Lecture 10
Access Control
“The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner”
central element of computer security
assume have users and groups
◦ authenticate to system
◦ assigned access rights to certain resources on
Access control is a process to determine
“Who does what to what,” based on a
policy.
It is controlling access of who gets in and
out of the system and who uses what
resources, when, and in what amounts.
Access control is restricting access to a
system or system resources based on
something other than the identity of the
user
Kizza - Guide to Computer Network
Discretionary access control (DAC)
◦ Individual user may, at his own discretion, determine who is authorized to access the objects he creates
Example: Unix files
Mandatory access control (MAC)
◦ Creator of an object does not necessarily have the ability to determine who has authorized access to it
◦ Policy typically governed by a central authority
◦ Policy on an object depends on what object or information was used to create it
reliable input
fine and coarse specifications
least privilege
separation of duty
open and closed policies
policy combinations, conflict resolution
subject - entity that can access objects
◦ a process representing user/application
◦ often have 3 classes: owner, group, world
object - access controlled resource
◦ e.g. files, directories, records, programs etc
◦ number/type depend on environment
access right - way in which subject accesses an object
often provided using an access matrix
◦ lists subjects in one dimension (rows)
◦ lists objects in the other dimension (columns)
◦ each entry specifies access rights of the specified subject to that object
access matrix is often sparse
All the information needed for access
control administration can be put into a
matrix with rows representing the subjects
or groups of subjects and columns
representing the objects.
The access that the subject or a group of
subjects is permitted to the object is
shown in the body of the matrix.
One feature of the access control matrix is
In the access control lists (ACLs), groups
with access rights to an object are stored
in association to the object. If you look at
the access matrix in Figure, each object
has a list of access rights associated with
it. In this case each object is associated
with all the access rights in the column.
For example, the ACL for the access
matrix a is in fig b.
ACLs are very fitting for operating systems
A capability specifies that “the subject may do
operation O on object X.”
Unlike the ACLs, where the storage of access
rights between objects and subjects is based on
columns in the access control matrix, capabilities
access control storage is based on the rows. This
means that every subject is given a capability, a
forgery-proof token that specifies the subject’s
access rights.
From the access matrix a, we can construct a
Given a subject, what objects can it access? (capabilities)
Given an object, which subjects can access it? (ACLs)
◦ Second question is asked more often than first
For incident response, capabilities may be preferable
set of objects with associated access rights
in access matrix view, each row defines a protection domain
◦ but not necessarily just a user
◦ may be a limited subset of user’s rights
◦ applied to a more restricted process
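The following is an added example (not from the slides or from Kizza or Stallings) that ties the preceding three slides together in Python: a sparse access matrix stored as a dictionary, the column view (ACLs) and row view (capability lists) derived from it, the two questions each view answers directly, and a protection domain built as a restricted subset of one subject's row. Subject names, object names and rights are constructed sample data.

```python
# Added example: access matrix -> ACLs (columns) and capabilities (rows).
from collections import defaultdict

# Constructed sample matrix: (subject, object) -> set of rights. Entries that
# are absent mean "no access", which is what makes a real matrix sparse.
ACCESS_MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.txt"): {"read"},
    ("bob", "report.txt"): {"read", "write", "own"},
    ("backup", "payroll.db"): {"read"},
}


def acls(matrix):
    """Column view: object -> {subject: rights}. This is the list an OS stores
    with each object."""
    out = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        out[obj][subj] = set(rights)
    return dict(out)


def capabilities(matrix):
    """Row view: subject -> {object: rights}. This is the capability list held
    on behalf of each subject."""
    out = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        out[subj][obj] = set(rights)
    return dict(out)


def subjects_with_access(matrix, obj, right=None):
    """'Given an object, which subjects can access it?' -- answered by one ACL."""
    entry = acls(matrix).get(obj, {})
    return sorted(s for s, r in entry.items() if right is None or right in r)


def objects_accessible(matrix, subj, right=None):
    """'Given a subject, what objects can it access?' -- answered by one
    capability list; the question an incident responder asks about a
    compromised account."""
    entry = capabilities(matrix).get(subj, {})
    return sorted(o for o, r in entry.items() if right is None or right in r)


def check(matrix, subj, obj, right):
    """Closed policy: anything not explicitly granted is denied."""
    return right in matrix.get((subj, obj), set())


def restricted_domain(matrix, subj, allowed_rights):
    """Protection domain for a restricted process: a subset of the subject's
    row keeping only the listed rights (e.g. a helper that should only read)."""
    row = capabilities(matrix).get(subj, {})
    return {obj: rights & allowed_rights
            for obj, rights in row.items() if rights & allowed_rights}


if __name__ == "__main__":
    print(subjects_with_access(ACCESS_MATRIX, "payroll.db", "read"))
    print(objects_accessible(ACCESS_MATRIX, "alice"))
    print(restricted_domain(ACCESS_MATRIX, "alice", {"read"}))
```

Both views are rebuilt from the same matrix, which is the point: they carry identical information, and the choice between them is about which question must be cheap to answer and which update (revoking one subject everywhere versus changing one object's list) must be cheap to perform.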
Combines ACLs and capabilities
◦ “Lock” associated with each object
◦ “Key” associated with each subject authorized to access this object
◦ When subject tries to access object, its set of keys
ACLs and capabilities are “static”
◦ Require manual intervention to change
Locks and keys are “dynamic”
◦ May change on their own in response to changes
Cryptographic key used to encrypt a file
◦ A file cannot be “read” unless the subject has the encryption key
◦ Can also enforce that requests from n users are
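As an added example (not from the slides), the lock-and-key model in Python: each object carries a lock value per operation, each subject holds a set of key values, and access succeeds when a held key matches the lock. The "dynamic" property is shown by rotating a lock, which invalidates every outstanding key without editing any subject's key set. The key here is a random token compared for equality, standing in for the slide's encryption key; the names and objects are constructed sample data and the class is an in-memory model, not an OS mechanism.

```python
# Added example: lock-and-key access control with dynamic lock rotation.
import secrets


class LockAndKey:
    def __init__(self):
        self.locks = {}  # object -> {operation: lock value}
        self.keys = {}   # subject -> set of key values the subject holds

    def create_lock(self, obj, operation):
        """Attach a fresh lock to (object, operation); returns the matching key."""
        lock = secrets.token_hex(8)
        self.locks.setdefault(obj, {})[operation] = lock
        return lock

    def grant(self, subj, key):
        """Hand a key to a subject (capability-like: stored with the subject)."""
        self.keys.setdefault(subj, set()).add(key)

    def check(self, subj, obj, operation):
        """Access succeeds only if the subject's key set contains the current
        lock value for this object and operation (default deny)."""
        lock = self.locks.get(obj, {}).get(operation)
        return lock is not None and lock in self.keys.get(subj, set())

    def rotate(self, obj, operation):
        """Dynamic change: replacing the lock revokes every outstanding key at
        once, with no per-subject edits. Returns the new key to re-issue."""
        return self.create_lock(obj, operation)

    def key_holders(self, obj, operation):
        """ACL-like view derived on demand: who currently holds a matching key."""
        lock = self.locks.get(obj, {}).get(operation)
        return sorted(s for s, ks in self.keys.items() if lock in ks)


if __name__ == "__main__":
    ak = LockAndKey()
    k = ak.create_lock("payroll.db", "read")
    ak.grant("alice", k)
    print(ak.check("alice", "payroll.db", "read"))   # granted
    ak.rotate("payroll.db", "read")
    print(ak.check("alice", "payroll.db", "read"))   # revoked by rotation
```

Note what rotation does and does not give you: it revokes cleanly, but subjects who should keep access must be re-issued the new key, so the dynamic behaviour shifts effort from the revocation to the re-grant.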
The changing size and technology of computer and communication networks are creating complex and challenging problems in the security management of these large networked systems.
The changing technology and large numbers of users joining the networks are making the administration of systems extremely costly and prone to error when it is based solely on access control lists for each user on the system individually.
System security in role-based access control (RBAC) is based on roles assigned to each user in an organization. For example, one can take on a role as a chief executive officer, a chief information officer, or chief security officer.
A user may be assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Access decisions are then based on the roles individual users have as part of an organization.
The process of defining roles is based on a thorough
Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role.
Users are granted membership into roles based on their competencies and responsibilities in the organization.
The types of operations that a user is permitted to perform in the role he or she assumes are based on that user's role. User roles are constantly changing as the user changes responsibilities and functions in the organization, and these roles can be revoked.
Role associations can be established when new operations are instituted, and old operations can be deleted as organizational functions change and evolve.
RBAC is also based on the concept of least privilege that
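An added example (not from the slides) of the RBAC structure just described in Python: users are assigned roles, roles are assigned permissions, and the access decision looks only at roles, so revoking a role or retiring an operation is a single edit rather than a change to every user's ACL entry. The mutually-exclusive-role check is a separation-of-duty constraint added here on the assumption that it is wanted alongside the slides' least-privilege point; the slides themselves do not describe it. Role, user and permission names are constructed sample data.

```python
# Added example: minimal RBAC store with role revocation and a static
# separation-of-duty constraint (assumed addition, not from the slides).
class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object)
        self.user_roles = {}   # user -> set of role names
        self.exclusive = []    # pairs of roles one user may not hold together

    def define_role(self, role, perms):
        """Group access rights under a role name."""
        self.role_perms[role] = set(perms)

    def add_exclusion(self, role_a, role_b):
        """Declare two roles mutually exclusive (separation of duty)."""
        self.exclusive.append(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Grant role membership, refusing assignments that would let one user
        hold both halves of an exclusive pair."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for pair in self.exclusive:
            if role in pair and (pair - {role}) & held:
                raise ValueError(
                    f"{user!r} may not hold {role!r} together with "
                    f"{sorted(pair - {role})}")
        held.add(role)

    def revoke(self, user, role):
        """Remove a role; every permission it carried disappears with it."""
        self.user_roles.get(user, set()).discard(role)

    def retire_operation(self, operation, obj):
        """Delete an operation from every role when the function goes away."""
        for perms in self.role_perms.values():
            perms.discard((operation, obj))

    def permissions(self, user):
        """Union of the permissions of every role the user currently holds."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms[role]
        return perms

    def allowed(self, user, operation, obj):
        """The access decision: based on roles, not on the user's identity."""
        return (operation, obj) in self.permissions(user)

    def users_with(self, operation, obj):
        """Audit question: who can do this right now, and through which role."""
        return sorted((u, r) for u, roles in self.user_roles.items()
                      for r in roles if (operation, obj) in self.role_perms[r])


if __name__ == "__main__":
    r = RBAC()
    r.define_role("payroll_clerk", {("create", "payment")})
    r.define_role("payroll_approver", {("approve", "payment")})
    r.add_exclusion("payroll_clerk", "payroll_approver")
    r.assign("alice", "payroll_clerk")
    print(r.allowed("alice", "create", "payment"))
    print(r.users_with("create", "payment"))
```

`users_with` is the RBAC counterpart of the ACL question from the earlier slides: because rights live on roles, answering it means scanning role memberships, which is still far cheaper than reading a per-user ACL on every object.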
introduced access control principles
◦ subjects, objects, access rights
discretionary access controls
◦ access matrix, access control lists (ACLs), capability tickets
◦ UNIX traditional and ACL mechanisms
First Edition by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown
Chapter 4 –
http://www.cgisecurity.com/owasp/html/ch08.html