Access Control Flashcards
What is access control?
Control who has access to services and resources in the network
What are the forms of access control?
Authentication servers
Physical access control
Traffic filters
Access control lists in an OS
What does access to a system mean?
Subject, in the form of a human or process, requests a passive object (resource) with some specific access operation.
What is a reference monitor?
Piece of software or hardware that examines and can grant or deny the request.
At what level does the reference monitor support security?
Hardware or OS layer, a subject can be allowed to access resources and the type of access decided
What types of protective separation is done?
Physical Seperation
Logical Seperation
Temporal Seperation
Cryptographic Seperation
What is physical separation?
Different processes use different object such as printers, files or servers
What is temporal separation?
Processes with different security requirements can only be run at separate times.
What is logical separation?
A process’s access is constrained so that it cannot access outwith its permitted domain
What is cryptographic separation?
Files (data) or processes are hidden or obfuscated under cryptographic protocols.
What are the Unix access rights?
Execute, read, append, write
What do some systems split their permissions into further?
Rename or change permissions
Create Files
Transfer
Propagate
What is the Principle of Least Privilege?
only users that need a resource for their role should have access to it.
What is an access control list?
Describes the rights of subjects and objects
Works best in data-oriented systems where permissions are stored alongside the data
What are the drawbacks of ACL?
Inefficient, the repetition throughout the system of values.
Checked for each file at runtime
Doesn’t scale, on change for a user has to change each and every file
Is C-List used for access control?
No as it’s easier for an OS to control access to objects rather than users.
Despite being more efficient at runtime checking, slower in determining who has resource access
Uses PK certificates for user identification
What is DAC?
Discretionary Access Control (DAC)
Subject creates a resource it can allow access to.
User sets own protection level which is enforced by the system.
What does strict DAC do?
Allows for the granting of access but not ownership to subjects. Ownership must be transferred.
What is MAC?
Mandatory Access Control is where users and resources have fixed security attributes (labels) assigned by an admin. User can access the resources with labels allowing them to.
MAC is set globally and can’t be changed.
Can MAC be changed?
It can be by trusted processes, otherwise it is immutable.
What issues do both MAC and DAC have?
Canceling
Adding
Merging
How are policy conflicts dealt with?
Resolved by reference monitor
What are privileges?
The right to exercise rights. Like groups, can be seen as an intermediate layer between objects and subjects.
What do Reference monitors mediate access to?
Objects such as the kernel and physical resources.
