Transcript AccessControl

CSC 382: Computer Security
Access Control
CSC 382: Computer Security
Slide #1
Access Control
• What is Access Control?
• Access Control Matrix Model
– Protection State Transitions
– Special Rights
– Principle of Attenuation of Privilege
• Groups and Roles
• Implementation of the Access Control Matrix
– Access Control Lists: by column (object).
– Capabilities: by row (subject).
– UNIX, Windows NT, and SQL ACLs.
• Hardware Protection
CSC 382: Computer Security
Slide #2
What is Access Control?
“Its function is to control which principals
(persons, processes, machines, …) have
access to which resources in the system—
which files they can read, which programs
they can execute, how they share data with
other principals, and so on.”
– Ross Anderson, Security Engineering
CSC 382: Computer Security
Slide #3
Why study Access Control?
• Center of gravity of computer security
–
–
–
–
Why do we authenticate users?
What security features do OSes provide?
What’s the purpose of cryptography?
Access Control is pervasive.
• Access Control is where Computer Science
meets Security Engineering.
– We’ll start with theory (computer science)
– Then examine implementations (engineering)
CSC 382: Computer Security
Slide #4
Access Control is Pervasive
Application
Middleware
Operating System
Hardware
CSC 382: Computer Security
Slide #5
Access Control is Pervasive
1. Application
•
•
Complex, custom security policy.
Ex: Amazon account: wish list, reviews, CC
2. Middleware
•
•
Database, system libraries, 3rd party software
Ex: Credit card authorization center
3. Operating System
•
File ACLs, IPC
4. Hardware
•
Memory management, hardware device access.
CSC 382: Computer Security
Slide #6
Access Control Matrix
• Precisely describes protection state of system.
P
Q
• Sets of system states:
– P: Set of all possible states.
– Q: Set of allowed states, according to security policy.
– P-Q: Set of disallowed states.
• ACM describes the set of states Q.
CSC 382: Computer Security
Slide #7
Access Control Matrix
• As system changes, state changes.
– State transitions.
– Only concerned with protection state.
• ACM must be enforced by a mechanism that
limits state transitions to those that go from
one element of Q to another.
CSC 382: Computer Security
Slide #8
ACM Description
objects (entities)
subjects
o1 … om s1 … sn
s1
s2
• Objects O = { o1,…,om }
– All protected entities.
• Subjects S = { s1,…,sn }
– Active entities, S  O
• Rights R = { r1,…,rk }
…
• Entries A[si, oj]  R
• A[si, oj] = { rx, …, ry }
means subject si has rights
rx, …, ry over object oj
sn
CSC 382: Computer Security
Slide #9
Example: File/Process
• Processes p, q
• Files f, g
• Rights r, w, x, a, o
p
q
f
rwo
a
g
r
ro
CSC 382: Computer Security
p
rwxo
r
q
w
rwxo
Slide #10
Example: Concurrency Control
• Procedures inc_ctr, dec_ctr, manage
• Variable counter
• Rights +, –, call
inc_ctr
dec_ctr
manage
counter inc_ctr
+
–
call
CSC 382: Computer Security
dec_ctr
manage
call
call
Slide #11
Copy Right
• Allows possessor to give rights to another
• Often attached to a right, so only applies to
that right
– r is read right that cannot be copied
– rc is read right that can be copied
• Is copy flag copied when giving r rights?
– Depends on model, instantiation of model
CSC 382: Computer Security
Slide #12
Own Right
Usually allows possessor to change entries
in ACM column
– So owner of object can add, delete rights for
others
– May depend on what system allows
• Can’t give rights to specific (set of) users
• Can’t pass copy flag to specific (set of) users
CSC 382: Computer Security
Slide #13
Attenuation of Privilege
Principle: Subject may not give rights it
does not possess to another.
– Restricts addition of rights within a system
– Usually ignored for owner
• Why? Owner gives herself rights, gives them to
others, deletes her rights.
