Authorization (Pres.)
COEN 350: Network Security
Authorization
Fundamental Mechanisms:
Access Matrix
Subjects
Objects (Subjects can be objects, too.)
Access Rights
Example:
OS
Subjects = Processes
Objects = System Resources
Access Rights: read, write, execute
Fundamental Mechanisms:
Access Matrix
Example:
DBMS
Subjects = Users
Objects = Relations
Access Rights: retrieve, update, insert, delete
Fundamental Mechanisms:
Access Matrix
Access Matrix:
Row for each object
Column for each subject
Entry is a set of access rights.
Later Security Models:
Allow for administrative operations that change the access matrix.
Example: Owner of file can give permissions to others.
Fundamental Mechanisms:
Access Matrix
Access Control Lists
ACL for each object.
Lists all the subjects and their rights.
Capabilities
Capability list for each subject.
Contains all the objects and the rights of the subject.
Fundamental Mechanisms:
Access Matrix
Authorization Relation
Database table with fields owner, access mode, object.

Subject   Access Mode   Object
Bob       Owner         File 1
Bob       Read          File 1
Bob       Write         File 1
Alice     Read          File 1
Alice     Owner         File 2
Alice     Read          File 2
Alice     Write         File 2
Bob       Read          File 2
Bob       Write         File 2
Fundamental Mechanisms:
Intermediate Controls
Access matrix too storage intensive.
Access matrices make it hard to change policies.
Mechanism 1: Groups
Ideally, all access privileges mediated through group membership.
Negative permissions implement exceptions.
Fundamental Mechanisms:
Intermediate Control
Protection Rings
Example:
Group processes and system resources into four categories
Operating System Kernel
Operating System
Utilities
User Processes
Access to an object is only granted to a subject of lower level.
Unix only has two levels.
Sometimes protection rings have hardware support.
Fundamental Mechanisms:
Security Classes
Each object has a Security class (Security Label)
Denning:
Information Control Policy consists of
Security Classes
“Can flow” relationship
Join operation
Join A B combines rights and restrictions of both.
US DoD Security Levels
Top Secret
Secret
Confidential
Unclassified
Fundamental Mechanisms
Access Control Policies
Discretionary Access Control (DAC)
Specifies authorization solely based on object and subject identity.
Flexible and simple.
Difficult to control information flow.
(Classical) Mandatory Access Control (MAC)
Each user and object has a security level.
Security level reflects trust that user will not pass information to users with lower level clearance.
Access to an object based on security level.
Fundamental Mechanisms
Access Control Policies
(Refined) Mandatory Access Control (MAC)
Security Levels and Compartments.
Example:
CRYPTO for cryptographic algorithms.
COMSEC for communication security.
Possible to have top secret clearance in CRYPTO and unclassified clearance in COMSEC.
Discretionary policies typical in low security (academic) environments.
Mandatory policies typical in high security (military) environments.
Neither policy adequate for commercial systems.
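The security classes, "can flow" relationship and join operation from the Security Classes slide, together with the levels and compartments of refined MAC, can be worked through in code. This is an added example, not from the COEN 350 slides: the level names and the CRYPTO/COMSEC compartments come from the slides, while the Label class, the function names and the labelled subject and files are constructed here.

```python
"""Denning-style lattice of security classes (levels + compartments).
Added example, not from the COEN 350 slides; level and compartment
names come from the slides, the labelled subject and files are constructed."""
from dataclasses import dataclass

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security class: a hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()


def can_flow(src: Label, dst: Label) -> bool:
    """Information may flow from src to dst iff dst dominates src: dst's
    level is at least src's and dst holds every compartment of src."""
    return RANK[src.level] <= RANK[dst.level] and src.compartments <= dst.compartments


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the class a combination of a and b must carry
    (higher level, union of compartments)."""
    higher = a.level if RANK[a.level] >= RANK[b.level] else b.level
    return Label(higher, a.compartments | b.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    """Reading moves information object -> subject (no read up)."""
    return can_flow(obj, subject)


def may_write(subject: Label, obj: Label) -> bool:
    """Writing moves information subject -> object (no write down)."""
    return can_flow(subject, obj)


# Constructed sample: clearance Top Secret in CRYPTO, no COMSEC access.
ANALYST = Label("Top Secret", frozenset({"CRYPTO"}))
TS_CRYPTO_FILE = Label("Top Secret", frozenset({"CRYPTO"}))
CONF_COMSEC_FILE = Label("Confidential", frozenset({"COMSEC"}))
UNCLASSIFIED_FILE = Label("Unclassified")

if __name__ == "__main__":
    print(may_read(ANALYST, CONF_COMSEC_FILE))     # False: COMSEC compartment missing
    print(may_write(ANALYST, UNCLASSIFIED_FILE))   # False: no write down
    print(join(TS_CRYPTO_FILE, CONF_COMSEC_FILE))  # level Top Secret, compartments CRYPTO and COMSEC
```

The `may_write` refusal is the rule the Covert Channels slide relies on: a Trojan horse running with Top Secret clearance is denied a direct write to an unclassified file, which is why it has to fall back on indirect signalling.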
Fundamental Mechanisms
Access Control Policies
Role Based Access Control (RBAC)
Regulate user's access to information based on the activities the users execute in the system.
"Role" is a set of actions and responsibilities associated with a particular working activity.
Access based on role, not identity of user.
Fundamental Mechanisms
Access Control Policies
Role Based Access Control (RBAC)
User authorization is broken into two tasks:
Granting roles to users
Granting rights to roles
Roles can be hierarchical: Engineers inherit employee rights.
User can log in with the least privilege for a set of particular tasks.
Roles make it easier to enforce separation of duties:
"No single user can subvert the system by herself/himself."
Covert Channels
A mechanism to circumvent automatic confinement within a security perimeter.
Example:
Person with TOP SECRET clearance runs (inadvertently) Trojan horse.
Trojan horse has free access to files in the compartment.
Trojan horse cannot write down to an unclassified file.
But: Trojan horse can do things that are visible from the outside and thus send contents of TOP SECRET files through a covert channel.
T.H. either runs or waits. System load will vary. Small bandwidth channel.
T.H. can or cannot use shared resources. To send a bit, T.H. fills up the printer line to send 1 bit, or empties it for a 0 bit.
UNIX Woes: SUID programs
Programs can execute the setuid system call.
Executable runs as if executed by user.
Sendmail uses setuid to implement email.
User can cause programs to run as root with input they provide.
Favorite targets of buffer overflow attacks.