow enforcement in systems configuration Bart Vanbrabant, Thomas Delaet and Wouter Joosen DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium November 6, 2009 1 / 40

  2. Outline Systems configuration Context Problems Our solution: ACHEL Access control and workflow Generating meaningful changes Prototype Evaluation Case 1 Case 2 Conclusion 2 / 40

  3. Outline Systems configuration Context Problems Our solution: ACHEL Access control and workflow Generating meaningful changes Prototype Evaluation Case 1 Case 2 Conclusion 3 / 40

  4. System configuration tools 4 / 40

  5. System configuration tools 5 / 40

  6. System configuration tools 6 / 40

  7. System configuration tools 7 / 40

  8. System configuration tools M a l i c i o u s c o n f i g u r a t i o n 8 / 40

  9. System configuration tools 9 / 40

  10. State of practice in access control Access control rules [@netadmins] lib = r hosts = r lib/ lib/net = rw net/ dhcp.cf [@senior] routing.cf = rw web/ cluster.cf [@mail] ... lib/mail = rw mail/ lib/file = rw ... file/ [userA] ... hosts/verdana.cs.kuleuven.be.cf = rw hosts/ verdana.cs.kuleuven.be.cf clio.cs.kuleuven.be.cf ... 10 / 40

  11. State of practice in access control UserA can not be trusted Some global network configuration! hosts/verdana.cs.kuleuven.be.cf 11 / 40

  12. Workflow Dev repository Q&A repository Updates approved by security officer Production repository 12 / 40

  13. Federated infrastructures Central Repository Site 1 Site 3 Site 4 Site 2 Repository Repository Repository Repository 13 / 40

  14. Outline Systems configuration Context Problems Our solution: ACHEL Access control and workflow Generating meaningful changes Prototype Evaluation Case 1 Case 2 Conclusion 14 / 40

  15. What is ACHEL? ACHEL manages access to repositories of configuration specification by implementing access control and enforcing workflows • fine-grained acccess control interpreting the semantics of changes • access control is applied at the abstraction level of the configuration specification • support for workflow in federated infrastructures • a (configuration) language agnostic solution 15 / 40

  16. Update 1: an allowed change 16 / 40

  17. Update 1: an allowed change Current specification for managing the motd file written by Bart: motd_file = File() motd_file.name = "/etc/motd" motd_file.content = "Welcome to $hostname" motd_file.owner = "root" motd_file.group = "root" motd_file.perm = "0644" 17 / 40

  18. Update 1: an allowed change Thomas changes the content of the motd file: motd_file = File() motd_file.name = "/etc/motd" motd_file.content = template("motd.tmpl") motd_file.owner = "root" motd_file.group = "root" motd_file.perm = "0644" 18 / 40

  19. Update 1: an allowed change Access control policy # list of admins update { define admins as action => modify bart.vanbrabant@cs.kuleuven.be, operation => assign wouter.joosen@cs.kuleuven.be lhs => motd_file.content rhs => template("motd.tmpl") # allow admins to create the motd old_rhs => "Welcome to $hostname" allow admins to: * assign File() to motd_file owner => bart.vanbrabant@cs.kuleuven.be * assign "/etc/motd" to motd_file.name author => thomas.delaet@cs.kuleuven.be } # allow everyone to manage the motd allow to : * assign * to motd_file.content # demand approval by an admin to change # the permissions (all other attributes) allow to: /(add|modify)/ assign * to motd_file.* authorised by 1 admins 19 / 40

  20. Update 1: an allowed change Output from our prototype for the motd example: Rev 1 has 6 changes and 0 signatures allowed bart.vanbrabant@cs.kuleuven.be to add assign "/etc/motd" to motd_file.name allowed bart.vanbrabant@cs.kuleuven.be to add assign "Welcome at $hostname" to motd_file.content allowed bart.vanbrabant@cs.kuleuven.be to add assign "root" to motd_file.group allowed bart.vanbrabant@cs.kuleuven.be to add assign File() to motd_file allowed bart.vanbrabant@cs.kuleuven.be to add assign "root" to motd_file.owner allowed bart.vanbrabant@cs.kuleuven.be to add assign "0644" to motd_file.perm Rev 2 has 1 changes and 0 signatures allowed thomas.delaet@cs.kuleuven.be to modify assign template("motd.tmpl") to motd_file.content 20 / 40

