Discretionary Access Control (DAC)

Slides:



Advertisements
Similar presentations
INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
Advertisements

LECTURE 1 ACCESS CONTROL Ravi Sandhu.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Jan. 2014Dr. Yangjun Chen ACS Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )
1 Authentication with Passwords Prof. Ravi Sandhu Executive Director and Endowed Chair February 1, © Ravi.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013
Access Control Methodologies
CSC 405 Introduction to Computer Security
Database Management System
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
Chapter 5 Database Application Security Models
NS-H /11041 System Security. NS-H /11042 Authentication Verifying the identity of another entity Two interesting cases (for this class): –Computer.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Li Xiong CS573 Data Privacy and Security Access Control.
CS426Fall 2010/Lecture 191 Computer Security CS 426 Lecture 19 Discretionary Access Control.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Controlling Files Richard Newman based on Smith “Elementary Information Security”
CSCE 201 Introduction to Information Security Fall 2010 Access Control.
1 Grand Challenges in Authorization Systems Prof. Ravi Sandhu Executive Director and Endowed Chair November 14, 2011
IS 302: Information Security and Trust Week 10: Access Control 2012.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CS426Fall 2010/Lecture 91 Computer Security CS 426 Lecture 9 Unix Access Control.
D ISCRETIONARY A CCESS C ONTROLS Truong Quynh Chi Faculty of Computer Science & Engineering HCMC University of Technology
G53SEC 1 Access Control principals, objects and their operations.
Li Xiong CS573 Data Privacy and Security Access Control.
1 Cloud Computing and Security Prof. Ravi Sandhu Executive Director and Endowed Chair April 19, © Ravi Sandhu.
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 14 October 5, 2004.
COEN 350: Network Security Authorization. Fundamental Mechanisms: Access Matrix Subjects Objects (Subjects can be objects, too.) Access Rights Example:
Access Control Lesson Introduction ●Understand the importance of access control ●Explore ways in which access control can be implemented ●Understand how.
Computer Security: Principles and Practice
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Database Security. Introduction to Database Security Issues (1) Threats to databases Loss of integrity Loss of availability Loss of confidentiality To.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
CSEN 1001 Computer and Network Security Amr El Mougy Mouaz ElAbsawi.
SECURITY Prepared By: Dr. Vipul Vekariya.. 2 S ECURITY Secure system will control, through use of specific futures, access to information that only properly.
Chapter 5 : DataBase Security Lecture #1-Week 8 Dr.Khalid Dr. Mohannad Information Security CIT460 Information Security Dr.Khalid Dr. Mohannad 1.
Identity and Access Management
Access Control Model SAM-5.
Access Control CSE 465 – Information Assurance Fall 2017 Adam Doupé
Chapter One: Mastering the Basics of Security
Symmetric Cryptography
Database Security and Authorization
Computer Data Security & Privacy
2. Access Control Matrix Introduction to Computer Security © 2004 Matt Bishop 9/21/2018.
Chapter 14: Protection.
Introduction and Basic Concepts
Cryptography Basics and Symmetric Cryptography
Authentication by Passwords
Role-Based Access Control (RBAC)
Executive Director and Endowed Chair
Chapter 14: Protection.
Challenge-Response Authentication
Asymmetric Cryptography
Discretionary Access Control (DAC)
Attribute-Based Access Control (ABAC)
Information Security CS 526 Topic 16
SECURITY IN THE LINUX OPERATING SYSTEM
Authentication and Authorization Federation
OS Access Control Mauricio Sifontes.
Protection and Security
Information Security CS 526 Topic 16
Executive Director and Endowed Chair
Protection and Security
Access Control.
Challenge-Response Authentication
CS703 - Advanced Operating Systems
Cyber Security Research: A Personal Perspective
Presentation transcript:

Discretionary Access Control (DAC) CS 5323 Discretionary Access Control (DAC) Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 2 ravi.utsa@gmail.com www.profsandhu.com © Ravi Sandhu World-Leading Research with Real-World Impact!

