Access Controls Part 1: Computer Security Lectures 2014/15 S2
Summary
TLDRThe video script delves into the critical concept of access controls, which are mechanisms that regulate what users and programs can do within a computer system. It emphasizes the significance of access controls for security, highlighting the importance of authentication before authorization. The lecture distinguishes between physical and digital access controls, focusing on the latter. It outlines the necessity of a security policy, the trusted computing base, and the role of the reference monitor in mediating access to resources. The script also explains the access control matrix, a theoretical model for describing security states, and contrasts it with real-world implementations like access control lists (ACLs) and capabilities. The discussion further explores various access control models, including mandatory access control, discretionary access control, and role-based access control. It concludes with practical advice on using access controls, particularly the risks of operating as an administrator and the benefits of user access control in modern operating systems.
Takeaways
- ๐ **Access Controls** are critical for computer security, determining what users and programs can do within a system.
- ๐ก๏ธ **Authentication** is the first step, confirming the identity of a user or process before access control can be enforced.
- ๐ **Authorization** follows authentication, defining what actions an authenticated subject is permitted to perform.
- ๐ข **Physical Security** can be thought of as access control in the physical world, like using a badge to enter a room.
- ๐ **Digital Access Control** is analogous to physical security, but it applies to digital resources and processes.
- ๐ **Access Control Matrix** is a theoretical model that details every possible access permission in a system, though not practical for large systems.
- ๐ **Trusted Computing Base (TCB)** includes all the software and hardware responsible for enforcing security policy.
- ๐ช **Complete Mediation** ensures that all access to resources is controlled and that there are no backdoors or unguarded paths.
- ๐ **Subjects and Objects** are fundamental to access control; subjects are the entities performing actions, and objects are the resources being acted upon.
- ๐ **Security Context** includes the identity and related information assigned to each subject, which informs access decisions.
- ๐ **Access Control Policies** can be formal or informal and are defined by an organization to ensure confidentiality, integrity, and availability of information.
- ๐๏ธ **Access Control Mechanisms** are the tools or technologies that enforce the policy, such as firewalls or access control lists (ACLs).
- ๐ **Role-Based Access Control (RBAC)** assigns permissions based on roles within an organization, allowing for flexible and manageable access control.
- ๐ค **Discretionary Access Control (DAC)** allows users to control access to their own files, which is common in consumer operating systems like Windows and Linux.
- ๐ **Mandatory Access Control (MAC)** is where access is strictly defined and enforced by a central authority, often used in military or government settings.
Q & A
What is the primary purpose of access controls in computer systems?
-Access controls in computer systems are designed to restrict what people and programs are allowed to do, playing a crucial role in ensuring security.
How does physical security relate to the concept of access controls?
-Physical security involves access controls like doors, gates, and badges that keep unauthorized individuals out of certain areas, similar to how digital access controls restrict access to digital resources.
What is the difference between authentication and authorization in the context of access controls?
-Authentication is the process of verifying the identity of a user or system, while authorization is the step that follows, determining what actions the authenticated subject is permitted to perform.
What is the concept of a 'subject' in access control?
-In access control, a 'subject' refers to the person or program that is trying to perform an action or access a resource, such as a file or another process.
What is an 'object' in the context of access control?
-An 'object' in access control is typically a static resource like a file or a process that a subject might attempt to access or interact with.
Why is complete mediation important in access control systems?
-Complete mediation ensures that all access to resources is consistently checked against the security policy, preventing unauthorized access through unguarded pathways or methods.
What is the Trusted Computing Base (TCB)?
-The TCB represents all the software, hardware, and components that work together to enforce the security policy, including critical parts like the operating system kernel.
How does the concept of an Access Control Matrix help in understanding security policies?
-An Access Control Matrix is a theoretical construct that provides a comprehensive table detailing every possible access permission, helping to conceptualize and analyze security policies.
What are the two main types of access control models discussed in the script?
-The two main types of access control models are nondiscretionary access control (also known as mandatory access control) and discretionary access control.
How does discretionary access control differ from mandatory access control?
-Discretionary access control allows users to own files and decide who can access them, whereas mandatory access control is enforced by a central authority that dictates access rules for all users without their input.
What is the role of a reference monitor in access control?
-A reference monitor is a concept that ensures every access to a resource, like a file, is mediated by a central authority (like an operating system kernel) that checks if the access is allowed according to the security policy.
