1 / 19

Chapter 4

Chapter 4. Access Control Manage Principals operations in system. Resources. Access control Which principals have access to what resources on the system and when. Applications. Middleware. Operating system. Hardware. Access control system.

joella
Télécharger la présentation

Chapter 4

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 4 Access Control Manage Principals operations in system

  2. Resources • Access control • Which principals have access to what resources on the system and when Applications Middleware Operating system Hardware

  3. Access control system • System authenticates principal using some method, then controls access to system resources. • Often a matrix of permissions • Triple of User Program File • See matrix page 53 • Matrices grow very large • Control this through groups or roles • Certificated based systems coming about • I have a certificate signed by some authority that I have a specific right.

  4. Groups and roles • Do not assign rights individually • Assign to groups that represents the activities or job titles of employees • They define the rules, you implement them • ACL Access Control List • Column of the matrix who has what rights to resource

  5. UNIX • Root can access everything. • Not a good thing, even system admin should not have access to certain files: • Audit trails • Logs • Newer versions of UNIX have worked to separate out these duties • Military versions even more so

  6. Granularity • Security and Database • Database is 1 file so OS must give access to this one file • Within in the database security is controlled by the DBMS • This creates various issues with passwords, management and control • Many systems, many passwords • Companies striving for 1 central directory service • This is why Microsoft wants it’s Active Directory product to become a “standard”

  7. Sandboxing • Java uses this • Applet runs in a virtual restricted environment • Does not have access to hard drive • JVM has limited local access

  8. Object Request Brokers • Mediates communications between objects • Outgrowth of Object Oriented programming • Common Object Request Broker Architecture (CORBA) • Industry standard

  9. Hardware protection • Protect one process from interfering with another • Memory • Metadata (data about processes) • Hardware access control • Rings of protection • Less privileged process (user program) needs to access more privileged process (device driver)

  10. Processors • Intel processors page 63 • ARM processors page 63 • Security processors page 64 • QoS • Quality of Service issues. • One process does not hog CPU

  11. What goes wrong • Smashing the stack • Syn flooding • Trojan horse • Root kits • Single commands • Full root kits • Active web content • And many more programming defects

  12. NSA • NSA • Deep distrust of application security • Heavy emphasis on trusted OS security

  13. Environmental creep • UNIX original use was in trusted environment • Todays use is in the most untrusted environment (internet) • Many tools also develop for trusted environment FTP, SMTP, DNS… • Used in most untrusted environment • Code used to be buggy, now is malicious • Script kiddies anyone can attack system

  14. Discussion topics • Current stack smashing article • Environment Creep and OS attacks • Current state of windows root kit • Where should security lie? OS, applications, middleware? • Certificate based security.

  15. Articles • Root Kit articles:  • http://www.viruslist.com/en/analysis?pubid=168740859 • http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1086469,00.html

  16. List of resources • Access control • http://en.wikipedia.org/wiki/Access_control • http://www.owasp.org/documentation/topten/a2.html • Groups roles • http://www.microsoft.com/windowsxp/evaluation/features/accesscntrl.mspx • http://www.tech-faq.com/role-based-access-control-rbac.shtml • http://technet2.microsoft.com/WindowsServer/en/Library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx

  17. List of resources • Sandboxing • http://www.kernelthread.com/publications/security/sandboxing.html • http://internetweek.cmp.com/trends/0825.htm

  18. List of resources • Object Request Brokers • http://en.wikipedia.org/wiki/Object_request_broker • http://www.sei.cmu.edu/str/descriptions/corba_body.html • Rings • http://www.devx.com/Intel/Article/30125

  19. List of Resources • NSA • http://www.nsa.gov/selinux/ • http://www.nsa.gov/selinux/info/faq.cfm

More Related