Date post: | 26-Dec-2015 |
Category: |
Documents |
Upload: | mildred-gibbs |
View: | 221 times |
Download: | 2 times |
Mandatory Access Control (Terms)
Labeling Security Labels Continuous Protection Assurance Provenance
Why Do We Need MAC
As it turns out, we may use DAC to protect data on a need to know basis.
That means.... if all users are Top Secret and Top Secret is the highest level, so we have no Secret users, then we run the system at System High... So data differs by Need to Know.
What does this (DAC) look like?
System and all users are Secret – for example.
That being said, there is a group looking at Anthrax attacks.
There is another group looking at Olympic Security.
These are both Secret Issues, but do they need to know each other's data?
Security levels are the same, but need to knowing differs – DAC is your answer.
Knowing What You Know How for DAC?
We know, umasks, private groups, directory permissions. So what can we do.
We can formulate groups by categories of need to know. They use group and user level permissions to control.
Example
Redskin Fans – Scott, Cheri, Ernest, Ricardo
Haters – Elijah, Shawn, Al
Redskin Injury Report -
Pierre Garcon
Rams Injury Report
Sam Bradford
Belechik Principle – Hide Our Injuries
1) Users have private groups.
2) Supplemental Groups – Redskins, Haters
3) Redskin Injury Report in a Directory owned by Redskins and only they can read or write.
4) Rams Injury Report in a Directory owned by Rams and only they (Haters) can read or write.
5) Correct people in Each Group.
Security Adjudicators Say
1) If the Classification level is the same for all users (System High) and we vary only by need to know, they we may run at level C2 – which is discretionary access control.
2) People without need to know, but know are a risk.
From a Practical Standpoint – How?
Show you logging in to a web server and where this comes about.
Look at where we get these groups and how they are used.
For all security specifications, Groups and Roles are synonymous.
Construct a Session
Brian GoogleWww.google.com
1. Do an identity assertion which is what? Username and password
Identity is Asserted
We have asserted the Identity then we do what? Gather Roles.
Brian GoogleWww.google.com
We gather the roles. Is he an admin, what is he?
Roles are in MemoryUser is valid..
Asserted Identity and gathered roles then we send a session id back to the Browser.
It stores this session id with the url
So we have www.google.com <id>
Roles ? Groups ?
A User (subject) may have many Roles and a Role may belong to many Users (subject)
Now we use this to implement need to know.
During Session Creation time the authorization module, reads all the Roles associated with a given user and loads them in memory. Now when you reference a User... you get their roles. Method Call... isInRole.
In Unix, What are our Roles?
Groups... The same groups in /etc/group..
The same group in
Command chmod 2775
Next Request
It passes the session id <cookie> with the request
Brian GoogleWww.google.comPlus Session Id
Provenance
Provenance, from the French provenir, "to come from", refers to the chronology of the ownership or location of a historical object
Who, what, when, where, confidence and original source, security labels
Weapons of Mass Destruction... not being in Iraq.
What Would Provenance Look Like
Make an Assertion....
Barack Obama is the 44th President of the United States....
Confidence = 100%
When – September 12, 2012
Security Label = Unclassified
Source = http://www.whitehouse.gov
Another Example
Assertion – Mitt Romney will be the 45th President of the United States on November 6, 2012
Confidence: .47
When: September 12, 2012
Security Label: Unclassfied
Source: rasmussenreports.com
Case Study
In the intelligence community in early 2000's we could not differentiate conjecture from fact.
So what happened, an analyst puts in something they believe with 20% certainty, and someone adds to it with 10% certainty. It is listed as a fact... What is the probability of it …. 2% accurate.
If you do this enough, you get analysis that is bogus.
Solution.....
We can no longer put any data in a computer system without Provenance.
Marked with information including source and confidence.
If I made the assertion that there is tyranny in Syria today... how would I mark this?
Assertion, there is tyranny in Syria on June 26, 2012? Yes, believe this with 99% certainty, well known, source... mp4 file loaded on your web server.
MAC
Labeling – All data must be labeled.
Security Labels – You must show an adjudicator that the label is stored with the data. Therefore you cannot get to the data without getting to the label.
Tagging every piece of data.
Still some Issues with Labeling.
Issue for Labeling
So we have an employee record.... Let's say its Mo Walters.
His name, his address and his phone number (SECRET) but his salary (TOP SECRET). So at what label granularity do we use?
One choice is to label every piece of data at the column level … clearly to cumbersome. So we label the row at the highest level. This clearly is over-classifying. But this is how we deal with it.
Continuous Protection
Can I get to the data, without using the Access Control or Adjudication? You need to prove, that the only mechanism to get to the data is via the protection mechanism. Therefore we have Continuous Protection.
