COEN 150: Intro to IA Authorization
Date posted: 18-Dec-2015
Uploaded by: nathan-chapman

Transcript

COEN 150: Intro to IA

Authorization

Fundamental Mechanisms: Access Matrix

Subjects
Objects (subjects can be objects, too)
Access Rights

Example: OS

Subjects = Processes
Objects = System Resources
Access Rights: read, write, execute

Fundamental Mechanisms: Access Matrix

Example: DBMS

Subjects = Users
Objects = Relations
Access Rights: retrieve, update, insert, delete

Fundamental Mechanisms: Access Matrix

Access Matrix:
Row for each object
Column for each subject
Entry is a set of access rights.

Later Security Models: allow for administrative operations that change the access matrix.
Example: the owner of a file can give permissions to others.

Fundamental Mechanisms: Access Matrix

Access Control Lists: one ACL for each object; it lists all the subjects and their rights.
Capabilities: one capability list for each subject; it contains all the objects and the rights of the subject.

Fundamental Mechanisms: Access Matrix

Authorization Relation: a database table with fields owner, access mode, object.

  Subject   Access Mode   Object
  Bob       Owner         File 1
  Bob       Read          File 1
  Bob       Write         File 1
  Alice     Read          File 1
  Alice     Owner         File 2
  Alice     Read          File 2
  Alice     Write         File 2
  Bob       Read          File 2
  Bob       Write         File 2
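The same authorization relation as the table above, re-derived as the three representations the slides name (matrix, per-object ACL, per-subject capability list). This is an added example, not code from the course; the rows are copied from the slide table and the helper names are my own.

```python
from collections import defaultdict

# Constructed from the slide's table: (subject, access mode, object) rows.
AUTH_RELATION = [
    ("Bob", "Owner", "File 1"), ("Bob", "Read", "File 1"),
    ("Bob", "Write", "File 1"), ("Alice", "Read", "File 1"),
    ("Alice", "Owner", "File 2"), ("Alice", "Read", "File 2"),
    ("Alice", "Write", "File 2"), ("Bob", "Read", "File 2"),
    ("Bob", "Write", "File 2"),
]

def access_matrix(relation):
    """Matrix view: matrix[subject][object] is the set of granted rights."""
    matrix = defaultdict(lambda: defaultdict(set))
    for subject, mode, obj in relation:
        matrix[subject][obj].add(mode)
    return matrix

def acl(matrix, obj):
    """ACL view (stored with the object): each subject and its rights."""
    return {s: set(objs[obj]) for s, objs in matrix.items() if objs.get(obj)}

def capabilities(matrix, subject):
    """Capability view (stored with the subject): each object and its rights."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items() if r}

def is_authorized(matrix, subject, mode, obj):
    """Reference-monitor style check: deny unless the entry grants the mode."""
    return mode in matrix.get(subject, {}).get(obj, set())

def revoke_object(matrix, obj):
    """Revoking every right on one object: cheap in the ACL view, but in the
    capability view every subject's list must be visited. Returns the count."""
    removed = 0
    for objs in matrix.values():
        removed += len(objs.pop(obj, set()))
    return removed
```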

Fundamental Mechanisms: Intermediate Controls

The access matrix is too storage intensive.
Access matrices make it hard to change policies.
Mechanism 1: Groups
Ideally, all access privileges are mediated through group membership.
Negative permissions implement exceptions.

Fundamental Mechanisms: Intermediate Controls

Protection Rings. Example: group processes and system resources into four categories:
Operating System Kernel
Operating System Utilities
User Processes
Access to an object is only granted to a subject of lower level.
Unix only has two levels. Sometimes protection rings have hardware support.

Fundamental Mechanisms: Security Classes

Each object has a security class (security label).
Denning: an information control policy consists of security classes, a "can flow" relationship, and a join operation.
The join of A and B combines the rights and restrictions of both.
US DoD Security Levels: Top Secret, Secret, Confidential, Unclassified.

Fundamental Mechanisms: Access Control Policies

Discretionary Access Control (DAC)
Specifies authorization solely based on object and subject identity.
Flexible and simple. Difficult to control information flow.

(Classical) Mandatory Access Control (MAC)
Each user and object has a security level. The security level reflects the trust that the user will not pass information to users with lower level clearance.
Access to an object is based on security level.

Fundamental Mechanisms: Access Control Policies

(Refined) Mandatory Access Control (MAC)
Security levels and compartments. Example: CRYPTO for cryptographic algorithms, COMSEC for communication security. It is possible to have top secret clearance in CRYPTO and unclassified clearance in COMSEC.
Discretionary policies are typical in low security (academic) environments.
Mandatory policies are typical in high security (military) environments.
Neither policy is adequate for commercial systems.

Fundamental Mechanisms: Access Control Policies

Role Based Access Control (RBAC)
Regulates users' access to information based on the activities the users execute in the system.
A "role" is a set of actions and responsibilities associated with a particular working activity.
Access is based on the role, not the identity of the user.

Fundamental Mechanisms: Access Control Policies

Role Based Access Control (RBAC)
User authorization is broken into two tasks: granting roles to users, and granting rights to roles.
Roles can be hierarchical: engineers inherit employee rights.
A user can log in with the least privilege for a set of particular tasks.
Roles make it easier to enforce separation of duties: "No single user can subvert the system by herself/himself."

Covert Channels

A mechanism to circumvent automatic confinement within a security perimeter.
Example: a person with TOP SECRET clearance (inadvertently) runs a Trojan horse.
The Trojan horse has free access to files in the compartment.
The Trojan horse cannot write down to an unclassified file. But it can do things that are visible from the outside and thus send the contents of TOP SECRET files through a covert channel.
The T.H. either runs or waits, so the system load will vary. Small bandwidth channel.
The T.H. can or cannot use shared resources: to send a bit, the T.H. fills up the printer line to send a 1 bit, or empties it for a 0 bit.

UNIX Woes: SUID Programs

Programs can execute the setuid system call.
The executable runs as if executed by the user.
Sendmail uses setuid to implement email.
A user can cause programs to run as root with input they provide.
Favorite targets of buffer overflow attacks.

Access Control: Details

Static access control matrix:
Easy to evaluate. Easy to reflect security. Can be implemented in a number of ways:
Access Control List
List of Rights
Database
Matrix
Useless in practice because subjects and objects are constantly created.
Therefore: we need an updatable access control matrix.

Access Control: Details

Transformation procedures update the Access Control Matrix (Harrison, Ruzzo, Ullman, CACM 1975):
Create subject s
Create object o
Enter right into ACM[s,o]
Delete right from ACM[s,o]
Destroy subject s
Destroy object o

Access Control: Details

Transformation procedures update the Access Control Matrix (Harrison, Ruzzo, Ullman, CACM 1975).
The system uses these primitives to update the ACM, but not directly: it uses commands.
Some commands are mono-operational: they only involve a single primitive.
Most are more complex: conditional commands.

Access Control: Details (Harrison, Ruzzo, Ullman, CACM 1975)

Two special rights:
Copy right / Grant right: allows the possessor to grant rights to others, but only those that they also possess. ("Change Permission" right in Windows.)
Own right: allows the possessor to grant rights over an object to others. (The UNIX chown command changes permissions that others have over an object.)

Access Control: Details

Principle of Attenuation of Privilege: a subject may not give rights it does not possess to another.
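The HRU primitives, the commands built from them, and the copy/own rights with attenuation of privilege from the last three slides, as one added example (my own code, not from the course or the HRU paper). The `*` suffix for "held with the copy flag" and the command names are assumptions of this example.

```python
COPY = "*"  # suffix marking a right held together with its copy (grant) flag
class ACM:
    """Access control matrix changed only through the six HRU primitives."""
    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.rights = {}  # (subject, object) -> set of rights

    # The six primitive operations listed on the slides.
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)  # a subject is an object too
    def create_object(self, o):
        self.objects.add(o)
    def enter(self, r, s, o):
        if s in self.subjects and o in self.objects:
            self.rights.setdefault((s, o), set()).add(r)
    def delete(self, r, s, o):
        self.rights.get((s, o), set()).discard(r)
    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)
    def destroy_object(self, o):
        self.objects.discard(o)
        self.rights = {k: v for k, v in self.rights.items() if o not in k}
    def has(self, r, s, o):
        return r in self.rights.get((s, o), set())

# Commands drive the primitives: a condition, then one or more primitives.
def cmd_create_file(acm, owner, f):
    """Not mono-operational: one create plus three enters. The owner gets
    'own' and read/write carrying the copy flag."""
    acm.create_object(f)
    for r in ("own", "read" + COPY, "write" + COPY):
        acm.enter(r, owner, f)

def cmd_grant(acm, granter, r, grantee, o):
    """Copy/grant right: r is passed on only if the granter holds r with the
    copy flag (attenuation of privilege: no giving what you do not have)."""
    if grantee not in acm.subjects or not acm.has(r + COPY, granter, o):
        return False
    acm.enter(r, grantee, o)  # the grantee gets r without the copy flag
    return True

def cmd_owner_grant(acm, owner, r, grantee, o):
    """Own right: the owner may confer any right, copy flag included."""
    if grantee not in acm.subjects or not acm.has("own", owner, o):
        return False
    acm.enter(r, grantee, o)
    return True
```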

Access Control: Details

General question: given a system, how can we determine that it is secure?
First, define "secure":

Access Control: Details

Definition (Leaking): when we can add a right through ACM transformations to an element of the ACM that does not have this right, we say that the right has been leaked.

Access Control: Details

The ACM is in a given state. Transformations alter the state.
Definition: if a system in initial state S0 can never leak the right r, then it is called safe with respect to the right r. Otherwise, it is called unsafe.

Access Control: Details

Results (Harrison, Ruzzo, Ullman):
There exists an algorithm that will determine whether a given mono-operational protection system with initial state S0 is safe with respect to a generic right r.
It is undecidable whether a given state of a given system is safe for a given generic right.

Confidentiality Policies

A confidentiality policy (a.k.a. information flow policy) prevents unauthorized disclosure of information.

Bell-LaPadula Model

Combines mandatory and discretionary access controls.
Mandatory access control supersedes discretionary access control.
Only models reads and writes.

Bell-LaPadula Model I

Hierarchical levels for objects and subjects: Unclassified (UC) – Confidential (C) – Secret (S) – Top Secret (TS).
S can read O if and only if level(O) ≤ level(S) and S has discretionary read access to O.
[*-property] S can write O if and only if level(O) ≥ level(S) and S has discretionary write access to O.

Bell-LaPadula Model I

Example: to read a secret file, you need to have top secret or secret classification. To write to a secret file, you cannot have top secret classification.
Rationale: someone with Secret classification is not allowed to write a file that will be given unclassified classification.

Bell-LaPadula Model II

Expand the model by introducing categories. Categories reflect "need to know".
Example: ComSec, InfoSec

Excurse: Lattices

Security levels do not need to be arranged in a complete ordering.
Lattices: a mathematical structure with a partial ordering that is rich enough for this purpose.

Excurse: Lattices

Figure: Totally Ordered Set (left) vs. Lattice (right)

Excurse: Lattices

A partial ordering ≤ on a set S is reflexive, transitive, and antisymmetric.
(S, ≤) is a total order if for any two elements a, b ∈ S we have a ≤ b or b ≤ a.
A least upper bound u for a, b in a partially ordered set S has the properties: a ≤ u, b ≤ u, and for all v ∈ S: [a ≤ v and b ≤ v] implies u ≤ v.

Excurse: Lattices

A greatest lower bound g for a, b in a partially ordered set S has the properties: g ≤ a, g ≤ b, and for all v ∈ S: [v ≤ a and v ≤ b] implies v ≤ g.

Excurse: Lattices

A set with a partial ordering is a lattice if any two elements have a least upper bound and a greatest lower bound.

Bell-LaPadula Model II

The model consists of:
a set of subjects S
a set of objects O
a set of access operations A = {read, execute, append, write}
a lattice of security levels
a set of security level assignments F.

Bell-LaPadula Model II

An element of F is a triple giving:
the maximum security level a subject can have,
the current security level a subject can have,
the classification of all objects.
The current security level is smaller than or equal to the maximum security level.

Bell-LaPadula Model II

Simple Security Property: no read-up security policy.
*-Property, for writes / appends: the current security level of the writer needs to be smaller than the security level of the object. No write-down.
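The lattice of (level, compartments) from the "Excurse: Lattices" slides together with the two BLP properties above, as an added example (my code, not the course's). The four levels and the CRYPTO/COMSEC compartments are the ones named on the slides; the labelled subject and objects are constructed for the example, and only the current level of a subject is modelled.

```python
LEVELS = {"UC": 0, "C": 1, "S": 2, "TS": 3}  # hierarchical levels from the slides

def dominates(a, b):
    """a >= b in the lattice: level at least b's and a superset of b's
    categories. A label is a (level, set_of_categories) pair."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]

def lub(a, b):
    """Least upper bound: the higher level, union of categories."""
    return (max(a[0], b[0], key=LEVELS.get), a[1] | b[1])

def glb(a, b):
    """Greatest lower bound: the lower level, intersection of categories."""
    return (min(a[0], b[0], key=LEVELS.get), a[1] & b[1])

def comparable(a, b):
    """The order is only partial: labels in disjoint compartments are incomparable."""
    return dominates(a, b) or dominates(b, a)

def can_read(current, obj, dac_read):
    """Simple security property (no read-up), then the discretionary check."""
    return dac_read and dominates(current, obj)

def can_write(current, obj, dac_write):
    """*-property (no write-down): the object's label must dominate the writer's."""
    return dac_write and dominates(obj, current)

# Constructed labels: a subject currently at TS in the CRYPTO compartment only.
SUBJECT = ("TS", {"CRYPTO"})
CRYPTO_MEMO = ("S", {"CRYPTO"})
COMSEC_MEMO = ("C", {"COMSEC"})
PUBLIC_NOTE = ("UC", set())
JOINT_REPORT = ("TS", {"CRYPTO", "COMSEC"})
```

Note that the subject cannot read COMSEC_MEMO even though it is only Confidential: the compartment, not the level, is what the order denies.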

Bell-LaPadula Model II

The definition does not allow high-level subjects to write to low-level subjects. In this case, either:
1. Temporarily downgrade the writer.
2. Identify a set of subjects (a.k.a. Trusted Subjects) which are permitted to violate the * policy.

Bell-LaPadula Model II

Discretionary Security Policy: an access is only allowed if it is allowed by the discretionary access matrix.
Basic Security Theorem: if all state transitions in a system are secure and if the initial state is secure, then all states of the system are secure.

Bell-LaPadula Model II

Limitations:
BLP can become meaningless if there are state transitions that allow changes of access rights.
BLP only deals with confidentiality.
BLP does not address management of access control (see the Harrison-Ruzzo-Ullman model).
BLP does not prevent covert channels.

Chinese Wall

Chinese Wall model (Brewer & Nash): models access rules in a consultancy business.
Analysts should not have conflicts of interest:
Alice first helps Client 1, gaining knowledge over a market.
Alice then helps Client 2 with the knowledge gained from helping Client 1.

Chinese Wall

The set of subjects S are consultants.
The set of companies is C.
The set of objects O is items of information concerning a single company.
Conflict of interest classes indicate which companies are in competition.
The security label of an object is the list of competitors of the company.

Chinese Wall

Sanitizing: remove all information from an object that can be used.

Chinese Wall

Chinese Wall rules:
Read access is granted only if: the object belongs to a company dataset already held by the user, or to an entirely different conflict of interest class.
Write access is granted only if: no other object can be read which is in a different company dataset and contains unsanitized information.
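The two Chinese Wall rules above as executable checks, with the security label of an object being the competitor list as the slides define it. This is an added example (my code, not the course's or Brewer and Nash's); the companies, conflict classes and objects are constructed.

```python
CONFLICT_CLASSES = [{"BankA", "BankB"}, {"OilX", "OilY"}]  # constructed competitors

def conflict_class(company):
    """All companies competing with `company` (including itself)."""
    return next((c for c in CONFLICT_CLASSES if company in c), {company})

class Obj:
    """An item of information about one company; its label is the competitor list."""
    def __init__(self, name, company, sanitized=False):
        self.name, self.company, self.sanitized = name, company, sanitized
        self.label = conflict_class(company) - {company}

class Consultant:
    def __init__(self, name):
        self.name = name
        self.held = set()  # company datasets this consultant has already read

    def can_read(self, obj):
        """Read rule: dataset already held, or an entirely different conflict
        class (no competitor of obj's company among the held datasets)."""
        if obj.sanitized or obj.company in self.held:
            return True
        return not (obj.label & self.held)

    def read(self, obj):
        """Reading an unsanitized object commits the consultant to that dataset."""
        if not self.can_read(obj):
            return False
        if not obj.sanitized:
            self.held.add(obj.company)
        return True

    def can_write(self, obj, all_objects):
        """Write rule: only if no readable object holds unsanitized information
        from a different company dataset; this closes the indirect flow
        between datasets that the model exists to stop."""
        if not self.can_read(obj):
            return False
        return all(o.sanitized or o.company == obj.company
                   for o in all_objects if self.can_read(o))
```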

Security Kernel

Orange Book: Trusted Computer Security Evaluation Criteria (TCSEC)
a yardstick for users to assess the degree of trust that can be placed in a computer system
guidance for manufacturers of computer security systems
a basis for specifying security requirements when acquiring a computer security system

Security Kernel

Orange Book Security Divisions:
D – Minimal Protection
C1 – Discretionary Security Protection
C2 – Controlled Access Protection
B1 – Labeled Security Protection
B2 – Structured Protection
B3 – Security Domains
A1 – Verified Design

Security Kernel

Computer systems are designed in layers. A security mechanism at one layer can be subverted by an attack at a lower level.
Implementing security mechanisms at lower levels can lead to less performance overhead.

Security Kernel

Orange Book definitions:
REFERENCE MONITOR: an access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.
SECURITY KERNEL: the hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept.
TRUSTED COMPUTING BASE: the totality of protection mechanisms within a computer system.

Security Kernel

Users must not be able to modify the operating system.
Users should be able to invoke the OS.
Users should not be able to invoke the OS
Tools:
status information
controlled invocation = restricted privilege

Security Kernel

The OS needs to distinguish between operations on behalf of the OS and on behalf of a user.
Motorola 68000: one status bit allows distinguishing between user mode and kernel mode.
Intel 80386: two status bits giving 4 modes.
Example: how to allow processes to switch between root and user level? SUID, …

Security Kernel

Motorola 68000:
Has a 16-bit status register including: T – trace bit; S – supervisor bit; interrupt level in 3 bits.
Operating systems are implemented with TRAP calls.
The processor uses memory mapped I/O.
The address decoder receives input from the status bits. Based on status, processes can access: user data, user program, supervisor data, supervisor program, interrupt acknowledge.

Security Kernel

Intel 80386:
Supports 4 privilege levels.
Stores information about system objects in descriptors. Stored in a descriptor table. Accessed via selectors.
The privilege level of an object is stored in its descriptor.
Selectors contain a Requested Privilege Level (RPL) field.

Security Kernel

Intel 80386:
Assume an application level program needs service from an OS service.
Done by gates: a system object that points to a procedure.
To be used, the gate needs to have the same level as the invoking procedure.
When invoking a subroutine through a gate, the current privilege level changes to that of the procedure pointed to by the gate.
Part of the stack is copied to a more privileged stack segment.

Security Kernel

80386: the security policy needs to take both the current privilege level and the privilege level of the triggering application into account.
Done by the RPL field and the adjusted requested privilege level instruction.

