Access Control.

Presentation transcript:

Access Control

Access Control Example
Access Control Policy for son Edward
Allowed access: House
Disallowed access: Automobile
4/4/2019

Access Control Example
Access Control policy
Allowed access: House
Disallowed access: Automobile
Problem! Unauthorized access

Access Control Example
Access Control Policy for son Edward
Allowed access: House, Kitchen
Disallowed access: Automobile, Car key

Access Control Example
Correct Access Control Policy for son Edward
Allowed access: House, Kitchen
Disallowed access: Automobile, Car key

Access Control
Protection objects: system resources for which protection is desirable (memory, file, directory, hardware resource, software resources, etc.)
Subjects: active entities requesting accesses to resources (user, owner, program, etc.)
Access mode: type of access (read, write, execute)

Access Control Requirement
Cannot be bypassed
Enforce least-privilege and need-to-know restrictions
Enforce organizational policy

Access Control
Access control: ensures that all direct accesses to objects are authorized
Protects against accidental and malicious threats by regulating the reading, writing and execution of data and programs
Need:
Proper user identification and authentication
Information specifying the access rights is protected from modification

Access Control
Access control components:
Access control policy: specifies the authorized accesses of a system
Access control mechanism: implements and enforces the policy
Separation of components allows to:
Define access requirements independently from implementation
Compare different policies
Implement mechanisms that can enforce a wide range of policies

Closed vs. Open Systems
Closed system (minimum privilege): access request is checked against the allowed accesses. Exists rule? yes: access permitted; no: access denied.
Open system (maximum privilege): access request is checked against the disallowed accesses. Exists rule? no: access permitted; yes: access denied.

Authorization Management
Who can grant and revoke access rights?
Centralized administration: security officer
Decentralized administration: locally autonomous systems
Hierarchical decentralization: security officer > departmental system administrator > Windows NT administrator
Ownership based: owner of data may grant access to others to his/her data (possibly with grant option)
Cooperative authorization: predefined groups of users or predefined number of users may access data

Access Control Models
All accesses: Discretionary AC, Mandatory AC, Role-Based AC

Discretionary Access Control
Access control is based on the user's identity and access control rules
Most common administration: owner based
Users can protect what they own
Owner may grant access to others
Owner may define the type of access given to others

Access Matrix Model
Rows are subjects; columns are objects (and subjects)

SUBJECT   File 1             File 2
Joe       Read, Write, Own   Read
Sam                          Read, Write, Own

Implementation

Access Control List (ACL) (column)
File 1: Joe:Read, Joe:Write, Joe:Own
File 2: Joe:Read, Sam:Read, Sam:Write, Sam:Own

Capability List (row)
Joe: File 1/Read, File 1/Write, File 1/Own, File 2/Read
Sam: File 2/Read, File 2/Write, File 2/Own

Access Control Triples
Subject   Access   Object
Joe       Read     File 1
Joe       Write    File 1
Joe       Own      File 1
Joe       Read     File 2
Sam       Read     File 2
Sam       Write    File 2
Sam       Own      File 2
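The three implementations above hold the same information; only the index differs. The following added example (not part of the original slides; the function names are illustrative) derives the ACL and capability views from the slide's triples and shows which questions each view answers cheaply.

```python
from collections import defaultdict

# Access control triples exactly as listed on the slide: (subject, access, object).
TRIPLES = [
    ("Joe", "Read", "File 1"), ("Joe", "Write", "File 1"), ("Joe", "Own", "File 1"),
    ("Joe", "Read", "File 2"),
    ("Sam", "Read", "File 2"), ("Sam", "Write", "File 2"), ("Sam", "Own", "File 2"),
]

def build_acls(triples):
    """Column view of the matrix: object -> {subject: rights}."""
    acls = defaultdict(dict)
    for subject, right, obj in triples:
        acls[obj].setdefault(subject, set()).add(right)
    return dict(acls)

def build_capabilities(triples):
    """Row view of the matrix: subject -> {object: rights}."""
    caps = defaultdict(dict)
    for subject, right, obj in triples:
        caps[subject].setdefault(obj, set()).add(right)
    return dict(caps)

def permitted(acls, subject, right, obj):
    """Closed-system decision on the ACL: deny unless an entry grants the right."""
    return right in acls.get(obj, {}).get(subject, set())

def who_can_access(caps, obj):
    """Per-object review from capability lists: every subject's row is scanned."""
    return {s: row[obj] for s, row in caps.items() if obj in row}

def drop_subject(acls, subject):
    """Removing a subject from ACLs: every object's list has to be visited."""
    return {obj: {s: r for s, r in acl.items() if s != subject}
            for obj, acl in acls.items()}

if __name__ == "__main__":
    acls, caps = build_acls(TRIPLES), build_capabilities(TRIPLES)
    print("ACL for File 2:", acls["File 2"])
    print("Capabilities of Joe:", caps["Joe"])
    print("Sam may read File 1?", permitted(acls, "Sam", "Read", "File 1"))
    print("After removing Joe:", drop_subject(acls, "Joe"))
```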

ACL vs. Capabilities
ACL: per-object based; good for file systems
Capabilities: per-subject based; good for environments with dynamic, short-lived subjects

Access Control Conditions
Data-dependent conditions: access constraints based on the value of the accessed data
Time-dependent: access constraints based on the time of the data access
Context-dependent: access constraints based on combinations of data that can be accessed
History-dependent: access constraints based on previously accessed data

Access Control Mechanisms
Security through Views
Stored Procedures
Grant and Revoke
Query modification

Security Through Views
Assign rights to access predefined views

CREATE VIEW Outstanding-Student
AS SELECT NAME, COURSE, GRADE
FROM Student
WHERE GRADE > B

Problem: Difficult to maintain updates.

Security Through Views
Student relation

NAME    COURSE     GRADE   SEMESTER
White   CSCE 122   C+      Fall 2000
Black   CSCE 313   A
Brown   CSCE 580           Spring 2000
Green   CSCE 850   B+
Blue               B

Security Through Views

CREATE VIEW Outstanding-Student
AS SELECT NAME, COURSE, GRADE
FROM Student
WHERE GRADE > B

Outstanding-Student

NAME    COURSE     GRADE
Black   CSCE 313   A
Brown   CSCE 580
Green   CSCE 850   B+

Security Through Views

CREATE VIEW Fall-Student
AS SELECT NAME, COURSE
FROM Student
WHERE SEMESTER = 'Fall 2000'

Fall-Student

NAME    COURSE
White   CSCE 122
Black   CSCE 313
Green   CSCE 850
Blue

Stored Procedures
Assign rights to execute compiled programs

GRANT RUN ON <program> TO <user>

Problem: Programs may access resources for which the user who runs the program does not have permission.

Grant and Revoke

GRANT <privilege> ON <relation> TO <user> [WITH GRANT OPTION]

GRANT SELECT * ON Student TO Matthews
GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS
GRANT SELECT(NAME) ON Student TO Brown

GRANT command applies to base relations as well as views

Grant and Revoke

REVOKE <privileges> [ON <relation>] FROM <user>

REVOKE SELECT * ON Student FROM Blue
REVOKE UPDATE ON Student FROM Black
REVOKE SELECT(NAME) ON Student FROM Brown

Non-cascading Revoke
Grant graph before: A, B, C, D, E, F
A revokes D's privileges
Grant graph after: A, B, C, E, F

Cascading Revoke
Grant graph before: A, B, C, D, E, F
A revokes D's privileges
Grant graph after: A, B, C
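The two revoke semantics can be compared on a grant graph. This is an added example, not part of the original slides: the edges of the slide's graph did not survive, so the graph below is constructed (A grants to B, C and D; D grants to E and F), and the model ignores grant timestamps.

```python
from collections import deque

OWNER = "A"
# Constructed grant graph: each (grantor, grantee) pair is one
# GRANT ... WITH GRANT OPTION. The edges are an assumption, not slide data.
GRANTS = {("A", "B"), ("A", "C"), ("A", "D"), ("D", "E"), ("D", "F")}

def holders(grants, owner=OWNER):
    """Subjects whose privilege can be traced back to the owner."""
    seen, queue = {owner}, deque([owner])
    while queue:
        current = queue.popleft()
        for grantor, grantee in grants:
            if grantor == current and grantee not in seen:
                seen.add(grantee)
                queue.append(grantee)
    return seen

def revoke_cascading(grants, revoker, revokee, owner=OWNER):
    """Drop the grant, then drop every grant whose grantor lost all support."""
    remaining = set(grants) - {(revoker, revokee)}
    alive = holders(remaining, owner)
    return {(g, e) for g, e in remaining if g in alive}

def revoke_non_cascading(grants, revoker, revokee, owner=OWNER):
    """Drop the grant; grants made by the revokee are re-attached to the revoker."""
    remaining = set(grants) - {(revoker, revokee)}
    if revokee in holders(remaining, owner):
        return remaining  # revokee is still supported by another grantor
    return {(revoker if g == revokee else g, e)
            for g, e in remaining if e != revoker}

if __name__ == "__main__":
    print("before:       ", sorted(holders(GRANTS)))
    print("non-cascading:", sorted(holders(revoke_non_cascading(GRANTS, "A", "D"))))
    print("cascading:    ", sorted(holders(revoke_cascading(GRANTS, "A", "D"))))
```

With a second grantor for D, for example an extra edge from B to D, neither form of revoke by A removes D's privilege, which is why the cascading version recomputes reachability instead of deleting D's subtree.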

Positive and Negative Authorization
(Diagram: grant graph over B, C, D, E with positive (+) and negative (-) authorizations)
Problem: Contradictory authorizations

GRANT <privilege> ON X TO <user>
DENY <privilege> ON X TO <user>

Negative Authorization
(Diagram: grant graph over B, C, D, E with one positive (+) and two negative (-) authorizations)
Positive authorization granted by A to D becomes blocked but NOT deleted.

Negative Authorization
(Diagram: the same grant graph with a positive (+) authorization from D to F added)
What should happen with the privilege given by D to F? (Blocked but not deleted)

Query Modification

GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE = 'CSCE 590'

Blue's query:
SELECT * FROM Student

Modified query:
SELECT NAME FROM Student WHERE COURSE = 'CSCE 580'
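Query modification can be sketched as a small mediator in front of the database. This is an added example, not part of the original slides: the policy store, function names and complete table rows are assumptions, the course value follows the slide's modified query (CSCE 580), and SQLite stands in for the DBMS.

```python
import sqlite3

COLUMNS = ("NAME", "COURSE", "GRADE", "SEMESTER")
# Constructed rows: the slide's Student table lost cells in extraction.
ROWS = [
    ("White", "CSCE 122", "C+", "Fall 2000"),
    ("Black", "CSCE 313", "A", "Fall 2000"),
    ("Brown", "CSCE 580", "A", "Spring 2000"),
    ("Green", "CSCE 850", "B+", "Fall 2000"),
]
# Hypothetical policy store: user -> (allowed columns, predicate, bound values).
# Models GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE = 'CSCE 580'.
POLICY = {"Blue": (("NAME",), "COURSE = ?", ("CSCE 580",))}

def make_db():
    """In-memory copy of the Student relation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Student (NAME, COURSE, GRADE, SEMESTER)")
    conn.executemany("INSERT INTO Student VALUES (?, ?, ?, ?)", ROWS)
    return conn

def modify_query(user, requested=("*",), filters=None):
    """Rewrite a SELECT on Student so it cannot exceed the user's grant."""
    if user not in POLICY:  # closed system: no rule, no access
        raise PermissionError(f"{user} has no SELECT grant on Student")
    allowed, predicate, bound = POLICY[user]
    wanted = COLUMNS if tuple(requested) == ("*",) else tuple(requested)
    cols = [c for c in wanted if c in allowed]  # project onto granted columns
    if not cols:
        raise PermissionError("no requested column is covered by the grant")
    sql = f"SELECT {', '.join(cols)} FROM Student WHERE ({predicate})"
    args = list(bound)
    # User filters are structured (column -> value), never raw SQL, and may only
    # touch granted columns; a filter on GRADE would otherwise leak grades.
    for col, value in (filters or {}).items():
        if col not in allowed:
            raise PermissionError(f"filter on {col} is outside the grant")
        sql += f" AND {col} = ?"
        args.append(value)
    return sql, tuple(args)

def run_as(conn, user, requested=("*",), filters=None):
    """Execute the modified query instead of the query the user wrote."""
    sql, args = modify_query(user, requested, filters)
    return conn.execute(sql, args).fetchall()

if __name__ == "__main__":
    print(modify_query("Blue"))       # Blue's SELECT * after modification
    print(run_as(make_db(), "Blue"))
```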