How?
Stored Procedure in a data base and the stored procedure (Adjudication) is the only way to get to the data. No Vendor Independence.
Aspect Oriented Programming (AOP). You may intercept calls. They are guaranteed to happen. What will this allow us to do. If we do it at the beginning of a call, we can audit. If we do it at the end, we can remove all data the user should not see.
Assurance
There is much written on Assurance in the Orange Book.
Mathematically prove Code.
This was a disaster... Why?
You are more likely to make a mistake in the proof than you are in the code. Useless.
Assurance
But the way we do this now is By Observation.
State your case, and prove it. So why does it work this way. At the end of the day it is a management decision.
MAC
Algorithm for MAC is:
– Flatten hierarchies
– If data is a subset of users roles (groups), you can see it.
– Cannot write below. No read up, no write down. Bell-Lapadula model.
– Implement it. We recognize MLS (MAC) in a RDMBS is difficult because we typically label at the row.
– Semantic Web... Google, Google Marketplace, Whole E-Commerce Industry. Provenance at the triple level.
Flatten Hierarchies
Orange Book says (Hierarchical and Non-Hierarchical). It means you have something like Mo is Top Secret (Hierarchy) and he is a US Citizen (Non-Hierarchical).
Mo's Roles Top Secret, Secret, Confidential, Unclassified, US Citizen.
We flatten the hierarchy, so we run one algorithm.
Bell-Lapadula Model
No Read Up.... No Write Down....
So If Mo is Top Secret, can he read Secret Data.... Read Down is ok.
As a Top Secret user can he take a Top Secret Document and write it down as Unclassified – No. Why No Write Down.
Let's Adjudicate
Mo - Top Secret, US Citizen.
Roles Top Secret, Secret, Confidential, Unclassified and US Citizen
Jason – Confidential, Unclassified, US Citizen
Data – One set of data. Troop Locations (Top Secret)
More Data – Budget for DOD Department
What Can They Read
Mo - Top Secret, Secret, Confidential, Unclassified and US Citizen
Troop Locations (Top Secret)
Budget for DOD Department
Jason – Confidential, Unclassified, US Citizen
Data – One set of data.
Budget for DOD Department
What Can They Write
Mo – He has to, as well as Jason, they have to work at one security level at a time. To Prevent Write Down. What we want to avoid is Mo – re characterizing troop locations as Unclassified.
Formally State It
Take All the Users Roles as a Set R.
Take all the data's Roles as a Set D.
If D is a Subset of R, you can read.
Best Practice?
Never store data without Provenance. Keep a copy of the original source or a
reference to it. The reference could always be found on archive.org.
Store the Security Labels. Store who, what, when. Store the confidence.
MAC – Another Example
Concept... Discretionary Access Control.....
Coarse control So a file or a directory had controls at the Owner, Group, World and Read, Write, Execute, Set Group Id.
Here is the concept. What if a piece of data is Top Secret, another piece is Secret, a third piece in For UK Citizens... what do we have here?
We have a problem that does not nicely fit into Owner, Group, World, Read Write, Execute.
Fine Grained
So what does this mean.
We have some data: what do we use to label it. Provenance.
So we in a relational database
We have a row that is troop locations, It is Top Secret and only for US Citizens.
The next row is Military Bases. It is Secret and only for NATO. How do we do this?
What does this look like?
Row 1
Vietnam we have 2,000 troops in XYZ
Row 2
We have a military base in Japan.
This is called Multi-level secure.
Multi-level Secure (MLS)
It does not just apply to military... Consider the following:
Bank of America... To do a wire transfer that is $5,000 is different than one for $5,000,000
What is this,,,, Multi-level Secure.
Specification
B1 – TCSEC...
Security shall have …. categories that are... flat and categories that are hierarchical
What is an example of this? Citizenship... Flat
Hierarchical... Top Secret implies.. Top Secret, Secret, Confidential, FOUO, etc.
MLS Requires Labeling
This means that every piece of data must be labeled. How do we do this... Provenance... Get labels, who, what, when, confidence, source.
Proof that the protection is constant..... Come back to this... Important.
Adjudication algorithm.... How do we do this.
Adjudication Algorithm
Step 1).. Gather roles which are all labels.
Step 2).. Flatten all hierarchies
Step 3).. Is the data (roles) a subset of the Users? If so,,,, user may read.. If not. Don't show it.
Algorithm for Read. Now let's see it in Action.
Our MLS Example
Troops 2,000 is Top Secret US Citizen
Labels …. Top Secret, Secret, Unclassified, FOUO, US Citizen
Military Base – Secret...
