Lecture 9: 9th October 2019

Question 1

What is access control?

Answer 1

How usage of a resource by users is restricted.

Question 2

What are active subjects?

Answer 2

Humans or processes, the ones seeking to access a passive object (i.e. resource)

Question 3

What are passive objects?

Answer 3

A resource, being accessed by an active object (i.e. a person or process)

Question 4

What are reference monitors?

Answer 4

Software or hardware that examine and grant or deny access requests. A conceptual authoritative controller for access control policies in an OS.

Question 5

What is the Trusted Computing Base?

Answer 5

The set of all hardware, firmware, and/or software components that are critical to the security of a computer system

Question 6

What forms of separation provide protection?

Answer 6

physical separation – different processes use different objects such as printers, files or servers.

temporal separation – processes with different security requirements can only be run at separate times.

logical separation – a process’s access is constrained so that it cannot access outwith its permitted domain.

cryptographic separation – files (data) or processes are hidden or obfuscated under cryptographic protocols.

Question 7

What are access rights?

Answer 7

The permissions that are granted to a user or application to read, modify, and erase files on a computer.

Question 8

What are the access rights on Unix?

Answer 8

execute, read, append, write

Question 9

What are ACLs?

Answer 9

Access Control List = a list of permissions attached to an object that specifies which subjects are granted access to objects, as well as what operations are allowed on given objects.

Question 10

What are ACLs aka?

Answer 10

access permission matrices

Question 11

What are some issues with ACLs?

Answer 11

simple but inefficient because of repetition throughout the system: at run-time, the ACLs would be checked for every file access; revoking permissions for 1 user will require a lot of searching (high complexity); so essentially not scalable or efficient

Question 12

Which types of systems are ACLs more useful in?

Answer 12

ACLs work better with data-oriented systems where permissions are stored with the data or owners can set up permissions.

Question 13

What are C-lists?

Answer 13

Capability lists are arrays of capabilities grouped by subject. Subject has a pointer to a linked list, with each node referring to an object and describing the subject’s permissions wrt that object

Question 14

What are some issues with C-lists?

Answer 14

C-lists are more user-oriented and runtime checking is more efficient than with ACL. However, it is more time-consuming to determine who has access to a resource. Capabilities may be time-limited or even passed on to another user, e.g. allow access to X between 9am and 5pm, agents in smart spaces.

Question 15

How does MAC work?

Answer 15

Security attributes (labels) that determine whether a subject can access a resource are assigned by an administrator. Subjects cannot change the security class of an object.

Question 16

What are the differences between DAC and MAC?

Answer 16

In DAC object creator decides mutuable access rights of others. In MAC, admin/OS always does. MAC is immutable to untrusted processes and is therefore
used in highly sensitive or life critical systems. Both DAC and MAC have issues with cancelling, adding, merging etc of subjects or objects.

Question 17

What are negative permissions?

Answer 17

Disallowing a subject from performing some access function on a certain object

Question 18

What are policy conflicts?

Answer 18

When two or more access rules contradict one another and are mutually exclusive but both are present

Question 19

How are policy conflicts resolved?

Answer 19

By querying a reference monitor

Question 20

What are privileges?

Answer 20

Privileges are the right to exercise rights and like groups, can be seen as an intermediate layer between Subjects and Objects.

Question 21

What are execution monitors?

Answer 21

Abstract processes that provide the audit trails for reference monitors

Question 22

Where do reference models execute?

Answer 22

A Reference Monitor may be placed in the access control system, a hypervisor, in the services layer or in an application.

Question 23

What are security kernels?

Answer 23

The Security Kernel is the software, firmware or hardware that implements the Reference Monitor. It must be tamper-proof and verifiable.

Question 24

What are TCBs?

Answer 24

Trusted Computer Base (TCB) is a group of systems to enforce a security policy. A TCB can consist of any number of processes (daemons, firmware, software controls) that ensure correct access and correct inputs
to a system such as authentication and authorisation routines. It may include virus protection and firewalls or interrogate software with proof-carrying code or with static type checking.

Question 25

What do TCBs do?