CSC 382: Computer Security
Slide #14
How can we implement the ACM?
• Problem: scale
– Thousands of subjects.
– Millions of objects.
– Yet most entries are blank or default.
• Solutions
– Group subjects together as a single entities
• Groups and Roles
– Implement by row: Capabilities
– Implement by column: Access Control Lists
CSC 382: Computer Security
Slide #15
Groups and Roles
• Collect subjects together to express:
– Need to share objects.
– Security categories (e.g., admin, faculty,
student, guest)
• role: group that ties membership to function
• Problem: loss of granularity.
CSC 382: Computer Security
Slide #16
Groups and Roles
• Implementing groups:
– static: groups are aliases for sets of subjects.
– dynamic: user belongs to one group at a time;
changes group to switch sets of rights.
CSC 382: Computer Security
Slide #17
Capabilities
• Implement ACM by row.
• Access Control associated with subject.
• Example: UNIX file descriptors
– System checks ACL on file open, returns fd.
– Process subsequently uses fd to read and write file.
– If ACL changes, process still has access via fd.
User
ls
homedir
rootdir
james
rx
rw
r
CSC 382: Computer Security
Slide #18
Capability Questions
• How to prevent user from modifying
capabilities?
• How to prevent user from copying
capabilities?
• How to revoke rights to an object?
CSC 382: Computer Security
Slide #19
How to prevent user from modifying?
• Memory protection
– Capabilities are readable, but not writable.
• Indirection
– Capability is pointer to per-process table whose
access control prevents user from touching.
• Cryptography
– Cryptographically secure checksum associated
with capability and checked before usage.
CSC 382: Computer Security
Slide #20
How to prevent user from copying?
• Copying capabilities allows users to grant
rights to others.
• Solution:
– Use indirection or cryptographic techniques
from prev slide to prevent direct access.
– Add copy flag to capability, as a specific right
given to copy capabilities in order to give rights
to other users.
CSC 382: Computer Security
Slide #21
How to revoke rights to an object?
• Direct solution
– Check capabilities of every process.
– Remove those that grant access to object.
– Computationally expensive.
• Alternative solution
– Create a global object table.
– Capabilities reference objects indirectly via
their entries in the global object table.
– Invalidate entry in global object table to revoke.
CSC 382: Computer Security
Slide #22
Access Control Lists (ACLs)
• Implement ACM by column.
• Access control by object.
• Example: UNIX ACLs
– Short “rwx” user/group/other.
– Long POSIX ACLs.
CSC 382: Computer Security
User
audit data
root
rw
james r
joe
Slide #23
Ethics Discussion
A student discovers a flaw in a university
computing system. To verify the existence of the
flaw, the student exploits the flaw to gain
additional privileges. These privileges allow the
student to read any file on the system, including
private files of other students and professors.
1. Did the student act ethically in exploiting the flaw?
2. Since the security mechanisms were insufficient to
stop the student, was the action a violation of security
or not?
3. When the student reports the problem, the university
files charges against the student. Did the university
act ethically?
CSC 382: Computer Security
Slide #24
ACL Questions
• Which subjects can modify an object’s
ACL?
• Do ACLs apply to privileged users?
• Do ACLs support groups and wildcards?
• How are ACL conflicts resolved?
• What are default permissions?
• How can a subject’s rights be revoked?
CSC 382: Computer Security
Slide #25
Which subjects can modify an ACL?
• Create an own right for an ACL.
– Only subjects with own right can modify ACL.
• Creating an object also creates object’s ACL.
– Usually creator given own right at this time.
– Other default rights may be set at creation too.
• Some systems allow anyone with access to
object to modify ACL.
– What are the security implications of sharing
access to a file on such a system?
CSC 382: Computer Security
Slide #26
Do ACLs apply to privileged users?
• Many systems have privileged users.
– UNIX: root.
– Windows NT: administrator.
• Should ACLs apply to privileged users?
– Need read access to all objects for backups.
