-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #51 from LeChatP/develop
Documentation improvements, build process refactoring
- Loading branch information
Showing
12 changed files
with
164 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| [[{{item.authors.[0].[0]}}{{#if item.authors.[2]}} et al.{{else}}{{#if item.authors.[1]}} & {{item.authors.[1].[0]}}{{/if}}{{/if}} {{item.pub_year}}]({{path}}#{{item.citation_key}})] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| # What is eBPF ? | ||
|
|
||
| eBPF (extended Berkeley Packet Filter) is a technology that allows the execution of custom programs in the Linux kernel without changing the kernel source code or loading kernel modules. In RootAsRole, we use eBPF to implement the `capable` command. This command allows you to check if a process requests any capability. | ||
| eBPF (extended Berkeley Packet Filter) @@sharafExtendedBerkeleyPacket2022 is a technology that allows the execution of custom programs in the Linux kernel without changing the kernel source code or loading kernel modules. In RootAsRole, we use eBPF to implement the `capable` command. This command allows you to check if a process requests any capability. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,10 +1,17 @@ | ||
| # Why you need to use Role-Based Access Control Model | ||
| # What is Role-Based Access Control Model? | ||
|
|
||
| Role-Based Access Control (RBAC) is a security model that grants access to resources based on a user's role within an organization. Here are some reasons why you need to use Role-Based Access Control: | ||
| Role-Based Access Control (RBAC) is a access control model that grants access to resources based on a user's role within an organization @@ferraioloProposedNISTStandard2001. This model makes it easier to manage user-centric access control policies. Indeed, this design allows to simply the distribution of user's responsibilities and better organize the access control policies in this context. | ||
|
|
||
| 1. **Simplified User Management**: RBAC eliminates the need to manage individual user permissions, making it easier to add or remove users from a system. | ||
| 1. **Increased Efficiency**: RBAC automates the process of granting and revoking access to resources, reducing the administrative burden on IT teams. | ||
| 1. **Scalability**: RBAC is highly scalable, making it an ideal solution for large and complex organizations. | ||
| 1. **Flexibility**: RBAC can be applied to various systems, applications, and networks, making it a versatile security solution. | ||
| # What about Attribute-based Access Control Model ? | ||
|
|
||
| By implementing Role-Based Access Control, RootAsRole provides a efficient way to manage user access to resources within your organization. | ||
| Attribute-Based Access Control (ABAC) is a more flexible model that grants access based on attributes of the user, the resource, the actions, and the environment by applying constraints on them. This design allows to implement generic access control policies. However, ABAC does not solve the problem of managing user-centric responsibilities access control policies. Indeed, ABAC allow to define generic policies, but not to manage them correctly given specific access control need. However, As ABAC can define a generic policy, it can be used to implement RBAC @@jinRABACRoleCentricAttributeBased2012, Bell-Lapadula (for confidentiality) @@balamuruganHoneyBeeBehaviour2015 or even Biba (for integrity) access control models @@kashmarAccessControlModels2020. | ||
|
|
||
| So ABAC is allowing to reach multiple access control properties by implementing multiple specific access control models. However, not respecting precisely these models designs may not reach the expected security properties. | ||
|
|
||
| # So why not use ABAC instead of RBAC for RootAsRole? | ||
|
|
||
| RootAsRole wants to delegate administrative responsibilities to severals users with more respect on the principle of least privilege. This means that RootAsRole access control policy is more user-centric, and thus, RBAC is more adapted to this context. | ||
|
|
||
| # Is it possible to use ABAC with RootAsRole? | ||
|
|
||
| Today, it requires some development to integrate RootAsRole in an ABAC implementation. However, RootAsRole will never implement ABAC by itself, so RootAsRole would requires to implement RBAC (with RootAsRole information) in the ABAC solution. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
|
|
||
| @inproceedings{abedinDetectionResolutionAnomalies2006, | ||
