Access Control and Audit


1 Access Control and Audit
CS Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University

2 Section Overview
- OS Reference Model
- CPU protection
- Memory protection
- Resource access control
- Audits

3 References
- Security in Computing, 3rd Ed.
  - Chapter 4 (pgs )
- Online Resources
  - Role Based Access Control by Michael Lebkicher (SANS Reading Room)

4 Access Control Model
[Diagram: a Subject sends an access request to the OS Reference Monitor; when access is granted, the request reaches the Object.]

5 Hardware Components
- CPU
- Memory
- Bus
- I/O Device Controllers

6 Dual-Mode Operation
[Diagram: User and Supervisor modes, with transitions labeled Interrupt and Resume.]

7 Pentium Protection Rings
[Diagram: protection rings labeled Application Software, I/O Drivers and Operating System Kernel.]

8 Interrupt Handling
[Diagram: Memory holding the interrupt vector table (Interrupt Vector 0, ..., Interrupt Vector n-1, Interrupt Vector n) and Interrupt Handler n; a System Call made in User mode raises Trap n, which is handled in Supervisor mode.]

9 Interrupt Uses
- I/O Device Protection
  - Users cannot access devices directly
  - Must go through kernel
  - System calls
- CPU Protection
  - Exception Handling
  - Fair use (timer)

10 Fence Registers
[Diagram: Memory with the Operating System occupying addresses up to n and User Program Space starting at n+1; fence register value n+1.]
All memory requests by user programs must be for addresses n+1 or higher.

11 Base/Bound Registers
[Diagram: Memory with the Operating System up to address n, User A Program Space from n+1, User B Program Space from p+1 and User C Program Space from q+1; register values n+1 and p, one labeled Bound Register.]
Memory requests must fall between base and bound register addresses.

12 Segmentation
[Diagram: Program C's segments (Main, Seg_A, Sub, Data_Seg), a Segment Translation Table mapping each segment name to a memory address, and Memory holding segments of programs A, B and C at addresses a through h; example reference Fetch<Data_Seg, 20>.]

13 Paging
[Diagram: Program C divided into Page 0 through Page 5, a Translation Table, and Memory holding pages of several programs; example reference Fetch<3, 37>.]
Translation Table (Page: Addr): 0: b, 1: f, 2: i, 3: o, 4: c, 5: g
Can be combined with Segmentation
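Added example (not part of the original slides): a small model of the base/bound check from slide 11 and the Fetch<page, offset> translation from slide 13. The slides give addresses only as symbols, so every numeric address, the page size and the helper names here are assumptions.

```python
# Added illustration: base/bound checking and page translation.
# All numeric addresses and PAGE_SIZE are constructed; the slides use symbols only.

class ProtectionFault(Exception):
    """Stands in for the trap the hardware raises on an illegal reference."""

def check_base_bound(addr, base, bound):
    """Allow the reference only if base <= addr <= bound (slide 11)."""
    if not base <= addr <= bound:
        raise ProtectionFault(f"address {addr:#x} outside [{base:#x}, {bound:#x}]")
    return addr

# Constructed layout: OS below 0x1000, then users A, B and C back to back.
REGIONS = {"A": (0x1000, 0x1FFF), "B": (0x2000, 0x2FFF), "C": (0x3000, 0x3FFF)}

PAGE_SIZE = 0x400  # assumed page size
# Program C's table from slide 13 (pages 0-5 -> b, f, i, o, c, g), with the
# symbolic addresses replaced by constructed frame start addresses.
PAGE_TABLE_C = {0: 0x0400, 1: 0x1400, 2: 0x2000, 3: 0x3800, 4: 0x0800, 5: 0x1800}

def fetch(page_table, page, offset):
    """Translate Fetch<page, offset> to a physical address, or fault."""
    if page not in page_table:
        raise ProtectionFault(f"page {page} not in this program's table")
    if not 0 <= offset < PAGE_SIZE:
        raise ProtectionFault(f"offset {offset} outside the page")
    return page_table[page] + offset

def try_access(fn, *args):
    """Return the address on success or the string 'fault' on a violation."""
    try:
        return fn(*args)
    except ProtectionFault:
        return "fault"

if __name__ == "__main__":
    base, bound = REGIONS["B"]
    print(try_access(check_base_bound, 0x2345, base, bound))  # inside B's space
    print(try_access(check_base_bound, 0x1234, base, bound))  # A's space
    print(try_access(fetch, PAGE_TABLE_C, 3, 37))             # Fetch<3, 37>
    print(try_access(fetch, PAGE_TABLE_C, 6, 0))              # unmapped page
```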

14 MS File/Directory Attributes
- Read-Only
- Hidden
- System
- Archive

15 User Accounts
- UserID
- User’s Full Name
- Password
- Home Directory
- Groups
- System Interface?

16 Special Users
- Guest
- System Accounts
- Superuser / Administrator
  - Full Access to all system resources
  - Superuser Equivalency
- “Principle of Least Privilege”

17 UNIX Accounts
- Username
- Password
- UID
- GID
- GCOS
- Home Directory
- Default Shell
- Stored in /etc/passwd:
  sorr:VsjqYhTwQiJPw:126:10:Scott Orr:/home/sorr:/bin/csh
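Added example (not part of the original slides): a parser for the seven-field record shown on slide 17 that also flags the account risks the deck touches on, a password hash kept in the world-readable passwd file and non-root accounts with UID 0 (superuser equivalency). The function names and every sample line except the slide's own `sorr` entry are constructed.

```python
# Added illustration: parse passwd-format lines and flag risky entries.
FIELDS = ("username", "password", "uid", "gid", "gcos", "home", "shell")

def parse_passwd_line(line):
    """Split one /etc/passwd record into the seven fields listed on the slide."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
    return entry

def audit_entry(entry):
    """Return a list of findings for one parsed account."""
    findings = []
    pw = entry["password"]
    if pw == "":
        findings.append("empty password field")
    elif pw != "x" and not pw.startswith(("*", "!")):
        # /etc/passwd is world-readable, so a hash here is exposed to every user.
        # "x" means the hash lives in the shadow file; "*" or "!" marks a locked account.
        findings.append("password hash stored in passwd")
    if entry["uid"] == 0 and entry["username"] != "root":
        findings.append("UID 0 (superuser equivalent)")
    return findings

# Sample input: the sorr line is from slide 17, the others are constructed.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
sorr:VsjqYhTwQiJPw:126:10:Scott Orr:/home/sorr:/bin/csh
toor:x:0:0:constructed entry:/root:/bin/sh
guest::500:500:constructed entry:/home/guest:/bin/sh
"""

def audit(text):
    """Map username -> findings for every account that has at least one."""
    report = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            entry = parse_passwd_line(line)
            found = audit_entry(entry)
            if found:
                report[entry["username"]] = found
    return report

if __name__ == "__main__":
    for user, found in audit(SAMPLE).items():
        print(user, found)
```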

18 Microsoft Security Identifiers
- Created for every user, group, and machine
- Never reused
- S D1-D2-D3-RID
  - S : Standard prefix for NT
  - D1-D2-D3: Local or domain identifier
  - RID (Relative ID): Unique part of SID

19 File/Directory Permissions
- Read
- Create
- Write
- Append
- Delete
- Execute
- Search
- Ownership
- Access Control
- Permissions on newly created files/directories?

20 Access Control Matrix
Columns: File-1, File-2, Dir-1, Printer-1
- alice: Read, Write | Execute | Search | Write
- bob: Read | Read, Search
- scott:

21 Object Access Control Lists
File-1 (User: Access)
- alice: Read, Write
- bob: Read
- scott:

22 Group Access
- Users requiring same access to object
- Simplifies adding/removing of access
  - Adding/Removing users
  - Adding/removing permissions to object
- Multiple group membership interaction
  - Union
  - Intersection
  - Deny permissions
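Added example (not part of the original slides): the matrix from slide 20 as a data structure, the File-1 ACL from slide 21 derived as one column of it, and the union, intersection and deny interactions from slide 22. The placement of bob's second cell under Dir-1, the group names and memberships, and the rule that an explicit deny overrides any allow are assumptions of this example.

```python
# Added illustration: access control matrix, per-object ACLs and group resolution.
MATRIX = {  # subject -> object -> rights (slide 20; bob's Dir-1 cell is assumed)
    "alice": {"File-1": {"read", "write"}, "File-2": {"execute"},
              "Dir-1": {"search"}, "Printer-1": {"write"}},
    "bob": {"File-1": {"read"}, "Dir-1": {"read", "search"}},
    "scott": {},
}

def acl_for(matrix, obj):
    """An object's ACL is its column of the matrix, minus empty cells."""
    return {s: set(row[obj]) for s, row in matrix.items() if row.get(obj)}

def reference_monitor(matrix, subject, obj, right):
    """Grant only if the matrix cell lists the right; the default is deny."""
    return right in matrix.get(subject, {}).get(obj, set())

# Constructed group data for a single object (group names are hypothetical).
MEMBERS = {"staff": {"alice", "bob"}, "auditors": {"alice"}, "interns": {"bob"}}
GROUP_ACL = {
    "staff": {"allow": {"read", "search", "write"}, "deny": set()},
    "auditors": {"allow": {"read", "search"}, "deny": set()},
    "interns": {"allow": {"read"}, "deny": {"write"}},
}

def effective_rights(user, mode="union"):
    """Combine a user's group entries; an explicit deny wins (assumed policy)."""
    entries = [GROUP_ACL[g] for g, users in MEMBERS.items() if user in users]
    if not entries:
        return set()  # no group membership means no access
    allows = [e["allow"] for e in entries]
    combined = set.union(*allows) if mode == "union" else set.intersection(*allows)
    denied = set().union(*(e["deny"] for e in entries))
    return combined - denied

if __name__ == "__main__":
    print(acl_for(MATRIX, "File-1"))
    print(reference_monitor(MATRIX, "scott", "File-1", "read"))
    for user in ("alice", "bob", "scott"):
        print(user, sorted(effective_rights(user)),
              sorted(effective_rights(user, "intersection")))
```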

23 Superuser processes have full system access!!!
- Programs which are running
- Inherits access rights from parent
- Restricting User processes
  - Priority based
  - Process size
  - Number of concurrent user processes

24 Permissions and Paths
- Must have execute permissions to run
- Running Programs
  - Absolute location
  - Shortcuts
  - PATH environment variable
    - Lists directories to search for programs
    - Order important
- Having the current directory in your path may be hazardous to your health!!!

25 Who Controls Access?
- Discretionary Access Control (DAC)
  - Object owner decides
  - Does not require administrator assistance
- Mandatory Access Control (MAC)
  - Administration decides
  - Multi-level Security Requirements
- Role-Based Access Control (RBAC)
  - Based on “role” within an organization
  - Transaction based
  - Least privilege based

26 UNIX SUID/SGID Programs
- Permits controlled access to restricted resources
- SetUID (SUID) – Runs with access permissions of program owner
- SetGID (SGID) – Runs with access permissions of default group owner
- Root SUID/SGID programs often the target of Buffer-Overflow Attacks

27 Using Administrative accounts
- Principle of Least Privilege
- Selective use of administrative access
  - UNIX su “switch user” command
  - Microsoft “Run As” command
  - All attempts logged
- UNIX sudo command
  - Grant specific users root access to programs
  - No need to share root password
- Remember to avoid ‘.’ in root’s path!!!
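Added example (not part of the original slides): a check for the PATH hazards named on slides 24 and 27, covering `.` and empty components (an empty component is also searched as the current directory), relative directories, and directories any user can write to. The function names are this example's own, and flagging world-writable directories goes one step beyond the slides' warning about `.`.

```python
# Added illustration: audit a PATH value before using it for an administrative shell.
import os
import stat

def audit_path(path_value):
    """Return (position, entry, reason) for each hazardous PATH component."""
    findings = []
    for pos, entry in enumerate(path_value.split(":")):
        if entry in ("", "."):
            # Commands would be looked up in whatever directory the user is in.
            findings.append((pos, entry, "current directory"))
        elif not os.path.isabs(entry):
            findings.append((pos, entry, "relative directory"))
        else:
            try:
                mode = os.stat(entry).st_mode
            except OSError:
                continue  # nonexistent entries are not assessed here
            if mode & stat.S_IWOTH:
                # Any local user could place a program in this directory.
                findings.append((pos, entry, "world-writable directory"))
    return findings

def safe_path(path_value):
    """Drop every flagged component, keeping the order of the rest."""
    flagged = {pos for pos, _, _ in audit_path(path_value)}
    parts = path_value.split(":")
    return ":".join(e for i, e in enumerate(parts) if i not in flagged)

if __name__ == "__main__":
    current = os.environ.get("PATH", "")
    for pos, entry, reason in audit_path(current):
        print(f"component {pos} ({entry!r}): {reason}")
    print("cleaned PATH:", safe_path(current))
```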

28 Active Audits
- Monitor what is happening currently
  - Memory/CPU Usage
  - System Load
  - Free memory/swap
  - Time since last reboot
  - Disk Space Usage
  - Current Users

29 Historical Records
- Events logged into files
  - Login/Logout Access
  - Programs run
  - Software/Hardware Errors
  - Resource Usage
  - Application logs
- Log reduction?
- Log integrity and centralization

30 How long to keep logs?
- Don’t log at all
- Reset the logs periodically
- Rotate Logs periodically
- Permanently archive log data
  - File compression tools
  - Tape
  - CDROM/DVD