– What security problems are produced by
ignoring ACLs for privileged users?
CSC 382: Computer Security
Slide #27
Do ACLs support groups and *?
• Easier to use ACLs when they support:
– Groups
– Wildcards
CSC 382: Computer Security
Slide #28
How are ACL conflicts resolved?
• What happens when multiple ACL entries
give different permissions to same subject?
– First entry wins.
– Last entry wins.
– Deny wins over allow.
CSC 382: Computer Security
Slide #29
What are the default permissions?
• Interaction of ACLs with base permissions.
– POSIX ACLs modify UNIX base permissions.
• How are default ACLs determined?
– Subject
• Subject sets default permissions, like UNIX umask.
– Inheritance
• Objects in hierarchical system inherit ACLs of
parent object.
• Subjects inherit sets of default permissions from
their parent subjects.
CSC 382: Computer Security
Slide #30
How are rights revoked?
• Removal of subject’s rights to object.
– Delete entries for subject from ACL.
– If ownership doesn’t control granting rights,
matters can be complex:
• If A has granted rights to B, what should happen to
B’s rights if you remove A’s rights?
• Removal of subject’s rights to all objects.
– Very expensive (millions of objects.)
– Most systems don’t support.
– Why isn’t disabling subject’s account sufficient?
CSC 382: Computer Security
Slide #31
ACLs vs Capabilities
ACLs
Capabilities
• Slow: OS has to read
• Fast: OS always knows
ACL foreach object
subject identity.
accessed.
• Easy to find/change
• Easy to find/change
rights on a particular
rights on a particular
subject.
object.
• Difficult to revoke
• Difficult to revoke
privileges to a subject
privileges for a specific
object.
subject.
CSC 382: Computer Security
Slide #32
UNIX Access Control Model
• UID
– integer user ID
– UID=0 is root
• GID
– integer group ID
– Users can belong to multiple groups
• Objects have both a user + group owner
CSC 382: Computer Security
Slide #33
UNIX Access Control Model
• OS checks EUID + EGID on object access
• Usually: EUID=UID, EGID=GID
• setuid/setgid programs run with different
EUID/EGID, allowing you privileged
access
– ex: crontab, login, lp, passwd, su
– Target for attackers wanting elevated privilege
CSC 382: Computer Security
Slide #34
UNIX File Permissions
• Three sets of permissions:
– User owner
– Group owner
– Other (everyone else)
• Three permissions per group
– read
– write
– Execute
• UID 0 can access regardless of permissions
• Files: directories, devices (disks, printers), IPC
CSC 382: Computer Security
Slide #35
UNIX File Permissions
• Best-match policy
– OS applies permission set that most closely
matches.
– You can be denied access by best match even if
you match another set.
• Directories
– read = listing of directory
– execute = traversal of directory
– write = add or remove files from directory
CSC 382: Computer Security
Slide #36
Special File Permissions
• Each object has set of special permission bits
– sticky
• On a directory, means users can only delete files that
they own
– setuid
• Execute program with EUID = owner’s UID
– setgid
• Execute program with EGID = owner’s GID
• On directories, causes default group owner to be that
of directory owner’s GID.
CSC 382: Computer Security
Slide #37
Changing Permissions: chmod
• Permission set
specifiers
– u = user
– g = group
– o = other
# remove other access
chmod
o-rwx *.c
# add group r/w access
chmod g+rw *.c
• Permissions
– r = read
– w = write
– x = execute
CSC 382: Computer Security
# allow only you access
chmod u=rwx *
Slide #38
Octal Permission Notation
• Each permissionset
(u,g,o) is octal digit
• Each permission (r,w,x) 4
is one bit
2
• ex: chmod 0644 file
1
– u: rw, g: r, o: r
read
setuid
write
setgid
execute sticky
• ex: chmod 0711 bin
– u: rwx, g: x, o: x
CSC 382: Computer Security
Slide #39
Changing Ownership
• newgrp
– Group owner of files is your default group.
