Access control, Lecture notes of Cybercrime, Cybersecurity and Data Privacy

Access Control

Typology: Lecture notes

2014/2015

Uploaded on 09/25/2015

arenw3

Chapter 4

Access Control

Figure 4.1 Relationship Among Access Control and Other Security Functions

[Diagram labels: User, Authentication function, Authentication, Access control function, Access control, Authorization database, Security administrator, System resources, Auditing]

Access Control Policies

  • Role-based access control (RBAC)
    o Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles

  • Attribute-based access control (ABAC)
    o Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

  • Discretionary access control (DAC)
    o Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do

  • Mandatory access control (MAC)
    o Controls access based on comparing security labels with security clearances

Discretionary Access Control (DAC)

  • Scheme in which an entity may enable another entity to access some resource
  • Often provided using an access matrix
    o One dimension consists of identified subjects that may attempt data access to the resources
    o The other dimension lists the objects that may be accessed
  • Each entry in the matrix indicates the access rights of a particular subject for a particular object

(a) Access matrix

[Figure: subjects User A, User B, User C; objects File 1, File 2, File 3, File 4; each entry is a combination of Own, Read, Write]

Table 4. Authorization Table for Files in Figure 4.

Subject   Access Mode   Object
A         Own           File
A         Read          File
A         Write         File
A         Own           File
A         Read          File
A         Write         File
B         Read          File
B         Own           File
B         Read          File
B         Write         File
B         Write         File
B         Read          File
C         Read          File
C         Write         File
C         Read          File
C         Own           File
C         Read          File
C         Write         File

Figure 4.3 Extended Access Control Matrix

[Figure: subjects S1, S2, S3; objects are subjects (S1, S2, S3), files (F1, F2), processes (P1, P2) and disk drives (D1, D2); entries include control, owner, owner control, read, read *, write, write *, execute, wakeup, stop, seek, seek *; * = copy flag set]

Table 4. Access Control System Commands

Protection Domains

  • Set of objects together with access rights to those objects
  • More flexibility when associating capabilities with protection domains
  • In terms of the access matrix, a row defines a protection domain
  • User can spawn processes with a subset of the access rights of the user
  • Association between a process and a domain can be static or dynamic
  • In user mode certain areas of memory are protected from use and certain instructions may not be executed
  • In kernel mode privileged instructions may be executed and protected areas of memory may be accessed

UNIX File Access Control

  • Unique user identification number (user ID)
  • Member of a primary group identified by a group ID
  • Belongs to a specific group
  • 12 protection bits
    o Specify read, write, and execute permission for the owner of the file, members of the group and all other users
  • The owner ID, group ID, and protection bits are part of the file’s inode

(a) Traditional UNIX approach (minimal access control list)

Permission bits: rw- r-- --- (owner class, group class, other class)

ACL entries:
user::rw-
group::r--
other::---

Traditional UNIX File Access Control

  • “Set user ID” (SetUID)
  • “Set group ID” (SetGID)
    o System temporarily uses rights of the file owner/group in addition to the real user’s rights when making access control decisions
    o Enables privileged programs to access files/resources not generally accessible
  • Sticky bit
    o When applied to a directory it specifies that only the owner of any file in the directory can rename, move, or delete that file
  • Superuser
    o Is exempt from usual access control restrictions
    o Has system-wide access

Figure 4.5 UNIX File Access Control

(b) Extended access control list

Permission bits: rw- rw- --- (owner class, group class, other class)

ACL entries:
user::rw-
user:joe:rw-    (masked entry)
group::r--      (masked entry)
mask::rw-
other::---
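
The mask behaviour in Figure 4.5, as an added example that is not part of the lecture notes: Python code that evaluates POSIX-style ACL entries and derives the owner/group/other class bits from them. The owner alice, the owning group staff, the users bob and eve, and the tightened-mask variant TIGHT are constructed for illustration.

```python
# Added example: POSIX-style ACL evaluation over the entries shown in Figure 4.5.
# alice, staff, bob, eve and the TIGHT variant are constructed for illustration.

def parse_acl(text):
    """Parse whitespace-separated 'tag:qualifier:perms' entries."""
    acl = []
    for entry in text.split():
        tag, qualifier, perms = entry.split(":")
        acl.append((tag, qualifier, set(perms) - {"-"}))
    return acl

def lookup(acl, tag, qualifier=""):
    """Return the permission set of one entry, or None if it is absent."""
    return next((p for t, q, p in acl if t == tag and q == qualifier), None)

def class_bits(acl):
    """Owner/group/other string as ls -l shows it; the group class shows the mask."""
    mask = lookup(acl, "mask")
    group_class = mask if mask is not None else lookup(acl, "group")
    classes = (lookup(acl, "user"), group_class, lookup(acl, "other"))
    return " ".join("".join(c if c in p else "-" for c in "rwx") for p in classes)

def check_access(acl, user, groups, owner, owning_group, wanted):
    """True if `user`, a member of `groups`, is granted every right in `wanted`."""
    wanted = set(wanted)
    mask = lookup(acl, "mask")
    def limit(perms):                      # named and group entries are ANDed with the mask
        return perms if mask is None else perms & mask
    if user == owner:                      # the owner entry is never masked
        return wanted <= lookup(acl, "user")
    named = lookup(acl, "user", user)
    if named is not None:
        return wanted <= limit(named)
    matched = [p for t, q, p in acl
               if t == "group" and (q or owning_group) in groups]
    if matched:                            # one matching group entry must grant it all
        return any(wanted <= limit(p) for p in matched)
    return wanted <= lookup(acl, "other")

MINIMAL = parse_acl("user::rw- group::r-- other::---")                          # Figure 4.5(a)
EXTENDED = parse_acl("user::rw- user:joe:rw- group::r-- mask::rw- other::---")  # Figure 4.5(b)
TIGHT = parse_acl("user::rw- user:joe:rw- group::r-- mask::r-- other::---")     # constructed

if __name__ == "__main__":
    for name, acl in (("minimal", MINIMAL), ("extended", EXTENDED), ("tight", TIGHT)):
        joe_w = check_access(acl, "joe", {"users"}, "alice", "staff", "w")
        print(f"{name:9} {class_bits(acl)}  joe may write: {joe_w}")
```

With the tightened mask, joe's entry still reads rw- but write access is no longer granted, which is why the mask has to be read together with the named entries when auditing a file.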

Figure 4.6 Users, Roles, and Resources

[Diagram labels: Users, Roles (Role 1, Role 2, Role 3), Resources]