Introduction to Computer Security

1
Introduction to Computer Security

• Jason Crampton
• Information Security Group
• Royal Holloway, University of London

2
Programme

• Introduction
• Authentication
• Access control models
• Unix security mechanisms
• Windows 2000 security mechanisms

3
Learning Outcomes

• Be aware of the objectives of computer security
  and the main techniques for realizing these
  objectives
• Be able to describe basic authentication
  techniques
• Be aware of access control models and their
  importance to authorization mechanisms
• Be able to describe basic authorization techniques

4
Computer Security Goals

• Confidentiality
• Unauthorized users cannot read information
• Integrity
• Unauthorized users cannot alter information
• Availability
• Authorized users can access information

5
Computer Security Reality

• The only system which is truly secure is one
  which is switched off and unplugged, locked in a
  titanium lined safe, buried in a concrete bunker,
  and is surrounded by nerve gas and very highly
  paid armed guards. Even then, I wouldnt stake my
  life on it.
• Professor Gene Spafford

6
Why Do We Need Security?

• Protect sensitive resources
• Prevent loss
• Prevent damage
• In the context of information systems
• Prevent unauthorized users from reading
  information (loss)
• Guarantee confidentiality
• Prevent unauthorized users from tampering with
  information (damage)
• Guarantee integrity

7
Some Simple Security Questions

• A human being wants to use or access some
  protected resource
• How should we decide whether that user is allowed
  to use the resource?
• What do we need to know about the user?
• What do we need to know about the resource?
• How might we prevent that user from using the
  resource?

8
How Do We Implement Security?

• Add mechanisms to prevent access to sensitive
  resources
• Locks
• Guards
• How do you gain access to protected resources?
• Locks are opened with keys
• Keys have to be distributed to users
• Guards only allow certain people in
• Guards have to be given a list of trusted users

9
Computer Security Issues

• How do we control which people can use the
  computer system?
• How do we control which programs a user can run?
• How do we control which resources a process can
  access?
• How do we protect processes that share computer
  resources from each other?

10
Fundamental Techniques

• Authentication
• Identifies authorized users
• Access control (authorization)
• Limits access by authorized users to programs and
  resources
• Memory protection
• Segmented virtual memory model prevents a process
  reading or overwriting memory used by other
  processes

11
Terminology

• Objects
• Resources (or passive entities) in the computer
  system
• Files
• Directories
• Printers
• Sockets
• Subjects
• Active entities that access resources
• Process
• Thread

• Principals
• Entities that represent a user
• User
• Group
• Role
• Cryptographic key
• Principals can create subjects

12
Terminology

• Department of Defense Trusted Computer System
  Evaluation Criteria (TCSEC)
• http//www.radium.ncsc.mil/tpep/library/rainbow/52
  00.28-STD.html
• The trusted computing base (TCB) comprises all
  the protection mechanisms within a computer
  system including hardware, firmware and software
• The TCB is responsible for enforcing the
  enterprise security policy
• The ability of the TCB to correctly enforce a
  security policy depends on the mechanisms within
  the TCB and on the correct configuration of the
  TCB by administrators
• Poor software implementation and poor
  configuration can fatally compromise security

13
Terminology

• The reference monitor is an abstract machine that
  mediates all access requests by subjects
• The security kernel consists of the hardware,
  firmware and software elements of a TCB that
  implement a reference monitor
• The security kernel must
• mediate all accesses
• be protected from modification
• be verifiable as correct

14
Authentication
15
What is Authentication?

• Authentication typically performs two functions
• Identification
• Is a principal recognised by the system?
• A principal that is successfully authenticated is
  said to be an authorized principal
• Creation of security context
• An authorized principal is associated with
  certain security information called a security
  context

16
Why Use Authentication?

• Without identifying and authenticating the user
  logging on to the system, access to objects
  cannot be controlled, user rights and abilities
  cannot be enforced, and accountability cannot be
  maintained via auditing. For these reasons
  Windows 95 and Windows 98 can never be considered
  secure operating systems.
• Windows 2000 Security Technical Reference
• Mandatory logon is a fundamental security
  requirement
• Part of the C2 requirements in TCSEC

17
Authentication Methods (1)

• Something you know
• Computer password
• which can be forgotten!
• Something you have
• Identity card ...
• which can be lost or stolen!
• A combination
• ATM card PIN number
• which can be forgotten, lost or stolen!

