Title: Introduction to Computer Security
1Introduction to Computer Security
- Jason Crampton
- Information Security Group
- Royal Holloway, University of London
2Programme
- Introduction
- Authentication
- Access control models
- Unix security mechanisms
- Windows 2000 security mechanisms
3Learning Outcomes
- Be aware of the objectives of computer security
and the main techniques for realizing these
objectives - Be able to describe basic authentication
techniques - Be aware of access control models and their
importance to authorization mechanisms - Be able to describe basic authorization techniques
4Computer Security Goals
- Confidentiality
- Unauthorized users cannot read information
- Integrity
- Unauthorized users cannot alter information
- Availability
- Authorized users can access information
5Computer Security Reality
- The only system which is truly secure is one
which is switched off and unplugged, locked in a
titanium lined safe, buried in a concrete bunker,
and is surrounded by nerve gas and very highly
paid armed guards. Even then, I wouldnt stake my
life on it. - Professor Gene Spafford
6Why Do We Need Security?
- Protect sensitive resources
- Prevent loss
- Prevent damage
- In the context of information systems
- Prevent unauthorized users from reading
information (loss) - Guarantee confidentiality
- Prevent unauthorized users from tampering with
information (damage) - Guarantee integrity
7Some Simple Security Questions
- A human being wants to use or access some
protected resource - How should we decide whether that user is allowed
to use the resource? - What do we need to know about the user?
- What do we need to know about the resource?
- How might we prevent that user from using the
resource?
8How Do We Implement Security?
- Add mechanisms to prevent access to sensitive
resources - Locks
- Guards
- How do you gain access to protected resources?
- Locks are opened with keys
- Keys have to be distributed to users
- Guards only allow certain people in
- Guards have to be given a list of trusted users
9Computer Security Issues
- How do we control which people can use the
computer system? - How do we control which programs a user can run?
- How do we control which resources a process can
access? - How do we protect processes that share computer
resources from each other?
10Fundamental Techniques
- Authentication
- Identifies authorized users
- Access control (authorization)
- Limits access by authorized users to programs and
resources - Memory protection
- Segmented virtual memory model prevents a process
reading or overwriting memory used by other
processes
11Terminology
- Objects
- Resources (or passive entities) in the computer
system - Files
- Directories
- Printers
- Sockets
- Subjects
- Active entities that access resources
- Process
- Thread
- Principals
- Entities that represent a user
- User
- Group
- Role
- Cryptographic key
- Principals can create subjects
12Terminology
- Department of Defense Trusted Computer System
Evaluation Criteria (TCSEC) - http//www.radium.ncsc.mil/tpep/library/rainbow/52
00.28-STD.html - The trusted computing base (TCB) comprises all
the protection mechanisms within a computer
system including hardware, firmware and software - The TCB is responsible for enforcing the
enterprise security policy - The ability of the TCB to correctly enforce a
security policy depends on the mechanisms within
the TCB and on the correct configuration of the
TCB by administrators - Poor software implementation and poor
configuration can fatally compromise security
13Terminology
- The reference monitor is an abstract machine that
mediates all access requests by subjects - The security kernel consists of the hardware,
firmware and software elements of a TCB that
implement a reference monitor - The security kernel must
- mediate all accesses
- be protected from modification
- be verifiable as correct
14Authentication
15What is Authentication?
- Authentication typically performs two functions
- Identification
- Is a principal recognised by the system?
- A principal that is successfully authenticated is
said to be an authorized principal - Creation of security context
- An authorized principal is associated with
certain security information called a security
context
16Why Use Authentication?
- Without identifying and authenticating the user
logging on to the system, access to objects
cannot be controlled, user rights and abilities
cannot be enforced, and accountability cannot be
maintained via auditing. For these reasons
Windows 95 and Windows 98 can never be considered
secure operating systems. - Windows 2000 Security Technical Reference
- Mandatory logon is a fundamental security
requirement - Part of the C2 requirements in TCSEC
17Authentication Methods (1)
- Something you know
- Computer password
- which can be forgotten!
- Something you have
- Identity card ...
- which can be lost or stolen!
- A combination
- ATM card PIN number
- which can be forgotten, lost or stolen!
