CS687 - Access Control 1 - Spring 2020

This document discusses access control and authorization. It defines access as the ability to do something with a computer resource, such as files, programs, printers, etc. It describes different types of access rights including read, write, execute, delete, and create. It also discusses different access control models like discretionary access control, mandatory access control, access control matrices, access control lists, and capabilities. It provides examples of how access control is implemented in operating systems like Unix and Windows.

Uploaded by

Dawit Getcho

CS687

Information Systems Security


Access Control / Authorization

HiLCoE School of Computer Science & Technology
Text Book
William Stallings & Lawrie Brown, "Computer Security: Principles and Practice", Pearson, 2008

Access
Access is the ability to do something with a computer resource.

Resources to protect
• Files
• Programs
• Computers
• Communication ports
• Printers and other peripherals
• Disks
• etc.

Access to Whom
• Individual users, or processes acting on their behalf
• Servers, machines
• Groups of users/entities
◦ finance department, etc.
• Public
• Anonymous

Access … Roles
• In certain cases, access is defined by functional assignment rather than a specific user:
◦ e.g. Manager, CEO, CIO, Operator, Administrator, etc.
• See Role Based Access Control (RBAC)
• Auditing, however, is done per the individual's account

Access Restrictions
• Location: Access to particular system resources may also be based upon physical or logical location.
• Time of access: Time-of-day or day-of-week restrictions are common limitations on access.
• Transaction: Access may be granted for a limited duration to do a very restricted task, e.g. accessing /etc/passwd to change a password.

Common Access Rights
• Read access provides users with the capability to view information in a system resource (such as a file, certain records, certain fields, or a combination), but not to alter it.
• Write access allows users to add to, modify, or delete information in system resources (e.g., files, records, programs). Normally a user has read access to anything they have write access to.

Access Rights/Privileges
• Execute privilege allows users to run programs.
• Delete access allows users to erase system resources (e.g., files, records, fields, programs). Note that if users have write access but not delete access, they could overwrite the field or file with anything, effectively deleting the information.

Access Rights/Privileges
• Create access allows users to create new files, records, or fields.
• Search access allows users to list the files in a directory.

Access Rights in DB
• Select
• Insert
• Update
• Create
• Delete
• Drop

Resources in DB
• Database
• Table
• Column
• Field // dynamic
• Stored procedure

Access Control
Access control is a mechanism to enforce access policies on resources.

AC Protects
• Confidential information from being disclosed to unauthorized individuals.
• Operating systems and other system software from unauthorized modification or manipulation (and thereby helps ensure the system's integrity and availability).
• Availability of information, by restricting the number of users and processes.

Placement of Access Control
• It depends on the resource whose access is to be restricted:
• Operating systems
• Applications
• Database systems
• etc.

Discretionary Access Control
• DAC is a type of access control whereby the entity (i.e. the subject) is allowed to define and change its access rights.
• Many UNIX varieties use DAC, since they allow "owners" to set and unset access rights on files and directories.
• Note, however, that some aspects of UNIX access control are set centrally by the super user. An example is the 'x' and 's' access bits on some program files.

Mandatory Access Control
• Mandatory access control (MAC) is a type of access control whereby access is defined based on regulations by a central authority.
• The philosophy underlying these policies is that information belongs to an organization (rather than individual members of it), and it is that organization which should define the access control.
• E.g. Unix System V

Representing and Implementing AC

Access Control Matrix
The access control matrix model is the most precise model in use: it describes the rights of every subject over every resource in a matrix.

ACM: Example

        File1                 File2        File3                 File4
User1   read, write, execute  execute      read                  write
User2   execute               read, write  read, write, execute  read

ACM: Questions
• Adding and deleting ACM entries: who has the right to add and delete privileges?
• Default privileges
• Undefined entries
• Inconsistencies
• Management issues (for the admin)
◦ Re-adjusting access rights, etc.

ACL
An ACL is a simplified implementation of the ACM on a column basis. In other words, access privileges are kept by the objects (i.e. column-wise in the matrix). A good example is the file system in UNIX, where the access rights are stored per file (i.e. per object).

Capability
A simplified implementation of the ACM on a row basis. Each subject maintains an unforgeable list of the rights it has to objects.

ACL vs Capability
Both implementations make certain questions easier to answer
than others. For example, it is easy in an ACL implementation to
find the set of all subjects who may read a file, but it is difficult to
find the set of all files that a subject may read.
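The matrix from the "ACM: Example" slide, stored both ways, makes the asymmetry concrete. This is an added example, not code from the slides: it builds the column view (ACLs) and the row view (capability lists) from the same matrix and shows which question each answers with one lookup, and what a revocation costs in each.

```python
# Added example, not from the slides: the matrix on the "ACM: Example" slide
# stored column-wise (ACLs, one list per object) and row-wise (capability
# lists, one per subject), to show which question each form answers cheaply.

# Subject -> object -> rights, transcribed from the slide.
ACM = {
    "User1": {"File1": {"read", "write", "execute"}, "File2": {"execute"},
              "File3": {"read"}, "File4": {"write"}},
    "User2": {"File1": {"execute"}, "File2": {"read", "write"},
              "File3": {"read", "write", "execute"}, "File4": {"read"}},
}


def to_acls(acm):
    """Column view: object -> {subject: rights}, as a UNIX file system keeps per file."""
    acls = {}
    for subject, row in acm.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_capabilities(acm):
    """Row view: subject -> {object: rights}; each subject carries its own list."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in acm.items()}


def subjects_with_right(acls, obj, right):
    """Cheap with ACLs: one lookup on the object's list. An undefined entry means no access."""
    return sorted(s for s, r in acls.get(obj, {}).items() if right in r)


def objects_with_right(caps, subject, right):
    """Cheap with capabilities: one lookup on the subject's list."""
    return sorted(o for o, r in caps.get(subject, {}).items() if right in r)


def objects_with_right_via_acls(acls, subject, right):
    """The same question asked of ACLs: every object's list has to be scanned."""
    return sorted(o for o, ent in acls.items() if right in ent.get(subject, set()))


def revoke_on_object(acls, caps, obj, right):
    """Revoking a right on one object edits a single ACL, but must visit every
    subject's capability list to keep the two views consistent."""
    for r in acls.get(obj, {}).values():
        r.discard(right)
    for row in caps.values():
        if obj in row:
            row[obj].discard(right)
```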

Constrained User Interface
Often used in conjunction with ACLs are constrained user
interfaces, which restrict users' access to specific functions by
never allowing them to request the use of information, functions,
or other specific system resources for which they do not have
access. Three major types exist: (1) menus, (2) database views, and
(3) physically constrained user interfaces.

Menus ..
Menus can be used to implement AC by allowing and disallowing certain activities depending on the users' access rights.

Database View
A database view is a mechanism for restricting user access to data contained in a database. It may be necessary to allow a user to access a database, but that user may not need access to all the data in the database (e.g., not all fields of a record, nor all records in the database).

Physically …
Physically constrained user interfaces can also limit a user's abilities. A common example is an ATM, which provides only a limited number of physical buttons to select options; no alphabetic keyboard is usually present.

AC in Unix
• Subjects are processes that execute on behalf of users
• Subject classes: user (u), group (g), other (o)
• Objects are all treated as "files": files, directories, devices, etc.
• Access rights are: read (r), write (w), execute (x)
• … but also SetUID and SetGID
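How the u/g/o and SetUID/SetGID bits on this slide are actually consulted is worth seeing once. This is an added example, not code from the slides: it decodes a mode word, applies the UNIX rule that exactly one class (owner, group or other) is selected before the rwx bits are tested, and shows what SetUID/SetGID do to the effective ids on exec (the mechanism behind the earlier "change a password via /etc/passwd" transaction example). The uid/gid values are constructed; the root short-circuit of real kernels is left out.

```python
# Added example, not from the slides: decoding u/g/o rwx plus SetUID/SetGID,
# and the class-selection rule a UNIX kernel applies before testing the bits.
import stat


def describe_mode(mode):
    """Render a full mode word the way ls -l does ('s' replaces 'x' when setuid/setgid is set)."""
    return stat.filemode(mode)


def unix_access(mode, file_uid, file_gid, subject_uid, subject_gids, want):
    """True if a subject (uid plus its group set) has the wanted right 'r', 'w' or 'x'.

    The class is chosen first and exclusively: the owner is judged only by the
    owner bits, even when the group or other bits would have granted more.
    (Real kernels also short-circuit for uid 0; omitted here.)
    """
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if subject_uid == file_uid:
        cls = (mode >> 6) & 0o7          # owner triple
    elif file_gid in subject_gids:
        cls = (mode >> 3) & 0o7          # group triple
    else:
        cls = mode & 0o7                 # other triple
    return bool(cls & bit)


def effective_ids(mode, file_uid, file_gid, caller_uid, caller_gid):
    """On exec, SetUID/SetGID make the new process run as the file's owner/group.

    This is how an unprivileged caller gets a narrowly scoped 'transaction'
    on a root-owned file such as /etc/passwd: the privilege belongs to the
    program, not to the user, and is set centrally by the super user.
    """
    euid = file_uid if mode & stat.S_ISUID else caller_uid
    egid = file_gid if mode & stat.S_ISGID else caller_gid
    return euid, egid
```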

Access Control Model in Windows
• AC in Windows controls access to securable objects by a process running on behalf of a user.
• Two components:
◦ Access token: a ticket issued to the user upon successful login. Every process executed on behalf of this user will have a copy of this access token.
◦ Security descriptor: the security attributes of securable objects (see later slides).

Access token
An access token contains:
• The security identifier (SID) for the user's account [example of a SID: S-1-5-21-1004336348-1177238915-682003330-512]
• SIDs for the groups of which the user is a member
• A logon SID that identifies the current logon session
• A list of the privileges held by either the user or the user's groups
• An owner SID
• The SID for the primary group
• The default DACL that the system uses when the user creates a securable object without specifying a security descriptor
• The source of the access token
• Whether the token is a primary or impersonation token
• An optional list of restricting SIDs
• Current impersonation levels
• Other statistics

Access Token
• Every process executed on behalf of the user has a copy of the access token.
• The token identifies the user, the user's groups, and the user's privileges.
• A token also contains a logon SID (Security Identifier) that identifies the current logon session.

Securable Object
• Securable object: any resource within a system that needs to be protected against unauthorized access.
• Examples: files, directories, registry keys, ports, pipes, devices, etc.

Securable Object
Ownership
• A securable object has an owner.
• By default, the creator of the object is the owner.
• The owner of the object can always change the permissions that might have been set on an object, by default or otherwise.

Securable Object
Security Descriptor
• Security Descriptor (SD): the access (security) information attached to a securable object.
• The access information is created either by the user who creates the object or by a default access policy.
• In particular, an SD contains the following:
◦ The object's owner (mostly the creator)
◦ A discretionary access control list (DACL) that identifies the users and groups allowed or denied access to the object.
◦ A system access control list (SACL) that controls how the system audits attempts to access the object.
Access Control List (ACL)
Permissions
• An ACL (or permission) is a list of Access Control Entries (ACEs), where each ACE contains the following:
◦ A SID (Security Identifier) that identifies a particular user or group.
◦ An access mask that specifies access rights.
◦ A set of bit flags that determine whether or not child objects can inherit the ACE.
◦ A flag that indicates the type of ACE.
• Common permissions on most objects: Read, Modify, Change Owner, Delete

Changing Permissions in Windows

Access Control List (ACL)
Two types
• Explicit permissions are those that are set by default on non-child objects when the object is created, or by user action on non-child, parent, or child objects.
• Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.
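The ACE fields from the "Permissions" slide and the explicit/inherited distinction above decide the outcome of an access check together. This is an added model, not code from the slides or from Windows: it sorts ACEs into the documented canonical order (explicit deny, explicit allow, inherited deny, inherited allow), walks them first-match against the token's SIDs, and covers the two edge cases a practitioner should know, an empty DACL (nothing granted) versus no DACL at all (everything granted). The mask bit values and SIDs are constructed for the example and are not the real Win32 constants.

```python
# Added example, not from the slides: a model of how a Windows DACL is checked
# against an access token. ACE fields are the ones the slide lists (SID, access
# mask, inheritance flag, type flag); the ordering and first-match rules follow
# the documented canonical-order behaviour. Mask bits and SIDs are constructed.
from dataclasses import dataclass, field

READ, MODIFY, DELETE, CHANGE_OWNER = 0x1, 0x2, 0x4, 0x8   # constructed, not Win32 values


@dataclass
class ACE:
    sid: str
    mask: int          # access rights this entry allows or denies
    allow: bool        # type flag: True = access-allowed, False = access-denied
    inherited: bool    # set on ACEs propagated from the parent container


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset = field(default_factory=frozenset)


def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def check_access(dacl, token, requested):
    """Walk the DACL in canonical order until the request is settled.

    None (no DACL) means an unprotected object: everything is granted.
    An empty DACL grants nothing. Allowed bits accumulate across ACEs; a
    matching deny ACE covering a requested right that an earlier (explicit)
    allow has not already granted ends the check with a refusal.
    """
    if dacl is None:
        return True
    sids = {token.user_sid} | token.group_sids
    granted = 0
    for ace in canonical(dacl):
        if ace.sid not in sids:
            continue                      # ACE is for some other trustee
        if not ace.allow:
            if ace.mask & requested & ~granted:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False                          # nothing granted the remaining rights
```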

User Rights & Privileges
• These are different from permissions. A permission is an ACL that is associated with a securable object, whereas user rights/privileges apply to user accounts.
• A privilege is the right of an account, such as a user or group account, to perform various system-related operations (i.e. privileged operations) on the local computer.
• Examples: logging on to a system interactively, backing up files and directories, restoring files and directories, shutting down the system, loading device drivers, or changing the system time.

User Rights & Privileges
c:> whoami /all
Privilege                         Description                              State
SeIncreaseQuotaPrivilege          Adjust memory quotas for a process       Disabled
SeSecurityPrivilege               Manage auditing and security log         Disabled
SeTakeOwnershipPrivilege          Take ownership of files or other obj     Disabled
SeLoadDriverPrivilege             Load and unload device drivers           Disabled
SeSystemProfilePrivilege          Profile system performance               Disabled
SeSystemtimePrivilege             Change the system time                   Disabled
SeProfileSingleProcessPrivilege   Profile single process                   Disabled
SeIncreaseBasePriorityPrivilege   Increase scheduling priority             Disabled
SeCreatePagefilePrivilege         Create a pagefile                        Disabled
SeBackupPrivilege                 Back up files and directories            Disabled
SeRestorePrivilege                Restore files and directories            Enabled
…

User Rights & Privileges
(Optional) further exploration is left to those interested!
