Authorization - Computer Engineering
COEN 150: Intro to IA
Authorization
Fundamental Mechanisms:
Access Matrix
Subjects
Objects (Subjects can be objects, too.)
Access Rights
Example:
OS
Subjects = Processes
Objects = System Resources
Access Rights: read, write, execute
Fundamental Mechanisms:
Access Matrix
Example:
DBMS
Subjects = Users
Objects = Relations
Access Rights: retrieve, update, insert, delete
Fundamental Mechanisms:
Access Matrix
Access Matrix:
Row for each object
Column for each subject
Entry is a set of access rights.
(Lampson's original formulation, and most textbooks, use the transpose: a row per subject and a column per object. Either orientation carries the same information.)
Later Security Models:
Allow for administrative operations that
change the access matrix.
Example: Owner of file can give permissions to
others.
Fundamental Mechanisms:
Access Matrix
Access Control Lists
ACL for each object.
Lists all the subjects and their rights.
Capabilities
Capability list for each subject.
Contains all the objects and the rights of
the subject.
Fundamental Mechanisms:
Access Matrix
Authorization Relation
Database table with fields subject, access mode, object (one row per (subject, right, object) triple):

Subject   Access Mode   Object
Bob       Owner         File 1
Bob       Read          File 1
Bob       Write         File 1
Alice     Read          File 1
Alice     Owner         File 2
Alice     Read          File 2
Alice     Write         File 2
Bob       Read          File 2
Bob       Write         File 2
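Added example (mine, not code from the lecture): the authorization relation above stored three ways, as the access matrix, as one ACL per object and as one capability list per subject, all answering the same access question, plus the administrative "owner gives a right to someone else" operation from the earlier slide. The relation rows are the slide's; the function names and the user Carol are my own.

```python
# Added example (not from the lecture): the slide's authorization relation as an
# access matrix, as per-object ACLs and as per-subject capability lists, plus
# the "owner grants a right" administrative operation.
from collections import defaultdict

# Constructed sample data: the (subject, access mode, object) rows of the slide.
AUTHORIZATION_RELATION = [
    ("Bob", "Owner", "File 1"), ("Bob", "Read", "File 1"), ("Bob", "Write", "File 1"),
    ("Alice", "Read", "File 1"),
    ("Alice", "Owner", "File 2"), ("Alice", "Read", "File 2"), ("Alice", "Write", "File 2"),
    ("Bob", "Read", "File 2"), ("Bob", "Write", "File 2"),
]


def build_matrix(relation):
    """Access matrix: matrix[subject][object] is the set of rights in that cell."""
    matrix = defaultdict(lambda: defaultdict(set))
    for subject, mode, obj in relation:
        matrix[subject][obj].add(mode)
    return matrix


def acls(matrix):
    """One ACL per object (a column of the matrix): object -> {subject: rights}."""
    out = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            out[obj][subject] = set(rights)
    return dict(out)


def capability_lists(matrix):
    """One capability list per subject (a row): subject -> {object: rights}."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def is_authorized(acl, subject, mode, obj):
    """Reference-monitor style decision against the object's ACL: absent entries deny."""
    return mode in acl.get(obj, {}).get(subject, set())


def grant(relation, granter, grantee, mode, obj):
    """Administrative operation from the slide: only the Owner of obj may give
    rights on it to others. Returns the updated relation, or None if refused."""
    if not is_authorized(acls(build_matrix(relation)), granter, "Owner", obj):
        return None
    return relation + [(grantee, mode, obj)]
```

The three representations are interchangeable for a single decision; they differ in what is cheap to enumerate (an ACL answers "who can access this file", a capability list answers "what can this user access") and in how revocation is done.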
Fundamental Mechanisms:
Intermediate Controls
Access matrix too storage intensive
Access matrices make it hard to change
policies.
Mechanism 1: Groups
Ideally, all access privileges mediated
through group membership.
Negative permissions implement
exceptions
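Added example (mine, not from the slides) of the group mechanism: every positive right is attached to a group, a negative permission on an individual user overrides any group grant, and a policy change is a single edit to the group entry rather than one per member. The group names, users and the object are constructed.

```python
# Added example (not from the lecture): rights mediated through group
# membership, negative permissions as the exception mechanism.

# Constructed sample policy.
GROUPS = {"staff": {"alice", "bob", "carol"}, "payroll": {"alice"}}
# Positive rights are attached to groups only, never to individuals.
GROUP_RIGHTS = {("staff", "salaries.db"): {"read"},
                ("payroll", "salaries.db"): {"read", "write"}}
# Negative permissions name an individual user and override group grants.
NEGATIVE = {("bob", "salaries.db"): {"read"}}


def groups_of(user, groups=GROUPS):
    """All groups the user is a member of."""
    return {g for g, members in groups.items() if user in members}


def effective_rights(user, obj, groups=GROUPS, group_rights=GROUP_RIGHTS, negative=NEGATIVE):
    """Union of the rights of the user's groups, minus explicit negative permissions."""
    granted = set()
    for g in groups_of(user, groups):
        granted |= group_rights.get((g, obj), set())
    return granted - negative.get((user, obj), set())   # deny overrides


def is_allowed(user, right, obj, **policy):
    return right in effective_rights(user, obj, **policy)


def change_policy(group_rights, group, obj, rights):
    """One edit to the group entry changes the policy for every member."""
    updated = dict(group_rights)
    updated[(group, obj)] = set(rights)
    return updated
```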
Fundamental Mechanisms:
Intermediate Control
Protection Rings
Example:
Group processes and system resources into four categories
Operating System Kernel
Operating System
Utilities
User Processes
Access to an object is only granted to a subject in the same or a more privileged (inner, lower-numbered) ring.
Unix only has two levels.
Sometimes protection rings have hardware support.
Fundamental Mechanisms:
Security Classes
Each object has a Security class (Security Label)
Denning:
Information Control Policy consists of
Security Classes
“Can flow” relationship
Join operation
Join A B is the least upper bound of A and B: it combines the restrictions of both, so information derived from A and from B may flow only to classes that dominate the join.
US DoD Security Levels
Top Secret
Secret
Confidential
Unclassified
Fundamental Mechanisms
Access Control Policies
Discretionary Access Control (DAC)
Specifies authorization solely based on object and
subject identity.
Flexible and simple.
Difficult to control information flow.
(Classical) Mandatory Access Control (MAC)
Each user and object has a security level.
Security level reflects trust that user will not pass
information to users with lower level clearance.
Access to an object based on security level.
Fundamental Mechanisms
Access Control Policies
(Refined) Mandatory Access Control (MAC)
Security Levels and Compartments.
Example:
CRYPTO for cryptographic algorithms.
COMSEC for communication security.
Possible to have top secret clearance in CRYPTO and
unclassified clearance in COMSEC
Discretionary policies typical in low security
(academic) environments.
Mandatory policies typical in high security (military)
environments.
Neither policy adequate for commercial systems.
Fundamental Mechanisms
Access Control Policies
Role Based Access Control (RBAC)
Regulate user’s access to information
based on the activities the users execute in
the system.
“Role” is a set of actions and
responsibilities associated with a particular
working activity.
Access based on role, not identity of user.
Fundamental Mechanisms
Access Control Policies
Role Based Access Control (RBAC)
User authorization is broken into two tasks:
Granting roles to users
Granting rights to roles
Roles can be hierarchical: engineers inherit employee rights.
User can login with the least privilege for a set of
particular tasks.
Roles make it easier to enforce separation of
duties:
“No single user can subvert the system by herself/himself.”
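Added example (mine, not part of the slides): a small RBAC engine with the two tasks just listed (roles to users, rights to roles), a role hierarchy in which engineers inherit employee rights, per-session activation of a subset of roles for least privilege, and a static separation-of-duties rule that refuses conflicting role assignments. The roles, rights and user names are constructed.

```python
# Added example (not from the lecture): RBAC with hierarchy, session activation
# and static separation of duties.
ROLE_PARENTS = {          # role -> roles it inherits from
    "employee": set(),
    "engineer": {"employee"},
    "manager": {"employee"},
    "auditor": {"employee"},
}
ROLE_RIGHTS = {           # task 2: rights granted to roles, as (action, object)
    "employee": {("read", "handbook")},
    "engineer": {("commit", "repo")},
    "manager": {("approve", "expense")},
    "auditor": {("audit", "expense")},
}
# Static separation of duties: no user may hold every role of any of these sets.
SOD = [frozenset({"manager", "auditor"})]


def all_roles(role, parents=ROLE_PARENTS):
    """The role and everything it inherits (transitive closure up the hierarchy)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(parents.get(r, ()))
    return seen


def assign_role(user_roles, user, role, sod=SOD):
    """Task 1: grant a role to a user. Returns False and leaves the assignment
    unchanged if the resulting roles, inherited ones included, would violate
    separation of duties."""
    proposed = user_roles.get(user, set()) | {role}
    closure = set().union(*(all_roles(r) for r in proposed))
    if any(conflict <= closure for conflict in sod):
        return False
    user_roles[user] = proposed
    return True


def permitted(user_roles, user, action, obj, active_roles=None):
    """Access decision by role, not identity. A session may activate only a
    subset of the user's roles so that it runs with least privilege."""
    assigned = user_roles.get(user, set())
    session = assigned if active_roles is None else assigned & set(active_roles)
    effective = set().union(*(all_roles(r) for r in session))
    return any((action, obj) in ROLE_RIGHTS.get(r, ()) for r in effective)
```

Checking separation of duties against the inherited closure rather than only the directly assigned roles matters: otherwise a role that inherits from "auditor" would slip past the rule.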
Covert Channels
A mechanism to circumvent automatic confinement
within a security perimeter.
Example:
Person with TOP SECRET clearance runs (inadvertently)
Trojan horse.
Trojan horse has free access to files in the compartment.
Trojan horse cannot write down to an unclassified file.
But: Trojan horse can do things that are visible from the
outside and thus send contents of TOP SECRET files through
a covert channel.
The T.H. either runs or waits, so the system load varies: a low-bandwidth timing channel.
The T.H. can or cannot use a shared resource: to send a 1 bit it fills up the printer queue, to send a 0 bit it empties it (a storage channel).
UNIX Woes: SUID programs
Programs can call the setuid system call to change their effective user ID, and an executable can carry the set-user-ID (SUID) bit.
A SUID executable runs with the privileges of the file's owner, not of the user who invoked it.
Sendmail uses a setuid-root binary to implement mail delivery.
A user can thus cause a program to run as root with input they provide.
Favourite targets of buffer overflow attacks.
Access Control: Details
Static access control matrix:
Easy to evaluate
Easy to reflect security
Can be implemented in a number of ways:
Access Control List
List of Rights
Database
Matrix
Useless in practice because subjects and objects are
constantly created.
Therefore:
Need updatable access control matrix
Access Control: Details
Transformation Procedures update
Access Control Matrix
Harrison, Ruzzo, Ullman, CACM 1976
Create subject s
Create object o
Enter right into ACM[s,o]
Delete right from ACM[s,o]
Destroy subject s
Destroy object o
Access Control: Details
Transformation Procedures update
Access Control Matrix
Harrison, Ruzzo, Ullman, CACM 1976
System uses these primitives to update ACM
But not directly: Use commands
Some commands are mono-operational
They only involve a single primitive
Most are more complex
Conditional commands
Access Control: Details
Harrison, Ruzzo, Ullman, CACM 1976
Two special rights:
Copy right / Grant right
Allows possessor to grant rights to others, but only
those that they also possess
“Change Permission right” in Windows
Own right
Allows possessor to grant rights over an object to
others.
UNIX: the owner of a file uses chmod to change the permissions others have over it; chown transfers the own right itself.
Access Control: Details
Principle of Attenuation of Privilege
A subject might not give rights it does not
possess to another
Access Control: Details
General Question:
Given a system, how can we determine
that it is secure?
Define secure:
Access Control: Details
Definition (Leaking):
When we can add a right through ACM
transformations to an element of the ACM
that does not have this right, we say that
the right has been leaked.
Access Control: Details
ACM is in a given state.
Transformations alter the state.
Definition:
If a system in initial state S0 can never leak
the right r, then it is called safe with
respect to the right r. Otherwise, it is called
unsafe.
Access Control: Details
Results (Harrison, Ruzzo, Ullman)
There exists an algorithm that will determine whether a given mono-operational protection system with initial state S0 is safe with respect to a generic right r.
It is undecidable whether a given state of a
given system is safe for a given generic
right.
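Added example (mine, not from the lecture) covering the HRU material above: an access control matrix with the six primitive operations, commands built as conditional sequences of primitives, the copy flag and own right, attenuation of privilege (a non-owner can only pass on a right it holds with the copy flag), and a leak check in the sense of the definition just given (does running a command add a right to a cell that did not have it). The subject names, the "read*" copy-flag notation and the command names are my own.

```python
# Added example (not from the lecture): HRU protection system.
import copy


class ACM:
    """Access control matrix with the six HRU primitive operations."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.cells = {}   # (subject, object) -> set of rights

    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)          # every subject is also an object

    def create_object(self, o):
        self.objects.add(o)

    def enter(self, right, s, o):
        assert s in self.subjects and o in self.objects
        self.cells.setdefault((s, o), set()).add(right)

    def delete(self, right, s, o):
        self.cells.get((s, o), set()).discard(right)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)

    def destroy_object(self, o):
        self.objects.discard(o)
        self.cells = {k: v for k, v in self.cells.items() if o not in k}

    def rights(self, s, o):
        return self.cells.get((s, o), set())


# Commands are the only way the system touches the matrix; each is a
# conditional sequence of primitives.
def cmd_create_file(acm, creator, f):
    """create object + enter own: two primitives, so not mono-operational."""
    acm.create_object(f)
    acm.enter("own", creator, f)


def cmd_grant(acm, granter, grantee, right, obj):
    """'read*' denotes read held with the copy flag. The owner may confer any
    right (copy flag included); anyone else only a right it holds with the
    copy flag, and the grantee receives it without the flag (attenuation)."""
    have = acm.rights(granter, obj)
    if "own" in have or right + "*" in have:
        acm.enter(right, grantee, obj)
        return True
    return False


def leaks(acm, right, command, *args):
    """Run `command` on a copy of the matrix and report the cells that gained
    `right`: non-empty means the command leaks that right from this state."""
    trial = copy.deepcopy(acm)
    before = {k for k, v in trial.cells.items() if right in v}
    command(trial, *args)
    after = {k for k, v in trial.cells.items() if right in v}
    return after - before
```

`leaks` checks one command from one state; the HRU result says that deciding whether any sequence of commands can ever leak a right is undecidable in general, which is why the check stays a per-step diagnostic rather than a proof of safety.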
Confidentiality Policies
Confidentiality policy a.k.a Information
Flow policy
prevents unauthorized disclosure of
information
Bell-LaPadula Model
Combines mandatory and discretionary
access controls.
Mandatory access control supersedes
discretionary access control.
Only models reads and writes.
Bell-LaPadula Model I
Hierarchical Levels for Objects and Subjects:
Unclassified (UC) – Confidential (C) – Secret (S) –
Top Secret (TS)
[Simple security property] S can read O if and only if
$\mathrm{level}(O) \le \mathrm{level}(S)$ and
S has discretionary read access to O.
[*-property] S can write O if and only if
$\mathrm{level}(O) \ge \mathrm{level}(S)$ and
S has discretionary write access to O.
Bell-LaPadula Model I
Example:
To read a Secret file, you need a Secret or Top Secret clearance.
To write to a Secret file, you cannot have a Top Secret clearance (your level must not exceed the file's).
Rationale: someone with a Secret clearance must not be able to write a file that carries (or will be given) an Unclassified label.
Bell – LaPadula Model II
Expand model by introducing categories
Categories reflect “Need to know”
Example: ComSec, InfoSec
Excurse: Lattices
Security levels do not need to be
arranged in a complete ordering
Lattices: Rich enough mathematical
structure with a partial ordering.
Excurse: Lattices
Totally Ordered Set (left) vs.
Lattice (right)
Excurse: Lattices
A partial ordering $\le$ on a set $S$ is reflexive, transitive, and antisymmetric.
$(S, \le)$ is a total order if for any two elements $a, b \in S$ we have
$a \le b$ or $b \le a$.
A least upper bound $u$ for $a, b$ in a partially ordered set $S$ has the properties
$a \le u$
$b \le u$
$\forall v \in S: [a \le v \text{ and } b \le v] \Rightarrow u \le v$.
Excurse: Lattices
A greatest lower bound $g$ for $a, b$ in a partially ordered set $S$ has the properties
$g \le a$
$g \le b$
$\forall v \in S: [v \le a \text{ and } v \le b] \Rightarrow v \le g$.
Excurse: Lattices
A set with a partial ordering is a lattice
if any two elements have a least upper
bound and a greatest lower bound.
Bell – LaPadula Model II
Model consists of
Set of subjects S
Set of objects O
Set of access operations A = {read,
execute, append, write}
Lattice of security levels
Set of security level assignments F.
Bell – LaPadula Model II
An element of F is a triple
maximum security level a subject can have
current security level a subject can have
classification of all objects.
The current security level is smaller or
equal to the maximum security level.
Bell – LaPadula Model II
Simple Security Property:
No read-up security policy
* Property
For writes / appends:
Current security level of the writer must be dominated by (less than or equal to) the security level of the object.
No write-down.
Bell – LaPadula Model II
The definition does not allow high-level subjects to write to low-level objects (for instance to send a message to a lower-level subject). In this case, either:
1. Temporarily downgrade the writer (lower its current level), or
2. Identify a set of subjects (aka Trusted Subjects) which are permitted to violate the * policy.
Bell – LaPadula Model II
Discretionary Security Policy
An access is only allowed if it is allowed by
the discretionary access matrix.
Basic Security Theorem:
If all state transitions in a system are
secure and if the initial state is secure then
all states of the system are secure.
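Added example (mine, not code from the lecture) for the lattice excursion and for Bell-LaPadula Model II: security labels as (level, set of categories) with dominance, join and meet; subjects with a maximum and a current level; the simple security and * property checks combined with a discretionary matrix; and both workarounds for no-write-down, lowering the current level and a trusted subject. The four levels are the slides' DoD levels; the categories CRYPTO and COMSEC come from the earlier MAC slide; object names, subject names and the discretionary matrix are constructed.

```python
# Added example (not from the lecture): BLP labels as a lattice, plus the
# simple security and * properties on top of discretionary access.
LEVELS = {"UC": 0, "C": 1, "S": 2, "TS": 3}   # the four DoD levels


class Label:
    """Security level = (hierarchical level, set of categories)."""

    def __init__(self, level, cats=()):
        self.level, self.cats = level, frozenset(cats)

    def dominates(self, other):
        """other <= self: level at least as high AND categories a superset."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.cats <= self.cats

    def join(self, other):
        """Least upper bound: higher level, union of categories."""
        return Label(max(self.level, other.level, key=LEVELS.get), self.cats | other.cats)

    def meet(self, other):
        """Greatest lower bound: lower level, intersection of categories."""
        return Label(min(self.level, other.level, key=LEVELS.get), self.cats & other.cats)

    def __eq__(self, other):
        return (self.level, self.cats) == (other.level, other.cats)

    def __hash__(self):
        return hash((self.level, self.cats))

    def __repr__(self):
        return f"Label({self.level!r}, {sorted(self.cats)})"


class Subject:
    """f_S (maximum) and f_C (current) level; trusted subjects may violate *."""

    def __init__(self, name, max_label, trusted=False):
        self.name, self.max, self.current, self.trusted = name, max_label, max_label, trusted

    def set_current(self, label):
        """The current level must stay dominated by the maximum; False if refused."""
        if not self.max.dominates(label):
            return False
        self.current = label
        return True


def can_read(subj, obj, objects, dac):
    """Simple security property (no read-up) AND discretionary read access."""
    return "read" in dac.get((subj.name, obj), set()) and subj.current.dominates(objects[obj])


def can_write(subj, obj, objects, dac):
    """* property (no write-down) AND discretionary write access;
    a trusted subject bypasses the * property only."""
    if "write" not in dac.get((subj.name, obj), set()):
        return False
    return subj.trusted or objects[obj].dominates(subj.current)
```

Note that lowering the current level to write down also removes read access to the higher-level objects for that session, which is exactly why the downgrade is temporary.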
Bell – LaPadula Model II
Limitations:
BLP can become meaningless if there are
state transitions that allow changes of
access rights.
BLP only deals with confidentiality
BLP does not address management of
access control.
(See Harrison-Ruzzo-Ullman model)
BLP does not prevent covert channels.
Chinese Wall
Chinese Wall model (Brewer & Nash)
Models access rules in a consultancy
business
Analysts should not have conflicts of
interests:
Alice first helps Client 1, gaining knowledge
over a market.
Alice then helps Client 2 with the knowledge
gained from helping Client 1
Chinese Wall
Set of subjects S are consultants
Set of companies is C
Set of objects O is items of information
concerning a single company
Conflict of interest classes indicate
which companies are in competition
Security label of an object is
List of competitors of company
Chinese Wall
Sanitizing
Remove or disguise all information in an object that could identify the company it concerns, so that the sanitized object can be read and used freely.
Chinese Wall
Chinese Wall rules:
Access is granted only if:
The object belongs to a company dataset
already held by the user.
Or: An entirely different conflict of interest
class.
Write access is granted only if:
No other object can be read which is in a
different company dataset and contains
unsanitized information.
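Added example (mine, not from the slides) of the Chinese Wall rules: an access history per consultant, the object label as company plus its competitors, the read rule (same dataset already held, or a wholly different conflict-of-interest class, sanitized objects always readable) and the write rule (refused while any unsanitized object of another company is still readable). Companies, conflict classes, objects and names are constructed.

```python
# Added example (not from the lecture): Brewer-Nash Chinese Wall.
COI_CLASS = {"Bank A": "banks", "Bank B": "banks", "Oil X": "oil"}   # company -> conflict class

# object -> (company it concerns, sanitized?)
OBJECTS = {
    "a-report": ("Bank A", False),
    "b-report": ("Bank B", False),
    "x-report": ("Oil X", False),
    "a-brochure": ("Bank A", True),   # sanitized: nothing company-identifying left
}


class ChineseWall:
    def __init__(self, coi_class, objects):
        self.coi, self.objects = coi_class, objects
        self.held = {}   # consultant -> company datasets already accessed

    def label(self, obj):
        """Security label of an object: its company and that company's competitors."""
        company = self.objects[obj][0]
        competitors = {c for c, k in self.coi.items() if k == self.coi[company] and c != company}
        return company, competitors

    def can_read(self, user, obj):
        """Simple security: dataset already held, or a different conflict class entirely."""
        company, sanitized = self.objects[obj]
        if sanitized:
            return True
        held = self.held.get(user, set())
        return company in held or all(self.coi[c] != self.coi[company] for c in held)

    def read(self, user, obj):
        """Mediated read: a granted read of unsanitized data enters the history."""
        if not self.can_read(user, obj):
            return False
        company, sanitized = self.objects[obj]
        if not sanitized:
            self.held.setdefault(user, set()).add(company)
        return True

    def can_write(self, user, obj):
        """* property: refused if the user could read an unsanitized object of a
        different company, since the write could carry it across the wall."""
        company = self.objects[obj][0]
        if not self.can_read(user, obj):
            return False
        return not any(c != company and not san and self.can_read(user, o)
                       for o, (c, san) in self.objects.items())
```

The write rule is as strict as Brewer and Nash defined it: a consultant who can still read unsanitized data of a company in an unrelated conflict class (Oil X in the sample) cannot write to any bank dataset at all, which is why in practice sanitization is what makes writing possible.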
Security Kernel
Orange Book
Trusted Computer System Evaluation Criteria (TCSEC)
yardstick for users to assess the degree of trust
that can be placed in a computer system
guidance for manufacturers of computer
security systems
basis for specifying security requirements when
acquiring a computer security system
Security Kernel
Orange Book Security Divisions:
D – Minimal protection
C1 – Discretionary Security Protection
C2 – Controlled Access Protection
B1 – Labeled Security Protection
B2 – Structured Protection
B3 – Security Domains
A1 – Verified Design
Security Kernel
Computer Systems are designed in
layers.
A security mechanism at one layer can be subverted by an attack at a lower layer.
Implementing security mechanisms at
lower levels can lead to less performance
overhead.
Security Kernel
Orange Book Definitions:
REFERENCE MONITOR: An access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.
SECURITY KERNEL: The hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept.
TRUSTED COMPUTING BASE: The totality of protection mechanisms within a computer system.
Security Kernel
Users must not be able to modify the operating system.
Users should be able to invoke the OS.
Users should not be able to misuse the OS.
Tools:
status information
controlled invocation = restricted privilege
Security Kernel
OS needs to distinguish between operations
on behalf of the OS and on behalf of a user.
Motorola 68000: One status bit allows to
distinguish between user mode and kernel mode.
Intel 80386: Two status bits giving 4 modes.
Example: How to allow processes to switch
between root and user level?
SUID, …
Security Kernel
Motorola 68000:
Has a 16-bit status register including
T – trace bit
S – supervisor bit
Interrupt level in 3 bits.
Operating systems are implemented with TRAP calls
Processor uses memory mapped I/O
Address decoder receives input from status bits.
Based on status, processes can access:
user data
user program
supervisor data
supervisor program
interrupt acknowledge
Security Kernel
Intel 80386
Supports 4 privilege levels
Stores information about system objects in
descriptors.
Stored in descriptor table.
Accessed via selectors.
Privilege level of object stored in descriptor.
Selectors contain a Requested Privilege Level
(RPL) field
Security Kernel
Intel 80386
Assume application level program needs service
from an OS service.
Done by gates
System object that points to a procedure.
To be used, gate needs to have same level as
invoking procedure.
When invoking a subroutine through a gate,
current privilege level changes to that of the
procedure pointed to by gate.
Part of the stack is copied to a more privileged
stack segment.
Security Kernel
80386
Security policy needs to take both current
privilege level and privilege level of
triggering application into account.
Done by the RPL field and the ARPL (adjust requested privilege level) instruction.