Why is it recommended not to use an administrator account for daily tasks on a computer system?
-Using an administrator account for daily tasks can lead to accidental harmful actions due to the high level of permissions, potentially causing irreversible damage to the system.
Outlines
๐ Introduction to Access Controls
The video begins with an introduction to access controls, emphasizing their importance in computer security. It explains that access controls are mechanisms that restrict what users and programs can do on a computer system. The speaker highlights the significance of access controls in maintaining security and introduces the concept of digital access control, which is analogous to physical security measures like doors and gates. The video also touches on the necessity of authentication before access control can be enforced, and the importance of authorization in determining what a subject is allowed to do. The concept of subjects and objects in the context of access control is introduced, with examples provided to illustrate these abstract ideas.
๐ก๏ธ Components of Access Control Systems
This paragraph delves into the components that make up an access control system. It discusses the trusted computing base (TCB), which includes all the software, hardware, and components that work together to enforce security policies. The speaker also talks about the reference monitor concept, which ensures that all access to files is mediated through a central point, such as the kernel in Linux systems. The paragraph further explains the protection state and security context, which are used to inform access decisions. It also addresses the potential pitfalls of having a complex access control policy that might be circumvented through informal means, like email, which could undermine security.
๐ Access Control Matrix and Security Policies
The speaker introduces the access control matrix as a theoretical model used to represent all possible access permissions in a system. It is described as a large table that outlines which subjects are allowed to access which objects and in what ways. While this matrix is mostly used for theoretical analysis, it is a useful tool for expressing any security policy. The paragraph also differentiates between formal and informal security policies, with examples given to illustrate the concepts of confidentiality, integrity, and availability in the context of security policies.
๐๏ธ Nondiscretionary Access Control
The video moves on to discuss nondiscretionary or mandatory access control, which is characterized by strict rules set by system administrators. The speaker uses an analogy of filing cabinets with different types of information to explain how access is controlled in such systems. It is noted that this type of access control is suitable for environments where the organization owns all the data and needs to maintain tight control over access, such as in the military or government sectors. The paragraph also touches on the use of security context labels in files and processes to enforce these rules.
๐ Discretionary Access Control and File Ownership
The speaker contrasts mandatory access control with discretionary access control, where users have ownership of files and can decide who can access them. Using the analogy of a personal file folder, the video explains how users can specify access permissions for their files. It is noted that this approach can be chaotic due to the complexity of permission interactions but is suitable for everyday use on systems like Windows and Linux. The paragraph also mentions that modern versions of Windows implement user access control to prevent users from running as administrators all the time, which can lead to security vulnerabilities.
๐ญ Role-Based Access Control
The video introduces role-based access control as a method where permissions are assigned based on the roles within an organization. Unlike group-based permissions, roles define specific actions that can be taken by individuals assuming those roles. The speaker explains that this approach is useful for organizations that need a more structured way of assigning permissions without granting full access to all data to role holders. It is highlighted that role-based access control allows for more flexibility and can be applied in both discretionary and nondiscretionary access control contexts.
๐ Access Control Lists and Capabilities
The speaker discusses access control lists (ACLs) as the most common method of describing permissions on computer systems. ACLs are attached to each object and detail the permissions for all users on that system. The video contrasts ACLs with capabilities, where permissions are attached to the subject rather than the object. Capabilities require a token or proof of access, which is then presented when access is attempted. The paragraph also includes a discussion on the risks of using administrator accounts and the importance of using least privilege principles to enhance security.
๐ Summary and Future Topics
The video concludes with a summary of the key points covered in the lecture, including the use of access controls to mediate actions based on a subject's permissions as defined by a policy. The speaker previews that future lectures will delve into more specifics, particularly focusing on Unix systems, to explore file permissions and access controls in greater detail. The importance of understanding these concepts for anyone working in the field of security is emphasized.
Mindmap
Keywords
๐กAccess Controls
๐กAuthentication
๐กAuthorization
๐กTrusted Computing Base (TCB)
๐กReference Monitor
๐กAccess Control Matrix
๐กSecurity Policy
๐กMandatory Access Control
๐กDiscretionary Access Control
๐กRole-Based Access Control
๐กAccess Control List (ACL)
Highlights
Access controls are crucial for restricting what people and programs can do on a computer system, playing a vital role in computer security.
Physical security involves access controls like doors and gates, while digital access controls focus on authorization in computer systems.
