computer security: principles and practice,...

Access Control (Chapter 5)

Post on 21-May-2020


Page 1: Computer Security: Principles and Practice, 1/esecuresw.dankook.ac.kr/ISS19-2/2019_OS_Se_09_Access_Control.pdf · Learning Objectives After studying this chapter. You should be able

Access Control

(Chapter 5)

Page 2

Learning Objectives

After studying this chapter, you should be able to:

● Explain how access control fits into the broader context that includes authentication, authorization, and audit

● Define the three major categories of access control policies

● Distinguish among subjects, objects, and access rights

● Describe the UNIX file access control model

● Discuss the principal concepts of role-based access control


Page 3

Contents

Access Control Principles

Subjects, Objects, and Access rights

Discretionary Access Control (DAC)

Example: UNIX File Access Control

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

Case Study: RBAC System for a Bank


Page 4

Access Control Examples: Linux / Android / Windows

Page 5


524870, F’18

Authorization (permission mode) on Linux

Access Control: DAC (Discretionary Access Control)

Subject, Object, Access rights

Page 6


Android Permissions

Page 7


Access Control on Windows

Page 8


Topic: Access Control

• Users and groups

• Authentication

• Passwords

• File protection

• Access control lists

• Which users can read/write which files?

• Are my files really safe?

• What does it mean to be root?

• What do we really want to control?

Note: This access control section is taken from the textbook authors' slides.

Page 9

Access Control: Definition, Basic Elements, Requirements

Page 10

Access Control

Access Control (ITU-T Recommendation X.800 Definition)

● Its function is to control which (active) subjects have access to which (passive) objects, and with which specific access operations.

● “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.”

RFC 2828 defines computer security as:

● “Measures that implement and assure security services in a computer system, particularly those that assure access control service”.

Figure: subject → access operation → object

Page 11

Relationship Among Access Control and Other Security Functions

An access control system assumes that a user is authentic; thus, an authentication mechanism is needed as a front end to an access control system


Page 12

Access Control

Authentication and Access Control

Identification & Authentication

● Identification: username (UID), GID

● Authentication: password, fingerprint, iris

Access control = Authorization

● The selective restriction of access to a place or other resource

Authorization: the determination of whether a subject is allowed access to resources, based on an access control policy.

● Granting/denying permission(s) to access a resource

● After a person or process has successfully been identified and authenticated, it must then be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change).

● Authorization ensures that specific entities may perform specific operations on a secure object.

Page 13

Access Control

Access Control Overview

Access

● The flow of information between subject and object

Basic Elements of Access Control

☞ Subject: An active entity that requests access to an object or the data in an object

• person (user), group, program (process), computer

☞ Object (Resource): A passive entity that contains information

• file/directory/device, memory, IPC, …

☞ Access right (Operation): read, write, append, execute, …

Operation = Action = Access right = Permission

● The act of accessing may mean consuming, entering, or using

− read (view), write, execute (run), create, delete, change, copy

● In Unix/Linux, access control is specified with three operations:

− Read, Write, Execute as applied to a file or directory for an owner.
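Added example (not from the slides or the textbook): a Python model of the Unix owner/group/world check described above, where the subject's class is selected first and only that class's bits decide the outcome. The inode and subject values are constructed, and the root (uid 0) override is an assumption modelled on Linux CAP_DAC_OVERRIDE.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    mode: int  # permission bits, e.g. 0o640
    uid: int   # owning user
    gid: int   # owning group
@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset  # primary plus supplementary group ids

# (owner, group, world) bits for each of the three Unix access rights
RIGHT_BITS = {
    "read":    (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write":   (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}

def permission_class(subject, inode):
    """Select exactly one class: owner, else group, else world. There is no
    fall-through: an owner is judged by the owner bits even if the group or
    world bits would grant more."""
    if subject.uid == inode.uid:
        return 0
    if inode.gid in subject.gids:
        return 1
    return 2

def allowed(subject, inode, right):
    """True if subject may perform `right` on inode under the mode bits."""
    if right not in RIGHT_BITS:
        raise ValueError(f"unknown access right: {right}")
    if subject.uid == 0:
        # Assumed root behaviour (Linux CAP_DAC_OVERRIDE): read/write always pass,
        # execute still needs at least one x bit somewhere in the mode.
        if right != "execute":
            return True
        return bool(inode.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return bool(inode.mode & RIGHT_BITS[right][permission_class(subject, inode)])

def rights_for(subject, inode):
    """All access rights the subject holds on the inode."""
    return {r for r in RIGHT_BITS if allowed(subject, inode, r)}

# Constructed sample data (not real files): a shadow-like file, 0o640 root:shadow
# (gid 42), and a file whose owner bits are emptier than its group bits.
SHADOW = Inode(mode=0o640, uid=0, gid=42)
ODD = Inode(mode=0o060, uid=1000, gid=100)
ALICE = Subject(uid=1000, gids=frozenset({100, 42}))
BOB = Subject(uid=1001, gids=frozenset({1001}))
ROOT = Subject(uid=0, gids=frozenset({0}))
```

`rights_for(ALICE, ODD)` is empty even though the group bits are rw, which is the class-selection rule in action.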


Page 14

Access Control

Access Control Basic Elements

Subject

● Owner (user), group, world

● Program (process)

● System

● Virtual machine (App)

Object

● records, blocks, pages, segments, files, directories, documents, mailboxes, messages, programs

● devices, processors, communication ports, clocks, …

Access right

subject – entity capable of accessing objects

• concept equates with that of process

• typically held accountable for the actions they initiate

• often have three classes: owner, group, world

object – resource to which access is controlled

• entity used to contain and/or receive information

• protection depends on the environment in which access control operates

access right – describes the way in which a subject may access an object

• e.g. read, write, execute, delete, create, search

Page 15

Access Control

Motivation of Access Control

Why do we need access control?

Confidentiality: a user should be able to deny other users read access to his files

● No READ

Integrity: a user should be able to protect his files from modification or deletion by other users

● No WRITE

Help users to avoid unintentional change of important system files

Help users to avoid unintentional change of important personal files, e.g., photos

Page 16

Access Control Requirements

reliable input
• An authentication mechanism is needed as a front end to an access control system

support for fine and coarse specifications
• The level of files, records in files, and individual fields within records

least privilege

separation of duty
• The practice of dividing the steps in a system function among different individuals, so as to keep a single individual from subverting the process

open and closed policies
• In a closed policy, only accesses that are specifically authorized are allowed.

policy combinations and conflict resolution
• An access control mechanism may apply multiple policies to a given class of resource

administrative policies
• Are needed to specify who can add, delete, or modify authorization rules

dual control
• When a task requires two or more individuals working in tandem

Page 17

Access Control

Requirement: Least Privilege

A subject should be given only those privileges that it needs in order to complete its task

● Each program and user should operate with the bare minimum privileges necessary to function properly.

● A task should be accomplished with the absolute lowest level of privilege required

● A policy that limits users’ & processes’ access to only those resources necessary to perform their functions


Page 18

Access Control

Requirement: Least Privilege

This principle requires that processes should be confined to as small a protection domain as possible

● If this principle is enforced, the damage caused by the compromise of a particular application or user account is minimized.

Page 19

Access Control

Requirement: Least Privilege

It is the analogue of the “need-to-know” rule

● If the subject does not need access to an object to perform its task, it should not have the right to access that object

● If a subject needs to append to an object, but not to alter the information already contained in the object, it should be given append rights and not write rights

− Fine granularity of privileges and permissions is better

Page 20

Access Control

Requirement: Separation of duties

Segregation of duties

Security critical functionality must be performed by more than one user

Prevents fraud and errors

Sometimes difficult to achieve

● Example 1: designer/implementer should not be same as tester

● Example 2: Control of nuclear missile launch


Separation of Duties
• The crypto security officer is not allowed access to the encrypted data
• The data user is not allowed to create/manage keys

Dual Control
• Two or more crypto security officers are responsible for generating the encryption keys

Split knowledge
• No one person has the whole encryption key when it is in the clear

Page 21

Access Control

Requirement: Separation of Duty

Purpose is to ensure that a single point of compromise does not have significant impacts on the business.

● The risk is that if a single post is responsible for highly privileged actions and is not monitored or controlled, then compromise of that role could result in disastrous impacts to the organization.

● For example, malicious system or network admins managing the network could greatly disrupt or leak highly sensitive data if not controlled and monitored through controls.

Figure: Segregation of Duties for Cash Receipts

Custody: right of protection or management; guardianship

Page 22

Access Control

Requirement: Separation of Duty

If two or more steps are required to perform a critical function, at least two different people should perform the steps

Equivalent to separation of privilege

● A system should not grant permission based on a single condition

Example 1

● Company checks for more than $75,000 must be signed by two officers of the company

● If either does not sign, the check is not valid

● The two conditions are the signatures of both officers

On BSD, users are not allowed to change from their accounts to the root account unless two conditions are met:

● The 1st condition: the user knows the root password

● The 2nd condition: the user is in the wheel group (the group with GID 0)
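Added example (not from the slides): the two-signature rule for company checks and the BSD wheel-group/root-password rule above, modelled in Python so that no single condition ever grants the action on its own. The officer roster and threshold handling are constructed for illustration.

```python
from dataclasses import dataclass, field

DUAL_SIGNATURE_THRESHOLD = 75_000  # above this amount two officers must sign
WHEEL_GID = 0                      # the BSD wheel group from the slide

# Constructed roster of company officers entitled to sign checks.
OFFICERS = frozenset({"cfo", "treasurer", "controller"})

@dataclass
class Check:
    amount: int
    signatures: list = field(default_factory=list)  # signer ids in signing order

def sign(check, signer):
    """Record one officer's signature. Non-officers are refused, and a repeat
    signature by the same officer is ignored, so one person can never satisfy
    both conditions alone (separation of privilege)."""
    if signer not in OFFICERS:
        raise PermissionError(f"{signer} is not an officer")
    if signer not in check.signatures:
        check.signatures.append(signer)
    return check

def required_signatures(amount):
    """One officer suffices up to the threshold; above it, two must sign."""
    return 2 if amount > DUAL_SIGNATURE_THRESHOLD else 1

def is_valid(check):
    """The check is valid only when every required condition is present:
    enough distinct officers have signed it."""
    return len(set(check.signatures)) >= required_signatures(check.amount)

def may_become_root(user_gids, knows_root_password):
    """BSD su rule from the slide: both conditions must hold at once; knowing
    the password or being in wheel is never sufficient by itself."""
    return bool(knows_root_password) and WHEEL_GID in user_gids
```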


Page 23

Access Control

Requirement: Separation of Duty

Separation of duties (SoD) is the concept of having more than one person required to complete a task

Separation of duty has as its primary objective the prevention of fraud and errors.

● This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users.

● This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a check.


Page 24

Access Control Models

1. Discretionary AC: Access Matrix, ACLs, …

2. Mandatory AC: MLS, TE, …

3. Role-Based AC

Page 25

Access Control

Access Control Models: Three main types


Page 26

Summary

● Access control:

− prevents unauthorized users from gaining access to resources

− prevents legitimate users from accessing resources in an unauthorized manner

− enables legitimate users to access resources in an authorized manner

● Basic elements: subjects, objects, access rights

● Related functions: authentication, authorization, audit

● Discretionary access control (DAC) controls access based on user identity

● Mandatory access control (MAC) controls access based on security labels

● Role-based access control (RBAC) controls access based on roles

Page 27

Access Control = Authorization

• Mechanisms to accomplish Confidentiality

• Access Control

According to the textbook, mechanisms for confidentiality = Access control, Authentication, Encryption, Physical security