Access Control Mechanisms and Security Models

1
Access Control Mechanisms and Security Models

• How does the computer enforce access policy?

2
Readings

• EROS essays on capabilities (instead of access
  lists)
• http//www.eros-os.org/essays/00Essays.html
• Computer Security paper by Kemmerer

3
Access Control Mechanisms and Models

• Dual mode operation
• Access Matrix
• ACLs and Capabilities
• Multilevel and Multilateral Security
• Access Models
• Bell-LaPadula
• Biba

4
Operating System Protection

• Sharing system resources requires operating
  system to ensure that an incorrect program cannot
  interfere with other programs.
• Most computers provide hardware support to
  differentiate between at least two modes of
  operations (dual mode).
• 1. User mode execution done on behalf of a
  user.
• 2. Monitor mode (also kernel mode or system mode)
  execution done on behalf of operating system.

5
O.S. Protection

• All I/O instructions are privileged instructions.
• Must ensure that a user program could never gain
  control of the computer in monitor mode (i.e., a
  user program cannot alter OS program
  instructions).
• Must provide memory protection for the OS kernel
  and one user program from accessing memory
  allocated to another.

6

• Associate with every process, two registers that
  determine the range of legal addresses
• Base register holds the smallest legal physical
  memory address.
• Limit register contains the size of the range
• Memory outside the defined range cannot be
  accessed.
• In monitor mode, the operating system has
  unrestricted access to both monitor and users
  memory.
• The load instructions for the base and limit
  registers are privileged instructions.

7
Protecting Other Objects

• Operating system consists of a collection of
  objects (hardware and software) buffers,
  registers, memory regions, PCBs, files,
  directories, etc.
• Each object has a unique name and can be accessed
  through a well-defined set of operations. For
  files those operations are read, write, execute.
• Protection problem - ensure that each object is
  accessed correctly and only by those processes
  that are allowed to do so.

8
Subjects and Objects

• Subject
• Active entity in a computer system
• User, process, thread
• We will assume that a subject is synonymous with
  a user
• Object
• Passive entity or resource in a computer system
• Files, directories, printers

9
Assign Subjects to Domains

• Domains are entities that might want to access
  the objects processes, programs, users, roles.
• Domain granularity
• There may be just 2 domains in the system users
  and the superuser
• There may be a domain for each user
• There may be several domains per user user
  surfing web, user compiling programs, user
  changing his password, etc.

10
Access Operations

• An access is an interaction between an object and
  a subject
• A subject may observe (read) an object
• Information flows from object to subject
• A subject may alter (write to) an object
• Information flows from subject to object

11
Read and Write Access

• In a multi-user OS users open files to get access
• Files are opened for read or for write access so
  that the OS can avoid conflicts like two users
  simultaneously writing to the same file
• Write access mode is usually implemented as
  read/write mode
• A user editing a file should not be asked to open
  it twice
• The append (or blind write or write-only)
  access mode allows users to alter an object
  without observing its contents
• Rarely useful (audit log files being the main
  exception)
• Implemented in Multics

12
Execute Access

• Sometimes an object can be used without opening
  it in read or write mode
• Directories
• Binary executable files
• Cryptographic keys
• UNIX includes the execute access operation
• This may mean different things in different
  contexts and in different systems

13
Access Operations in Unix

• File access
• Read (r)
• Write (w)
• Execute (x)
• Directory access
• Read (list directory contents)
• Write (create or rename files in directory)
• Execute (search directory)

14
Unix ls command
15
Access Matrix

• The protection problem can be viewed as a matrix
  (access matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a
  process executing in Domaini can invoke on Objectj

16
Access Matrix
17
Access Matrix

• Access matrix is the mechanism for enforcing
  security policy.
• Policy
• Who can access what object and in what mode.
• Mechanism
• Operating system provides access-matrix rules.
• It ensures that the matrix is only manipulated by
  authorized agents and that rules are strictly
  enforced.

