Access Control Intro, DAC and MAC
Access Control Intro, DAC and MAC
System Security
System Security
• It is concerned with regulating how entities use resources in a system
• It consists of two main phases:
  • Authentication: uniquely identifying entities
  • Authorisation: assigning access rights to entities
Authentication Phase
• It is only concerned with identifying an entity against a known set
  • Assigning a unique identifier to the entity (i.e., user name)
  • Using a secret (supposedly) known only to the specific entity
  • Alternatively, using a unique feature that characterizes the entity
Authorisation Phase
• Known also as Access Control
• “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner”
• It assumes users have been
  • authenticated to the system
  • assigned access rights to certain resources on the system (for instance, by an admin)
Access Control Requirements
• Reliable Input
  • Authenticated entities
  • Genuine information
• Least Privilege
  • Entities granted minimum set of access rights
• Administrative Duties
  • Only a special entity should be able to manage access rights for other entities
Access Control Refinements
• Separation of Duty
• Fine vs. Coarse Specifications
• Open and Closed policies
• (Automated) Conflict Resolution
Access Control Elements
• Subject - entity that can access objects
  • a process representing user/application
• Object - access controlled resource
  • e.g. files, directories, records, programs etc.
• Access right - way in which subject accesses an object
  • e.g. read, write, execute, delete, create, search
Security Modules
Access Control Models
• Discretionary AC (DAC)
• Mandatory AC (MAC)
• Role-based AC (RBAC)
• Usage Control (UCON)
• Policy-based Access Control
Discretionary Access Control
• A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
• The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to any other subject
• Subjects are able to assign rights to other subjects on the objects they control
• Model used in operating systems and DB management systems
• Often provided using an access matrix
Access Control Matrix
Access Control List
Capability List
Capability Myths Demolished: http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf
Access Matrix Details
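
The access matrix, its ACL (column) and capability-list (row) views, and the discretionary "pass a permission on" rule from the DAC slide can be modelled in a few lines. This is an added example, not part of the original slides; the subjects, file names and the `AccessMatrix` class are constructed for illustration.

```python
from collections import defaultdict

class AccessMatrix:
    """Sparse access matrix: (subject, object) -> set of access rights."""

    def __init__(self):
        self.cells = defaultdict(set)

    def create(self, owner, obj):
        # The creating subject controls the object and starts with all rights.
        self.cells[(owner, obj)] |= {"own", "read", "write"}

    def check(self, subject, obj, right):
        # .get() avoids creating empty cells for subjects that were never granted anything.
        return right in self.cells.get((subject, obj), set())

    def grant(self, granter, grantee, obj, right):
        # Discretionary rule as stated on the slide: a subject holding a
        # permission may pass that permission on to any other subject.
        if not self.check(granter, obj, right):
            raise PermissionError(f"{granter} does not hold {right} on {obj}")
        self.cells[(grantee, obj)].add(right)

    def acl(self, obj):
        # Column of the matrix: kept with the object, lists subjects and rights.
        return {s: sorted(r) for (s, o), r in self.cells.items() if o == obj}

    def capabilities(self, subject):
        # Row of the matrix: kept with the subject, lists objects and rights.
        return {o: sorted(r) for (s, o), r in self.cells.items() if s == subject}

def demo():
    m = AccessMatrix()
    m.create("alice", "report.txt")
    m.create("bob", "notes.txt")
    m.grant("alice", "bob", "report.txt", "read")
    # bob re-delegates without alice being involved: rights spread beyond
    # what the owner decided, which is the weakness MAC removes.
    m.grant("bob", "carol", "report.txt", "read")
    try:
        m.grant("carol", "dave", "report.txt", "write")  # carol holds only read
        denied = False
    except PermissionError:
        denied = True
    return m, denied

if __name__ == "__main__":
    matrix, denied = demo()
    print("ACL of report.txt:", matrix.acl("report.txt"))
    print("bob's capabilities:", matrix.capabilities("bob"))
    print("carol -> dave write grant denied:", denied)
```

Auditing who can reach an object is a single lookup in the ACL view, while revoking everything one subject holds is a single lookup in the capability view.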
UNIX Access Control Lists
• Modern UNIX systems support ACLs
• Can specify any number of additional users / groups and associated rwx permissions
• ACLs are optional extensions to standard permissions
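
How the additional user and group entries combine with the standard owner/group/other permissions is easiest to see in the access check itself. The sketch below is an added example, not from the slides, and goes beyond them: it follows the POSIX.1e draft check order used by Linux ACLs (owner, named user, group class, other, with the mask capping named and group entries). The ACL text, user names and group names are constructed.

```python
# Constructed ACL in getfacl-style short text form for a file owned by alice:staff.
ACL_TEXT = "user::rw-,user:bob:rw-,group::r--,group:audit:rw-,mask::r--,other::---"

def parse_acl(text):
    """Parse entries such as 'user:bob:rw-' into a dict of permission sets."""
    acl = {"user": {}, "group": {}, "mask": None, "other": set()}
    for entry in text.split(","):
        tag, qualifier, perms = entry.strip().split(":")
        rights = {p for p in perms if p != "-"}
        if tag in ("user", "group"):
            acl[tag][qualifier] = rights   # empty qualifier = file owner / owning group
        elif tag == "mask":
            acl["mask"] = rights
        else:
            acl["other"] = rights
    return acl

def allowed(acl, owner, owning_group, uid, gids, want):
    """Return True if uid (member of gids) gets every permission in want."""
    want = set(want)
    mask = acl["mask"] if acl["mask"] is not None else {"r", "w", "x"}
    if uid == owner:
        return want <= acl["user"][""]             # owner entry is never masked
    if uid in acl["user"]:
        return want <= (acl["user"][uid] & mask)   # named user, capped by mask
    matched = []
    if owning_group in gids:
        matched.append(acl["group"].get("", set()))
    matched += [r for g, r in acl["group"].items() if g and g in gids]
    if matched:
        # Any matching group entry may grant; if none does, access is denied
        # and the check does NOT fall through to "other".
        return any(want <= (r & mask) for r in matched)
    return want <= acl["other"]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for uid, gids, want in [("alice", {"staff"}, "w"), ("bob", {"users"}, "w"),
                            ("carol", {"audit"}, "r"), ("dave", {"users"}, "r")]:
        print(uid, want, allowed(acl, "alice", "staff", uid, gids, want))
```

The entries for bob and the audit group both say `rw-`, but the mask `r--` reduces their effective rights to read only, which is why an ACL review has to look at the mask and not just the named entries.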
Mandatory Access Control
• Entities cannot enable other entities to access their resources
• It enforces a lattice between labels assigned to subjects and objects
  • security labels: how sensitive or critical a system resource is
  • security clearances: which entities are eligible to access certain resources
MAC: The Bell-LaPadula Model
The main goal is to control the confidentiality of information
MAC Confidentiality Rules
Simple Security Property: No Read-Up
MAC Confidentiality Rules
*(Star)-property: No Write-Down
MAC Confidentiality Rules
Strong *(Star)-property: No Write-Down & No Write-Up
MAC: Biba Integrity Model
The main goal is to control the integrity of information
MAC Integrity Rules
Simple Integrity Axiom: No Read Down
MAC Integrity Rules
*(Star)-Integrity Axiom: No Write Up
Where is MAC used
• BLP: Implemented the multi-level security policy for US Department of Defense
• BIBA: Implemented in the FreeBSD MAC policy
• A combined version of BLP and BIBA is used in Android
Summary
• Introduced access control principles
  • subjects, objects, access rights
• Discretionary Access Control
  • access matrix, access control lists (ACLs), capability tickets
  • UNIX traditional and ACL mechanisms
• Mandatory Access Control
  • Bell-LaPadula
  • Biba
Resources
• Chapter 8 in Mark Stamp, Information Security: Principles and Practice, Wiley 2011.
• Matt Bishop, Computer Security: Art and Science, Addison-Wesley 2003.
Questions?