- Biometrics personal characteristics that can be
measured - Fingerprints
- Iris scan
- Voice recognition
- Most methods suffer from false positives and
false negatives
18Authentication Methods (2)
- The most common method of authentication in
computer systems is for a user to enter a
username and password - The username may be public knowledge
- The user should keep her password secret
- Alternative authentication methods are sometimes
used - Windows 2000 can use biometrics or hardware
tokens for authentication
19Authentication Process
- Authentication Storage Data entry
Comparison - Storage
- Computer system maintains a list of usernames and
passwords - Data entry
- User enters username
- User enters password
- Comparison
- If ((username is valid) and (entered password
stored password)) then - User is authenticated
- Else
- User is asked to re-enter username and password
20Exercise
- Suppose we use the following alternative
authentication process - User enters username
- If (username is valid)
- Then user is prompted for password
- If (user password stored password)
- Then user is authenticated
- Else
- User is asked to re-enter password
- Else
- User is asked to re-enter username
- Is this authentication process better than the
one on the previous slide? - Consider the information that is leaked to an
attacker who is trying to access the system - An answer to this question can be found in
Pfleeger
21Password Storage
- To perform authentication a computer system must
maintain information about usernames and
passwords - Plaintext password file
- Requires very strong access controls on the file
- May be stored on backup tapes and therefore may
be vulnerable - Can be circumvented by root user or superuser
- Encrypted password file
22Cryptographic Methods
- Encrypted passwords
- Stored passwords are encrypted
- Entered password is encrypted before comparison
with stored password - Why isnt stored password decrypted before
comparison with entered password? - Hashed passwords
- Stored passwords are hashed
- Entered password is hashed and compared with
stored hashed password - Cryptographically protected password files are
still vulnerable to dictionary and brute force
attacks
23Access Control
24Authorization
- Authorization (access control) assumes the
existence of an authentication process - The decision to grant an access request made by a
process is based on the security context of the
process - The security context is inherited from the user
that initiated the process - The security context of a user usually identifies
the user and any security groups to which that
user belongs
25What is Access Control?
- Generic term for the process(es) by which a
computer system controls the interaction between
users and system resources - May implement (part of) a specific security
policy that may be determined by - organisational requirements
- statutory requirements (medical records, for
example) - Policy requirements relevant to access control
include - confidentiality (restrictions on read access)
- integrity (restrictions on write access)
26Why Use Access Control?
- Prevent authorised users from having unlimited
access to system resources - Limit access of unauthorised users that manage to
break in - Access control is not required if access to
resources does not need to be constrained - Early stand-alone PCs (DOS, Windows 95) could not
(and did not need to) enforce access control
27A Schematic View
- A user requests access (read, write, print, etc.)
to a resource in the computer system - The reference monitor
- establishes the validity of the request
- and returns a decision either granting or
denying access to the user
Access Request
Reference monitor
Decision
28Locks and Keys
- A paper-based office
- Certain documents should only be read by certain
individuals - We could implement security by
- storing documents in filing cabinets
- issuing keys to the relevant individuals for the
appropriate cabinets - The reference monitor is the set of (locked)
filing cabinets - An access request (an attempt to open a filing
cabinet) is granted if the key fits the lock (and
denied otherwise)
29Guest Lists
- A night club
- Access to the club is restricted to members
- We can implement security by
- employing a bouncer
- providing the bouncer with a membership list
- The reference monitor is the security guard the
membership list - An access request is granted only if
- a clubber can prove her identity (authentication)
- she is on the membership list
30Tickets
- A further analogy is a football match
- Entry to match is allowed if a ticket has been
purchased and is presented at the match - Seat quality is determined by price of ticket
- Distributed web services are beginning to adopt
this kind of model - An (encrypted) ticket is used to prove that a
user is entitled to access a service - The ticket will include information that is
used by the service to determine what access the
user should have
31Access Modes
- There are two basic modes of interaction between
a subject and an object - Observe
- Alter
- Accessing an object can be regarded as initiating
a flow of information - A subject may observe (read) an object
- Information flows from object to subject
- A subject may alter (write to) an object
- Information flows from subject to object
32Execute Access
- Sometimes an object can be accessed without using
either observe or alter mode - Executable files (programs)
- Directories
- Cryptographic keys
- The execute access right means different things
in different contexts and in different systems - Execute access on a binary executable file grants
permission to run the program - Execute access on a Unix directory grants
permission to access the directory - Read and execute access grants permission to list
the contents of the directory
33Access Rights
- Access rights define particular ways of accessing
an object - The interpretation of an access right may differ
between operating systems - Write access in Multics allows a subject to both
read and write - Append access is write-only (or blind write)
- The interpretation of an access right may depend
on the object to which it applies - Execute means something different in Unix when
applied to programs and directories - Windows 2000 treats everything as an object (in
the programming sense) - Access rights are dependent on the class to which
an object (in the access control sense) belongs - File access rights are different from directory
access rights etc.
