• Title/Summary/Keyword: least privilege

Search Result 17, Processing Time 0.025 seconds

A Study on Database Access Control using Least-Privilege Account Separation Model (최소 권한 계정 분리 모델을 이용한 데이터베이스 엑세스 제어 연구)

  • Jang, Youngsu
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.15 no.3
    • /
    • pp.101-109
    • /
    • 2019
  • In addition to enabling access, database accounts play a protective role by defending the database from external attacks. However, because only a single account is used in the database, the account becomes the subject of vulnerability attacks. This common practice is due to the lack of database support, large numbers of users, and row-based database permissions. Therefore if the logic of the application is wrong or vulnerable, there is a risk of exposing the entire database. In this paper, we propose a Least-Privilege Account Separation Model (LPASM) that serves as an information guardian to protect the database from attacks. We separate database accounts depending on the role of application services. This model can protect the database from malicious attacks and prevent damage caused by privilege escalation by an attacker. We classify the account control policies into four categories and propose detailed roles and operating plans for each account.

A Study of Security Checks for Android Least Privilege - focusing on mobile financial services - (모바일 앱 최소권한 사전검증에 관한 연구 - 금융, 안드로이드 운영체제 중심으로 -)

  • Cho, Byung-chul;Choi, Jin-young
    • Journal of Internet Computing and Services
    • /
    • v.17 no.1
    • /
    • pp.91-99
    • /
    • 2016
  • A security system in Android OS adopts sandbox and an permission model. In particular, the permission model operates the confirmation of installation time and all-or-nothing policy. Accordingly, the Android OS requires a user agreement for permission when installing an application, however there is very low level of user awareness for the permission. In this paper, the current status of permission requirement within mobile apps will be discovered, and the key inspection list with an appropriate method, when a mobile service provider autonomously inspects the violation of least privilege around financial companies, and its usefulness will be explored.

A Model of Role Hierarchies providing Restricted Permission Inheritance (권한상속 제한 기능을 제공하는 역할계층 모델)

  • 이용훈;김용민;이형효;진승헌
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.13 no.4
    • /
    • pp.37-45
    • /
    • 2003
  • Role-based Access Control(RBAC) model has advantage of easy management of access control with constraints such as permission inheritance and separation of duty in role hierarchy. However, previous RBAC studies could not properly reflect the real-world organization structure with its role hierarchy. User who is a member of senior role can perform all permissions because senior role inherits all permissions of junior roles in the role hierarchy. Therefore there is a possibility for senior role members to abuse permissions due to violation of the least privilege principle. In this paper, we present a new model of role hierarchy, which restricts the unconditional permission inheritance. In the proposed model, a role is divided into sub roles(unconditional inheritance. restricted inheritance, private role), keeping organization structure in corporate environment. With restricted inheritance, the proposed model prevents permission abuse by specifying the degree of inheritance in role hierarchy.

An Access Control Model for Privacy Protection using Purpose Classification (사용목적 분류를 통한 프라이버시 보호를 위한 접근제어 모델)

  • Na Seok-Hyun;Park Seog
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.16 no.3
    • /
    • pp.39-52
    • /
    • 2006
  • Recently purpose is used by an crucial part to security management when collecting data about privacy. The W3C(World Wide Web Consortium) describes a standard spec to control personal data that is provided by data providers who visit the web site. But they don't say anymore about security management about personal data in transit after data collection. Recently several researches, such as Hippocratic Databases, Purpose Based Access Control and Hippocratic in Databases, are dealing with security management using purpose concept and access control mechanism after data collection a W3C's standard spec about data collection mechanism but they couldn't suggest an efficient mechanism for privacy protection about personal data because they couldn't represent purpose expression and management of purposes sufficiently. In this paper we suggest a mechanism to improve the purpose expression. And then we suggest an accesscontrol mechanism that is under least privilege principle using the purpose classification for privacy protection. We classify purpose into Along purpose structure, Inheritance purpose structure and Stream purpose structure. We suggest different mechanisms to deal with then We use the role hierarchy structure of RBAC(Role-Based Access Control) for flexibility about access control and suggest mechanisms that provide the least privilege for processing the task in case that is satisfying using several features of purpose to get least privilege of a task that is a nit of business process.

A Study on Enforcing Principle of Least Privilege on Shared Memory (공유 메모리에의 최소 특권의 원칙 적용 기법에 대한 연구)

  • Jun-Seung You;Bang-In Young;Yun-Heung Paek
    • Annual Conference of KIPS
    • /
    • 2023.05a
    • /
    • pp.26-28
    • /
    • 2023
  • 현대 시스템의 크기와 복잡도 증가로 인하여 시스템의 여러 구성 요소들이 공유하는 메모리에 대한 최소 특권의 원칙 적용의 필요성이 대두되었다. 제 3 자 라이브러리, 다중 쓰레드 등의 각 구성 요소들이 접근할 수 있는 메모리 권한을 다르게 적용함으로써 구성 요소들 중 하나에서의 취약점이 전체 시스템을 위협하는 것을 방지함과 동시에 각 요소들 간 효율적인 메모리 공유를 가능케 하기 때문이다. 본 논문에서는 공유 메모리에 대한 최소 특권의 원칙 적용 기법들의 분석과 더불어 각 기법들이 가지는 한계점을 제시한다.

