Access Control: Difference between revisions
Robsteinde (talk | contribs) No edit summary |
Revision as of 15:08, 30 November 2004
Who and what has access to which resource has to be controlled on every IT system.
Introduction
Issues that are controlled include:
- access to files
- access to memory
- execution of programs
- sharing data with other principals
Access is controlled at different levels:
- application
- middleware
- operating system
- hardware
The complexity of administering access control is growing.
Hardware Protection
Protection Problem: preventing one process from interfering with another
Confinement Problem: preventing programs from communicating outwards other than through authorized channels (e.g. memory overwriting)
Intel 80x86 (Pentium) Processors
- 8088/8086: any running program controlled the whole machine
- 80286: protected segment addressing and rings, so proper operating systems could run
- 80386: built-in virtual memory and large memory segments, treated as a 32-bit flat-address machine
Rings
- process in ring 0 (kernel) manages privilege level of other processes
- ring 1, 2 usually system processes (e.g. win32 subsys, virtual DOS)
- ring 3 user programs
- gates between rings for executing code at another level
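The ring and gate rules listed above can be modelled in a few lines. This is an added example, not part of the original notes; it is a simplified sketch of the x86 protected-mode privilege checks, and every type, function and descriptor name in it is hypothetical.

```c
#include <stdio.h>

/* Simplified model of x86 protected-mode ring checks (illustration only).
 * Lower number = more privilege: ring 0 is the kernel, ring 3 user code.
 * All type, function and variable names here are hypothetical. */
typedef struct { int dpl; } segment;            /* descriptor privilege level */
typedef struct { int dpl; const segment *target; } call_gate;

static int max_int(int a, int b) { return a > b ? a : b; }

/* Data access: the current ring (cpl) and the privilege level requested in
 * the selector (rpl) must both be at least as privileged as the segment. */
int data_access_ok(int cpl, int rpl, const segment *data) {
    return max_int(cpl, rpl) <= data->dpl;
}

/* Direct far call to a non-conforming code segment: same ring only. */
int direct_call_ok(int cpl, int rpl, const segment *code) {
    return cpl == code->dpl && rpl <= cpl;
}

/* Call through a gate: the caller must be privileged enough to use the gate,
 * and the gate may only lead to equally or more privileged code.
 * Returns the new CPL, or -1 where the CPU would raise a protection fault. */
int gate_call(int cpl, int rpl, const call_gate *g) {
    if (max_int(cpl, rpl) > g->dpl) return -1;  /* caller may not use gate */
    if (g->target->dpl > cpl) return -1;        /* gates never lower privilege */
    return g->target->dpl;
}

/* Constructed sample descriptors. */
static const segment kernel_code = {0}, kernel_data = {0}, user_data = {3};
static const call_gate syscall_gate = {3, &kernel_code}; /* open to ring 3 */
static const call_gate driver_gate  = {1, &kernel_code}; /* rings 0-1 only */

int main(void) {
    printf("ring 3 reads kernel data:        %d\n", data_access_ok(3, 3, &kernel_data));
    printf("ring 0 reads user data:          %d\n", data_access_ok(0, 0, &user_data));
    printf("ring 0 with user-supplied RPL 3: %d\n", data_access_ok(0, 3, &kernel_data));
    printf("ring 3 calls kernel directly:    %d\n", direct_call_ok(3, 3, &kernel_code));
    printf("ring 3 via syscall gate, new CPL %d\n", gate_call(3, 3, &syscall_gate));
    printf("ring 3 via driver gate:          %d\n", gate_call(3, 3, &driver_gate));
    return 0;
}
```

The third case shows why the requested privilege level matters: ring 0 code that uses a selector handed to it by ring 3 is checked at ring 3, so it cannot be tricked into touching kernel data on the caller's behalf.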
Other Processors
Acorn RISC Machine (ARM)
- most commonly licensed to third-party vendors of embedded systems
- 32-bit processor
- separate banks of registers for user and system processes
- hardware protection can be customized
Security Processors
- hardware security support for cryptography and access control
- authorized state
- password-protected memory access
see above
Operating Systems
Groups and Roles
Access Control Lists
Capabilities
Understands
Problems
A problem arises if any level doesn't control access.