Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Intro, DAC and MAC System Security.

Published byChester Francis Modified over 9 years ago

Similar presentations

Presentation on theme: "Access Control Intro, DAC and MAC System Security."— Presentation transcript:

1 Access Control Intro, DAC and MAC System Security

2 It is concerned with regulating how entities use resources in a system It consists of two main phases: Authentication: uniquely identifying entities Authorisation: assigning access rights to entities

3 Authentication Phase It is only concerned with identifying an entity against a known set Assigning a unique identifier to the entity (i.e., user name) Using a secret (supposedly) known only to the specific entity Alternatively, using a unique feature that characterizes the entity

4 Authorisation Phase Known also as Access Control “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner” It assumes users have been authenticated to the system assigned access rights to certain resources on the system (for instance, by an admin)

5 Access Control Requirements Reliable Input Authenticated entities Genuine information Least Privilege Entities granted minimum set of access rights Administrative Duties Only a special entity should be able to manage access rights for other entities

6 Access Control Refinements Separation of Duty Fine Vs. Coarse Specifications Open and Closed policies (Automated) Conflict Resolution

7 Access Control Elements Subject - entity that can access objects a process representing user/application Object - access controlled resource e.g. files, directories, records, programs etc Access right - way in which subject accesses an object e.g. read, write, execute, delete, create, search

8 Security Modules

9 Access Control Models Discretionary AC (DAC) Mandatory AC (MAC) Role-based AC (RBAC) Usage Control (UCON) Policy-based Access Control

10 Discretionary Access Control A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to any other subject Subjects are able to assign rights to other subjects on the objects they control Model used in operating systems and DB management systems Often provided using an access matrix

11 Access Control Matrix

12 Access Control List

13 Capability List Capability Myths Demolished: http://srl.cs.jhu.edu/pubs/SRL2003-02.pdfhttp://srl.cs.jhu.edu/pubs/SRL2003-02.pdf

14 Access Matrix Details

15 UNIX Access Control Lists Modern UNIX systems support ACLs Can specify any number of additional users / groups and associated rwx permissions ACLs are optional extensions to std perms

16 Mandatory Access Control Entities cannot enable other entities to access their resources It enforces a lattice between labels assigned to subjects and object security labels: how sensitive or critical a system resource is security clearances: which entities are eligible to access certain resources

17 MAC: The Bell-LaPadula Model The main goal is to control the confidentiality of information

18 MAC Confidentiality Rules Simple Security Property: No Read-Up Read

19 MAC Confidentiality Rules *(Star)property: No Write-Down Write

20 MAC Confidentiality Rules Strong *(Star)-property: No Write-Down & No Write-up Write

21 MAC: Biba Integrity Model The main goal is to control the integrity of information

22 MAC Integrity Rules Simple Integrity Axiom: No Read Down Read

23 MAC Integrity Rules *(Star)-Integrity Axiom: No Write Up Write

24 Where is MAC used BLP: Implemented the multi-level security policy for US Department of Defense BIBA: Implemented in the FreeBSD MAC policy A combined versions of BLP and BIBA is used in Android

25 Summary Introduced access control principles subjects, objects, access rights Discretionary Access Control access matrix, access control lists (ACLs), capability tickets UNIX traditional and ACL mechanisms Mandatory Access Control Bell-Lapadula Biba

26 Resources Chapter 8 in Mark Stamp, Information Security: Principles and Practice, Wiley 2011. Matt Bishop, Computer Security: Art and Science, Addison- Wesley 2003.

27 Questions?

Download ppt "Access Control Intro, DAC and MAC System Security."

Similar presentations

Access Control CS461/ECE422 Fall 2011. Reading Material Chapter 4 through section 4.5 Chapters 23 and 24 – For the access control aspects of Unix and.

Access Control CS461/ECE422 Fall Reading Material Chapter 4 through section 4.5 Chapters 23 and 24 – For the access control aspects of Unix and.
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Operating System Security

Operating System Security
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Jan. 2014Dr. Yangjun Chen ACS-49021 Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )

Jan. 2014Dr. Yangjun Chen ACS Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.

RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Access Control Patterns Fatemeh Imani Mehr Amirkabir university of technology, Department of Computer Engineering & Information Technology.

Access Control Patterns Fatemeh Imani Mehr Amirkabir university of technology, Department of Computer Engineering & Information Technology.
Database Security - Farkas 1 Database Security and Privacy.

Database Security - Farkas 1 Database Security and Privacy.
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
Security Fall 2009McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2009McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Security Fall 2006McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2006McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Verifiable Security Goals

Verifiable Security Goals
Sicurezza Informatica Prof. Stefano Bistarelli

Sicurezza Informatica Prof. Stefano Bistarelli
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.
User Domain Policies.

User Domain Policies.
2  A system can protect itself in two ways: It can limit who can access the system. This requires the system to implement a two-step process of identification.

2  A system can protect itself in two ways: It can limit who can access the system. This requires the system to implement a two-step process of identification.
Lecture 7 Access Control

Lecture 7 Access Control

Similar presentations

Ads by Google