Authentication must precede access control to verify the identity of a user or process before enforcing what they're authorized to do.
The concept of a subject in access control refers to the person or program attempting an action, while an object is the resource being accessed.
Enforcing a security policy involves complete mediation, ensuring there's a consistent way to enforce security without alternative access points.
The Trusted Computing Base (TCB) includes all software, hardware, and components that work together to enforce security policies.
Hardware can also be part of the TCB, with recent exploits showing how hardware vulnerabilities can lead to security breaches.
An access control policy should prevent workarounds, such as using email to share files, which can undermine the security system.
The reference monitor concept ensures that all access to files is mediated by a central authority, like the kernel in Linux systems.
The protection state of a computer includes all processes, identities, and security contexts that inform access decisions.
An access control matrix is a theoretical model used to express any security policy through a table of permissions for every user and resource.
A security policy can be formal or informal, defining what is considered secure and the rules to enforce.
Confidentiality, integrity, and availability are key concepts in defining a security policy, focusing on what can be read, changed, and accessed.
Mandatory access control (MAC) is used in environments like the military where the system administrator sets security rules for all users.
Discretionary access control (DAC) allows users to own files and decide who can access them, which is common in everyday computing environments.
Role-based access control (RBAC) is a model where permissions are assigned based on the roles within an organization.
Access control lists (ACLs) are used in systems like Windows and Linux to attach permissions to each object, specifying who can access it.
Capabilities are an alternative to ACLs where permissions are attached to the subject, requiring a token to access an object.
It is advised not to run as an administrator or root user due to the risk of making fatal mistakes that can harm the system.
Transcripts
okay so this week we are talking about
access controls so access controls are
the things that it put in place on a
computer system that restrict what
people and programs are allowed to do
basically so very very important in
terms of security one of the most
important topics I would say uh in the
entire computer security like curriculum
so this is particularly important and
also something that I uh that is related
to research and things that that
I am involved in so there is quite a lot
of terminology in this lecture um but it
is quite important so just um bear with
me so as we know the term Access Control
can refer to physical security so we
when when there are access controls in
place it's literally you know doors and
Gates and all that sort of stuff that
keep people out when they're not
supposed to be you know in certain areas
so when you use a badge to swipe into an
area that's an access control um but
what we're focused on for this lecture
is the digital access control side of
things and it's very analogous like it's
a very similar concept and a lot of the
same Theory applies that we're about to
talk about but we are I'm particularly
focusing on the computer security side
of things so digital digital access
controls are the things that restrict
access to resources and the various
interactions with um you know different
programs and things on a F so it's all
about authorization so that's what a
subject's allowed to perform in order to
do that we need to have already done
authentication so the stuff from last
week about how do you know someone is
who they say they are you need to do
that first once you know that that
person is who they say they are now you
can start to enforce access controls so
you can say okay yeah so Chris come
tries to enter a room for example you
show your badge I check the photos the
same so okay you are authenticated
I I'm convinced that you're that you're
Chris uh then I might look at the list
of people allowed in the room and if
your name's on that list then you're
alled in so that first step is um
authentication checking who you are uh
and then the access control is the
authorization step where we actually
check what you're authorized to do um
and the important thing is this
immediates subject's access to objects
so subject is just the um person or the
thing doing something so in a computer
system it might be the program that's
running so that process is the the
subject of the access control it's
trying to do something and when we're
making Access Control decisions it's
what is that subject allowed to access
is that subject allowed to access this
object and object are just mostly static
resources so files but also if a
um you can also say an object might also
be a process because if a process is
trying to access another process in that
situation the the process that's acting
you would say is the subject and the
process they're trying to connect to is
the object um
and uh also if you're trying to access
the network that that might also be
referred to in those terms as well but
it's all about enforcing a security
policy so we need some policy so some
rules that state who's allowed to do
what um and then we're going to enforce
that with our access controls so we're
aiming for complete mediation which
means that we really want the security
to work and the program shouldn't just
be able to access some other program to
get the the files that they need to that
they want to access like there has to be
a consistent way that the security is um
enforced so for example if I was a
person standing at the door checking
name badges like are you allowed in this
room if there was another door at the
back of the building and no one was
guarding that that would fail the
complete mediation test right so that
