SlideShare une entreprise Scribd logo

Acl 6

D
darryllyrad

powerpoint

FormationTechnologieBusiness
1  sur  6
Télécharger pour lire hors ligne
Policy and Mechanism Protection mechanisms are used to authenticate access to resources File protection Memory protection Chapter 14: Protection and Security A security policy reflects an organization’s strategy to authorize access to the computer’s resources Managers have access to personnel files OS processes have access to the page table Authentication mechanisms are the basis of most protection mechanisms. Two types: External Authentication Internal Authentication External Authentication Internal Authentication User/process authentication Is this user/process who it claims to be? Passwords More sophisticated mechanisms Authentication in networks Is this computer who it claims to be? Sharing parameters: A process changing the parameter values of another process without access authorization is a violation. File downloading Confinement: Contain all rights to resources so that they do not Obtaining network services propagate outside some chosen set of processes. The Java promise Allocating rights: A process may provide another process with specific rights to use its resources. Trojan horse: If the server program takes advantage of the client process’s rights to access resources on its own behalf, it is called a Trojan horse. A Model for Resource Protection A Protection System Active parts (e.g., processes or threads) are called subjects and act on behalf of users. Subjects Objects Passive parts (i.e., resources) are called objects. The particular set of rights a process has at any given time is referred to as its protection domain. A subject is a process executing in a specific protection domain. A protection system is composed of a set of objects, a set of subjects, and a set of rules S desires α access to X specifying the protection policy. Want mechanism to implement different security policies for subjects to access objects Many different policies must be possible Policy may change over time 1
A Protection System A Protection System Subjects Objects Subjects Objects S desires α access to X Protection state reflects current ability to access X S desires α access to X Protection state reflects current ability to access X Authorities can change A Protection System A Protection System Subjects Objects Subjects Objects S desires α access to X S desires α access to X Protection state reflects current ability to access X Protection state reflects current ability to access X Authorities can change Authorities can change What are rules for changing authority? What are rules for changing authority? How are the rules chosen? Protection System Example Protection System Example Access matrix S desires α access to X S desires α access to X Captures the protection state 2
Protection State Example Protection System Example Access matrix S desires α access to X Captures the protection state Generates an unforgeable ID Protection System Example A Protection System Handling Access matrix state changes S desires α access to X Captures the protection state Generates an unforgeable ID Checks the access against the protection state Policy Rules Example Protection Domains Lampson model uses processes and domains — how is a domain implemented? Supervisor/user hardware mode bit RN-1 Software extensions — rings RS+1 The Ring Architecture R0 Inner rings have higher authority Ring 0 corresponds to supervisor mode Rings 1 to S have decreasing protection, and are used to implement the OS Rings S+1 to N-1 have decreasing protection, and are used to implement applications 3
Protection Domains Implementing Access Matrix Ring crossing is a domain change Usually a sparse matrix Inner ring crossing rights amplification Too expensive to implement as a table Specific gates for crossing Implement as a list of table entries Protected by an authentication mechanism Column oriented list is called an access control list (ACL) Outer ring crossing uses less-protected objects List kept at the object No authentication UNIX file protection bits are one example Need a return path Row oriented list is called a capability list Used in Multics and Intel 80386 (& above) hardware List kept with the subject (i.e., process) Kerberos ticket is a capability Mach mailboxes protected with capabilities More on Capabilities Cryptography Provides an address to object from a very large Information can be encoded using a key when address space it is written (or transferred) — encryption Possession of a capability represents It is then decoded using a key when it is read authorization for access (or received) — decryption Implied properties: Very widely used for secure network Capabilities must be very difficult to guess transmission Capabilities must be unique and not reused Capabilities must be distinguishable from randomly generated bit patterns More on Cryptography More on Cryptography Encryption Plaintext Ciphertext Decryption 4
More on Cryptography Cryptographic Systems Kerberos Network Authentication Kerberos Network Authentication The client asks the authentication server for the Kerberos is a set of network protocols that can be credentials of the server process. used to authenticate access to one computer by a user at a different computer using an unsecure network. In Kerberos, it is assumed that a process on one computer (the client) wishes to employ the services of a process on another computer (the server) using the network for communication. Kerberos assumes that information transmitted over the network could be tampered with during transmission. Kerberos does not assume that the operating systems on the two machines are necessarily secure. Kerberos Network Authentication Kerberos Network Authentication The authentication server returns the credentials as a After the client obtains the credentials, it decrypts the ticket and a session key. ticket and session key, keeping a copy of the session key so that it can authenticate information from the server. 5
Kerberos Network Authentication Kerberos Network Authentication The client then sends a copy of the ticket with the The server decrypts the copy of the ticket so that it encrypted fields intact to the server. can obtain a secure copy of the client’s identification and of the session key. END 6