Authentication World-Leading Research with Real-World Impact! © Ravi Sandhu World-Leading Research with Real-World Impact!

Authentication, Authorization, Audit AAA Authentication Who are You? Authorization What are You Allowed to Do? Audit What Did You Do? © Ravi Sandhu World-Leading Research with Real-World Impact! 3

Authentication, Authorization, Audit AAA Authentication Who are You? Authorization What are You Allowed to Do? Audit What Did You Do? siloed integrated © Ravi Sandhu World-Leading Research with Real-World Impact! 4

Authentication Techniques Something you know password “secret” questions Something you have smartphone registered device Something you are fingerprint iris keyboard dynamics signature dynamics © Ravi Sandhu World-Leading Research with Real-World Impact! 5

Authentication Techniques Something you know password “secret” questions Something you have smartphone registered device Something you are fingerprint iris keyboard dynamics signature dynamics single factor multi factor © Ravi Sandhu World-Leading Research with Real-World Impact! 6

Phishing Personalized image to authenticate webserver to user © Ravi Sandhu World-Leading Research with Real-World Impact!

Phishing Man in the Middle Personalized image passed through © Ravi Sandhu World-Leading Research with Real-World Impact!

Passwords © Ravi Sandhu World-Leading Research with Real-World Impact!

Offline (Dictionary Attack) Password Attacks Password Attacks Online Lock out Throttling Offline (Dictionary Attack) Complex passwords Salting © Ravi Sandhu World-Leading Research with Real-World Impact! 10

Password Storage and Verification Password Verification User ID Plaintext Password User ID Stored Password Plaintext Password = ? User ID Stored Password Loss of stored passwords = Catastrophic failure © Ravi Sandhu World-Leading Research with Real-World Impact! 11

Password Storage and Verification Password Verification User ID Plaintext Password User ID Plaintext Password Hashing Process Hashing Process Computed Hash User ID Stored Hash = ? Loss of stored hashes = Attack by single dictionary User ID Stored Hash © Ravi Sandhu World-Leading Research with Real-World Impact! 12

Password Storage and Verification Password Verification User ID Random Salt Plaintext Password User ID Plaintext Password Hashing Process Hashing Process Computed Hash User ID Stored Salt Stored Hash = ? Loss of stored hashes = Attack by different dictionary for each salt value User ID Stored Salt Stored Hash © Ravi Sandhu World-Leading Research with Real-World Impact! 13

Access Matrix Model World-Leading Research with Real-World Impact! © Ravi Sandhu World-Leading Research with Real-World Impact!

Access Matrix Model Objects (and Subjects) F G r w S r U own u b j e c V rights © Ravi Sandhu World-Leading Research with Real-World Impact! 15

Access Matrix Model Basic Abstractions Subjects Objects Rights The rights in a cell specify the access of the subject (row) to the object (column) © Ravi Sandhu World-Leading Research with Real-World Impact! 16

Users and Subjects A subject is a program (application) executing on behalf of a user A user may at any time be idle, or have one or more subjects executing on its behalf User-subject distinction is important if subject’s rights are different from a user’s rights Usually a subset In many systems a subject has all the rights of a user A human user may manifest as multiple users (accounts, principals) in the system © Ravi Sandhu World-Leading Research with Real-World Impact! 17

Users and Subjects JOE.TOP-SECRET JOE.SECRET JOE JOE.CONFIDENTIAL JOE.UNCLASSIFIED USER SUBJECTS © Ravi Sandhu World-Leading Research with Real-World Impact! 18

Users and Subjects JANE.CHAIRPERSON JANE.FACULTY JANE JANE. EMPLOYEE JANE.SUPER-USER USER SUBJECTS © Ravi Sandhu World-Leading Research with Real-World Impact! 19

