Security notes / Glossary

From Helpful
Revision as of 19:36, 16 March 2021 by Helpful (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Security related stuff.





Access control

Least privilege (principle)

The principle of least privilege means each actor in a system should be able to access no more than it needs.

For example, you can say

your web server shoudn't be able to read the filsystem except its own documents.
your backup program should not be able to
run anything (beyond its own components
write anywhere except the backup disk, or its own logs

This is part of why (functional) user accounts are often created for each such part - so you can handle that via filesystem permissions (see DAC).

When you want to crack down on this more, look at things like SELinux (because it adds MAC).

Note that the isolation in VMs and OS containers, are implicitly least-privilege as well: no connection to the outside unless permitted.

See also:

Discretionary Access Control (model)

Discretionary access control (DAC) means access to an object is at the discretion of the object's owner.

...more precisely, the identity of subjects. Usually that's owner-based, though e.g. capability systems often allow transfer to other parts.

Mainly contrasted with MAC


permissions in most filesystems

Mandatory Access Control (model)

Mandatory access control (MAC) means the system, not the users, decides access between objects.

Often means labeling objects (usually with particular categories), and having rules based on these categories.

...for practical reasons: it keeps the rules sane, and in most cases sorting objects into categories is practical.

In various user this assists DAC, because while MAC is good at partitioning off parts of a system in broad terms (e.g. web server may only read under /var/www regardless of permissions), it is less flexible at anything you can't describe well up front (like people sharing specific files securely).

(And while you can sort of implement DAC with MAC, it's not a very sane solution.)

Role-Based Access Control (model)

Role-based access control (RBAC) does not refer directly to a way of implementing access control (like DAC and MAC), but to the the focus on roles and inheritance, that are often also present in DAC, MAC and others.

That said, it's a moderately detailed abstraction, so considered a thing of its own, and can be used to implement DAC and MAC (and others).

Related notes

If you squint, there is sometimes very little difference between a category that a MAC system works on and a group that a DAC works on. what they mean to use - the difference lies largely in who may change them - the admin, or the relevant user.

This is also roughly why there is value in mixing them. E.g. stricly separate web server, database, and other in terms of many resources. And have users as a third general pile, they can figure out among themselves and mostly just care about filesystem DAC anyway.

Hacking terminology

Passive recon

Attack vector

Attack surface

Attack factor

Red Team


Forward secrecy

the idea that past session keys are not compromised even if a secret key is compromised in the future
basically, it refers to protocols that negotiate unique keys for a session based on a key, rather than using that key directly

Man in the middle

Two generals problem

The bitter ex test

Forward secrecy

Worm, virus, trojan, etc.