355668
Description
Mind Map by Craig Parker, updated more than 1 year ago
|
Created by Craig Parker
over 10 years ago
|
|
U3.1 Access Control
- Permit or deny user access to computer
resources according to redefined security policy
- Who/What (system/user) is allowed to read and
write to system resources
- Who/What (system/user) is allowed to read and
write to system resources
- Reference Monitor
- Establishes validity of access requests
- REFERENCE MONITOR > either
grants or denies request
- Subject tries an
Access request >
- System decision
- Part of the OS. Its integrity
is extremely Important
- Subject tries an
Access request >
- REFERENCE MONITOR > either
grants or denies request
- Establishes validity of access requests
- Subjects
- Can be user or process
- Will try gain access
- May be represented by more than 1 principal
- Can be user or process
- Objects
- passive entity / resource in a
computer system. IE:file / directory.
- passive entity / resource in a
computer system. IE:file / directory.
- Principal
- attribute or property
associated with a subject
- User ID, process running
on behalf of the user
- Subject may be represented
by more than 1 principal
- Subject may be represented
by more than 1 principal
- User ID, process running
on behalf of the user
- attribute or property
associated with a subject
- Unix has 3 Access Operations
- read (r)
- write (w)
- does not include read
- does not include read
- execute (e)
- For file access
meanings are clear
- For directory access
- read
- list the contents of the
directory
- list the contents of the
directory
- write
- create or rename the
files in the directory
- create or rename the
files in the directory
- execute
- enter the directory.
- enter the directory.
- read
- For directory permissions are
listed consecutivly in a row
- IE drwxr-xr--
- d indicates driectory, the next 3 are owners positions,
following 3 groups permissions, remaining = everyone elses
permissions
- d indicates driectory, the next 3 are owners positions,
following 3 groups permissions, remaining = everyone elses
permissions
- IE drwxr-xr--
- For directory access
- read (r)
- Bell-LaPladula
- Assigns security labels
- Policy that information may not
flow downwards from a high level
to a lower level entity
- Policy that information may not
flow downwards from a high level
to a lower level entity
- Observe mode
- read / write
- read / write
- Alter mode
- append / write
- append / write
- Assigns security labels
- Access Operations - Interaction
between a subject and an object
that causes a flow of information
- 4 Primitive
Access
Operations
- Read
- Can observe and
object. Read only
- Can observe and
object. Read only
- Write
- Able to read and write
or alter/delete objects
- Write includes read
- Write includes read
- Able to read and write
or alter/delete objects
- Execute
- Allows the subject to use the object without
reading or writing
- Subject runs a program,
or access a crypto key
- Subject runs a program,
or access a crypto key
- Allows the subject to use the object without
reading or writing
- Append
- Sometimes = blind write or write only. subject
allowed to alter the object without observing contents
- Sometimes = blind write or write only. subject
allowed to alter the object without observing contents
- Read
- 4 Primitive
Access
Operations
Want to create your own Mind Maps for free with GoConqr? Learn more.