Objects An object is anything on which a subject can perform operations (mediated by rights) Usually objects are passive, for example: File Directory (or Folder) Memory segment with CRUD operations (create, read, update, delete) But, subjects can also be objects, with operations kill suspend resume © Ravi Sandhu World-Leading Research with Real-World Impact! 20

Access Matrix Model Objects (and Subjects) F W r w S parent U own u b © Ravi Sandhu World-Leading Research with Real-World Impact! 21

Implementation Access Control Lists Capabilities Relations © Ravi Sandhu World-Leading Research with Real-World Impact! 22

Access Control Lists F U:r U:w U:own G U:r V:r V:w V:own each column of the access matrix is stored with the object corresponding to that column © Ravi Sandhu World-Leading Research with Real-World Impact! 23

Capabilities U F/r, F/w, F/own, G/r V G/r, G/w, G/own each row of the access matrix is stored with the subject corresponding to that row © Ravi Sandhu World-Leading Research with Real-World Impact! 24

commonly used in relational database management systems Relations Subject Access Object U r F U w F U own F U r G V r G V w G V own G commonly used in relational database management systems © Ravi Sandhu World-Leading Research with Real-World Impact! 25

ACLs versus Capabilities Authentication ACL's require authentication of subjects and ACL integrity Capabilities require integrity and propagation control Access review ACL's are superior on a per-object basis Capabilities are superior on a per-subject basis Revocation Least privilege Capabilities provide for finer grained least privilege control with respect to subjects, especially dynamic short-lived subjects created for specific tasks © Ravi Sandhu World-Leading Research with Real-World Impact! 26

ACLs versus Capabilities Authentication ACL's require authentication of subjects and ACL integrity Capabilities require integrity and propagation control Access review ACL's are superior on a per-object basis Capabilities are superior on a per-subject basis Revocation Least privilege Capabilities provide for finer grained least privilege control with respect to subjects, especially dynamic short-lived subjects created for specific tasks Most Operating Systems use ACLs often in abbreviated form: owner, group, world © Ravi Sandhu World-Leading Research with Real-World Impact! 27

Content-Dependent Controls you can only see salaries less than 50K, or you can only see salaries of employees who report to you beyond the scope of Operating Systems and are provided by Database Management Systems © Ravi Sandhu World-Leading Research with Real-World Impact! 28

Context-Dependent Controls cannot access classified information via remote login salary information can be updated only at year end company's earnings report is confidential until announced at the stockholders meeting can be partially provided by the Operating System and partially by the Database Management System more sophisticated context dependent controls such as based on past history of accesses definitely require Database support © Ravi Sandhu World-Leading Research with Real-World Impact! 29

Trojan Horse Vulnerability of DAC Information from an object which can be read can be copied to any other object which can be written by a subject Suppose our users are trusted not to do this deliberately. It is still possible for Trojan Horses to copy information from one object to another. © Ravi Sandhu World-Leading Research with Real-World Impact! 30

Trojan Horse Vulnerability of DAC ACL File F A:r File G B:r A:w User B cannot read file F © Ravi Sandhu World-Leading Research with Real-World Impact! 31

Trojan Horse Vulnerability of DAC ACL User A executes File F A:r read Program Goodies Trojan Horse File G B:r A:w write User B can read contents of file F copied to file G © Ravi Sandhu World-Leading Research with Real-World Impact! 32

Copy Difference for rw Read of a digital copy is as good as read of original Write to a digital copy is not so useful © Ravi Sandhu World-Leading Research with Real-World Impact! 33

DAC Subtleties Chains of grants and revokes Inheritance of permissions Negative rights © Ravi Sandhu World-Leading Research with Real-World Impact! 34

HRU Model Harrison, M. A., Ruzzo, W. L., & Ullman, J. D. (1976). Protection in operating systems. Communications of the ACM, 19(8), 461-471. © Ravi Sandhu World-Leading Research with Real-World Impact! 35

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.