• Biometrics personal characteristics that can be
  measured
• Fingerprints
• Iris scan
• Voice recognition
• Most methods suffer from false positives and
  false negatives

18
Authentication Methods (2)

• The most common method of authentication in
  computer systems is for a user to enter a
  username and password
• The username may be public knowledge
• The user should keep her password secret
• Alternative authentication methods are sometimes
  used
• Windows 2000 can use biometrics or hardware
  tokens for authentication

19
Authentication Process

• Authentication Storage Data entry
  Comparison
• Storage
• Computer system maintains a list of usernames and
  passwords
• Data entry
• User enters username
• User enters password
• Comparison
• If ((username is valid) and (entered password
  stored password)) then
• User is authenticated
• Else
• User is asked to re-enter username and password

20
Exercise

• Suppose we use the following alternative
  authentication process
• User enters username
• If (username is valid)
• Then user is prompted for password
• If (user password stored password)
• Then user is authenticated
• Else
• User is asked to re-enter password
• Else
• User is asked to re-enter username
• Is this authentication process better than the
  one on the previous slide?
• Consider the information that is leaked to an
  attacker who is trying to access the system
• An answer to this question can be found in
  Pfleeger

21
Password Storage

• To perform authentication a computer system must
  maintain information about usernames and
  passwords
• Plaintext password file
• Requires very strong access controls on the file
• May be stored on backup tapes and therefore may
  be vulnerable
• Can be circumvented by root user or superuser
• Encrypted password file

22
Cryptographic Methods

• Encrypted passwords
• Stored passwords are encrypted
• Entered password is encrypted before comparison
  with stored password
• Why isnt stored password decrypted before
  comparison with entered password?
• Hashed passwords
• Stored passwords are hashed
• Entered password is hashed and compared with
  stored hashed password
• Cryptographically protected password files are
  still vulnerable to dictionary and brute force
  attacks

23
Access Control
24
Authorization

• Authorization (access control) assumes the
  existence of an authentication process
• The decision to grant an access request made by a
  process is based on the security context of the
  process
• The security context is inherited from the user
  that initiated the process
• The security context of a user usually identifies
  the user and any security groups to which that
  user belongs

25
What is Access Control?

• Generic term for the process(es) by which a
  computer system controls the interaction between
  users and system resources
• May implement (part of) a specific security
  policy that may be determined by
• organisational requirements
• statutory requirements (medical records, for
  example)
• Policy requirements relevant to access control
  include
• confidentiality (restrictions on read access)
• integrity (restrictions on write access)

26
Why Use Access Control?

• Prevent authorised users from having unlimited
  access to system resources
• Limit access of unauthorised users that manage to
  break in
• Access control is not required if access to
  resources does not need to be constrained
• Early stand-alone PCs (DOS, Windows 95) could not
  (and did not need to) enforce access control

27
A Schematic View

• A user requests access (read, write, print, etc.)
  to a resource in the computer system
• The reference monitor
• establishes the validity of the request
• and returns a decision either granting or
  denying access to the user

Access Request
Reference monitor
Decision
28
Locks and Keys

• A paper-based office
• Certain documents should only be read by certain
  individuals
• We could implement security by
• storing documents in filing cabinets
• issuing keys to the relevant individuals for the
  appropriate cabinets
• The reference monitor is the set of (locked)
  filing cabinets
• An access request (an attempt to open a filing
  cabinet) is granted if the key fits the lock (and
  denied otherwise)

29
Guest Lists

• A night club
• Access to the club is restricted to members
• We can implement security by
• employing a bouncer
• providing the bouncer with a membership list
• The reference monitor is the security guard the
  membership list
• An access request is granted only if
• a clubber can prove her identity (authentication)
  
• she is on the membership list

30
Tickets

• A further analogy is a football match
• Entry to match is allowed if a ticket has been
  purchased and is presented at the match
• Seat quality is determined by price of ticket
• Distributed web services are beginning to adopt
  this kind of model
• An (encrypted) ticket is used to prove that a
  user is entitled to access a service
• The ticket will include information that is
  used by the service to determine what access the
  user should have

31
Access Modes

• There are two basic modes of interaction between
  a subject and an object
• Observe
• Alter
• Accessing an object can be regarded as initiating
  a flow of information
• A subject may observe (read) an object
• Information flows from object to subject
• A subject may alter (write to) an object
• Information flows from subject to object

32
Execute Access

• Sometimes an object can be accessed without using
  either observe or alter mode
• Executable files (programs)
• Directories
• Cryptographic keys
• The execute access right means different things
  in different contexts and in different systems
• Execute access on a binary executable file grants
  permission to run the program
• Execute access on a Unix directory grants
  permission to access the directory
• Read and execute access grants permission to list
  the contents of the directory

33
Access Rights

• Access rights define particular ways of accessing
  an object
• The interpretation of an access right may differ
  between operating systems
• Write access in Multics allows a subject to both
  read and write
• Append access is write-only (or blind write)
• The interpretation of an access right may depend
  on the object to which it applies
• Execute means something different in Unix when
  applied to programs and directories
• Windows 2000 treats everything as an object (in
  the programming sense)
• Access rights are dependent on the class to which
  an object (in the access control sense) belongs
• File access rights are different from directory
  access rights etc.

