CS687 - Access Control 1 Spring 2013
-
5/27/2018 CS687 - Access Control 1 Spring 2013
New in this term
Access control in Windows
Access control in Unix (already there)
Active Directory and authorization
Group policy in Windows (not sure yet if it fits in here).
LDAP
HiLCoE School of Computer Science & Technology
-
CS687 Information Systems Security
Access Control
-
Course objectives
Professional career
Research orientation
Certification
Technical security (Main focus)
Managerial security
-
CS687: Information Systems Security
Course Outline
1. Introduction
2. Security Threats and Vulnerabilities
3. Malicious Software
4. Hacking
5. Cryptography
6. Access Control
7. Authentication
8. Network Security
9. Application Security
10. Firewalls and Intrusion Detection System
11. Operational Security
12. Topics in Information Systems Security
-
Text Book
William Stallings & Lawrie Brown,
Computer Security: Principles and
Practice, Pearson, 2008
-
References
Bruce Schneier, Applied Cryptography: Protocols, Algorithms, [], Second Edition, Wiley Student Edition, 2006
Stuart McClure et al, Hacking Exposed, McGraw Hill, 2009
-
Access
Access is the ability to do something with a computer resource.
-
Resources to protect
Files
Programs
Computers
Communication ports
Printers and other peripherals
Disks
etc
-
Access to Whom
o Individual users or processes on their behalf
o Servers, machines
o Group of users/entities
o finance department, etc
o Public
o Anonymous
-
Access Roles
o In certain cases, access is defined by functional assignment rather than a specific user:
E.g. Manager, CEO, CIO, Operator, Administrator, etc
o See Role Based Access Control (RBAC)
o Auditing, however, is done per the individual's account
-
Access Restrictions
Locations: Access to particular system resources may also be based upon physical or logical location.
Time of access: Time-of-day or day-of-week restrictions are common limitations on access.
Transaction: Access may be granted for a limited duration to do a very restricted task. E.g. accessing /etc/passwd to change a password
-
Common Access Rights
Read access provides users with the capability to view information in a system resource (such as a file, certain records, certain fields, or a combination), but not to alter it.
Write access allows users to add to, modify, or delete information in system resources (e.g., files, records, programs). Normally a user has read access to anything they have write access to.
-
Access Rights/Privileges
Execute privilege allows users to run programs.
Delete access allows users to erase system resources (e.g., files, records, fields, programs). Note that if users have write access but not delete access, they could overwrite the field or file with anything, effectively deleting the information.
-
Access Rights/Privileges
Create access allows users to create new files, records, or fields.
Search access allows users to list the files in a directory.
-
Access Rights In DB
Select
Insert
Update
Create
Delete
-
Resources in DB
Database
Table
Column
Field
Stored procedure
-
Access Control
Access control is a mechanism to enforce access policies on resources.
-
AC Protects
Confidential information from being disclosed to unauthorized individuals.
Operating systems and other system software from unauthorized modification or manipulation (and thereby help ensure the system's integrity and availability);
Availability of information by restricting the number of users and processes
-
Placement of Access Control
It depends on the resources to which access is to be restricted
Operating systems
Applications
Database systems
etc
-
Discretionary Access Control
DAC is a type of access control whereby the entity (i.e. subject) is allowed to define and change its access rights.
Many UNIX varieties use DAC since they allow owners to set and unset access rights on files and directories.
Note, however, that some aspects of UNIX access control are set centrally by the superuser. An example is x and s access to some program files.
-
Mandatory Access Control
A mandatory access control (MAC) is a type
of access control whereby access is defined
based on regulations by a central authority.
The philosophy underlying these policies is
that information belongs to an organization
(rather than individual members of it), and it
is that organization which should define the
access control.
E.g. Unix System V
-
Representing and Implementing AC
-
Access Control Matrix
The access control matrix model is the most precise model used, which describes the rights of subjects over resources in a matrix.
-
ACM: Example
        File1                   File2         File3                   File4
User1   read, write, execute    execute       read                    write
User2   execute                 read, write   read, write, execute    read
-
ACM: Questions
Adding and deleting ACM entries: who has
the right to add and delete privileges.
Default privileges
Undefined entries
Inconsistencies
Management issues (for the admin)
Re-adjusting access rights, etc
-
ACL
ACL is a simplified implementation of ACM on a column basis. In other words, access privileges are kept by the objects (i.e. column-wise in the matrix). A good example is a file system in UNIX, where the access rights are implemented per file (i.e. object).
-
Capability
A simplified implementation of ACM on a row basis. Each subject maintains an unforgeable list of the rights it has to objects.
-
ACL vs Capability
Both implementations make certain questions easier to answer than others. For example, it is easy in an ACL implementation to find the set of all subjects who may read a file, but it is difficult to find the set of all files that a subject may read.
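Added example (not part of the original slides): the matrix from the "ACM: Example" slide stored column-wise as ACLs and row-wise as capability lists, with the two queries compared above. The function names are illustrative assumptions.

```python
# The ACM from the "ACM: Example" slide: subject -> object -> set of rights.
ACM = {
    "User1": {"File1": {"read", "write", "execute"}, "File2": {"execute"},
              "File3": {"read"}, "File4": {"write"}},
    "User2": {"File1": {"execute"}, "File2": {"read", "write"},
              "File3": {"read", "write", "execute"}, "File4": {"read"}},
}

def to_acls(acm):
    """Column-wise view: each object keeps {subject: rights}."""
    acls = {}
    for subject, row in acm.items():
        for obj, rights in row.items():
            if rights:  # empty/undefined entries are left out (default deny)
                acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def to_capabilities(acm):
    """Row-wise view: each subject keeps {object: rights}."""
    return {s: {o: set(r) for o, r in row.items() if r}
            for s, row in acm.items()}

def subjects_with(acls, obj, right):
    """Easy with ACLs: a single lookup on the object's list."""
    return sorted(s for s, r in acls.get(obj, {}).items() if right in r)

def objects_with_via_acl(acls, subject, right):
    """Hard with ACLs: every object's list has to be scanned."""
    return sorted(o for o, acl in acls.items()
                  if right in acl.get(subject, ()))

def objects_with_via_cap(caps, subject, right):
    """Easy with capabilities: a single lookup on the subject's list."""
    return sorted(o for o, r in caps.get(subject, {}).items() if right in r)

def allowed(acls, subject, obj, right):
    """Reference check: anything not listed is denied."""
    return right in acls.get(obj, {}).get(subject, set())

if __name__ == "__main__":
    acls, caps = to_acls(ACM), to_capabilities(ACM)
    print("may read File3:", subjects_with(acls, "File3", "read"))
    print("User1 may read:", objects_with_via_cap(caps, "User1", "read"))
    print("User2 write File1?", allowed(acls, "User2", "File1", "write"))
```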
-
Constrained User Interface
Often used in conjunction with ACLs are constrained user interfaces, which restrict users' access to specific functions by never allowing them to request the use of information, functions, or other specific system resources for which they do not have access. Three major types exist: (1) menus, (2) database views, and (3) physically constrained user interfaces.
-
Menus ..
Menus can be used to implement AC by allowing and disallowing certain activities depending on the access rights of users.
-
Database View
Database views are a mechanism for restricting user access to data contained in a database. It may be necessary to allow a user to access a database, but that user may not need access to all the data in the database (e.g., not all fields of a record nor all records in the database).
-
Physically
Physically constrained user interfaces can also limit a user's abilities. A common example is an ATM machine, which provides only a limited number of physical buttons to select options; no alphabetic keyboard is usually present.
-
AC in Unix
Subjects are processes that execute
on behalf of users
Objects are all considered as files: files, directories, devices, etc
Access rights are: read, write, execute, but also SetUID and SetGID
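Added example (not part of the original slides): how a Unix-style check picks one permission class (owner, group or other) for a process, and what the SetUID and SetGID bits do to the effective IDs when a program file is executed. The UIDs, GIDs and modes are constructed sample values; the superuser bypass, POSIX ACLs and mount options such as nosuid are not modeled.

```python
import stat

RIGHT_BITS = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"owner": 6, "group": 3, "other": 0}

def permission_class(uid, gids, owner, group):
    """Pick exactly one class; the first match wins, with no fall-through."""
    if uid == owner:
        return "owner"
    if group in gids:
        return "group"
    return "other"

def unix_allows(uid, gids, owner, group, mode, want):
    """True if every right in `want` (e.g. "rw") is set for the matched class."""
    shift = CLASS_SHIFT[permission_class(uid, gids, owner, group)]
    granted = (mode >> shift) & 0o7
    needed = 0
    for right in want:
        needed |= RIGHT_BITS[right]
    return granted & needed == needed

def ids_after_exec(uid, gid, owner, group, mode):
    """Effective (uid, gid) of the process once it runs the program file."""
    euid = owner if mode & stat.S_ISUID else uid
    egid = group if mode & stat.S_ISGID else gid
    return euid, egid

def describe(mode):
    """Render the mode the way `ls -l` does for a regular file."""
    return stat.filemode(stat.S_IFREG | mode)

if __name__ == "__main__":
    # Constructed case 1: mode 0047 denies the owner what "other" is granted,
    # because only the owner class is consulted for the owner.
    print(describe(0o047), unix_allows(1000, {1000}, 1000, 1000, 0o047, "r"))
    # Constructed case 2: a root-owned SetUID program run by uid 1000.
    mode = 0o4755
    print(describe(mode),
          unix_allows(1000, {1000}, 0, 0, mode, "x"),
          ids_after_exec(1000, 1000, 0, 0, mode))
```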
-
Reading Assignment
Access Control in Linux.
-
Reading Assignment
Access Control in MS Windows.
-
Reading Assignment
Role Based Access Control in MS SQL Server.