Answer 25

They ensure that system security policies are enforced. For example, they ensure the correct access rights are given in a system and that inputs such as authorisation and authentication are carried out correctly.

Question 26

What are roles?

Answer 26

Abstract groups of subjects assigned specific privileges or access procedures.

Question 27

How does RBAC work?

Answer 27

In role-based access control, functional groups or user roles are assigned to subjects that determine their access to resources at the application layer.

Question 28

Give an example of when RBAC could be used.

Answer 28

Could be used for studres. A user could be a system administrator, a student, a lecturer etc. Some roles could be qualified such as a leccturer on CS2002.

Question 29

What are rings of protection?

Answer 29

Abstract collections of users that have different levels of access to subejcts and permissions, ina a hierarchy. They protect data and functionality from faults (by improving fault tolerance) and malicious behaviour (by providing computer security).

Question 30

How do rings of protection wortk?

Answer 30

Ring 0 : kernel, access to disk
Ring 1 : supervisor
Ring 3 : all other programs

Current privilege can only be changed by a process in Ring 0. Outer rings have fewer privileges, e.g. I/O forbidden, memory mapping disallowed. Segments are either data or procedure and have rwea access.

Moving to an inner ring is allowed through gates (system calls) but there are problems of kernel bloat. Unix has 2 rings: kernel and user area, modern hardware supports 4 or more rings.

Question 31

How are all Windows resources accessed?

Answer 31

Through ACLs. They are DACLs or SACLs.

Question 32

What is a DACL?

Answer 32

Discretionary Access Control List = a list of access control entities (ACEs). If none then the object is
presumed to allow full access to all Subjects or Principals.

Question 33

What is a SACL?

Answer 33

Systems Access Control List = ACLs specialised to logging attempts to access resources, for examination by administrators

Question 34

What are ACEs?

Answer 34

ACE = access control entry = element in an ACL

Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.

Possible values: Generic_Read, Write, Execute, All

Question 35

How do DACLs work?

Answer 35

In Windows, each object in Active Directory or a local NTFS volume has an attribute called Security Descriptor that stores information about:

• The object’s owner (the security identifier or the owner) and the groups to which the owner belongs.
• The discretionary access control list (DACL) of the object, which lists the security principals (users, groups, and computers) that have access to the object and their level of access.
• The system access control list (SACL), which lists the security principals that should trigger audit events when accessing the list.

Question 36

How do SACLs work?

Answer 36

Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.

Question 37

What are the possible values of types in ACEs?

Answer 37

Access_Denied, Access_Allowed or System_Audit

Question 38

What are the possible values of ACLs?

Answer 38

Generic_Read, Write, Execute, All

Question 39

What is HAL in Windows?

Answer 39

HAL = Hardware Abstraction Layer = interface of kernel rings to software

Question 40

What is the Security Reference Monitor?

Answer 40

Security Reference Monitor is a component of the Microsoft Windows NT executive running in kernel mode that acts like a security watchdog, enforcing security when applications try to access system resources. It implements the Reference Monitor concept in Windows, making it Windows’ security kernel.

Question 41

What are active entities?

Answer 41

subjects: users, domains, domains, or machines

Question 42

What are principals?

Answer 42

Entities who are granted or denied access with a username and security ID

Question 43

What is IBAC?

Answer 43

Identity-Based Access Control is a simple, coarse-grained digital security method that determines whether a user will be permitted or denied access to an electronic resource based on whether their name appears on an ACL.

Question 44

What is DAC?

Answer 44

Discretionary Access Control: on multi-user Windows systems, users that made or own resources set their own protection levels for users and groups for the system (admin or OS) to enforce. Identity-based access control is implemented in DAC since it is based on the identities of subjects.

Question 45

What is MAC?

Answer 45

MAC = Mandatory Access Control: global policies that subjects can’t change on objects they own. Since based on global policy rather than identity, is an example of rule-based access control.

Question 46

What are the differences between discretionary and mandatory security levels?

Answer 46

Mandatory levels set by the system and enforced globally. Discretionary by owner subject for that file only.