would be a bad security design because
someone just come in through the other
door so in order to work we need to
actually have just like one way of
accessing a resource and we need to um
be able to carefully Define how that
behaves um and one of the ways that we
are sure that it's going to work is by
thinking about the trusted Computing
base so trusted Computing Bas or the TCB
is basically a term that represents all
of the software and hardware and all of
the parts and pieces that go together to
enforce the policy so if we're talking
about like a Linux or Windows system for
example that's basically most of the
operating system so uh let's just say
Linux for example the kernel every Pro
process is running on that system as
root um basically um
whatever login programs there are and
all all those sorts of things that's all
part of the trusted Computing base
because if there are any vulnerabilities
in any of that stuff the security is all
going to break so that you know the
security like the kernel is particularly
important that it is enforcing Security
in the correct way um so yeah even
Hardware so there's a news item I don't
know if you've heard from this week very
clever exploit where um basically by
flipping bits um in memory
in on a certain type of um Hardware it's
possible to basically corrupt um
different set of memory which can result
in privilege escalation in in Linux
basically I mean it's it's incredibly
it's incredibly clever but um so
Hardware also comes into it um so all
these things go together to actually
enforce uh the
security
um if we can if the person can basically
avoid the security controls then we're
you know it's not good so another
example that might be email in an
organization if you have this really
clever Access Control policy that
specifies which people within an
organization are allowed to access
certain files say it's a really
difficult system to use people might
just end up emailing all the files they
need back and forth between each other
and that's that's horrible right that's
the worst thing for security because now
they're going around the thing that's
supposed to keep those files controlled
and who can access them as soon as
people start just like ignoring that and
emailing things to each other then you
know that Security Systems Failing so
ideally it shouldn't be possible to um
not access things through our security
system reference monitor is basically a
concept that that there is this thing
that you use to access the files so
again on Linux it's the kernel every
time you go to access a file that
request is via a system call so a
program says to the Kel hey give me this
file and the Kel says uh let me just
check if that's okay and then if it is
okay it gives the um basically gives
access to that file to that program so
every single access to a file goes via
the kernel and a specific set of you
know the security subsystem Within the
kernel so that's basically reference
monitor where you have something that
mediates access to everything the
protection State against more
terminology um is like the this
complete state that the computer is in
in terms of you know all of the um
processes and all the identity
associated with them all security
context is the identity or the
information assigned to each sub subject
that is used to inform the access
decisions so uh if we were talking about
this exam the analogy that I've said had
before of you know standing at the door
I might you know check people's name
badges you know is David allowed into
this room is Chris allowed in the room
all in the room um the security context
in that situation is if I've checked
your name badges already the security
context is the information written on
your name badge that's the information
the person at the door is using to make
that decision so uh on a Linux system
that's the uid and the G and other
security information that is associated
with each of those processors so you
guys are processors on a computer and
you're trying to access something look
at your name badge what does your uid
say is that user allowed to access it
um
the thing the stuff happens on a
computer though where you might change
your name badge so you might Maybe I
don't know maybe Umar has permission to
sometimes act on taz's behalf right so
so you Tas may have in the past said
yeah I don't it's fine you can you can
you can access that file for me or go
into the room for me here here's a name
badge and then and and it's a piece of
paper that says you're allowed to use my
name badge or something and then you
might put your put taza's name badge
over the top of your name badge um and
in that situation you've assumed that
identity and that's okay but the act of
doing that is a transition in the
protection state of the system because
things have now changed and now you're
acting with a different set of
permissions so it's really important on
a computer system to clearly Define what
kinds of con security context changes
are allowed how are those um
transitions what are what are what are
you allowed to do what how are you
allowed to change it that needs to be
really tightly controlled obviously and
it might be that you need to actually go
up to someone else and say can you swap
open my name badge you know you
shouldn't just be able to randomly
change your own name badge um so again
that's an analogy for on a computer
where you might um change your uid so
that you can do something that you're
not normally allowed to do so um there
are various ways you can do that on a um
on a Unix
system um and that needs to be very
tightly
controlled so an access control Matrix
is the simplest way of
describing a uh Security State and
basically it's just a massive table
explaining every single access
permission that is possible and whether
it's allowed so in this case we have
user a user B you know a list of all the
different every single user is on this
table and every single resource that's
on the computer or in the room or
whatever is all uh laid out in this
tables and then for each of these cells
