Authorization and Access Control Flashcards
Authorization
Process of determining exactly what an authenticated party can do
Access controls
Tools and systems you use to deny and allow access
What are the four basic tasks of access controls?
Allowing access
Denying access
Limiting access
Revoking access
Sandbox
Isolated environments containing a set of resources for a given purpose
What are the two main uses of sandboxes?
Prevent contents of sandboxes from interacting with resources they shouldn’t
Contain things you don’t trust, e.g., code from public websites
What are the two main methods of implementing access controls?
Access control lists (ACLs, pronounced "ackles")
Capabilities
Access control list
Contains information about what kind of access certain parties are allowed to have in a given system
Often part of application or OS software
Ex: Badge readers
What are the two types of ACL?
File system ACL
Network ACL
What are the three types of permissions in file system ACLs?
Read
Write
Execute
Characteristics of Network ACLs
Filter access based on identifiers used for network transactions, such as Internet Protocol (IP) addresses
Permissions are binary, not RWX
Grant permissions to traffic rather than users
What are three main identifiers network ACLs use to filter traffic?
Media access controls
IP addresses
Port
Media access controls (context: network ACLs)
Unique identifiers hard coded into each network interface in a given system
Easily changed
IP addresses (context: network ACLs)
Unique address for a computer
ACL can filter single address or range of addresses
Can be falsified
Port (context: network ACLs)
Numerical designation for one side of a connection between two devices
Ports are used as a convention, not by rule, i.e., they can be changed
Socket
When an ACL uses both an IP address and a port, it is called a socket
Confused deputy problem
When software with access to a resource (the deputy) has a greater level of permission to access the resource than the user who is controlling the software
Cross-site request forgery (CSRF)
Example of confused deputy problem
If an attacker knows of a website that has already authenticated a user, he can embed a link in a web page or HTML email, such that when the target’s browser attempts to retrieve the image, it also executes additional malicious commands
Clickjacking, AKA user interface redressing
Example of confused deputy problem
An attacker who has control over some portion of a website puts an invisible layer over something the user would normally click. When the user clicks, the client executes a command that is different from what the user is expecting
Blackholing
Filtering large swaths of IP addresses