Recommandé

Database development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan pitwgDatabase development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan pitwgJohn M. Kennedy
 
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Information Security Awareness Group
 
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf MattssonISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf MattssonUlf Mattsson
 
2012 Data Center Security
2012 Data Center Security2012 Data Center Security
2012 Data Center SecuritySzymon Dowgwillowicz-Nowicki
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Anindya Ghosh,
 
File protection.59 to 60
File protection.59 to 60File protection.59 to 60
File protection.59 to 60myrajendra
 
10 Insightful Quotes On Designing A Better Customer Experience
10 Insightful Quotes On Designing A Better Customer Experience10 Insightful Quotes On Designing A Better Customer Experience
10 Insightful Quotes On Designing A Better Customer ExperienceYuan Wang
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionIn a Rocket
 

Recommandé

Database development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan pitwgDatabase development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan pitwgJohn M. Kennedy
 
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Information Security Awareness Group
 
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf MattssonISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf MattssonUlf Mattsson
 
2012 Data Center Security
2012 Data Center Security2012 Data Center Security
2012 Data Center SecuritySzymon Dowgwillowicz-Nowicki
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Anindya Ghosh,
 
File protection.59 to 60
File protection.59 to 60File protection.59 to 60
File protection.59 to 60myrajendra
 
10 Insightful Quotes On Designing A Better Customer Experience
10 Insightful Quotes On Designing A Better Customer Experience10 Insightful Quotes On Designing A Better Customer Experience
10 Insightful Quotes On Designing A Better Customer ExperienceYuan Wang
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionIn a Rocket
 
Topic 7 access control
Topic 7 access controlTopic 7 access control
Topic 7 access controlKhawar Nehal khawar.nehal@atrc.net.pk
 
Chapter 14 - Protection
Chapter 14 - ProtectionChapter 14 - Protection
Chapter 14 - ProtectionWayne Jones Jnr
 
Ch18 OS
Ch18 OSCh18 OS
Ch18 OSC.U
 
OSCh18
OSCh18OSCh18
OSCh18Joe Christensen
 
OS_Ch18
OS_Ch18OS_Ch18
OS_Ch18Supriya Shrivastava
 
Design for security in operating system
Design for security in operating systemDesign for security in operating system
Design for security in operating systemBhagyashree Barde
 
Protection and Security in Operating Systems
Protection and Security in Operating SystemsProtection and Security in Operating Systems
Protection and Security in Operating Systemsvampugani
 
System protection in Operating System
System protection in Operating SystemSystem protection in Operating System
System protection in Operating Systemsohaildanish
 
Ppt.1
Ppt.1Ppt.1
Ppt.1veeresh35
 
Ppt.1
Ppt.1Ppt.1
Ppt.1veeresh35
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1osama elfar
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system securityG Prachi
 
امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتAmr Rashed
 
Thesis Proposal
Thesis ProposalThesis Proposal
Thesis ProposalMichele Guglielmi
 
2. access control
2. access control2. access control
2. access control7wounders
 
Access control by amin
Access control by aminAccess control by amin
Access control by aminaminpathan11
 
