P1L5: Access Control

Question 1

Two parts to Access Control

Answer 1

1. Decide who should have access to certain resources. An access control policy.2. Enforcement–only accesses defined by the access control policy are granted

Question 2

Access Control Matrix (ACM)

Answer 2

Rows correspond to sources of the request (users/subjects/groups)Columns correspond to the resources that need protected

Question 3

Discretionary Access Control

Answer 3

Access is at the discretion of its owner. Owner can grant access to other users and also allow or not allow the other users to propagate this access.

Question 4

Flaw with DAC

Answer 4

Other user can copy to another file and then share with third party.

Question 5

Access Control List (ACL)

Answer 5

Columns for an object that define each users rights of that object.

Question 6

Capability List (C-List)

Answer 6

Rows for a user that define that user’s rights for each object.

Question 7

Where should ACL be stored?

Answer 7

–In trusted part of system–Consists of access control entries–Should be stored along with other object meta-data–Checking requires traversal of the ACL

Question 8

Where should C-List be stored?

Answer 8

–It is per user–A capability is an unforgeable reference/handle for a resource–User catalogue of capabilities defines what a certain user can access–Can be stored in objects/resources themselves

Question 9

ACL vs C-List

Answer 9

Efficiency–ACL are not as efficient as C-ListAccountability–Can be found easily in ACL. With C-List, each user’s catalog must be checked to see if access ok.Revocation–Revoking access in ACL is easyMost OS uses ACL

Question 10

How does OS implement ACL?

Answer 10

The OS keeps track of info about each file and its metadata, called an i-node. Open files are stored in the meta-data table. The file must be active.

Question 11

Role Based Access Control (RBAC)

Answer 11

The access rights are associated by roles/jobs. Users can have more than one role.

Question 12

RBAC benefits

Answer 12

–Policy need not be updated when a certain person leaves–new employee should be able to activate the desired role.–Start with minimum accessSELinux supports RBAC

Question 13

Fail-safe defaults

Answer 13

Implies that when an access control policy is silent about access to a certain user, that access must be denied.

Question 14

The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner. T/F

Answer 14

True

Question 15

Security labels indicate which system entities are eligible to access certain resources. T/F

Answer 15

True

Question 16

A user may belong to multiple groups. T/F

Answer 16

True

Question 17

An access right describes the way in which a subject may access an object. T/F

Answer 17

True

Question 18

Any program that is owned by, and SetUID to, the “superuser” potentially grants unrestricted access to the system to any user executing that program. T/F

Answer 18

True

Question 19

_____ implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance.

Answer 19

Access Control

Question 20

What is Access Control?

Answer 20

It implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance.

Question 21

What is Authorization?

Answer 21

Authorization is the granting of a right or permission to a system entity to access a system resource.

Question 22

What is Mandatory Access Control?

Answer 22

Mandatory Access Control controls access based on comparing security labels with security clearances.

Question 23

What is a Role?

Answer 23

A role is a named job function within the organization that controls this computer system.

Question 24

What do constraints do?

Answer 24

Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization.

Question 25

What is Discretionary access control?

Answer 25

Discretionary access control controls access based on the identity of the requestor and on access rules stating what requestors are or not allowed to do.

Question 26

______ access control controls access based on the identity of the requestor and on access rules stating what requestors are or not allowed to do.

Answer 26

Discretionary

Question 27

____ access control controls access based on the roles hat users have within the system and on rules stating what accesses are allowed to users in given roles.

Answer 27

Role based

Question 28

What is Role based access control?

Answer 28

Role based access control controls access based on the roles hat users have within the system and on rules stating what accesses are allowed to users in given roles.

Question 29

What are the basic elements of Access Control?

Answer 29

Subject
Object
Access Right.

Question 30

Basic access control systems typically define three classes of subject: owner, _______ and world.

Answer 30

Group

Question 31

What 3 classes of subject do Basic Access Control Systems define?

Answer 31

Owner
Group
World

Question 32

What’s the difference between Authentication and Authorization?

Answer 32

Authentication - Verification that the credentials of a user or other system entity are valid

Authorizatoin - The granting of a right or permission to a system entity to access a system resource

Question 33

What is an Access Control Matrix?

Answer 33

Matrix of who can access what. Subjects in row, objects in column

Question 34

What is a Capability List?

Answer 34

For every user, objects are listed with their access right for that user. stored in objects themselves