Date posted: 18-Dec-2015
Fundamental Mechanisms: Access Matrix
Subjects
Objects (Subjects can be objects, too.)
Access Rights
Example: OS
Subjects = Processes
Objects = System Resources
Access Rights: read, write, execute
Fundamental Mechanisms: Access Matrix
Example: DBMS
Subjects = Users
Objects = Relations
Access Rights: retrieve, update, insert, delete
Fundamental Mechanisms: Access Matrix
Access Matrix:
Row for each object
Column for each subject
Entry is a set of access rights.
Later Security Models: Allow for administrative operations that change the access matrix.
Example: Owner of file can give permissions to others.
Fundamental Mechanisms: Access Matrix
Access Control Lists: ACL for each object. Lists all the subjects and their rights.
Capabilities: Capability list for each subject. Contains all the objects and the rights of the subject.
Fundamental Mechanisms: Access Matrix
Authorization Relation: Database table with fields owner, access mode, object.

Subject   Access Mode   Object
Bob       Owner         File 1
Bob       Read          File 1
Bob       Write         File 1
Alice     Read          File 1
Alice     Owner         File 2
Alice     Read          File 2
Alice     Write         File 2
Bob       Read          File 2
Bob       Write         File 2
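The same authorization relation held three ways, as an added example that is not part of the lecture slides: the relation itself, the ACL view per object, the capability view per subject, plus one mediation check and the owner-only grant operation the slides mention. The rows are the nine triples from the table above; the function names are this example's own.

```python
# Added example (not from the lecture): one set of authorizations, viewed as
# an authorization relation, as ACLs and as capability lists.
from collections import defaultdict

# The nine (subject, access mode, object) rows from the slide's table.
AUTHORIZATION_RELATION = [
    ("Bob", "Owner", "File 1"), ("Bob", "Read", "File 1"), ("Bob", "Write", "File 1"),
    ("Alice", "Read", "File 1"),
    ("Alice", "Owner", "File 2"), ("Alice", "Read", "File 2"), ("Alice", "Write", "File 2"),
    ("Bob", "Read", "File 2"), ("Bob", "Write", "File 2"),
]


def build_acls(relation):
    """Object-centred view: object -> subject -> set of rights (the ACL)."""
    acl = defaultdict(lambda: defaultdict(set))
    for subject, mode, obj in relation:
        acl[obj][subject].add(mode)
    return acl


def build_capabilities(relation):
    """Subject-centred view: subject -> object -> set of rights (capability list)."""
    caps = defaultdict(lambda: defaultdict(set))
    for subject, mode, obj in relation:
        caps[subject][obj].add(mode)
    return caps


def is_authorized(relation, subject, mode, obj):
    """Mediation check: grant only if the triple is present.
    Unknown subjects or objects simply have no rights (default deny)."""
    return (subject, mode, obj) in relation


def grant(relation, granter, subject, mode, obj):
    """Administrative operation from the slide: only the object's owner may
    add a right for another subject. Returns the (possibly unchanged)
    relation as a new list; the input is never mutated."""
    if not is_authorized(relation, granter, "Owner", obj):
        return list(relation)
    if (subject, mode, obj) in relation:
        return list(relation)
    return list(relation) + [(subject, mode, obj)]
```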
Fundamental Mechanisms: Intermediate Controls
Access matrix too storage intensive.
Access matrices make it hard to change policies.
Mechanism 1: Groups
Ideally, all access privileges mediated through group membership.
Negative permissions implement exceptions.
Fundamental Mechanisms: Intermediate Controls
Protection Rings
Example: Group processes and system resources into four categories:
Operating System Kernel
Operating System Utilities
User Processes
Access to an object is only granted to a subject of lower level.
Unix only has two levels.
Sometimes protection rings have hardware support.
Fundamental Mechanisms: Security Classes
Each object has a security class (security label).
Denning: Information Control Policy consists of
Security Classes
"Can flow" relationship
Join operation: Join A B combines rights and restrictions of both.
US DoD Security Levels: Top Secret, Secret, Confidential, Unclassified
Fundamental Mechanisms: Access Control Policies
Discretionary Access Control (DAC)
Specifies authorization solely based on object and subject identity.
Flexible and simple. Difficult to control information flow.
(Classical) Mandatory Access Control (MAC)
Each user and object has a security level.
Security level reflects trust that the user will not pass information to users with lower level clearance.
Access to an object based on security level.
Fundamental Mechanisms: Access Control Policies
(Refined) Mandatory Access Control (MAC)
Security Levels and Compartments. Example:
CRYPTO for cryptographic algorithms. COMSEC for communication security.
Possible to have top secret clearance in CRYPTO and unclassified clearance in COMSEC.
Discretionary policies typical in low security (academic) environments.
Mandatory policies typical in high security (military) environments.
Neither policy adequate for commercial systems.
Fundamental Mechanisms: Access Control Policies
Role Based Access Control (RBAC)
Regulate users' access to information based on the activities the users execute in the system.
"Role" is a set of actions and responsibilities associated with a particular working activity.
Access based on role, not identity of user.
Fundamental Mechanisms: Access Control Policies
Role Based Access Control (RBAC)
User authorization is broken into two tasks:
Granting roles to users
Granting rights to roles
Roles can be hierarchical: Engineers inherit employee rights.
User can log in with the least privilege for a set of particular tasks.
Roles make it easier to enforce separation of duties:
"No single user can subvert the system by herself/himself."
Covert Channels
A mechanism to circumvent automatic confinement within a security perimeter.
Example:
Person with TOP SECRET clearance runs (inadvertently) a Trojan horse.
Trojan horse has free access to files in the compartment.
Trojan horse cannot write down to an unclassified file.
But: Trojan horse can do things that are visible from the outside and thus send contents of TOP SECRET files through a covert channel.
T.H. either runs or waits. System load will vary. Small bandwidth channel.
T.H. can or cannot use shared resources. To send a bit, T.H. fills up the printer line to send a 1 bit, or empties it for a 0 bit.
UNIX Woes: SUID programs
Programs can execute the setuid system call.
Executable runs as if executed by user.
Sendmail uses setuid to implement email.
User can cause programs to run as root with input they provide.
Favorite targets of buffer overflow attacks.
Access Control: Details
Static access control matrix:
Easy to evaluate
Easy to reflect security
Can be implemented in a number of ways:
Access Control List
List of Rights
Database
Matrix
Useless in practice because subjects and objects are constantly created.
Therefore: Need updatable access control matrix.
Access Control: Details
Transformation Procedures update Access Control Matrix (Harrison, Ruzzo, Ullman, CACM 1975):
Create subject s
Create object o
Enter right into ACM[s,o]
Delete right from ACM[s,o]
Destroy subject s
Destroy object o
Access Control: Details
Transformation Procedures update Access Control Matrix (Harrison, Ruzzo, Ullman, CACM 1975)
System uses these primitives to update ACM, but not directly: it uses commands.
Some commands are mono-operational: they only involve a single primitive.
Most are more complex: conditional commands.
Access Control: Details (Harrison, Ruzzo, Ullman, CACM 1975)
Two special rights:
Copy right / Grant right: Allows possessor to grant rights to others, but only those that they also possess. ("Change Permission right" in Windows.)
Own right: Allows possessor to grant right over an object to others. UNIX chown command changes permissions that others have over an object.
Access Control: Details
Principle of Attenuation of Privilege: A subject may not give rights it does not possess to another.
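A small HRU-style protection system, as an added example that is not part of the lecture: the six primitives above edit the access control matrix, and a conditional command built from them implements the copy right so that attenuation of privilege holds. The class and the trailing `*` copy-flag convention on a right are this example's own.

```python
# Added example (not from the lecture): a small HRU-style protection system.
# The six primitives edit the access control matrix directly; commands
# compose them behind a condition. The trailing "*" copy flag on a right
# is this example's own convention for the slide's copy/grant right.
class ProtectionSystem:
    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.acm = {}                      # (subject, object) -> set of rights
    def _resize(self):
        # keep one (possibly empty) cell for every subject/object pair
        for s in self.subjects:
            for o in self.objects:
                self.acm.setdefault((s, o), set())
    # --- the six HRU primitives ---------------------------------------
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)                # subjects are objects too
        self._resize()
    def create_object(self, o):
        self.objects.add(o)
        self._resize()
    def enter(self, r, s, o):
        self.acm[(s, o)].add(r)
    def delete(self, r, s, o):
        self.acm[(s, o)].discard(r)
    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.objects.discard(s)
        self.acm = {k: v for k, v in self.acm.items() if s not in k}
    def destroy_object(self, o):
        self.objects.discard(o)
        self.acm = {k: v for k, v in self.acm.items() if k[1] != o}
    # --- a conditional command built from one primitive ----------------
    def transfer(self, r, p, q, o):
        """p grants right r on o to q, but only if p holds r with the copy
        flag: attenuation of privilege, p cannot give what it lacks."""
        if r + "*" in self.acm.get((p, o), set()):
            self.enter(r, q, o)
            return True
        return False
    def rights(self, s, o):
        """Contents of cell ACM[s,o]; empty for unknown pairs."""
        return frozenset(self.acm.get((s, o), set()))
```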
Access Control: Details
General Question: Given a system, how can we determine that it is secure?
Define secure:
Access Control: Details
Definition (Leaking): When we can add a right through ACM transformations to an element of the ACM that does not have this right, we say that the right has been leaked.
Access Control: Details
ACM is in a given state. Transformations alter the state.
Definition: If a system in initial state S0 can never leak the right r, then it is called safe with respect to the right r. Otherwise, it is called unsafe.
Access Control: Details
Results (Harrison, Ruzzo, Ullman):
There exists an algorithm that will determine whether a given mono-operational protection system with initial state S0 is safe with respect to a generic right r.
It is undecidable whether a given state of a given system is safe for a given generic right.
Confidentiality Policies
Confidentiality policy (a.k.a. Information Flow policy) prevents unauthorized disclosure of information.
Bell-LaPadula Model
Combines mandatory and discretionary access controls.
Mandatory access control supersedes discretionary access control.
Only models reads and writes.
Bell-LaPadula Model I
Hierarchical Levels for Objects and Subjects: Unclassified (UC) – Confidential (C) – Secret (S) – Top Secret (TS)
S can read O if and only if level(O) ≤ level(S) and S has discretionary read access to O.
[*-property] S can write O if and only if level(O) ≥ level(S) and S has discretionary write access to O.
Bell-LaPadula Model I
Example: To read a secret file, you need to have top secret or secret classification. To write to a secret file, you cannot have top secret classification.
Rationale: Someone with Secret classification is not allowed to write a file that will be given unclassified classification.
Bell-LaPadula Model II
Expand model by introducing categories. Categories reflect "need to know".
Example: ComSec, InfoSec
Excurse: Lattices
Security levels do not need to be arranged in a complete ordering.
Lattices: a rich enough mathematical structure with a partial ordering.
Excurse: Lattices
A partial ordering ≤ on a set S is reflexive, transitive, and antisymmetric.
(S, ≤) is a total order if for any two elements a, b ∈ S we have a ≤ b or b ≤ a.
A least upper bound u for a, b in a partially ordered set S has the properties a ≤ u, b ≤ u, and ∀v ∈ S: [a ≤ v and b ≤ v] ⇒ u ≤ v.
Excurse: Lattices
A greatest lower bound g for a, b in a partially ordered set S has the properties g ≤ a, g ≤ b, and ∀v ∈ S: [v ≤ a and v ≤ b] ⇒ v ≤ g.
Excurse: Lattices
A set with a partial ordering is a lattice if any two elements have a least upper bound and a greatest lower bound.
Bell-LaPadula Model II
Model consists of:
Set of subjects S
Set of objects O
Set of access operations A = {read, execute, append, write}
Lattice of security levels
Set of security level assignments F.
Bell-LaPadula Model II
An element of F is a triple:
maximum security level a subject can have
current security level a subject can have
classification of all objects.
The current security level is smaller than or equal to the maximum security level.
Bell-LaPadula Model II
Simple Security Property: No read-up security policy.
*-Property: For writes / appends, the current security level of the writer needs to be smaller than the security level of the object. No write-down.
Bell-LaPadula Model II
Definition does not allow high-level subjects to write to low-level subjects. In this case, either:
1. Temporarily downgrade writer.
2. Identify a set of subjects (aka Trusted Subjects), which are permitted to violate the * policy.
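Security labels as a lattice of (level, categories), as an added example that is not part of the lecture: it carries the join and meet from the lattice excurse and Denning's join operation, and the no-read-up / no-write-down checks of the model above, with a discretionary right required as well. The level names follow the slides; the `Label` class, the `L` helper and the category sets used are this example's own.

```python
# Added example (not from the lecture): security labels as a lattice of
# (level, set of categories), with the join/meet of the lattice excurse and
# the BLP no-read-up / no-write-down checks. Category names are constructed.
from dataclasses import dataclass

LEVELS = ["UC", "C", "S", "TS"]     # Unclassified < Confidential < Secret < Top Secret


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other):
        """The partial order: level at least as high AND a superset of categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)

    def join(self, other):
        """Least upper bound: higher level, union of categories."""
        lvl = max(self.level, other.level, key=LEVELS.index)
        return Label(lvl, self.categories | other.categories)

    def meet(self, other):
        """Greatest lower bound: lower level, intersection of categories."""
        lvl = min(self.level, other.level, key=LEVELS.index)
        return Label(lvl, self.categories & other.categories)


def L(level, *categories):
    """Convenience constructor: L("TS", "CRYPTO")."""
    return Label(level, frozenset(categories))


def can_read(subject_current, obj_label, dac_rights):
    """Simple security property (no read-up) plus the discretionary check:
    the subject's current label must dominate the object's label."""
    return subject_current.dominates(obj_label) and "read" in dac_rights


def can_write(subject_current, obj_label, dac_rights):
    """*-property (no write-down) plus the discretionary check:
    the object's label must dominate the writer's CURRENT label."""
    return obj_label.dominates(subject_current) and "write" in dac_rights
```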
Bell-LaPadula Model II
Discretionary Security Policy: An access is only allowed if it is allowed by the discretionary access matrix.
Basic Security Theorem: If all state transitions in a system are secure and if the initial state is secure, then all states of the system are secure.
Bell-LaPadula Model II
Limitations:
BLP can become meaningless if there are state transitions that allow changes of access rights.
BLP only deals with confidentiality.
BLP does not address management of access control. (See Harrison-Ruzzo-Ullman model.)
BLP does not prevent covert channels.
Chinese Wall
Chinese Wall model (Brewer & Nash): Models access rules in a consultancy business.
Analysts should not have conflicts of interest:
Alice first helps Client 1, gaining knowledge over a market.
Alice then helps Client 2 with the knowledge gained from helping Client 1.
Chinese Wall
Set of subjects S are consultants.
Set of companies is C.
Set of objects O is items of information concerning a single company.
Conflict of interest classes indicate which companies are in competition.
Security label of an object is the list of competitors of the company.
Chinese Wall
Chinese Wall rules:
Access is granted only if:
The object belongs to a company dataset already held by the user,
or: an entirely different conflict of interest class.
Write access is granted only if:
No other object can be read which is in a different company dataset and contains unsanitized information.
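The two Brewer-Nash rules above as checks over a consultant's access history, as an added example that is not part of the lecture: the read rule compares the requested company against the conflict-of-interest classes of everything already held, and the write rule refuses whenever any other company's unsanitized data would still be readable. The company names, the conflict classes and the sanitized flag are constructed for this example.

```python
# Added example (not from the lecture): Brewer-Nash Chinese Wall checks.
# Company names, conflict classes and the sanitized flag are constructed.
# A company's security label is its conflict-of-interest class, i.e. the
# set of its competitors (itself included).
CONFLICT_CLASSES = [            # constructed: two groups of competitors
    {"BankA", "BankB"},
    {"OilX", "OilY"},
]


def coi_class(company):
    for cls in CONFLICT_CLASSES:
        if company in cls:
            return cls
    return {company}            # no known competitors


def may_read(history, company):
    """Simple security rule. `history` is the set of companies whose
    datasets the consultant has already accessed. Reading is allowed if
    the company is already held, or if nothing held is in its class."""
    if company in history:
        return True
    return not any(held in coi_class(company) for held in history)


def may_write(history, company, objects):
    """*-rule. Writing into `company`'s dataset is allowed only if the
    consultant cannot read unsanitized information of any OTHER company.
    `objects` is the list of (company, sanitized) objects in the system."""
    for other, sanitized in objects:
        if other != company and not sanitized and may_read(history, other):
            return False
    return True


def access(history, company):
    """Record a permitted read; returns the new history, or None if denied.
    The history only ever grows: the wall is built by what was read."""
    if not may_read(history, company):
        return None
    return frozenset(history) | {company}
```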
Security Kernel
Orange Book (Trusted Computer System Evaluation Criteria, TCSEC):
yardstick for users to assess the degree of trust that can be placed in a computer system
guidance for manufacturers of computer security systems
basis for specifying security requirements when acquiring a computer security system
Security Kernel
Orange Book Security Divisions:
D – Minimal protection
C1 – Discretionary Security Protection
C2 – Controlled Access Protection
B1 – Labeled Security Protection
B2 – Structured Protection
B3 – Security Domains
A1 – Verified Design
Security Kernel
Computer systems are designed in layers. A security mechanism at one layer can be subverted by an attack at a lower level.
Implementing security mechanisms at lower levels can lead to less performance overhead.
Security Kernel
Orange Book Definitions:
REFERENCE MONITOR: Access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.
SECURITY KERNEL: Hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept.
TRUSTED COMPUTING BASE: The totality of protection mechanisms within a computer system.
Security Kernel
Users must not be able to modify the operating system.
Users should be able to invoke the OS.
Users should not be able to invoke the OS.
Tools:
status information
controlled invocation = restricted privilege
Security Kernel
OS needs to distinguish between operations on behalf of the OS and on behalf of a user.
Motorola 68000: One status bit allows to distinguish between user mode and kernel mode.
Intel 80386: Two status bits giving 4 modes.
Example: How to allow processes to switch between root and user level? SUID, …
Security Kernel
Motorola 68000:
Has a 16-bit status register including: T – trace bit, S – supervisor bit, interrupt level in 3 bits.
Operating systems are implemented with TRAP calls.
Processor uses memory-mapped I/O.
Address decoder receives input from status bits. Based on status, processes can access:
user data
user program
supervisor data
supervisor program
interrupt acknowledge
Security Kernel
Intel 80386:
Supports 4 privilege levels.
Stores information about system objects in descriptors. Stored in descriptor table. Accessed via selectors.
Privilege level of object stored in descriptor.
Selectors contain a Requested Privilege Level (RPL) field.
Security Kernel
Intel 80386:
Assume an application-level program needs service from an OS service.
Done by gates: a system object that points to a procedure.
To be used, gate needs to have same level as invoking procedure.
When invoking a subroutine through a gate, current privilege level changes to that of the procedure pointed to by the gate.
Part of the stack is copied to a more privileged stack segment.