CSCD 303 Essential Computer Security, Fall 2017
Lecture 4 - Access Control Methods
Reading: CompTIA Text Chapter 2
[Diagram: Access Control branches into Digital (Detection, Prevention, Models) and Physical (User Centric, Building or Environment Centric)]
Access Control
Huge part of security: controlling access to information from people or systems who do not have authorization, while allowing access to information to people or systems who are authorized
Access Control: Different forms of Access Control
Digital
Detection – Intrusion Detection Systems, log analysis, digital forensics
• All help with detecting break-ins
Prevention – disable accounts, cryptography, hardening systems
Access Control: Different forms of Access Control
Digital: Models of Access Control
Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-based Access Control (RBAC)
• All have to do with rules governing users' or processes' access to objects within the system
Access Control
Constrains what users can do, plus what programs executing for users are allowed to do
Prevent activity leading to a breach of security
Protect against accidental and malicious threats by regulating reading, writing and execution of data and programs
Access control relies on other security services: user identification and authentication, protection of stored keys
Key element of computer security
Access Control (AC) Principles
AC is enforced by a Reference Monitor, which mediates every attempted access by a user/process to system objects
Reference monitor consults the authorization database to check if the user is authorized for the requested operation
[Figure: reference monitor diagram with components User, Authentication, Access control, Reference monitor, Authorization database, Auditing, Security admin., Objects]
Access Control Elements
1. Subjects: active entities, such as user processes, that gain access to information on behalf of people
2. Objects: passive repositories of information to be protected, such as files
3. Authorization database: repository for the security attributes of subjects and objects. From these attributes, the reference monitor determines what kind of access (if any) is authorized.
4. Audit trail: record of all security-relevant events, such as access attempts, successful or not.
5. Access right: way in which a subject accesses an object, e.g. read, write, execute, delete, create, search
Access Control – Reference Monitor Concept
According to the reference monitor concept, a computer system can be depicted in terms of subjects, objects, an authorization database, an audit trail, and a reference monitor
The reference monitor is the control center that authenticates subjects and implements and enforces the security policy for every access to an object by a subject
In an ideal system, the reference monitor must meet three requirements:
Mediate every attempt by a subject to gain access to an object
Provide a tamperproof database and audit trail that are protected from unauthorized observation and modification
Be a small, simple, and well-structured piece of software that is effective in enforcing security requirements and can be verified to be secure
• Verified to be secure is a big deal for DOD systems that use mathematical verification for their highest level systems
Access Control (AC) Principles
1. The system must first authenticate a user seeking access
2. The access control function determines if the requested access by this user is permitted
3. The security administrator maintains an authorization database which the access control function consults to determine whether to grant access
4. The auditing function monitors and keeps a record of user accesses to system resources
Access Control Policies
Over time, various access control policies evolved
Discretionary Access Control (DAC): user-oriented security policy (based on identity of requestor); an entity has rights to enable another entity to access a resource like a file
Mandatory Access Control (MAC): access permissions are defined by the system, based on comparing security labels of system resources with security clearances of entities accessing the resources; a cleared entity cannot pass on access rights to another entity
Role-Based Access Control (RBAC): based on roles that users have within the system and on rules stating what accesses are allowed to users in given roles
[Figure: Venn diagram of DAC, MAC and RBAC – the policies are not mutually exclusive]
Discretionary Access Control
User-oriented security policy: discretionary because an entity has rights to enable another entity to access a resource
General approach used in operating systems and database management systems is that of an Access matrix
Lists subjects in one dimension (rows)
Lists objects in the other dimension (columns)
Each matrix entry specifies the access rights of the specified subject to that object
Access Matrix: Example
[Figure: access matrix with subjects User A, User B, User C as rows and objects File 1 to File 4 as columns; each entry holds a subset of the access rights Own, Read, Write]
Access Matrix Elements: Users, Principals, Subjects
User – a real world user
Principal – a unit of access control and authorization – role, level
Subject – process or program for a user
[Figure: user → principals → subjects]
User – Principal
One-to-many mapping between user and principals
System authenticates the user in the context of a principal
Shared principals (accounts) are not good for accountability
[Figure: user Alice maps to principal Alice.Secret; user Bob maps to principals Bob.Dean, Bob.Faculty, Bob.Super-user]
Principal – Subject
One-to-many mapping between principal and subjects
A subject is a program or application run on behalf of a principal
Subjects are often treated the same as the principal if all subjects of a principal have the same rights
[Figure: principal Alice.Top-secret maps to subjects Word and Database]
Access Matrix Elements: Objects
An object is anything on which a subject can perform operations mediated by access rights
Usually objects are passive, for example files, directories, memory segments
Access Matrix Elements: Rights
A right specifies what kind of access a subject can perform on an object
Own, Read, Write, Execute, Create, Delete, Transfer, ...
Implementation of an Access Matrix
[Figure: the access matrix example repeated – User A, User B, User C versus File 1 to File 4, entries drawn from Own, Read, Write]
In practice, an access matrix is usually sparse
Therefore implemented by decomposition in one of two ways:
By columns – Access Control Lists
By rows – Capability tickets
Access Control Lists (ACL)
Each column of the access control matrix is stored with the corresponding object
[Figure: the access matrix decomposed by column into one ACL per object, File 1 to File 4]
Access Control Lists (ACL)
Access rights stored with objects
ACL may contain default (public) entries
If a user is not explicitly listed in the ACL, default rights apply (e.g., read only)
Elements of an ACL include individual users as well as groups of users
ACLs are convenient to determine which subjects have which access rights to particular resources
UNIX and Windows use ACLs to protect files/processes
ACL requires subjects to be authenticated before access to a particular object!
Capability Lists (Capabilities)
Each row of the access control matrix is stored with the corresponding subject
[Figure: the access matrix decomposed by row into one capability list per subject, User A, User B, User C]
Capabilities
Access rights stored with subjects
Capability ticket specifies authorized objects and operations for a particular subject
Easy to determine the set of access rights for a given user
Each user may have many tickets
User may be authorized to give them to others
Tickets may be dispersed around the system, a great security problem
Unforgeability – include an unforgeable crypto token in the capability
Used in distributed systems – e.g. Kerberos
Capability tickets require unforgeability and capability propagation control!
Comparison of ACL and Capabilities
ACL:
Access rights stored with objects
Requires authentication of subjects
Provides access review on a per-object basis
Most operating systems such as UNIX and Windows use ACLs to protect files
Capabilities:
Access rights stored with subjects
Requires unforgeability of capabilities and propagation control of capabilities
Provides revocation facilities on a per-subject basis
Used in authentication systems such as Kerberos
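As an added example (not part of the lecture), the matrix from the slides decomposed both ways in Python, with a minimal reference monitor answering requests against each form; it also shows why per-object review is cheap with ACLs and per-subject revocation cheap with capabilities. The matrix contents are constructed for this example and the function names are assumptions.

```python
# Added example: access matrix -> ACLs (by column) and capabilities (by row),
# plus a minimal reference monitor over each representation.
from typing import Dict, Set

# Sparse access matrix: subject -> object -> set of rights (constructed sample,
# modelled on the User A/B/C versus File 1-4 matrix on the slides)
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "User A": {"File 1": {"Own", "Read", "Write"},
               "File 3": {"Own", "Read", "Write"}},
    "User B": {"File 1": {"Read"},
               "File 2": {"Own", "Read", "Write"},
               "File 3": {"Write"},
               "File 4": {"Read"}},
    "User C": {"File 1": {"Read", "Write"},
               "File 2": {"Read"},
               "File 4": {"Own", "Read", "Write"}},
}


def to_acls(matrix):
    """Column decomposition: each object keeps its list of (subject, rights)."""
    acls: Dict[str, Dict[str, Set[str]]] = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row decomposition: each subject keeps its own capability tickets."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}


def acl_check(acls, subject, obj, right, default=frozenset()):
    """Reference monitor over ACLs. A subject that is not listed gets the
    default (public) rights the slides mention, e.g. read-only."""
    entry = acls.get(obj, {})
    return right in entry.get(subject, default)


def cap_check(caps, subject, obj, right):
    """Reference monitor over capability lists: consult only the subject's row."""
    return right in caps.get(subject, {}).get(obj, set())


def access_review(acls, obj):
    """Per-object review is cheap with ACLs: who can touch this object, and how?"""
    return {s: sorted(r) for s, r in acls.get(obj, {}).items()}


def revoke_subject(caps, subject):
    """Per-subject revocation is cheap with capabilities: drop the whole row."""
    caps.pop(subject, None)
    return caps
```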
Linux Access Control
• Overview of Linux Security Access Control
• File System Security (DAC)
– Users and Groups
– File and Directory Permissions
• Kernel Space vs. User Space
• Traditional security model
– People or processes with “root” privileges can do anything
– Other accounts can do much less
• Goal of hackers – to gain root privilege
– So you can access or change anything
• Linux can be run robust and secure
– Many system admins fail to use the security features
– Add-on tools like sudo and Tripwire available
• Crux of the problem – Discretionary Access Control
File System Security
• In Linux everything is a file
• I/O to devices is via a “special” file
– Example: /dev/cdrom points to /dev/hdb which is a special file
• Have other special files like named pipes
– A conduit between processes / programs
• Since almost everything is a file
– File security very important !!!
Users and Groups
• Users and Groups are not files
• Users
– Someone or something capable of using files
– Can be human or process
– e.g. lpd (Linux Printer Daemon) runs as user lp
• Groups
– List of user accounts
– User’s main group membership specified in /etc/passwd
– User can be added to additional groups by editing /etc/group
– Command line -> useradd, usermod, and userdel
Understanding /etc/passwd
1. Username: used when the user logs in. Between 1 and 32 characters in length
2. Password: an x character indicates that the encrypted password is stored in the /etc/shadow file
3. User ID (UID): each user is assigned a user ID (UID). UIDs 1-99 are reserved for other predefined accounts
• UIDs 100-999 are reserved by the system for administrative and system accounts/groups
4. Group ID (GID): the primary group ID, stored in the /etc/group file
5. User ID Info: the comment field
• Allows you to add extra information about the user
6. Home directory: absolute path of the directory the user will be in when they log in
• If this directory does not exist, the user's directory becomes /
7. Command/shell: the absolute path of a command or shell, e.g. /bin/bash
• Typically this is a shell. Note that it does not have to be a shell.
Understanding /etc/group
1. Group_name: name of the group
2. Password: generally a password is not used, hence it is empty/blank. It can store an encrypted password; useful to implement privileged groups
3. Group ID (GID): a group ID must be assigned to every user
4. Group List: list of user names of users who are members of the group. The user names must be separated by commas
File Permissions
• Files have two owners: a user & a group
– Each with its own set of permissions
– With a third set of permissions for other
• Permissions are to read/write/execute, in order: user/group/other
3 types of permissions (rights): r – read file or directory; w – write to file or directory; x – execute file or search directory
The command $ ls -l shows details for files and directories
$ ls -l capture2.png
-rw-r--r-- 1 carol carol 42377 Mar 16 2017 capture2.png
What is the command to change permissions in Linux? chmod
Changing File Permissions
How to change this file to rw for everyone?
chmod 666 capture2.png or chmod ugo+rw capture2.png
Can also show privileges as three groups of numbers (least to most significant)
0 = No Permission, 1 = Execute, 2 = Write, 4 = Read
You basically add up the numbers depending on the level of permission you want to give.
For the file permissions we just changed, 110 110 110 for 6 6 6
Result of the chmod command:
-rw-rw-rw- 1 carol carol 42377 Mar 16 2017 capture2.png
Now all users, group and others can read+write this file
Directory Permissions
• Permissions on directories are slightly different
– read = list contents
– write = create or delete files in directory
– execute = use anything in, or change working directory to, this directory
• Example from my computer
drwxr-xr-x 2 carol carol 4096 Oct 6 2014 mydesktop
What permissions does this imply?
Sticky Bit
• Used to trigger a process to “stick” in memory or lock a file in memory
– Usage now obsolete
• Currently used on directories to suppress deletion of files that are owned by others
– Other users cannot delete even if they have write permission
• Example: set group-write bit for directory mydesktop
– Example from my computer: $ chmod g+w mydesktop
• Set sticky bit using chmod command with +t flag
– Example: $ chmod +t mydesktop
• Directory listing includes t or T flag
– Example: drwxrwxr-t 2 carol carol 4096 Oct 6 2014 mydesktop/
SetUID and SetGID
• SetUID bit: means the process is “run with same privileges as” the owner
• No matter who executes it
• SetGID bit: means “run with same privileges as” a member of the group that owns it
– Again regardless of who executes it
• Processes with SetUID and SetGID
• Are dangerous files owned by root or other privileged account or group
– Only used on executable files, not shell scripts
– The command “sudo” is a much better tool for delegating root’s authority
• Example from my computer:
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 43280 Feb 15 2011 /usr/bin/passwd
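As an added example (not from the lecture), a Python converter between the permission field that ls -l prints and the numeric form chmod takes, covering the rw/rwx arithmetic above as well as the setuid, setgid and sticky flags (s/S, t/T) that replace the execute letter; the last helper flags the root-owned setuid case the slides call dangerous. Function names are assumptions.

```python
# Added example: ls -l mode string <-> chmod octal, including the special bits.
SPECIAL_BIT = {2: 4, 5: 2, 8: 1}   # execute-slot index -> setuid / setgid / sticky


def mode_to_octal(mode: str) -> str:
    """'-rwsr-xr-x' -> '4755'. The leading file-type character is ignored."""
    perm = mode[1:]
    if len(perm) != 9:
        raise ValueError("expected a type character plus 9 permission characters")
    special, digits = 0, []
    for group in range(3):                      # user, group, other
        value = 0
        for offset, bit, letter in ((0, 4, "r"), (1, 2, "w"), (2, 1, "x")):
            i = group * 3 + offset
            ch = perm[i]
            if offset == 2 and ch in "sStT":    # special bit in the execute slot
                special |= SPECIAL_BIT[i]
                if ch.islower():                # lower case: execute bit also set
                    value |= bit
            elif ch == letter:
                value |= bit
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} at position {i + 1}")
        digits.append(str(value))
    return str(special) + "".join(digits)


def octal_to_mode(octal: str, is_dir: bool = False) -> str:
    """'4755' -> '-rwsr-xr-x'. A 3-digit value (e.g. '666') means no special bits."""
    octal = octal.rjust(4, "0")
    special = int(octal[0])
    out = ["d" if is_dir else "-"]
    for group, digit in enumerate(octal[1:]):
        value = int(digit)
        out.append("r" if value & 4 else "-")
        out.append("w" if value & 2 else "-")
        has_x = bool(value & 1)
        if special & (4, 2, 1)[group]:          # setuid, setgid, sticky
            flag = "t" if group == 2 else "s"
            out.append(flag if has_x else flag.upper())
        else:
            out.append("x" if has_x else "-")
    return "".join(out)


def is_setuid_root(mode: str, owner: str) -> bool:
    """True for the case the slides single out: a setuid binary owned by root."""
    return mode[3] in "sS" and owner == "root"
```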
Windows Security Architecture: Overview
• Pieces of Security in Windows
– Security Reference Monitor
– Local Security Authority
– Security Account Manager
– Active Directory
– Local vs. Domain Accounts
– Access Control Lists
– Integrity Control
– User Account Controls
Security Problems of DAC (General)
However, DAC does not provide real assurance – access restrictions can be easily bypassed
Trojan horse attack
[Figure: ACLs of File F and File G – File F lists Principal U (Read, Write); File G lists Principal U (Write) and Principal V (Read)]
Principal V is a bad guy who wants to read file F
Security Problems of DAC (2)
Principal V sends U benign software with a Trojan horse included
U executes the software; the Trojan horse gains U’s privileges
[Figure: U executes the benign software carrying the Trojan horse; File F's ACL lists Principal U (Read, Write), File G's ACL lists Principal U (Write) and Principal V (Read)]
Principal V can read file F with the help of the Trojan horse
Mandatory Access Control (MAC)
MAC attaches security labels to subjects and objects
Security label of a subject: security clearance
Security label of an object: security classification
System controls access to resources by comparing security labels of resources (e.g. system, high, low security) with security clearances of subjects accessing resources
Users have no control over security labels (unlike in DAC)
Note that a cleared entity cannot pass on access rights to another entity (as it can in DAC)
MAC restricts information flow to certain can-flow paths (depending on the information flow policy)
Controlling Information Flow – Confidentiality
Military security classes as security labels: Top secret, Secret, Confidential, Unclassified (high level to low level)
If the subject’s level is equal to or greater than the object’s level, the subject is allowed to read the object (read down)
Note that a subject may only write up
[Figure: lattice from Unclassified (low level) up to Top secret (high level); the can-flow direction is from lower to higher levels]
Controlling Information Flow – Integrity
Windows Vista Mandatory Integrity Control (MIC) defines 4 integrity levels: low, medium, high and system
If the subject’s level is equal to or greater than the object’s level, the subject is allowed to write to or delete the object (write down)
Else, can only read if allowed by the ACL (read up)
[Figure: integrity levels Low, Medium, High, System (low level to high level); the can-flow direction is from higher to lower levels]
Bell and LaPadula model (BLP)
A formal MAC model for protection of confidentiality
D. E. Bell and L. J. LaPadula. Secure computer systems: mathematical foundations and model. MITRE, 1974
Essentially based on read down and write up principles
– Read down is allowed: a subject can read objects at equal or lower levels
– Write down is not allowed: a subject can't create lower-level objects
Will show later how BLP protects against the Trojan horse attack (information leakage) in the context of DAC
BLP Model (1)
Simple-security property: Subject S can read object O only if
• Label(S) dominates (>=) Label(O)
• Information can flow from Label(O) to Label(S)
• Allowed to read all info at equal or lower levels
Star-property: Subject S can write object O only if
• Label(O) dominates (>=) Label(S)
• Information can flow from Label(S) to Label(O)
• No write down: a higher subject can't write to lower-level objects
[Figure: read down – information can flow from Label(O) up to Label(S); write up – information can flow from Label(S) up to Label(O)]
BLP Model (2)
Note: the BLP model is applied to subjects, not users
Users are somewhat trusted
Subjects are not trusted due to Trojan horses
Processes or programs act as subjects
Star-property prevents information leakage caused by Trojan horses
Recall the Security Problem of DAC
Principal V sends U benign software with a Trojan horse included
U executes the software; the Trojan horse gains U’s privileges
[Figure: the Trojan horse scenario again – File F's ACL lists Principal U (Read, Write), File G's ACL lists Principal U (Write) and Principal V (Read)]
Principal V can read file F with the help of the Trojan horse
BLP Star Property Solves the Problem
Assign a high (sensitive) security label to Principal U and File F, and a low (public) security label to Principal V and File G
[Figure: the same scenario with Principal U and File F at Label H and Principal V and File G at Label L; the star-property blocks the Trojan horse's write from H to L, since information can flow only from L to H]
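As an added example (not from the lecture), a small Python reference monitor that applies the BLP simple-security and star-properties and the Windows MIC write-down rule from the integrity slide, then replays the Trojan horse scenario from the slides to show the star-property stopping the leak that DAC alone permits. Labels, principals and file names follow the slides; the level tables and function names are assumptions.

```python
# Added example: BLP (confidentiality) and MIC (integrity) checks, plus a replay
# of the DAC Trojan horse scenario with and without BLP enforcement.
CONF_LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top secret": 3}
MIC_LEVELS = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


def dominates(a, b, levels):
    """Label a dominates label b when its level is equal or higher."""
    return levels[a] >= levels[b]


def blp_allows(op, subject_label, object_label, levels=CONF_LEVELS):
    """Bell-LaPadula: read down (simple-security), write up (star-property)."""
    if op == "read":
        return dominates(subject_label, object_label, levels)
    if op == "write":
        return dominates(object_label, subject_label, levels)
    raise ValueError(f"unknown operation {op!r}")


def mic_allows(op, subject_level, object_level, acl_permits=True):
    """Windows MIC: write/delete only to equal or lower integrity (write down);
    reading is left to the DAC ACL (read up)."""
    if op in ("write", "delete"):
        return dominates(subject_level, object_level, MIC_LEVELS)
    if op == "read":
        return acl_permits
    raise ValueError(f"unknown operation {op!r}")


def trojan_horse_leak(labels, dac_acl, levels):
    """Replay the slides' scenario: a Trojan horse running as U reads F and
    writes it into G, then V reads G. Every step must pass DAC; with MAC
    on, every step must also pass BLP. Returns (leaks_dac, leaks_dac_plus_blp)."""
    def dac(principal, obj, op):
        return op in dac_acl[obj].get(principal, set())

    steps = [("U", "F", "read"), ("U", "G", "write"), ("V", "G", "read")]
    dac_leak = all(dac(p, o, op) for p, o, op in steps)
    blp_leak = dac_leak and all(blp_allows(op, labels[p], labels[o], levels)
                                for p, o, op in steps)
    return dac_leak, blp_leak
```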
MAC in Real Life
Windows Vista Mandatory Integrity Control (MIC)
In the context of Internet Explorer, Acrobat Reader etc. E.g., a user visits a malicious website with IE 7.0; a vulnerability in IE 7.0 introduces malware to the host; the malicious code runs with low privileges (security label); due to Windows MIC, the malicious code cannot access objects with higher security labels
Security-Enhanced Linux (SELinux): uses the Linux Security Module to implement MAC; enforces MAC policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs
Android permissions: components that belong to different applications can communicate if they hold the same security labels
RBAC
Traditional DAC systems define access rights of individual users and groups of users
In many organizations, users do not own the information to which they are allowed access
Company is the actual owner of system objects
Access control is often based on employee job functions (roles) rather than data ownership
E.g. roles in a hospital: doctor, nurse, pharmacist, ...
RBAC is based on roles that users assume in an organization (rather than the user’s ID)
RBAC systems assign access rights to roles, and users are assigned to different roles
Role
Role represents users: specific competency, job responsibility, specific duty assignment
Role defines permissions: operator role, security officer role, auditor role
Users, Roles and Resources
The relationship of users to roles is many to many
The relationship of roles to resources, or system objects, is also many to many
[Figure: User 1, User 2 and User 3 are member_of Role 1; Role 1 performs trans_a on Object 1 and trans_b on Object 2]
Hierarchical Roles
Roles can be composed of roles
[Figure: User 1, User 2, User 3 are member_of Intern, which performs trans_a on Object 1 and trans_b on Object 2; User 4, User 5, User 6 are member_of Doctor, which performs trans_c on Object 3 and trans_d on Object 4; Doctor is also member_of Intern, so it inherits the Intern role's permissions]
Security Management with RBAC
Security management is simpler with roles
User-role relationship changes over time – the set of users changes frequently
Set of roles in a system is likely to be more static
Role-permission relationship is relatively stable
Set of resources and specific access rights associated with a particular role are also likely to change only infrequently
[Figure: RBAC0 model – user –UA: user assignment (dynamic)–> role –PA: permission assignment (stable)–> permission; sessions (one-to-many mapping); the model is flexible]
Advantages of RBAC
Authorization management: RBAC breaks the authorization task into two independent parts:
• One which assigns users to roles, and
• One which assigns rights for objects to roles
Easy revocation of rights
Hierarchical roles, specialized RBAC model
Least privilege: roles allow a user to sign on with the least privilege required for the particular task at hand
Users with powerful roles do not need to exercise them until those privileges are actually needed; think of root or admin privileges
Separation of duties: no single principal should be given enough privileges to misuse the system on their own
E.g. two-person operation: 1st any authorized user, 2nd any authorized user different from the 1st (example: banks)
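As an added example (not from the lecture), a Python model of the RBAC0 pieces just described: user assignment (UA), permission assignment (PA), the Doctor-inherits-Intern hierarchy from the figure, sessions that activate only the roles a task needs (least privilege), cheap revocation, and a two-person separation-of-duty check. The roles, objects and transaction names follow the slides; the users, the Auditor role and the function names are constructed assumptions.

```python
# Added example: RBAC with a role hierarchy, sessions and separation of duty.
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]          # (operation, object)

PA: Dict[str, Set[Permission]] = {    # permission assignment (constructed)
    "Intern": {("trans_a", "Object 1"), ("trans_b", "Object 2")},
    "Doctor": {("trans_c", "Object 3"), ("trans_d", "Object 4")},
    "Auditor": {("review", "Audit log")},
}
PARENT: Dict[str, str] = {"Doctor": "Intern"}   # Doctor is senior to Intern
UA: Dict[str, Set[str]] = {                      # user assignment (constructed)
    "User 1": {"Intern"},
    "User 4": {"Doctor"},
    "User 7": {"Doctor", "Auditor"},
}


def effective_roles(role):
    """Walk the hierarchy: a role inherits everything its junior roles have."""
    roles = {role}
    while role in PARENT:
        role = PARENT[role]
        roles.add(role)
    return roles


def role_permissions(role):
    perms = set()
    for r in effective_roles(role):
        perms |= PA.get(r, set())
    return perms


class Session:
    """A login session activates a subset of the user's assigned roles, so a
    user with a powerful role need not exercise it for routine work."""

    def __init__(self, user, active_roles):
        assigned = UA.get(user, set())
        extra = set(active_roles) - assigned
        if extra:
            raise PermissionError(f"{user} is not assigned {sorted(extra)}")
        self.user, self.active = user, set(active_roles)

    def can(self, op, obj):
        return any((op, obj) in role_permissions(r) for r in self.active)


def assign_role(user, role):
    UA.setdefault(user, set()).add(role)


def revoke_role(user, role):
    """Revocation touches only the user-role relation, never the permissions."""
    UA.get(user, set()).discard(role)


def two_person_approval(first, second, op, obj):
    """Separation of duty: two different users, each authorized, must approve."""
    if first == second:
        return False
    return all(Session(u, UA.get(u, set())).can(op, obj) for u in (first, second))
```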
Summary
Access Control is a key concept of computer security
Defines what users are allowed to do within a system: what they can access; how and if they can transfer access to others; if they can assume other roles or identities to access resources
Historically, multi-level MAC security policies have dominated the security dialog, especially in high-security government environments
Today, concerns have evolved to how best to scale access to large numbers of users in multi-computer networks
Examples: UNIX and Windows
[Figure: Windows file access control dialog]
[Figure: Unix file access control (WinSCP view)]
Traditional security model (notes)
People or processes with “root” privileges can do anything; other accounts can do much less
Thus, from the attacker's perspective, the challenge of cracking a Linux system boils down to gaining root privileges
Once root privileges are gained, attackers can erase or edit logs; hide their processes, files and directories; and basically redefine the reality of the system as experienced by its admins and users.
Linux security is a game of “root takes all”
Main cause of exposure: many Linux admins fail to take advantage of the security features available to them
People can and do run robust, secure Linux systems by making careful use of native Linux security controls, plus selected add-on tools such as sudo or Tripwire
However, the crux of the problem of Linux security is that the Linux security model is based on discretionary access control (DAC)
Linux Security Transactions
In the Linux DAC system there are users, each of which belongs to one or more groups
There are objects: files and directories
Users read, write, and execute these objects based on the object’s permissions, of which each object has three sets: user-owner, group-owner, and other
These permissions are enforced by the Linux kernel, the brain of the operating system
Basic transaction: a subject attempts some action against some object
Whoever owns an object can set or change its permissions
Real weakness: the root account has the ability to both take ownership and change the permissions of all objects in the system; this provides a way for attackers to hijack those privileges
Let's take a closer look at how the Linux DAC implementation actually works
Linux treats everything as file
Documents, pictures even executable programs are very easy to conceptualize as files
Special files such as named pipes, act as I/O “conduits”, allowing one process or program to pass data to another.
One common example of a named pipe on linux systems is /dev/urandom: when programs reads this file /dev/urandom return random characters from kernal’s random number generators
35
Users and Groups
• Users and Groups are not files
• Users
– Someone or something capable of using files
– Can be human or process
– e.g. lpd (Linux Printer Daemon) runs as user lp
• Groups
– List of user accounts
– User's main group membership specified in /etc/passwd
– User can be added to additional groups by editing /etc/group
– Command line -> useradd, usermod, and userdel
There are two things on a Unix system that aren't represented by files: user accounts and group accounts, which for short we can call users and groups.
A user account represents someone or something capable of using files, e.g. users, processes.
The standard Linux user account "lp", for example, is used by the line printer daemon (lpd): the lpd program runs as the user lp.
A group account is simply a list of user accounts. Each user account is defined with a main group membership, but may in fact belong to as many groups as you want or need it to.
A user's main group membership is specified in the user account's entry in /etc/passwd; you can add that user to additional groups by editing /etc/group and adding the username to the end of the entry for each group the user needs to belong to, or via the usermod command.
Understanding /etc/passwd
Each line has seven colon-separated fields:
1. Username: Used when the user logs in. Between 1 and 32 characters in length.
2. Password: An x character indicates that the encrypted (hashed) password is stored in the /etc/shadow file.
3. User ID (UID): Each user is assigned a user ID (UID). UID 0 is root; UIDs 1-99 are reserved for other predefined accounts.
• UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
4. Group ID (GID): The primary group ID, which refers to a group stored in the /etc/group file.
5. User ID Info: The comment field (GECOS).
• Allows you to add extra information about the user.
6. Home directory: Absolute path of the directory the user will be placed in when they log in.
• If this directory does not exist then the user's directory becomes /.
7. Command/shell: The absolute path of a command or shell, e.g. /bin/bash.
• Typically, this is a shell. Please note that it does not have to be a shell.
Understanding /etc/group
Each line has four colon-separated fields:
1. Group_name: Name of the group.
2. Password: Generally a password is not used, hence it is empty/blank. It can store an encrypted password. Useful to implement privileged groups.
3. Group ID (GID): The numeric ID of the group; every user's primary GID in /etc/passwd must refer to one of these.
4. Group List: List of user names of users who are members of the group. The user names must be separated by commas.
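The two file layouts above, put to work as an added example (not part of the lecture): a parser for /etc/passwd and /etc/group records that computes a user's full group set (primary GID from passwd plus every /etc/group entry that lists the user) and then runs the account checks an admin looks for: extra UID-0 accounts, an empty password field, and membership in the sudo group. The account records are constructed for the example; on a real host you would feed it `open("/etc/passwd").read()` and `open("/etc/group").read()`.

```python
"""Parse /etc/passwd and /etc/group and compute effective group membership.
Added example; the records below are constructed, not from a real host."""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
carol:x:1000:1000:Carol:/home/carol:/bin/bash
biff:x:1001:1001:Biff:/home/biff:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor::0:0:hidden root:/root:/bin/bash
"""

GROUP = """\
root:x:0:
lp:x:7:
carol:x:1000:
biff:x:1001:
drummers:x:1002:biff,carol
sudo:x:27:carol,backup
"""


def parse_passwd(text):
    """Return {username: dict of the remaining six passwd fields}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_group(text):
    """Return {groupname: (gid, set of member names listed in /etc/group)}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def effective_groups(username, users, groups):
    """Primary group (matched by the GID in passwd) plus every group whose
    member list names the user. This is what id(1) prints for the user."""
    primary_gid = users[username]["gid"]
    result = {g for g, (gid, _) in groups.items() if gid == primary_gid}
    result |= {g for g, (_, members) in groups.items() if username in members}
    return result


def audit(users, groups):
    """Sorted list of (username, finding) for the standard account checks:
    a second uid-0 account, an empty password field (no shadow entry, so no
    password is required), and sudo membership (root delegated via sudo)."""
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
        if u["pw"] == "":
            findings.append((name, "empty password field"))
        if "sudo" in effective_groups(name, users, groups):
            findings.append((name, "member of sudo"))
    return sorted(findings)


if __name__ == "__main__":
    u, g = parse_passwd(PASSWD), parse_group(GROUP)
    print("carol:", sorted(effective_groups("carol", u, g)))
    for who, what in audit(u, g):
        print(f"{who}: {what}")
```

The "toor" record is the classic shape of a backdoor account: same UID as root, no password hash, and invisible to anyone who only greps for the name root.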
File Permissions
• Files have two owners: a user & a group
– Each with its own set of permissions
– With a third set of permissions for other
• Permissions are to read/write/execute, in order: user/group/other
3 types of permissions (rights):
r – read file or directory
w – write to file or directory
x – execute file or search directory
Command $ ls -l shows details for files and directories:
$ ls -l capture2.png
-rw-r--r-- 1 carol carol 42377 Mar 16 2017 capture2.png
What is the command to change permissions in Linux? chmod
Changing File Permissions
How to change this file to rw for everyone?
chmod 666 capture2.png or chmod ugo+rw capture2.png
Can also express privileges as three octal digits, user/group/other from left to right; within each digit:
0 = No Permission 1 = Execute 2 = Write 4 = Read
You basically add up the numbers depending on the level of permission you want to give.
For the file permissions we just changed, rw- rw- rw- is 110 110 110 in binary, i.e. 6 6 6.
Result of the chmod command:
-rw-rw-rw- 1 carol carol 42377 Mar 16 2017 capture2.png
Now, all users, group and others can read+write this file.
Directory Permissions
• Permissions on directories are slightly different
– read = list contents
– write = create or delete files in the directory
– execute = use anything in, or change working directory to, this directory
• Example from my computer:
drwxr-xr-x 2 carol carol 4096 Oct 6 2014 mydesktop
What permissions does this imply? The owner carol can list, enter, and create or delete files; members of group carol and everyone else can list and enter the directory but cannot create or delete files in it.
Sticky Bit
• Originally used to make a process "stick" in memory or lock a file in memory
– That usage is now obsolete
• Currently used on directories to suppress deletion of files that are owned by others
– Other users cannot delete them even if they have write permission on the directory
• Example: set the group-write bit for directory mydesktop
– Example from my computer: $ chmod g+w mydesktop
• Set the sticky bit using the chmod command with the +t flag
– Example: $ chmod +t mydesktop
• Directory listing includes a t or T flag
– Example: drwxrwxr-t 2 carol carol 4096 Oct 6 2014 mydesktop/
Drummer friend Biff wants all his fellow drummers not only to read his recipes, but also to add their own. He needs to set the "group-write" bit for this directory.
There's only one problem with this: "write" permission includes not only the ability to create new files in this directory, but also to delete them. What's to stop one of his drummer pals from deleting other people's recipes? The sticky bit.
In Linux, when you set the sticky bit on a directory, it limits users' ability to delete things in that directory: to delete a given file in the directory you must either own that file or own that directory.
To set the sticky bit, issue the chmod command with the +t flag.
After the sticky bit is set, note the t at the end of the permissions string. A lowercase t denotes that the directory is other-executable and has the sticky bit set, which is the case in the listing above. An uppercase T would denote that the directory is not other-executable but has the sticky bit set.
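The DAC rules from the Linux Security Transactions, File Permissions, Directory Permissions and Sticky Bit slides above, as an added model (not kernel code and not from the lecture): which of the three permission sets applies to a subject, how root bypasses them, and why the sticky bit stops one drummer deleting another's recipe. Bit values come from Python's `stat` module, so `parse_mode()` output compares directly with `os.stat(path).st_mode & 0o7777`; the uids, gids and file names are made up.

```python
"""Model of the Linux DAC check: three permission sets, the root override,
directory semantics and the sticky-bit rule for deletion. Added example."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset          # primary group plus supplementary groups


@dataclass
class Inode:
    name: str
    owner: int               # user-owner (uid)
    group: int               # group-owner (gid)
    mode: int                # rwx bits plus S_ISUID/S_ISGID/S_ISVTX
    is_dir: bool = False


# ls -l column positions (after the type character) -> permission bit.
_BITS = (0o400, 0o200, 0o100, 0o040, 0o020, 0o010, 0o004, 0o002, 0o001)
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}  # s, s, t columns


def parse_mode(text):
    """'drwxrwxr-t' (first column of ls -l) -> (is_dir, mode bits)."""
    if len(text) != 10:
        raise ValueError("expected a 10-character mode string")
    mode = 0
    for pos, ch in enumerate(text[1:]):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= _BITS[pos]
        elif ch in "sStT" and pos in _SPECIAL:
            mode |= _SPECIAL[pos]
            if ch.islower():             # lowercase: the x bit is set as well
                mode |= _BITS[pos]
        else:
            raise ValueError(f"bad character {ch!r} at column {pos + 1}")
    return text[0] == "d", mode


def format_mode(mode, is_dir=False):
    """Inverse of parse_mode: the string ls -l prints for an octal mode."""
    out = ["d" if is_dir else "-"]
    for pos, bit in enumerate(_BITS):
        ch = "rwx"[pos % 3] if mode & bit else "-"
        if pos in _SPECIAL and mode & _SPECIAL[pos]:
            letter = "t" if pos == 8 else "s"
            ch = letter if mode & bit else letter.upper()   # T/S: bit set, no x
        out.append(ch)
    return "".join(out)


def permits(subj, obj, want):
    """want is 'r', 'w' or 'x'. Exactly one permission set is consulted: the
    owner's if the subject owns the object, else the group's if one of the
    subject's groups matches, else other's. Root (uid 0) bypasses r/w, and x
    whenever any execute bit is set or the object is a directory."""
    idx = "rwx".index(want)
    if subj.uid == 0:
        return want != "x" or obj.is_dir or bool(obj.mode & 0o111)
    if subj.uid == obj.owner:
        bit = _BITS[idx]
    elif obj.group in subj.gids:
        bit = _BITS[3 + idx]
    else:
        bit = _BITS[6 + idx]
    return bool(obj.mode & bit)


def may_unlink(subj, parent, child):
    """Deleting needs write and search (x) on the directory, not on the file.
    With the sticky bit set you must also own the file or the directory."""
    if not (permits(subj, parent, "w") and permits(subj, parent, "x")):
        return False
    if parent.mode & stat.S_ISVTX and subj.uid != 0:
        return subj.uid in (child.owner, parent.owner)
    return True


# Constructed principals: carol, biff and dave are all in group drummers.
CAROL, BIFF, DAVE, DRUMMERS = 1000, 1001, 1003, 1002
carol = Subject(CAROL, frozenset({CAROL, DRUMMERS}))
biff = Subject(BIFF, frozenset({BIFF, DRUMMERS}))
dave = Subject(DAVE, frozenset({DAVE, DRUMMERS}))
root = Subject(0, frozenset({0}))


def demo():
    """Replays the slides' two scenarios; returns the observed decisions."""
    png = Inode("capture2.png", CAROL, CAROL, parse_mode("-rw-r--r--")[1])
    out = {"biff_writes_before": permits(biff, png, "w")}
    png.mode = 0o666                                # chmod 666 capture2.png
    out["after_chmod"] = format_mode(png.mode)
    out["biff_writes_after"] = permits(biff, png, "w")
    # Biff's recipe directory after chmod g+w and chmod +t.
    recipes = Inode("recipes", BIFF, DRUMMERS, parse_mode("drwxrwxr-t")[1], is_dir=True)
    chili = Inode("chili.txt", CAROL, DRUMMERS, 0o644)
    out["dave_deletes_carols"] = may_unlink(dave, recipes, chili)
    out["biff_deletes_carols"] = may_unlink(biff, recipes, chili)
    recipes.mode &= ~stat.S_ISVTX                   # without the sticky bit...
    out["dave_deletes_without_sticky"] = may_unlink(dave, recipes, chili)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that deletion is decided entirely by the directory's permissions: dave cannot write chili.txt (mode 644, owned by carol) yet can delete it as soon as the sticky bit is cleared, which is exactly the gap the bit closes.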
SetUID and SetGID
• SetUID bit: means the process is "run with the same privileges as" the file's owner
• No matter who executes it
• SetGID bit: means "run with the same privileges as" a member of the group that owns it
– Again regardless of who executes it
• Processes with SetUID and SetGID
• Are dangerous when the file is owned by root or another privileged account or group
– Only useful on executable binaries; the Linux kernel ignores the bits on interpreted shell scripts
– The command "sudo" is a much better tool for delegating root's authority
• Example from my computer:
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 43280 Feb 15 2011 /usr/bin/passwd
The s in the owner's execute position marks the setuid bit: passwd runs as root for whoever invokes it, because it has to update /etc/shadow.
The most dangerous permission bits in the Unix world: setuid and setgid.
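The audit that follows from the warning above, as an added example rather than lecture material: `classify` and `audit_setid` work on the numeric `st_mode` and owner uid that `os.lstat` returns, so the same logic runs over a real tree through `iter_tree` (the shell equivalent is `find / -perm /6000 -type f`), while the sample entries and the baseline of expected set-id binaries are constructed for the example.

```python
"""Find setuid/setgid files and flag the ones that matter. Added example;
the SAMPLE entries are constructed, not taken from a real host."""
import os
import stat


def iter_tree(root):
    """Yield (path, st_mode, st_uid) for regular files under root. lstat is
    used so symlinks are reported as links, never followed."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield p, st.st_mode, st.st_uid


def classify(path, mode, uid):
    """Tags for one file; empty when neither set-id bit is present."""
    tags = []
    if mode & stat.S_ISUID:
        tags.append("setuid-root" if uid == 0 else "setuid")
    if mode & stat.S_ISGID:
        tags.append("setgid")
    if not tags:
        return tags
    if mode & stat.S_IWOTH:
        tags.append("world-writable")      # anyone can replace the privileged code
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        tags.append("not-executable")      # the 'S'/'T' case: bit set, nothing runs
    if path.endswith((".sh", ".py", ".pl")):
        tags.append("script")              # Linux ignores setuid on interpreted scripts
    return tags


def audit_setid(entries, baseline=frozenset()):
    """entries: iterable of (path, mode, uid). baseline: paths that are
    expected to carry a set-id bit (passwd, su, ...). Returns {path: tags}
    for every set-id file, with 'unexpected' added for paths off the baseline."""
    report = {}
    for path, mode, uid in entries:
        tags = classify(path, mode, uid)
        if tags:
            if path not in baseline:
                tags.append("unexpected")
            report[path] = tags
    return report


# Constructed sample in st_mode form; uid 0 is root, 1000 an ordinary user.
SAMPLE = [
    ("/usr/bin/passwd",     stat.S_IFREG | 0o4755, 0),     # the slide's example
    ("/usr/bin/ls",         stat.S_IFREG | 0o755,  0),     # ordinary binary
    ("/tmp/backdoor",       stat.S_IFREG | 0o4777, 0),     # world-writable setuid root
    ("/home/carol/tool.sh", stat.S_IFREG | 0o4755, 1000),  # set-id bit on a script
    ("/usr/bin/wall",       stat.S_IFREG | 0o2755, 0),     # setgid only
]
BASELINE = frozenset({"/usr/bin/passwd", "/usr/bin/wall"})

if __name__ == "__main__":
    for p, tags in audit_setid(SAMPLE, BASELINE).items():
        print(p, ",".join(tags))
    # On a real host: audit_setid(iter_tree("/"), BASELINE)
```

Keeping the baseline under version control and diffing the report against it is what tools like Tripwire automate; a new "unexpected" setuid-root entry after a compromise is one of the most reliable indicators of a planted backdoor.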
Windows Security Architecture Overview
• Pieces of Security in Windows
– Security Reference Monitor
– Local Security Authority
– Security Account Manager
– Active Directory
– Local vs. Domain Accounts
– Access Control Lists
– Integrity Control
– User Account Control
Anyone who wants to understand Windows security must have knowledge of the fundamental building blocks of the security system.
There are many components in Windows that make up the fundamental security infrastructure.
Security Problems of DAC
General: DAC does not provide real assurance; access restrictions can be easily bypassed by a Trojan horse attack.
[Diagram: ACLs on File F and File G. Principal U has access (read and write) to File F and write access to File G; Principal V has read access to File G only. Principal V is a bad guy who wants to read File F.]
Security Problems of DAC (2)
Principal V sends U benign software with a Trojan horse included. U executes the software; the Trojan horse gains U's privileges.
[Diagram: the Trojan horse, executing as U, reads File F and writes its contents into File G; Principal V then reads File G.]
Principal V can read File F with the help of the Trojan horse.
Mandatory Access Control (MAC)
MAC attaches security labels to subjects and objects:
Security label of a subject: security clearance
Security label of an object: security classification
The system controls access to resources by comparing the security labels of resources (e.g. system, high, low security) with the security clearances of the subjects accessing them.
Users have no control over security labels (unlike in DAC).
Note that a cleared entity cannot pass on access rights to another entity (as is the case in DAC).
MAC restricts information flow to certain can-flow paths (depending on the information flow policy).
Controlling Information Flow – Confidentiality
Military security classes as security labels, from high level to low level: Top secret > Secret > Confidential > Unclassified.
If the subject's level is equal to or greater than the object's level, the subject is allowed to read the object (read down).
Note that a subject may only write up.
[Diagram: the can-flow direction runs from low level to high level.]
Controlling Information Flow – Integrity
Windows Vista Mandatory Integrity Control (MIC) defines 4 integrity levels, from high to low: System > High > Medium > Low.
If the subject's level is equal to or greater than the object's level, the subject is allowed to write to or delete the object (write down).
Otherwise it can only read, if allowed by the ACL (read up).
[Diagram: the can-flow direction runs from high level to low level.]
Bell and LaPadula model (BLP)
A formal MAC model for protection of confidentiality.
D. E. Bell and L. J. LaPadula. Secure computer systems: mathematical foundations and model. MITRE, 1974.
Essentially based on the read-down and write-up principles:
– Read up is not allowed: a subject can read only objects at equal or lower levels
– Write down is not allowed: a subject can't write to (or create) objects at lower levels
Will show later how BLP protects against the Trojan horse attack (information leakage) in the context of DAC.
BLP Model (1)
Simple-security property: Subject S can read object O only if
• Label(S) dominates (>=) Label(O)
• Information can flow from Label(O) to Label(S)
• Allowed to read all info at equal or lower levels (read down)
Star-property: Subject S can write object O only if
• Label(O) dominates (>=) Label(S)
• Information can flow from Label(S) to Label(O)
• No write down: a higher subject can't write to lower level objects (write up)
[Diagram: read down, can-flow from Label(O) up to Label(S); write up, can-flow from Label(S) up to Label(O).]
BLP Model (2)
Note: the BLP model is applied to subjects, not users.
Users are somewhat trusted; subjects are not trusted, due to Trojan horses.
Processes or programs are the subjects.
The star-property prevents information leakage caused by Trojan horses.
Recall the Security Problem of DAC
Principal V sends U benign software with a Trojan horse included. U executes the software; the Trojan horse gains U's privileges.
[Diagram, repeated from above: the Trojan horse executing as U reads File F and writes its contents into File G, which Principal V may read.]
Principal V can read File F with the help of the Trojan horse.
BLP Star Property Solves the Problem
Assign a high (sensitive) security label to Principal U and File F, and a low (public) security label to Principal V and File G.
[Diagram: the Trojan horse executing as U (Label H) may still read File F (Label H), but its write to File G (Label L) is a write down and is blocked by the star-property; the can-flow direction is only from L to H, so Principal V (Label L) learns nothing from File G.]
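The DAC Trojan horse scenario and the BLP star-property fix above, replayed as an added example (not from the lecture): a toy reference monitor that always enforces the ACL and optionally layers a MAC check on top, either BLP for confidentiality or the no-write-up rule from the Integrity slide (Vista MIC). Principals U and V and files F and G follow the slides; the file contents, the `carol`/`report.docx` drive-by scenario for MIC, and the use of list positions as numeric label ranks are assumptions of the example.

```python
"""Toy reference monitor: ACL (DAC) plus an optional MAC label check.
Added example; principals, files and labels are illustrative only."""
from dataclasses import dataclass

# Label orderings, low to high, from the two lattices in the slides.
CONF = ["Unclassified", "Confidential", "Secret", "Top secret"]
INTEG = ["Low", "Medium", "High", "System"]


@dataclass
class Obj:
    name: str
    acl: dict              # principal -> set of "r"/"w" rights
    label: int             # rank in the policy's ordering
    content: str = ""


@dataclass
class Subject:
    principal: str         # whose privileges the process runs with
    label: int             # clearance (BLP) or integrity level (MIC)


class Monitor:
    """policy: 'dac' (ACL only), 'blp' (ACL + simple-security + star-property),
    'mic' (ACL + no write to higher integrity; reads are left to the ACL)."""

    def __init__(self, policy):
        if policy not in ("dac", "blp", "mic"):
            raise ValueError(policy)
        self.policy = policy

    def allowed(self, subj, obj, op):
        if op not in obj.acl.get(subj.principal, set()):   # DAC is always enforced
            return False
        if self.policy == "blp":
            if op == "r":
                return subj.label >= obj.label             # read down only
            return obj.label >= subj.label                 # write up only
        if self.policy == "mic" and op == "w":
            return subj.label >= obj.label                 # write down only
        return True

    def read(self, subj, obj):
        return obj.content if self.allowed(subj, obj, "r") else None

    def write(self, subj, obj, data):
        if not self.allowed(subj, obj, "w"):
            return False
        obj.content = data
        return True


def trojan_leak(monitor, high=CONF.index("Secret"), low=CONF.index("Unclassified")):
    """V sends U a program carrying a Trojan horse; U runs it, so it executes
    as U with U's clearance. Returns True if V ends up reading F through G."""
    f = Obj("F", acl={"U": {"r", "w"}}, label=high, content="U's secret data")
    g = Obj("G", acl={"U": {"r", "w"}, "V": {"r"}}, label=low)
    trojan = Subject("U", high)
    stolen = monitor.read(trojan, f)         # ACL allows; BLP allows (equal level)
    if stolen is not None:
        monitor.write(trojan, g, stolen)     # the write down: BLP's star-property says no
    return monitor.read(Subject("V", low), g) == f.content


def drive_by(monitor):
    """Vista MIC: malware injected into a Low-integrity browser runs as the
    user, whose ACL alone would let it overwrite her Medium-integrity files.
    Returns True if the overwrite succeeds."""
    doc = Obj("report.docx", acl={"carol": {"r", "w"}},
              label=INTEG.index("Medium"), content="original")
    malware = Subject("carol", INTEG.index("Low"))
    return monitor.write(malware, doc, "ransom note")


if __name__ == "__main__":
    print("DAC leaks F to V:", trojan_leak(Monitor("dac")))      # True
    print("BLP leaks F to V:", trojan_leak(Monitor("blp")))      # False
    print("DAC lets malware overwrite:", drive_by(Monitor("dac")))  # True
    print("MIC lets malware overwrite:", drive_by(Monitor("mic")))  # False
```

The point the slides make about subjects versus users is visible in the code: the Trojan's `Subject` carries U's principal and clearance, so the ACL cannot tell it from U; only the label check, which does not care who the principal is, blocks the copy into G.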
MAC in Real Life
Windows Vista Mandatory Integrity Control (MIC)
In the context of Internet Explorer, Acrobat Reader etc.
E.g., a user visits a malicious website with IE 7.0. A vulnerability in IE 7.0 introduces malware to the host. The malicious code runs with low privileges (security label). Due to Windows MIC, the malicious code cannot write to or delete objects with higher integrity labels.
Security-Enhanced Linux (SELinux)
Uses the Linux Security Module framework to implement MAC. Enforces MAC policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.
Android permissions
Components that belong to different applications can communicate if they hold the same security labels.
RBAC
Traditional DAC systems define access rights of individual users and groups of users.
In many organizations, users do not own the information they are allowed to access; the company is the actual owner of system objects.
Access control is often based on employee job functions (roles) rather than data ownership. E.g. roles in a hospital: doctor, nurse, pharmacist, ...
RBAC is based on the roles that users assume in an organization (rather than the user's ID): RBAC systems assign access rights to roles, and users are assigned to different roles.
Role
A role represents users with a:
Specific competency
Job responsibility
Specific duty assignment
A role defines permissions, e.g.:
Operator role
Security officer role
Auditor role
Users, Roles and Resources
The relationship of users to roles is many to many.
The relationship of roles to resources, or system objects, is also many to many.
[Diagram: User 1, User 2 and User 3 are each member_of Role 1; Role 1 holds transaction trans_a on Object 1 and trans_b on Object 2.]
Hierarchical Roles
Roles can be composed of roles.
[Diagram: User 1, User 2 and User 3 are member_of the Intern role, which holds trans_a on Object 1 and trans_b on Object 2; User 4, User 5 and User 6 are member_of the Doctor role, which holds trans_c on Object 3 and trans_d on Object 4. The Doctor role is itself member_of the Intern role, so doctors inherit the interns' transactions.]
Security Management with RBAC
Security management is simpler with roles:
The user-role relationship changes over time; the set of users changes frequently.
The set of roles in a system is likely to be more static.
The role-permission relationship is relatively stable: the set of resources and the specific access rights associated with a particular role are also likely to change only infrequently.
[Diagram, RBAC0 model: user --UA (user assignment, dynamic)--> role --PA (permission assignment, stable)--> permission. Sessions are a one-to-many mapping from a user to the roles activated for that session, which is what makes the model flexible.]
Advantages of RBAC
Authorization management
RBAC breaks the authorization task into two independent parts:
• One which assigns users to roles and
• One which assigns rights for objects to roles
Easy revocation of rights: remove the user from the role.
Hierarchical roles, specialized RBAC models
Least privilege
Roles allow a user to sign on with the least privilege required for the particular task at hand.
Users with powerful roles do not need to exercise them until those privileges are actually needed; think of root or admin privileges.
Separation of duties
No single principal should be given enough privileges to misuse the system on their own.
E.g. two-person operation: 1st any authorized user, 2nd any authorized user different from the 1st (example: banks).
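The RBAC slides above (Users, Roles and Resources; Hierarchical Roles; Security Management with RBAC; Advantages of RBAC), worked as an added example that is not the lecture's code: an RBAC0-style model with the UA and PA relations, a role hierarchy where Doctor inherits Intern, sessions that activate only a subset of a user's roles (least privilege), one-step revocation, and a static separation-of-duty constraint. The hospital roles, objects and users are made up.

```python
"""RBAC0 with hierarchical roles, sessions and static separation of duty.
Added example; the hospital policy below is constructed."""
from collections import deque


class RBAC:
    def __init__(self):
        self.user_roles = {}   # UA: user -> set of roles (changes often)
        self.role_perms = {}   # PA: role -> set of (object, operation) (stable)
        self.parents = {}      # hierarchy: role -> roles it inherits from
        self.exclusive = []    # static SoD: role pairs no user may hold together

    def add_role(self, role, inherits=()):
        for p in inherits:
            if p not in self.role_perms:
                raise KeyError(f"unknown parent role {p}")
        self.role_perms.setdefault(role, set())
        self.parents.setdefault(role, set()).update(inherits)

    def grant(self, role, obj, op):
        self.role_perms[role].add((obj, op))

    def assign(self, user, role):
        """UA step; refuses assignments that would violate separation of duty."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        held = self.user_roles.setdefault(user, set())
        for a, b in self.exclusive:
            if {a, b} <= held | {role}:
                raise ValueError(f"{user}: {a} and {b} are mutually exclusive")
        held.add(role)

    def revoke(self, user, role):
        """Revocation touches UA only; the role's permissions are unchanged."""
        self.user_roles.get(user, set()).discard(role)

    def closure(self, roles):
        """Roles reachable through the hierarchy (senior role -> junior roles)."""
        seen, todo = set(), deque(roles)
        while todo:
            r = todo.popleft()
            if r not in seen:
                seen.add(r)
                todo.extend(self.parents.get(r, ()))
        return seen

    def permissions(self, roles):
        return set().union(*(self.role_perms[r] for r in self.closure(roles)))

    def session(self, user, activate=None):
        """Open a session with a subset of the roles the user holds or
        inherits (least privilege); by default every held role is active."""
        direct = self.user_roles.get(user, set())
        active = set(direct) if activate is None else set(activate)
        if not active <= self.closure(direct):
            raise PermissionError(f"{user} cannot activate {sorted(active - direct)}")
        return Session(self, user, active)


class Session:
    def __init__(self, rbac, user, active):
        self.rbac, self.user, self.active = rbac, user, active

    def can(self, obj, op):
        return (obj, op) in self.rbac.permissions(self.active)


def hospital():
    """Constructed policy: Doctor inherits Intern; Pharmacist and Auditor are
    mutually exclusive so whoever dispenses cannot audit the dispensing."""
    r = RBAC()
    r.add_role("Intern")
    r.add_role("Doctor", inherits={"Intern"})
    r.add_role("Pharmacist")
    r.add_role("Auditor")
    r.exclusive.append(("Pharmacist", "Auditor"))
    r.grant("Intern", "chart", "read")
    r.grant("Doctor", "prescription", "write")
    r.grant("Pharmacist", "prescription", "dispense")
    r.grant("Auditor", "dispense_log", "read")
    r.assign("alice", "Doctor")
    r.assign("bob", "Intern")
    r.assign("eve", "Pharmacist")
    return r


if __name__ == "__main__":
    h = hospital()
    print(h.session("alice").can("chart", "read"))                       # True, via Intern
    print(h.session("alice", {"Intern"}).can("prescription", "write"))   # False: not activated
```

Compare this with the DAC model earlier on the page: removing alice's access to prescriptions is one `revoke` call against UA, with no walk over every object's ACL, and the separation-of-duty check lives in one place rather than in the judgement of whoever edits the ACLs.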
Summary
Access Control is a key concept in computer security.
Defines what users are allowed to do within a system:
What they can access
How and if they can transfer access to others
If they can assume other roles or identities to access resources
Historically, multi-level MAC security policies have dominated the security dialog, especially in high security government environments.
Today, concerns have evolved to how best to scale access to large numbers of users in multi-computer networks.
References
Example of RBAC in Healthcare: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4322305/
RBAC Overview: http://www.informit.com/articles/article.aspx?p=782116
Bell LaPadula MAC Model: http://www.pearsonitcertification.com/articles/article.aspx?p=1998558&seqNum=4
DAC vs. MAC (Very Short): https://sites.google.com/site/jimmyxu101/concepts/accesscontrol
DAC Model: http://www.cs.cornell.edu/courses/cs5430/2015sp/notes/dac.php
Security Monitor Concept: http://h41379.www4.hpe.com/doc/84final/ba554_90015/ch02s01.html