Authorization (Pres.)

COEN 350: Network Security
Authorization
Fundamental Mechanisms: Access Matrix

Subjects
Objects (Subjects can be objects, too.)
Access Rights

Example: OS
Subjects = Processes
Objects = System Resources
Access Rights: read, write, execute
Fundamental Mechanisms: Access Matrix

Example: DBMS
Subjects = Users
Objects = Relations
Access Rights: retrieve, update, insert, delete
Fundamental Mechanisms: Access Matrix

Access Matrix:
Row for each object.
Column for each subject.
Entry is a set of access rights.

Later Security Models:
Allow for administrative operations that change the access matrix.
Example: Owner of a file can give permissions to others.
Fundamental Mechanisms: Access Matrix

Access Control Lists
ACL for each object.
Lists all the subjects and their rights.

Capabilities
Capability list for each subject.
Contains all the objects and the rights of the subject.
Fundamental Mechanisms: Access Matrix

Authorization Relation
Database table with fields subject, access mode, object.

Subject   Access Mode   Object
Bob       Owner         File 1
Bob       Read          File 1
Bob       Write         File 1
Alice     Read          File 1
Alice     Owner         File 2
Alice     Read          File 2
Alice     Write         File 2
Bob       Read          File 2
Bob       Write         File 2
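The three representations on the preceding slides are views of the same relation. The following is an added example, not code from the slides: it loads the authorization relation from the table above, builds the access matrix (row per object, column per subject, entry = set of rights), projects it into an ACL for one object and a capability list for one subject, and implements the administrative operation the slides mention (only the owner may grant rights). The function names are this example's own.

```python
from collections import defaultdict

# Constructed copy of the slide's authorization relation: (subject, access mode, object).
AUTHORIZATION_RELATION = [
    ("Bob", "Owner", "File 1"),
    ("Bob", "Read", "File 1"),
    ("Bob", "Write", "File 1"),
    ("Alice", "Read", "File 1"),
    ("Alice", "Owner", "File 2"),
    ("Alice", "Read", "File 2"),
    ("Alice", "Write", "File 2"),
    ("Bob", "Read", "File 2"),
    ("Bob", "Write", "File 2"),
]


def build_matrix(relation):
    """Access matrix: a row per object, a column per subject, entry = set of rights."""
    matrix = defaultdict(lambda: defaultdict(set))
    for subject, mode, obj in relation:
        matrix[obj][subject].add(mode)
    return matrix


def acl(matrix, obj):
    """ACL view: one matrix row, listing every subject and its rights on obj."""
    return {subject: set(rights)
            for subject, rights in matrix.get(obj, {}).items() if rights}


def capabilities(matrix, subject):
    """Capability view: one matrix column, listing every object and the subject's rights on it."""
    return {obj: set(row[subject]) for obj, row in matrix.items() if row.get(subject)}


def is_authorized(matrix, subject, mode, obj):
    """Reference-monitor check: is mode in the (obj, subject) entry?"""
    return mode in matrix.get(obj, {}).get(subject, set())


def grant(matrix, granter, subject, mode, obj):
    """Administrative operation from the slides: only the object's owner may
    change the matrix. Returns True if the entry was added, False if refused."""
    if not is_authorized(matrix, granter, "Owner", obj):
        return False
    matrix[obj][subject].add(mode)
    return True


if __name__ == "__main__":
    m = build_matrix(AUTHORIZATION_RELATION)
    print("ACL for File 1:", acl(m, "File 1"))
    print("Capabilities of Alice:", capabilities(m, "Alice"))
    print("Bob grants Alice Write on File 1:", grant(m, "Bob", "Alice", "Write", "File 1"))
    print("Alice tries to make herself Owner of File 1:", grant(m, "Alice", "Alice", "Owner", "File 1"))
```

The ACL is cheap to answer "who can access this object?" and the capability list is cheap to answer "what can this subject access?"; the matrix itself is the storage-hungry form the next slide complains about.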
Fundamental Mechanisms: Intermediate Controls

Access matrix too storage intensive.
Access matrices make it hard to change policies.

Mechanism 1: Groups
Ideally, all access privileges mediated through group membership.
Negative permissions implement exceptions.
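An added example (not from the slides) of the group mechanism: rights are attached to groups rather than to individual subjects, a user's effective rights are the union over their groups, and a negative permission removes a right from one member as the exception the slide describes. The users, groups and file names are constructed for illustration.

```python
# Group memberships and per-group rights (constructed for this example).
GROUPS = {
    "staff": {"alice", "bob", "carol"},
    "finance": {"carol"},
}
GROUP_RIGHTS = {
    ("staff", "reports.txt"): {"read"},
    ("finance", "ledger.db"): {"read", "write"},
}
# Negative permissions: a right listed here is denied to that user even if
# one of the user's groups grants it. This is the exception mechanism.
NEGATIVE = {
    ("bob", "reports.txt"): {"read"},
}


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def effective_rights(user, obj):
    """Union of what the user's groups grant on obj, minus explicit denials."""
    granted = set()
    for g in groups_of(user):
        granted |= GROUP_RIGHTS.get((g, obj), set())
    return granted - NEGATIVE.get((user, obj), set())


def authorized(user, right, obj):
    return right in effective_rights(user, obj)


def set_group_rights(group, obj, rights):
    """Policy change in one place: it takes effect for every member of the
    group at once, which is why mediating access through groups makes
    policies easier to change than editing one matrix entry per subject."""
    GROUP_RIGHTS[(group, obj)] = set(rights)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "reports.txt:", sorted(effective_rights(user, "reports.txt")),
              "ledger.db:", sorted(effective_rights(user, "ledger.db")))
```

Note that the denial is checked last, so a negative permission wins over any group grant; that ordering is what makes it a reliable exception rather than a race between rules.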
Fundamental Mechanisms: Intermediate Control

Protection Rings
Example: Group processes and system resources into four categories:
Operating System Kernel
Operating System
Utilities
User Processes
Access to an object is only granted to a subject of lower level.
Unix only has two levels.
Sometimes protection rings have hardware support.
Fundamental Mechanisms: Security Classes

Each object has a security class (security label).
Denning: an information flow control policy consists of
Security classes
“Can flow” relationship
Join operation
The join of A and B combines the rights and restrictions of both.

US DoD Security Levels
Top Secret
Secret
Confidential
Unclassified
Fundamental Mechanisms: Access Control Policies

Discretionary Access Control (DAC)
Specifies authorization solely based on object and subject identity.
Flexible and simple.
Difficult to control information flow.

(Classical) Mandatory Access Control (MAC)
Each user and object has a security level.
Security level reflects trust that the user will not pass information to users with lower-level clearance.
Access to an object is based on security level.
Fundamental Mechanisms: Access Control Policies

(Refined) Mandatory Access Control (MAC)
Security levels and compartments.
Example:
CRYPTO for cryptographic algorithms.
COMSEC for communication security.
Possible to have Top Secret clearance in CRYPTO and Unclassified clearance in COMSEC.

Discretionary policies typical in low-security (academic) environments.
Mandatory policies typical in high-security (military) environments.
Neither policy adequate for commercial systems.
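The security-class and MAC slides above describe one structure: labels ordered by a "can flow" relation with a join. The following is an added example, not code from the slides, that implements it for the refined model with compartments (a label maps each compartment to one of the four DoD levels, so "Top Secret in CRYPTO, Unclassified in COMSEC" is a single label) and derives the classical single-level model as the one-compartment case. The MAC check follows the rule stated on the covert-channel slide, that a subject may not write down; no read up is the symmetric rule. Label contents and function names are this example's own.

```python
# Ordered DoD levels from the slides; position in the list is the rank.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


def rank(level):
    return LEVELS.index(level)


def level_in(label, compartment):
    """A compartment absent from a label counts as Unclassified in that compartment."""
    return label.get(compartment, "Unclassified")


def can_flow(src, dst):
    """Denning's "can flow": information labelled src may flow into something
    labelled dst iff dst's level is at least src's level in every compartment."""
    return all(rank(level_in(dst, c)) >= rank(lvl) for c, lvl in src.items())


def join(a, b):
    """Join (least upper bound) of two labels: per compartment, the higher level.
    Anything derived from data labelled a and data labelled b carries join(a, b),
    so it inherits the restrictions of both."""
    out = dict(a)
    for c, lvl in b.items():
        if rank(lvl) > rank(level_in(out, c)):
            out[c] = lvl
    return out


def may_read(clearance, label):
    """No read up: the object's label must be able to flow to the subject."""
    return can_flow(label, clearance)


def may_write(clearance, label):
    """No write down: the subject's clearance must be able to flow to the object."""
    return can_flow(clearance, label)


def classical_label(level):
    """Classical MAC (levels only) is the special case of a single compartment."""
    return {"GENERAL": level}


if __name__ == "__main__":
    # Constructed clearance from the slide's example and two constructed documents.
    analyst = {"CRYPTO": "Top Secret", "COMSEC": "Unclassified"}
    crypto_doc = {"CRYPTO": "Secret"}
    comsec_doc = {"COMSEC": "Confidential"}
    print("read CRYPTO/Secret:", may_read(analyst, crypto_doc))        # True
    print("read COMSEC/Confidential:", may_read(analyst, comsec_doc))  # False
    print("write to CRYPTO/Confidential:", may_write(analyst, {"CRYPTO": "Confidential"}))  # False
    print("join:", join(crypto_doc, comsec_doc))
```

The join is what makes the model enforce flow rather than just access: a report compiled from the CRYPTO and COMSEC documents gets the joined label, and the analyst above, who could read one of the inputs, may not read the result.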
Fundamental Mechanisms: Access Control Policies

Role Based Access Control (RBAC)
Regulate users' access to information based on the activities the users execute in the system.
“Role” is a set of actions and responsibilities associated with a particular working activity.
Access based on role, not identity of user.
Fundamental Mechanisms: Access Control Policies

Role Based Access Control (RBAC)
User authorization is broken into two tasks:
Granting roles to users.
Granting rights to roles.
Roles can be hierarchical: engineers inherit employee rights.
User can log in with the least privilege for a set of particular tasks.
Roles make it easier to enforce separation of duties:
“No single user can subvert the system by herself/himself.”
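An added example (not from the slides) putting the two RBAC slides together: the two assignment tables (users to roles, roles to rights), a role hierarchy in which engineer inherits from employee, least-privilege sessions that activate only a subset of a user's roles, and a static separation-of-duty constraint that refuses to give one user two mutually exclusive roles. Role, right and user names are constructed for illustration.

```python
# Role hierarchy: role -> roles it inherits rights from (constructed).
ROLE_PARENTS = {
    "employee": set(),
    "engineer": {"employee"},
    "release_manager": {"employee"},
    "auditor": {"employee"},
}
# Task 2 from the slide: rights granted to roles.
ROLE_RIGHTS = {
    "employee": {"read_wiki"},
    "engineer": {"commit_code"},
    "release_manager": {"approve_release"},
    "auditor": {"review_release"},
}
# Task 1 from the slide: roles granted to users.
USER_ROLES = {
    "dana": {"engineer", "release_manager"},
    "eve": {"auditor"},
}
# Static separation of duty: no single user may hold both roles of a pair,
# so nobody can both approve a release and audit that approval.
MUTUALLY_EXCLUSIVE = [{"release_manager", "auditor"}]


def expand(role):
    """The role plus every role it inherits from, transitively."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(ROLE_PARENTS.get(r, set()))
    return seen


def rights_of_role(role):
    return set().union(*(ROLE_RIGHTS.get(r, set()) for r in expand(role)))


def assign_role(user, role):
    """Grant a role unless doing so would violate separation of duty.
    Returns True if granted, False if refused."""
    held = USER_ROLES.get(user, set()) | {role}
    if any(pair <= held for pair in MUTUALLY_EXCLUSIVE):
        return False
    USER_ROLES.setdefault(user, set()).add(role)
    return True


def session_rights(user, active_roles):
    """Least privilege: a session activates only a subset of the user's roles,
    so a login for routine work need not carry the user's most powerful role."""
    if not active_roles <= USER_ROLES.get(user, set()):
        raise ValueError(f"{user} may not activate {active_roles}")
    return set().union(*(rights_of_role(r) for r in active_roles))


def authorized(user, active_roles, right):
    """Access decision based on the active roles, never on the user's identity."""
    return right in session_rights(user, active_roles)


if __name__ == "__main__":
    print("engineer rights:", sorted(rights_of_role("engineer")))
    print("dana, engineer session only:", sorted(session_rights("dana", {"engineer"})))
    print("dana gets auditor?", assign_role("dana", "auditor"))   # False: separation of duty
```

Because rights are attached to roles, removing a person from a job is one change to USER_ROLES, and the constraint table documents the separation-of-duty policy explicitly instead of leaving it implicit in which matrix entries happen to be empty.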
Covert Channels

A mechanism to circumvent automatic confinement within a security perimeter.
Example:
Person with TOP SECRET clearance (inadvertently) runs a Trojan horse.
Trojan horse has free access to files in the compartment.
Trojan horse cannot write down to an unclassified file.
But: Trojan horse can do things that are visible from the outside and thus send the contents of TOP SECRET files through a covert channel.
T.H. either runs or waits, so the system load varies. Small-bandwidth channel.
T.H. can or cannot use shared resources: to send a 1 bit, T.H. fills up the printer queue; to send a 0 bit, it empties it.
UNIX Woes: SUID programs

Programs can execute the setuid system call.
A setuid executable runs as if executed by its owner, not by the user who invoked it.
Sendmail uses setuid to implement email.
User can cause programs to run as root with input they provide.
Favorite targets of buffer overflow attacks.