Post on 19-Dec-2015
ACCESS CONTROL & SECURITY MODELS
Center of gravity of computer security
Access Control Srini & Nandita 2
CSE2500 System Security & Privacy
Fundamental Model of Access Control
subject --(access request)--> Reference Monitor --> object
Controlling Access
Access control policy: what can be used to indicate who is allowed to do what to/with whom on the system.
Who is who? Subjects are what we call the active entities (processes, users, other computers) that want to “do something”.
What the subject does with the object can be just about anything, and it may be multi-part. Typical manipulations include READ, MODIFY, CREATE, CHANGE, DELETE.
Access Control Policy
Access right or privilege:
– An indication that a SUBJECT may legitimately use a specific type of ACCESS or MANIPULATION with respect to a particular OBJECT or set of OBJECTS.
The underlying system itself determines which primitive (or bottom-level) access rights are available for which user/object combinations.
Levels of Access Control
– Application
– Middleware
– Operating system
– Hardware
Operating System Access Controls
Authenticate principals/users
– Passwords
– Kerberos
Mediate access
– Files
– Communication ports
– System resources
Models of Security
Need for a model
– High assurance security system
What is a model supposed to do?
– Express the security policy in a formal way
– Describe the entities governed by the policy
– State the rules that decide who gets access to your data
Scope and limitations of models
Security Models: Bell-LaPadula
– The Bell-LaPadula model is about information confidentiality, and this model formally represents the long tradition of attitudes to the flow of information concerning national secrets.
– Multi-level security (MLS)
Security Models: Chinese Wall
– Large consultancies can easily find there are conflicts of interest if individual consultants are given access to all information held by the consultancy. Chinese Wall models a particular way of restricting information flow.
Security Models: Biba
We need models (continued)
– Based on the Cold War experiences, information integrity is also important, and the Biba model, complementary to Bell-LaPadula, is based on the flow of information where preserving integrity is critical.
Security Models: Clark-Wilson
– In the commercial sphere, the need is to engage in well-formed transactions which can only be undertaken by authorised personnel, and the Clark-Wilson model is an attempt to formally model a policy based on well-formed transactions.
Possible Access Control Mechanisms
– Control Matrix
– Control lists
– Groups and Roles
– Extension to Distributed (+file) Systems
Access Control Matrix
Users \ Object   Operating system   Accounts Program   Accounting Data   Audit Trail
Sam              rwx                rwx                rw                r
Alice            x                  x                  rw                -
Bob              rx                 r                  r                 r
Example Access Control Matrix for Bookkeeping
                   Operating system   Accounts Program   Accounting Data   Audit Trail
Sam                rwx                rwx                r                 r
Alice              rx                 x                  -                 -
Accounts program   rx                 r                  rw                w
Bob                rx                 r                  r                 r
Srini              rx                 r                  r                 r
Access Control Matrices
2 or 3 dimensions, used to implement protection mechanisms and to model them
Do not scale well
– A bank with 50,000 staff & 300 objects: 15 million entries
– Update and performance problem
– Prone to administrators’ mistakes
A more compact way is required
Groups and Roles
Group: a list of users/principals (categories)
Role: a fixed set of access permissions that one or more principals may assume
Group manager is a rank, while the role of acting manager can be taken up by an assistant accountant standing in while the manager, deputy manager and accountant are all sick.
Let us look at the example once again
                   Operating system   Accounts Program   Accounting Data   Audit Trail
Sam                rwx                rwx                r                 r
Alice              rx                 x                  -                 -
Accounts program   rx                 r                  w                 w
Bob                rx                 r                  r                 r
Srini              rx                 r                  r                 r
ACLs per subject (Capabilities list)
User       OS    A/C Prgm   A/C Data   Audit trail
Sam        rwx   rwx        r          r
Alice      rx    x          -          -
Acc.pgm    rx    r          rw         w
Bob        rx    r          r          r
Srini      rx    r          r          r
Access Control Lists
User    Accounting Data
Sam     rw
Alice   rw
Bob     r
Srini   r
Access Control Lists/Capabilities
How do you modify the entries in the lists?
– add a new entry
– delete an existing entry
– modify the access right to an object?
Access Control Triples
Subject   Object   Access (r, w, x, ?)
Capabilities
While ACLs are kept by the O/S, capabilities are kept by the subject.
Capabilities give the possessor (of the token) certain rights to an object.
Capabilities do not require authentication of subjects, but do require that the token be unforgeable (encrypted or in inaccessible storage) and that the propagation of capabilities be controlled.
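The matrix, ACL and capability views above, worked through in code (an added example, not from the slides): the bookkeeping matrix is held as a dictionary, its columns (ACLs) and rows (capability lists) are derived from it, and a default-deny reference monitor sits in front; object names such as AccountsProgram are shortened forms of the slide's column headings.

```python
from typing import Dict, Set

Matrix = Dict[str, Dict[str, str]]

# Rows are subjects, columns are objects, cells are rights (r, w, x; "-" = none).
# Values copied from the slides' bookkeeping matrix.
MATRIX: Matrix = {
    "Sam":             {"OS": "rwx", "AccountsProgram": "rwx", "AccountingData": "r",  "AuditTrail": "r"},
    "Alice":           {"OS": "rx",  "AccountsProgram": "x",   "AccountingData": "-",  "AuditTrail": "-"},
    "AccountsProgram": {"OS": "rx",  "AccountsProgram": "r",   "AccountingData": "rw", "AuditTrail": "w"},
    "Bob":             {"OS": "rx",  "AccountsProgram": "r",   "AccountingData": "r",  "AuditTrail": "r"},
    "Srini":           {"OS": "rx",  "AccountsProgram": "r",   "AccountingData": "r",  "AuditTrail": "r"},
}


def rights(cell: str) -> Set[str]:
    """Turn a matrix cell such as 'rw' or '-' into a set of rights."""
    return set(cell) - {"-"}


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """One column of the matrix: the ACL the OS would keep with the object."""
    return {s: rights(row[obj]) for s, row in matrix.items() if rights(row[obj])}


def capabilities(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """One row of the matrix: the capability list the subject would hold."""
    return {o: rights(c) for o, c in matrix[subject].items() if rights(c)}


def reference_monitor(matrix: Matrix, subject: str, obj: str, access: str) -> bool:
    """Mediate one access request; unknown subjects or objects are denied."""
    try:
        return access in rights(matrix[subject][obj])
    except KeyError:
        return False


def subjects_with_access(matrix: Matrix, obj: str, access: str) -> Set[str]:
    """The audit question an ACL answers cheaply: who can do `access` to `obj`?"""
    return {s for s, rs in acl(matrix, obj).items() if access in rs}


def objects_accessible(matrix: Matrix, subject: str, access: str) -> Set[str]:
    """The audit question a capability list answers cheaply: what can `subject` do `access` to?"""
    return {o for o, rs in capabilities(matrix, subject).items() if access in rs}


if __name__ == "__main__":
    print("ACL for AccountingData:", acl(MATRIX, "AccountingData"))
    print("Capabilities of Alice:", capabilities(MATRIX, "Alice"))
    print("Who can write AuditTrail?", subjects_with_access(MATRIX, "AuditTrail", "w"))
```

The two audit helpers show why the slides call the per-user question "tedious" under ACLs and the per-object question tedious under capabilities: each view makes one of them a single lookup and the other a scan of every list.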
Access Control lists (cont.)
– Users manage their own file security (Unix)
– Data-oriented protection, for centrally set access control policy
– OS checks the ACL at each file access
– Not efficient security checking at runtime, though simple to implement
– Tedious to find all files to which a user has access, or to perform system-wide checks
Let us look at an example of ACL implementations
– UNIX
– NT
Unix Operating System Security
Superuser account on Unix is root – UID (user identifier) equal to ‘0’
The superuser can effectively do anything within the system
Superuser password is the most valuable password in the system
Don’t share the superuser password outside the administrative group.
Basic file security
-rw-rw-r-- 1 root sys 1344 Jul 2 22:57 /etc/vfstab
(owner: root, group: sys; the mode string lists owner, group and other permissions in turn)
-rwxrwxrwx   Owner permissions (first triplet)
-rwxrwxrwx   Group permissions (second triplet)
-rwxrwxrwx   Other permissions (third triplet)
Basic file security
Important system files must have appropriate file permissions, e.g.:
-r--r--r--   1 root other /etc/passwd
-r--------   1 root sys   /etc/shadow
-rw-r--r--   1 root sys   /etc/profile
drwxr-xr-x  18 root sys   /usr
A finer granularity of file permissions can be achieved with access control lists (ACLs), e.g. AIX, HP-UX.
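An added example (not from the slides) that parses `ls -l` permission strings into the owner/group/other triplets and compares the important files listed above against a baseline; the sample listing is constructed, and the /etc/hosts.equiv line and its baseline entry are assumptions made for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample listing in the shape `ls -l` prints (sizes and dates left
# out, as on the slides). The last line is deliberately too permissive.
SAMPLE_LS = """\
-r--r--r--   1 root  other /etc/passwd
-r--------   1 root  sys   /etc/shadow
-rw-r--r--   1 root  sys   /etc/profile
drwxr-xr-x  18 root  sys   /usr
-rw-rw-rw-   1 root  sys   /etc/hosts.equiv
"""

# Baseline: the most permissive mode each file may have. The first four come from
# the slides; /etc/hosts.equiv is an assumed entry added for the demonstration.
BASELINE: Dict[str, str] = {
    "/etc/passwd": "r--r--r--",
    "/etc/shadow": "r--------",
    "/etc/profile": "rw-r--r--",
    "/usr": "rwxr-xr-x",
    "/etc/hosts.equiv": "rw-r--r--",
}

# type, 9 mode chars (s/S/t/T cover setuid, setgid, sticky), optional ACL/SELinux
# marker, link count, owner, group, path.
LINE_RE = re.compile(r"^([-dl])([rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line: str) -> Tuple[str, str, str, str, str]:
    """Return (type, mode, owner, group, path) for one `ls -l` line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    return m.groups()

def triplets(mode: str) -> Dict[str, str]:
    """Split 'rw-r--r--' into the owner, group and other triplets."""
    return {"owner": mode[0:3], "group": mode[3:6], "other": mode[6:9]}

def excess_bits(mode: str, allowed: str) -> List[str]:
    """Permission characters in `mode` that the baseline `allowed` does not grant."""
    who = ["owner", "group", "other"]
    extra = []
    for i, ch in enumerate(mode):
        # a set-id/sticky char counts as excess unless the baseline has one there too
        if ch != "-" and (allowed[i] == "-" or (ch in "sStT" and allowed[i] not in "sStT")):
            extra.append(f"{who[i // 3]}:{ch}")
    return extra

def audit(listing: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each baseline file to the permissions it has beyond the baseline (empty = OK)."""
    findings: Dict[str, List[str]] = {}
    for line in listing.splitlines():
        _, mode, owner, _, path = parse_line(line)
        if path in baseline:
            extra = excess_bits(mode, baseline[path])
            if owner != "root":
                extra.append(f"owner:{owner}")  # system files should stay root-owned
            findings[path] = extra
    return findings
```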
Unix Operating System Security (cont.)
A common defence against root compromise by hackers is to send the system log to a printer in a locked room or to another machine/server, e.g. Berkeley, FreeBSD.
ACLs have only names of users, not of programs.
Indirect method => suid and sgid file attributes
SUID and SGID Security
The owner of a program can mark it as suid, so that a user running it takes on the owner’s access control attributes (special privileges) for the duration of the run.
sgid does the same for groups.
What is the security issue here?
SUID and SGID Security(cont.)
SUID root programs are particularly vulnerable to attack.
If it is possible to subvert the program in some way, then root access can be gained.
A very well known method of such subversion is the buffer overflow.
Buffer overflow vulnerability results from bad coding practices on the part of the original programmer of the SUID root program!
Authentication
means to establish the proof of identity. Authentication techniques may vary depending on the kind of resource being accessed.
The various kinds of access can be classified into
– user-to-host
– host-to-host
– user (or process)-to-user (process)
Trusted hosts
UNIX allows hosts to trust another. If host A trusts host B, then a user who has the same user name on B and A can access resources on A from B without a password.
Implemented using .rhosts and /etc/hosts.equiv
rlogin, rsh, rcp
Trusted hosts - advantages
Password cannot be sniffed because it is not transmitted.
Users can log in once and then subsequently move to any machine in the trusted network.
Convenience.
Trusted hosts - disadvantages
If one host is compromised (e.g. boot B to single user mode then change to any user you like), then the other host is also compromised – read that user’s files on A.
Even if B cannot be booted to single user mode without a password, can physically replace B with another machine.
Trusted hosts use IP address authentication, which is vulnerable to IP spoofing.
NFS
Network File System
– Developed by Sun Microsystems
– Supported by most UNIX systems
– Allows remote access to local file systems
NFS example (Solaris)
Host A (NFS server) exports /files:
share -F nfs -o rw=B,root=B /files
Host B mounts it across the network, and file operations on /mnt/files become NFS calls to A:
mount -t nfs A:/files /mnt/files
NFS Security Considerations
– Export only to trusted hosts
– Export only those parts of the filesystem which require remote access
– Export read-only unless writing is absolutely required
– Be very careful mapping root on the server to root on the client.
– Remove group write permissions for exported files and directories.
– Be careful exporting user home directories
NFS Security Considerations
– Do not allow users to log into the NFS server.
– Do not accept incoming NFS call requests on non-privileged ports.
– Use Secure NFS.
– Don’t use NFS! (Is it absolutely necessary?)
Threats to Availability
“Denial of Service” attacks
– Probably more of a threat when carried out via the network than on the local machine alone.
– Not UNIX specific
Windows NT
Based on ACLs
Attributes to users & groups
– Read, Write, Execute
– Take ownership, change permissions, and delete
Multiple values to attributes instead of on/off
– AccessDenied, AccessAllowed, SystemAudit
Benefits
Less than full administrator privileges required for routine tasks, e.g. installing printers
Users and resources can be partitioned into domains with distinct administrators
Trust can be inherited between domains in one direction or both
Registry is the data structure used to hide the ACL details from the user interface
Problems
– Not very suitable for large organisations
– Naming issues
– Domains scale badly when the number of principals increases
– Complex interactions between local and global groups, due to the restriction that a user in another domain can’t be administrator
– Peculiarity: ‘everyone’ is a principal, and a resource can be locked quickly
Other Access Control methods
Sandboxing
– Software that provides limited access rights to programs of unknown origins
Proof-carrying code
– Programs to be executed must carry a proof that they don’t do anything that contravenes the local security policy
Policies (1)
Historical considerations
– The history of information systems and their automation is a history of compromise. Automation had to fit into existing schemes of information management. Similarly, the addition of security mechanisms has to fit into existing structures and systems. Highly secure systems are often a consequence of redesign and re-engineering of existing systems.
Mandatory Security Policies
– A system-wide policy decrees that all subjects and all objects are classified. Access classes are associated with every subject-object pair.
– Access rights depend on the triple subject-object-access class for all triplets, e.g. <Sam, Production Log, Write>
Policies (2)
Discretionary Security Policies
– Users are allowed to grant access to other users
– Often the OWNER of an object can grant access privileges to other users (at the owner’s discretion)
Discretionary policies may allow one user to pass data to another user without the authority of the creator of the data.
Security Models: Formal Methods
One benefit of using formal models is that mathematical (sometimes called formal) methods can be used to confirm that all transitions allowed by the model preserve the secure state of the system being modeled
For real systems, modeling is not easy
Access Control - Ranked Model (1)
– Multi-level; often called Lattice methods
– Basis of military and commercial security
– Set of ordered security levels, users assigned to a level
– User subjects are privileged to access a rank and all lower ranks
– Students do not need to master the notation used in ‘Gollman’
Access Control - Ranked Model (2)
We are also concerned about need to know
Compartment the information to be secured
Granting access:
– A subject is cleared to access an object only if rank(subject) >= rank(object) AND
– the set of all compartments that contain the object is contained within the set of compartments that the subject is cleared to access
– (The personnel manager will not be allowed to access confidential production data)
Access Control - Ranked Model (3)
Companies often use the ranks:
– Public, Company Confidential, Executive-only
Deciding what lies in what compartment keeps security staff occupied
Bell - LaPadula (1)
Earliest formal model
Each user subject and information object has a fixed security class
Use the notation >= to indicate dominance
Simple Security (ss) property: the no read-up (NRU) property
– A subject has read access to an object only if the class of the subject C(s) is greater than or equal to the class of the object C(o)
– need C(s) >= C(o)
Bell - LaPadula (2)
* property (star): the no write-down (NWD) property
– While a subject has read access to object O, the subject can only write to object P if C(P) >= C(O)
Leads to concentration of irrelevant detail at upper levels
Discretionary Security (ds) property
– If discretionary policies are in place, accesses are further limited to this access matrix
– Although all users in the personnel department can read all [personnel] documents, the personnel manager would expect to limit the readers of a document that dealt with redundancies in the personnel department!
Transitions
If a system starts in a secure state, and all transitions are secure, then the system remains in a secure state.
But what if we allow users to downgrade all objects, and then modify the access control matrix so all modes are allowed for each entry?
So we need to beware of transitions that change access rights
Tranquility (Gollman p 49; Pfleeger (3ed) p 305)
Starting with a Bell-LaPadula model, with ranked classes of users
– Say Executive, Company-confidential, Public
And segregated compartments
– Say Sales, Production
And all users assigned a rank, and all files assigned a rank and a compartment
TRANQUILITY is when these assignments do not change, or are not allowed to change
Tranquility in practice
Production program systems need to open and use work files, and open and use spool print files, class or subroutine libraries need to be accessed.
For systems with mandatory security, these entities all need labels and levels.
In practice assigning security levels to these sorts of entities is not easy.
Chinese Wall Model
Suppose a consultancy has several airlines as clients
– It is a conflict of interest if a consultant working with Quantas has access to confidential data on Gulf gathered from another assignment
– Security policy builds on 3 levels of abstraction:
  • Objects: lowest level, e.g. files
  • Company groups: all objects concerning a particular company are grouped together
  • Conflict classes: at the highest level, all groups of objects for competing companies are clustered.
– No information flow that causes a conflict of interest
  • For this model to work, a history of access rights has to be maintained
– (Also, if confidential information is written across conflict classes, an effective conflict of interest is created)
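An added example (not from the slides) of a Chinese Wall monitor built on the three levels of abstraction above and keeping the access history the model requires; the object, company and conflict-class tables are constructed for the demonstration, and the write rule is the common simplified form (a subject may write to a company only if it has read nothing from any other company).

```python
from typing import Dict, List, Set, Tuple

# Constructed sample structure: object -> company dataset, company -> conflict
# class. Company names follow the slides' airline example (spelling kept).
COMPANY_OF: Dict[str, str] = {
    "quantas_fleet.xls": "Quantas",
    "quantas_routes.doc": "Quantas",
    "gulf_fleet.xls": "Gulf",
    "bank1_loans.csv": "Bank1",
}
CONFLICT_CLASS_OF: Dict[str, str] = {"Quantas": "Airlines", "Gulf": "Airlines", "Bank1": "Banks"}


class ChineseWall:
    def __init__(self) -> None:
        # The access history the model depends on: company datasets each subject has touched.
        self.history: Dict[str, Set[str]] = {}
        self.audit: List[Tuple[str, str, str, bool]] = []

    def _seen(self, subject: str) -> Set[str]:
        return self.history.setdefault(subject, set())

    def can_read(self, subject: str, obj: str) -> bool:
        """Simple security: refused if a different company in the same conflict
        class is already in the subject's history."""
        company = COMPANY_OF[obj]
        cls = CONFLICT_CLASS_OF[company]
        return not any(seen != company and CONFLICT_CLASS_OF[seen] == cls
                       for seen in self._seen(subject))

    def can_write(self, subject: str, obj: str) -> bool:
        """*-property (simplified form): writing to company X is allowed only if the
        subject may read X and has read no other company's data, so nothing can be
        copied across a conflict class through this subject."""
        return self.can_read(subject, obj) and self._seen(subject) <= {COMPANY_OF[obj]}

    def read(self, subject: str, obj: str) -> bool:
        ok = self.can_read(subject, obj)
        if ok:
            self._seen(subject).add(COMPANY_OF[obj])  # history grows with each new dataset
        self.audit.append((subject, "read", obj, ok))
        return ok

    def write(self, subject: str, obj: str) -> bool:
        ok = self.can_write(subject, obj)
        if ok:
            self._seen(subject).add(COMPANY_OF[obj])
        self.audit.append((subject, "write", obj, ok))
        return ok
```

Note that the rule is history-dependent: the same request that was allowed before the first airline read is refused afterwards, which is why the monitor must persist the history rather than consult a static matrix.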
Biba
Concerned with integrity of information
We wish to prevent the spread of untrusted information
A Cold War issue: the intelligence services of the UK were known to have been compromised by the Soviets.
How then could the USA ensure that USA intelligence data was not ‘corrupted’ by possibly misleading data flowing from UK sources?
Subject s can only modify object o if I(s) >= I(o) (no write-up)
Integrity * property: if s can read o, s can only write to p if I(o) >= I(p)
So ‘clean’ objects do not become ‘contaminated’
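The dominance test of Ranked Model (2), with the Bell-LaPadula properties of the two BLP slides and the Biba rules just above written on top of it, as an added example not from the slides; the rank order Public < Company-confidential < Executive and the Sales/Production compartments are taken from the Tranquility slide, and the Personnel compartment in the demonstration is an assumption.

```python
from typing import FrozenSet, NamedTuple

# Rank order and compartment names from the Tranquility slide.
RANKS = {"Public": 0, "Company-confidential": 1, "Executive": 2}


class Label(NamedTuple):
    rank: str
    compartments: FrozenSet[str]


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice: rank(a) >= rank(b) AND every compartment of b is in a.
    This is exactly the clearance test of Ranked Model (2)."""
    return RANKS[a.rank] >= RANKS[b.rank] and b.compartments <= a.compartments


# Bell-LaPadula (confidentiality): C(s), C(o) are labels.
def blp_can_read(c_subject: Label, c_object: Label) -> bool:
    """Simple security (no read-up): C(s) >= C(o)."""
    return dominates(c_subject, c_object)


def blp_can_write(c_read_object: Label, c_target: Label) -> bool:
    """*-property (no write-down): while reading O, may write P only if C(P) >= C(O)."""
    return dominates(c_target, c_read_object)


# Biba (integrity): I(s), I(o) are labels on the same lattice, read the other way.
def biba_can_modify(i_subject: Label, i_object: Label) -> bool:
    """No write-up: s modifies o only if I(s) >= I(o)."""
    return dominates(i_subject, i_object)


def biba_can_write_after_read(i_read_object: Label, i_target: Label) -> bool:
    """Integrity *-property: having read o, s writes p only if I(o) >= I(p)."""
    return dominates(i_read_object, i_target)


if __name__ == "__main__":
    personnel_mgr = Label("Executive", frozenset({"Personnel"}))   # assumed compartment
    prod_data = Label("Company-confidential", frozenset({"Production"}))
    # Higher rank is not enough: the Production compartment is missing.
    print("personnel manager reads production data?", blp_can_read(personnel_mgr, prod_data))
```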
Clark-Wilson (1)
The security requirements of commercial transactions are about integrity, and the prevention of error and fraud.
There is an established principle of separation of duties, which aims to ensure that users must collaborate to validly manipulate data, and hence users must collude to commit fraud.
Clark-Wilson aims to define well-formed transactions, so users cannot directly access data, and specific data items can only be modified by defined programs.
Clark-Wilson (2)
Internal consistency of data items should be ensured by the system
Overall:
– Subjects have to be identified and authenticated
– Objects can be manipulated by a restricted set of programs
– Subjects can execute only a restricted set of programs
– A proper audit has to be maintained.
– The system has to be certified to work properly.
An application-oriented IT system model, a framework and guideline for security policy
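The Clark-Wilson rules of the two slides above as a small enforcement monitor, an added example rather than anything from the slides: data items are changed only through certified programs, users run only the programs assigned to them, separation of duties keeps one user from running both halves of a transaction, and every attempt is logged; the invoice/approve transaction, its data items and the user names are constructed for the demonstration.

```python
from typing import Callable, Dict, List, Set, Tuple

# A transformation procedure (TP) receives only the data items it was certified for.
TP = Callable[[Dict[str, int]], None]

class ClarkWilson:
    def __init__(self, cdis: Dict[str, int]) -> None:
        self.cdis = dict(cdis)                      # constrained data items (CDIs)
        self.tps: Dict[str, Tuple[Set[str], TP]] = {}
        self.allowed: Set[Tuple[str, str]] = set()  # (user, TP) the user may execute
        self.exclusive: Set[frozenset] = set()      # TP pairs one user must not both run
        self.ran: Dict[str, Set[str]] = {}
        self.log: List[Tuple[str, str, bool]] = []  # audit trail of every attempt

    def certify(self, name: str, cdis: Set[str], code: TP) -> None:
        """Certification: `name` is a well-formed TP that may change only `cdis`."""
        self.tps[name] = (cdis, code)

    def permit(self, user: str, tp: str) -> None:
        self.allowed.add((user, tp))

    def separate(self, tp_a: str, tp_b: str) -> None:
        """Separation of duties: no single user may run both TPs."""
        self.exclusive.add(frozenset({tp_a, tp_b}))

    def run(self, user: str, tp: str) -> bool:
        done = self.ran.setdefault(user, set())
        ok = ((user, tp) in self.allowed and tp in self.tps
              and not any(frozenset({tp, d}) in self.exclusive for d in done))
        if ok:
            cdis, code = self.tps[tp]
            view = {k: self.cdis[k] for k in cdis}  # TP sees only its certified CDIs
            code(view)
            self.cdis.update(view)
            done.add(tp)
        self.log.append((user, tp, ok))
        return ok

    def consistent(self) -> bool:
        """Integrity check for the demo ledger: nothing is lost between pending and posted."""
        return self.cdis["pending"] + self.cdis["posted"] == self.cdis["total"]

def build_demo() -> ClarkWilson:
    """Constructed two-step bookkeeping transaction: enter an invoice, then approve it."""
    cw = ClarkWilson({"pending": 0, "posted": 0, "total": 0})
    def enter_invoice(v: Dict[str, int]) -> None:
        v["pending"] += 100
        v["total"] += 100
    def approve(v: Dict[str, int]) -> None:
        v["posted"] += v["pending"]
        v["pending"] = 0
    cw.certify("enter_invoice", {"pending", "total"}, enter_invoice)
    cw.certify("approve", {"pending", "posted"}, approve)
    for user, tp in [("alice", "enter_invoice"), ("alice", "approve"), ("bob", "approve")]:
        cw.permit(user, tp)
    cw.separate("enter_invoice", "approve")  # entering and approving need two people
    return cw
```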