Labels Secret, Unclassified, FOUO
Michael US CITIZEN,
Jeremiah, SECRET, US CITIZEN
Tim, US CITIZEN, Top Secret, Secret, Unclassfied, FOUO.
What can Tim see... 2,000 troops and the Base
What can Jeremiah see, Just the Base
What can Michael, Nothing.
Rules for MLS
Bell and LaPadula Model.
No read up and no write down.
The previous slide was no read up. How did we do it. Flatten hierarchies and apply set theory.
What's left. No Write Down. How? What?
Write Example – No Write Down
Troops 2,000 is Top Secret US Citizen
Labels …. Top Secret, Secret, Unclassified, FOUO, US Citizen
Military Base – Secret...
Labels Secret, Unclassified, FOUO
Michael US CITIZEN,
Jeremiah, SECRET, US CITIZEN
Tim, US CITIZEN, Top Secret, Secret, Unclassified, FOUO
If we have no restrictions on writing. Then Tim could take something Top Secret, Troop Locations and write it as Secret.. That invalidates security.
How You do No Write Down
For Writing Purposes, you work at one and only one security level at a time.
So if Tim is working at Top Secret. What can he write as Top Secret.
We summarize the Bell-Lapadula model as No Read Up, No Write Down.
LabTim US Citizen, Over Six Feet Tall, Gasol,
Bryant
Michael, US Citizen,
Jeremiah, US Citizen
Data:
Pau Gasol Contract (Over Six Feet Tall)
Kobe Bryant Contract (Over Six Feet Tall), US Citizen
Andrew Bynum Contract (Over Seven Feet Tall), US Citizen
Who can see what?
Granularity
RDBMS
Row
½ data on the row is Secret and ½ is Top Secret? What do you do?
Label it, Row? By columns. So this drives the query and the data nuts.
Typically in an RDBMS we do Row Level Labeling. So it is not granular enough for MLS. So you say to me, Scott how do we do MLS then.
New Technology
Semantic Web, Web 2.0????
Databases there are two forms of storing Data.
1) is Normalized... Customer has many Accounts and a Account participates in many Transactions.
What if... Your Model Changes Constantly
So in the previous example... the structure was Stable. Jesus, Luke, Quickbooks does it. Not likely to change. What happens if the structure is morphing constantly. What is an example.
Threats in the war on Terror.
Human Genome Project
Column-Wise Data Structure
Dr. E.F. Codd in 1978.. He said it was column wise data because we need tag/value pairs
Id Tag value Parent_id
2 Person Michael null
3 Child Damien 2
4 Child Patrick 2
Philosophy
Tim Berners-Lee he invented html... The current web. He said, we have solved the easy problems... Problems whose structure are fairly static, so what is left... Those that are morphing. Morphing structures are column-wise and they require a different set of processing rules. They are the Web 2.0 or ….
The semantic web.
Semantic Web
Label at Data Items
So all data is represented as
Subject Predicate Object …. and Provenance
Therefore, we label every piece of data … and therefore …. make it MLS.
Example
The entire field of E-Commerce is defined by two sets of Ontologies - Good Relations and Schema.org. Google says …. Doug Cutting... Google says... if the world was structured and not unstructured, boy could searches be accurate.
Structure... S P O.... and Provenance... What can you do easily.... MLS...
Continuous Protection
So to this point..... we have a simple adjudication... In fact, I believe that by flattening hierarchies and using set theory.. the adjudicator is simple.
So what's left... Proving that the only way you may get to the data is ….. through the adjudicator.
How Do You Prove it?
Fortunately, there is a specification that handles it. AOP.. Aspect-Oriented Programming. Invented by Bill Burke at Redhat... What does it say.. It says that I may define in an XML file that all methods (or some) must call a method at call time and exit time.
So call method --- browser calls for data... turns into Browser calls Aspect.. calls Data.. calls Aspect. Guaranteed interceptor....
Interceptor Does
Adjudication and Auditing.. Therefore we are MLS. We have an adjudication model, simple. We label all data – provenance. We guarantee all calls, AOP.. What do we have here. About 30-40 lines of code to do it all.
So now we have MLS...... easily.
So At This Point
We have covered the TCSEC in its entirety.
Now all you have to do, is pass that test... That means Nothing....
Interpreted Languages Php you build the statement dynamically. Nothing other than check prohibits changing
a value to more SQL SELECT * from Person where name =
“<SOMETHING>” Can easily become – SELECT * from
Person where name = 'abc' or '1' = '1'. This would be injected!!!! Allowing us to see everything.
Prepared Statements
PreparedStmt stmt = new PreparedStatement (“SELECT * from Person where name = ?”);
The value placed for ? Must be a literal. Later in the software you do a
stmt.setValue(0, “abc”). The value is interpreted as a Literal. Therefore no SQL Injection.
