ETRI CIS OHP Form - PowerPoint PPT Presentation

1 / 27
About This Presentation
Title:

ETRI CIS OHP Form

Description:

The aim is that the computing environment guarantee's that only ... user: e.g. root, daemon, guest, nobody, knorr, ... group: e.g. admins, ikm, students, ... – PowerPoint PPT presentation

Number of Views:48
Avg rating:3.0/5.0
Slides: 28
Provided by: caislab
Category:
Tags: cis | etri | ohp | daemon | form

less

Transcript and Presenter's Notes

Title: ETRI CIS OHP Form


1
Authorization
2
Authorization ?
  • .restrict the potential actions of users.
  • The aim is that the computing environment
    guarantees that only legitimate users can obtain
    access to computing facilities, and that only
    allowable and legitimate actions will be
    performed
  • von Solms Eloff
  • Synonyms Access Control, Entitlement

3
Introduction
  • Authorization Basics
  • Authorization Models
  • DAC
  • MAC
  • RBAC
  • Authorization in Workflow Systems
  • Authorization in UNIX systems
  • Secret Sharing

4
Motivation
5
Limitations of Authorization
  • Authorization relies on Authentication
  • Effectiveness bounded by the system as a whole
    (e.g. buffer overflow)
  • misbehavior of users, social component
  • insider threat

6
Authorization Models
7
Access Control Mechanisms
  • Supporting a DAC policy
  • directory list
  • access control list
  • access control matrix
  • Supporting a MAC policy
  • Military security model
  • BellLaPadula model

8
Discretionary Access Control
9
Directory List
10
Access Control List
11
Access Control List Example
12
Access control matrix
13
Mandatory Access Control Models
  • Military Security Model
  • principle of least privilege
  • security classification hierarchy (clearance for
    subjects)
  • each piece of information classified
  • enforce information compartmentalization

14
The security levels of the Military
15
Military Security Model (I)
  • A subject can obtain access to an object if and
    only if the following two conditions are true
  • security_class(subject) gt security_class(object)
  • compartment (object) Í compartment (subject)

16
Military Security Model (II)
Two Compartments Nuclear Missiles (NUC) and
Satelliten Verteidigungssystem (SDI) Three
Security Levels Top secret (top), confidential
(con) and unclassified (un)
17
Mandatory Access Models
  • Bell LaPadula Model
  • widely referenced model
  • successor of military model
  • subject and object labeling
  • customized classification hierarchy
  • allowable flow of information

18
Mandatory Access ControlBell LaPadula Model
  • simple security property No-read-up
  • a subject Si can have read access to an object
    Oj only if
  • C(Si) gt C(Oj)
  • star-property No-write-down
  • a subject Si can have write access to an object
    Oj only if
  • C(Si) lt C(Oj)

19
Bell LaPadula Model - Example
20
Role Based Access Control (RBAC)
21
UNIX Security File Permissions (I)
  • Subjects Objects
  • user e.g. root, daemon,
  • guest, nobody, knorr, ...
  • group e.g. admins, ikm,
  • students, ...
  • other
  • files
  • directories
  • links (symbolic, hard)
  • ...
  • Access Rights
  • Permissions, Privileges
  • r, read
  • w, write
  • x, execute

22
UNIX Security File Permissions (II)
  • Read
  • To be able to view contents of a file
  • To be able to read a directory (listing)
  • Write
  • To be able to add to, rename or change a file
  • To be able to delete, rename or move files in a
    directory
  • Execute
  • To be able to run a binary program or shell
    script
  • To be able to enter a directory
  • Privileges have no meanings for symbolic links.

23
UNIX Security File Permissions (III)
24
UNIX Security File Permissions (IV)
25
UNIX Security chmod(1) Command
  • File permissions are changed with the chmod(1)
    change mode command by the owner
  • of a file. There are two syntaxes you can use
  • (1) chmod DDD file file ...
  • The DDD are three octal digits representing bits
    of protection
  • rwx rwx rwx can be thought of as 111 111 111
    in binary
  • 111 111 111 can be thought of as 777 octal
    (14 12 1 7)
  • you specify an octal numbers whose bits are in
    the places you want turned on
  • (2) chmod ugoa-rwx file ...
  • This is the "symbolic" method
  • chmod urwx means give the User Read, Write,
    and eXecute
  • chmod grx means give the Group Read and
    eXecute
  • chmod o-rwx means take Read, Write, and
    eXecute away from the Others
  • chmod ax means give All eXecute permission
  • chmod gr means give Group Read and make sure
    it has nothing else
  • Symbolic modes can be strung together with
    commas
  • chmod urwx,g-w,o-rwx for instance

26
UNIX Security umask(1) Command
  • umask user file-creation mode mask
  • This is BACKWARDS to the chmod command
  • It tells you which permissions will NOT be given
    and is used as a TEMPLATE
  • 077 or 77 means don't let anyone but the User do
    anything with my files
  • 027 or 27 means let the User do anything, let the
    Group do anything but Write, don't let the Others
    do anything

27
UNIX Security other commands
  • chown change owner
  • Nowadays, only executable by owner of file
  • chgrp change group
  • Groups password needed
  • whoami gives users identity
  • only admin can add new users and groups
  • Groups of user are listed in the file /etc/group
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "ETRI CIS OHP Form" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!