34Administrative Access Rights
- Certain operations are administrative in nature
- Involve changes to access control data structures
- Changing the access rights of a user for a
particular resource - Often related to ownership of the resource
- These operations can be controlled by granting
- execute access to programs (chmod in Unix)
- granting control access rights and privileges to
users (change permission and take ownership
privilege in Windows 2000)
35Access Control Models
36What is an Access Control Model?
- The model has the ability to represent
abstractly the elements of computer systems and
of security that are relevant to a treatment of
classified information stored in a computer
system - Bell-LaPadula, 1976
- A model comprises elements that are used to
represent the system such as sets, relations and
functions - In the context of access control, a model
typically describes a reference monitor
37Why Are Models Useful?
- Formal results can be deduced from the model that
make statements about the security of the system - Specification of security policy
- Does system maintain security policy?
- A model may also generate rules that can provide
a blueprint for an implementation - May assist in verifying that an implementation
meets requirements
38The Access Control Matrix
- Introduced by Lampson (1972) and extended by
Harrison, Ruzzo and Ullman (1976-8) - Columns indexed by objects
- Rows indexed by subjects
- Matrix entries are (sets of) access operations
- Foundation of many theoretical security models
Objects
Subjects
39The Access Control Matrix
- A request can be regarded as a triple (s, o, a)
- The subject s wants to access object o where a is
an access right - A request is granted (by the reference monitor)
if - a belongs to the access matrix entry
corresponding to subject s and object o
40The Access Control Matrix
- The request (jason, allfiles.txt, w) is granted
- The request (mick, allfiles.txt, w) is denied
Objects
Subjects
41Disadvantages
- Abstract formulation of access control
- Not suitable for direct implementation
- The matrix is likely to be extremely sparse and
therefore implementation is inefficient - Management of the matrix is likely to be
extremely difficult if there are 0000s of files
and 00s of users (resulting in 000000s of matrix
entries)
42Access Control Lists
- An ACL corresponds to a column in the access
control matrix - The ACL for a.out would be
- (jason, r,w,x), (mick, r,x)
- How would a reference monitor that uses ACLs
check the validity of the request (jason, a.out,
r)?
Objects
Subjects
43Access Control Lists
- Typically represented internally as a list of
access control entries - Each entry includes a user account identifier and
an access mask - An access mask is a bit pattern in which each bit
represents a particular access right - If the bit is set then access is granted
- If 111 represents r, w, x then 100 represents
r etc. - If jasons account identifier is 138 and micks
is 533, the ACL for a.out would be (138, 111),
(533, 101)
44Access Control Lists
- Access control lists focus on the objects
- Typically implemented at operating system level
- Windows NT uses ACLs
- Disadvantage
- How can we check the access rights of a
particular subject efficiently (before-the-act
per-subject review)?
45Capability Lists
- A capability list corresponds to a row in the
access control matrix - jasons capability list would be
- (trash, r,w), (a.out, r,w,x),
(allfiles.txt, r,w) - How would such a reference monitor check the
validity of the request (jason, a.out, r)?
Objects
Subjects
46Capability Lists
- Capability lists focus on the subjects
- Typically implemented in services and application
software - Database applications often use capability lists
to implement fine-grained access to tables and
queries - Renewed interest in capability-based access
control for distributed systems - Can be represented using object identifiers and
access masks - Disdavantage
- How can we check which subjects can access a
given object (before-the-act per-object review)?
47Back to the Analogies
- An ACL is analogous to a membership list
- The club is the (only) object
- The members appear on the list
- A capability list is analogous to the set of keys
issued to a user - The filing cabinets are the objects
48Access Control Policies
- Access control mechanisms exist to enforce
policies - Discretionary policies are based on identities
(or other characteristics of users) - Ownership of resources is typically important
- Unix access control
- Common in commercial systems
- Mandatory policies are independent of users
identities - Characteristics of resources are important
- Access is only allowed if user and object belong
to same security domain - Common in military systems
49Information Flow
- Accessing a computer resource can be regarded as
initiating an information flow - Read access causes information to flow from an
object to a subject - Write access causes information to flow from a
subject to an object
50An Information Flow Policy
- The following policy enforces confidentiality
requirements - Every object and subject has a security level
(security label) - The set of security labels is a (partially)
ordered set - Information flow must preserve the partial
ordering
51An Information Flow Policy
s1
s2
High
Direction of information flow
?
?
o4
o3
o1
o2
Medium
?
?
s4
s3
Low
- s2 can read o2
- s4 can write to o4
- s1 cannot write to o1
- s3 cannot read o3
52An Information Flow Policy
- What does this policy prevent?
