Access Control: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 5: | Line 5: | ||
Controlled are issues like |
|||
*access to files |
*access to files |
||
*access to memory |
*access to memory |
||
*execution of programs |
*execution of programs |
||
*sharing |
*sharing data with other principals |
||
Access is |
Access is controlled at different levels: |
||
*application |
*application |
||
| Line 26: | Line 26: | ||
Protection Problem: |
Protection Problem: |
||
preventing one process |
preventing one process from interfering with another |
||
Confinement Problem: |
Confinement Problem: |
||
preventing programs |
preventing programs communicating outwards through other than |
||
authorized channels (e.g. memory overwriting) |
authorized channels (e.g. memory overwriting) |
||
| Line 60: | Line 60: | ||
Acorn Risc Machine (ARM) |
Acorn Risc Machine (ARM) |
||
*most commonly to third-party vendors of embedded systems |
*most commonly licensed to third-party vendors of embedded systems |
||
*32-bit processor |
*32-bit processor |
||
* |
*separate banks of registers for user and system processes |
||
*hardware protection can be customized |
*hardware protection can be customized |
||
| Line 83: | Line 83: | ||
==Problems== |
==Problems== |
||
problem if any level doesn’t |
problem if any level doesn’t controll access |
||
Revision as of 12:30, 1 December 2004
Who and what has access to which resource has to be controled on every IT System.
Introduction
Controlled are issues like
- access to files
- access to memory
- execution of programs
- sharing data with other principals
Access is controlled at different levels:
- application
- middleware
- operating system
- hardware
The complexity of administering Access Control is growing complexity.
Hardware Protection
Protection Problem: preventing one process from interfering with another
Confinement Problem: preventing programs communicating outwards through other than authorized channels (e.g. memory overwriting)
Intel 80x86 (Pentium) Processors
| 8088/8086: | any running program controlled the whole machine |
| 80286: | protected segment addressing and rings, operating systems could run proper |
| 80386: | built-in virtual memory and large memory segments, treated as a 32-bit flat-address machine |
Rings
- process in ring 0 (kernel) manages privilege level of other processes
- ring 1, 2 usually system processes (e.g. win32 subsys, virtual DOS)
- ring 3 user programs
- gates between rings for executing code at an other level
Other Procssors
Acorn Risc Machine (ARM)
- most commonly licensed to third-party vendors of embedded systems
- 32-bit processor
- separate banks of registers for user and system processes
- hardware protection can be customized
Security Processors
- hardware security support for cryptography and access control
- authorized state
- password covered memory access
s.o.
Operating Systems
Groups and Roles
Access Control Lists
Capabilities
Understands
Problems
problem if any level doesn’t controll access