Access control & memory Flashcards
What is access control?
a broad term that describes the administrative, physical, and technical controls that regulate the interaction between subjects and objects
What is access control also known as?
Identity and access management (IAM)
What is a subject?
any active entity that requests access to a resource (an object)
Examples of subjects (2)
- Users
- Processes
What is an object?
a resource, a passive entity that is or contains the information that is needed by a subject
Examples of resources (3)
- files
- I/O
- database entries
What is access control used for?
granting, preventing, or revoking access to an object
What are the four stages of the access control process?
- Identification
- Authentication
- Authorisation
- Accounting
What are the three authentication methods?
- knowledge
- ownership
- characteristic
What is a type 1 error (false rejection)?
when a known, legitimate, authorised user is rejected as an unknown/unauthorised user
What is a type 2 error (false acceptance)?
when an unknown/unauthorised user is authenticated as a known/authorised user
What is multi-factor authentication?
requiring multiple independent pieces of evidence to establish identity
What are the three requirements for authentication?
- Implicit deny
- Need to know
- Separation of duties
What is implicit deny?
if no rule is specified for the transaction of the subject/object, the authorization policy should deny the transaction (conforming with the more general “default-safe” principle)
What is meant by “need to know”?
a subject should be granted access to an object only if the access is needed to carry out the job of the subject (conforming with the more general “least-privilege” principle)
What is “separation of duties”?
a single individual should not perform all the critical- or privileged-level duties. Important duties must be separated/divided among several individuals
Access control models (4)
- Mandatory Access Control: MAC
- Discretionary Access Control: DAC
- Role-Based Access Control: RBAC
- Attribute-Based Access Control: ABAC
Alternative name for mandatory access control (MAC)?
Rule-based access control
Alternative name for discretionary access control (DAC)?
Identity-based access control
What is an access control policy?
a specification for an access decision function
Examples of access control policies (2)
Bell-LaPadula & Biba
What does the Bell-LaPadula access control policy model guarantee?
Confidentiality
What does the Biba access control policy model guarantee?
Data integrity
How is access control often expressed?
Using an access control matrix
In what two ways are access control matrices implemented?
Access control lists & capability lists
Why are access control matrices not the most efficient?
Advantages of access control lists over capability lists (3)
- Easier for human interpretation
- Easy to remove rights on a particular resource (only need to modify one list)
- particularly suitable when new resources may be added/removed but the users are pretty stable
- scale up well and work in distributed settings
Advantages of capability lists over access control lists (2)
1.
What is Address Space Layout Randomisation (ASLR)?
randomizing the addresses of functions and data, specifically, the positions of the initial stack, the heap, and the libraries, between every run of the program
What is the benefit of Address Space Layout Randomisation?
it becomes much harder for the attacker to exploit the system through memory corruption vulnerabilities, as it will be more difficult for the attacker to predict addresses of interest (e.g. where certain secrets are loaded, or where certain libraries/shellcode will be loaded)
What is the purpose of an operating system?
To provide an interface between the computer users and the computer’s hardware