September 7, 2006 Lecture 2
IS 2150 / TEL 2810 Introduction to Security

Transcript of the lecture slides

Page 1

September 7, 2006, Lecture 2

IS 2150 / TEL 2810 Introduction to Security

Page 2

Mathematics Review

Page 3

Propositional logic/calculus

Atomic, declarative statements (propositions) that can be shown to be either TRUE or FALSE but not both; e.g., "Sky is blue"; "3 is less than 4"

Propositions can be composed into compound sentences using connectives:

Negation ¬p (NOT): highest precedence
Disjunction p ∨ q (OR): second precedence
Conjunction p ∧ q (AND): second precedence
Implication p → q: q is a logical consequence of p

Exercise: Truth tables?

Page 4

Propositional logic/calculus

Contradiction: a formula that is always false, e.g. p ∧ ¬p. What about ¬(p ∧ ¬p)?

Tautology: a formula that is always true, e.g. p ∨ ¬p. What about ¬(p ∨ ¬p)?

Others:

Exclusive OR: p ⊕ q; p or q but not both
Bi-condition: p ↔ q [p if and only if q (p iff q)]
Logical equivalence: p ≡ q [p is logically equivalent to q]

Some exercises…

Page 5

Some Laws of Logic

Double negation: ¬¬p ≡ p
DeMorgan's law: ¬(p ∨ q) ≡ (¬p ∧ ¬q); ¬(p ∧ q) ≡ (¬p ∨ ¬q)
Commutative: (p ∧ q) ≡ (q ∧ p), and likewise for ∨
Associative law: p ∧ (q ∧ r) ≡ (p ∧ q) ∧ r, and likewise for ∨
Distributive law: p ∧ (q ∨ r) ≡ (p ∧ q) ∨ (p ∧ r); p ∨ (q ∧ r) ≡ (p ∨ q) ∧ (p ∨ r)
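The truth-table exercise from the previous slides, worked as an added Python example (not part of the lecture material): each connective is a small function, a truth table is built by enumerating every assignment, and the laws listed on this slide, together with the contradiction/tautology questions, are checked by exhaustive enumeration. The function and law names are my own.

```python
from itertools import product

# Connectives as Python functions. Precedence on the slide: NOT binds tightest,
# then AND / OR, then implication; here explicit nesting fixes the order.
def NOT(p): return not p
def AND(p, q): return p and q
def OR(p, q): return p or q
def IMPLIES(p, q): return (not p) or q   # p -> q: false only when p is true and q is false
def XOR(p, q): return p != q             # p or q but not both
def IFF(p, q): return p == q             # p if and only if q

def truth_table(formula, names):
    """Map every assignment of the named variables to the formula's value.
    `formula` is a callable whose keyword parameters are exactly `names`."""
    table = {}
    for values in product((True, False), repeat=len(names)):
        table[values] = formula(**dict(zip(names, values)))
    return table

def equivalent(f, g, names):
    """Logical equivalence: f and g take the same value on every row."""
    return truth_table(f, names) == truth_table(g, names)

def is_tautology(f, names):
    return all(truth_table(f, names).values())

def is_contradiction(f, names):
    return not any(truth_table(f, names).values())

def format_table(formula, names):
    """Render a truth table as text, for the slide's exercise."""
    lines = [" ".join(names) + " | value"]
    for values, result in truth_table(formula, names).items():
        row = " ".join("T" if v else "F" for v in values)
        lines.append(f"{row} | {'T' if result else 'F'}")
    return "\n".join(lines)

P, PQ, PQR = ("p",), ("p", "q"), ("p", "q", "r")

def check_laws():
    """Each law from the slides, verified by exhaustive enumeration."""
    return {
        "double negation": equivalent(lambda p: NOT(NOT(p)), lambda p: p, P),
        "de morgan (not-or)": equivalent(lambda p, q: NOT(OR(p, q)),
                                         lambda p, q: AND(NOT(p), NOT(q)), PQ),
        "de morgan (not-and)": equivalent(lambda p, q: NOT(AND(p, q)),
                                          lambda p, q: OR(NOT(p), NOT(q)), PQ),
        "commutative": equivalent(AND, lambda p, q: AND(q, p), PQ),
        "associative": equivalent(lambda p, q, r: AND(p, AND(q, r)),
                                  lambda p, q, r: AND(AND(p, q), r), PQR),
        "distributive (and over or)": equivalent(
            lambda p, q, r: AND(p, OR(q, r)),
            lambda p, q, r: OR(AND(p, q), AND(p, r)), PQR),
        "distributive (or over and)": equivalent(
            lambda p, q, r: OR(p, AND(q, r)),
            lambda p, q, r: AND(OR(p, q), OR(p, r)), PQR),
        "p and not-p is a contradiction": is_contradiction(lambda p: AND(p, NOT(p)), P),
        "p or not-p is a tautology": is_tautology(lambda p: OR(p, NOT(p)), P),
        "implication is not-p or q": equivalent(IMPLIES, lambda p, q: OR(NOT(p), q), PQ),
        "iff is (p->q) and (q->p)": equivalent(
            IFF, lambda p, q: AND(IMPLIES(p, q), IMPLIES(q, p)), PQ),
        "xor differs from or": not equivalent(XOR, OR, PQ),
    }

if __name__ == "__main__":
    print(format_table(IMPLIES, PQ))
    for law, holds in check_laws().items():
        print(f"{law}: {'holds' if holds else 'FAILS'}")
```

Because the variables range over only two values, exhaustive enumeration is a complete decision procedure here; the same `equivalent` check is what a truth-table proof of any of these laws amounts to.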

Page 6

Predicate/first order logic

Propositional logic plus variables, quantifiers, constants and functions

Consider the sentence: "Every directory contains some files". We need to capture "every" and "some":

F(x): x is a file
D(y): y is a directory
C(x, y): x is a file in directory y

Page 7

Predicate/first order logic

Existential quantifier (there exists): e.g., ∃x is read as "there exists x"
Universal quantifier (for all): ∀

∀y (D(y) → (∃x (F(x) ∧ C(x, y)))) is read as: for every y, if y is a directory, then there exists an x such that x is a file and x is in directory y

What about ∃x (F(x) ∧ (∀y (D(y) → C(x, y))))?
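An added Python example (not from the slides) that evaluates both quantified sentences over a small constructed file system, so the difference between the two quantifier orders can be seen rather than argued. The domain, the file and directory names, and the `evaluate` helper are my own; the second sentence is read as "there is one file that is in every directory", which is the reading the bracketing on the slide suggests.

```python
def forall(pred, domain):
    return all(pred(v) for v in domain)

def exists(pred, domain):
    return any(pred(v) for v in domain)

def implies(p, q):
    return (not p) or q

def evaluate(files, dirs, contains):
    """Evaluate both sentences over the finite domain files ∪ dirs.
    files, dirs: sets of names; contains: set of (file, directory) pairs."""
    domain = files | dirs
    F = lambda x: x in files                 # F(x): x is a file
    D = lambda y: y in dirs                  # D(y): y is a directory
    C = lambda x, y: (x, y) in contains      # C(x, y): x is a file in directory y

    # ∀y (D(y) → ∃x (F(x) ∧ C(x, y))): every directory contains some file
    every_dir_has_a_file = forall(
        lambda y: implies(D(y), exists(lambda x: F(x) and C(x, y), domain)), domain)

    # ∃x (F(x) ∧ ∀y (D(y) → C(x, y))): a single file lies in every directory
    one_file_in_every_dir = exists(
        lambda x: F(x) and forall(lambda y: implies(D(y), C(x, y)), domain), domain)

    return every_dir_has_a_file, one_file_in_every_dir

# Constructed toy file system: three directories, one file in each.
FILES = {"passwd", "notes.txt", "cache.db"}
DIRS = {"/etc", "/home", "/tmp"}
CONTAINS = {("passwd", "/etc"), ("notes.txt", "/home"), ("cache.db", "/tmp")}

if __name__ == "__main__":
    print(evaluate(FILES, DIRS, CONTAINS))             # first sentence true, second false
    print(evaluate(FILES, DIRS | {"/var"}, CONTAINS))  # an empty directory falsifies the first
    shared = CONTAINS | {("motd", d) for d in DIRS}    # one file present in every directory
    print(evaluate(FILES | {"motd"}, DIRS, shared))    # now both are true
```

The first sentence lets the file depend on the directory (a different x for each y); the second fixes one x before ranging over all y, which is a much stronger claim and is false on the ordinary file system above.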

Page 8

Mathematical Induction

Proof technique to prove some mathematical property; e.g. we want to prove that M(n) holds for all natural numbers

Base case OR Basis: prove that M(1) holds
Induction Hypothesis: assert that M(n) holds for n = 1, …, k
Induction Step: prove that if M(k) holds then M(k+1) holds

Page 9

Mathematical Induction

Exercise: prove that the sum of the first n natural numbers is

S(n): 1 + … + n = n(n + 1)/2

and that the sum of the first n squares is

S(n): 1^2 + … + n^2 = n(n + 1)(2n + 1)/6
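The first exercise carried through, as an added derivation that is not part of the slides, using the basis / hypothesis / step structure of the previous slide:

$$\text{Basis } (n = 1):\quad 1 = \frac{1 \cdot (1 + 1)}{2} = 1, \text{ so } S(1) \text{ holds.}$$

$$\text{Hypothesis:}\quad 1 + \cdots + k = \frac{k(k+1)}{2} \quad \text{for some } k \ge 1.$$

$$\text{Step:}\quad 1 + \cdots + k + (k+1) = \frac{k(k+1)}{2} + (k+1) = \frac{k(k+1) + 2(k+1)}{2} = \frac{(k+1)(k+2)}{2},$$

which is exactly S(k+1). Hence S(n) holds for all natural numbers n. The sum-of-squares exercise goes the same way: adding (k+1)^2 to k(k+1)(2k+1)/6 and factoring out (k+1) gives (k+1)(2k^2 + 7k + 6)/6 = (k+1)(k+2)(2k+3)/6, which is the formula with n = k+1.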

Page 10

Lattice: Sets

A set is a collection of unique elements. Let S, T be sets.

Cartesian product: S × T = {(a, b) | a ∈ S, b ∈ T}, a set of ordered pairs

A binary relation R from S to T is a subset of S × T; a binary relation R on S is a subset of S × S. If (a, b) ∈ R we write aRb.

Example: R is "less than or equal to" (≤). For S = {1, 2, 3}, an example of R on S is {(1, 1), (1, 2), (1, 3), ????}; (1, 2) ∈ R is another way of writing 1 ≤ 2

Page 11

Lattice: Properties of relations

Reflexive: aRa for all a ∈ S
Anti-symmetric: aRb and bRa imply a = b, for all a, b ∈ S
Transitive: aRb and bRc imply aRc, for all a, b, c ∈ S

Which properties hold for "less than or equal to" (≤)? Draw the Hasse diagram: it captures all the relations

Page 12

Lattice

Total ordering: when the relation orders all elements; e.g., "less than or equal to" (≤) on natural numbers

Partial ordering (poset): the relation orders only some elements, not all; e.g. "less than or equal to" (≤) on complex numbers; consider (2 + 4i) and (3 + 2i)

Page 13

Lattice

Upper bound (u, a, b ∈ S): u is an upper bound of a and b means aRu and bRu
Least upper bound: lub(a, b), the closest upper bound

Lower bound (l, a, b ∈ S): l is a lower bound of a and b means lRa and lRb
Greatest lower bound: glb(a, b), the closest lower bound

Page 14

Lattice

A lattice is the combination of a set of elements S and a relation R meeting the following criteria:
R is reflexive, antisymmetric, and transitive on the elements of S
For every s, t ∈ S, there exists a greatest lower bound
For every s, t ∈ S, there exists a least upper bound

Some examples: S = {1, 2, 3} and R = ?; S = {2+4i, 1+2i, 3+2i, 3+4i} and R = ?

Page 15

Overview of Lattice Based Models: Confidentiality

Bell-LaPadula Model: the first rigorously developed model for high assurance, built for the military
Objects are classified; objects may belong to compartments
Subjects are given clearances
Classification/clearance levels form a lattice
Two rules: no read-up; no write-down
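An added Python example (not from the slides) covering pages 10 to 15: it checks the three relation properties, computes upper/lower bounds, lub and glb, decides whether (S, R) is a lattice, and derives the Hasse diagram's edges. It runs the two example sets the slides leave as questions and, going one step beyond the slides, a Bell-LaPadula style set of (classification, compartments) levels to show why such levels form a lattice. The componentwise order on the complex numbers and the classification names are my assumptions.

```python
def relation(S, pred):
    """Build R ⊆ S × S from a predicate: aRb iff pred(a, b)."""
    return {(a, b) for a in S for b in S if pred(a, b)}

def is_reflexive(S, R):
    return all((a, a) in R for a in S)

def is_antisymmetric(S, R):
    return all(a == b for (a, b) in R if (b, a) in R)

def is_transitive(S, R):
    return all((a, c) in R for (a, b) in R for (b2, c) in R if b == b2)

def is_partial_order(S, R):
    return is_reflexive(S, R) and is_antisymmetric(S, R) and is_transitive(S, R)

def is_total_order(S, R):
    return is_partial_order(S, R) and all((a, b) in R or (b, a) in R for a in S for b in S)

def upper_bounds(S, R, a, b):
    return {u for u in S if (a, u) in R and (b, u) in R}

def lower_bounds(S, R, a, b):
    return {l for l in S if (l, a) in R and (l, b) in R}

def lub(S, R, a, b):
    """Least upper bound: the upper bound below every other upper bound, or None."""
    ubs = upper_bounds(S, R, a, b)
    return next((u for u in ubs if all((u, v) in R for v in ubs)), None)

def glb(S, R, a, b):
    """Greatest lower bound: the lower bound above every other lower bound, or None."""
    lbs = lower_bounds(S, R, a, b)
    return next((l for l in lbs if all((v, l) in R for v in lbs)), None)

def is_lattice(S, R):
    return is_partial_order(S, R) and all(
        lub(S, R, a, b) is not None and glb(S, R, a, b) is not None for a in S for b in S)

def hasse_edges(S, R):
    """Covering pairs (a, b): aRb, a != b, with no c strictly between; the Hasse diagram's edges."""
    strict = {(a, b) for (a, b) in R if a != b}
    return {(a, b) for (a, b) in strict
            if not any((a, c) in strict and (c, b) in strict for c in S)}

# Example 1 from the slides: S = {1, 2, 3} with "less than or equal to".
S1 = {1, 2, 3}
R1 = relation(S1, lambda a, b: a <= b)

# Example 2 from the slides: four complex numbers. The slide leaves R open; assumed here:
# a ≤ b iff both real and imaginary parts are ≤, so 2+4i and 3+2i are incomparable.
S2 = {2 + 4j, 1 + 2j, 3 + 2j, 3 + 4j}
R2 = relation(S2, lambda a, b: a.real <= b.real and a.imag <= b.imag)

# Example 3 (beyond the slides): Bell-LaPadula style levels (classification, compartments).
# Level b dominates level a iff b's classification is at least a's and b's compartments ⊇ a's.
CLASSES = ["unclassified", "confidential", "secret", "top secret"]   # assumed ordering
def dominates(b, a):
    return CLASSES.index(b[0]) >= CLASSES.index(a[0]) and b[1] >= a[1]

S3 = {(c, frozenset(k)) for c in ("unclassified", "secret")
      for k in ((), ("nuc",), ("eur",), ("nuc", "eur"))}
R3 = relation(S3, lambda a, b: dominates(b, a))   # aRb means b dominates a

if __name__ == "__main__":
    print("S1 total order:", is_total_order(S1, R1), "lattice:", is_lattice(S1, R1))
    print("S2 total order:", is_total_order(S2, R2), "lattice:", is_lattice(S2, R2))
    print("lub(2+4i, 3+2i) =", lub(S2, R2, 2 + 4j, 3 + 2j),
          "glb =", glb(S2, R2, 2 + 4j, 3 + 2j))
    print("BLP levels form a lattice:", is_lattice(S3, R3))
    print("Hasse edges of S1:", sorted(hasse_edges(S1, R1)))
```

For the BLP levels, lub is (higher classification, union of compartments) and glb is (lower classification, intersection), which is what makes "the least level that dominates both" well defined for any pair of subjects or objects.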

Page 16

Access Control Matrix

Page 17

ACM Background

Access Control Matrix: captures the current protection state of a system

Butler Lampson proposed the first Access Control Matrix model; Graham and Denning refined it; Harrison, Ruzzo and Ullman modified it and presented some theoretical results

Page 18

Protection System

State of a system: current values of memory locations, registers, secondary storage, etc., and other system components

Protection state (P): a system state that is considered secure

A protection system captures the conditions for state transitions and consists of two parts: a set of generic rights and a set of commands

Page 19

Protection System

Subject (S: set of all subjects): active entities that carry out an action/operation on other entities; e.g. users, processes, agents, etc.
Object (O: set of all objects): e.g. processes, files, devices
Right (R: set of all rights): an action/operation that a subject is allowed/disallowed on objects
Access Matrix A: a[s, o] ⊆ R
Set of Protection States: (S, O, A)

Page 20

Access Control Matrix Model

Access control matrix: describes the protection state of a system; its elements indicate the access rights that subjects have on objects
ACM is an abstract model; rights may vary depending on the objects involved
ACM is implemented primarily in two ways: capabilities (rows) and access control lists (columns)

Page 21

Access Control Matrix

[Figure: one access matrix with subjects s1, s2, s3 as rows and files f1 to f6 as columns, shown three ways: as the access matrix itself, as access control lists (one list per file, naming each subject and its rights on that file), and as capabilities (one list per subject, naming each file and the subject's rights on it). Legend: o: own, r: read, w: write]

Page 22

Access Control Matrix

Hostnames | Telegraph | Nob                 | Toadflax
Telegraph | own       | ftp                 | ftp
Nob       |           | ftp, nfs, mail, own | ftp, nfs, mail
Toadflax  |           | ftp, mail           | ftp, nfs, mail, own

• telegraph is a PC with an ftp client but no server
• nob provides NFS but not to toadflax
• nob and toadflax can exchange mail

        | Counter | Inc_ctr | Dcr_ctr | Manager
Inc_ctr | +       |         |         |
Dcr_ctr | -       |         |         |
Manager |         | Call    | Call    | Call

Page 23

State Transitions

Let the initial state be X0 = (S0, O0, A0). Notation:

Xi ⊢i+1 Xi+1 : upon transition i+1, the system moves from state Xi to Xi+1
X ⊢* Y : the system moves from state X to Y after a set of transitions
Xi ⊢ci+1(pi+1,1, pi+1,2, …, pi+1,m) Xi+1 : state transition upon a command

For every command there is a sequence of state transition operations

Page 24

Primitive commands (Graham-Denning)

Create subject s: creates a new row and column in the ACM
Create object o: creates a new column in the ACM
Destroy subject s: deletes the row and column from the ACM
Destroy object o: deletes the column from the ACM
Read access right of s on o: copy a[s, o] to x
Delete access right r of s on o: removes right r from subject s over object o
Grant access right r of s on o: adds right r for subject s over object o
Transfer access right r or r* to s on o: adds right r for subject s over object o

Page 25

Primitive commands (HRU)

Create subject s: creates a new row and column in the ACM
Create object o: creates a new column in the ACM
Enter r into a[s, o]: adds right r for subject s over object o
Delete r from a[s, o]: removes right r from subject s over object o
Destroy subject s: deletes the row and column from the ACM
Destroy object o: deletes the column from the ACM

Page 26

System commands [Unix]: process p creates file f with owner read and write (r, w); this is represented by the following:

Command create_file(p, f)
  Create object f
  Enter own into a[p, f]
  Enter r into a[p, f]
  Enter w into a[p, f]
End

Page 27

Process p creates a new process q:

Command spawn_process(p, q)
  Create subject q
  Enter own into a[p, q]
  Enter r into a[p, q]
  Enter w into a[p, q]
  Enter r into a[q, p]
  Enter w into a[q, p]
End

Page 28

System commands: defined commands can be used to update the ACM

Command make_owner(p, f)
  Enter own into a[p, f]
End

Mono-operational: the command invokes only one primitive

Page 29

Conditional Commands

Mono-operational + mono-conditional:

Command grant_read_file(p, f, q)
  If own in a[p, f]
  Then Enter r into a[q, f]
End

Page 30

Conditional Commands

Mono-operational + biconditional:

Command grant_read_file(p, f, q)
  If r in a[p, f] and c in a[p, f]
  Then Enter r into a[q, f]
End

Why not "OR"??

Page 31

Attenuation of privilege

Principle of attenuation: a subject may not give rights that it does not possess to others

Copy: augments existing rights; often attached to a right, so it only applies to that right
r is a read right that cannot be copied; rc is a read right that can be copied
Also called the grant right

Page 32

Attenuation of privilege

Own: allows adding or deleting rights, and granting rights to others
The creator has the own right; subjects may be granted the own right
The owner may give rights that he does not have to others on the objects he owns (chown command)

Example: John owns file f but does not have read permission over it. John can grant read right on f to Matt.
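An added Python example (not from the slides) for pages 18 to 32: an access control matrix with the HRU primitives, the slide's commands `create_file`, `spawn_process`, `make_owner` and both versions of `grant_read_file` written as sequences of primitives, and a `grant` function that enforces attenuation of privilege. The attenuation policy encoded in `grant` (copy flag or ownership) and the `demo` scenario are my own reading of the slides; `spawn_process` creates q as a subject so that the row a[q, p] exists.

```python
class ACM:
    """Access control matrix with the HRU primitive operations.
    A subject is also an object, so creating one adds both a row and a column."""

    def __init__(self):
        self.subjects, self.objects, self.a = set(), set(), {}

    def create_subject(self, s):
        if s in self.objects:
            raise ValueError(f"{s} already exists")
        self.subjects.add(s)
        self.objects.add(s)
        for o in self.objects:                    # new row
            self.a[(s, o)] = set()
        for t in self.subjects:                   # new column
            self.a.setdefault((t, s), set())

    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"{o} already exists")
        self.objects.add(o)
        for s in self.subjects:                   # new column only
            self.a[(s, o)] = set()

    def enter(self, r, s, o):                     # Enter r into a[s, o]
        self.a[(s, o)].add(r)

    def delete(self, r, s, o):                    # Delete r from a[s, o]
        self.a[(s, o)].discard(r)

    def destroy_subject(self, s):                 # drop the row and the column
        self.subjects.discard(s)
        self.objects.discard(s)
        self.a = {k: v for k, v in self.a.items() if s not in k}

    def destroy_object(self, o):                  # drop the column
        self.objects.discard(o)
        self.a = {k: v for k, v in self.a.items() if k[1] != o}

    def rights(self, s, o):
        return frozenset(self.a.get((s, o), ()))


# The slides' commands: fixed sequences of primitives, optionally guarded by a condition.
def create_file(acm, p, f):
    acm.create_object(f)
    for r in ("own", "r", "w"):
        acm.enter(r, p, f)

def spawn_process(acm, p, q):
    acm.create_subject(q)                         # q gets a row, so it is a subject
    for r in ("own", "r", "w"):
        acm.enter(r, p, q)
    for r in ("r", "w"):
        acm.enter(r, q, p)

def make_owner(acm, p, f):                        # mono-operational
    acm.enter("own", p, f)

def grant_read_file(acm, p, f, q):                # mono-conditional: own in a[p, f]
    if "own" in acm.rights(p, f):
        acm.enter("r", q, f)

def grant_read_file_copy(acm, p, f, q):           # biconditional: r AND c in a[p, f]
    if {"r", "c"} <= acm.rights(p, f):
        acm.enter("r", q, f)

def grant(acm, giver, r, s, o):
    """Attenuation of privilege (assumed policy): giver may pass r on o only if it holds
    r with the copy flag (e.g. 'rc'), or owns o, in which case it may give a right it
    does not itself hold (the slide's John/Matt example)."""
    held = acm.rights(giver, o)
    if "own" in held or (r + "c") in held:
        acm.enter(r, s, o)
        return True
    return False

def demo():
    """Constructed scenario: John owns f without read; Matt cannot relay r until he holds rc."""
    acm = ACM()
    for s in ("john", "matt", "alice"):
        acm.create_subject(s)
    create_file(acm, "john", "f")
    acm.delete("r", "john", "f")
    given = grant(acm, "john", "r", "matt", "f")            # owner: allowed without r
    relayed = grant(acm, "matt", "r", "alice", "f")         # Matt has r but not rc
    acm.enter("rc", "matt", "f")
    relayed_after_copy = grant(acm, "matt", "r", "alice", "f")
    spawn_process(acm, "john", "p1")
    return acm, given, relayed, relayed_after_copy
```

The unguarded primitives belong to the protection system, not to subjects: a subject only ever invokes commands, and the condition on a command (ownership, or r together with the copy flag) is where attenuation is enforced.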

Page 33

Fundamental questions

How can we determine that a system is secure? We need to define what we mean by a system being "secure"
Is there a generic algorithm that allows us to determine whether a computer system is secure?

We will wait till next time…

Page 34

Unix File System Overview

Page 35

Unix file security

Each file has an owner and a group; permissions are set by the owner
Read, write, execute, for owner, group, other; represented by a vector of four octal values
Only the owner and root can change permissions; this privilege cannot be delegated or shared

Page 36

Unix File Permissions

File type, owner, group, others:

drwx------ 2 jjoshi isfac 512 Aug 20 2003 risk management
lrwxrwxrwx 1 jjoshi isfac 15 Apr 7 09:11 risk_m->risk management
-rw-r--r-- 1 jjoshi isfac 1754 Mar 8 18:11 words05.ps
-r-sr-xr-x 1 root bin 9176 Apr 6 2002 /usr/bin/rs
-r-sr-sr-x 1 root sys 2196 Apr 6 2002 /usr/bin/passwd

File type: regular -, directory d, symlink l, device b/c, socket s, fifo f/p
Permission: r, w, x, s or S (setuid/setgid), t (sticky)

Page 37

User IDs

Each process has three IDs:
Real user ID (RUID): same as the user ID of the parent (unless changed); used to determine which user started the process
Effective user ID (EUID): from the set-user-ID bit on the file being executed, or a system call; determines the permissions for the process
Saved user ID (SUID): allows restoring the previous EUID

Page 38

User IDs

Similarly we have a real group ID and an effective group ID
While accessing files, the process EUID is compared against the file UID, and the GIDs are compared

Page 39

IDs/Operations

Root can access any file
Fork and Exec: inherit the three IDs, except exec of a file with the setuid bit
Setuid system calls: seteuid(newid) can set EUID to the real ID or the saved ID, regardless of the current EUID; to any ID, if EUID = 0
Related calls: setuid, seteuid, setgid, setegid

Page 40

Setid bits on an executable Unix file

Three setid bits:
setuid: set the EUID of the process to the ID of the file owner
setgid: set the EGID of the process to the GID of the file
setuid/setgid are used when a process executes a file: if the setuid (setgid) bit is on, the EUID (EGID) of the process is changed to the UID (GID) of the file
Sticky:
Off: if a user has write permission on the directory, they can rename or remove files, even if not the owner
On: only the file owner, the directory owner, and root can rename or remove a file in the directory

Page 41

Example

[Figure: a process with RUID 25 calls exec( ) on a setuid program owned by user 18. It continues with RUID 25 and EUID 18, and has read/write access to a file owned by 18 (mode -rw-r--r--). The program then runs i = getruid(); setuid(i); after which it has RUID 25 and EUID 25 and accesses a file owned by 25 (mode -rw-r--r--) with read/write.]
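An added Python model (not from the slides) of the mechanics on pages 36 to 41: it decodes ls -l mode strings into the four octal digits, applies the access check that compares EUID and EGID with the file's owner and group, simulates exec of a setuid file and the saved-ID rules for seteuid, implements the sticky-bit rule for removing entries, and replays the page 41 scenario (user 25 running a program owned by 18). The `File`/`Process` records, the group IDs and the function names are my own constructions; the slide's setuid(i) call is modelled with `seteuid`.

```python
from dataclasses import dataclass

@dataclass
class File:
    mode: str      # ls -l style string, e.g. "-r-sr-xr-x"
    uid: int
    gid: int

@dataclass
class Process:
    ruid: int
    euid: int
    suid: int      # saved user ID
    rgid: int
    egid: int

def parse_mode(mode):
    """Decode a 10-character ls -l mode string into
    (file type, ((r,w,x) owner, (r,w,x) group, (r,w,x) other), setuid, setgid, sticky)."""
    if len(mode) != 10:
        raise ValueError("mode string must have 10 characters")
    bits = mode[1:]
    classes = []
    for i in (0, 3, 6):
        r, w, x = bits[i] == "r", bits[i + 1] == "w", bits[i + 2] in "xst"
        classes.append((r, w, x))   # lowercase s/t means the special bit plus execute
    return mode[0], tuple(classes), bits[2] in "sS", bits[5] in "sS", bits[8] in "tT"

def octal(mode):
    """The four octal digits (special, owner, group, other): '-r-sr-xr-x' -> '4555'."""
    _, classes, su, sg, st = parse_mode(mode)
    special = (4 if su else 0) | (2 if sg else 0) | (1 if st else 0)
    digits = [(4 if r else 0) | (2 if w else 0) | (1 if x else 0) for r, w, x in classes]
    return f"{special}{digits[0]}{digits[1]}{digits[2]}"

def may_access(proc, f, want):
    """Access check as on the slides: root can access any file; otherwise exactly one
    class applies, chosen by comparing EUID with the file's uid, then EGID with its gid."""
    if proc.euid == 0:
        return True
    _, (owner, group, other), _, _, _ = parse_mode(f.mode)
    i = "rwx".index(want)
    if proc.euid == f.uid:
        return owner[i]
    if proc.egid == f.gid:
        return group[i]
    return other[i]

def exec_file(proc, f):
    """exec keeps the IDs, except that a setuid/setgid file replaces EUID/EGID with the
    file's uid/gid; the saved user ID records the new EUID so it can be restored later."""
    _, _, su, sg, _ = parse_mode(f.mode)
    euid = f.uid if su else proc.euid
    egid = f.gid if sg else proc.egid
    return Process(proc.ruid, euid, euid, proc.rgid, egid)

def seteuid(proc, newid):
    """Allowed for the real or saved ID regardless of the current EUID, or any ID if EUID is 0."""
    if proc.euid == 0 or newid in (proc.ruid, proc.suid):
        proc.euid = newid
        return True
    return False

def may_remove(proc, directory, target):
    """Rename/remove needs write on the directory; with the sticky bit on, the process
    must also be the file owner, the directory owner, or root."""
    if not may_access(proc, directory, "w"):
        return False
    sticky = parse_mode(directory.mode)[4]
    return not sticky or proc.euid in (0, directory.uid, target.uid)

def walkthrough():
    """The page 41 scenario: user 25 runs a setuid program owned by 18, then drops back."""
    user25 = Process(ruid=25, euid=25, suid=25, rgid=100, egid=100)
    program = File("-r-sr-xr-x", uid=18, gid=1)
    file18 = File("-rw-r--r--", uid=18, gid=1)
    file25 = File("-rw-r--r--", uid=25, gid=100)
    p = exec_file(user25, program)                    # RUID 25, EUID 18
    while_setuid = (may_access(p, file18, "w"), may_access(p, file25, "w"))
    seteuid(p, p.ruid)                                # the slide's setuid(getruid())
    after_drop = (may_access(p, file18, "w"), may_access(p, file25, "w"))
    return p, while_setuid, after_drop
```

The walkthrough makes the least-privilege advice concrete: while EUID is 18 the program can write the owner's file but not the caller's own file, and after dropping to the real ID the situation reverses; because the saved ID still holds 18, the program could regain it with `seteuid(18)`, which is why a permanent drop needs all three IDs changed.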

Page 42

Careful with Setuid!

A setuid program can do what the owner of the file is allowed to do. Be sure not to:
take action for an untrusted user
return secret data to an untrusted user

Principle of least privilege: change EUID when root privileges are no longer needed
Setuid scripts (bad idea)
Race conditions: begin executing a setuid program; change the contents of the program before it loads and is executed