COEN 350: Network Security Authorization. Fundamental Mechanisms: Access Matrix Subjects Objects (Subjects can be objects, too.) Access Rights Example:

1 COEN 350: Network Security Authorization

2 Fundamental Mechanisms: Access Matrix
- Subjects
- Objects (Subjects can be objects, too.)
- Access Rights
- Example: OS
  - Subjects = Processes
  - Objects = System Resources
  - Access Rights: read, write, execute

3 Fundamental Mechanisms: Access Matrix
- Example: DBMS
  - Subjects = Users
  - Objects = Relations
  - Access Rights: retrieve, update, insert, delete

4 Fundamental Mechanisms: Access Matrix
- Access Matrix:
  - Row for each object
  - Column for each subject
  - Entry is a set of access rights.
- Later Security Models:
  - Allow for administrative operations that change the access matrix.
  - Example: Owner of file can give permissions to others.

5 Fundamental Mechanisms: Access Matrix
- Access Control Lists
  - ACL for each object.
  - Lists all the subjects and their rights.
- Capabilities
  - Capability list for each subject.
  - Contains all the objects and the rights of the subject.

6 Fundamental Mechanisms: Access Matrix
- Authorization Relation
  - Database table with fields owner, access mode, object.

| Subject | Access Mode | Object |
| Bob     | Owner       | File 1 |
| Bob     | Read        | File 1 |
| Bob     | Write       | File 1 |
| Alice   | Read        | File 1 |
| Alice   | Owner       | File 2 |
| Alice   | Read        | File 2 |
| Alice   | Write       | File 2 |
| Bob     | Read        | File 2 |
| Bob     | Write       | File 2 |
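The authorization relation from slide 6, projected into the ACL view and the capability view of slide 5, with the owner-only administrative operation of slide 4. This is an added example, not part of the original slides; the function names and the rule that only an "Owner" tuple permits granting are assumptions.

```python
from collections import defaultdict

# Authorization relation copied from the slide: (subject, access mode, object).
AUTH_RELATION = [
    ("Bob", "Owner", "File 1"), ("Bob", "Read", "File 1"), ("Bob", "Write", "File 1"),
    ("Alice", "Read", "File 1"),
    ("Alice", "Owner", "File 2"), ("Alice", "Read", "File 2"), ("Alice", "Write", "File 2"),
    ("Bob", "Read", "File 2"), ("Bob", "Write", "File 2"),
]

def _group(relation, key_index, inner_index):
    """Group tuples by one column, collecting access modes per inner column."""
    view = defaultdict(lambda: defaultdict(set))
    for row in relation:
        view[row[key_index]][row[inner_index]].add(row[1])
    return {k: dict(v) for k, v in view.items()}

def acls(relation):
    """One ACL per object: subject -> set of access modes."""
    return _group(relation, 2, 0)

def capabilities(relation):
    """One capability list per subject: object -> set of access modes."""
    return _group(relation, 0, 2)

def allowed(relation, subject, mode, obj):
    """Access check with default deny: the exact tuple must be present."""
    return (subject, mode, obj) in relation

def grant(relation, grantor, subject, mode, obj):
    """Administrative operation (assumed rule): only the object's owner may grant."""
    if not allowed(relation, grantor, "Owner", obj):
        raise PermissionError(f"{grantor} does not own {obj}")
    new_row = (subject, mode, obj)
    return relation if new_row in relation else relation + [new_row]

if __name__ == "__main__":
    print("ACL for File 1:", acls(AUTH_RELATION)["File 1"])
    print("Capabilities of Alice:", capabilities(AUTH_RELATION)["Alice"])
```

Both views hold the same information as the relation; the difference is which question is cheap to answer: "who can touch this object?" (ACL) or "what can this subject touch?" (capabilities).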

7 Fundamental Mechanisms: Intermediate Controls
- The access matrix is too storage intensive.
- Access matrices make it hard to change policies.
- Mechanism 1: Groups
  - Ideally, all access privileges are mediated through group membership.
  - Negative permissions implement exceptions.

8 Fundamental Mechanisms: Intermediate Control
- Protection Rings
  - Example: Group processes and system resources into four categories
    - Operating System Kernel
    - Operating System Utilities
    - User Processes
  - Access to an object is only granted to a subject of lower level.
  - Unix only has two levels.
  - Sometimes protection rings have hardware support.

9 Fundamental Mechanisms: Security Classes
- Each object has a Security class (Security Label)
- Denning: Information Control Policy consists of
  - Security Classes
  - “Can flow” relationship
  - Join operation
    - Join A ⊕ B combines rights and restrictions of both.
- US DoD Security Levels
  - Top Secret
  - Secret
  - Confidential
  - Unclassified

10 Fundamental Mechanisms: Access Control Policies
- Discretionary Access Control (DAC)
  - Specifies authorization solely based on object and subject identity.
  - Flexible and simple.
  - Difficult to control information flow.
- (Classical) Mandatory Access Control (MAC)
  - Each user and object has a security level.
  - Security level reflects trust that user will not pass information to users with lower level clearance.
  - Access to an object based on security level.

11 Fundamental Mechanisms: Access Control Policies
- (Refined) Mandatory Access Control (MAC)
  - Security Levels and Compartments.
  - Example:
    - CRYPTO for cryptographic algorithms.
    - COMSEC for communication security.
    - Possible to have top secret clearance in CRYPTO and unclassified clearance in COMSEC.
- Discretionary policies typical in low security (academic) environments.
- Mandatory policies typical in high security (military) environments.
- Neither policy adequate for commercial systems.
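The security classes of slide 9 and the compartments of slide 11, as an added example that is not part of the original slides. It assumes a label is a mapping from compartment to level, that a missing compartment counts as Unclassified, and that reads require the subject to dominate the object while writes require the reverse (no write down); the function names and sample documents are constructed.

```python
# US DoD levels from the slide, ordered low to high.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def level_in(label, compartment):
    """Level a label holds in a compartment (assumption: absent = Unclassified)."""
    return LEVELS[label.get(compartment, "Unclassified")]

def dominates(a, b):
    """True if label a is at least as high as label b in every compartment of b."""
    return all(level_in(a, c) >= LEVELS[lvl] for c, lvl in b.items())

def can_flow(src, dst):
    """'Can flow' relationship: information may move only to a dominating label."""
    return dominates(dst, src)

def join(a, b):
    """Join of two labels: the per-compartment maximum of both."""
    names = {v: k for k, v in LEVELS.items()}
    return {c: names[max(level_in(a, c), level_in(b, c))] for c in set(a) | set(b)}

def may_read(subject, obj):
    return dominates(subject, obj)      # no read up

def may_write(subject, obj):
    return dominates(obj, subject)      # no write down

# Constructed sample labels; the user clearance is the one described on the slide.
USER = {"CRYPTO": "Top Secret", "COMSEC": "Unclassified"}
DOC_CRYPTO = {"CRYPTO": "Secret"}
DOC_COMSEC = {"COMSEC": "Confidential"}

if __name__ == "__main__":
    print("read CRYPTO doc:", may_read(USER, DOC_CRYPTO))
    print("read COMSEC doc:", may_read(USER, DOC_COMSEC))
    print("write CRYPTO doc:", may_write(USER, DOC_CRYPTO))
    print("join:", join(DOC_CRYPTO, DOC_COMSEC))
```

A document derived from both sample documents carries their join, so the slide's user can read neither it nor the COMSEC document despite holding a Top Secret clearance in CRYPTO.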

12 Fundamental Mechanisms: Access Control Policies
- Role Based Access Control (RBAC)
  - Regulates users’ access to information based on the activities the users execute in the system.
  - A “role” is a set of actions and responsibilities associated with a particular working activity.
  - Access is based on role, not on the identity of the user.

13 Fundamental Mechanisms: Access Control Policies
- Role Based Access Control (RBAC)
  - User authorization is broken into two tasks:
    - Granting roles to users
    - Granting rights to roles
  - Roles can be hierarchical.
    - Engineers inherit employee rights.
  - User can log in with the least privilege for a set of particular tasks.
  - Roles make it easier to enforce separation of duties:
    - “No single user can subvert the system by herself/himself.”
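The two RBAC tasks, role inheritance, least-privilege sessions and separation of duties from slides 12 and 13, as an added example that is not part of the original slides. Only "engineers inherit employee rights" comes from the slide; the other role names, the rights and the mutually exclusive pair are hypothetical.

```python
# Task 2: granting rights to roles (hypothetical rights).
ROLE_RIGHTS = {
    "employee": {"read_handbook"},
    "engineer": {"commit_code"},
    "release_approver": {"approve_release"},
}
# Role hierarchy: a role inherits every right of its parents.
ROLE_PARENTS = {"engineer": {"employee"}, "release_approver": {"employee"}}
# Separation of duties: no user may hold both roles of a pair.
EXCLUSIVE_ROLES = [{"engineer", "release_approver"}]

def effective_rights(role):
    """Rights of a role plus everything inherited from its parents."""
    rights = set(ROLE_RIGHTS[role])
    for parent in ROLE_PARENTS.get(role, ()):
        rights |= effective_rights(parent)
    return rights

def assign_role(user_roles, user, role):
    """Task 1: granting roles to users, refusing conflicting combinations."""
    if role not in ROLE_RIGHTS:
        raise KeyError(f"unknown role {role}")
    proposed = user_roles.get(user, set()) | {role}
    for pair in EXCLUSIVE_ROLES:
        if pair <= proposed:
            raise ValueError(f"separation of duties: {sorted(pair)}")
    return {**user_roles, user: proposed}

def session_rights(user_roles, user, active_roles):
    """Least privilege: a session activates only a subset of assigned roles."""
    active = set(active_roles)
    if not active <= user_roles.get(user, set()):
        raise PermissionError(f"{user} is not assigned {sorted(active)}")
    rights = set()
    for role in active:
        rights |= effective_rights(role)
    return rights

if __name__ == "__main__":
    roles = assign_role({}, "alice", "employee")
    roles = assign_role(roles, "alice", "engineer")
    print(session_rights(roles, "alice", {"employee"}))
    print(session_rights(roles, "alice", {"engineer"}))
```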

14 Covert Channels
- A mechanism to circumvent automatic confinement within a security perimeter.
- Example:
  - A person with TOP SECRET clearance (inadvertently) runs a Trojan horse.
  - The Trojan horse has free access to files in the compartment.
  - The Trojan horse cannot write down to an unclassified file.
  - But: the Trojan horse can do things that are visible from the outside and thus send the contents of TOP SECRET files through a covert channel.
    - T.H. either runs or waits. System load will vary. Small bandwidth channel.
    - T.H. can or cannot use shared resources. To send a 1 bit, T.H. fills up the printer line; to send a 0 bit, it empties it.

15 UNIX Woes: SUID programs
- Programs can execute the setuid system call.
- Executable runs as if executed by user.
- Sendmail uses setuid to implement email.
- User can cause programs to run as root with input they provide.
- Favorite targets of buffer overflow attacks.

