Computer Security - Florida State University


Computer Security
Access Control
7/20/2015
1
The Orange Book
First published in 1983, the Department of Defense Trusted
Computer System Evaluation Criteria, known as the Orange
Book, is the de facto standard for computer security today.
The Orange Book, and others in the Rainbow Series, are still
the benchmark for systems produced almost two decades
later, and Orange Book classifications such as C2 provide a
shorthand for the base level security features of modern
operating systems.
Access Control
Terminology
• subject, object, reference monitor
• access request
[Figure: a subject issues an access request; the reference monitor mediates the request before it reaches the object.]
Access Control
We can specify
• What a subject is allowed to do
• What may be done with an object
Access Operations
• Access modes
– Observe: look at the contents of an object
– Alter: change the contents of an object
Access Operations
• Access rights & attributes
– Bell-LaPadula security model

Access rights   observe   alter
execute
append                    x
read            x
write           x         x
Access Operations
• Unix
file:
read      read from a file
write     write to a file
execute   execute a (program) file
directory:
read      list directory contents
write     create or rename a file in a directory
execute   search the directory
Access rights are changed by modifying the file’s
entry in its directory.
Access Operations
• Windows NT
Permissions of the Windows New Technology File System (NTFS):
– read
– write
– execute
– delete
– change permission
– change ownership
One does not rely on operations on directories for deletion of files,
or to change access rights.
Ownership
• The owner of a resource decrees who is
allowed to access it.
• A system wide policy decrees who has access.
Access Control Structures
Now we must state which access operations are permitted.
We do this by studying the structures that record them.
Let
• S be a set of subjects,
• O a set of objects,
• A a set of access operations.
Access Control Matrix
Access rights are determined by a matrix
M = (M_{s,o})_{s ∈ S, o ∈ O} with M_{s,o} ⊆ A
The Bell-LaPadula model employs access control
matrices to model the discretionary access policies of
the Orange Book.
Access Control Matrix
An example

          bill.doc        edit.exe    fun.com
Alice     --              {execute}   {execute, read}
Bob       {read, write}   {execute}   {execute, read, write}
Access Control Matrix
Access rights can be kept with the
• subjects or the
• objects.
Access Control Matrix
Capabilities
If the access rights are kept with the subjects then
these are the subject’s access rights.
Every subject is given a capability.
Alice’s capability: edit.exe: execute; fun.com: read
Bob’s capability: bill.doc: read, write; edit.exe: execute;
fun.com: execute, read, write
Access Control Matrix
Access control lists (ACL)
An ACL stores the access rights to an object with
the object itself.
ACLs are a typical feature of secure operating
systems of the Orange Book class C2.
ACL for bill.doc: Bob: read, write
ACL for edit.exe: Alice: execute; Bob: execute
ACL for fun.com: Alice: execute, read; Bob: execute, read, write
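The matrix of the example slide, with the two storage views derived from it (a capability is a row, an ACL is a column) and a reference monitor that decides requests against it. This is an added example, not code from the lecture; the subject, object and operation names are the slide's own, and the default-deny behaviour for unknown names is an assumption.

```python
# Added example, not part of the lecture slides: the access control matrix from
# the example slide, the two equivalent ways of storing it (capabilities and
# ACLs), and a reference monitor that mediates access requests against it.
SUBJECTS = ["Alice", "Bob"]
OBJECTS = ["bill.doc", "edit.exe", "fun.com"]
ACCESS_OPS = {"read", "write", "execute"}          # the set A of the slides

# M[s][o] is the subset of A that subject s may apply to object o.
M = {
    "Alice": {"bill.doc": set(), "edit.exe": {"execute"},
              "fun.com": {"execute", "read"}},
    "Bob":   {"bill.doc": {"read", "write"}, "edit.exe": {"execute"},
              "fun.com": {"execute", "read", "write"}},
}


def capability(matrix, subject):
    """Row of the matrix: the rights kept with the subject."""
    return {o: set(r) for o, r in matrix[subject].items() if r}


def acl(matrix, obj):
    """Column of the matrix: the rights kept with the object."""
    return {s: set(row[obj]) for s, row in matrix.items() if row[obj]}


def matrix_from_acls(acls, subjects, objects):
    """Rebuild the full matrix from per-object ACLs (missing entry = no rights)."""
    return {s: {o: set(acls.get(o, {}).get(s, set())) for o in objects}
            for s in subjects}


def reference_monitor(matrix, subject, op, obj):
    """Grant the request (subject, op, obj) only if op is in M[s][o].
    Unknown subjects, objects or operations are denied (assumed default)."""
    if op not in ACCESS_OPS:
        return False
    return op in matrix.get(subject, {}).get(obj, set())


if __name__ == "__main__":
    print("Alice's capability:", capability(M, "Alice"))
    print("ACL for fun.com:", acl(M, "fun.com"))
    print("Bob write bill.doc:", reference_monitor(M, "Bob", "write", "bill.doc"))
```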
Access Control Matrix
Access control lists (ACL)
Management of access rights can be cumbersome.
Therefore users are placed in groups, and a user derives
access rights from the groups the user belongs to.
Intermediate control
Managing a security policy defined by an access
control matrix is a complex task in large systems.
There are several means of simplifying this task.
Groups and negative permissions
[Figure: subjects s1…s5 are members of groups g1 and g2, and the groups are granted access to objects o1…o6.]
Groups and negative permissions
[Figure: the same subjects, groups and objects; an x on an edge marks a negative permission, an explicit denial for an individual subject.]
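How group entries and negative entries combine in an ACL, as an added example that is not from the lecture. The group membership and ACL contents are constructed sample data in the spirit of the figure, and the rule that a negative entry overrides any grant inherited through a group is an assumed policy, not something the slides state.

```python
# Added example, not part of the lecture slides: ACL entries that name groups
# as well as individual subjects, plus negative (deny) entries like the x marks
# in the figure. Group membership and the ACLs below are constructed sample
# data; "a negative entry overrides any group grant" is an assumed policy rule.
GROUPS = {"g1": {"s1", "s2", "s3"}, "g2": {"s4", "s5"}}

# Each object's ACL is a list of (principal, right, positive) entries, where the
# principal is a subject or a group name and positive=False denies the right.
ACLS = {
    "o1": [("g1", "read", True)],
    "o2": [("g1", "read", True), ("s3", "read", False)],   # s3 denied despite g1
    "o3": [("g2", "read", True), ("s4", "write", True)],
}


def principals_of(subject):
    """The subject itself plus every group it belongs to."""
    return {subject} | {g for g, members in GROUPS.items() if subject in members}


def permitted(obj, subject, right):
    """Deny if any matching negative entry exists, else grant if any positive
    entry matches; no matching entry at all means no access."""
    ps = principals_of(subject)
    matching = [pos for p, r, pos in ACLS.get(obj, []) if p in ps and r == right]
    if False in matching:
        return False
    return True in matching


def effective_rights(obj, subject, rights=("read", "write", "execute")):
    """The rights a subject ends up with on obj after group and negative entries."""
    return {r for r in rights if permitted(obj, subject, r)}


if __name__ == "__main__":
    for s in sorted(GROUPS["g1"]):
        print(s, "on o2:", effective_rights("o2", s))
```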
Protection rings
[Figure: four concentric rings, ring 0 innermost and ring 3 outermost]
0: operating system kernel
1: operating system
2: utilities
3: user processes
Each subject (or process) is assigned a number
0,1,2,3… depending on its importance.
Protection rings
Protection rings are mainly used for integrity protection
An example is the QNX Neutrino microkernel OS *
• The Neutrino microkernel runs in ring 0
• The Neutrino process runs in ring 1
• All other programs run in ring 3
* A microkernel OS is structured as a tiny kernel that provides the minimal services
used by a team of optional cooperating processes, which in turn provide the higher
level OS functionality.
Protection rings
Unix employs a similar protection scheme but uses only two
levels.
Privileges
[Figure: subjects s1…s5 are assigned privileges pr1 and pr2, and each privilege permits a set of operations op1…op6.]
Role based access control
Privileges come predefined with the OS.
• Roles: a collection of procedures
– roles are assigned to users; a user can have many roles
• Procedures: high-level access control methods.
They can only be applied to objects of certain data types.
• Datatypes: each object has a certain datatype and
can only be accessed through procedures defined
for this datatype.
The lattice of security levels
The Mandatory Access Control (MAC) policies and the
multi-level security policies of the Orange Book refer
to security levels:
top secret
secret
confidential
unclassified
A lattice
[Figure: the subsets of {a,b,c} ordered by inclusion, with {a,b,c} at the top, then {a,b}, {b,c}, {a,c}, then {a}, {b}, {c}, and the empty set at the bottom.]
A lattice
A lattice (L, ≤) is a set L with a partial ordering ≤
such that for each pair of elements a,b of L there is
a least upper bound (lub) u in L and a greatest lower bound (glb) v in L.
An example
• Let H be a set of classifications with hierarchical
ordering ≤.
• Take a set of categories C, e.g. project names,
company divisions, etc.
• A compartment is a set of categories.
• A security label (level) is a pair (h,c), where h in H is
the security level and c ⊆ C is a compartment.
An example
• The partial ordering is defined by:
(h1,c1) ≤ (h2,c2) if and only if h1 ≤ h2 and c1 ⊆ c2
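The label ordering of the example carried through in code, as an added example that is not from the lecture: labels (h, c) over the four classifications of the slides, the partial ordering just defined, and the lub and glb that make the labels a lattice. Computing lub as (max of h, union of c) and glb as (min of h, intersection of c) is the standard construction for this product order; the category names in the checks are constructed.

```python
# Added example, not part of the lecture slides: security labels (h, c) ordered
# as on the slide, (h1,c1) <= (h2,c2) iff h1 <= h2 in H and c1 is a subset of c2,
# with lub = (max h, union of compartments) and glb = (min h, intersection).
H = ["unclassified", "confidential", "secret", "top secret"]   # lowest to highest
RANK = {h: i for i, h in enumerate(H)}


def label(h, *categories):
    """Build a label (h, c) with c a compartment, i.e. a set of categories."""
    if h not in RANK:
        raise ValueError(f"unknown classification {h!r}")
    return (h, frozenset(categories))


def dominated_by(l1, l2):
    """(h1,c1) <= (h2,c2): the partial ordering of the slide."""
    (h1, c1), (h2, c2) = l1, l2
    return RANK[h1] <= RANK[h2] and c1 <= c2


def lub(l1, l2):
    """Least upper bound: higher of the two classifications, union of compartments."""
    (h1, c1), (h2, c2) = l1, l2
    return (H[max(RANK[h1], RANK[h2])], c1 | c2)


def glb(l1, l2):
    """Greatest lower bound: lower classification, intersection of compartments."""
    (h1, c1), (h2, c2) = l1, l2
    return (H[min(RANK[h1], RANK[h2])], c1 & c2)


def is_lattice_pair(l1, l2):
    """Check the lattice property for one pair: lub is above both labels and
    glb is below both, under the ordering defined above."""
    u, v = lub(l1, l2), glb(l1, l2)
    return (dominated_by(l1, u) and dominated_by(l2, u)
            and dominated_by(v, l1) and dominated_by(v, l2))


if __name__ == "__main__":
    a, b = label("secret", "crypto"), label("confidential", "nuclear")
    print("comparable:", dominated_by(a, b) or dominated_by(b, a))
    print("lub:", lub(a, b), "glb:", glb(a, b))
```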