L2x - Prof. Ravi Sandhu
Download
Report
Transcript L2x - Prof. Ravi Sandhu
CS 5323
Discretionary Access Control (DAC)
Prof. Ravi Sandhu
Executive Director and Endowed Chair
Lecture 2
[email protected]
www.profsandhu.com
© Ravi Sandhu
World-Leading Research with Real-World Impact!
1
Authentication
© Ravi Sandhu
World-Leading Research with Real-World Impact!
2
Authentication, Authorization, Audit
AAA
Authentication
Authorization
Audit
Who are You?
What are You
Allowed to Do?
What Did You Do?
© Ravi Sandhu
World-Leading Research with Real-World Impact!
3
Authentication, Authorization, Audit
AAA
Authentication
Authorization
Audit
Who are You?
What are You
Allowed to Do?
What Did You Do?
siloed
© Ravi Sandhu
integrated
World-Leading Research with Real-World Impact!
4
Authentication Techniques
Authentication
Something
you know
Something
you have
Something
you are
password
“secret” questions
smartphone
registered device
fingerprint
iris
keyboard dynamics
signature dynamics
© Ravi Sandhu
World-Leading Research with Real-World Impact!
5
Authentication Techniques
Authentication
Something
you know
Something
you have
Something
you are
password
“secret” questions
smartphone
registered device
fingerprint
iris
keyboard dynamics
signature dynamics
single
factor
© Ravi Sandhu
multi
factor
World-Leading Research with Real-World Impact!
6
Phishing
Personalized image to authenticate webserver to user
© Ravi Sandhu
World-Leading Research with Real-World Impact!
7
Phishing Man in the Middle
Personalized image passed through
© Ravi Sandhu
World-Leading Research with Real-World Impact!
8
Passwords
© Ravi Sandhu
World-Leading Research with Real-World Impact!
9
Password Attacks
Password Attacks
Online
Offline (Dictionary Attack)
Lock out
Throttling
Complex passwords
Salting
© Ravi Sandhu
World-Leading Research with Real-World Impact!
10
Password Storage and Verification
Password
Storage
User
ID
Password
Verification
Plaintext
Password
User
ID
Plaintext
Password
=?
User
ID
Stored
Password
User
ID
Stored
Password
Loss of stored passwords =
Catastrophic failure
© Ravi Sandhu
World-Leading Research with Real-World Impact!
11
Password Storage and Verification
Password
Storage
User
ID
Password
Verification
Plaintext
Password
User
ID
Hashing
Process
User
ID
Plaintext
Password
Hashing
Process
Computed
Hash
Stored
Hash
=?
Loss of stored hashes =
Attack by single dictionary
© Ravi Sandhu
User
ID
World-Leading Research with Real-World Impact!
Stored
Hash
12
Password Storage and Verification
Password
Storage
User
ID
Random
Salt
Password
Verification
Plaintext
Password
User
ID
Plaintext
Password
Hashing
Process
User
ID
Stored
Salt
Hashing
Process
Computed
Hash
Stored
Hash
=?
Loss of stored hashes =
Attack by different dictionary
for each salt value
© Ravi Sandhu
User
ID
Stored
Salt
World-Leading Research with Real-World Impact!
Stored
Hash
13
Access Matrix Model
© Ravi Sandhu
World-Leading Research with Real-World Impact!
14
Access Matrix Model
Objects (and Subjects)
G
F
S
u
b
j
e
c
t
s
U
V
rw
own
r
rw
own
rights
© Ravi Sandhu
World-Leading Research with Real-World Impact!
15
Access Matrix Model
Basic Abstractions
Subjects
Objects
Rights
The rights in a cell specify the access of the
subject (row) to the object (column)
© Ravi Sandhu
World-Leading Research with Real-World Impact!
16
Users and Subjects
A subject is a program (application) executing on
behalf of a user
A user may at any time be idle, or have one or more
subjects executing on its behalf
User-subject distinction is important if subject’s rights
are different from a user’s rights
Usually a subset
In many systems a subject has all the rights of a user
A human user may manifest as multiple users
(accounts, principals) in the system
© Ravi Sandhu
World-Leading Research with Real-World Impact!
17
Users and Subjects
JOE.TOP-SECRET
JOE.SECRET
JOE
JOE.CONFIDENTIAL
JOE.UNCLASSIFIED
USER
© Ravi Sandhu
SUBJECTS
World-Leading Research with Real-World Impact!
18
Users and Subjects
JANE.CHAIRPERSON
JANE.FACULTY
JANE
JANE. EMPLOYEE
JANE.SUPER-USER
USER
© Ravi Sandhu
SUBJECTS
World-Leading Research with Real-World Impact!
