Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control.

Published byErik McGee Modified over 5 years ago

Similar presentations

Presentation on theme: "Access Control."— Presentation transcript:

1 Access Control

2 Access Control Example
Access Control Policy for son Edward Allowed access: House Disallowed access: Automobile 4/4/2019

3 Access Control Example
Access Control Policy for son Edward Allowed access: House Disallowed access: Automobile 4/4/2019

4  Access Control Example Access Control policy Allowed access:
House: Disallowed access: Automobile Problem! Unauthorized access 4/4/2019

5 Access Control Example
Access Control Policy for son Edward Allowed access: House Kitchen Disallowed access: Automobile Car key 4/4/2019

6  Access Control Example Correct Access Control Policy for son Edward
Allowed access: House Kitchen Disallowed access: Automobile Car key 4/4/2019

7 Access Control Protection objects: system resources for which protection is desirable Memory, file, directory, hardware resource, software resources, etc. Subjects: active entities requesting accesses to resources User, owner, program, etc. Access mode: type of access Read, write, execute 4/4/2019

8 Access Control Requirement
Cannot be bypassed Enforce least-privilege and need-to-know restrictions Enforce organizational policy 4/4/2019

9 Access Control Access control: ensures that all direct accesses to object are authorized Protects against accidental and malicious threats by regulating the reading, writing and execution of data and programs Need: Proper user identification and authentication Information specifying the access rights is protected form modification 4/4/2019

10 Access Control Access control components:
Access control policy: specifies the authorized accesses of a system Access control mechanism: implements and enforces the policy Separation of components allows to: Define access requirements independently from implementation Compare different policies Implement mechanisms that can enforce a wide range of policies 4/4/2019

11 Closed v.s. Open Systems Closed system Open System yes no no yes
(minimum privilege) (maximum privilege) Access requ. Access requ. Allowed accesses Disallowed accesses Exists Rule? Exists Rule? yes no no yes Access permitted Access denied Access permitted Access denied 4/4/2019

12 Authorization Management
Who can grant and revoke access rights? Centralized administration: security officer Decentralized administration: locally autonomous systems Hierarchical decentralization: security officer > departmental system administrator > Windows NT administrator Ownership based: owner of data may grant access to other to his/her data (possibly with grant option) Cooperative authorization: predefined groups of users or predefined number of users may access data 4/4/2019

13 Access Control Models All accesses Discretionary AC Mandatory AC
Role-Based AC 4/4/2019

14 Discretionary Access Control
Access control is based on User’s identity and Access control rules Most common administration: owner based Users can protect what they own Owner may grant access to others Owner may define the type of access given to others 4/4/2019

15 Access Matrix Model OBJECTS AND SUBJECTS File 1 File 2 S U B J E C T
Read Write Own Joe Sam 4/4/2019

16 Implementation Access Control List (column) (ACL)
File 1 File 2 Joe:Read Joe:Read Joe:Write Sam:Read Joe:Own Sam:Write Sam:Own Access Control List (column) (ACL) Capability List (row) Joe: File 1/Read, File 1/Write, File 1/Own, File 2/Read Sam: File 2/Read, File 2/Write, File 2/Own Subject Access Object Joe Read File 1 Joe Write File 1 Joe Own File 1 Joe Read File 2 Sam Read File 2 Sam Write File 2 Sam Own File 2 Access Control Triples 4/4/2019

17 ACL v.s. Capabilities ACL: Capabilities: Per object based
Good for file systems Capabilities: Per subject based Good for environment with dynamic, short-lived subjects 4/4/2019

18 Access Control Conditions
Data-dependent conditions: access constraints based on the value of the accessed data Time-dependent: access constraints based on the time of the data access Context-dependent: access constraints based on combinations on data which can be accessed History-dependent: access constraints based on previously accessed data 4/4/2019

19 Access Control Mechanisms
Security through Views Stored Procedures Grant and Revoke Query modification 4/4/2019

20 Security Through Views
Assign rights to access predefined views CREATE VIEW Outstanding-Student AS SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE > B Problem: Difficult to maintain updates. 4/4/2019

21 Security Through Views
Student relation NAME COURSE GRADE SEMESTER White CSCE 122 C+ Fall 2000 Black CSCE 313 A Brown CSCE 580 Spring 2000 Green CSCE 850 B+ Blue B 4/4/2019

22 Security Through Views
CREATE VIEW Outstanding-Student AS SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE > B Outstanding-Student NAME COURSE GRADE Black CSCE 313 A Brown CSCE 580 Green CSCE 850 B+ 4/4/2019

23 Security Through Views
CREATE VIEW Fall-Student AS SELECT NAME, COURSE FROM Student WHERE SEMESTER=“Fall 2000” NAME COURSE White CSCE 122 Black CSCE 313 Green CSCE 850 Blue Fall-Student 4/4/2019

24 Stored Procedures Assign rights to execute compiled programs
GRANT RUN ON <program> TO <user> Problem: Programs may access resources for which the user who runs the program does not have permission. 4/4/2019

25 Grant and Revoke GRANT <privilege> ON <relation>
To <user> [WITH GRANT OPTION] GRANT SELECT * ON Student TO Matthews GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS GRANT SELECT(NAME) ON Student TO Brown GRANT command applies to base relations as well as views 4/4/2019

26 Grant and Revoke REVOKE <privileges> [ON <relation>]
FROM <user> REVOKE SELECT* ON Student FROM Blue REVOKE UPDATE ON Student FROM Black REVOKE SELECT(NAME) ON Student FROM Brown 4/4/2019

27 Non-cascading Revoke A B C D E F A revokes D’s privileges E B A F C
4/4/2019

28 Cascading Revoke A B C D E F A revokes D’s privileges B A C 4/4/2019

29 Positive and Negative Authorization
B C E D + - Problem: Contradictory authorizations GRANT <privilege> ON X TO <user> DENY <privilege> ON X TO <user> 4/4/2019

30 Negative Authorization
B C E D + - - Positive authorization granted By A to D becomes blocked but NOT deleted. 4/4/2019

31 Negative Authorization
B C E D + - - + F What should happen with the privilege given by D To F? (Blocked but not deleted) 4/4/2019

32 Query Modification GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE=“CSCE 590” Blue’s query: SELECT * FROM Student Modified query: SELECT NAME WHERE COURSE=“CSCE 580” 4/4/2019

Download ppt "Access Control."

Similar presentations

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Access Control Methodologies

Access Control Methodologies
Some slides were taken from 463.5.1 Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security.

Some slides were taken from Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security.
Database Security - Farkas 1 Database Security and Privacy.

Database Security - Farkas 1 Database Security and Privacy.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.

Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.
Lecture 7 Access Control

Lecture 7 Access Control
Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.

Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
ORACLE LABEL SECURITY Evgeniya Kotzeva VEREO Technologies.

ORACLE LABEL SECURITY Evgeniya Kotzeva VEREO Technologies.
Switch off your Mobiles Phones or Change Profile to Silent Mode.

Switch off your Mobiles Phones or Change Profile to Silent Mode.
CSCE 548 Secure Software Development Weak Password-Based Systems Store and Protect Data Securely Information Leakage Failure to Handle Errors Correctly.

CSCE 548 Secure Software Development Weak Password-Based Systems Store and Protect Data Securely Information Leakage Failure to Handle Errors Correctly.
CSCE 201 Introduction to Information Security Fall 2010 Access Control.

CSCE 201 Introduction to Information Security Fall 2010 Access Control.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 4 – Access Control.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 4 – Access Control.

Similar presentations

Ads by Google