Protection Structures & Capabilities in Operating System
Protection Structures & Capabilities in Operating SystemProtection Structures & Capabilities in Operating System
Protection Structures & Capabilities in Operating SystemMeghaj Mallick
 
CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) ghayour abbas
 
Ch01
Ch01Ch01
Ch01n C
 
Protection and security of operating system
Protection and security of operating systemProtection and security of operating system
Protection and security of operating systemAbdullah Khosa
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 

Contenu connexe

Similaire à Acl 6

Ch18 OS
Ch18 OSCh18 OS
Ch18 OSC.U
 
Design for security in operating system
Design for security in operating systemDesign for security in operating system
Design for security in operating systemBhagyashree Barde
 
Protection and Security in Operating Systems
Protection and Security in Operating SystemsProtection and Security in Operating Systems
Protection and Security in Operating Systemsvampugani
 
System protection in Operating System
System protection in Operating SystemSystem protection in Operating System
System protection in Operating Systemsohaildanish
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1osama elfar
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system securityG Prachi
 
امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتAmr Rashed
 
2. access control
2. access control2. access control
2. access control7wounders
 
Access control by amin
Access control by aminAccess control by amin
Access control by aminaminpathan11
 
Protection Structures & Capabilities in Operating System
Protection Structures & Capabilities in Operating SystemProtection Structures & Capabilities in Operating System
Protection Structures & Capabilities in Operating SystemMeghaj Mallick
 
CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) ghayour abbas
 
Ch01
Ch01Ch01
Ch01n C
 
Protection and security of operating system
Protection and security of operating systemProtection and security of operating system
Protection and security of operating systemAbdullah Khosa
 

Similaire à Acl 6 (20)

Topic 7 access control
Topic 7 access controlTopic 7 access control
Topic 7 access control
 
Chapter 14 - Protection
Chapter 14 - ProtectionChapter 14 - Protection
Chapter 14 - Protection
 
Ch18 OS
Ch18 OSCh18 OS
Ch18 OS
 
OSCh18
OSCh18OSCh18
OSCh18
 
OS_Ch18
OS_Ch18OS_Ch18
OS_Ch18
 
Design for security in operating system
Design for security in operating systemDesign for security in operating system
Design for security in operating system
 
Protection and Security in Operating Systems
Protection and Security in Operating SystemsProtection and Security in Operating Systems
Protection and Security in Operating Systems
 
System protection in Operating System
System protection in Operating SystemSystem protection in Operating System
System protection in Operating System
 
Ppt.1
Ppt.1Ppt.1
Ppt.1
 
Ppt.1
Ppt.1Ppt.1
Ppt.1
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system security
 
امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكات
 
Thesis Proposal
Thesis ProposalThesis Proposal
Thesis Proposal
 
2. access control
2. access control2. access control
2. access control
 
Access control by amin
Access control by aminAccess control by amin
Access control by amin
 
Protection Structures & Capabilities in Operating System
Protection Structures & Capabilities in Operating SystemProtection Structures & Capabilities in Operating System
Protection Structures & Capabilities in Operating System
 
CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System)
 
Ch01
Ch01Ch01
Ch01
 
Protection and security of operating system
Protection and security of operating systemProtection and security of operating system
Protection and security of operating system
 

Dernier

Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 

Dernier (20)

Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 

Acl 6

  • 1. Policy and Mechanism Protection mechanisms are used to authenticate access to resources File protection Memory protection Chapter 14: Protection and Security A security policy reflects an organization’s strategy to authorize access to the computer’s resources Managers have access to personnel files OS processes have access to the page table Authentication mechanisms are the basis of most protection mechanisms. Two types: External Authentication Internal Authentication External Authentication Internal Authentication User/process authentication Is this user/process who it claims to be? Passwords More sophisticated mechanisms Authentication in networks Is this computer who it claims to be? Sharing parameters: A process changing the parameter values of another process without access authorization is a violation. File downloading Confinement: Contain all rights to resources so that they do not Obtaining network services propagate outside some chosen set of processes. The Java promise Allocating rights: A process may provide another process with specific rights to use its resources. Trojan horse: If the server program takes advantage of the client process’s rights to access resources on its own behalf, it is called a Trojan horse. A Model for Resource Protection A Protection System Active parts (e.g., processes or threads) are called subjects and act on behalf of users. Subjects Objects Passive parts (i.e., resources) are called objects. The particular set of rights a process has at any given time is referred to as its protection domain. A subject is a process executing in a specific protection domain. A protection system is composed of a set of objects, a set of subjects, and a set of rules S desires α access to X specifying the protection policy. Want mechanism to implement different security policies for subjects to access objects Many different policies must be possible Policy may change over time 1
  • 2. A Protection System A Protection System Subjects Objects Subjects Objects S desires α access to X Protection state reflects current ability to access X S desires α access to X Protection state reflects current ability to access X Authorities can change A Protection System A Protection System Subjects Objects Subjects Objects S desires α access to X S desires α access to X Protection state reflects current ability to access X Protection state reflects current ability to access X Authorities can change Authorities can change What are rules for changing authority? What are rules for changing authority? How are the rules chosen? Protection System Example Protection System Example Access matrix S desires α access to X S desires α access to X Captures the protection state 2
  • 3. Protection State Example Protection System Example Access matrix S desires α access to X Captures the protection state Generates an unforgeable ID Protection System Example A Protection System Handling Access matrix state changes S desires α access to X Captures the protection state Generates an unforgeable ID Checks the access against the protection state Policy Rules Example Protection Domains Lampson model uses processes and domains — how is a domain implemented? Supervisor/user hardware mode bit RN-1 Software extensions — rings RS+1 The Ring Architecture R0 Inner rings have higher authority Ring 0 corresponds to supervisor mode Rings 1 to S have decreasing protection, and are used to implement the OS Rings S+1 to N-1 have decreasing protection, and are used to implement applications 3
  • 4. Protection Domains Implementing Access Matrix Ring crossing is a domain change Usually a sparse matrix Inner ring crossing rights amplification Too expensive to implement as a table Specific gates for crossing Implement as a list of table entries Protected by an authentication mechanism Column oriented list is called an access control list (ACL) Outer ring crossing uses less-protected objects List kept at the object No authentication UNIX file protection bits are one example Need a return path Row oriented list is called a capability list Used in Multics and Intel 80386 (& above) hardware List kept with the subject (i.e., process) Kerberos ticket is a capability Mach mailboxes protected with capabilities More on Capabilities Cryptography Provides an address to object from a very large Information can be encoded using a key when address space it is written (or transferred) — encryption Possession of a capability represents It is then decoded using a key when it is read authorization for access (or received) — decryption Implied properties: Very widely used for secure network Capabilities must be very difficult to guess transmission Capabilities must be unique and not reused Capabilities must be distinguishable from randomly generated bit patterns More on Cryptography More on Cryptography Encryption Plaintext Ciphertext Decryption 4
  • 5. More on Cryptography Cryptographic Systems Kerberos Network Authentication Kerberos Network Authentication The client asks the authentication server for the Kerberos is a set of network protocols that can be credentials of the server process. used to authenticate access to one computer by a user at a different computer using an unsecure network. In Kerberos, it is assumed that a process on one computer (the client) wishes to employ the services of a process on another computer (the server) using the network for communication. Kerberos assumes that information transmitted over the network could be tampered with during transmission. Kerberos does not assume that the operating systems on the two machines are necessarily secure. Kerberos Network Authentication Kerberos Network Authentication The authentication server returns the credentials as a After the client obtains the credentials, it decrypts the ticket and a session key. ticket and session key, keeping a copy of the session key so that it can authenticate information from the server. 5
  • 6. Kerberos Network Authentication Kerberos Network Authentication The client then sends a copy of the ticket with the The server decrypts the copy of the ticket so that it encrypted fields intact to the server. can obtain a secure copy of the client’s identification and of the session key. END 6