WEEK 13-14 Access Control and Privilege Management

Upload: robert-chandler

Post on 28-Dec-2015



Access Control

• Once a client and a server have established a secure channel, the client can issue requests to the server

• Requests can only be carried out if the client has sufficient access rights

• The verification of access rights is access control, and the granting of access rights is authorization

– These two terms are often used interchangeably

What is Access Control?

• The ability to allow only authorized users, programs or processes access to a system or resource

• The granting or denying, according to a particular security model, of certain permissions to access a resource

• An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.

• Access control is the heart of security

Examples of Access Control

• Social Networks: In most social networks, such as Facebook and MySpace, some of your personal information can only be accessed by yourself, some can be accessed by your friends, and some can be accessed by everybody.

– The part of the system that implements this kind of control is doing access control.

• Web Browsers: When you browse a web site and run JavaScript code from that web site, the browser has to control what such JavaScript code can access, and what it cannot access.

– For example, code from one web site cannot access the cookies from another web site, and it cannot modify the contents from another web site either.

– These controls are conducted by the browser’s access control.

Examples of Access Control

• Operating Systems: In an operating system, one user cannot arbitrarily access another user’s files; a normal user cannot kill another user’s processes.

– These are done by operating system access control.

• Memory Protection: In the Intel 80x86 architecture, code in one region (for example, in Ring 3) cannot access the data in another, more privileged region (e.g. Ring 0).

– This is done by the access control implemented in the CPU (e.g. 80386 Protection Mode).

• Firewalls: Firewalls inspect every incoming (sometimes outgoing) packet; if a packet matches certain conditions, it will be dropped by the firewall, preventing it from accessing the protected networks.

– This is also access control.

The Basic Model for Access Control

• This model is generally used to help understand the various issues involved in access control

• The subject issues requests to access the object, and protection is enforced by a reference monitor that knows which subjects are allowed to issue which requests

Identification & Authentication

• Identification is nothing more than claiming you are somebody.

• In the information security world, this is analogous to entering a username.

• Authentication is how one proves that they are who they say they are.

• Most systems use a password for this, which is based on “something you know”, i.e. a secret between you and the system.

Identification & Authentication Techniques

• The practical value of any identification/authentication scheme, however, generally exists in one of three states:

– certain and unambiguous (deterministic)

– certain based on a low probability of error (probabilistic)

– uncertain and ambiguous and therefore (for all practical purposes) false.

Biometric Identification

• Biometric identification is a sophisticated variation on a token-based, single-factor security scheme.

• In this case, the token is some physical attribute of the person—fingerprint, iris, retina, face, vein pattern, etc.

• Biometric identification systems typically follow three high-level processing steps.

• First, the system must acquire an image of the attribute through an appropriate scanning technique.

• Once the scanned content is acquired, it must be localized for processing purposes.

• During this step, extraneous informational content is discarded and minutiae are isolated and turned into a template, a sort of internal canonical form for matching attributes stored in a database.

• Minutiae are the uniquely differentiating characteristics of the biometric attribute.

• Whorls and loops and their relationship to one another on a fingerprint are an example of the minutiae that might be extracted.

• Finally, templates stored in the database are searched for a match with the one just presented.

• If a match is found, the identification is a success and the succeeding steps of the security process can begin.


Biometric Authentication

• Biometric authentication virtually eliminates the risk of anonymity in a two-factor security scenario by using a physical attribute of the person to authenticate a token.

• The process is similar to biometric identification.

• First, the requestor presents a token to assert identity.

• For example, an ATM or credit card is inserted into a reader.

• (A number encoded on the card is actually the token; the card is more like a container for the token, but treating the card as a token is appropriate.)


• As with identification, the system must acquire an image of the personal attribute.

• Second, the attribute must be localized, minutiae extracted, and a matching template created.

• Finally, the value of the token is used to look up the template previously stored for this individual.

• If it matches the template presented on this occasion, the requestor is authenticated.


Limitations of Biometric Ident/Auth

• Whether biometric technology is used for identification or authentication, its main limitation is that it uses probabilistic techniques for matching.

• This means that every case includes some margin for error.

• In daily practice, false rejections are considered more acceptable than false acceptance.
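The trade-off behind the last two bullets, as an added example that is not part of the slides: a matcher accepts a presentation when its similarity score clears a threshold, so the threshold sets both error rates, and on the constructed scores below no threshold is free of both. The score lists and the 0.01 threshold grid are assumptions made for the illustration.

```python
# Added example (not from the slides): a biometric matcher decides by comparing
# a similarity score with a threshold, so every threshold trades false rejections
# (genuine user refused) against false acceptances (impostor admitted).
# Constructed match scores in [0, 1] between a presented template and the
# stored one; GENUINE are the enrolled person, IMPOSTOR are other people.
GENUINE = [0.91, 0.87, 0.78, 0.66, 0.95, 0.83, 0.72, 0.59]
IMPOSTOR = [0.21, 0.35, 0.48, 0.62, 0.30, 0.41, 0.55, 0.27]
CANDIDATES = [i / 100 for i in range(101)]   # thresholds 0.00 .. 1.00


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR): a presentation is accepted when score >= threshold."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def error_free_threshold_exists(candidates=CANDIDATES):
    """The 'margin for error' from the slides: is there any threshold with
    neither false rejections nor false acceptances on these scores?"""
    return any(rates(t) == (0.0, 0.0) for t in candidates)


def choose_threshold(max_far, candidates=CANDIDATES):
    """Security-first choice: the lowest threshold whose FAR does not exceed
    max_far, accepting the extra false rejections that come with it."""
    for t in candidates:
        if rates(t)[1] <= max_far:
            return t
    return 1.0
```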

Access Control Matrix

• The access control matrix is a matrix with each subject represented by a row, and each object represented by a column

• The entry M[s, o] lists the operations that subject s may carry out on object o

• Is this matrix a good way to represent access rights?

• Of course, we don’t really want to implement it as a matrix in any system of reasonable size, because there would be a whole lot of wasted space…

Access Control Matrix

• There are two main approaches that are used instead of an actual matrix:

– Each object can maintain a list, the access control list, of the access rights of subjects that want to access that object. This effectively distributes the matrix column-wise, leaving out empty entries.

– Each subject can maintain a list of capabilities for objects. This effectively distributes the matrix row-wise, leaving out empty entries.

• Of course, capabilities can’t be totally maintained by the subjects; they must be given to the subjects by some other trusted entity (like the reference monitor).
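The two distributions of the matrix described above, as an added example that is not from the slides: the same sparse matrix is split column-wise into per-object ACLs and row-wise into per-subject capability lists, and a reference monitor that consults either one reaches the same decision. The subjects, objects and rights are constructed sample data.

```python
# Added example (not from the slides). One access control matrix and the two
# distributions the slides describe: per-object ACLs (matrix columns) and
# per-subject capability lists (matrix rows). Empty cells are never stored.
SUBJECTS = ["alice", "bob", "carol"]            # constructed sample subjects
OBJECTS = ["payroll.db", "report.doc"]          # constructed sample objects
OPS = ("read", "write")

# M[s, o] -> operations subject s may carry out on object o (sparse: only
# non-empty cells are listed, exactly the cells ACLs/capabilities keep).
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.doc"): {"read"},
    ("bob", "report.doc"): {"read", "write"},
    ("carol", "payroll.db"): {"read"},
}

def to_acls(matrix):
    """Column-wise distribution: object -> {subject: ops}."""
    acls = {}
    for (s, o), ops in matrix.items():
        if ops:
            acls.setdefault(o, {})[s] = set(ops)
    return acls

def to_capabilities(matrix):
    """Row-wise distribution: subject -> {object: ops}."""
    caps = {}
    for (s, o), ops in matrix.items():
        if ops:
            caps.setdefault(s, {})[o] = set(ops)
    return caps

def acl_check(acls, subject, obj, op):
    """Reference monitor consulting the object's ACL; absent entry means deny."""
    return op in acls.get(obj, {}).get(subject, set())

def cap_check(caps, subject, obj, op):
    """Reference monitor consulting the subject's capabilities; absent means deny."""
    return op in caps.get(subject, {}).get(obj, set())

def representations_agree(matrix):
    """Both distributions must yield the same decision for every (s, o, op)."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    return all(acl_check(acls, s, o, op) == cap_check(caps, s, o, op)
               for s in SUBJECTS for o in OBJECTS for op in OPS)
```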

Access Control Lists vs. Capabilities

[Diagram: the access matrix shown alongside its access control list (column-wise) and capability list (row-wise) representations]

Protection Domains

• ACLs and capabilities help to efficiently implement the access control matrix, but can still become quite cumbersome

• A protection domain is a set of (object, access rights) pairs, where each pair specifies for a given object exactly what operations can be carried out

• By associating a protection domain with each request, we can cut down on redundant information in access control lists

Protection Domains

• One approach to using protection domains is to construct groups of users

• Another approach is to use roles instead of groups

– Roles: head of a department, manager of a project, member of a personnel search committee

Handling Access Control

• Three methods for handling access control:

– MAC: Mandatory Access Control

– DAC: Discretionary Access Control

– RBAC: Role-based Access Control

MAC: Mandatory Access Control

• Definition: A system-wide policy decrees who is allowed to have access; individual user cannot alter that access.

• Relies on the system to control access.

• Example: The law allows a court to access driving records without the owners’ permission.

• Traditional MAC mechanisms have been tightly coupled to a few security models.

• Recently, systems supporting flexible security models have started to appear (e.g., SELinux, Trusted Solaris, TrustedBSD, etc.)

DAC: Discretionary Access Control

• Definition: An individual user can set an access control mechanism to allow or deny access to an object.

• Relies on the object owner to control access.

• DAC is widely implemented in most operating systems, and we are quite familiar with it.

• Strength of DAC:

– Flexibility: a key reason why it is widely known and implemented in mainstream operating systems.

RBAC: Role-based Access Control

• Definition: Controls access based on roles that users have within the system and on rules stating what accesses are allowed to users in given roles.

• RBAC models define a role as a job function within an organization.

• RBAC systems assign access rights to roles instead of individual users.

• Users are assigned to different roles according to their responsibilities.


• RBAC is scalable provided that your organizational policy is strong and well documented.

• Individual administration of accounts is greatly reduced, if not eliminated.

• RBAC supports a hierarchical design, allowing rights to flow down the tree and rights to be constrained.
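A small hierarchical RBAC check, as an added example that is not from the slides: rights flow from junior to senior roles through inheritance, access is decided by role rather than per user, and a constraint (two roles no one may hold together) is enforced against the user's effective roles so that inheritance cannot bypass it. The roles, permissions, users and exclusion rule are constructed for illustration.

```python
# Added example (not from the slides): hierarchical RBAC with a constraint.
# Roles, permissions, users and the exclusion rule are constructed for
# illustration; they are not from any real product or the course.
ROLE_PERMS = {                      # role -> permissions assigned to that role
    "employee": {"timesheet:submit"},
    "project_manager": {"project:approve_budget"},
    "department_head": {"department:approve_hire"},
    "auditor": {"project:audit"},
}
INHERITS = {                        # senior role -> junior roles it absorbs,
    "project_manager": {"employee"},        # so rights flow down the tree
    "department_head": {"project_manager"},
}
# constraint: no single user may hold both roles (even via inheritance)
EXCLUSIVE = [{"project_manager", "auditor"}]
USER_ROLES = {"alice": {"department_head"}, "bob": {"employee"}}

def effective_roles(role, inherits=INHERITS):
    """A role plus every role it inherits from, transitively."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(inherits.get(r, ()))
    return seen

def permissions_of(user, user_roles=USER_ROLES):
    """Union of the permissions of all roles the user holds, directly or inherited."""
    perms = set()
    for role in user_roles.get(user, ()):
        for r in effective_roles(role):
            perms |= ROLE_PERMS.get(r, set())
    return perms

def is_allowed(user, permission, user_roles=USER_ROLES):
    """Access is decided by the user's roles, never per user."""
    return permission in permissions_of(user, user_roles)

def assign_role(user, role, user_roles=USER_ROLES):
    """Add a role unless it would violate an exclusion constraint; the check
    uses effective roles so inheritance cannot bypass it."""
    held = set().union(*(effective_roles(r) for r in user_roles.get(user, set())))
    held |= effective_roles(role)
    if any(pair <= held for pair in EXCLUSIVE):
        return False
    user_roles.setdefault(user, set()).add(role)
    return True
```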


• Where RBAC can create headaches is during an implementation where the organizational policy is poorly documented or not adhered to.

• Adding additional unnecessary roles because of a poor organizational policy will increase the administrative workload and over time can increase the administrator to end-user ratio to resemble more of a DAC implementation.