34
Administrative Access Rights

• Certain operations are administrative in nature
• Involve changes to access control data structures
• Changing the access rights of a user for a
  particular resource
• Often related to ownership of the resource
• These operations can be controlled by granting
• execute access to programs (chmod in Unix)
• granting control access rights and privileges to
  users (change permission and take ownership
  privilege in Windows 2000)

35
Access Control Models
36
What is an Access Control Model?

• The model has the ability to represent
  abstractly the elements of computer systems and
  of security that are relevant to a treatment of
  classified information stored in a computer
  system
• Bell-LaPadula, 1976
• A model comprises elements that are used to
  represent the system such as sets, relations and
  functions
• In the context of access control, a model
  typically describes a reference monitor

37
Why Are Models Useful?

• Formal results can be deduced from the model that
  make statements about the security of the system
• Specification of security policy
• Does system maintain security policy?
• A model may also generate rules that can provide
  a blueprint for an implementation
• May assist in verifying that an implementation
  meets requirements

38
The Access Control Matrix

• Introduced by Lampson (1972) and extended by
  Harrison, Ruzzo and Ullman (1976-8)
• Columns indexed by objects
• Rows indexed by subjects
• Matrix entries are (sets of) access operations
• Foundation of many theoretical security models

Objects
Subjects
39
The Access Control Matrix

• A request can be regarded as a triple (s, o, a)
• The subject s wants to access object o where a is
  an access right
• A request is granted (by the reference monitor)
  if
• a belongs to the access matrix entry
  corresponding to subject s and object o

40
The Access Control Matrix

• The request (jason, allfiles.txt, w) is granted
• The request (mick, allfiles.txt, w) is denied

Objects
Subjects
41
Disadvantages

• Abstract formulation of access control
• Not suitable for direct implementation
• The matrix is likely to be extremely sparse and
  therefore implementation is inefficient
• Management of the matrix is likely to be
  extremely difficult if there are 0000s of files
  and 00s of users (resulting in 000000s of matrix
  entries)

42
Access Control Lists

• An ACL corresponds to a column in the access
  control matrix
• The ACL for a.out would be
• (jason, r,w,x), (mick, r,x)
• How would a reference monitor that uses ACLs
  check the validity of the request (jason, a.out,
  r)?

Objects
Subjects
43
Access Control Lists

• Typically represented internally as a list of
  access control entries
• Each entry includes a user account identifier and
  an access mask
• An access mask is a bit pattern in which each bit
  represents a particular access right
• If the bit is set then access is granted
• If 111 represents r, w, x then 100 represents
  r etc.
• If jasons account identifier is 138 and micks
  is 533, the ACL for a.out would be (138, 111),
  (533, 101)

44
Access Control Lists

• Access control lists focus on the objects
• Typically implemented at operating system level
• Windows NT uses ACLs
• Disadvantage
• How can we check the access rights of a
  particular subject efficiently (before-the-act
  per-subject review)?

45
Capability Lists

• A capability list corresponds to a row in the
  access control matrix
• jasons capability list would be
• (trash, r,w), (a.out, r,w,x),
  (allfiles.txt, r,w)
• How would such a reference monitor check the
  validity of the request (jason, a.out, r)?

Objects
Subjects
46
Capability Lists

• Capability lists focus on the subjects
• Typically implemented in services and application
  software
• Database applications often use capability lists
  to implement fine-grained access to tables and
  queries
• Renewed interest in capability-based access
  control for distributed systems
• Can be represented using object identifiers and
  access masks
• Disdavantage
• How can we check which subjects can access a
  given object (before-the-act per-object review)?