  21. Update 1: an allowed change 21 / 40

  22. Update 2: a change requiring authorisation 22 / 40

  23. Update 2: a change requiring authorisation Thomas changes the permissions of the motd file: motd_file = File() motd_file.name = "/etc/motd" motd_file.content = template("motd.tmpl") motd_file.owner = "root" motd_file.group = "wheel" motd_file.perm = "0644" 23 / 40

  24. Update 2: a change requiring authorisation Access control policy # list of admins update { define admins as action => modify bart.vanbrabant@cs.kuleuven.be, operation => assign wouter.joosen@cs.kuleuven.be lhs => motd_file.group rhs => "wheel" # allow admins to create the motd old_rhs => "root" allow admins to: * assign File() to motd_file owner => bart.vanbrabant@cs.kuleuven.be * assign "/etc/motd" to motd_file.name author => thomas.delaet@cs.kuleuven.be } # allow everyone to manage the motd allow to : * assign * to motd_file.content # demand approval by an admin to change # the permissions (all other attributes) allow to: /(add|modify)/ assign * to motd_file.* authorised by 1 admins 24 / 40

  25. Update 2: a change requiring authorisation Output from our prototype for the motd example: Rev 1 has 6 changes and 0 signatures allowed bart.vanbrabant@cs.kuleuven.be to add assign "/etc/motd" to motd_file.name allowed bart.vanbrabant@cs.kuleuven.be to add assign "Welcome at $hostname" to motd_file.content allowed bart.vanbrabant@cs.kuleuven.be to add assign "root" to motd_file.group allowed bart.vanbrabant@cs.kuleuven.be to add assign File() to motd_file allowed bart.vanbrabant@cs.kuleuven.be to add assign "root" to motd_file.owner allowed bart.vanbrabant@cs.kuleuven.be to add assign "0644" to motd_file.perm Rev 2 has 1 changes and 0 signatures allowed thomas.delaet@cs.kuleuven.be to modify assign template("motd.tmpl") to motd_file.content Rev 3 has 1 changes and 0 signatures authorisation (1) required for thomas.delaet@cs.kuleuven.be to modify assign "wheel" to motd_file.group owned by bart.vanbrabant@cs.kuleuven.be 25 / 40

  26. Update 2: a change requiring authorisation 26 / 40

  27. Generating meaningful changes 27 / 40

  28. Generating meaningful changes Compilation Tree matching Abstract syntax tree 21 11 new Config file revision 13 22 12 15 24 23 14 Config file Edit script generation Abstract Version repository syntax tree added = { 24 } modified = { 13 -> 22 } deleted = { 12, 15 } Algorithm based on: • Meaningful change detection in structured data. CHAWATHE AND GARCIA-MOLINE. 1997 • Change Distilling: Tree Differencing for Fine-Grained Source Code Change Extraction. FLURI, WUERSCH, PINZGER AND GALL. 2007 28 / 40

  29. Outline Systems configuration Context Problems Our solution: ACHEL Access control and workflow Generating meaningful changes Prototype Evaluation Case 1 Case 2 Conclusion 29 / 40

  30. Prototype Prototype in Python • built on Mercurial • simple configuration language and BCFG2 for deployment • PGP for signatures and authentication • access control language using regular expressions for pattern matching 30 / 40

  31. Outline Systems configuration Context Problems Our solution: ACHEL Access control and workflow Generating meaningful changes Prototype Evaluation Case 1 Case 2 Conclusion 31 / 40

