ACCESS CONTROL


ACCESS CONTROL & SECURITY MODELS
Center of gravity of computer security

Fundamental Model of Access Control (figure): a subject issues an access request, the reference monitor decides whether to permit it, and only then is the object touched.
CSE2500 System Security & Privacy
Access Control
Srini & Nandita
2
Controlling Access
 Access control policy: states who is allowed to do what to (or with) whom on the system.
 Who is who?
 Subject: the active entities (processes, users, other computers) that want to "do something".
 Object: the passive entity (file, port, device) that the subject acts on.
 What the subject does with the object can be just about anything, and it may be multi-part.
 Typical manipulations include READ, MODIFY, CREATE, CHANGE, DELETE.
Access Control Policy
 Access right or privilege:
– An indication that a SUBJECT may legitimately use a specific type of ACCESS or MANIPULATION with respect to a particular OBJECT or set of OBJECTS.
 The underlying system itself determines which primitive (bottom-level) access rights are available for which user/object combinations.
Levels of Access Control
 Application
 Middleware
 Operating system
 Hardware
Operating System Access Controls
 Authenticate principals/users
– Passwords
– Kerberos
 Mediate access
– Files
– Communication ports
– System resources
Models of Security
 Need for a model
– High-assurance security systems
 What is a model supposed to do?
– Express the security policy in a formal way
– Describe the entities governed by the policy
– State the rules that decide who gets access to your data
 Scope and limitations of models
Security Models: Bell-LaPadula
– The Bell-LaPadula model is about information confidentiality; it formally represents the long tradition of attitudes to the flow of information concerning national secrets.
– Multi-level security (MLS)
Security Models: Chinese Wall
– Large consultancies can easily find there are conflicts of interest if individual consultants are given access to all information held by the consultancy.
– The Chinese Wall model describes a particular way of restricting information flow.
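The Chinese Wall rule the slide alludes to, as an added example (not from the lecture): a consultant may read a company's dataset only if they have not already read another company's dataset in the same conflict-of-interest class, and may write to a dataset only if they have read nothing belonging to any other company. The company names, conflict classes and consultant names are constructed.

```python
# Brewer-Nash "Chinese Wall" checks for a consultancy. Added example; the
# company datasets, conflict classes and consultant names are constructed.


# Each company dataset sits in exactly one conflict-of-interest class.
CONFLICT_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilCo", "PetroCorp"},
}


def conflict_class(company):
    for name, members in CONFLICT_CLASSES.items():
        if company in members:
            return name
    raise KeyError("unknown company dataset: %s" % company)


class ChineseWall:
    """Per-consultant history of datasets read; the wall is built from it."""

    def __init__(self):
        self.history = {}  # consultant -> set of company datasets accessed

    def can_read(self, consultant, company):
        # Simple security rule: allowed if the consultant has read this
        # dataset before, or has read nothing else in its conflict class.
        cls = conflict_class(company)
        for prior in self.history.get(consultant, set()):
            if prior != company and conflict_class(prior) == cls:
                return False
        return True

    def can_write(self, consultant, company):
        # *-property: write only if the target is readable and the
        # consultant has read no other company's data at all, so nothing
        # can be copied from one dataset into another via a shared file.
        if not self.can_read(consultant, company):
            return False
        return all(prior == company for prior in self.history.get(consultant, set()))

    def read(self, consultant, company):
        """Mediate a read; on success the access becomes part of history."""
        if not self.can_read(consultant, company):
            return False
        self.history.setdefault(consultant, set()).add(company)
        return True


def demo():
    wall = ChineseWall()
    return [
        wall.read("alice", "BankA"),        # True: nothing seen yet
        wall.read("alice", "OilCo"),        # True: different conflict class
        wall.read("alice", "BankB"),        # False: the wall, BankA already read
        wall.read("alice", "BankA"),        # True: same dataset again
        wall.read("bob", "BankB"),          # True: bob's history is separate
        wall.can_write("alice", "BankA"),   # False: alice has also read OilCo
    ]


if __name__ == "__main__":
    print(demo())
```

The wall is dynamic: which side of it a consultant stands on is decided by their first access in each conflict class, which is why the history must be kept and must be tamper-proof.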
Security Models: Biba
 We need models – continued
 Based on Cold War experience, information integrity is also important, and the Biba model, complementary to Bell-LaPadula, is based on the flow of information where preserving integrity is critical.
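The Bell-LaPadula and Biba rules side by side, as an added example rather than lecture code: both sit on a lattice of labels (a totally ordered level plus a set of categories), and Biba's two rules are exactly the duals of Bell-LaPadula's. The level names, categories and the example labels are constructed.

```python
# Bell-LaPadula and Biba rule checks over a lattice of labels. Added
# example, not from the slides; the level names, categories and the
# subject/object labels are constructed for illustration.

from dataclasses import dataclass

# Confidentiality classifications (BLP) and integrity levels (Biba) are
# each a total order; categories ("compartments") turn it into a lattice.
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = range(4)
LOW, MEDIUM, HIGH = range(3)


@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: self >= other iff the level is at least as high and
        the category set is a superset. Two labels may be incomparable."""
        return self.level >= other.level and self.categories >= other.categories


# Bell-LaPadula: labels are clearances (subjects) and classifications (objects)
def blp_can_read(subject, obj):
    return subject.dominates(obj)          # simple security property: no read up


def blp_can_write(subject, obj):
    return obj.dominates(subject)          # *-property: no write down


# Biba: labels are integrity levels; the rules are the duals of BLP's
def biba_can_read(subject, obj):
    return obj.dominates(subject)          # simple integrity: no read down


def biba_can_write(subject, obj):
    return subject.dominates(obj)          # integrity *-property: no write up


def allowed(op, subject, obj):
    """A system enforcing both models at once: subject and obj are
    (confidentiality_label, integrity_label) pairs and both must agree."""
    sc, si = subject
    oc, oi = obj
    if op == "read":
        return blp_can_read(sc, oc) and biba_can_read(si, oi)
    if op == "write":
        return blp_can_write(sc, oc) and biba_can_write(si, oi)
    raise ValueError("unknown operation: %s" % op)


if __name__ == "__main__":
    analyst = (Label(SECRET, frozenset({"nato"})), Label(HIGH))
    report = (Label(CONFIDENTIAL), Label(LOW))   # low integrity, e.g. fetched from the web
    print(allowed("read", analyst, report))      # BLP allows the read, Biba refuses it
```

Note the incomparable case: a SECRET subject in compartment nato can neither read nor write a SECRET object in compartment crypto, which is what makes the categories a lattice rather than a ladder.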
Security Models: Clark-Wilson
 In the commercial sphere, the need is to engage in well-formed transactions which can only be undertaken by authorised personnel, and the Clark-Wilson model is an attempt to formally model a policy based on well-formed transactions.
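Clark-Wilson's enforcement rules in code, as an added example (not from the slides): constrained data items (CDIs) may only be changed by certified transformation procedures (TPs), only by a user authorised for that (user, TP, CDI) triple, with separation of duty between conflicting TPs and an integrity verification procedure (IVP) that detects changes made outside any TP. The ledger, TPs, users and certification tables are constructed.

```python
# Clark-Wilson enforcement for a small bookkeeping system. Added example,
# not from the slides; the ledger, transformation procedures (TPs), users
# and certification tables are constructed.


# --- Transformation procedures: the only sanctioned way to change a CDI --
def post_invoice(ledger, amount):
    # Well-formed: the entry list and the running total change together.
    ledger["entries"].append(amount)
    ledger["total"] += amount


def approve_payment(payments, amount):
    payments["approved"].append(amount)


TPS = {"post_invoice": post_invoice, "approve_payment": approve_payment}

# E1: which CDIs each TP has been certified to operate on
CERTIFIED = {
    "post_invoice": {"ledger"},
    "approve_payment": {"payments"},
}
# E2: (user, TP) -> CDIs that user is authorised to apply the TP to
ALLOWED = {
    ("alice", "post_invoice"): {"ledger"},
    ("bob", "approve_payment"): {"payments"},
    ("carol", "post_invoice"): {"ledger"},
    ("carol", "approve_payment"): {"payments"},
}
# Separation of duty: whoever has posted an invoice may not approve payments
SEPARATED = {("post_invoice", "approve_payment")}


class ClarkWilson:
    def __init__(self):
        self.cdi = {"ledger": {"entries": [], "total": 0},
                    "payments": {"approved": []}}
        self.log = []   # append-only audit trail of (user, tp, cdi)

    def ivp(self):
        """Integrity verification procedure: is the ledger in a valid state?"""
        ledger = self.cdi["ledger"]
        return ledger["total"] == sum(ledger["entries"])

    def authorised(self, user, tp, cdi):
        if cdi not in CERTIFIED.get(tp, set()):
            return False                        # E1: TP not certified for this CDI
        if cdi not in ALLOWED.get((user, tp), set()):
            return False                        # E2: user not authorised for the triple
        for first, second in SEPARATED:        # E3: separation of duty
            if tp == second and any(u == user and t == first for u, t, _ in self.log):
                return False
        return True

    def run(self, user, tp, cdi, *args):
        """Reference monitor for CDIs: a TP runs only via an authorised
        triple, and every run is logged."""
        if not self.authorised(user, tp, cdi):
            return False
        TPS[tp](self.cdi[cdi], *args)
        self.log.append((user, tp, cdi))
        return True


if __name__ == "__main__":
    cw = ClarkWilson()
    print(cw.run("alice", "post_invoice", "ledger", 100), cw.ivp())
    cw.cdi["ledger"]["total"] = 999     # tampering outside any TP
    print(cw.ivp())                     # False: the IVP catches it
```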
Possible Access Control Mechanisms
 Control matrix
 Control lists
 Groups and roles
 Extension to distributed (+file) systems
Access Control Matrix

Subject   Operating system   Accounts program   Accounting data   Audit trail
Sam       rwx                rwx                rw                r
Alice     x                  x                  rw                -
Bob       rx                 r                  r                 r
Example Access Control Matrix for Bookkeeping

Subject            Operating system   Accounts program   Accounting data   Audit trail
Sam                rwx                rwx                r                 r
Alice              rx                 x                  -                 -
Accounts program   rx                 r                  rw                w
Bob                rx                 r                  r                 r
Srini              rx                 r                  r                 r
Access Control Matrices
 Two- or three-dimensional matrices are used both to implement protection mechanisms and to model them
 Do not scale well
– A bank with 50,000 staff & 300 objects → 15 million entries
– Update and performance problems
– Prone to administrators' mistakes
 A more compact way is required
Groups and Roles
 A group is a list of users/principals (a category)
 A role is a fixed set of access permissions that one or more principals may assume
 "Manager" is a group (a rank), whereas the role of acting manager can be taken up by an assistant accountant standing in while the manager, deputy manager and accountant are all sick
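The group/role distinction above, as an added example (not from the slides): group membership is a static list, whereas a role is something a principal activates, and the acting-manager role can only be activated by the stand-in when the people it covers for are all absent. The names, permissions and the stand-in rule are constructed.

```python
# Groups versus roles, as an added example (not from the slides). A group
# is a list of principals; a role is a bundle of permissions a principal
# activates, possibly only under a condition such as standing in for absent
# colleagues. Names, permissions and the stand-in rule are constructed.

GROUPS = {
    "managers": {"maria", "dev"},           # maria: manager, dev: deputy manager
    "accountants": {"sam", "dan"},          # sam: accountant, dan: assistant accountant
}

ROLE_PERMS = {                              # role -> set of (object, operation)
    "manager": {("payroll", "approve"), ("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
}

ROLE_MEMBERS = {                            # who may normally assume a role
    "manager": {"maria", "dev"},
    "accountant": {"sam", "dan"},
}

# Stand-in rule: (principal, set of people who must all be absent)
STANDIN = {
    "manager": ("dan", frozenset({"maria", "dev", "sam"})),
}


class Rbac:
    def __init__(self, absent=()):
        self.absent = set(absent)           # principals currently unavailable
        self.active = {}                    # principal -> set of activated roles

    def in_group(self, principal, group):
        return principal in GROUPS.get(group, set())

    def may_assume(self, principal, role):
        if principal in ROLE_MEMBERS.get(role, set()):
            return True
        rule = STANDIN.get(role)
        return (rule is not None and rule[0] == principal
                and rule[1] <= self.absent)

    def activate(self, principal, role):
        """Roles are assumed explicitly; activation is what grants permissions."""
        if not self.may_assume(principal, role):
            return False
        self.active.setdefault(principal, set()).add(role)
        return True

    def deactivate(self, principal, role):
        self.active.get(principal, set()).discard(role)

    def permitted(self, principal, obj, op):
        """Reference-monitor check: some active role carries (obj, op)."""
        return any((obj, op) in ROLE_PERMS[r]
                   for r in self.active.get(principal, ()))


if __name__ == "__main__":
    crisis = Rbac(absent={"maria", "dev", "sam"})
    print(crisis.activate("dan", "manager"),           # True: everyone he covers for is out
          crisis.permitted("dan", "payroll", "approve"))
```

Because permissions hang off the activated role rather than the person, revoking the stand-in arrangement is a single `deactivate` call and nothing in the permission tables has to change.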
Let us look at the example once again

Subject            Operating system   Accounts program   Accounting data   Audit trail
Sam                rwx                rwx                r                 r
Alice              rx                 x                  -                 -
Accounts program   rx                 r                  rw                w
Bob                rx                 r                  r                 r
Srini              rx                 r                  r                 r
ACLs per subject (capability lists)

Each row of the matrix, stored with the subject:
Sam                OS: rwx   A/C Prgm: rwx   A/C Data: r    Audit trail: r
Alice              OS: rx    A/C Prgm: x     A/C Data: -    Audit trail: -
Accounts program   OS: rx    A/C Prgm: r     A/C Data: rw   Audit trail: w
Bob                OS: rx    A/C Prgm: r     A/C Data: r    Audit trail: r
Srini              OS: rx    A/C Prgm: r     A/C Data: r    Audit trail: r
Access Control Lists

One column of the matrix, stored with the object (here, Accounting Data):
User    Rights
Sam     rw
Alice   rw
Bob     r
Srini   r
Access Control Lists/Capabilities
 How do you modify the entries in the lists?
– add a new entry
– delete an existing entry
– modify the access right to an object?
Access Control Triples
 Subject
 Object
 Access → r, w, x, ?
Capabilities
 While ACLs are kept by the O/S, capabilities are kept by the subject.
 A capability gives the possessor of the token certain rights to an object.
 Capabilities do not require authentication of subjects, but do require that the token be unforgeable (encrypted, or held in storage the subject cannot write) and that the propagation of capabilities be controlled.
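The bookkeeping matrix from the earlier slides, decomposed both ways, as an added example (not lecture code): by column into the per-object ACLs the OS would keep, by row into per-subject capability lists, plus the add/delete/modify operations on an ACL, the reference-monitor check, and the "which objects can this user reach?" query that is awkward with ACLs. The object keys (os, acct_prog, acct_data, audit) are abbreviations chosen here.

```python
# The bookkeeping access-control matrix, decomposed into ACLs (by object)
# and capability lists (by subject), with a reference-monitor check and the
# maintenance operations. Added example, not lecture code; the object keys
# (os, acct_prog, acct_data, audit) are abbreviations chosen here.

MATRIX = {
    # subject -> {object: rights}; "" means no access
    "Sam":              {"os": "rwx", "acct_prog": "rwx", "acct_data": "r",  "audit": "r"},
    "Alice":            {"os": "rx",  "acct_prog": "x",   "acct_data": "",   "audit": ""},
    "Accounts program": {"os": "rx",  "acct_prog": "r",   "acct_data": "rw", "audit": "w"},
    "Bob":              {"os": "rx",  "acct_prog": "r",   "acct_data": "r",  "audit": "r"},
    "Srini":            {"os": "rx",  "acct_prog": "r",   "acct_data": "r",  "audit": "r"},
}


def triples(matrix):
    """Flatten the matrix into (subject, object, right) access triples."""
    return {(s, o, r) for s, objs in matrix.items()
            for o, rights in objs.items() for r in rights}


def acls(matrix):
    """Column view: object -> {subject: rights}, stored with the object."""
    out = {}
    for s, objs in matrix.items():
        for o, rights in objs.items():
            if rights:
                out.setdefault(o, {})[s] = rights
    return out


def capabilities(matrix):
    """Row view: subject -> {object: rights}, carried by the subject."""
    return {s: {o: r for o, r in objs.items() if r} for s, objs in matrix.items()}


def check(acl_table, subject, obj, right):
    """Reference monitor: every access request is decided here."""
    return right in acl_table.get(obj, {}).get(subject, "")


# Maintenance: add a new entry, modify an existing one, delete an entry.
def grant(acl_table, obj, subject, right):
    entries = acl_table.setdefault(obj, {})
    if right not in entries.get(subject, ""):
        entries[subject] = entries.get(subject, "") + right


def revoke(acl_table, obj, subject, right):
    entries = acl_table.get(obj, {})
    remaining = entries.get(subject, "").replace(right, "")
    if remaining:
        entries[subject] = remaining
    else:
        entries.pop(subject, None)


def objects_accessible_by(acl_table, subject):
    """The query ACLs make tedious: every object's ACL must be scanned."""
    return {o for o, entries in acl_table.items() if subject in entries}


if __name__ == "__main__":
    table = acls(MATRIX)
    print(check(table, "Accounts program", "audit", "w"))   # True
    print(check(table, "Alice", "acct_data", "r"))          # False
    print(objects_accessible_by(table, "Alice"))            # {'os', 'acct_prog'}
```

Note how the two views make different operations cheap: with ACLs, "who can touch this object?" is one lookup but "what can Alice reach?" is a scan of every ACL; with capability lists it is the other way round, and revoking one subject's rights to an object means finding and invalidating every copy of the token.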
Access Control Lists (cont.)
 Users manage their own file security (e.g. Unix)
 Data-oriented protection, suited to a centrally set access control policy
 The OS checks the ACL at each file access
 Security checking at runtime is not efficient, though simple to implement
 Tedious to find all files to which a user has access, or to perform system-wide checks
Let us look at an example of ACL implementations
 UNIX
 NT
Unix Operating System Security
 Superuser account on Unix is root
– UID (user identifier) equal to ‘0’
 The superuser can effectively do anything
within the system
 Superuser password is the most valuable
password in the system
 Don’t share the superuser password outside
the administrative group.
Basic file security

-rw-rw-r--   1 root  sys   1344 Jul  2 22:57 /etc/vfstab

The ten-character mode field, from the left: the file type, then three rwx triads:
-rwxrwxrwx   Owner permissions (characters 2-4)
-rwxrwxrwx   Group permissions (characters 5-7)
-rwxrwxrwx   Other permissions (characters 8-10)
Basic file security
 Important system files must have appropriate file permissions, e.g.:

-r--r--r--    1 root  other  /etc/passwd
-r--------    1 root  sys    /etc/shadow
-rw-r--r--    1 root  sys    /etc/profile
drwxr-xr-x   18 root  sys    /usr

 A finer granularity of file permissions can be achieved with access control lists (ACLs), e.g. AIX, HP-UX.
Unix Operating System Security (cont.)
 A common defence against root compromise by hackers is to send the system log to a printer in a locked room or to another machine/server (e.g. Berkeley Unix, FreeBSD), so that an intruder who gains root cannot quietly erase the evidence
 Unix ACLs carry only names of users (and groups), not of programs
 Indirect method => the suid and sgid file attributes
SUID and SGID Security
 The owner of a program can mark it suid: whoever runs it then executes it with the owner's access-control attributes (effective UID), not their own
 sgid does the same for the group
 What is the security issue here?
SUID and SGID Security (cont.)
 SUID root programs are particularly vulnerable to attack.
 If it is possible to subvert the program in some way, then root access can be gained.
 A very well known method of such subversion is the buffer overflow.
 A buffer overflow vulnerability results from bad coding practices on the part of the original programmer of the SUID root program!
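The mode-string rules from the basic file security slides and the suid/sgid bits, as an added example (not from the lecture): parse an ls -l style listing, decide access the way Unix does (exactly one triad applies), and audit for setuid-root files, flagging any that are also world-writable. The listing is constructed, including the setuid and setgid lines; it does not describe a real system.

```python
# Unix mode-string checks and a setuid audit over an ls -l style listing.
# Added example, not from the slides; the listing below is constructed
# (the setuid/setgid lines in particular do not describe a real system).

import re
from collections import namedtuple

Entry = namedtuple("Entry", "mode links owner group path")

LISTING = """\
-r--r--r--    1 root  other  /etc/passwd
-r--------    1 root  sys    /etc/shadow
-rw-r--r--    1 root  sys    /etc/profile
drwxr-xr-x   18 root  sys    /usr
-rw----r--    1 root  sys    /etc/group-locked
-rwsr-xr-x    1 root  bin    /usr/bin/passwd
-rwxr-sr-x    1 root  mail   /usr/bin/mailq
-rwsrwxrwx    1 root  sys    /tmp/helper
"""

LINE = re.compile(r"^([-dlbcps][rwxsStT-]{9})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(listing):
    """Parse the mode, link count, owner, group and path columns."""
    entries = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            mode, links, owner, group, path = m.groups()
            entries.append(Entry(mode, int(links), owner, group, path))
    return entries


def by_path(entries):
    return {e.path: e for e in entries}


def triad(mode, who):
    """Return the rwx triad for 'owner', 'group' or 'other', folding the
    s/S/t/T forms of the execute position back to x or -."""
    start = {"owner": 1, "group": 4, "other": 7}[who]
    t = mode[start:start + 3]
    return t[:2] + ("x" if t[2] in "xst" else "-")


def permits(entry, user, groups, op):
    """Classic Unix decision: exactly one triad applies. The owner triad if
    the user owns the file, else the group triad if one of the user's groups
    matches, else the other triad. A restrictive group triad therefore denies
    a group member even where 'other' would allow."""
    if user == "root":            # root bypasses r/w; exec still needs some x bit
        return op != "x" or any(c in "xst" for c in entry.mode[1:])
    if entry.owner == user:
        who = "owner"
    elif entry.group in groups:
        who = "group"
    else:
        who = "other"
    return op in triad(entry.mode, who)


def is_setuid(entry):
    return entry.mode[3] in "sS"


def is_setgid(entry):
    return entry.mode[6] in "sS"


def setuid_root_findings(entries):
    """Audit: setuid-root files, flagging any that are also world-writable,
    since then anyone can replace the code that will run as root."""
    findings = []
    for e in entries:
        if is_setuid(e) and e.owner == "root":
            status = "world-writable" if "w" in triad(e.mode, "other") else "ok"
            findings.append((e.path, status))
    return findings


if __name__ == "__main__":
    files = by_path(parse(LISTING))
    print(permits(files["/etc/shadow"], "alice", {"sys"}, "r"))   # False
    print(setuid_root_findings(parse(LISTING)))
```

The /etc/group-locked line shows the single-triad rule in action: a member of group sys gets nothing, although everyone else can read the file, which is the standard way to lock one group out of an otherwise readable file. The audit is the file-system half of the SUID question on the slides; whether a setuid-root program is subvertible once it runs is a property of its code, not its mode bits.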