Security Now Episode #95

Steve Gibson and Leo Laporte talked about OpenID on Episode 95.  OpenID would provide a single-sign on verification for site logins.  This would not replace something like SSL (which is mutual authentication), but it would be better for simple site logins to sites like, and others.

BYU professor Philip J. Windley, explains how OpenID works on his site.

Recognize and be able to differentiate and explain the following access control models

· MAC (Mandatory Access Control)
· DAC (Discretionary Access Control)
· RBAC (Role Based Access Control)

To understand MAC, DAC and RBAC you must first understand Access Control.

Access Control is the control of user and process control access to  network and operating system resources.  For example, many spyware and adware applications not only download themselves on to your computer without your permission, but they also help themselves to your systems CPU, hard drive and memory.  What happens to most of us is that we get hit with 10 or 15 of these applications by accessing the Internet without protection.  Imagine 10 to 15 badly written memory hogs using your CPU and memory to access your cached references to your web surfing habits (or worse credit card, ssn) and send that potentially valuable information to some server in Nigeria or Russia.


Mandatory Access Control (MAC)


Mandatory Access Control is military grade security.  Like DAC, it has been around since the 60’s.  With MAC, the security on all resources are strictly policy controlled.  All processes and users (or subjects) must specifically given permission to access a resource (or object). 


Subjects are given a number indicating their level of access.  Subjects can access any object with a lower number.  With modern military and national security systems this permissions matrix is supplemented with a classification level.


Discrestionary Access Control (DAC)


Discretionary Access Control is where a subject has control over an object. In this case a “subject” could be a home user.  And lets say the home user has admin privileges because he wants to download applications like Kazaa Lite ++.  The “object” or resource is Money Quick, a financial application that creates important bank account spreadsheets. 


The home user is no fool so he locks the Money Quick application down so that only the administrator has permissions to the file.  She is the only administrator on the computer so there is no problem right?  Wrong.  With DAC any application that runs while the current user is logged on has the same permissions. 


So, the home user finds Kazaa Lite ++ on Internet and downloads it.  The shareware app is of course loaded with all kinds of spyware, adware, Trojan filth that goes directly for her Money Quick software.


Is very popular and has been in use primarily in the commercial and academic worlds since the ’60’s.


Role Based Access Control (RBAC)


Role Based Access Control is fairly new and is considered the evolution of the DAC & MAC.  With RBAC, each subject is assigned a role.  Users without roles can be put into groups that pertain to a certain department or job such as sales or management.  Objects only allow subjects on a permission basis.  Modern operating systems such as Solaris, Linux and Window 2k/XP/03 are perfect example of how Role Based Access Control works.


The RBAC started in the 1990s and fully materialized in the RBAC96.  There is currently a lot of research being done on the RBAC.