| location = {Berlin, Heidelberg}, | ||
| title = {Detection and Resolution of Anomalies in Firewall Policy Rules}, | ||
| isbn = {978-3-540-36799-4}, | ||
| doi = {10.1007/11805588_2}, | ||
| series = {Lecture Notes in Computer Science}, | ||
| abstract = {A firewall is a system acting as an interface of a network to one or more external networks. It implements the security policy of the network by deciding which packets to let through based on rules defined by the network administrator. Any error in defining the rules may compromise the system security by letting unwanted traffic pass or blocking desired traffic. Manual definition of rules often results in a set that contains conflicting, redundant or overshadowed rules, resulting in anomalies in the policy. Manually detecting and resolving these anomalies is a critical but tedious and error prone task. Existing research on this problem have been focused on the analysis and detection of the anomalies in firewall policy. Previous works define the possible relations between rules and also define anomalies in terms of the relations and present algorithms to detect the anomalies by analyzing the rules. In this paper, we discuss some necessary modifications to the existing definitions of the relations. We present a new algorithm that will simultaneously detect and resolve any anomaly present in the policy rules by necessary reorder and split operations to generate a new anomaly free rule set. We also present proof of correctness of the algorithm. Then we present an algorithm to merge rules where possible in order to reduce the number of rules and hence increase efficiency of the firewall.}, | ||
| pages = {15--29}, | ||
| booktitle = {Data and Applications Security {XX}}, | ||
| publisher = {Springer}, | ||
| author = {Abedin, Muhammad and Nessa, Syeda and Khan, Latifur and Thuraisingham, Bhavani}, | ||
| editor = {Damiani, Ernesto and Liu, Peng}, | ||
| date = {2006}, | ||
| langid = {english}, | ||
| keywords = {Anomalies, Firewalls, Network Security, Packet Filters, Security Policy}, | ||
| file = {Abedin et al_2006_Detection and Resolution of Anomalies in Firewall Policy Rules.pdf:/home/ebilloir/Zotero/storage/SF8UN3P2/Abedin et al_2006_Detection and Resolution of Anomalies in Firewall Policy Rules.pdf:application/pdf}, | ||
| } | ||
|
|
||
| @article{sharafExtendedBerkeleyPacket2022, | ||
| title = {Extended Berkeley Packet Filter: An Application Perspective}, | ||
| volume = {10}, | ||
| rights = {https://creativecommons.org/licenses/by-nc-nd/4.0/}, | ||
| issn = {2169-3536}, | ||
| url = {https://ieeexplore.ieee.org/document/9968265/}, | ||
| doi = {10.1109/ACCESS.2022.3226269}, | ||
| shorttitle = {Extended Berkeley Packet Filter}, | ||
| pages = {126370--126393}, | ||
| journaltitle = {{IEEE} Access}, | ||
| shortjournal = {{IEEE} Access}, | ||
| author = {Sharaf, Husain and Ahmad, Imtiaz and Dimitriou, Tassos}, | ||
| urldate = {2024-06-20}, | ||
| date = {2022}, | ||
| } | ||
|
|
||
| @incollection{jinRABACRoleCentricAttributeBased2012, | ||
| location = {Berlin, Heidelberg}, | ||
| title = {{RABAC}: Role-Centric Attribute-Based Access Control}, | ||
| volume = {7531}, | ||
| isbn = {978-3-642-33703-1 978-3-642-33704-8}, | ||
| url = {http://link.springer.com/10.1007/978-3-642-33704-8_8}, | ||
| shorttitle = {{RABAC}}, | ||
| pages = {84--96}, | ||
| booktitle = {Computer Network Security}, | ||
| publisher = {Springer Berlin Heidelberg}, | ||
| author = {Jin, Xin and Sandhu, Ravi and Krishnan, Ram}, | ||
| editor = {Kotenko, Igor and Skormin, Victor}, | ||
| editorb = {Hutchison, David and Kanade, Takeo and Kittler, Josef and Kleinberg, Jon M. and Mattern, Friedemann and Mitchell, John C. and Naor, Moni and Nierstrasz, Oscar and Pandu Rangan, C. and Steffen, Bernhard and Sudan, Madhu and Terzopoulos, Demetri and Tygar, Doug and Vardi, Moshe Y. and Weikum, Gerhard}, | ||
| editorbtype = {redactor}, | ||
| urldate = {2024-06-20}, | ||
| date = {2012}, | ||
| doi = {10.1007/978-3-642-33704-8_8}, | ||
| note = {Series Title: Lecture Notes in Computer Science}, | ||
| } | ||
|
|
||
| @inproceedings{balamuruganHoneyBeeBehaviour2015, | ||
| location = {Chennai, India}, | ||
| title = {A Honey Bee behaviour inspired novel Attribute-based access control using enhanced Bell-Lapadula model in cloud computing}, | ||
| isbn = {978-1-4799-8787-0 978-1-4799-8788-7}, | ||
| url = {http://ieeexplore.ieee.org/document/7396064/}, | ||
| doi = {10.1109/ICIICT.2015.7396064}, | ||
