Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Slides:



Advertisements
Similar presentations
Lecture 13 Page 1 CS 111 Online File Systems: Introduction CS 111 On-Line MS Program Operating Systems Peter Reiher.
Advertisements

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
Lecture 7 Access Control
Present by Napasakorn Sukjay Poom Samaharn
Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.
Lecture 17 Page 1 CS 111 Spring 2015 Operating System Security CS 111 Operating Systems Peter Reiher.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Lecture 15 Page 1 CS 236 Online Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Cryptography, Authentication and Digital Signatures
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
Lecture 13 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 17 Page 1 CS 236 Online Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.
G53SEC 1 Access Control principals, objects and their operations.
Access Control. What is Access Control? The ability to allow only authorized users, programs or processes system or resource access The ability to disallow.
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
Security CS Introduction to Operating Systems.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
Lecture 15 Page 1 CS 236 Online Prolog to Lecture 15 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 7 Page 1 CS 236 Online Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
Access Control Lesson Introduction ●Understand the importance of access control ●Explore ways in which access control can be implemented ●Understand how.
Lecture 17 Page 1 CS 111 Fall 2015 Operating System Security CS 111 Operating Systems Peter Reiher.
Secure Operating Systems Lesson F: Capability Based Systems.
Presented by: Dr. Munam Ali Shah
Lecture 16 Page 1 CS 188,Winter 2015 Security in Distributed Systems CS 188 Distributed Systems March 5, 2015.
Lecture 3 Page 1 CS 136, Fall 2010 Security Mechanisms CS 136 Computer Security Peter Reiher September 30, 2010.
Lecture 14 Page 1 CS 111 Summer 2013 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.
Lecture 3 Page 1 CS 136, Winter 2010 Security Mechanisms CS 136 Computer Security Peter Reiher January 12, 2010.
Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Lecture 14 Page 1 CS 111 Online File Systems: Naming, Reliability, and Advanced Issues CS 111 On-Line MS Program Operating Systems Peter Reiher.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
Lecture 2 Page 1 CS 136, Spring 2016 Security Principles, Policies, and Tools CS 136 Computer Security Peter Reiher March 31, 2016.
Access Controls Mandatory Access Control by Sean Dalton December 5 th 2008.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Lecture 2 Page 1 CS 136, Fall 2011 Security Principles, Policies, and Tools CS 136 Computer Security Peter Reiher September 27, 2011.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Outline The basic authentication problem
Outline Security design principles Security policies Basic concepts
Capabilities Each subject keeps a set of data items that specify his allowable accesses Essentially, a set of tickets Possession of the capability for.
Outline Basic concepts in computer security
Security+ All-In-One Edition Chapter 1 – General Security Concepts
Secure Software and the Law
Outline What does the OS protect? Authentication for operating systems
Outline Security design principles Security policies Basic concepts
Outline What does the OS protect? Authentication for operating systems
CE Operating Systems Lecture 21
Outline Security tools Access control. Security Mechanisms CS 136 Computer Security Peter Reiher April 7, 2009.
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Access Control What’s New?
Access Control Dr. X Parenthesis: before we dive deeper into crypto, we will explore and old but still valid security principle, access controls.
Presentation transcript:

Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Lecture 3 Page 2 CS 236 Online Outline Security tools Access control

Lecture 3 Page 3 CS 236 Online Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense

Lecture 3 Page 4 CS 236 Online Physical Security Lock up your computer –Actually, sometimes a good answer But what about networking? –Networks poke a hole in the locked door In any case, lack of physical security often makes other measures pointless

Lecture 3 Page 5 CS 236 Online Access Controls Only let authorized parties access the system A lot trickier than it sounds Particularly in a network environment Once data is outside your system, how can you continue to control it? –Again, of concern in network environments

Lecture 3 Page 6 CS 236 Online Encryption Algorithms to hide the content of data or communications Only those knowing a secret can decrypt the protection One of the most important tools in computer security –But not a panacea Covered in more detail later in class

Lecture 3 Page 7 CS 236 Online Authentication Methods of ensuring that someone is who they say they are Vital for access control But also vital for many other purposes Often (but not always) based on encryption

Lecture 3 Page 8 CS 236 Online Encapsulation Methods of allowing outsiders limited access to your resources Let them use or access some things –But not everything Simple, in concept Extremely challenging, in practice