- Information leaks due to inappropriate read
actions - Prevents unclassified user reading classified
information - Information leaks due to inappropriate write
actions - Prevents Trojan horses downgrading classified
information - Prevents classified information being printed to
an unclassified printer
53The Bell-LaPadula Model
- Implements an information flow policy for
confidentiality - Employs a security lattice (a partially ordered
set of security labels) - Employs a protection matrix
- Protection matrix refines the information flow
policy
54Security Labels
- Security label has two parts c and K where c is a
security classification and K is a subset of
security categories - Security classifications
- unclassified lt classified lt secret lt top secret
- Set of security (needs-to-know) categories
- army, navy, air force, marines
- personnel, finance, marketing, research
55Partial Ordering of Security Labels
- (c1, K1) 6 (c2, K2) if
- c1 6 c2
- K1 ? K2
- Examples
- (u, ) 6 (u, army)
- (u, ) 6 (c, )
- (c, army) 6 (t, army, navy, marines)
56States
- A state (M, ?, V) is a snapshot of the system
- Protection matrix M
- Security function ? associates each object and
subject with a security label - Set of active triples V
- (s, o, a) 2 V implies that subject s currently
has access to object o using access right a
57The Simple Security Property
- For all (s, o, a) 2 V, if a is a read access
mode, then - ?(s) gt ?(o)
- In other words, if subject s has been granted
read-type access to object o, then s must have a
security label that is at least as high as that
of o
58The Simple Security Property
- Let
- ?(o) (c, army)
- ?(s1) (u, army, navy)
- ?(s2) (s, army, marines)
- The simple security property would
- prevent (s1, o, read) from entering V
- allow (s2, o, read) to enter V
59The -Property
- For all (s, o, a) 2 V, if a is a write access
mode, then - ?(s) 6 ?(o)
- In other words, if subject s has been granted
write-type access to object o, then s must have a
security label that is no higher than that of o
60The Discretionary Property
- For all (s, o, a) 2 V, (s, o, a) 2 M
- In other words, access is only granted if
authorized by the protection matrix - The protection matrix can be used to refine the
information flow policy (enforced by the simple
security property and -property)
61Example
- One subject s three objects o1, o2 and o3
- ?(s) 2, ?(o1) 1, ?(o2) 2, ?(o3) 3
- V
- Three access rights read (r), append (a) and
write (w) - Append is write only access mode
- Write is a read and write access mode
- ?(s) 6 ?(o) and ?(s) gt ?(o)
- In other words ?(s) ?(o)
- M contains every access right in each entry
- Every request is authorized
62Example
- s requests read access to o3
- Denied
- s requests read access to o1
- Granted
- V (s, o1, r)
- s requests append access to o1
- Denied
- s requests write access to o2
- Granted
- V (s, o1, r), (s, o2, w)
- s requests write access to o3
- Denied
- s requests append access to o3
- Granted
- V (s, o1, r), (s, o3, a)
63BLP disadvantages
- Lacks relevance to commercial systems
- Model for confidentiality
- Designed for military applications
- Lacks flexibility
64Unix Security Mechanisms
65User Accounts
- Every user has a unique numeric user ID (UID)
- root user has UID 0
- Every user account also has one or more group
identifiers (GID) - User accounts are stored in /etc/passwd
- Unix applications require access to /etc/passwd
in order to link user names to UIDs - /etc/passwd can be read by anybody
- /etc/passwd cannot contain plaintext passwords
- In fact /etc/passwd doesnt even contain
encrypted passwords
66User Authentication
- User enters username
- User enters password
- Password is encrypted and compared with stored
value - Encrypted password is stored in /etc/shadow
- /etc/shadow is not world-readable
- Password is encrypted using MD5 hash function
- Shell process started for user and associated
with users ID - id command lists users ID and IDs of groups
assigned to user - uid537(jason) 502(webadmin)
- Any processes spawned by shell will be associated
with users ID
67Unix Processes
- Use ps command
- e option lists all processes running on machine
- f option provides more details such as PPID
68Unix Permissions
- Three different permissions are supported
- read (r)
- write (w)
- execute (x)
- To execute a file both r and x must be granted
- To enter a directory x must be granted
- To list the contents of a directory r and x must
be granted - To create a file in a directory w and x must be
granted
69Unix Files
- Every file has an owner (identified by UID) and a
group (identified by GID) - Owner need not be a member of the group
- Devices are treated as files
- Provides consistent and conceptually elegant
interface to devices - echo hello world
- echo hello world gt myfile
- echo hello world gt /dev/lp0
- Devices must be adequately protected
70File Protection
- Each file is associated with three different
groups of permissions - Owner
- Group
- World
- Represented internally as a 9-bit access mask
- If a bit is set then the corresponding permission
