WEEK 13-14 - State University of Zanzibar


WEEK 13-14
Access Control and Privilege
Management
Access Control
• Once a client and a server have established a
secure channel, the client can issue requests
to the server
• Requests can only be carried out if the client
has sufficient access rights
• The verification of access rights is access
control, and the granting of access rights is
authorization
– These two terms are often used interchangeably
What is Access Control?
• The ability to allow only authorized users,
programs or processes to access a system or resource
• The granting or denying, according to a particular
security model, of certain permissions to access a
resource
• An entire set of procedures performed by
hardware, software and administrators, to
monitor access, identify users requesting access,
record access attempts, and grant or deny access
based on pre-established rules.
• Access control is the heart of security
Examples of Access Control
• Social Networks: In most social networks, such as Facebook
and MySpace, some of your personal information can only
be accessed by yourself, some can be accessed by your
friends, and some can be accessed by everybody.
– The part of the system that implements this kind of control is
doing access control.
• Web Browsers: When you browse a web site, and run
JavaScript code from that web site, the browser has to
control what such JavaScript code can access, and what it
cannot access.
– For example, code from one web site cannot access the
cookies of another web site, and it cannot modify the
contents of another web site either.
– These controls are conducted by the browser’s access control.
Examples of Access Control
• Operating Systems: In an operating system, one user cannot
arbitrarily access another user’s files; a normal user cannot kill
another user’s processes.
– These are done by operating system access control.
• Memory Protection: In the Intel 80x86 architecture, code in one region
(for example, Ring 3) cannot access the data in another, more
privileged region (e.g. Ring 0).
– This is done by the access control implemented in the CPU (e.g. 80386
Protected Mode).
• Firewalls: Firewalls inspect every incoming (and sometimes outgoing)
packet; if a packet matches certain conditions, it is dropped by
the firewall, preventing it from reaching the protected
network.
– This is also access control.
The Basic Model for Access Control
• This model is generally used to help
understand the various issues involved in
access control
• The subject issues requests to access the
object, and protection is enforced by a
reference monitor that knows which subjects
are allowed to issue which requests
Identification & Authentication
• Identification is nothing more than claiming
you are somebody.
• In the information security world, this is
analogous to entering a username.
• Authentication is how one proves that they
are who they say they are.
• Most systems use a password for this, which is
based on “something you know”, i.e. a secret
between you and the system.
Identification & Authentication
Techniques
• The practical value of any
identification/authentication scheme,
however, generally exists in one of three
states:
• certain and unambiguous (deterministic)
• certain based on a low probability of error
(probabilistic)
• uncertain and ambiguous and therefore (for
all practical purposes) false.
Biometric Identification
• Biometric identification is a sophisticated
variation on a token-based, single-factor security
scheme.
• In this case, the token is some physical attribute
of the person—fingerprint, iris, retina, face, vein
pattern, etc.
• Biometric identification systems typically follow
three high-level processing steps.
• First, the system must acquire an image of the
attribute through an appropriate scanning
technique.
cont
• Once the scanned content is acquired, it must be localized for
processing purposes.
• During this step, extraneous informational content is discarded and
minutiae are isolated and turned into a template, a sort of internal
canonical form for matching attributes stored in a database.
• Minutiae are the uniquely differentiating characteristics of the
biometric attribute.
• Whorls and loops and their relationship to one another on a
fingerprint are an example of the minutiae that might be
extracted.
• Finally, templates stored in the database are searched for a match
with the one just presented.
• If a match is found, the identification is a success and the
succeeding steps of the security process can begin.
Biometric Authentication
• Biometric authentication virtually eliminates the risk of
anonymity in a two-factor security scenario by using a
physical attribute of the person to authenticate a
token.
• The process is similar to biometric identification.
• First, the requestor presents a token to assert identity.
• For example, an ATM or credit card is inserted into a
reader.
• (A number encoded on the card is actually the token;
the card is more like a container for the token, but
treating the card as a token is appropriate.)
cont
• As with identification, the system must acquire
an image of the personal attribute.
• Second, the attribute must be localized, minutiae
extracted, and a matching template created.
• Finally, the value of the token is used to look up
the template previously stored for this individual.
• If it matches the template presented on this
occasion, the requestor is authenticated.
Limitations of Biometric Ident/Auth
• Whether biometric technology is used for
identification or authentication, its main
limitation is that it uses probabilistic
techniques for matching.
• This means that every case includes some
margin for error.
• In daily practice, false rejections are
considered more acceptable than false
acceptance.
Access Control Matrix
• The access control matrix is a matrix with each
subject represented by a row, and each object
represented by a column
• The entry M[s, o] lists the operations that subject s
may carry out on object o
• Is this matrix a good way to represent access rights?
• Of course, we don’t really want to implement it as
a matrix in any system of reasonable size, because
there would be a whole lot of wasted space…
Access Control Matrix
• There are two main approaches that are used
instead of an actual matrix:
– Each object can maintain a list, the access control
list, of the access rights of subjects that want to
access that object - this effectively distributes the
matrix column-wise, leaving out empty entries
– Each subject can maintain a list of capabilities for
objects - this effectively distributes the matrix
row-wise, leaving out empty entries
• Of course, capabilities can’t be totally maintained by the subjects - they
must be given to the subjects by some other trusted entity (like the
reference monitor)
Access Control Lists vs. Capabilities
[Figure: Access Matrix; Access Control List; Capability Lists]
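The matrix, its two distributions, and a reference monitor that answers requests from either one, as an added example that is not part of the lecture (the subjects, objects and rights are constructed sample data):

```python
# Added example: an access control matrix M[s, o] held as a dict of dicts,
# then distributed column-wise (ACLs) and row-wise (capability lists).
from typing import Dict, Set

# Constructed sample matrix: subjects are rows, objects are columns.
# A missing entry means the subject holds no rights on that object.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}},
    "carol": {},                      # a subject with no rights at all
}

def to_acls(matrix):
    """Column-wise view: for each object, which subjects may do what.
    Empty matrix entries are simply left out, so no space is wasted."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def to_capabilities(matrix):
    """Row-wise view: for each subject, the (object, rights) pairs it holds.
    In a real system these are issued by a trusted entity such as the
    reference monitor, never written by the subject itself."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}

def check_acl(acls, subject, op, obj):
    """Reference monitor lookup against the object's ACL."""
    return op in acls.get(obj, {}).get(subject, set())

def check_capability(caps, subject, op, obj):
    """Reference monitor lookup against the subject's capability list."""
    return op in caps.get(subject, {}).get(obj, set())

def revoke_all(acls, caps, obj):
    """Remove every right on `obj`. With ACLs this is one deletion; with
    capabilities every subject's list must be visited, which is the usual
    argument for ACLs when revocation matters."""
    acls.pop(obj, None)
    for row in caps.values():
        row.pop(obj, None)

if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    for s, op, o in [("alice", "write", "payroll.db"), ("bob", "write", "payroll.db")]:
        print(s, op, o, check_acl(acls, s, op, o), check_capability(caps, s, op, o))
```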
Protection Domains
• ACLs and capabilities help to efficiently
implement the access control matrix, but can still
become quite cumbersome
• A protection domain is a set of (object, access
rights) pairs, where each pair specifies for a given
object exactly what operations can be carried out
• By associating a protection domain with each
request, we can cut down on redundant
information in access control lists
Protection Domains
• One approach to using protection domains is to construct
groups of users
• Another approach is to use roles instead of groups
– Roles: head of a department, manager of a project,
member of a personnel search committee
Handling Access Control
Three methods for handling access control:
• MAC Mandatory Access Control
• DAC Discretionary Access Control
• RBAC Role-based Access Control
MAC: Mandatory Access Control
• Definition: A system-wide policy decrees who is
allowed to have access; individual users cannot
alter that access.
• Relies on the system to control access.
• Example: The law allows a court to access
driving records without the owners’ permission.
• Traditional MAC mechanisms have been tightly
coupled to a few security models.
• Recently, systems supporting flexible security
models have started to appear (e.g., SELinux, Trusted
Solaris, TrustedBSD, etc.)
DAC: Discretionary Access Control
• Definition: An individual user can set an
access control mechanism to allow or deny
access to an object.
• Relies on the object owner to control access.
• DAC is widely implemented in most operating
systems, and we are quite familiar with it.
• Strength of DAC:
– Flexibility: a key reason why it is widely known and
implemented in mainstream operating systems.
RBAC: Role-based Access Control
• Definition: Controls access based on roles that
users have within the system and on rules stating
what accesses are allowed to users in given roles.
• RBAC models define a role as a job function
within an organization.
• RBAC systems assign access rights to roles instead
of individual users.
• Users are assigned to different roles according to
their responsibilities.
cont
• RBAC is scalable provided that your
organizational policy is strong and well
documented.
• Individual administration of accounts is greatly
reduced, if not eliminated.
• RBAC supports a hierarchical design, allowing
rights to flow down the tree and allowing rights to
be constrained.
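A small RBAC model covering the definition, the role hierarchy and the constraint point above, as an added example that is not part of the lecture: a senior role inherits the rights of the roles beneath it, and a separation-of-duty rule blocks conflicting assignments (the roles, permissions and users are constructed sample data).

```python
# Added example: role-based access control with a role hierarchy and a
# static separation-of-duty constraint enforced at assignment time.
from typing import Dict, Set, Tuple

# Constructed sample policy. PARENT maps a role to the role it inherits from.
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "employee": {("read", "handbook")},
    "clerk":    {("submit", "order")},
    "approver": {("approve", "order")},
    "director": {("approve", "budget")},
}
PARENT = {"clerk": "employee", "approver": "employee", "director": "approver"}
# Role pairs that one user may never hold together (separation of duty).
CONFLICTS = {frozenset({"clerk", "approver"})}

def role_chain(role):
    """A role plus every role it inherits from, walking up to the base."""
    chain = []
    while role is not None:
        if role in chain:                      # guard against a cyclic hierarchy
            raise ValueError(f"cycle at role {role!r}")
        chain.append(role)
        role = PARENT.get(role)
    return chain

def effective_permissions(role):
    """Rights granted directly plus everything inherited down the tree."""
    perms = set()
    for r in role_chain(role):
        perms |= PERMISSIONS.get(r, set())
    return perms

class RBAC:
    def __init__(self):
        self.assignments: Dict[str, Set[str]] = {}

    def assign(self, user, role):
        """Refuse the assignment if any inherited role conflicts with one
        the user already holds (directly or through inheritance)."""
        held = self.assignments.setdefault(user, set())
        for new in role_chain(role):
            for old in (x for h in held for x in role_chain(h)):
                if frozenset({new, old}) in CONFLICTS:
                    raise PermissionError(f"{user}: {role} conflicts with {old}")
        held.add(role)

    def allowed(self, user, op, obj):
        """Reference monitor check: any held role (or an ancestor) grants it."""
        return any((op, obj) in effective_permissions(r)
                   for r in self.assignments.get(user, ()))
```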
cont
• Where RBAC can create headaches is during an
implementation where the organizational policy
is poorly documented or not adhered to.
• Adding unnecessary roles because of a
poor organizational policy will increase the
administrative workload and, over time, can
increase the administrator-to-end-user ratio until it
resembles more of a DAC implementation.