
Access Control

Once a secure channel for transmitting data has been established between a client and a server, the client can request data from the server.

The request is executed only if the client has sufficient access rights.

Checking access rights is called access control, and granting them is called authorization.

The Basic Model for Access Control

This model is generally used to help understand the various issues involved in access control

The subject issues requests to access the object, and protection is enforced by a reference monitor that knows which subjects are allowed to issue which requests

Access Control Matrix

The access control matrix is a matrix with each subject represented by a row, and each object represented by a column

The entry M[s, o] lists the operations that subject s may carry out on object o

Is this matrix a good way to represent access rights?

Of course, we don't really want to implement it as a matrix in any system of reasonable size, because there would be a whole lot of wasted space

Access Control Matrix

There are two main approaches that are used instead of an actual matrix:

Each object can maintain a list, the access control list, of the access rights of subjects that want to access that object - this effectively distributes the matrix column-wise, leaving out empty entries

Each subject can maintain a list of capabilities for objects - this effectively distributes the matrix row-wise, leaving out empty entries

Of course, capabilities can't be totally maintained by the subjects; they must be given to the subjects by some other trusted entity (like the reference monitor)
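The two distributions of the matrix, and the reference monitor that answers requests against them, as an added example that is not part of the original slides. The subjects, objects and rights are constructed; the ACL check looks the requester up by identity, while the capability check only inspects the token the monitor issued.

```python
"""Access control matrix distributed column-wise (ACLs) and row-wise
(capability lists), with a reference monitor mediating requests.
Added example; MATRIX below is constructed sample data."""
from collections import defaultdict

# Constructed access control matrix: MATRIX[subject][object] = set of operations.
# Cells that are absent are the "wasted space" a dense matrix would carry.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}},
    "carol": {"payroll.db": {"read"}},
}


def to_acls(matrix):
    """Distribute the matrix column-wise: one ACL per object, empty entries dropped."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, ops in row.items():
            if ops:
                acls[obj][subject] = set(ops)
    return dict(acls)


def to_capabilities(matrix):
    """Distribute the matrix row-wise: one capability list per subject."""
    return {s: {o: set(ops) for o, ops in row.items() if ops}
            for s, row in matrix.items()}


class ReferenceMonitor:
    """Mediates every request. Only the monitor hands out capabilities, so a
    subject cannot mint rights for itself."""

    def __init__(self, matrix):
        self.acls = to_acls(matrix)
        self.caps = to_capabilities(matrix)

    def check_acl(self, subject, op, obj):
        """ACL check: find the requester in the object's list."""
        return op in self.acls.get(obj, {}).get(subject, set())

    def issue_capability(self, subject, obj):
        """Return an (object, rights) token for the subject, or None if it has no rights."""
        ops = self.caps.get(subject, {}).get(obj)
        return (obj, frozenset(ops)) if ops else None

    @staticmethod
    def check_capability(capability, op, obj):
        """Capability check: the presented token must name this object and operation."""
        return (capability is not None
                and capability[0] == obj
                and op in capability[1])


def sparsity(matrix):
    """Fraction of matrix cells that are empty: the motivation for both distributions."""
    objects = {o for row in matrix.values() for o in row}
    total = len(matrix) * len(objects)
    filled = sum(1 for row in matrix.values() for ops in row.values() if ops)
    return 1 - filled / total


if __name__ == "__main__":
    rm = ReferenceMonitor(MATRIX)
    print(rm.check_acl("alice", "write", "payroll.db"))
    print(rm.check_acl("carol", "write", "payroll.db"))
    cap = rm.issue_capability("bob", "report.txt")
    print(ReferenceMonitor.check_capability(cap, "write", "report.txt"))
    print(f"empty cells: {sparsity(MATRIX):.0%}")
```

Note the asymmetry the slides point at: the ACL path needs the requester's identity at check time, whereas the capability path needs the monitor to have issued the token earlier and checks nothing about who presents it.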

Access Control Lists vs. Capabilities

[Figure: Access Matrix, Access Control List, Capability Lists]

Protection Domains

ACLs and capabilities help to efficiently implement the access control matrix, but can still become quite cumbersome

A protection domain is a set of (object, access rights) pairs, where each pair specifies for a given object exactly what operations can be carried out

By associating a protection domain with each request, we can cut down on redundant information in access control lists

Protection Domains

One approach to using protection domains is to construct groups of users

Another approach is to use roles instead of groups

Roles: head of a department, manager of a project, member of a personnel search committee
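Protection domains built from roles, as an added example that is not part of the original slides. The roles, users and objects are constructed; the two counting functions show the redundancy saving the previous slide mentions, by comparing the size of per-object ACLs when they list users directly against when they list roles.

```python
"""Protection domains as sets of (object, right) pairs keyed by role, with each
request tagged by the domain it is issued in. Added example; DOMAINS and
ROLES are constructed sample data."""

# Constructed protection domains: role -> set of (object, right) pairs.
DOMAINS = {
    "dept_head":   {("budget.xls", "read"), ("budget.xls", "write"),
                    ("staff.db", "read")},
    "project_mgr": {("plan.doc", "read"), ("plan.doc", "write"),
                    ("staff.db", "read")},
    "committee":   {("candidates.db", "read")},
}

# Constructed role membership: a user may hold several roles.
ROLES = {
    "alice": {"dept_head", "committee"},
    "bob":   {"project_mgr"},
    "carol": {"project_mgr", "committee"},
    "dave":  {"committee"},
}


def authorize(user, role, op, obj, roles=ROLES, domains=DOMAINS):
    """Reference-monitor check for a request issued in domain `role`.
    The user must hold the role, and the domain must list (obj, op).
    A request names one domain, so a user holding several roles only
    exercises the rights of the one the request was issued in."""
    if role not in roles.get(user, set()):
        return False
    return (obj, op) in domains.get(role, set())


def acl_entries_without_domains(roles=ROLES, domains=DOMAINS):
    """Total ACL entries if every object listed (user, op) pairs directly."""
    per_object = {}
    for user, held in roles.items():
        for role in held:
            for obj, op in domains[role]:
                per_object.setdefault(obj, set()).add((user, op))
    return sum(len(entries) for entries in per_object.values())


def acl_entries_with_domains(domains=DOMAINS):
    """Total ACL entries if objects list (role, op) pairs instead."""
    per_object = {}
    for role, pairs in domains.items():
        for obj, op in pairs:
            per_object.setdefault(obj, set()).add((role, op))
    return sum(len(entries) for entries in per_object.values())


if __name__ == "__main__":
    print(authorize("alice", "dept_head", "write", "budget.xls"))
    print(authorize("alice", "committee", "write", "budget.xls"))
    print(acl_entries_without_domains(), acl_entries_with_domains())
```

With four users the per-object lists shrink from 12 entries to 7, and adding a fifth committee member changes the role table rather than every object's ACL.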

Firewalls

We can use encryption to protect the files that make up the access control matrix, and various secure channel protocols to communicate that information to the objects that need it

This works well, as long as all the components in the system play by the same sets of rules - but that might not always be the case

Firewalls - Example

Take the idea of an NFS server, which uses UNIX user and group IDs to control access to files

This works great on a private network where you can guarantee that none of the machines' local user and group databases will be tampered with

If I tamper with a machine, create a new user with some existing user ID in my password file, and then hop onto the NFS server, I can access all that user's files and exercise all his rights!

Firewalls

A firewall is a special kind of reference monitor that inspects packets traveling into and out of a private network to ensure that they aren't harmful

There are two main types:

Packet-filtering gateways inspect only the headers of packets travelling on the network, for example, based on the source and destination addresses

Application-level gateways inspect the contents of the packets as well, for example, spam email filters
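A packet-filtering gateway of the kind just described, as an added example that is not from the original slides. It decides purely on header fields (addresses, protocol, destination port, direction), evaluates a constructed rule list top to bottom, and denies anything no rule matches. The network addresses, the simplified packet model and the ruleset are all assumptions made for the example.

```python
"""Stateless packet filter: first-match rules over header fields, default deny.
Added example with a constructed ruleset and constructed packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet-filtering gateway looks at (simplified model)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    direction: str  # "in" = entering the private network, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str
    src_net: str = "0.0.0.0/0"    # any source
    dst_net: str = "0.0.0.0/0"    # any destination
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


PRIVATE = "10.0.0.0/8"   # constructed private network

# Constructed ruleset; the first matching rule decides.
RULES = [
    # Anti-spoofing: a packet arriving from outside must not carry an inside source.
    Rule("deny", "in", src_net=PRIVATE),
    # Inbound HTTPS to the public web server only.
    Rule("allow", "in", dst_net="10.0.0.80/32", proto="tcp", dport=443),
    # Inside hosts may reach the Internet for HTTPS and DNS.
    Rule("allow", "out", src_net=PRIVATE, proto="tcp", dport=443),
    Rule("allow", "out", src_net=PRIVATE, proto="udp", dport=53),
]


def filter_packet(pkt, rules=RULES):
    """Return (action, index of the matching rule); (\"deny\", None) if nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    for p in [Packet("203.0.113.5", "10.0.0.80", "tcp", 443, "in"),
              Packet("10.0.0.9", "10.0.0.80", "tcp", 443, "in"),
              Packet("203.0.113.5", "10.0.0.80", "tcp", 22, "in"),
              Packet("10.0.0.5", "198.51.100.1", "udp", 53, "out")]:
        print(p, filter_packet(p))
```

Because the filter never looks past the header, it cannot tell a legitimate HTTPS request from a hostile one on port 443; that is the gap the application-level gateway on the same slide closes by inspecting contents.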

Secure Mobile Code

Code migration: it's important to protect hosts against malicious mobile agents, and also to protect the mobile agents against malicious hosts

Much more attention has been paid to the former, because the latter is in a sense impossible - even if you protect the agent from tampering with various cryptographic techniques, nothing prevents a host from simply keeping the agent a prisoner forever

Secure Mobile Code

Protecting the Host

One approach to protecting the host is to build a sandbox, which allows the execution of a downloaded agent to be fully controlled

If the agent attempts to execute an instruction that the host doesn't like, it can be terminated by the host

Implementing a sandbox is nontrivial

Probably the best known example is the Java sandbox model

Secure Mobile Code

The Java Sandbox Model

The Java sandbox model consists of several components:

Class Loaders

Byte Code Verifier

Security Manager

Secure Mobile Code

The Java Sandbox Model

Class loaders are responsible for fetching classes from servers and installing them in the host's JVM

Only trusted class loaders are used - a Java program can't circumvent the sandbox by creating some special kind of class loader

A byte code verifier checks whether downloaded classes obey the sandbox's security rules

In particular, it checks to see if the code contains illegal instructions or instructions that could corrupt the stack or memory

Secure Mobile Code

The Java Sandbox Model

A security manager performs checks at runtime to ensure that mobile code doesn't break any rules

For instance, downloaded code cannot write to the filesystem unless given special permission to do so

In the original Java security model, the security manager was very strict and didn't distinguish programs from different servers - Java's current security model is much more flexible
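A model of the runtime checks a security manager performs, written in Python as an added example rather than taken from the slides or from the JVM (whose own SecurityManager class has been deprecated for removal since Java 17, so this illustrates the mechanism, not an API to rely on). Permissions are granted per code origin, which is the "distinguish programs from different servers" refinement the slide contrasts with the original all-or-nothing model. The origins, permission names, policy and the sandbox API are constructed for the example.

```python
"""Toy security manager: every sensitive operation requested by downloaded code
passes through a check against the permissions granted to that code's origin.
Added example; POLICY, the permission names and the Sandbox API are constructed."""
import os
from fnmatch import fnmatch


class SecurityException(Exception):
    pass


# Constructed policy: origin -> set of (permission, target pattern).
# An origin with no entry gets nothing, which is the strict original-model behaviour.
POLICY = {
    "https://trusted.example": {("file.write", "/tmp/agent/*"),
                                ("net.connect", "trusted.example")},
    "https://unknown.example": set(),
}


class SecurityManager:
    def __init__(self, policy):
        self.policy = policy

    def check(self, origin, permission, target):
        """Raise unless a granted (permission, pattern) for this origin covers target."""
        for perm, pattern in self.policy.get(origin, set()):
            if perm == permission and fnmatch(target, pattern):
                return
        raise SecurityException(f"{origin}: {permission} on {target} denied")


class Sandbox:
    """Host-side API handed to mobile code; each call consults the manager first."""

    def __init__(self, manager, origin):
        self.manager, self.origin = manager, origin
        self.writes = []    # recorded instead of touching a real filesystem

    def write_file(self, path, data):
        # Normalise before matching, so "/tmp/agent/../../etc/passwd" is judged
        # as "/etc/passwd" rather than slipping past the "/tmp/agent/*" pattern.
        path = os.path.normpath(path)
        self.manager.check(self.origin, "file.write", path)
        self.writes.append((path, data))

    def connect(self, host):
        self.manager.check(self.origin, "net.connect", host)
        return f"connected:{host}"


def run_agent(origin, actions, manager=SecurityManager(POLICY)):
    """Run (op, target) steps for code from `origin`; stop at the first denial.
    Returns (steps completed, denial message or None)."""
    box = Sandbox(manager, origin)
    done = []
    for op, target in actions:
        try:
            if op == "write":
                box.write_file(target, b"agent output")
            elif op == "connect":
                box.connect(target)
            done.append((op, target))
        except SecurityException as e:
            return done, str(e)
    return done, None


if __name__ == "__main__":
    print(run_agent("https://trusted.example",
                    [("write", "/tmp/agent/out.txt"), ("connect", "trusted.example")]))
    print(run_agent("https://unknown.example", [("write", "/tmp/agent/out.txt")]))
    print(run_agent("https://trusted.example", [("write", "/tmp/agent/../../etc/passwd")]))
```

The check runs on every call, not once at load time, which is what distinguishes the security manager from the byte code verifier on the previous slide: the verifier rejects malformed code before it runs, the manager refuses individual operations of well-formed code while it runs.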

Secure Mobile Code

Playgrounds

An alternative model is to designate a single machine on the local network as a playground in which mobile code can run

Resources local to the playground are available to code running in the playground, while resources local to other machines are isolated from the playground

Secure Mobile Code

Sandboxes vs. Playgrounds

[Figure: (a) illustrates a sandbox-based system, while (b) illustrates a playground-based one]

Distributed Denial of Service

DDoS

Can be classified into two kinds, roughly: bandwidth depletion and server resource depletion.

How does a typical DDoS work? How can we protect against them?

Distributed Denial of Service

No single way to protect; a comprehensive plan is needed

Protect machines from getting taken over.

Monitor egress routers.

Monitor ingress (how well does this work?)

Monitor overall network.
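Two of the monitoring points on the slide, worked as an added example that is not part of the original deck. At the egress router it flags packets leaving the local network with source addresses that are not local (a sign that a local machine has been taken over and is sending spoofed traffic, which egress filtering would also drop); at the ingress it flags a destination receiving a burst of SYNs from many distinct sources, the resource-depletion pattern. The flow records, network ranges and thresholds are constructed for the example.

```python
"""Flow-record monitoring for DDoS symptoms at egress and ingress routers.
Added example over constructed flow records; LOCAL_NET and the thresholds
are assumptions."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/8")   # constructed local network

# Constructed flow records: (second, src, dst, syn, point) where point is the
# router that observed the flow: "egress" (leaving the local network) or "ingress".
FLOWS = [
    (0, "10.0.0.7", "198.51.100.9", True, "egress"),     # legitimate outbound
    (0, "192.0.2.44", "198.51.100.9", True, "egress"),   # local host spoofing a foreign source
    (1, "203.0.113.1", "10.0.0.80", False, "ingress"),   # ordinary inbound data
]
# Constructed SYN flood: 400 SYNs over two seconds from 400 distinct sources.
FLOWS += [(1 + i // 200, f"198.18.{i // 256}.{i % 256}", "10.0.0.80", True, "ingress")
          for i in range(400)]


def egress_spoofed(flows, local=LOCAL_NET):
    """Egress check: sources leaving the network that are not local addresses."""
    return sorted({src for _, src, _, _, point in flows
                   if point == "egress" and ip_address(src) not in local})


def ingress_syn_rate(flows):
    """Ingress check: peak SYNs per second for each destination."""
    per_sec = defaultdict(Counter)
    for sec, _, dst, syn, point in flows:
        if point == "ingress" and syn:
            per_sec[dst][sec] += 1
    return {dst: max(counts.values()) for dst, counts in per_sec.items()}


def syn_sources(flows):
    """Distinct SYN sources per destination; many sources is what makes it distributed."""
    sources = defaultdict(set)
    for _, src, dst, syn, point in flows:
        if point == "ingress" and syn:
            sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items()}


def alerts(flows, syn_per_sec=100, min_sources=50):
    """Combine both checks into alert lines; thresholds are constructed."""
    out = [f"egress: spoofed source {src} leaving the network"
           for src in egress_spoofed(flows)]
    rates, sources = ingress_syn_rate(flows), syn_sources(flows)
    for dst, rate in rates.items():
        if rate >= syn_per_sec and sources[dst] >= min_sources:
            out.append(f"ingress: {dst} receiving {rate} SYN/s from {sources[dst]} sources")
    return out


if __name__ == "__main__":
    for line in alerts(FLOWS):
        print(line)
```

The ingress check answers the slide's "how well does this work?" in part: by the time the SYNs are counted at the ingress router the bandwidth has already been spent reaching it, which is why the egress check on the networks that host the compromised machines matters as much as the victim's own monitoring.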