Access Control Flashcards
What is access control?
Control who has access to services and resources in the network
What are the forms of access control?
Authentication servers
Physical access control
Traffic filters
Access control lists in an OS
What does access to a system mean?
Subject, in the form of a human or process, requests a passive object (resource) with some specific access operation.
What is a reference monitor?
Piece of software or hardware that examines and can grant or deny the request.
At what level does the reference monitor support security?
At the hardware or OS layer, where a subject can be allowed to access resources and the type of access is decided
What types of protective separation is done?
Physical Separation
Logical Separation
Temporal Separation
Cryptographic Separation
What is physical separation?
Different processes use different objects such as printers, files or servers
What is temporal separation?
Processes with different security requirements can only be run at separate times.
What is logical separation?
A process’s access is constrained so that it cannot access outwith its permitted domain
What is cryptographic separation?
Files (data) or processes are hidden or obfuscated under cryptographic protocols.
What are the Unix access rights?
Execute, read, append, write
What do some systems split their permissions into further?
Rename or change permissions
Create Files
Transfer
Propagate
What is the Principle of Least Privilege?
Only users that need a resource for their role should have access to it.
What is an access control list?
Describes the rights of subjects and objects
Works best in data-oriented systems where permissions are stored alongside the data
What are the drawbacks of ACL?
Inefficient, because values are repeated throughout the system.
Checked for each file at runtime
Doesn’t scale: a change for one user has to be made on each and every file
Is C-List used for access control?
No, as it’s easier for an OS to control access to objects rather than users.
Despite being more efficient at runtime checking, it is slower in determining who has resource access
Uses PK certificates for user identification
What is DAC?
Discretionary Access Control (DAC)
Subject creates a resource it can allow access to.
User sets own protection level which is enforced by the system.
What does strict DAC do?
Allows for the granting of access but not ownership to subjects. Ownership must be transferred.
What is MAC?
Mandatory Access Control is where users and resources have fixed security attributes (labels) assigned by an admin. Users can access the resources whose labels allow them to.
MAC is set globally and can’t be changed.
Can MAC be changed?
It can be by trusted processes, otherwise it is immutable.
What issues do both MAC and DAC have?
Canceling
Adding
Merging
How are policy conflicts dealt with?
Resolved by reference monitor
What are privileges?
The right to exercise rights. Like groups, can be seen as an intermediate layer between objects and subjects.
What do Reference monitors mediate access to?
Objects such as the kernel and physical resources.
Where can the reference monitor be situated?
Access Control System
Hypervisor
In an application
In the services layer
What is a security kernel?
Piece of Hardware, Software or Firmware that implements the reference monitor
What are the conditions of the security kernel?
Must be tamper-proof and verifiable
What is TCB?
Trusted Computer Base
Group of systems that enforce a security policy
What is the TCB made up of?
Daemon, Firmware, Software Controls, Firewalls, Interrogate software, Virus Protection
These ensure correct access and correct inputs
How is RBAC implemented?
At the application layer.
Functional groups or user roles based on info needed for job function.
Each role allows certain privileges.
What are the rings of protection and what do they do?
Offer different levels of privilege for the users or system programs.
Ring 0: Kernel
Ring 1: Supervisor
Ring 3: User Space
What ring changes privileges in a system?
Ring 0
How can userspace programs communicate with the kernel?
System calls
What forms can Windows ACL take?
Discretionary ACL (DACL)
Systems ACL (SACL)
What is DACL?
List of access control entities (ACEs). If there are none then the object is presumed to allow full access to all subjects.
What is an ACE?
Access Control Entity. Each ACE controls or monitors access to an object by a specified trustee.
Can be of type Access Denied, Access Allowed or System_Audit
What is SACL?
Logs attempts to access resources.
What is HAL?
Hardware Acceleration Layer
Provides an interface to the hardware
How is the security reference monitor run on Windows?
Run from the Windows executive
Local security authority runs at login
The security account manager keeps the user database account.
What can subjects be in Windows?
Users
Domains
Groups
Machines
What are principals made of?
Username
SID
What is stored in an access token?
Security credentials for a process
What are the security levels?
Attributes of a system, policies may consist of them.
What type of access control does MAC use?
Rule BAC
What type of access control does DAC use?
Identity BAC (IBAC)