18
Access Control Mechanism

• A request can be regarded as a triple (s,o,a)
• s is a subject
• o is an object
• a is an access operation
• A request is granted if
• a belongs to the access matrix entry
  corresponding to subject s and object o

19
Implementation of Access Matrix

• Sparse matrix (list of access right/domain pairs)
  or Access control lists or Capability lists
• Each column Access-control list for one object.
  Defines who can perform what operation. Domain
  1 Read, Write Domain 2 Read Domain 3 Read
• Each Row Capability List (like a key). For each
  domain, what operations allowed on what objects.
• Object 1 Read
• Object 4 Read, Write, Execute
• Object 5 Read, Write, Delete, Copy

20
Access Control Lists (ACL)

• Access control lists focus on the objects
• Typically implemented at operating system level
• Windows NT uses ACLs
• Disadvantage
• How can we check the access rights of a
  particular subject efficiently (before-the-act
  per-subject review)?

21
Capability Lists

• Capability lists focus on the subjects
• Typically implemented in services and application
  software
• Database applications often use capability lists
  to implement fine-grained access to tables and
  queries
• Renewed interest in capability-based access
  control for distributed systems
• Disdavantage
• How can we check which subjects can access a
  given object (before-the-act per-object review)?

22
Administrative Tasks

• Tasks include
• Creation of new objects and subjects
• Deletion of objects and subjects
• Changing entries in access control matrix
  (changing entries in ACLs and capability lists)
• The administration of access control structures
  is extremely time-consuming, complicated and
  error-prone

23
Administering Access Control

• Access control structures that aggregate subjects
  and objects are used to simplify the
  administrative burden
• User groups and roles aggregate subjects
  (student, faculty, staff)
• Data types aggregate objects (account files,
  binary executables)

24
(No Transcript)
25
ACLs or Capability Lists?

• Theoretically these implementations are the same
  any protection state that can be represented in
  one can be represented in the other. In
  practice, some actions are just impractical in
  one implementation or the other.
• Removing a user (because he left the company) is
  more efficient in capability lists.
• Changing a file to read-only for everyone
  (february-sales is made read-only when February
  is over) is easier in ACLs.

26
Implementation Considerations

• In a given implementation, new lists can be
  created or changed easily, whereas the items in
  the lists must be well-defined and unchanging.
• Creating a new domain or splitting a current one
  is easy in capability lists. domainB as
  manager and domainB as payroll person.
• The result is that capability list systems create
  fine-grained domains. This makes it easy to
  enforce the principle of least privilege a
  fundamental principle in computer security.

27
Example ACL Systems

• In ACL systems, the password program and many
  system utilities, like compilers, run as root
  since the available domains are limited.
• Suppose you discover that the password file is
  kept in /x/y/z (or the IDS logs showing that you
  tried to break into the system). You invoke the
  compiler and specify that it should write the
  output to /x/y/z !!!
• This (and many other problems) can be patched in
  ACL systems, but it never exists as a problem in
  capability list systems.

28
Example Capability Lists

• Capability lists
• Password-program /x/y/z, read, write
• Compiler /usr/bin/prog, read
• Jholliday /usrs/faculty/jholliday, read, write,
  owner
• A new domain is created
• Compiler-jholliday /user/bin/prog, read
  /usrs/faculty/jholliday, write
• Note this domain does not have the capability to
  write to /x/y/z
• UNIX, an ACL system, handles this type of problem
  with the setuid bit but this has lead to many
  security problems.
• Each file has associated with it a domain bit
  (setuid bit).
• When file is executed and setuid on, then
  user-id is set to owner of the file being
  executed. When execution completes user-id is
  reset.

29
Multilevel and Multilateral Security

• Multilevel Security levels are like user and
  super-user or secret and top-secret. The higher
  level (super-user, top-secret) includes all of
  the privileges of the lower level(s).
• Multilateral security is concerned with security
  between domains at the same level (different user
  accounts should not interfere with each other).

30
Where to Place Security Mechanisms?
31
Security Mechanisms Security Layers are Best

• Visualize security mechanisms as concentric
  protection rings, with hardware mechanisms in the
  center and application mechanisms at the outside.

Hardware/ physical
Mechanisms towards the center tend to be more
generic while mechanisms at the outside are more
likely to address individual user requirements.
O.S.
application
32
Protection Rings

• Often, the location of a security mechanism on
  the protection ring is related to its complexity.
  Generic mechanisms (inner rings) are simple,
  applications (outer rings) clamour for
  feature-rich security functions.
• Do you prefer simplicity - and higher assurance -
  to a feature-rich security environment?
• Fundamental dilemma simple generic mechanisms
  may not match specific security requirements. To
  choose the right features from a rich menu, you
  have to be a security expert. Security unaware
  users are in a no-win situation.

