Discretionary access controls
Summary
Discretionary Access Controls
DAC
Access Matrix Model
DAC in Relational Database
DAC
Privileges
The System R Access Control
Content–Based Access Control
Demo
DISCRETIONARY ACCESS CONTROLS
Teacher: Assoc. Prof. Dr. Dang Tran Khanh
Presenter: Vo Van My
www.cse.hcmut.edu.vn

Outline
- Discretionary Access Controls
- DAC
- Access Matrix Model
- DAC in Relational Database
- DAC
- Privileges
- The System R Access Control
- Content–Based Access Control
- Demo
- Q & A

Discretionary Access Controls
DAC is based on the identity of the user requesting access and on a set of rules, called authorizations, explicitly stating which user can perform which action on which resource.

Discretionary Access Controls: DAC
(Figure: Bob, Document1)

Access Matrix Model
- Access Matrix Model: the first discretionary access control model proposed.
- Triple (S, O, A). S: subjects; O: objects; A: actions.
- A[s,o] contains the list of actions that subject s can execute over object o.

         O1          Oi          Om
    S1   A[s1,o1]    A[s1,oi]    A[s1,om]
    Si   A[si,o1]    A[si,oi]    A[si,om]
    Sn   A[sn,o1]    A[sn,oi]    A[sn,om]

- Authorization state: Q = (S, O, A)
- For DBs, A[s,o] also includes conditions that must be satisfied in order for s to exercise the access modes.
- Possible conditions: data-dependent (sal ON TO [WITH GRANT OPTION]; REVOKE ON From ; GRANT TO REVOKE FROM

Example
Schema HR
    Employee(ID, Name, Bdate, address, sex, Salary, Dno)
    Department(Dnumber, Dname)

Example
Diagram (schema HR): DBA, Alice, Red, Jack, Bob; tables Employee, Department; AUTHORIZATION.
    GRANT CREATE TABLE TO Alice WITH GRANT OPTION
    GRANT insert, delete ON Emp, Dept TO Red
    GRANT select ON Emp, Dept TO Jack WITH GRANT OPTION
    GRANT select ON Emp TO Bob
- Alice revokes the grant given to Jack?
- Alice does not want Bob to access the Employee relation?
    REVOKE select ON Emp, Dept FROM Jack

Inherent weakness of DAC
- Unrestricted DAC allows information from an object which can be read by a subject to be written to any other object.
- Example: Bob and Jack.
- Suppose our users are trusted not to do this deliberately. It is still possible for Trojan Horses to copy information from one object to another.

Trojan Horse Example
(Figure)

The System R Access Control Model
The main protection objects are tables and views.

Content–Based Access Control
Diagram (schema HR): DBA, Alice, Red, Jack; tables Employee, Department; AUTHORIZATION.
    GRANT CREATE TABLE TO Alice WITH GRANT OPTION
    GRANT insert, delete ON Emp, Dept TO Red
- Alice does not want Jack to access all columns of the Employee relation? ename, salary

Content–Based Access Control
- Essentially, content-based access control requires that access control decisions be based on data contents.
- Example: a table employees of a company.
- A content-based access control policy: a manager can only access the employees that work in his/her division.

Content–Based Access Control
    CREATE VIEW name [(column-name1, column-name2, ...)]
    AS query
    WITH { READ ONLY | CHECK OPTION [CONSTRAINT constraint] }
- WITH CHECK OPTION: restricts DML operations to only the rows that are accessible to the view.
- WITH READ ONLY: ensures that no DML operations can be performed using the view.

Content–Based Access Control
Diagram (schema HR): DBA, Alice, Red, Jack, Bob; tables Employee, Department; AUTHORIZATION.
    GRANT CREATE TABLE TO Alice WITH GRANT OPTION
    GRANT insert, delete ON Emp, Dept TO Red
    GRANT select ON Emp_Jack TO Jack
- Alice wants Jack to access his information?
    CREATE VIEW Emp_Jack AS SELECT ename, salary FROM Emp WITH READ ONLY

Content–Based Access Control: Row-level
Diagram (schema HR): DBA, Alice, Red, Jack, Bob; tables Employee, Department; AUTHORIZATION.
    GRANT CREATE TABLE TO Alice WITH GRANT OPTION
    GRANT insert, delete ON Emp, Dept TO Red
    GRANT select ON Emp_Jack TO Jack
    CREATE VIEW Emp_Jack AS SELECT * FROM Emp WHERE name = 'Jack' WITH READ ONLY

Content–Based Access Control: Disadvantages
- Too many views to create
- Complicated policy logic can be difficult to express and to update
- Update anomalies

DEMO
Oracle
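The grant chain in the Example slide (Alice to Jack WITH GRANT OPTION, then on to Bob) and the question of what Alice's revoke does, as an added Python example that is not part of the original slides. It models System R's recursive revocation in simplified form (no grant timestamps) and assumes that Alice owns Emp and that Jack is the grantor of Bob's select; the class and function names are hypothetical.

```python
# Added example, not from the slides: simplified System R grant graph
# (no grant timestamps). Assumes Alice owns Emp and Jack granted select to Bob.

class GrantGraph:
    def __init__(self, owners):
        self.owners = dict(owners)   # table -> owner, who holds every privilege
        self.grants = set()          # (grantor, grantee, privilege, table, grant_option)

    def _reach(self, privilege, table):
        """Return (holders, grantors) reachable from the table owner."""
        holders = {self.owners[table]}
        grantors = {self.owners[table]}   # hold the privilege WITH GRANT OPTION
        changed = True
        while changed:
            changed = False
            for grantor, grantee, priv, tab, option in self.grants:
                if (priv, tab) != (privilege, table) or grantor not in grantors:
                    continue
                if grantee not in holders or (option and grantee not in grantors):
                    changed = True
                holders.add(grantee)
                if option:
                    grantors.add(grantee)
        return holders, grantors

    def has(self, user, privilege, table):
        return user in self._reach(privilege, table)[0]

    def grant(self, grantor, grantee, privilege, table, grant_option=False):
        if grantor not in self._reach(privilege, table)[1]:
            raise PermissionError(f"{grantor} may not grant {privilege} on {table}")
        self.grants.add((grantor, grantee, privilege, table, grant_option))

    def revoke(self, grantor, grantee, privilege, table):
        self.grants = {g for g in self.grants
                       if g[:4] != (grantor, grantee, privilege, table)}
        # Cascade: a grant survives only if its grantor can still grant.
        grantors = self._reach(privilege, table)[1]
        self.grants = {g for g in self.grants
                       if g[2:4] != (privilege, table) or g[0] in grantors}


def page_scenario():
    """Alice -> Jack (WITH GRANT OPTION) -> Bob, then Alice revokes from Jack."""
    acl = GrantGraph({"Emp": "Alice"})
    acl.grant("Alice", "Jack", "select", "Emp", grant_option=True)
    acl.grant("Jack", "Bob", "select", "Emp")
    before = acl.has("Bob", "select", "Emp")
    acl.revoke("Alice", "Jack", "select", "Emp")
    return before, acl.has("Jack", "select", "Emp"), acl.has("Bob", "select", "Emp")
```

If Bob had also received select through another grantor who still holds the grant option, revoking from Jack alone would not remove his access.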
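The weakness described under "Inherent weakness of DAC", as an added Python example that is not part of the original slides: it audits an access matrix A[s,o] for read-then-write paths through which a program running with one subject's rights can pass data to a subject who cannot read the source. The matrix contents, the Scratch object and the helper names are constructed for illustration.

```python
# Added example, not from the slides: audit an access matrix for the flows
# a Trojan horse could use. Subjects, objects and rights are constructed.

def can(matrix, subject, obj, action):
    """A[s,o] lookup: matrix maps (subject, object) -> set of actions."""
    return action in matrix.get((subject, obj), set())


def leak_paths(matrix):
    """Return (carrier, source, sink, reader) tuples: carrier may read source
    and write sink, while reader may read sink but not source."""
    subjects = sorted({s for s, _ in matrix})
    objects = sorted({o for _, o in matrix})
    found = []
    for carrier in subjects:
        for source in objects:
            if not can(matrix, carrier, source, "read"):
                continue
            for sink in objects:
                if sink == source or not can(matrix, carrier, sink, "write"):
                    continue
                for reader in subjects:
                    if (reader != carrier and can(matrix, reader, sink, "read")
                            and not can(matrix, reader, source, "read")):
                        found.append((carrier, source, sink, reader))
    return found


def run_as(matrix, store, subject, src, dst):
    """Copy src to dst with the invoker's rights, as a program run by subject would."""
    if not (can(matrix, subject, src, "read") and can(matrix, subject, dst, "write")):
        raise PermissionError(f"{subject}: copy {src} -> {dst} denied")
    store[dst] = store[src]


# Constructed state: Bob may read Emp; Jack may not, but owns a scratch table
# on which he has given Bob write access.
MATRIX = {
    ("Bob", "Emp"): {"read"},
    ("Bob", "Scratch"): {"write"},
    ("Jack", "Scratch"): {"read", "write"},
}


def scenario():
    store = {"Emp": "salary rows", "Scratch": ""}
    run_as(MATRIX, store, "Bob", "Emp", "Scratch")   # each DAC check passes
    jack_sees = store["Scratch"] if can(MATRIX, "Jack", "Scratch", "read") else None
    return leak_paths(MATRIX), jack_sees
```

Removing Bob's write right on Scratch empties the audit result, which is the kind of change the audit is meant to prompt.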