| eventtitle = {2015 International Conference on Innovation Information in Computing Technologies ({ICIICT})}, | ||
| pages = {1--6}, | ||
| booktitle = {International Confernce on Innovation Information in Computing Technologies}, | ||
| publisher = {{IEEE}}, | ||
| author = {Balamurugan, B and Shivitha, N Gnana and Monisha, V and Saranya, V}, | ||
| urldate = {2024-06-20}, | ||
| date = {2015-02}, | ||
| } | ||
|
|
||
| @incollection{kashmarAccessControlModels2020, | ||
| location = {Cham}, | ||
| title = {From Access Control Models to Access Control Metamodels: A Survey}, | ||
| volume = {70}, | ||
| isbn = {978-3-030-12384-0 978-3-030-12385-7}, | ||
| url = {http://link.springer.com/10.1007/978-3-030-12385-7_61}, | ||
| shorttitle = {From Access Control Models to Access Control Metamodels}, | ||
| pages = {892--911}, | ||
| booktitle = {Advances in Information and Communication}, | ||
| publisher = {Springer International Publishing}, | ||
| author = {Kashmar, Nadine and Adda, Mehdi and Atieh, Mirna}, | ||
| editor = {Arai, Kohei and Bhatia, Rahul}, | ||
| urldate = {2024-06-20}, | ||
| date = {2020}, | ||
| langid = {english}, | ||
| doi = {10.1007/978-3-030-12385-7_61}, | ||
| note = {Series Title: Lecture Notes in Networks and Systems}, | ||
| } | ||
|
|
||
| @article{ferraioloProposedNISTStandard2001, | ||
| title = {Proposed {NIST} standard for role-based access control}, | ||
| volume = {4}, | ||
| issn = {1094-9224, 1557-7406}, | ||
| url = {https://dl.acm.org/doi/10.1145/501978.501980}, | ||
| doi = {10.1145/501978.501980}, | ||
| abstract = {In this article we propose a standard for role-based access control ({RBAC}). Although {RBAC} models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative definition of {RBAC} exists today. This lack of a widely accepted model results in uncertainty and confusion about {RBAC}'s utility and meaning. The standard proposed here seeks to resolve this situation by unifying ideas from a base of frequently referenced {RBAC} models, commercial products, and research prototypes. It is intended to serve as a foundation for product development, evaluation, and procurement specification. Although {RBAC} continues to evolve as users, researchers, and vendors gain experience with its application, we feel the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers. As such, this document does not attempt to standardize {RBAC} features beyond those that have achieved acceptance in the commercial marketplace and research community, but instead focuses on defining a fundamental and stable set of {RBAC} components. This standard is organized into the {RBAC} Reference Model and the {RBAC} System and Administrative Functional Specification. The reference model defines the scope of features that comprise the standard and provides a consistent vocabulary in support of the specification. The {RBAC} System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of {RBAC} sets and relations, as well as for specifying system level functionality in support of session attribute management and an access control decision process.}, | ||
| pages = {224--274}, | ||
| number = {3}, | ||
| journaltitle = {{ACM} Transactions on Information and System Security}, | ||
| shortjournal = {{ACM} Trans. Inf. Syst. Secur.}, | ||
| author = {Ferraiolo, David F. and Sandhu, Ravi and Gavrila, Serban and Kuhn, D. Richard and Chandramouli, Ramaswamy}, | ||
| urldate = {2022-11-24}, | ||
| date = {2001-08}, | ||
| langid = {english}, | ||
| file = {Ferraiolo et al_2001_Proposed NIST standard for role-based access control.pdf:/home/ebilloir/Zotero/storage/U5ID298G/Ferraiolo et al_2001_Proposed NIST standard for role-based access control.pdf:application/pdf}, | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| {{#if citation_key}} | ||
|
|
||
| <div class="bib_div"> | ||
|
|
||
| <details data-key="{{citation_key}}" class=ref> | ||
|
|
||
| {{!-- citation --}} | ||
| <summary class=citation> | ||
| <a id="{{citation_key}}">[{{citation_key}}]</a> - {{#if authors}}{{authors}} - {{/if}}{{#if title}}{{#if url}}<a href="{{url}}" target="_blank">{{/if}}<cite>{{title}}</cite>{{#if url}}</a>{{/if}}.{{/if}} - {{#if pub_year}}{{pub_year}}.{{/if}} | ||
| </summary> | ||
|
|
||
| {{!-- summary/abstract --}} | ||
| {{#if summary}} | ||
| <section class=abstract> | ||
| <h1>Summary/Abstract</h1> | ||
| <div>{{summary}}</div> | ||
| </section> | ||
| {{/if}} | ||
|
|
||
| </details> | ||
|
|
||
| <br/> | ||
|
|
||
| </div> | ||
|
|
||
| {{/if}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters