CSC 8320 Advanced Operating System - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

CSC 8320 Advanced Operating System

Description:

CSC 8320 Advanced Operating System Discretionary Access Control Models Presenter: Ke Gao Instructor: Professor Zhang ... – PowerPoint PPT presentation

Number of Views:101
Avg rating:3.0/5.0
Slides: 32
Provided by: Dell558
Learn more at: http://www.cs.gsu.edu
Category:

less

Transcript and Presenter's Notes

Title: CSC 8320 Advanced Operating System


1
CSC 8320 Advanced Operating System
Discretionary Access Control Models Presenter Ke
Gao Instructor Professor Zhang
2
Overview
  • Part 1 Fundamental Knowledge
  • Part 2 Current Technology
  • Part 3 Future Research

3
Part 1 Fundamental Knowledge
4
The Access Control Matrix (ACM) 1, Randy Chow,
1997
The Access Control Matrix (ACM) is the most
fundamental and widely used discretionary access
control model for simple security
policies. Access control is a function that given
a subject and object pair, (s, o) and a requested
operation, r from s to o, return true if the
request is permitted.
5
Two Types of Security Policies
  • Simple Security Policy
  • A statement that specifies what privileges and
    limitation a certain subject has on an object,
    without ant special constraints.
  • Complex Security Policy
  • Security requirements that are dependent on how
    and when other access are being performed. Eg. a
    subject can access object x if it has not already
    access object y.

6
Example of ACM - Resource ACM
7
Example of ACM - Process ACM
8
Example of ACM - Domain ACM
9
Reducing the Size of Access Control Matrix
  • The user subjects are generally related and could
    have similar access rights to some commom
    objects.
  • Rows in ACM can be mergerd as a single group of
    user.
  • A user is identfied with a group name which is
    based on group rather than the user name.
  • Object columns can be merged as categories which
    a based on objects rather than the attributes of
    the users.

10
Distributed Compartments
A distributed application with collaborating
processes may consists of subject users and
object resources crossing the physical boundaries
of physical resources. Because it is impossible
to have a global ACM, a logical ACM called a
distributed compartment that regulates access
among the collaborating users would serve a
better purpose.
11
  • Each distributed compartment has at least one
    member called an owner which has the maximum
    privleged.
  • Access to the distributed compartments are based
    on distributed handles rather than user ID.
  • These handles are application oriented and they
    provide a protective wall around an application
    and are authenticated by the application.

12
(No Transcript)
13
ACM Implementations
The Linked list structure that contains all
entries in a column for a particular object is
called a Access control List (ACL) for the
object. An ACL specifies the permissible rights
that various subjects have on the
object. Likewise all entries in a row for a
subject is called a Capability List (CL) for the
subject. A CL specifies privileges to various
objects held by a subject
14
ACM Implementations
Subject Client
Object Server
ACL lt (si, Rsi)gt S Si s ? S and r ? Rs?
s
(r, s)
ACL Implementation
Object Server
Subject Client
o ? O and r ? Ro?
CL lt (Oi, Roi) gt O Oi
(o, s)
CL Implementation
15
ACM Implementations
Object Server
Subject Client
LL lt (Li, Rli) gt o ? O ? Kl? r ? Rl?
CL lt (Oi, Ki) gt O Oi
(o, r, k)
Lock-key Implemtation
16
Comparison of ACL CL
  • Authentication
  • Reviewing of Access Rights
  • Propagation of Access Rights
  • Revocation of Access Rights
  • Conversion between ACL and CL

17
Authentication
  • ACL Authenticates subjects, which is performed by
    the system, no overhead.
  • In CL, authentication is performed by the object
    server. But its easiler. Its widely used in
    distributed system.

18
Review of Access Right
  • Easier to review ACL, because ACL contains
    exactly this information.
  • Difficult for CL unless some type of activity log
    is kept.

19
Propagation Of Access Rights
  • In ACL, propagation of rights is initiated by a
    request to the object server, which modifies or
    adds an entry to its ACL.
  • In CL, theoretically it is propagate rights
    between subjects without intervention of object
    server. But it may result in uncontrollable
    system.

20
Revocation of Access Rights
  • Revocation is trivial in ACL because it is easy
    to delete subject entries from the ACL.
  • It is difficult for CLs to revoke access
    selectively.

21
Conversion Between ACL CL
  • Conversion from CL to ACL is straight forward.
  • Conversion from ACL to CL
  • Gateway Authenticates the process identifier and
    verifies the operation in the capability list.
  • The remote host grants the accss request if its
    ACL contains the process as a subject and the
    requested opertion is within the authorized
    range.

22
Part 2 Current Technology
23
Role-based Access Control (RBAC)
  • Access decisions are based on the roles that
    individual users have as part of an organization.
  • Users take on assigned roles (such as doctor,
    nurse, teller, manager). The operations that a
    user is permitted to perform are based on the
    user's role.
  • Role hierarchies can be established to provide
    for the natural structure of an enterprise.
  • Organizations establish the rules for the
    association of operations with roles.

24
Application of Role-Based Access Control for Web
Environment 2, Robles, R.J, 2004
  • Secure cookies provide three types of security
    services authentication, integrity, and
    confidentiality.
  • Authentication verifies the cookies owner.
  • Integrity protects against unauthorized
    modification of cookies.
  • Confidentiality protects against the cookies
    values being revealed to an unauthorized entity.

25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
Part 3 Future Research
29
(No Transcript)
30
Reference
  • 1 Randy Chow, Theodore Johnson, Distributed
    Operating Systems Algorithms, Addison Wesley,
    1997
  • 2 Robles, R.J. Min-Kyu Choi Sang-Soo Yeo
    Tai-hoon Kim, "Application of Role-Based Access
    Control for Web Environment," Ubiquitous
    Multimedia Computing, 2008. UMC '08.
    International Symposium on , vol., no.,
    pp.171-174, 13-15 Oct. 2008
  • 3 Ravi Sandhu, The PEI Framework for
    Application-Centric Security, 2009
  • 4 Krishnan, Ram and Sandhu, Ravi and
    anganathan, Kumar, PEI models towards scalable,
    usable and high-assurance information sharing,
    Proceedings of the 12th ACM symposium on Access
    control models and technologies

31
Thank You Q A
Write a Comment
User Comments (0)
About PowerShow.com