Lecture 3 Page 9 CS 236 Online Intrusion Detection All security methods sometimes fail When they do, notice that something is wrong And take steps to correct the problem Reactive, not preventative –But unrealistic to believe any prevention is certain Must be automatic to be really useful

Lecture 3 Page 10 CS 236 Online Common Sense A lot of problems arise because people don’t like to think The best security tools generally fail if people use them badly If the easiest way in is to fool people, that’s what attackers will do

Lecture 3 Page 11 CS 236 Online The Depressing Truth Ultimately, computer security is a losing battle Nothing will ever work 100% Nothing will work forever All your efforts will eventually be undone It’s like housework – doing it doesn’t make the house clean tomorrow, but not doing it guarantees the house is dirty today

Lecture 3 Page 12 CS 236 Online Access Control Security could be easy –If we didn’t want anyone to get access to anything The trick is giving access to only the right people How do we ensure that a given resource can only be accessed by the proper people?

Lecture 3 Page 13 CS 236 Online Goals for Access Control Complete mediation Least privilege Useful in a networked environment Scalability Cost and usability

Lecture 3 Page 14 CS 236 Online Access Control Mechanisms Directories Access control lists Capabilities Access control matrices

Lecture 3 Page 15 CS 236 Online The Language of Access Control Subjects are active entities that want to gain access to something –E.g., users or programs Objects represent things that can be accessed –E.g., files, devices, database records Access is any form of interaction with an object An entity can be both subject and object

Lecture 3 Page 16 CS 236 Online Directories Each user has a list of the items he can access –With the associated rights When a user wants to access an item, look it up in his directory

Lecture 3 Page 17 CS 236 Online Problems With the Directory Approach Per-user directories get very large –Overhead and performance problems Universal revocation of access Pseudonym problems Works poorly in networks This method is not widely used

Lecture 3 Page 18 CS 236 Online Access Control Lists For each protected resource, maintain a single list Each list entry specifies a user who can access the resource –And the allowable modes of access When a user requests access to a resource, check the access control list (ACL)

Lecture 3 Page 19 CS 236 Online ACL Objects and Subjects In ACL terminology, the resources being protected are objects The entities attempting to access them are subjects –Allowing finer granularity of control than per-user

Lecture 3 Page 20 CS 236 Online ACL Example An operating system example: –Using ACLs to protect a file User (Subject) A is allowed to read and write to the file User (Subject) B may only read from it User (Subject) C may not access it

Lecture 3 Page 21 CS 236 Online write An ACL Protecting a File File X ACL for file X A read write B C none Subject ASubject BSubject C read denied

Lecture 3 Page 22 CS 236 Online Issues for Access Control Lists How do you know the requestor is who he says he is? How do you protect the access control list from modification? How do you determine what resources a user can access?

Lecture 3 Page 23 CS 236 Online ACLs in Practice Unix file permissions are a limited form of an ACL –Only owner, group, and all can have ACL entries –Only read/write/execute controls are available Other systems (modern Windows, Linux, Solaris) have more general ACL mechanisms

Lecture 3 Page 24 CS 236 Online ACLs and Wildcards Can specify a whole range of subjects who share same access rights to object E.g., “all members of the software development team can read this file” Shortens the lists But leads to questions of conflicts

Lecture 3 Page 25 CS 236 Online Conflicts in ACLs What if a given subject matches more than one rule in an ACL?

Lecture 3 Page 26 CS 236 Online ACL Conflict Example Accounts receivable Bob Fred Nancy Accountants BobRW Accountant R Can Bob write this file? write

Lecture 3 Page 27 CS 236 Online How To Handle ACL Conflicts Give most liberal rights Give most restrictive rights Deal with list in order –Giving first rights found –Or last rights found Any of these solutions might be best in particular circumstances

Lecture 3 Page 28 CS 236 Online Handling Conflicts in an Example System In standard Unix file access permissions, determine identity –Owner, group member, other Test only rights for the highest group If I own the file, test owner rights –Even if I’m in the group and group rights are more liberal

Lecture 3 Page 29 CS 236 Online Pros and Cons of ACLs +Easy to figure out who can access a resource +Easy to revoke or change access permissions –Hard to figure out what a subject can access –Changing access rights requires getting to the object

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.