is granted - Represented symbolically using letters for access
rights - 111 101 101 is displayed as rwx r-x r-x by
commands such as ls l - Owner has read, write and execute access
- Group and world have read and execute access
71File Protection
- Applies to most specific group to which user
belongs - Protection mechanism first tries to match
requesting UID with file owner UID - If match then requester has those access rights
- Else protection mechanism then tries to match
requesting GID with file GID - If match then requester has group access rights
- Otherwise requester has world access rights
72File Protection
- Given the following output from ls l
- -rwxr-xr-x jason research ... test.exe
- ----rwxr- jason research ... example.exe
- jason has full access to test.exe
- jason has no access to example.exe even if he
belongs to the research group - Any member of the research group (except jason)
has full access to example.exe
73Windows 2000 Security Mechanisms
74Windows 2000 Authentication
- The Winlogon process initiates the authentication
procedure by intercepting the user secure
attention sequence (CtrlAltDel) - The user enters a username and password and
authenticates to a Windows 2000 domain using the
Kerberos protocol - A successful authentication process results in an
access token being returned to the Winlogon
process - The access token is bound to the authenticated
user
75Windows 2000 Authorization
- When a process makes a file access request the
access token is presented to the NTFS service - The NTFS service forwards the request, the access
token and the files access control list (ACL) to
the security reference monitor (SRM) - The SRM compares the identities contained in the
access token with those in the ACL entries
76Windows 2000 Authorization
Access token
File access request
Object handle
Requested access mask access token and DACL
DACL
Granted access mask
77Access Masks
- Windows recognizes several different access
rights and encodes them in a 32-bit access mask - An access request is handled as an access mask
- The security reference monitor constructs a
granted access mask - If the granted access mask is the same as the
requested access mask then access is granted
78Access Control Entries
- Each file in Windows 2000 has a security
descriptor - The most important item in the security
descriptor is the discretionary access control
list (DACL) - The DACL is a list of access control entries
(ACEs) - Each ACE contains a security identifier and an
access mask
79Building the Granted Access Mask
- The SRM examines each ACE
- If the access token contains an SID that matches
the ACE SID then - The matching entries in the requested access mask
and the ACE access mask are added to the granted
access mask - When the end of the DACL is reached the requested
and granted access masks are compared
80Building the Granted Access Mask
- Requested access mask 0110
- Initial granted access mask 0000
- Access token contains SIDs 1, 4 and 5
- Access denied
DACL
Granted access mask
SID 1 Access mask 1010
0010
SID 2 Access mask 0100
0010
SID 3 Access mask 1100
0010
SID 4 Access mask 0011
0010
81Bells and Whistles
- Windows 2000 also has
- Access-denied ACEs
- Inherit-only ACEs
- Restricted SIDs
- Disabled SIDs
- Deny-only SIDs
- Privileges
82Why Are Operating Systems Insecure?
- If an attacker can obtain Administrator access in
Windows 2000 or root access in Unix then the
security of the system can be fatally compromised - Software vulnerabilities
- Incorrect or inadequate validation of user input
- Poor design
- Poor programming practice
- Poor implementation of standards
- Configuration vulnerabilities
- Poor choice of passwords and password policies
- Lack of control over services running on servers
83Hardening Operating Systems
- Remove vulnerabilities
- Use security controls provided by operating
system - Follow the principle of least privilege
- Delete all access rights that are not required
- Remove or disable all services that are not
required - Use dedicated servers
- Multiple services on a single machine mean more
avenues of attack and the compromise of all
services - Simpler to manage and defend against attack
- Rename powerful accounts and use strong passwords
- Many default accounts are powerful and have
preset passwords
84Further Reading
- C.P. Pfleeger. Security in Computing,
Prentice-Hall (1997) - B. Schneier. Secrets and Lies, Wiley (2000)
- R. Anderson. Security Engineering, Wiley (2000)
- D.E. Bell and L. LaPadula. Secure Computer
Systems Mathematical Foundations, Mitre
Corporation Technical Report MTR-2547 (1973) - D.D. Clark and D.R. Wilson. A comparison of
military and commercial computer security
policies, Proceedings of IEEE Symposium on
Security and Privacy, 184194 (1987) - R.S. Sandhu et al. Role-based access control
models, IEEE Computer, 29(6), 3847 (1996)
85Information Security Reports
- CERT (Computer Emergency Response Team)
- http//www.cert.org/
- SysAdmin, Audit, Network, Security (SANS)
Institute - http//www.sans.org/
- Security Tracker
- http//www.securitytracker.com/