is whether or not that subject is
allowed to access to that object and in
what ways um
so in this example here user a is
allowed to read and write to file one
and actually that user owns that file so
they're allowed to change permissions
and things for that file um whereas user
B is not allowed to read or write to the
file they're only allowed to append to
the file so they can just stick
something at the end of it they can't
access what is inside the file or change
what's inside the file and and so on so
this is an access control
Matrix but this is basically an abstract
way of thinking about things because in
reality um you would never use this
system because just you
know how many
people you know this table is just going
to be massive once you've got 100 files
you know and 10 users it just become
becomes no unmanageable so that's not
the way that we um store information
about security but it is one way of
thinking about it um so we actually need
some kind of implementation to actually
enforce this and also you need to Define
what does this mean what does reading
mean you know what does writing mean and
owning what do own give you the ability
to do
so but the nice thing about an access
control Matrix this big table is you can
use it to express any policy you can if
you got this massive table if you can
Express anything this way so so I could
say that you know you three are allowed
to access these files and you guys are
allowed to access this in these ways and
everything like that um but yeah it's
mostly used for theoretical you know
analysis and things it's not actually
used in real life but we will come back
to that in order to explain you know
different types of security systems so a
policy um defines what's allowed so that
can either be formally or informally so
a formal policy might literally
be you know like this the this is what
these users are exactly about to do an
informal policy might be more like in a
business context the sorts of things
that you're supposed to do and and um
you know not not specifically specified
if it's just written in English it can
be you know a bit
ambiguous um but a security policy
basically defines what's secure um and
what what are the rules that we're
trying to enforce so if this is our
policy this Access Control Matrix here
if user B finds a way to write to file
one they've managed to subvert our
security system and we're in an insecure
State that's really we don't we never
want user B to be able to um you know
write to file one if they figure out a
way then things are horribly
broken
um and the way that we Define what our
policy is is going to be in terms of
like confidentiality integrity and
availability so again thinking about
those basic concepts in security um you
know are do we want people to be able to
read certain information we are they
allowed to change it and you know is it
available to them
basically um can you guys think of
practical examples of a security policy
just anything just
to you know we all know what the terms
mean yeah so for
example whether or not the information
is aailable
[Music]
Oran yeah yeah so you will um often
organizations will say whether certain
resources are supposed to be publicly
available and a lot of time there's a
lot of information that shouldn't be
available for the public and I don't
know can you think of an
example of when information that we
wouldn't want to
share that's a reason but yeah finances
finances is a good answer company
policies sorry company policies company
policies yeah you know some of that
stuff you don't really want everyone to
see um so yeah there's all sorts of
reasons why you don't want stuff to be
available and in that case um are we
talking about confidentiality Integrity
or
availability conf yeah so it's about
what someone has you know the ability to
read so that's confidentiality if we're
talking about whether someone can change
something we're talking about integrity
and whether it's something that's
available as
availability um yeah okay so you know as
as we've discussed a mechanism is
something that enforces a
policy um so for example a firewall is a
mechanism right it's a thing that does
something a model is a way of
representing a policy or types of
policies um so we're starting to get a
bit abstract so a way of representing
the the kinds of rules so for example
the um you know this Access Control
Matrix that's like a security model
um and again we are I'm introducing
quite a lot of terminology but this is
really important especially if you end
up working on the defensive side of
security you know or any type of
security it is important to understand
this stuff so okay we just s all this so
confidentiality deals with sorry
confidentiality policy deals o only with
confidentiality
so there are types of security systems
that the military use for example where
the most important thing to them is that
things St remain confident confidential
so there are security systems they have
that will basically won't stop someone
from altering information as long as
they can't see the stuff they're not
allowed to see like that's like the most
important thing to them an Integrity
policy Deals Only with Integrity they
really it doesn't matter what people can
see but it's super important that no one
can alter this information that's like
the most important goal for us and that
is often the case in like a commercial
setting um but in reality as like you
can probably guess when I'm saying this
most people want a bit of
confidentiality and integrity so we have
like a mixed model um so real life
policies do a bit of both um you know
but there usually is an emphasis on one
or
another so some types of access control
so these are Access Control models uh
there's nondescript access control which
is also known as mandatory access
control and there's discretionary Access
Control those are the two big ones so
I'm going to talk about those so
nondiscretionary access
control or mandatory access control um
it's one of those areas where the people
