Authorization

Question 1

What are the layers of access control? (5)

Answer 1

Policy

Model

Mechanism

Awareness

Management

Question 2

What is the Policy-layer of access control?

Answer 2

High-level rules, what is and is not allowed

Question 3

What is the Model-layer of access control?

Answer 3

Formal representation of the policy

Question 4

What is the Mechanism-layer of access control?

Answer 4

Low-level implementation of the model

Question 5

What is the Awareness-layer of access control?

Answer 5

Education

Question 6

What is the Management-layer of access control?

Answer 6

Operation

Question 7

What is priivilege creep?

Answer 7

People end up with more access than necessart

Question 8

What are the technical layers of access control?

Answer 8

Application

Middleware

OS

Hardware

Question 9

Name some access control models

Answer 9

DAC: Discretionary Access Controll

Question 10

What is DAC: Discretionary Access Controll

Answer 10

The owner of a resource decides how it is shared

The owner chooses to give read, write or other access to other users

Question 11

What is an access control matrix?

Answer 11

X-axis: Resource (file, program, etc.)
Y-axis: User

Entry: Permissions (own, read, write, execute, etc.)

Question 12

What is an authorization table?

Answer 12

A mechanism to implement access control matrices.

Pick non-empty entries in the access control matrix to create a list. This list is the authorization table.

From Access control matrix:

      File 1.        File 2.       File 3.      Program 1 Ann.  Own.         Read                         Execute
      Read.         Write
      Write

Authorization table entry:
User - Access Mode - Object
Ann Own. File 1
Ann Read File 1
Ann Write File 1
Ann Read File 2
Ann Write File 2
Ann Execute Program 1

Question 13

Where are authorization tables used?

Answer 13

Database management systems (DBMS): Software systems used to store, retrieve, and run queries on data

The tables are stored as relational tables

Question 14

What are access control lists (ACL)

Answer 14

Another mechanism to implement access control matrices

Question 15

Describe Access control list (ACL)

Answer 15

Stores information according to objects (file 2, Program 1, etc.), stores column.

From access control matrix:
Program 1
Ann. Execute

Bob.

Carl. Execute
Read

ACL’s stores each object in a file 1 with the structure:

File 1-> Ann
Execute
-> Carl
Execute
Read

Question 16

Where are ACL’s used?

Answer 16

In modern OS

Question 17

Give an example of how ACLs are used

Answer 17

Linux: ls -l

rexre—

Question 18

What does rwxrw—- mean in linux?

Answer 18

rwx: Owner can read, write and execute

rw-: User’s in the owner’s group can read and write

—: Users outside the group cannot read, write or execute

Question 19

What is capabilities?

Answer 19

The third mechanism to implement access control matrices

Question 20

Describe Capabilities

Answer 20

Stores information according to the subject: matrix row

      File 1.         File 2.         File 3           Program 1 Bob.  Read.                             Read
                                              Write

Bob -> File 1
read
-> File 3
read
write

Question 21

Where is Capability used?

Answer 21

iOS permission control

Data is segregated into classes (contacts, calendar, photos, etc.)

Only allow basic permission at installation

At runtime, app must ask user to get permissions

Question 22

What is a vulnerability of DAC?

Answer 22

Does not distinguish between user and process

Vulnerable to a process executing malicious programs (trojan horse), exploiting the authorization of the user.

Question 23

Give an example scenario of using a Trojan horse

Answer 23

Hacker: Creates file steal.txt and gives CEO permission to write it, without the CEO’s knowledge

Two hidden operations (Trojan horse) is added to the CEO’s app. One operation reads the steal.txt file, the other operation writes to it.

CEO executes the app. The app executes on behalf of the CEO (Access control only checks the user, it does not check the process). Reading and writing to the secret file is allowed, without the CEO’s knowledge.

Question 24

What is Mandatory Access Control? (MAC)

Answer 24

A system enforces a security policy independent of the user’s action. Enforces access control on the basis of regulations mandated by a central authority.

Access class is assigned to each object and subject.

Question 25

What are the types of Object classificaion?

Answer 25

TOP SECRET
SECRET
CONFIDENTIAL
UNCLASSIFIED

Question 26

What are the types of Subject classification?

Answer 26

TOP MANAGER
MIDDLE LEVEL MANAGER
EMPLOYEE
GENERAL PUBLIC

Question 27

What is the Bell-LaPadula model?

Answer 27

A state machine model used for enforcing access control.

Main focus: enforce confidentiality, only allows operations on the same level

No read up (NRU)
No write down (NWD)

Question 28

What is the Biba model?

Answer 28

Another state machine used to enforce access control.

Main focus: Enforce integrity

No read down (NRD)
No write up (NWU)

Question 29

Why is the Biba model useful for integrity?

Answer 29

No improper modification of high integrity objects from low classified subjects. E.g. a downloaded software cannot write to the OS.

High integrity objects are not contaminated because they do not read lower-level data, which can be unreliable.

Question 30

How can Bell-LaPadula and Biba be combined?

Answer 30

Combined when we want integrity and confidentiality.

Objects and subjects have to be assigned two access classes:
- One for confidentiality control
- One for integrity control

Question 31

What are the pros and cons of MAC?

Answer 31

Pros:
- Strict control over information flow
- Strong exploit containment

Cons:
- Cumbersome administration

Question 32

What are the pros and cons of DAC?

Answer 32

Pros:
- Simple and efficient access right management
- Scalability

Cons:
- Weak control over information flow

Question 33

What is Role-Based Access Control? (RBAC)

Answer 33

Based on the idea of assigning permissions to users based on their roles. Analyses needs of users, and group them intro roles based on the same responsibilities and needs.

More manageable approach to access management that is less prone to error than assigning permissions to users individually.

Question 34

What are some benefits of RBAC?

Answer 34

Easy authorization management

Maps to real-world role hierarchy

Question 35

What is attribute-Based Access Control? (ABAC)

Answer 35

Access control model that evaluates attributes (characteristics) rather than roles, to determine access.

Each user has a set of attributes

Question 36

What access control model is used for coarse-grain access control?

Answer 36

RBAC

Question 37

What access control model is used for fine-grain access control?

Answer 37

ABAC, but this is more difficult to use correctly

Question 38

How should RBAC and ABAC be combined?

Answer 38

RBAC before ABAC

Decide who can see what module, BEFORE deciding what they can see inside a module

Question 39

What is the Browser Same-origin policy?

Answer 39

Only communicate with the IP you originated from

Question 40

when does two URLs have the same origin?

Answer 40

Protocol, port and host are the same

Question 41

What is a Sandbox?

Answer 41

Restricted environment, separates running programs so that they are unable to affect other applications.