
secappdev.org's video: Access Control update 2015 - George Danezis

Access Control, update 2015 - George Danezis
Access control is a mechanism for enforcing security policy. This is a lecture on classical access control models. Models should be assessed against expressiveness, efficiency, ability to afford full mediation and safety. Conceptually, permissions are stored in an Access Control Matrix, indicating which subjects can access which objects. There are two practical approaches to this: Access Control Lists (ACLs), which state which subjects have what permissions on an object, and Capabilities, where a subject is granted access to a set of objects. Role-Based Access Control (RBAC) can be considered a further refinement of ACLs motivated by efficiency. The Reference Monitor is the part of the system that makes access control decisions. In systems with ambient authority it is difficult to express that an action takes place "on behalf" of another principal, and hence the Confused Deputy problem is common. Capability architectures may go some way to solving this, but give rise to new difficulties such as how capabilities can be revoked and how delegation can be controlled.

George Danezis delivered this lecture as part of the SecAppDev 2015 course held in Leuven, Belgium.

George Danezis is a Reader in Security and Privacy Engineering at the Department of Computer Science of University College London. He has been working on anonymous communications, privacy enhancing technologies (PET), and traffic analysis since 2000. He has previously been a researcher for Microsoft Research, Cambridge; a visiting fellow at K.U.Leuven (Belgium); and a research associate at the University of Cambridge (UK), where he also completed his doctoral dissertation under the supervision of Prof. R.J. Anderson. His theoretical contributions to the PET field include the established information theoretic metric for anonymity and pioneering the study of statistical attacks against anonymity systems.

On the practical side he is one of the lead designers of the anonymous mail system Mixminion, and has worked on the traffic analysis of deployed protocols such as Tor. His current research interests focus on smart grid privacy, peer-to-peer and social network security, as well as the application of machine learning techniques to security problems. He has published over 50 peer-reviewed scientific papers on these topics in international conferences and journals. He was the co-program chair of the ACM Computer and Communications Security Conference in 2011 and 2012, IFCA Financial Cryptography and Data Security in 2011, and the Privacy Enhancing Technologies Workshop in 2005 and 2006. He sits on the PET Symposium board and he regularly serves on program committees of leading conferences in the field of privacy and security.
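The access control matrix, its ACL and capability projections, and the confused-deputy case named in the lecture abstract, as an added Python sketch that is not taken from the lecture. The subjects, objects and function names (alice, compiler, billing.log, monitor and so on) are constructed for illustration.

```python
from collections import defaultdict

# Constructed access control matrix: (subject, object) -> rights.
MATRIX = {
    ("alice", "out.txt"): {"read", "write"},
    ("alice", "compiler"): {"execute"},
    ("compiler", "billing.log"): {"write"},
}

def acl_view(matrix):
    """Column view of the matrix: object -> {subject: rights}."""
    acls = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        acls[obj][subj] = set(rights)
    return dict(acls)

def capability_view(matrix):
    """Row view of the matrix: subject -> {object: rights}."""
    caps = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        caps[subj][obj] = set(rights)
    return dict(caps)

def monitor(subject, obj, right):
    """Reference monitor: the single place where access is decided."""
    return right in MATRIX.get((subject, obj), set())

def deputy_ambient(caller, out_name):
    """Compiler service writes its output to a name chosen by the caller.
    The decision uses the compiler's own (ambient) authority; `caller`
    is never consulted, which is exactly the confused-deputy flaw."""
    return monitor("compiler", out_name, "write")

def deputy_capability(delegated, out_name):
    """Capability style: the caller must hand over a write capability
    for the output object, so it can only designate what it holds."""
    return "write" in delegated.get(out_name, set())

def demo():
    alice_caps = capability_view(MATRIX)["alice"]
    return {
        # alice has no right on billing.log, yet the write is allowed
        "ambient_billing": deputy_ambient("alice", "billing.log"),
        "cap_billing": deputy_capability(alice_caps, "billing.log"),
        "cap_own_file": deputy_capability(alice_caps, "out.txt"),
    }

if __name__ == "__main__":
    print(demo())
```

In the capability variant the question of how alice later withdraws the delegated right is left open, which is the revocation difficulty the abstract mentions.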

This video was published on 2015-08-20 13:33:55 GMT by @secappdev.org on YouTube. secappdev.org has a total of 3.1K subscribers on YouTube and a total of 76 videos. This video has received 1 like, which is lower than the average number of likes that secappdev.org gets. @secappdev.org receives an average of 1.4K views per video on YouTube. This video has received 0 comments, which is lower than the average number of comments that secappdev.org gets. Overall, the views for this video were lower than the average for the profile.