don't agree with the terminology that
you should be using basically manat
access
control is when a a system um
administrator or a Security
administrator gets to configure the
security role uh rules and that applies
to everyone so if I for example had this
list of who's
allowed hang on let's let's adjust the
analogy so it works better um say we've
got a room and uh this analog is really
boring got filing cabinets and there's
certain filing cabinets have different
types of information in them um so for
example one might be for finances one
might be for um use
uh Personnel information right and all
of you guys have name badges and you're
allowed in the room but someone's
standing next to these two filing
covenants and just checking that you're
allowed to access that filing Covenant
it's not a very good analogy but we
we'll go with it um so it's like it's
almost not even analogy it's like what's
happening on a computer so okay so
that's what's happening um if I get to
write all the
rules about that information then we've
got a mandatory access control system so
you guys have no say over what you're
allowed to access because I've labeled
all of the files in these and filing
covenants with information that says
this file is about Personnel information
this file is about um you know all the
everything in this folder is about
finances and then I've written on your
name tags you know your name and then on
my little piece of paper that no none of
you get to touch it says
list of names and who and whether or not
you're allowed to access certain things
right that's manag Access Control you've
got no choice you can't change any of
the security policies you are subject to
them uh and you have to basically uh
you've got no ownership over any of
those files either you just have access
to them and um the rules specify what
you're allowed to do so that is manager
access control so it works well when the
organization owns all of the data so all
the information is owned by the
organization and I want to keep like
tight control over what you're allowed
to do so for example in the military or
government that's often the case so I I
really know that you're only supposed to
access certain stuff um and it can
prevent the problem where you guys if
you were allowed to change who's allowed
to access what and you made a mistake
you might accidentally end up doing
something that you don't mean to do so
that stops you from making mistakes and
it's really predictable for me being the
person that's in control of all these
files and everything I know what's going
to happen it's it's quite
straightforward
um usually the way that works on a
computer is you you literally attach a
security context label to an object so I
attach some information to each
individual file on the computer um and
also I attach a separate label to every
single running um process or every user
on a system And Then There are rules
that say what's allowed to happen so
it's literally exact the analogy is not
too bad so in in this example if I had
certain um printouts and I put a sticky
note on it that said you know is this a
per is is this specific file a um you
know Personnel information or Finance
information and then I look up on my
name and I look you know is Chris
allowed to access finances uh I I say
yes so yeah okay so you you can access
it that's what happens on a computer
basically um
so uh so yeah there's rules that Define
what's that to happen um some ways of
modeling traditional mandatory access
controls is using like formal math so
there's like actual like a notation that
describes exactly how this model Works
um and the seminal models are very
important um traditional like papers and
um models that have been proposed uh
such as Bell and lapadula model which is
focused entirely on confidentiality and
the bber model which is um entirely
about strong
Integrity
um but uh it's starting to become the
case
where there are certain abil there is a
there are
some security features in things you
know consumer operating systems like
Windows and Linux where we can do things
like this
where we can Define security rules that
the users have no say over so for
example on Linux we can use SE Linux and
app armor and that stuff that we'll look
at in the next Topic in the module um
when we start looking at virtualization
sandboxing and
things um but for the most part systems
aren't based on what we've just
described right what I've just described
is not the way that most windows and
Linux systems work so the way that they
work is via discretionary access control
which is where users own the files and
get to choose who can access them
basically so in this previous thing
where I'm standing in front of the um
set of all all of these um files and
checking against my set of rules and
that's not exactly how it works I guess
my altering my analogy
slightly say we've got a um each user
has their own um file fer with their own
files in it um and you get to say who's
allowed to access them so in this
situation there might be a um a list on
the front of of a particular print out
where you get to say who's allowed to
access this file and I might still be
standing in front of the um the filing
covenants just to check that you're all
behaving yourselves but now you guys get
to Define what the policy is so um Chris
you might have
you know a certain file that you want to
share with David so you might change the
rules for that file and say David's
allowed to access this file and
obviously I'm standing there and check
that you only you get to write on the
front say who's allowed to access it but
now um you know it still might be that
that Stig can't can't come along and
access that file
sorry um because his name is not on the
list of who's allowed to access it but
if David comes along it's like yeah I I
know that Chris said that you're allowed
to access the file Chris owns the file
and maybe you're even allowed to say I'm
going to give away ownership of this
file to someone else and then you aren't
allowed to change those rules anymore
and the file is now owned by someone
else
yeah
Google yes yeah um yeah so you you get
to specify who's allowed to access the
file um yeah so like Google Drive that
that is a form of access controls so
there's a list of people and what
they're allowed to do on on that file um
and I don't think on Google Drive though
you can give away ownership of a file as
far as I'm aware but you can give full
letter yeah yeah so on on like a Windows
system or a Linux system you can give
the file away entirely if you want so
you can say uh yeah you own this file
now and then um you've got no longer
have any control over the permissions on
it
um but yeah so there are um ways of a
user controlling um their own files
basically and you can basically specify
what other people are allowed to do but
as you can imagine it's a little bit
chaotic right so all there's so many
interactions and ways that permissions
can change so if you are an organization
like the military that's not going to
suit your needs very well is it but for
real everyday life it works quite well I
mean it's we get by with it on on Linux
and windows
um you know we've got by on that system
for a really long time I mean it
works
um so that's that's what we're used to
using uh if you're using older version
of Windows like Windows Millennium
edition if anyone here can remember that
and earlier so like you know talking
about like Windows 98 Windows
95 Windows
3.11 there was no access controls at all
there's literally nothing in place to
stop
you from accessing each other's files it
was just freefor all in all senses of of
the word there there was no controls
there at all
um there only in Windows NT the server
systems where they actually had some
form of security actually there for
access controls and Windows XP provides
discretionary access controls but almost
everyone runs as administrator on
Windows XP for practical reasons because
if you don't run as administrator Vol
programs complain and crash um
but um you know since Windows Vista
there is actually user access control uh
is available in Windows and
um it now you're if you're using Windows
it's good because you can run as not an
administrator just a phone call from
Australia
um so
um
yeah so now you can actually have a um
Windows system where you run and you you
know it's not Poss you know hopefully it
makes it harder to just accidentally
screw up your whole system or for a
security problem to cause a huge huge
impact um but that's something we can
talk about again later Unix has had
discretionary Access Control since the
1970s so all along there've been
Security in place on a Unix
system so um the way that discretionary
Access Control usually works is the
process is a traded um based on user
identity so you know I talking about
name badges you know we've said this
before hopefully you got hopefully
you're sick of hearing me say it that
the processes on a Windows and a Linux
system is most of the security decision
is based on who started that program so
what is the user identity associated
with that program um in practice what
that
means is that
um programs can influence security
configuration so um you know a user a
program can then set permissions on your
own files and things like that because
the pro program is running with your
permission on that system and we're
going to come back to program security
throughout the module
really um so another kind of Access
Control in addition to ro base uh discre
access control and manager access
control one of the main models used to
describe access control is role based
access control and that's um usually you
use for non non um discretionary access
control so kind of a manager control
usually but basically the the idea is
that if we've got an organization
everyone who has certain roles within
the organization should be allowed to do
certain
things um and this is slightly different
from groups um but it's a similar
concept um but if we have a um I don't
know say a bank we might have a manager
role and people who are manager managers
in the bank get to access certain
information that everyone else can
access but rather than having to
manually give that person all those
permissions we just have a role that
they're allowed to assume at certain
times and maybe the same person has
multiple roles that they can activate at
various points so rather than just
giving that person always access to
everything because they're a manager
they might also have the role of being
an employee which gives them a basic
amount of access and then every now and
then they can escalate to being a
manager and then they get these extra
per missions so that's what role based
access control
is so I said we were going to come back
to that um Access Control Matrix and
this is where I will so an access
control list is the most common way of
describing permissions on a computer
system so an access control list or an
AAL is um attached to each object and it
describes the subjects that are allowed
access so um so it's like this so you
can see this diagram here this is the
original diagram we had but now attached
to each file is a list of all the
permissions for all the users on that
system
um so it basically stores all the rules
for that specific specific file attached
to each file so that's the way that um
windows and Linux works so and in
slightly different ways but similar so
on Windows they have a full access
control list associated with every
single file in the system if you go into
security properties for that file you
can see the list of all of the users and
um that are allowed to access that file
uh on Linux it's a slightly um
simplified version of that where you it
simplifies the permissions down to the
owner of the
file everyone in um a specific group
that the file has associated with it and
everyone else on the entire system so
rather than a list of every single
independent user on the system it kind
of groups people together into these
categories that's this the typical Unix
way of doing things um but it you know
it's
not Linux has lots of extra security