– Changes default group to another group to
which you belong.
• chgrp
– Changes group owner of existing file.
• chmod
– Changes owner of existing file.
– Only root can use this command.
CSC 382: Computer Security
Slide #40
Default Permissions: umask
• Determines access permissions given to
newly created files
• Three-digit octal number
–
–
–
–
Programs default to 0666
Umask modifies to: 0666 & ~umask
ex: umask=022 => file has mode 0644
ex: umask=066 => file has mode 0600
CSC 382: Computer Security
Slide #41
setuid/setgid
• Solution to UNIX ACLs inability to directly
handle (user, program, file) triplets.
• Process runs with EUID/EGID of file, not
of user who spawned the process.
• Follow principle of least privilege
– create special user/groups for most purposes
• Follow principle of separation of privilege
– keep setuid functions/programs small
– drop privileges when unnecessary
CSC 382: Computer Security
Slide #42
ACL Programming: fchmod
#include <sys/types.h>
#include <sys/stat.h>
/* example: BSS, pp. 195-196 */
int set_perms_to_0600(FILE *f) {
int fd = fileno(f);
if( fchmod(fd, S_IRUSR | S_IWUSR) ) {
perror(“set_perms_to_0600”);
return -1;
}
return 0;
}
CSC 382: Computer Security
Slide #43
ACL Programming: umask
• Ensure that no one else can read files
created by process:
#include <sys/types.h>
#include <sys/stat.h>
mode_t set_safe_umask() {
mode_t old_umask = umask(066);
return old_umask;
}
CSC 382: Computer Security
Slide #44
Limitations of Classic ACLs
• ACL control list only contains 3 entries
– Limited to one user.
– Limited to one group.
• Root (UID 0) can do anything.
CSC 382: Computer Security
Slide #45
POSIX Extended ACLs
• Supported by most UNIX/Linux systems.
– Slight syntax differences may exist.
• getfacl
• setfacl
– chmod 600 file
– setfacl -m user:gdoor:r-- file
– File unreadable by other, but ACL allows gdoor
CSC 382: Computer Security
Slide #46
Immutable Files
• Immutable Files on Linux
– chattr +i
– Cannot delete, rename, write to, link to
– Applies to root too
– Only root can remove immutable flag
• Immutable Files on FreeBSD
– chflags +noschg
– Cannot be removed by root in securelevel >0
CSC 382: Computer Security
Slide #47
Host-based Access Control
• /etc/hosts.allow and /etc/hosts.deny
• used by tcpd, sshd, other servers
• Identify subjects by
– hostname
– IP address
– network address/mask
• Allow before Deny
– use last rule in /etc/hosts.deny to deny all
CSC 382: Computer Security
Slide #48
Windows NT Access Control
• Security IDs (SIDs)
– users
– groups
– hosts
• Token: user SID + group SIDs for a subject
• ACLs on
– files and directories
– registry keys
– many other objects: printers, IPC, etc.
CSC 382: Computer Security
Slide #49
Standard NT Permissions
• Read: read file or contents of a directory
• Write: create or write files and directories
• Read & Execute: read file and directory attributes,
view directory contents, and read files within
directory.
• List Folder Contents: RX, but not inherited by
files within a folder.
• Modify: delete, write, read, and execute.
• Full Control: all, including taking ownership and
changing permissions
CSC 382: Computer Security
Slide #50
Windows NT Conflict Resolution
1. If user not present in ACL and not a
member of any group in ACL, access is
denied.
2. If ACL explicitly denies user access,
access is denied.
3. Otherwise, if user named in ACL, user has
union of set of rights from each ACL entry
in which user is named.
CSC 382: Computer Security
Slide #51
Special NT Permissions
•
•
•
•
•
•
•
•
•
•
•
•
•
Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Create Files/Write Data
Create Folders/Append Data
Write Attributes
Write Extended Attributes
Delete Subfolders and Files
Delete
Read Permissions
Change Permissions
Take Ownership
CSC 382: Computer Security
Slide #52
SQL Access Control
• Subjects
– Users.
