Authorization Flashcards
What are the layers of access control? (5)
Policy
Model
Mechanism
Awareness
Management
What is the Policy-layer of access control?
High-level rules, what is and is not allowed
What is the Model-layer of access control?
Formal representation of the policy
What is the Mechanism-layer of access control?
Low-level implementation of the model
What is the Awareness-layer of access control?
Education
What is the Management-layer of access control?
Operation
What is privilege creep?
People end up with more access than necessary
What are the technical layers of access control?
Application
Middleware
OS
Hardware
Name some access control models
DAC: Discretionary Access Control
What is DAC: Discretionary Access Control?
The owner of a resource decides how it is shared
The owner chooses to give read, write or other access to other users
What is an access control matrix?
X-axis: Resource (file, program, etc.)
Y-axis: User
Entry: Permissions (own, read, write, execute, etc.)
What is an authorization table?
A mechanism to implement access control matrices.
Pick non-empty entries in the access control matrix to create a list. This list is the authorization table.
From Access control matrix:
User | File 1 | File 2 | File 3 | Program 1
Ann | Own, Read, Write | Read, Write | (none) | Execute
Authorization table entry:
User - Access Mode - Object
Ann - Own - File 1
Ann - Read - File 1
Ann - Write - File 1
Ann - Read - File 2
Ann - Write - File 2
Ann - Execute - Program 1
Where are authorization tables used?
Database management systems (DBMS): Software systems used to store, retrieve, and run queries on data
The tables are stored as relational tables
What are access control lists (ACLs)?
Another mechanism to implement access control matrices
Describe an access control list (ACL)
Stores information by object (File 2, Program 1, etc.): each list holds one column of the access control matrix.
From access control matrix:
Program 1
Ann: Execute
Bob: (none)
Carl: Execute, Read
ACLs store each object in a file 1 with the structure:
File 1 -> Ann: Execute
       -> Carl: Execute, Read
Where are ACLs used?
In modern operating systems
Give an example of how ACLs are used
Linux: ls -l
rwxrw----
What does rwxrw---- mean in Linux?
rwx: Owner can read, write and execute
rw-: Users in the owner's group can read and write
---: Users outside the group cannot read, write or execute
What are capabilities?
The third mechanism to implement access control matrices
Describe capabilities
Stores information by subject: each capability list holds one row of the access control matrix
User | File 1 | File 2 | File 3 | Program 1
Bob | Read | (none) | Read, Write | (none)
Bob -> File 1: read
    -> File 3: read, write
Where are capabilities used?
iOS permission control
Data is segregated into classes (contacts, calendar, photos, etc.)
Only basic permissions are allowed at installation
At runtime, the app must ask the user to get permissions
What is a vulnerability of DAC?
Does not distinguish between user and process
Vulnerable to a process executing malicious programs (Trojan horse) that exploit the authorization of the user.
Give an example scenario of using a Trojan horse
Hacker: Creates the file steal.txt and gives the CEO permission to write to it, without the CEO’s knowledge
Two hidden operations (Trojan horse) are added to the CEO’s app. One operation reads the steal.txt file, the other operation writes to it.
The CEO executes the app. The app executes on behalf of the CEO (access control only checks the user, it does not check the process). Reading and writing to the secret file is allowed, without the CEO’s knowledge.
What is Mandatory Access Control? (MAC)
The system enforces a security policy independent of the user’s actions. It enforces access control on the basis of regulations mandated by a central authority.
An access class is assigned to each object and subject.