features in addition to that basic way
of doing things the Unix way and we'll
come back to that so basically the idea
is with an Ackle the rules are stored
with the object so that's
important capabilities yeah
sorry with ACLS
though especially Windows if you try to
edit a file access because of the ACL
yeah and you actually change you can
actually write you can actually append
the file say I'm right to it you when
you change it sometimes still you access
to it um it well no if you change the
permissions in theory and I'm not
advocating the fact that Windows does
security perfectly but if it's working
properly it well there might be multiple
layers of security things going on but
just looking at that one specific layer
right the akles because Windows uh
inherits permissions from folders and
things like that above it but but
generally the permissions on an
individual file should specify who can
access that file and if you own that
file you can change those submissions if
you don't you need to be an
administrator or the person who owns
that file to change those
submissions but you can
um yeah it should work as it's supposed
to so you can say if you're not allowed
access to it if you're actually using
your computer correctly and you've got
multiple users sharing that computer
they should have dependent user accounts
and then if you've got certain files
that you want everyone to be able to use
on that computer you would set the
permission so that everyone's allowed to
access it or certain users are allowed
to access
it um it's not good practice to have a
shared computer with everyone using one
account um it's just it's good to have
separate accounts for everyone even just
so that they don't set you don't have to
look at desktop backgrounds that you
don't like you know um but you know from
a security perspective you should be
using it
correctly um does that answer your
question sort
of
yeah okay that's fine uh so capabilities
is an alternative approach so instead of
attaching all of the information about
who's allowed to do what to the to the
objects we instead attach that
information to the
subject so basically we keep the rules
with the
processes so if for example um going
going back to our not that inventive
analogy of having physical files with
things attached to them if I had a print
out of something and I staple to it a
list of all the users that are allowed
to read that file that's an access
control list if instead I give you on
your name badge a thing that you can
clip onto it that has a list of files
are allowed to access we're now talking
about capabilities
so uh it's information that's kept with
the with the the actual subjects of the
system and obviously you need a way of
obtaining the actual capabilities um but
there's there will be some mechanism for
you to get proof a token that says
you're allowed to access something and
then when you go to access it you you'll
be allowed uh to access it so that's
what a capability
is says
Windows um is it okay to from security
perspective um to v as administrator
there only one account or you have an
administrator account you should never
ever ever run as an administrator you
should not log in as an administrator or
a root user ever because it's too easy
to well I could list how many reasons do
you want I'll give you two main ones
is that you can make mistakes that are
fatal hopefully not physically fatal but
you know you can make you accidentally
type in a command and you've just wiped
the Entire Computer like deleted the
operating
system Windows will let you do that well
there's been various problems with that
on on Windows as well but it but yeah
that still at least that's a level where
you actually need to authenticate like
on a on a Linux or Unix system you
should be logged in not as rout and then
you should have to elevate your
privileges to do the things that are
important so you type the root password
to prove that you're allow to do certain
things or if it's an auntu system you um
have the permission to basically use
your own password to do root things
which is similar to a Windows like user
account control where you can like
specifically escalate to do certain
things so the Windows security system
tries to have that balance where you
might be a administrator but you can't
just delete things without clicking
something on the screen but there have
been various problems with that
mechanism in the past so it's not it's
not perfect but it's better than
nothing um so if we're talking about
capabilities versus Arles capabilities
require applications to be aware of them
and they're they can well they're
considered to be hard to manage uh
although some people in the security
Community will strongly argue the
opposite but access
controlers are just easy in general
because we just store them with the
files so it's very straightforward
basically um and they're stored within
the file system and that's the way that
most Opera operating systems do things
um so on Windows and Unix which includes
Linux and Mac um we use AAL for
discretionary Access Control although
there are other security features that
we will talk about um in the next couple
of weeks so that's where I'm going to um
cover for now in today's lecture and
then next week we put pick this up and
talk about some specifics to do um
mostly with like Unix uh as the example
where we look at the way that the um
file per missions and access controls
and things work so the takeaway messages
from the lecture is the fact that we use
Access Control to imediate actions based
on what a subject's allowed to do and
there's a policy that defines what
you're allow what different people are
allowed to do so what you're authorized
to do um and there are things that we're
going to cover next next week about the
quite powerful and expressive ways that
we can do that in Linux um so yeah so
we're going to continue on with this
topic next week and go into some more
detail uh that's all I'm going to cover
this week
Browse More Related Video
5.0 / 5 (0 votes)