Access Controls Part 1: Computer Security Lectures 2014/15 S2
https://www.ispeech.org
This video is part of the computer/information/cyber security and ethical hacking lecture series; by Z. Cliffe Schreuders at Leeds Beckett University. Laboratory work sheets, slides, and other open educational resources are available at http://z.cliffe.schreuders.org.
The slides themselves are creative commons licensed CC-BY-SA, and images used are licensed as individually attributed.
Topics covered in this lecture include:
Access Control
Physical security access controls
Digital security access controls
Concerned with authorisation: what a subject is allowed to perform
Mediates subjects' access to objects
Enforces a security policy, limiting which actions are allowed
Complete mediation
Trusted computing base (TCB)
Reference monitor concept
Protection state
Security context
The protection state of a system
Access Control Matrix
A table showing every subject and every object, and the permitted types of access between them
This is an abstract model, describing the association of rules
Security policy
A policy expresses what is allowed, either formally or informally
Mechanisms and Models
A model, is a way of representing a policy or types of policies
A confidentiality policy deals only with confidentiality
An integrity policy deals only with integrity
Types of Access Control
Non-discretionary Access Control, AKA Mandatory Access Control (MAC)
When a system/security administrator configures security rules that apply to users
Users cannot change the rules set by admins, and are not usually considered to “own” files
Mandatory Access Control (MAC)
MAC models typically work by attaching security context labels (such as clearance) to objects (files)
Rules define what interactions are allowed
Bell and La Padula model, and the Biba model
Common consumer OSs have started having some aspects of access control that is not configured by end users (MAC)
For example, on Linux: SELinux and AppArmor
Discretionary Access Control (DAC)
When users can configure who can access the resources that they “own”
Each user can control which other users can access the files that they create
Can grant permissions, without involving a system admin
This is the type of security that has traditionally been built into most consumer OSs such as Windows and Unix
Processes are treated based on user identity
Role-based Access Control (RBAC)
Access Control Lists (ACL)
Capabilities
Rules are kept with the process
ACLs, Capabilities, and OSs
2015-06-13 14:47:33
source
Gloss