Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS426Fall 2010/Lecture 191 Computer Security CS 426 Lecture 19 Discretionary Access Control.

Published byBriana Juliana Lawson Modified over 8 years ago

Similar presentations

Presentation on theme: "CS426Fall 2010/Lecture 191 Computer Security CS 426 Lecture 19 Discretionary Access Control."— Presentation transcript:

1 CS426Fall 2010/Lecture 191 Computer Security CS 426 Lecture 19 Discretionary Access Control

2 CS426Fall 2010/Lecture 192 Access control Reference monitor mediate all access to resources –complete mediation: control all accesses to resources Resource User process Reference monitor access request policy ?

3 CS426Fall 2010/Lecture 193 ACCESS MATRIX MODEL U r w own V F SubjectsSubjects Objects (and Subjects) r w own G r rights

4 CS426Fall 2010/Lecture 194 IMPLEMENTATION OF AN ACCESS MATRIX Access Control Lists Capabilities Access control triples

5 CS426Fall 2010/Lecture 195 ACCESS CONTROL LISTS (ACLs) F U:r U:w U:own G U:r V:r V:w V:own each column of the access matrix is stored with the object corresponding to that column

6 CS426Fall 2010/Lecture 196 CAPABILITY LISTS each row of the access matrix is stored with the subject corresponding to that row UF/r, F/w, F/own, G/r VG/r, G/w, G/own

7 CS426Fall 2010/Lecture 197 ACCESS CONTROL TRIPLES SubjectAccessObject UrF UwF UownF UrG VrG VwG VownG commonly used in relational DBMS

8 ACL vs. Capabilities The Confused Deputy Problem CS426Fall 2010/Lecture 198 SYSX/FORT $OUTPUT Compiler Program SYSX (Dir) FORT STAT BILL Write to the bill file System Admin $Output SYSX/BILL Write output file User

9 CS426Fall 2010/Lecture 199 Analysis of The Confused Deputy Problem The compiler runs with authority from two sources –the invoker –the system admin (who installed the compiler and controls billing and other info) It is the deputy of two masters There is no way to tell which master the deputy is serving when performing a write

10 CS426Fall 2010/Lecture 1910 How the Capability Approach Solves the Confused Deputy Problem SYSX/FORT $OUTPUT 123 SYSX/STATSYSX/BILL $OUTPUT Invoker must pass in a capability for $OUTPUT, which is stored in slot 3. Writing to output uses the capability in slot 3. Invoker cannot pass a capability it doesn’t have.

11 CS426Fall 2010/Lecture 1911 Capabilities vs. ACL: Ambient Authority Ambient authority means that a user’s authority is automatically exercised, without the need of being selected. –causes the confused deputy problem No Ambient Authority in capability systems

12 CS426Fall 2010/Lecture 1912 Capability vs. ACL: Naming ACL systems need a namespace for objects In capability systems, a capability can serve both to designate a resource and to provide authority. ACLs also need a namespace for subjects –as they need to refer to subjects Implications –the set of subjects cannot be too many or too dynamic –most ACL systems treat user accounts (principals) as subjects, and do not support fine-grained subjects

13 CS426Fall 2010/Lecture 1913 Capability vs. ACL: Authority Management Subject-Aggregated Authority Management In (almost) all ACL systems, the power to edit authorities is aggregated by resource –naturally compatible with Discretionary Access Control, where there is often the notion of an owner In capabilities systems, the power to edit authorities is aggregated by subject

14 CS426Fall 2010/Lecture 1914 ACL'S VS CAPABILITIES ACCESS REVIEW ACL's provide for superior access review on a per-object basis Capabilities provide for superior access review on a per-subject basis REVOCATION ACL's provide for superior revocation facilities on a per-object basis Capabilities provide for superior revocation facilities on a per-subject basis

15 CS426Fall 2010/Lecture 1915 ACL'S VS CAPABILITIES ACL's require authentication of subjects Capabilities do not require authentication of subjects, but do require unforgeability and control of propagation of capabilities

16 CS426Fall 2010/Lecture 1916 Conjectures on Why Most Real-world OS Use ACL, rather than Capabilities Capability is more suitable for process level sharing, but not user-level sharing –user-level sharing is what is really needed Processes are more tightly coupled in capability- based systems because the need to pass capabilities around –programming may be more difficult

17 CS426Fall 2010/Lecture 1917 Discretionary Access Control No precise definition. Basically, DAC allows access rights to be propagated at subject’s discretion –often has the notion of owner of an object –used in UNIX, Windows, etc. "A means of restricting access to objects based on the identity and need-to-know of users and/or groups to which they belong. Controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (directly or indirectly) to any other subject."

