Access controls
Their function is to control which principals (persons, processes, machines, ...) have access to which resources in the system: which files they can read, which programs they can execute, how they share data with other principals, and so on.
Access controls at a bank's call center
Staff are not allowed to see your account details until you have answered a couple of security questions; this not only stops outsiders from impersonating you, but also stops the bank staff from looking up the accounts of celebrities, or of their neighbors.
(DAC)
discretionary access control (DAC) mechanisms, which leave protection to the machine operator
(MAC)
mandatory access control (MAC) mechanisms, which are typically under the control of the vendor and protect the operating system itself from being modified by malware.
access triples of
(user, program, file): read, write, run
Access controls can often be modeled as
a matrix of access permissions, with columns for files and rows for users.
The traditional way to simplify the management of access rights is to store the access control matrix a column at a time, along with the resource to which the column refers.
This is called an access control list or ACL (pronounced 'ackle').
ACLs are suited to environments where
protection is data-oriented; they are less suited where the user population is large and constantly changing, or where users want to be able to delegate their authority to run a particular program to another user for some set period of time.
ACLs are simple to implement, but
are not efficient for security checking at runtime, as the typical operating system knows which user is running a particular program, rather than what files it has been authorized to access since it was invoked. The operating system must either check the ACL at each file access, or keep track of the active access rights in some other way.
In traditional Unix systems,
files are not allowed to have arbitrary access control lists, but simply rwx attributes that allow the file to be read, written and executed. The access control list as normally displayed has a flag to show whether the file is a directory, then flags r, w and x for owner, group and world respectively; it then has the owner's name and the group name.
The program that gets control when the machine is booted runs as the supervisor, and has unrestricted access to the whole machine.
(the operating system kernel)
Access decisions are made on the basis of the userid associated with the program. However if this is zero (root), then the access control decision is
'yes'. So root can do what it likes: access any file, become any user, or whatever. What's more, there are certain things that only root can do, such as starting certain communication processes. The root userid is typically made available to the system administrator in systems with discretionary access control. -- ROOT IS BASICALLY GOD
Second, ACLs only contain the names of users,
not of programs; so there is no straightforward way to implement access triples of (user, program, file). Instead, Unix provides an indirect method: the set-user-id (suid) file attribute.
suid
the set-user-id (suid) file attribute. The owner of a program can mark the file representing that program as suid, which enables it to run with the privilege of its owner rather than the privilege of the user who has invoked it.
The strengths and weaknesses of capabilities are roughly the opposite of ACLs.
Runtime security checking is more efficient, and we can delegate a right without much difficulty
On the other hand, changing a file's status becomes more tricky as it can be hard to find out which users have access. This can be tiresome when we have to investigate an incident or prepare evidence.
Access control matrices (whether in two or three dimensions) can be used to implement protection mechanisms as well as just model them; but they don't
scale well: a bank with 50,000 staff and 300 applications would have a matrix of 15,000,000 entries, which might not only impose a performance overhead but also be vulnerable to administrators' mistakes.
a group is
a list of principals,
a role is
a fixed set of access permissions that one or more principals may assume for a period of time.
Groups and roles can be combined.
In banking, the manager of the Cambridge branch might have their privileges expressed by membership of the group manager and assumption of the role acting manager of Cambridge branch.
Programmers are often lazy or facing tight deadlines; so they just make the application
suid root, so it can do anything. This practice leads to some shocking security holes.
The IBM AS/400 series systems brought
capability-based protection to the mainstream computing market in 1988, and enjoyed some commercial success. The public key certificates used in cryptography are in effect capabilities, and became mainstream from the mid-1990s.
Unix ACL only names
one user.
Access control works at least at four levels
the application level (domain security policy), middleware (a web browser, a bank's bookkeeping system), system-level resources (files and communication ports provided by lower-level components), and hardware protection (the processor and its associated memory-management hardware)
Downfall of ACLs -
First, root can do what it likes, which means that the system administrator can do anything, so we have difficulty implementing an audit trail as a file that they cannot modify. Second, ACLs only contain the names of users, not of programs; so there is no straightforward way to implement access triples of (user, program, file). Third, ACLs are not very good at expressing mutable state. Fourth, the Unix ACL only names one user. If a resource will be used by more than one user, and you want to do access control at the OS level, you have a couple of options.