• No results found

ch04.ppt

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "ch04.ppt"

Copied!
21
0
0

Loading.... (view fulltext now)

Download now ( 21 Page )

Full text

(1)

Computer Security:

Computer Security:

Principles and Practice

Principles and Practice

First Edition First Edition

by William Stallings and Lawrie Brown by William Stallings and Lawrie Brown

Chapter 4 –

(2)

Access Control

Access Control

The prevention of unauthorized use of a

The prevention of unauthorized use of a

resource, including the prevention of use

resource, including the prevention of use

of a resource in an unauthorized manner“

of a resource in an unauthorized manner“

central element of computer security

central element of computer security

assume have users and groups

assume have users and groups

 authenticate to systemauthenticate to system

 assigned access rights to certain resources assigned access rights to certain resources

(3)

Access Control Principles

(4)

Access Control Policies

(5)

Access Control Requirements

Access Control Requirements

reliable input

reliable input

fine and coarse specifications

fine and coarse specifications

least privilege

least privilege

separation of duty

separation of duty

open and closed policies

open and closed policies

(6)

Access Control Elements

Access Control Elements

subject - entity that can access objects

subject - entity that can access objects

 a process representing user/applicationa process representing user/application  often have 3 classes: owner, group, worldoften have 3 classes: owner, group, world

object - access controlled resource

object - access controlled resource

 e.g. files, directories, records, programs etce.g. files, directories, records, programs etc  number/type depend on environmentnumber/type depend on environment

access right - way in which subject

access right - way in which subject

accesses an object

accesses an object

(7)

Discretionary

Discretionary

Access Control

Access Control

often provided using an access matrix

often provided using an access matrix

 lists subjects in one dimension (rows)lists subjects in one dimension (rows)

 lists objects in the other dimension (columns)lists objects in the other dimension (columns)  each entry specifies access rights of the each entry specifies access rights of the

specified subject to that object specified subject to that object

access matrix is often sparse

access matrix is often sparse

(8)

Access Control Structures

(9)

Access Control Model

(10)

Access

Access

Control

Control

Function

(11)

Protection Domains

Protection Domains

set of objects with associated access rights

set of objects with associated access rights

in access matrix view, each row defines a

in access matrix view, each row defines a

protection domain

protection domain

 but not necessarily just a userbut not necessarily just a user

 may be a limited subset of user’s rightsmay be a limited subset of user’s rights  applied to a more restricted processapplied to a more restricted process

(12)

UNIX File

UNIX File

Concepts

Concepts

UNIX files administered using inodes

UNIX files administered using inodes

 control structure with key info on filecontrol structure with key info on file • attributes, permissions of a single fileattributes, permissions of a single file

 may have several names for same inodemay have several names for same inode  have inode table / list for all files on a diskhave inode table / list for all files on a disk

• copied to memory when disk mountedcopied to memory when disk mounted

directories form a hierarchical tree

directories form a hierarchical tree

 may contain files or other directoriesmay contain files or other directories

(13)

UNIX File

(14)

UNIX File

UNIX File

Access Control

Access Control

 “set user ID”(SetUID) or “set group ID”(SetGID)set user ID”(SetUID) or “set group ID”(SetGID)

 system temporarily uses rights of the file owner / system temporarily uses rights of the file owner /

group in addition to the real user’s rights when making

group in addition to the real user’s rights when making

access control decisions

access control decisions

 enables privileged programs to access files / enables privileged programs to access files /

resources not generally accessible

resources not generally accessible

 sticky bit sticky bit

 on directory limits rename/move/delete to owner on directory limits rename/move/delete to owner

 superuser superuser

(15)

UNIX

UNIX

Access Control Lists

Access Control Lists

modern UNIX systems support ACLs

modern UNIX systems support ACLs

can specify any number of additional users /

can specify any number of additional users /

groups and associated rwx permissions

groups and associated rwx permissions

ACLs are optional extensions to std perms

ACLs are optional extensions to std perms

group perms also set max ACL perms

group perms also set max ACL perms

when access is required

when access is required

 select most appropriate ACLselect most appropriate ACL

(16)

Role-Based

Based

Access

Access

Control

(17)

Role-Based

Based

Access

Access

Control

(18)

Role-Based

Based

Access

Access

Control

(19)

NIST RBAC Model

(20)

RBAC For a Bank

(21)

Summary

Summary

introduced access control principles

introduced access control principles

 subjects, objects, access rightssubjects, objects, access rights

discretionary access controls

discretionary access controls

 access matrix, access control lists (ACLs), access matrix, access control lists (ACLs),

capability tickets capability tickets

 UNIX traditional and ACL mechanismsUNIX traditional and ACL mechanisms

References

Download now ( PPT - 21 Page - 911.50 KB )

Related documents

ingilizceDilBilgisi

* “değildim” ifadesinde “not” cümleye hem olumsuzluk anlamı katar hem de “past” anlamı katar. Aynı zamanda “dün” kelimesinden de cümlenin “past” olduğunu

Ireland and Switzerland: the jagged edges of the Great Inflation

In an interview, Schlumpf claimed: “Price control done by a small body in a relatively small economy can be effective” ( CT , 08/13/78). He was also reported as sharing the view

MATHEMATICAL INSTITUTE UNIVERSITY OF OXFORD. Exploring Mathematics with MuPAD

MuPAD procedures are sets of commands which are needed to be used repeatedly, often with different parameter values each time. The following is an example of a simple MuPAD

This catalog is for Anthem Institute Jersey City only and not complete without all current supplements. BRANCH LOCATION: ANTHEM INSTITUTE

If a student changes programs or enrolls into a new program, only those courses that apply to the new program in accordance with the Credit for Prior Education section of the

Teradata Database Version 2 Release (V2R6.1.0) Security Target

• The TOE enforces Discretionary Access Control (DAC) on objects based on the following user attributes: (a) identity of the user associated with the session, (b) access

Mathematics: A good predictor for success in a health science degree

This paper examines the extent to which the completion of secondary school mathematics courses is predictive of academic success for 57 first-year students enrolled in

The quality of clinical diagnosis and procedure coding and risk factors for malnutrition among hospitalized geriatrics in Hospital Universiti Sains Malaysia

Therefore, the objectives of this study were; (1) to determine factors associated with malnutrition among hospitalized geriatrics (2) to study the impacts of malnutrition