33
Blocking Access to the Layer Below

• Attackers try to bypass protection mechanisms.
  The parts of the system that can disable the
  mechanism lie within the current layer or the
  layer below (or within). The parts of the system
  that can malfunction without compromising the
  mechanism lie outside.
• How do you stop an attacker from getting access
  to a layer below your protection mechanism?

34
The Layer Below Examples

• Recovery tools, like Norton Utilities, restore
  the data by reading memory directly and then
  restoring the file structure. Such a tool can be
  used to circumvent logical access control as it
  does not care for the logical memory structure
• Unix treats I/O devices and physical memory
  devices like files. If access permissions are
  defined badly, e.g. if read access is given to a
  disk containing read protected files, then an
  attacker can read the disk contents and
  reconstruct the files.

35
Examples

• Backup whoever has access to a backup tape has
  access to all the data on it. Logical access
  control is of no help and backup tapes have to be
  locked away safely to protect the data.

36
Security Models

• A security model is a formal description of a
  security policy
• Models are used in high assurance security
  evaluations
• Models are important historic milestones in
  computer security (e.g. Bell-LaPadula)
• The models presented today are not recipes for
  security but can be a starting point when you
  have to define a model yourself.

37
Basic Security Theorem

• To design a secure system with the help of state
  machine models,
• define state set so that it captures security
• check that all state transitions starting in a
  secure state yield a secure state
• check that initial state of the system is
  secure
• Security is then preserved by all state
  transitions. The system will always be secure.

38
Bell LaPadula (BLP) Model

• Early state machine approach
• an access operation is described by a tuple
• (s,o,a), s ? S, o ? O, a ? A
• E.g. (Alice, fun.com, read)
• Well studied and formalized. Used in government
  Orange Book and Common Criteria
• Considers only multi-level security needs, thus
  describes confidentiality requirements.

39
Bell LaPadula (BLP) Model

• Subjects and objects are labeled with security
  levels that form a partial ordering
• The policy No information flow from high
  security levels down to low security level
  (confidentiality)
• BLP only considers information flows that occur
  when a subject observes or alters an object

40
BLP Information Flow
Top Secret
Read down
Secret
Write up
Confidential
Prevents subjects from acting as channels by
reading one memory object and transferring
information to another memory object
41
BLP Model

• C(s) is the confidentiality level of subject s.
• C(o) is the level of object o.
• Subject s can read object o if C(s) ? C(o)
• Subject s can write to object o if C(o) ? C(s)
• property that prevents information leakage if
  s has read o, then he can write to p only if C(p)
  ? C(o)

42
Biba Model

• BLP applies to secrecy of information
  (confidentiality), but not integrity. Biba model
  identifies inappropriate modification of data.
• State machine model similar to BLP for integrity
  policies that regulate modification of objects
• Integrity levels (such as trustworthy,
  untrusted or corrupted) are assigned to
  subjects and objects
• The Biba model has policies for an invoke
  operation whereby one subject can access (invoke)
  another subject
• The policies for static integrity levels are the
  dual of the BLP confidentiality levels

43
Biba Model

• Subjects and objects are ordered by integrity
  levels
• I(s) is the integrity of subject s
• I(o) is the integrity of object o
• Subject s can modify o only if I(s) ? I(o)
• Integrity property If s has read access to
  object o with integrity level I(o), then s can
  have write access to p only if I(o) ? I(p)
  (anti-pollution property)

44
Biba Dynamic Integrity Levels

• Subject Low Watermark Policy Subject s can read
  (observe) an object o at any integrity level. The
  new integrity level of s is g.l.b.(IS(s),IO(o))
• Object Low Watermark Policy Subject s can modify
  (alter) an object o at any integrity level. The
  new integrity level of o is g.l.b.(IS(s),IO(o))

45
For Further Study

• Other security models
• Changing access rights Harrison-Ruzo-Ullman,
  Chinese Wall
• Integrity Clark-Wilson
• Computer Security, Dieter Gollmann, Wiley, 1999