Access Control: Discretionary and Mandatory Flashcards

1
Q

How does the TCB decide if a request should be granted?

A

Authentication (establishes source) and authorization (grants access based on identity)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Who can grant access?

A

Normally the person who creates/owns a resource

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the difference between policy and enforcement?

A

Policy is who can access

Enforcement is only allowing authorized people to access

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is an Access Control Matrix?

A

Essentially a table that stores access rights to resources
Usually very large
Can be sparse

Rows = users/subjects/groups
Columns = resources
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Where should the ACL/C-List be stored?

A

Trusted part of the system

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is an ACL?

A

Access control list
Consists of access control entries (ACEs) and other object meta-data
Indexed by object/resource (lists users and their access rights per object)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is a C-List?

A

Capabilities list that defines what a certain user can access

Can be stored in objects/resources
Indexed by user (lists objects and their access rights)
Sharing access requires propagation of capabilities

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is a capability?

A

Unforgeable reference/handle for a resource

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

How does UNIX implement access controls?

A

Each resource looks like a file, and has an owner
RWX bits for owner, group and world
Originally 9 bits for access, but other bits there now
There are other variants for access control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Who is authenticated when running a program/accessing a file?

A

The owner, not the person accessing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is role based access control?

A

Used in enterprise settings
Based on job function or role of a user
Users can have one or more roles
Users authenticate themselves to the system and then activate their roles
Policy does not need to be updated as employees come and go
New employees can activate themselves

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is Mandatory Access Control?

A

Company decides how data should be shared

Users have classification levels that limit what they can access

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are the issues with Discretionary Access Control?

A

Cannot control information flow

In some cases, user cannot decide how certain types of data can be shared

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

How do we implement MAC?

A

Label files to indicate sensitivity and category of data
TCB checks user label and object labels
Labels largely depend on the organization using them

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is involved in a label?

A

The sensitivity level and the compartment

Compartment = descriptor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Characteristics of the Bell and LaPadua Model

A
Four classes: Top Secret, Secret, Classified, Unclassified
Simple security property (no read up)
Start property (no write down)
17
Q

Characteristics of the Biba Model

A

Focuses on integrity rather than confidentiality

Allows for read up and write down

18
Q

Policies for Commercial Environments

A

User clearance is not common
Data only accessible by applications
Requires separation of duty and conflict of interest requirements

19
Q

What is the Clark-Wilson Policy?

A

Same user cannot execute two programs that require separation of duty

20
Q

What is the Chinese Wall Policy?

A

User can access any object as long as they have not access an object from another company in the same conflict class