  32. Case 1: access control and simple workflow • Small infrastructure • Team with junior and senior sysadmins • Enforce responsibilities • Enforce coding guidelines • Manage network configuration 32 / 40

  33. Case 1: access rules # enforce some conventions on everyone deny to : * assign File() to /^[^_]+_(?!file_)[\S]+$/ * assign Package() to /^[^_]+_(?!pkg_)[\S]+$/ * assign Service() to /^[^_]+_(?!service_)[\S]+$/ * assign Directory() to /^[^_]+_(?!dir_)[\S]+$/ * assign Symlink() to /^[^_]+_(?!ln_)[\S]+$/ * assign Permissions() to /^[^_]+_(?!perm_)[\S]+$/ # senior admins can do anything else allow senioradmin to : * * * # allow admins to do everything if a senior admins approves allow to : * * * authorised by 1 senioradmin # network related configuration deny netadmins to : # deny files other then those in /etc/network * assign /^(?!\/etc\/network\/)\S+/ to /^net_file_\w+\.name$/ # deny services other then dhcpd and network * assign /^(?!(dhcpd$|network$))\w+$/ to /^net_service_\w+\.name$/ allow netadmins to : * import /^dhcp/ # allow adding a list of values to the net_dhcp_clients list * add /^\[[^\]]$/ to /^net_dhcp_clients$/ # allow only variables prefixed with net (ignore rhs) * assign * to /^(?!net_)\S+$/ 33 / 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Access Control Enforcement Access Control Enforcement for Conversation- -based based for

Access Control Enforcement Access Control Enforcement for Conversation- -based based for

The Cyber Center The Cyber Center Access Control Enforcement Access Control Enforcement for Conversation- -based based for Conversation Web Services Web Services Massimo Mecella * Mourad Ouzzani Univ. Roma LA SAPIENZA, Italy Purdue

375 views • 26 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Lets get a federated identity Do you have access to your email? Youll need a valid email

Lets get a federated identity Do you have access to your email? Youll need a valid email

Lets get a federated identity Do you have access to your email? Youll need a valid email address Intro to Federated Identity Do you have an account from Protect Network or Twitter You can skip ahead! EuroCAMP Training for

104 views • 7 slides
LISA 11 Fine-grained access-control for the Puppet configuration language Bart Vanbrabant,

LISA 11 Fine-grained access-control for the Puppet configuration language Bart Vanbrabant,

LISA 11 Fine-grained access-control for the Puppet configuration language Bart Vanbrabant, Joris Peeraer and Wouter Joosen DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium December 7, 2011 1 / 27 Outline Systems configuration

292 views • 27 slides
Federated Access to Multimedia Content Ajay Daryanani Middleware Engineer RedIRIS Zurich, 30th

Federated Access to Multimedia Content Ajay Daryanani Middleware Engineer RedIRIS Zurich, 30th

Federated Access to Multimedia Content Ajay Daryanani Middleware Engineer RedIRIS Zurich, 30th January 2009 1st Media Management and Distribution Workshop 1 Outline 1. Federated access to content Requirements Approaches 2. Additions

257 views • 25 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current Status Adoption of Federated Identity and Access Control is one of the top priorities for the lab Crucial for our success with DUNE,

403 views • 13 slides
EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and

EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and

EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and Access Control Mark van de Sanden SARA, The Netherlands Terena VAMP workshop Utrecht, 6-7 September 2012 Outline Project Core Services

435 views • 16 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cdric Favre(1,2), Hagen Vlzer(1), Peter Mller(2) (1) IBM Research - Zurich (2) ETH Zurich 1 Outline Problem - Control-flow analysis

624 views • 44 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
APPLICATIONS 1. Automatic toll collection 2. Traffic law enforcement 3. Parking lot access

APPLICATIONS 1. Automatic toll collection 2. Traffic law enforcement 3. Parking lot access

