Topic 4. Access Control
G678: Garantía y Seguridad en Sistemas y Redes
Esteban Stafford
Departamento de Ingeniería Informática y Electrónica
This topic is published under the license: Creative Commons BY-NC-SA 4.0
Grupo de Ingeniería de Computadores
Santander, October 14, 2015
Contents
Access Control Principles
Subjects, Objects, and Access Rights
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Access Control
[Figure: access control flow. A user (jsmith1234) is first authenticated, then authorized against the access control policy before reaching the resources; a security administrator maintains the policy, and an auditing function records the accesses.]
Access Control Requirements
Reliable input.
Support for fine and coarse specifications.
Least privilege.
Separation of duty.
Open and closed policies.
Policy combinations and conflict resolution.
Right relinquishing.
Access Control Policies
Mandatory
Discretionary
Role-based
Subjects, Objects and Access Rights
Subjects: User, Group, Role, World
Rights: Read, Write, Execute, Delete, Create, Search, Authorise
Objects: Device, Filesystem, Directory, File, Application, Database, Table, Column, Row
Location: Kernel, User space, Localhost, Intranet, Wireless, VPN, Internet
Auth: Password, Token, Biometric
Discretionary Access Control
A subject holding a certain right can pass it to any other subject (Unix filesystem, SQL).
Rights are organised in an access matrix:

         File 1            File 2            File 3            File 4
User A   Own, Read, Write                    Own, Read, Write
User B   Read              Own, Read, Write  Write             Read
User C   Read, Write       Read                                Own, Read, Write

Access Control Lists (ACL) = columns of the access matrix
Capability lists = rows of the access matrix
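The access matrix of this slide, as an added example that is not part of the original slides: ACLs are read off its columns, capability lists off its rows, and a discretionary grant is allowed only when the grantor itself holds the right. The subject, object and right names are the slide's own; the function names are this example's.

```python
# Added example (not from the slides): the DAC access matrix above as a dict
# of rows, with ACLs derived as columns and capability lists as rows.
ACCESS_MATRIX = {
    "User A": {"File 1": {"own", "read", "write"},
               "File 3": {"own", "read", "write"}},
    "User B": {"File 1": {"read"}, "File 2": {"own", "read", "write"},
               "File 3": {"write"}, "File 4": {"read"}},
    "User C": {"File 1": {"read", "write"}, "File 2": {"read"},
               "File 4": {"own", "read", "write"}},
}

def acl(matrix, obj):
    """Column of the matrix: every subject holding rights on one object."""
    return {s: set(row[obj]) for s, row in matrix.items() if obj in row}

def capabilities(matrix, subject):
    """Row of the matrix: every object one subject may access, and how."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items()}

def is_allowed(matrix, subject, obj, right):
    """Reference-monitor check: is the (subject, object, right) cell set?"""
    return right in matrix.get(subject, {}).get(obj, set())

def grant(matrix, grantor, grantee, obj, right):
    """Discretionary delegation as the slide describes it: a subject that
    holds a right may pass it to any other subject. Checking that the
    grantor really holds the right keeps rights from appearing from nothing."""
    if not is_allowed(matrix, grantor, obj, right):
        return False
    matrix.setdefault(grantee, {}).setdefault(obj, set()).add(right)
    return True
```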
Mandatory Access Control
Centrally controlled by a security policy administrator.
Subjects do not have the ability to override the policy.
Examples: SELinux, PolicyKit, Mandatory Integrity Control.
Linux DAC + MAC (SELinux)
Role-Based Access Control
[Figure: RBAC model. Users (U) are linked to roles (R) by user assignment, and roles to permissions (P) by permission assignment. A session (S) belongs to exactly one user and activates a subset of that user's roles. Roles are organised in a role hierarchy, and constraints (C) complete the model.]
Role hierarchy
[Figure: example role hierarchy, most senior role at the top. Director is senior to Leader 1 and Leader 2; each Leader is senior to its Production Engineer and Quality Engineer; Production Engineer 1 and Quality Engineer 1 are senior to Engineer 1, and likewise for Engineer 2; every role is senior to Engineering Dept. A senior role inherits the permissions of its junior roles.]
Role constraints
Mutual exclusivity forces a user to belong to only one role of a set. Useful to implement separation of duty.
Maximum cardinality limits:
the number of roles for a user or session;
the number of users with a given role;
the number of roles with a given permission.
Prerequisites can establish requirements for belonging to special roles. Useful to implement least privilege structures.
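A small RBAC engine, added here as an example that is not part of the original slides, covering the RBAC model figure (user assignment, permission assignment, sessions), the role hierarchy slide (a senior role inherits its juniors' permissions) and the three constraint kinds of this slide. Class and method names, and any role or permission names used with it, are assumptions of this example.

```python
from collections import defaultdict

class RBAC:
    """Added example (not from the slides): users, roles, permissions,
    sessions, a role hierarchy, and the constraints mutual exclusivity,
    maximum cardinality (users per role) and prerequisite roles."""
    def __init__(self):
        self.user_roles = defaultdict(set)  # user assignment
        self.role_perms = defaultdict(set)  # permission assignment
        self.juniors = defaultdict(set)     # role -> roles it inherits from
        self.exclusive = []                 # mutually exclusive role sets
        self.max_users = {}                 # maximum cardinality per role
        self.prereq = {}                    # role -> role required first

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] |= set(perms)
        self.juniors[role] |= set(inherits)

    def effective_roles(self, roles):
        """Close a set of roles over the hierarchy: seniors inherit juniors."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def assign(self, user, role):
        """User assignment; refused when any constraint would be violated."""
        held = self.user_roles[user]
        if role in self.prereq and self.prereq[role] not in held:
            return False  # prerequisite role not yet held
        if any(role in s and held & (s - {role}) for s in self.exclusive):
            return False  # mutual exclusivity (separation of duty)
        users_with_role = sum(role in r for r in self.user_roles.values())
        if users_with_role >= self.max_users.get(role, float("inf")):
            return False  # maximum cardinality reached
        held.add(role)
        return True

    def open_session(self, user, roles):
        """A session activates a subset of the user's assigned roles."""
        roles = set(roles)
        return roles if roles <= self.user_roles[user] else None

    def check(self, session, perm):
        """Is perm granted by an active role or by one of its juniors?"""
        return any(perm in self.role_perms[r]
                   for r in self.effective_roles(session))
```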