18 CS426Fall 2010/Lecture 1918 Mandatory Access Control Mandatory access controls (MAC) restrict the access of subjects to objects based on a system-wide policy –denying users full control over the access to resources that they create. The system security policy (as set by the administrator) entirely determines the access rights granted

19 CS426Fall 2010/Lecture 1919 Multi-level Security (MLS) The capability of a computer system to carry information with different sensitivities (i.e. classified information at different security levels), permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. Typically use MAC Primary Security Goal: Confidentiality

20 CS426Fall 2010/Lecture 1920 INHERENT WEAKNESS OF DAC Unrestricted DAC allows information from an object which can be read to any other object which can be written by a subject –do not provide multi-level security Suppose our users are trusted not to do this deliberately. It is still possible for Trojan Horses to copy information from one object to another.

21 CS426Fall 2010/Lecture 1921 TROJAN HORSES A Trojan Horse is rogue software installed, perhaps unwittingly, by duly authorized users A Trojan Horse does what a user expects it to do, but in addition exploits the user's legitimate privileges to cause a security breach

22 CS426Fall 2010/Lecture 1922 TROJAN HORSE EXAMPLE File F A:r A:w File G B:r A:w Principal B cannot read file F ACL

23 CS426Fall 2010/Lecture 1923 TROJAN HORSE EXAMPLE File F A:r A:w File G B:r A:w Principal B can read contents of file F copied to file G ACL Principal A Program Goodies Trojan Horse executes read write

24 CS426Fall 2010/Lecture 1924 Buggy Software Can Become Trojan Horse When a buggy software is exploited, it execute the code/intention of the attacker, while using the privileges of the user who started it.

25 CS426Fall 2010/Lecture 1925 Readings for This Lecture Wikipedia Discretionary Access Control The Confused Deputy by Norm Hardy

26 CS426Fall 2010/Lecture 1926 Coming Attractions … The Bell LaPadula Model

Download ppt "CS426Fall 2010/Lecture 191 Computer Security CS 426 Lecture 19 Discretionary Access Control."

Similar presentations

LECTURE 1 ACCESS CONTROL Ravi Sandhu.

LECTURE 1 ACCESS CONTROL Ravi Sandhu.
Operating System Security

Operating System Security
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Protection and Security Protection is any mechanism for controlling the access of processes to the resources of a computer system. This mechanism must.

Protection and Security Protection is any mechanism for controlling the access of processes to the resources of a computer system. This mechanism must.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013

1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Access Control Patterns Fatemeh Imani Mehr Amirkabir university of technology, Department of Computer Engineering & Information Technology.

Access Control Patterns Fatemeh Imani Mehr Amirkabir university of technology, Department of Computer Engineering & Information Technology.
Database Security - Farkas 1 Database Security and Privacy.

Database Security - Farkas 1 Database Security and Privacy.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
1 UCR Access Control/Capabilities Some slides/ideas adapted from Ninghui Li.

1 UCR Access Control/Capabilities Some slides/ideas adapted from Ninghui Li.
CS 483 – SD SECTION (8) AUTHORIZATION. INTRODUCTION The authorization (or access control) process is used to decide if person, program or device X is.

CS 483 – SD SECTION (8) AUTHORIZATION. INTRODUCTION The authorization (or access control) process is used to decide if person, program or device X is.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Access Control Dr.Talal Alkharobi.

Access Control Dr.Talal Alkharobi.
User Domain Policies.

User Domain Policies.

Similar presentations

Ads by Google