Permission Inheritance Expression with Role Hierarchy of RBAC (역할기반 접근통제에서 역할 계층에 따른 접근권한 상속의 표현)

  • Lee, Sang-Ha;Jo, In-Jun;Cheon, Eun-Hong;Kim, Dong-Gyu
    • The Transactions of the Korea Information Processing Society
    • /
    • v.7 no.7
    • /
    • pp.2125-2134
    • /
    • 2000
  • RBAC(Role Based Access Control) has the advantage that reflects the real world because it presents a basic access control model based on user's role in organizations or governments. But in RBAC model, the privileges of the senior roles in these hierarchies are inherited from those of the junior roles, so RBAC model has the privileges problem that he senior are given more privileges than they need. That is, it tends to infringe the Principle of Least Privilege. On the other hand, if we give some excessive constraints on the RBAC model without scrupulous care, it may be meaningless property of role hierarchies. Furthermore, such complicated constraints make it more difficult to mange resources and roles in huge enterprise environments. The purpose of this paper is to solve the problems of role hierarchies such as inefficient role managements and abuse of privileges by using newly presented the backward tag pointer path expression in the inheritance of privileges.

  • PDF

An Advanced Permission-Based Delegation Model in RBAC (RBAC을 기반으로 하는 향상된 권한 위임 모델)

  • Kim, Tae-Shik;Chang, Tae-Mu
    • The KIPS Transactions:PartC
    • /
    • v.13C no.6 s.109
    • /
    • pp.725-732
    • /
    • 2006
  • RBAC(Role-Based Access Control) has advantages in managing access controls, because it offers the role inheritance and separation of duty in role hierarchy structures. However, RBAC does not process delegation of permission effectively that occurs frequently in the real world. This paper proposes an Advanced Permission-Based Delegation Model(APBDM) that guarantees permanency of delegated permissions and does not violate security principle of least privilege and separation of duty. APBDM, based on the well-known RBAC96, supports both user-to-user and role-to-role delegation. A delegator can give permission to a specific person, that is delegatee, and the permission can be withdrawn whenever the delegator wants. Our model is analyzed and shown to be effective in the present paper.

Analysis of Web Browser Security Configuration Options

  • Jillepalli, Ananth A.;de Leon, Daniel Conte;Steiner, Stuart;Alves-Foss, Jim
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.12 no.12
    • /
    • pp.6139-6160
    • /
    • 2018
  • For ease of use and access, web browsers are now being used to access and modify sensitive data and systems including critical control systems. Due to their computational capabilities and network connectivity, browsers are vulnerable to several types of attacks, even when fully updated. Browsers are also the main target of phishing attacks. Many browser attacks, including phishing, could be prevented or mitigated by using site-, user-, and device-specific security configurations. However, we discovered that all major browsers expose disparate security configuration procedures, option names, values, and semantics. This results in an extremely hard to secure web browsing ecosystem. We analyzed more than a 1000 browser security configuration options in three major browsers and found that only 13 configuration options had syntactic and semantic similarity, while 4 configuration options had semantic similarity, but not syntactic similarity. We: a) describe the results of our in-depth analysis of browser security configuration options; b) demonstrate the complexity of policy-based configuration of web browsers; c) describe a knowledge-based solution that would enable organizations to implement highly-granular and policy-level secure configurations for their information and operational technology browsing infrastructures at the enterprise scale; and d) argue for necessity of developing a common language and semantics for web browser configurations.

Security Verification of FTP-Proxy Security Model Coloured Petri Net (컬러드 페트리 네트를 기반으로 한 FTP 프록시 보안 모델의 안전성 검증)

  • Lee, Moon-Ku;Jun, Moon-Seog
    • Journal of KIISE:Information Networking
    • /
    • v.28 no.3
    • /
    • pp.369-376
    • /
    • 2001
  • The firewall systems can be installed between the intemal network and the extemal network. The firewall systems has the least privilege, so its does not provide transparency to user. This problem of transparency can be solved by using the proxy. In this thesis, I have designed and verified the FTP-PSM(FTP-Proxy Security Mode]) which provides transparency for the firewall systems and has a strong security function. FTP-PSM doesn't finish its work after implementing a command. Instead, its does several security functions such as user authentication, MAC(MandatOlY Access Controll, DAC(Discretionary Access Controll and authentication of user group. Those data must not be lost under any circumstances in order to implement the above security functions. So, the security against such problems as falling into deadlock or unlimited loop during the implementation must be verified. Therefore, FTP-PSM suggested in thesis was verified its security through PHPlace Invariant) based on CPNlCo]oured Petri Net).

  • PDF

A Time Constraints Permission Based Delegation Model in RBAC (RBAC을 기반으로 하는 시간제한 권한 위임 모델)

  • Kim, Tae-Shik;Chang, Tae-Mu
    • Journal of the Korea Society of Computer and Information
    • /
    • v.15 no.11
    • /
    • pp.163-171
    • /
    • 2010
  • RBAC(Role-Based Access Control) has advantages in managing access controls, because it offers the role inheritance and separation of duty in role hierarchy structures. Delegation is a mechanism of assigning access rights to a user. RBDM0 and RDM2000 models deal with user-to-user delegation. The unit of delegation in them is a role. However, RBAC does not process delegation of Role or Permission effectively that occurs frequently in the real world. This paper proposes a Time Constraints Permission-Based Delegation Model(TCPBDM) that guarantees permanency of delegated permissions and does not violate security principle of least privilege and separation of duty. TCPBDM, based on the well-known RBAC96, supports both user-to-user and role-to-role delegation with time constraints. A delegator can give permission to a specific person, that is delegatee, and the permission can be withdrawn whenever the delegator wants. Our model is analyzed and shown to be effective in the present paper.