19
Objects
An object is anything on which a subject can perform
operations (mediated by rights)
Usually objects are passive, for example:
File
Directory (or Folder)
Memory segment
with CRUD operations (create, read, update, delete)
But, subjects can also be objects, with operations
kill
suspend
resume
© Ravi Sandhu
World-Leading Research with Real-World Impact!
20
Access Matrix Model
Objects (and Subjects)
W
F
S
u
b
j
e
c
t
s
© Ravi Sandhu
U
rw
own
W
rw
own
parent
World-Leading Research with Real-World Impact!
21
Implementation
Access Control Lists
Capabilities
Relations
© Ravi Sandhu
World-Leading Research with Real-World Impact!
22
Access Control Lists
F
G
U:r
U:r
U:w
V:r
U:own
V:w
V:own
each column of the access matrix is
stored with the object corresponding to
that column
© Ravi Sandhu
World-Leading Research with Real-World Impact!
23
Capabilities
U F/r, F/w, F/own, G/r
V G/r, G/w, G/own
each row of the access matrix is stored
with the subject corresponding to that row
© Ravi Sandhu
World-Leading Research with Real-World Impact!
24
Relations
Subject
Access
Object
U
r
F
U
w
F
U
own
F
U
r
G
V
r
G
V
w
G
V
own
G
commonly used in relational
database management systems
© Ravi Sandhu
World-Leading Research with Real-World Impact!
25
ACLs versus Capabilities
Authentication
ACL's require authentication of subjects and ACL integrity
Capabilities require integrity and propagation control
Access review
ACL's are superior on a per-object basis
Capabilities are superior on a per-subject basis
Revocation
ACL's are superior on a per-object basis
Capabilities are superior on a per-subject basis
Least privilege
Capabilities provide for finer grained least privilege control with respect to
subjects, especially dynamic short-lived subjects created for specific tasks
© Ravi Sandhu
World-Leading Research with Real-World Impact!
26
ACLs versus Capabilities
Authentication
ACL's require authentication of subjects and ACL integrity
Capabilities require integrity and propagation control
Access review
ACL's are superior on a per-object basis
Capabilities are superior on a per-subject basis
Revocation
ACL's are superior on a per-object basis
Capabilities are superior on a per-subject basis
Least privilege
Capabilities provide for finer grained least privilege control with respect to
subjects, especially dynamic short-lived subjects created for specific tasks
Most Operating Systems use ACLs often in
abbreviated form: owner, group, world
© Ravi Sandhu
World-Leading Research with Real-World Impact!
27
Content-Dependent Controls
content dependent controls
you can only see salaries less than 50K, or
you can only see salaries of employees who
report to you
beyond the scope of Operating Systems
and are provided by Database
Management Systems
© Ravi Sandhu
World-Leading Research with Real-World Impact!
28
Context-Dependent Controls
context dependent controls
cannot access classified information via remote login
salary information can be updated only at year end
company's earnings report is confidential until
announced at the stockholders meeting
can be partially provided by the Operating System
and partially by the Database Management
System
more sophisticated context dependent controls
such as based on past history of accesses
definitely require Database support
© Ravi Sandhu
World-Leading Research with Real-World Impact!
29
Trojan Horse Vulnerability of DAC
Information from an object which can be
read can be copied to any other object
which can be written by a subject
Suppose our users are trusted not to do
this deliberately. It is still possible for
Trojan Horses to copy information from one
object to another.
© Ravi Sandhu
World-Leading Research with Real-World Impact!
30
Trojan Horse Vulnerability of DAC
ACL
A:r
File F
B:r
File G
A:w
User B cannot read file F
© Ravi Sandhu
World-Leading Research with Real-World Impact!
31
Trojan Horse Vulnerability of DAC
ACL
User A
executes
Program Goodies
A:r
read
File F
Trojan Horse
B:r
write
File G
A:w
User B can read contents of file F copied to file G
© Ravi Sandhu
World-Leading Research with Real-World Impact!
32
Copy Difference for rw
Read of a digital copy is as good as read
of original
Write to a digital copy is not so useful
© Ravi Sandhu
World-Leading Research with Real-World Impact!
33
DAC Subtleties
Chains of grants and revokes
Inheritance of permissions
Negative rights
© Ravi Sandhu
World-Leading Research with Real-World Impact!
34
HRU Model
Harrison, M. A., Ruzzo, W. L., & Ullman, J. D.
(1976). Protection in operating systems.
Communications of the ACM, 19(8), 461-471.
© Ravi Sandhu
World-Leading Research with Real-World Impact!
35