– Roles.
create role faculty
grant faculty to james
• Objects
– Databases, tables, table columns.
• Rights
– Select, insert, update, delete, references, grant.
CSC 382: Computer Security
Slide #53
SQL Access Control
• The grant command gives access to a user
grant select on students to james
or a role:
grant select, insert, update on grades
to faculty
and includes power to grant options:
grant insert on students to registrar
with grant option
• The revoke command removes access
remove insert on grades from faculty
CSC 382: Computer Security
Slide #54
Hardware Protection
• Confidentiality
– Processes cannot read memory space of kernel
or of other processes without permission.
• Integrity
– Processes cannot write to memory space of
kernel or of other processes without permission.
• Availability
– One process cannot deny access to CPU or other
resources to kernel or other processes.
CSC 382: Computer Security
Slide #55
Hardware Mechanisms: VM
• Each process has its own address space.
– Prevents processes from accessing memory of
kernel or other processes.
• Attempted violations produce page fault exceptions.
– Implemented using a page table.
– Page table entries contain access control info.
•
•
•
•
Read
Write
Execute (not separate on Intel CPUs)
Supervisor (only accessible in supervisor mode)
CSC 382: Computer Security
Slide #56
VM Address Translation
CSC 382: Computer Security
Slide #57
Hardware Mechanisms: Rings
• Protection Rings.
– Lower number rings have more rights.
– Intel CPUs have 4 rings
• Ring 0 is supervisor mode.
• Ring 3 is user mode.
• Most OSes do not use other rings.
– Multics used 64 protection rings.
• Different parts of OS ran in different rings.
• Procedures of same program could have different
access rights.
CSC 382: Computer Security
Slide #58
Hardware Mechanisms: Privileged
Instructions
• Only can be used in supervisor mode.
• Setting address space
– MOV CR3
• Enable/disable interrupts
– CLI, STI
• Reading/writing to hardware
– IN, OUT
• Switch from user to supervisor mode on
interrupt.
CSC 382: Computer Security
Slide #59
Hardware Mechanisms: System Timer
• Processes can voluntarily give up control to
OS via system calls to request OS services.
– SYSENTER, INT 2e
• Timer interrupt
–
–
–
–
Programmable Interval Timer chip.
Happens every 1-100 OS, depending on OS.
Transfers control from process to OS.
Ensures no process can deny availability of
machine to kernel or other processes.
CSC 382: Computer Security
Slide #60
Why is Access Control hard?
• Complex Objects
– Identifying objects of interest.
• Is your choice of objects too coarse or fine-grained?
– Hierarchical structure like filesystem or XML
• Subjects are Complex
– Identifying subjects of interest.
– What are the relationships between subjects?
• Access Control states change.
• Security objectives often unclear.
CSC 382: Computer Security
Slide #61
Key Points
• Center of gravity of security; pervasive.
• Access Control Matrix simplest abstraction
mechanism for representing protection state.
• ACM is too big, so real systems use either:
– ACLs: columns (objects) of ACM.
– Capabilities: rows (subjects) of ACM.
• Access Control in Practice: UNIX.
• Access control rests on hardware foundation.
– Virtual memory, rings, privileged instructions.
CSC 382: Computer Security
Slide #62
References
1. Anderson, Ross, Security Engineering, Wiley,
2001.
2. Bishop, Matt, Introduction to Computer Security,
Addison-Wesley, 2005.
3. Bovet, Daniel and Cesati, Marco, Understanding
the Linux Kernel, 2nd edition, O’Reilly, 2003.
4. Silberschatz, et. al., Database System Concepts,
4th edition, McGraw-Hill, 2002.
5. Silberschatz, et. al., Operating System Concepts,
7th edition, Wiley, 2005.
6. Viega, John, and McGraw, Gary, Building Secure
Software, Addison-Wesley, 2002.
CSC 382: Computer Security
Slide #63