ACL: Default Permission and Abbreviations

Date post: 21-Jan-2016
Page 1: ACL: Default Permission and Abbreviations

ACL: Default Permission and Abbreviations

A subject not in the ACL has no rights over the file
If many subjects have similar rights, groups or wildcards may be used in the ACL to ‘merge’ identical columns
Example: UNICOS
  Entries are (user, group, rights)
  If user is in group, it has rights over file: (holly, bant, r)
  ‘*’ is wildcard for user, group
    (holly, *, r): holly can read file regardless of her group
    (*, fleep, w): anyone in group fleep can write file

Page 2: ACL: Default Permission and Abbreviations

ACL: Default Permission and Abbreviations

Example: UNIX
  Three classes of users: owner, group, all others

Page 3: ACL: Default Permission and Abbreviations

ACL Abbreviations

Augment abbreviated lists with ACLs
  Intent is to shorten the ACL without losing granularity
Example: IBM AIX
  ACL overrides base permissions
  Denial takes precedence

Page 4: ACL: Default Permission and Abbreviations

Permissions in IBM AIX

attributes:
  base (traditional UNIX) permissions
    owner(bishop): rw-
    group(sys): r--
    others: ---
  extended permissions enabled
    specify rw- u:holly                [override]
    permit -w- u:heidi, g=sys          [add]
    permit rw- u:matt
    deny -w- u:holly, g=faculty        [remove right]

Page 5: ACL: Default Permission and Abbreviations

ACL Modification and Privileged Users

Who can modify an ACL?
  Creator is given owner rights that allow this
  System R provides a grant modifier (like a copy flag) allowing a right to be transferred, so ownership is not needed
Do ACLs apply to privileged users (root)?
  In Solaris, abbreviations at root are ignored, but full-blown ACL entries still apply

Page 6: ACL: Default Permission and Abbreviations

Revocation Problems

How do you remove a subject’s rights to a file?
  Owner deletes rights from the subject’s entry in the ACL, or removes the subject’s entry if there are no rights left
What if the owner was not the provider?
  Depends on the system
  System R restores the protection state to what it was before the right was given
  More complicated than it seems: suppose Alice gives Bob a right and Bob then gives it to Mallory, and now Alice revokes Bob’s right? Or suppose Charlie has also given Mallory his right?

Page 7: ACL: Default Permission and Abbreviations

Windows NT ACLs

Sets of rights
  Basic: read, write, execute, delete, change permission, take ownership
  Generic: no access, read (read/execute), change (read/write/execute/delete), full control (all), special access (assign any basic rights)
  Directory: no access, read (read/execute files in directory), list, add, add and read, change (create, add, read, execute, write files; delete subdirectories), full control, special access

Page 8: ACL: Default Permission and Abbreviations

Windows NT ACLs (cont.)

User not in file’s ACL nor in any group named in file’s ACL: deny access
ACL entry denies user access: deny access
Take union of rights of all ACL entries giving user access: user has this set of rights over file
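An added example (not from the slides) of an ACL evaluator that combines the rules above: UNICOS-style (user, group, rights) entries with ‘*’ wildcards, no rights for a subject matched by no entry, the union of the rights of all matching entries, and an explicit deny entry taking precedence, as the AIX and Windows NT slides state. The Entry type, the deny flag and the fourth sample entry are constructed for this example; AIX's specify/permit distinction is not modelled.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    user: str           # user name, or "*" for any user (UNICOS-style wildcard)
    group: str          # group name, or "*" for any group
    rights: frozenset   # e.g. frozenset("rw")
    deny: bool = False  # True: a denial entry; its rights are removed whatever else matches

def entry_matches(entry: Entry, user: str, groups: set) -> bool:
    """An entry applies when both its user field and its group field match the subject."""
    user_ok = entry.user == "*" or entry.user == user
    group_ok = entry.group == "*" or entry.group in groups
    return user_ok and group_ok

def effective_rights(acl: list, user: str, groups: set) -> frozenset:
    """Union the rights of every matching allow entry, then subtract the rights of
    every matching deny entry (denial takes precedence). No matching entry: no rights."""
    allowed, denied = set(), set()
    for entry in acl:
        if entry_matches(entry, user, groups):
            (denied if entry.deny else allowed).update(entry.rights)
    return frozenset(allowed - denied)

# Constructed sample ACL: the three UNICOS entries from the slide plus one deny entry.
FILE_ACL = [
    Entry("holly", "bant", frozenset("r")),             # holly may read when in group bant
    Entry("holly", "*", frozenset("r")),                # holly may read regardless of her group
    Entry("*", "fleep", frozenset("w")),                # anyone in group fleep may write
    Entry("*", "faculty", frozenset("w"), deny=True),   # (constructed) nobody in faculty may write
]

def demo() -> dict:
    """Evaluate a few subjects against FILE_ACL; keys are 'user/groups'."""
    return {
        "holly/bant": effective_rights(FILE_ACL, "holly", {"bant"}),                       # r
        "holly/fleep": effective_rights(FILE_ACL, "holly", {"fleep"}),                     # r and w, by union
        "heidi/fleep+faculty": effective_rights(FILE_ACL, "heidi", {"fleep", "faculty"}),  # nothing: deny wins
        "heidi/staff": effective_rights(FILE_ACL, "heidi", {"staff"}),                     # nothing: not in the ACL
    }

if __name__ == "__main__":
    for subject, rights in demo().items():
        print(f"{subject:22s} -> {''.join(sorted(rights)) or '(none)'}")
```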

Page 9: ACL: Default Permission and Abbreviations

Semantics of Capability

Like a bus ticket
  Mere possession indicates rights that subject has over object
  Object identified by capability (as part of the token)
    Name may be a reference, location, or something else
The key challenge is to prevent process/user from altering capabilities
  Otherwise a subject can augment its capabilities at will

Page 10: ACL: Default Permission and Abbreviations

Implementation of Capability

Tagged architecture
  Bits protect individual words
Paging/segmentation protections
  Like tags, but put capabilities in a read-only segment or page
Cryptography
  Associate with each capability a cryptographic checksum enciphered using a key known to OS
  When process presents capability, OS validates checksum

Page 11: ACL: Default Permission and Abbreviations

Revocation of Rights

Scan all C-lists, remove relevant capabilities
  Far too expensive! (return your tickets?)
Use indirection
  Each object has entry in a global object table
  Names in capabilities name the entry, not the object
  To revoke, zap the entry in the table
  Can have multiple entries for a single object to allow control of different sets of rights and/or groups of users for each object
Example: Amoeba
  Owner requests server change random number in server table
  All capabilities for that object now invalid
  Re-issue tickets and invalidate old tickets
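An added example (not from the slides or any real OS) of the cryptographic checksum approach together with Amoeba-style revocation: the server keys an HMAC over the object name, the rights and a per-object random number held in its table, so a process cannot alter its capability undetected, and changing the random number invalidates every capability issued for that object. ObjectServer and the sample object are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

class ObjectServer:
    """Holds the object table and the checksum key: the only party able to mint or verify a capability."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # checksum key known only to the server/OS
        self._table = {}                      # object name -> [random check number, contents]

    def create(self, name: str, contents: str) -> None:
        self._table[name] = [secrets.token_bytes(16), contents]   # fresh random number per object

    def _checksum(self, name: str, rights: str, check: bytes) -> bytes:
        # Keyed checksum over (object, rights, current random number); without the key
        # no field can be changed and still verify.
        return hmac.new(self._key, f"{name}|{rights}|".encode() + check, hashlib.sha256).digest()

    def issue(self, name: str, rights: str) -> tuple:
        """Capability handed to a process: (object name, rights, checksum)."""
        check, _ = self._table[name]
        return (name, rights, self._checksum(name, rights, check))

    def validate(self, cap: tuple) -> bool:
        name, rights, tag = cap
        if name not in self._table:
            return False
        check, _ = self._table[name]
        return hmac.compare_digest(tag, self._checksum(name, rights, check))

    def read(self, cap: tuple) -> str:
        if not self.validate(cap) or "r" not in cap[1]:
            raise PermissionError("invalid capability or missing read right")
        return self._table[cap[0]][1]

    def revoke_all(self, name: str) -> None:
        """Amoeba-style revocation: a new random number makes every outstanding capability fail."""
        self._table[name][0] = secrets.token_bytes(16)

def demo() -> dict:
    server = ObjectServer()
    server.create("report", "quarterly numbers")            # constructed sample object
    cap = server.issue("report", "r")
    results = {"valid_read": server.read(cap) == "quarterly numbers"}
    altered = (cap[0], "rw", cap[2])                          # rights field edited without the key
    results["altered_rejected"] = not server.validate(altered)
    server.revoke_all("report")                               # owner asks the server to change the random number
    results["old_cap_rejected"] = not server.validate(cap)
    results["reissued_valid"] = server.validate(server.issue("report", "r"))
    return results
```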

Page 12: ACL: Default Permission and Abbreviations

ACLs vs. Capabilities

They are equivalent:
  1. Given a subject, what objects can it access, and how?
  2. Given an object, what subjects can access it, and how?
ACLs answer the second easily; C-lists answer the first easily
The second question in the past was most used; thus ACL-based systems are more common
But today some operations need to answer the first question (e.g., in incident response)

Page 13: ACL: Default Permission and Abbreviations

Locks and Keys

Associate lock with object and key with subject
Key controls what the subject can access and how
Subject presents key; if it corresponds to any of the locks on the object, access is granted
This is flexible
  Can change either locks or keys

[Figure: diagram relating ACL, C-List and Locks/Keys; only the labels survive]

Page 14: ACL: Default Permission and Abbreviations

Cryptographic Implementation

Enciphering key is lock; deciphering key is key
  Encipher object o; store Ek(o)
  Use subject’s key k to compute Dk(Ek(o))
Any of n can access o: store
  o′ = (E1(o), …, En(o))
Requires consent of all n to access o: store
  o′ = E1(E2(…(En(o))…))

Page 15: ACL: Default Permission and Abbreviations

Requirements & Concepts

Some basic requirements of access control:
  Avoid disclosing sensitive data to unauthorized users (Confidential)
  Provide sensitive information to authorized users (Available)
  Reliable and dependable (Integrity preserving)
  Scalable and expandable (long life)
Some key concepts in access control systems:
  Separation of duties
  Least privilege
  Need-to-know
  Need-to-share (a contemporary buzz-phrase)
  Handle with care

Page 16: ACL: Default Permission and Abbreviations

What to protect?: Information classification

Based on risk of content released to mal-actors
Example: the US government classification
  Unclassified
  Confidential
  Secret
  Top secret

Page 17: ACL: Default Permission and Abbreviations

Kinds of Access Control

Preventive: avoid having unwanted actions/events by blocking the ability to do them.
Detective: identify unwanted actions or events after they occur.
Corrective: remedy circumstances that enabled the unwanted activity; return to the state prior to it.
Directive: dictated by higher authority: laws, regulations, or organization policy.
Deterrent: prescribe punishment for noncompliance.
Recovery: restore lost computing resources or capabilities.
Compensating: reinforce or replace controls that are unavailable.

Page 18: ACL: Default Permission and Abbreviations

3 Types of Access Control

Administrative: separation of duties, dual control, etc.
Physical: fences, alarms, badges, CCTV, etc.
Technical: antivirus, anti-spam, logs, etc.
Further examples in the ISC2 book show how controls map to access control types.

Page 19: ACL: Default Permission and Abbreviations

Steps in Accessing Systems

Authentication
  Use a unique identifier: user ID, account number, PIN
  Three main kinds of data used for authentication
    Something the requester knows: passwords, pass-phrases
    Something the requester is: biometrics, physical characteristics
    Something the requester has: tokens (one-time passwords, time synchronized token), smart cards, USB tokens
Authorization
Accounting

Page 20: ACL: Default Permission and Abbreviations

Using Tokens & Smartcards for Authentication

Asynchronous token: challenge/response
Synchronous: time / event based
  One-time password or hashed values
  Authentication server knows value from the token
Smart cards: contact or contact-less

Page 21: ACL: Default Permission and Abbreviations

Using Biometrics for Authentication

Have false (rejection, acceptance) rates; crossover = they are equal, both tunable to need.
Some static biometrics: fingerprint or palm print, hand geometry, retina
Some dynamic biometrics: face/gesture recognition, keystrokes, voice pattern

Page 22: ACL: Default Permission and Abbreviations

Identity Management

What is identity management? Set of technologies to manage user identity information.
When is it needed?
  For manual service provisioning
  Manage sophisticated and complex environments
  To comply with regulations
What are the major challenges?
  Reliability of user profiles
  Consistency of user profiles across different systems/devices
  Scalability by supporting data volumes and peaks
More details in the IC3 book

Page 23: ACL: Default Permission and Abbreviations

Identity Management: benefits and technologies

Benefits
  Increase productivity
  Reduce head count
Technologies
  In systems that support identity management and manage data consistently and efficiently across systems within an organization:
    Directories
    Web Access Management
    Password Management
    Legacy single sign-ons

Page 24: ACL: Default Permission and Abbreviations

Single Sign-on

How they work
  One user ID and password for multiple application servers through an authentication server
Benefits
  Efficient log-on process
  Users may create stronger passwords
  No need for many passwords
Major drawback
  A compromised password allows an intruder into all resources of the owner of that account

Page 25: ACL: Default Permission and Abbreviations

Single Sign-on: Kerberos

[Figure: Kerberos single sign-on exchange; surviving labels: “1. Authenticate me / Give me a ticket”, “3. Authorize me / Use the ticket for s”]

Page 26: ACL: Default Permission and Abbreviations

Single Sign-on: Kerberos and SESAME

Kerberos
  Key Distribution Center serves two functions
    Authentication Server (AS)
    Ticket Granting Server (TGS)
Kerberos issues
  Security depends on careful implementation and maintenance
  Lifetime for authentication credentials should be as short as feasible, using time stamps to minimize the threat of replayed credentials
  The KDC must be physically secured; it could be a single point of failure
    Redundancy is recommended
  The KDC should be hardened and not allow any non-Kerberos activity
SESAME
  Stands for Secure European System for Applications in a Multi-vendor Environment
  Developed to address some of the Kerberos weaknesses
  Supports SSO
  Improves key management by using both symmetric and asymmetric keys

Page 27: ACL: Default Permission and Abbreviations

Directory Service and Security Domains

Directory Services
  Applications that provide hierarchical means to organize and manage information about network users and resources and to retrieve the information by name association
Security Domains
  Set of objects that a subject in an information system is allowed to access
  Hierarchical domain relationship
  Equivalence classes of subjects

Page 28: ACL: Default Permission and Abbreviations

Access Control & Assurance

Mechanisms to assure that access control mechanisms are in place and in good standing:
  Audit trail analysis and monitoring
    A record of system activities
  Assessment tools
    Audit tools cover a wide spectrum of cost, complexity, etc. and must be tailored to the goals of the audit

Page 29: ACL: Default Permission and Abbreviations

Access control matrix

                 objects (entities)
                 o1  …  om  s1  …  sn
  subjects  s1
            s2
            …
            sn

Subjects S = { s1, …, sn }
Objects O = { o1, …, om }
Rights R = { r1, …, rk }
Entries A[si, oj] ⊆ R
  A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj
Describes protection state precisely
  Matrix describing rights of subjects
  State transitions change elements of matrix

Page 30: ACL: Default Permission and Abbreviations

ACM at 3AM and 10AM

At 3AM, time condition met; ACM is: [figure not recoverable; surviving labels: Alice, paint]
At 10AM, time condition not met; ACM is: [figure not recoverable; surviving label: Alice]

Page 31: ACL: Default Permission and Abbreviations

AC by History and Inference

Database:
  name     position   age  salary
  Alice    teacher    45   $40,000
  Bob      aide       20   $20,000
  Cathy    principal  37   $60,000
  Dilbert  teacher    50   $50,000
  Eve      teacher    33   $50,000
Queries:
  1. sum(salary, “position = teacher”) = 140,000
  2. sum(salary, “age < 40 & position = teacher”) should not be answered (can deduce Eve’s salary)

Page 32: ACL: Default Permission and Abbreviations

ACM of Database Queries

Oi = { objects referenced in query i }
f(oi) = permission set of query i
  f(oi) = { read } for oj ∈ Oi, if |∩(j = 1,…,i) Oj| < 2
  f(oi) = ∅ for oj ∈ Oi, otherwise
1. O1 = { Alice, Dilbert, Eve } and no previous query set, so:
  A[asker, Alice] = f(Alice) = { read }
  A[asker, Dilbert] = f(Dilbert) = { read }
  A[asker, Eve] = f(Eve) = { read }
  and the query can be answered

Page 33: ACL: Default Permission and Abbreviations

But Query 2

f(oi) = { read } for oj ∈ Oi, if |∩(j = 1,…,i) Oj| < 2
f(oi) = ∅ for oj ∈ Oi, otherwise
2. O2 = { Alice, Dilbert } but |O2 ∩ O1| = 2, so
  A[asker, Alice] = f(Alice) = ∅
  A[asker, Dilbert] = f(Dilbert) = ∅
  and the query cannot be answered
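An added example (not from the slides) that applies the history rule f(oi) to the slide's table: each query's object set Oi is recorded, and a query is answered only if every entry in its permission set is { read }. The QueryHistoryControl class is constructed for this illustration; the second query's object set { Alice, Dilbert } is the one given on the slide, and the third query is a constructed one with no overlap, showing the other branch of the rule.

```python
# Constructed copy of the slide's table: (name, position, age, salary)
DATABASE = [
    ("Alice", "teacher", 45, 40_000),
    ("Bob", "aide", 20, 20_000),
    ("Cathy", "principal", 37, 60_000),
    ("Dilbert", "teacher", 50, 50_000),
    ("Eve", "teacher", 33, 50_000),
]
SALARY = {name: salary for name, _, _, salary in DATABASE}

class QueryHistoryControl:
    """Keeps O_1 … O_(i-1) and computes f(o_i) for each new query from the rule on the slide."""

    def __init__(self, threshold: int = 2):
        self.history = []          # object sets of all earlier queries
        self.threshold = threshold

    def permission_set(self, objects: set) -> dict:
        """f(o_i): {'read'} for every o_j in O_i when |O_1 ∩ … ∩ O_i| < threshold, else ∅.
        With no previous query set the condition counts as satisfied, as on the slide."""
        allowed = True
        if self.history:
            common = set(objects)
            for earlier in self.history:
                common &= earlier
            allowed = len(common) < self.threshold
        return {o: ({"read"} if allowed else set()) for o in objects}

    def sum_salary(self, objects: set):
        """Answer sum(salary) over the named rows, or None if any entry of f(o_i) is ∅.
        The query is recorded as O_i whether or not it was answered."""
        entries = self.permission_set(objects)
        self.history.append(set(objects))
        if any("read" not in rights for rights in entries.values()):
            return None
        return sum(SALARY[name] for name in objects)

def objects_where(predicate) -> set:
    """Objects referenced by a query: the rows its predicate selects."""
    return {name for name, position, age, _ in DATABASE if predicate(position, age)}

def demo() -> tuple:
    ctl = QueryHistoryControl()
    o1 = objects_where(lambda pos, age: pos == "teacher")   # {Alice, Dilbert, Eve}
    q1 = ctl.sum_salary(o1)                                  # 140000: answered
    o2 = {"Alice", "Dilbert"}                                # the slide's O_2; |O_2 ∩ O_1| = 2
    q2 = ctl.sum_salary(o2)                                  # None: refused
    o3 = {"Bob", "Cathy"}                                    # constructed: no overlap with O_1
    q3 = ctl.sum_salary(o3)                                  # 80000: answered
    return q1, q2, q3
```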

Page 34: ACL: Default Permission and Abbreviations

State Transitions

Change the protection state of system
  Xi is a state of the ACM at time i
  |– represents transition
    Xi |– Xi+1: command moves system from state Xi to Xi+1
    Xi |–* Xi+1: a sequence of commands moves system from state Xi to Xi+1
Commands often called transformation procedures, because they transform the state of the access control matrix

Page 35: ACL: Default Permission and Abbreviations

Primitive Operations

create subject s; create object o
  Creates new row, column in ACM; creates new column in ACM
destroy subject s; destroy object o
  Deletes row, column from ACM; deletes column from ACM
enter r into A[s, o]
  Adds r rights for subject s over object o
delete r from A[s, o]
  Removes r rights from subject s over object o

Page 36: ACL: Default Permission and Abbreviations

Access control requests

Transforms state of the ACM
Access control request can be precisely defined using
  Pre-conditions
  Post-conditions
Use notation (from Z)
  Pre-state without primes
  Post-state with primes
Example: pre-state A[alice, file1] is the permission set of Alice to file1 before a request, and A′[alice, file1] is the post-state

Page 37: ACL: Default Permission and Abbreviations

Create Subject: pre and post conditions

Pre-condition: s ∉ S
Primitive command: create subject s
Post-conditions:
  S′ = S ∪ { s }, O′ = O ∪ { s }
  (∀y ∈ O′)[a′[s, y] = ∅]
  (∀x ∈ S′)[a′[x, s] = ∅]
  (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

Page 38: ACL: Default Permission and Abbreviations

Create Object

Precondition: o ∉ O
Primitive command: create object o
Post-conditions:
  S′ = S, O′ = O ∪ { o }
  (∀x ∈ S′)[a′[x, o] = ∅]
  (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

Page 39: ACL: Default Permission and Abbreviations

Add Right

Precondition: s ∈ S, o ∈ O
Primitive command: enter r into a[s, o]
Post-conditions:
  S′ = S, O′ = O
  a′[s, o] = a[s, o] ∪ { r }
  (∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
  (∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]

Page 40: ACL: Default Permission and Abbreviations

Delete Right

Precondition: s ∈ S, o ∈ O
Primitive command: delete r from a[s, o]
Postconditions:
  S′ = S, O′ = O
  a′[s, o] = a[s, o] – { r }
  (∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
  (∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]

Page 41: ACL: Default Permission and Abbreviations

Destroy Subject

Precondition: s ∈ S
Primitive command: destroy subject s
Postconditions:
  S′ = S – { s }, O′ = O – { s }
  (∀y ∈ O′)[a′[s, y] = ∅], (∀x ∈ S′)[a′[x, s] = ∅]
  (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]

Page 42: ACL: Default Permission and Abbreviations

Destroy Object

Precondition: o ∈ O
Primitive command: destroy object o
Postconditions:
  S′ = S, O′ = O – { o }
  (∀x ∈ S′)[a′[x, o] = ∅]
  (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]

Page 43: ACL: Default Permission and Abbreviations

Creating File

Process p creates file f with r and w permission
command create•file(p, f)
  create object f;
  enter own into A[p, f];
  enter r into A[p, f];
  enter w into A[p, f];
end

Page 44: ACL: Default Permission and Abbreviations

Mono-Operational Commands

Make process p the owner of file g
command make•owner(p, g)
  enter own into A[p, g];
end
Mono-operational command
  Single primitive operation in this command

Page 45: ACL: Default Permission and Abbreviations

Conditional Commands

Let p give q r rights over f, if p owns f
command grant•read•file•1(p, f, q)
  if own in A[p, f]
  then
    enter r into A[q, f];
end
Mono-conditional command
  Single condition in this command

Page 46: ACL: Default Permission and Abbreviations

Multiple Conditions

Let p give q r and w rights over f, if p owns f and p has c rights over q
command grant•read•file•2(p, f, q)
  if own in A[p, f] and c in A[p, q]
  then
    enter r into A[q, f];
    enter w into A[q, f];
end

Page 47: ACL: Default Permission and Abbreviations

Copy Right

Allows possessor to give rights to another
Often attached to a right, so only applies to that right
  r is read right that cannot be copied
  rc is read right that can be copied
Is copy flag copied when giving r rights?
  Depends on the model and its instantiation

Page 48: ACL: Default Permission and Abbreviations

Own Right

Usually allows possessor to change entries in ACM column
  Owner of an object can add, delete rights for others
  May depend on what system allows
    Can’t give rights to specific (set of) users
    Can’t pass copy flag to specific (set of) users

Page 49: ACL: Default Permission and Abbreviations

Attenuation of Privilege

You cannot give rights you do not possess
  Restricts addition of rights within a system
Usually ignored for owner
  Why? Owner gives him/herself rights, gives them to others, deletes rights.

Page 50: ACL: Default Permission and Abbreviations

Main Points

ACM simple mechanism for representing protection states
Transitions alter protection state
  Six primitive operations can alter the matrix
  Transitions can be expressed as commands composed of these operations and, possibly, conditions

