Chapter 5

Question 1

What is access control?

Answer 1

Who is allowed to do what ?

Question 2

What does access control do?

Answer 2

Access control enforces operational security policies.

Question 3

What’s a policy?

Answer 3

A policy specifies who is allowed to do what.

Question 4

What’s a principle?

Answer 4

The active entity requesting access to a resource.

Question 5

What’s an object?

Answer 5

The resource access is requested.

Question 6

What’s a reference monitor?

Answer 6

Reference monitor is the abstract machine enforcing access control; guard mediating all access requests.

Question 7

What’s authentication?

Answer 7

Reference monitor verifies the identity of the principle making the request. Example: user identity.

Question 8

What’s authorization?

Answer 8

Reference monitor decides whether access is granted or denied.

Question 9

From where does request to the reference monitor come from?

Answer 9

They come from the process.

Question 10

What’s the subject?

Answer 10

The active entity making a request within the system.

Question 11

Define: user, user identity (principle), process (subject)

Answer 11

User: person
User identity (principle): name used in the system, possibly associated with a user.
Process (subject): running under a given user identity.

Question 12

Principles and subjects terminology.

Answer 12

A principle is an entity that can be granted access to objects or can make statements affecting access control decisions. (Policy)
Example: user ID

Subjects operate on behalf of (human users we call) principles; access is based on the principle’s name bound to the subject in some unforgeable manner at authentication time.
Example: process (running under a user ID)

Question 13

What’s access operations?

Answer 13

Access operations vary from basic memory access (read, write) to method calls in object-oriented systems.

Question 14

Define the following access operations: access right, permission, privilege.

Answer 14

Access right: right to perform an (access) operation;

Permission: synonym to access right.

Privilege: a set of access rights given directly to roles like administrator, operator,…

Question 15

What can a subject do (access modes)?

Answer 15

A subject can:

• observe an object, or
• alter an object.

Question 16

State the access rights of the Bell-LaPadula model.

Answer 16

Execute
Read
Append (or Blind Write)
Write

Question 17

List the three access operations on files.

Answer 17

Read: from a file
Write: to a file
Execute: a file

Question 18

List the access operations on directories.

Answer 18

Read: list contents
Write: create or rename files in the directory
Execute: search directory

Question 19

Where is deleting files or subdirectories is handled?

Answer 19

In the directory.

Question 20

What are the administrative access rights?

Answer 20

1) policies for creating and deleting files expressed by:
* access control on the directory (unix).
* specific create and delete rights (windows, openVMS)

2) policies for defining security settings such as access rights handled by:
* access control on the directory.
* specific rights like grant and revoke.

Question 21

Where is a policy stored?

Answer 21

Policy is stored in an access control structure.

Question 22

What can the access control structure help to do?

Answer 22

It help to capture your desired access control policy.

Question 23

What could be specified on runtime?

Answer 23

At runtime, we could specify for each combination of subject and object the operations that are permitted.
S: set of subjects
O: set of objects
A: set of access operations

Question 24

What’s the access control matrix equation? And what’s Mso?

Answer 24

M = (M so) s€S, o€O

Mso specifies the set of access operations subject s may perform on object o.

Question 25

What are the disadvantages of the Access Control Matrix?

Answer 25

1) access control matrix is an abstract concept
2) not very suitable for direct implementation
3) not very convenient for managing security

Question 26

What are the options of implementing an access control matrix?

Answer 26

Access rights can be kept with the subjects or with the objects.

Question 27

How does the access rights are kept with the subject?

Answer 27

Every subject is given a “capability”, an unforgeable token that specifies this subject’s access rights. This capability corresponds to the subject’s row in the access control matrix.
Example: Alice’s capability: edit.exe: execute; fun.com: execute, read.

Question 28

How are capabilities associated with discretionary access control?

Answer 28

When a subject creates a new object, it can give other subjects access to this object by granting them the appropriate capabilities. Also, when a subject (process) calls another subject, it can pass on its capabilities to the invoked subject.

Question 29

Where does the Access Control Lists (ACLs) store the access rights?

Answer 29

ACLs stores the access rights to an object as a list with the object itself. An ACL therefore corresponds to a column of the access control matrix and states who may access a given object.
Example: ACL for bill.doc: bill:read, write.

Question 30

To whom can the responsibility for setting policy can be assigned to?

Answer 30

1) the owner of a resource, who may decide who is allowed to access; such policies are called discretionary as access control is at the owner’s discretion.
2) a system wide policy deciding who is allowed access; such policies are called mandatory.

Question 31

What’s discretionary access control (DAC)?

Answer 31

Access control based on policies that refer to user identities. Referring to individual users in a policy works best within closed organization

Question 32

What’s mandatory access control (MAC)?

Answer 32

Access control based on policies that refer to security labels (confidential, top secret,…).

Question 33

Name an alternative to DAC.

Answer 33

Identity based access control (IBAC).

Question 34

What’s the cons of IBAC?

Answer 34

IBAC doesn’t scale well and will incur an identity management overhead.

Question 35

What’s groups?

Answer 35

Intermediate layer between users and objects.

Question 36

What can be used to handle access control exception?

Answer 36

Negative permissions.

Question 37

What’s a negative permission?

Answer 37

A negative permission is an entry in an access control structure that specifies the access operations a user is not allowed to perform.

Question 38

Define Role.

Answer 38

A role is a collection of procedures assigned to user.a user can have more than one role and more than one user can have the same role.

Question 39

Define procedures.

Answer 39

Procedures are ‘high-level’ access control methods with a more complex semantic than read or write. Procedures can only be
applied to objects of certain data types.
Example: funds transfer between bank accounts.

Question 40

Where is Role Based Access Control (RBAC) found?

Answer 40

Application level.

Question 41

What’s Role Hierarchies ?

Answer 41

Role hierarchies define relationships between roles; senior role has all access rights of the junior role.

Question 42

What are the levels of RBAC?

Answer 42

1) flat RBAC:
* users are assigned to roles,
* permissions are assigned to roles,
* users get permissions via role membership,
* support for user-role reviews.

2) hierarchical RBAC: adds support for role hierarchies
3) constrained RBAC: adds separation of duties
4) symmetric RBAC: adds support for permission-role reviews (can be difficult to provide in large distributed systems).

Question 43

What are protection rings used for?

Answer 43

Protection rings are mainly used for integrity protection.

Question 44

What’s a protection rings?

Answer 44

Each subject (process) and each object is assigned a number, depending in its importance. Numbers correspond to concentric protection rings, ring 0 in center gives highest degree of protection. If a process is assigned a number i, we say the process “runs in ring i”. Access control decisions are made by comparing the subject’s and object’s ring.

Question 45

How does policy instantiation work?

Answer 45

When developing software you will hardly know who will eventually make use of it. At this stage, security policies cannot refer to specific user identities. A customer deploying the software may know its “authorized” users and can instantiate a generic policy with their respective user identities. Generic policies will refer to ‘placeholders’ principals like owner, group, others. Reference monitor resolves values of ‘placeholders’ to user identities when processing an actual request.