SQL Injection
Cannot do SQL Injection on Compiled Statements that place literals.
One Statement at a time. Cannot drop tables with it. Can see more that you are supposed to. Can update more than you are supposed to.
To Stop SQL Injection
Use Compiled statements that handle literals.
Check for SQL Syntax in Interpreted languages.
Can affect Update or Delete.
Let's Do It
Have a lab for you. That we will do together.
Review SQL Syntax.
Play with the site.
Then, I am going to print out each statement you are going to run. So you can SQL INJECT (not for REAL).
Then do it for Real.
SQL
Structure Query Language – ANSI 1989.
DML – Data Modification Language (Includes Reads)
SELECT, INSERT, UPDATE and DELETE
SELECT <columns> FROM <table> WHERE col <boolean_operator> <value>
SELECT * from USERS WHERE id = 5
SELECT id from USERS where name = 'Mo'
Lab 3.1
1) go to http://10.10.10.243/admin
Just play the with application
2) Try to read something you should not see. So I will, not run the SQL, but print out the command it would run. Plan your SQL Injection Strategy.
3) Inject and see something you would not normally see.
Lab 3.2
1) go to http://10.10.10.243/admin
And go to http://10.10.10.243/admin/searchMembers2.php
2) Use searchMember2.php to see statement and /admin to see the results of the query.
3) Inject and see something you would not normally see.
Buffer Overflow
In the 70's and 60's for that matter Operating Systems were written in assembler and therefore ran on distinct hardware.
In the Late 70's AT&T (Kernighan, Ritchie, Thompson) create as Operating System to run on any hardware (Unix).
To do this, they need a computer programming language to run on any hardware. They create the 'C' programming language.
Business users wanted their software to run on any hardware so they programmed in 'C'.
Buffer Overflow (Continued)
C was designed to go low level. It was a replacement for Assembler..
Using 'C' in a business context meant you could overwrite buffers or buffer overflow.
This no longer occurs for what reason? Programming languages now are virtualized
meaning you cannot go beyond memory bounds.
Therefore no …. Buffer Overflow.
Avoiding Buffer Overflow
Be born after 1970. Use fully virtualized languages Java, Php, C+
+, etc. etc. The only parts of the system written in 'C' are
the operating system something you cannot touch in an application program. Period.
Get vs. Post
Web page pushes information to the sever is a Post
<form>
<input type=”text”>
</form>
Get is http://host?val=a&val2=b Parameters passed on the url Gets and Posts are the same thing.
Access Control in Unix
We wish to limit access to a Unix system.
Obvious methods?
Username/password
Public key/private key
What else? TCP Wrappers!
Restrict by IP address
192.168.1.150
Or even IP address range 192.
204.158.
TCP Wrappers
Where do we accomplish this?
The /etc/hosts.allow and /etc/hosts.deny files
Traditional safe setup
hosts.deny
ALL:ALL
hosts.allowList all allowable IP addresses or IP address ranges.
This will deny access to all IP addresses that aren’t explicitly granted access.
This access control is done at the kernel level.
There’s no circumventing this
TCP Wrappers
/etc/hosts.allow
/etc/hosts.deny
Now you take hosts.deny
ALL:ALL
Then you take hosts.allow
ALL: 192.168.1.
You do not have to use all
sshd: 192.
Gotcha!!! Big One
TCP Wrappers does a reverse DNS lookup.
If you have in the hosts.allow file
ALL: www.scottstreit.com
This will not work. Why? Take www.scottstreit.com and tell me the IP address now take that IP Address and tell me the authoritative server name. FIOS,
Work Around
Use IP Address.
Or be the authoritative name.
You are mail.scottstreit.com www.scottstreit.com
Wiki.scottstreit.com
In hosts.allow .scottstreit.com
Syntax is SERVICE: WHO
Lab 3.3
Take your backtrack instance
In /etc/hosts.deny ALL: ALL
In /etc/hosts.allow ALL: an ip address
Restrict one of your neighbors and allow one in.
Use a regular account.
Lab - ScenarioYour employer decides to restrict computers by
MAC address.
So, to exist on the network, you must fill out a form and wait for an Admin to put you in the MAC address table.
Security? Secure? Not Secure? Annoying. Useful?
Lab – Scenario - AnswerYour employer decides to restrict computers by
MAC address.
So, to exist on the network, you must fill out a form and wait for an Admin to put you in the MAC address table.
Security? Secure? Not Secure? Annoying. Useful?
Not secure. See MAC address – unencrypted. Spoof... You are on.
IDS – look for more than one DHCP or DNS server.