A UTOMATIC L ICENSE P LATE R ECOGNITION (ALPR) ON EMBEDDED SYSTEM Presented by Guanghan APPLICATIONS 1. Automatic toll collection 2. Traffic law enforcement 3. Parking lot access control 4. Road traffic monitoring ALPR SYSTEM : SEVERAL STAGES

550 views • 23 slides
Lisa Busch QC and Dr Ashley Bowes Introduction by Lisa Busch QC Fairness and access to justice

Lisa Busch QC and Dr Ashley Bowes Introduction by Lisa Busch QC Fairness and access to justice

Lisa Busch QC and Dr Ashley Bowes Introduction by Lisa Busch QC Fairness and access to justice Why does it matter? In principle In practice The approach of the Courts March 2020 and two differing approaches: PINS The Court

548 views • 34 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
AIRS Science Accomplishments Version 4.0/ Plans for Version 5 H. H. Aumann Jet Propulsion

AIRS Science Accomplishments Version 4.0/ Plans for Version 5 H. H. Aumann Jet Propulsion

AIRS Science Accomplishments Version 4.0/ Plans for Version 5 H. H. Aumann Jet Propulsion Laboratory California Institute of Technology Pasadena, California 91109 H. H. Aumann AIRS/AMSU/HSB Spacecraft: Spacecraft: EOS Aqua EOS Aqua

496 views • 28 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
AI Large Practical Alan Smaill School of Informatics Oct 4, 2017 Alan Smaill AI Large

AI Large Practical Alan Smaill School of Informatics Oct 4, 2017 Alan Smaill AI Large

N I V E U R S E I H T T Y O H F G R E U D I B N AI Large Practical Alan Smaill School of Informatics Oct 4, 2017 Alan Smaill AI Large Practical Oct 4, 2017 1/10 AILP: Assignment 2 N I V E U R S E I H T T

512 views • 11 slides
Alchemy the modern healthcare manager. The highest leel of management is creation. Alchemy

Alchemy the modern healthcare manager. The highest leel of management is creation. Alchemy

Basic Concepts Alchemy is an ancient art and science that can contribute many valuable insights to Alchemy the modern healthcare manager. The highest leel of management is creation. Alchemy is the science of The Science of

632 views • 6 slides
Impacts of Inoperability at Inland Waterway Ports and Network Kash Barker, PhD , Raghav Pant, Hiba

Impacts of Inoperability at Inland Waterway Ports and Network Kash Barker, PhD , Raghav Pant, Hiba

Interdependent, Multi-regional Impacts of Inoperability at Inland Waterway Ports and Network Kash Barker, PhD , Raghav Pant, Hiba Baroud, Thomas L. Landers, PhD Maritime Risk Symposium 2011 Piscataway, New Jersey November 7-9, 2011 Research

841 views • 34 slides
Probabilistic Planning 2: Exogenous events Jim Blythe November 11th Recap: uncertainty from

Probabilistic Planning 2: Exogenous events Jim Blythe November 11th Recap: uncertainty from

Probabilistic Planning 2: Exogenous events Jim Blythe November 11th Recap: uncertainty from external change External agents might be changing the world while we execute our plan. Me Me X X CS 541 Probabilistic planning 2 Representing

237 views • 20 slides
Bristol City Docks review project Vision We want Bristol City Docks to be A commercial

Bristol City Docks review project Vision We want Bristol City Docks to be A commercial

BUSINESS CHANGE Title Bristol City Docks review project Vision We want Bristol City Docks to be A commercial success Safe and welcoming for all A place for innovation and creativity A world class tourist destination We

105 views • 9 slides
Session Loading 5 Dock I Audacious Prayer How to pray Like a Juggernaut -

Session Loading 5 Dock I Audacious Prayer How to pray Like a Juggernaut -

I Session Loading 5 Dock I Audacious Prayer How to pray Like a Juggernaut - massive, inexorable force, - often unstoppable 1 Audacious Prayer How to pray Like a Juggernaut a large overpowering force in

464 views • 11 slides

More recommend