47
Back to the Analogies

• An ACL is analogous to a membership list
• The club is the (only) object
• The members appear on the list
• A capability list is analogous to the set of keys
  issued to a user
• The filing cabinets are the objects

48
Access Control Policies

• Access control mechanisms exist to enforce
  policies
• Discretionary policies are based on identities
  (or other characteristics of users)
• Ownership of resources is typically important
• Unix access control
• Common in commercial systems
• Mandatory policies are independent of users
  identities
• Characteristics of resources are important
• Access is only allowed if user and object belong
  to same security domain
• Common in military systems

49
Information Flow

• Accessing a computer resource can be regarded as
  initiating an information flow
• Read access causes information to flow from an
  object to a subject
• Write access causes information to flow from a
  subject to an object

50
An Information Flow Policy

• The following policy enforces confidentiality
  requirements
• Every object and subject has a security level
  (security label)
• The set of security labels is a (partially)
  ordered set
• Information flow must preserve the partial
  ordering

51
An Information Flow Policy
s1
s2
High
Direction of information flow
?
?
o4
o3
o1
o2
Medium
?
?
s4
s3
Low

• s2 can read o2
• s4 can write to o4

• s1 cannot write to o1
• s3 cannot read o3

52
An Information Flow Policy

• What does this policy prevent?
• Information leaks due to inappropriate read
  actions
• Prevents unclassified user reading classified
  information
• Information leaks due to inappropriate write
  actions
• Prevents Trojan horses downgrading classified
  information
• Prevents classified information being printed to
  an unclassified printer

53
The Bell-LaPadula Model

• Implements an information flow policy for
  confidentiality
• Employs a security lattice (a partially ordered
  set of security labels)
• Employs a protection matrix
• Protection matrix refines the information flow
  policy

54
Security Labels

• Security label has two parts c and K where c is a
  security classification and K is a subset of
  security categories
• Security classifications
• unclassified lt classified lt secret lt top secret
• Set of security (needs-to-know) categories
• army, navy, air force, marines
• personnel, finance, marketing, research

55
Partial Ordering of Security Labels

• (c1, K1) 6 (c2, K2) if
• c1 6 c2
• K1 ? K2
• Examples
• (u, ) 6 (u, army)
• (u, ) 6 (c, )
• (c, army) 6 (t, army, navy, marines)

56
States

• A state (M, ?, V) is a snapshot of the system
• Protection matrix M
• Security function ? associates each object and
  subject with a security label
• Set of active triples V
• (s, o, a) 2 V implies that subject s currently
  has access to object o using access right a

57
The Simple Security Property

• For all (s, o, a) 2 V, if a is a read access
  mode, then
• ?(s) gt ?(o)
• In other words, if subject s has been granted
  read-type access to object o, then s must have a
  security label that is at least as high as that
  of o

58
The Simple Security Property

• Let
• ?(o) (c, army)
• ?(s1) (u, army, navy)
• ?(s2) (s, army, marines)
• The simple security property would
• prevent (s1, o, read) from entering V
• allow (s2, o, read) to enter V

59
The -Property

• For all (s, o, a) 2 V, if a is a write access
  mode, then
• ?(s) 6 ?(o)
• In other words, if subject s has been granted
  write-type access to object o, then s must have a
  security label that is no higher than that of o

60
The Discretionary Property

• For all (s, o, a) 2 V, (s, o, a) 2 M
• In other words, access is only granted if
  authorized by the protection matrix
• The protection matrix can be used to refine the
  information flow policy (enforced by the simple
  security property and -property)

61
Example

• One subject s three objects o1, o2 and o3
• ?(s) 2, ?(o1) 1, ?(o2) 2, ?(o3) 3
• V
• Three access rights read (r), append (a) and
  write (w)
• Append is write only access mode
• Write is a read and write access mode
• ?(s) 6 ?(o) and ?(s) gt ?(o)
• In other words ?(s) ?(o)
• M contains every access right in each entry
• Every request is authorized

62
Example

• s requests read access to o3
• Denied
• s requests read access to o1
• Granted
• V (s, o1, r)
• s requests append access to o1
• Denied
• s requests write access to o2
• Granted
• V (s, o1, r), (s, o2, w)

• s requests write access to o3
• Denied
• s requests append access to o3
• Granted
• V (s, o1, r), (s, o3, a)

63
BLP disadvantages

• Lacks relevance to commercial systems
• Model for confidentiality
• Designed for military applications
• Lacks flexibility

64
Unix Security Mechanisms
65
User Accounts

• Every user has a unique numeric user ID (UID)
• root user has UID 0
• Every user account also has one or more group
  identifiers (GID)
• User accounts are stored in /etc/passwd
• Unix applications require access to /etc/passwd
  in order to link user names to UIDs
• /etc/passwd can be read by anybody
• /etc/passwd cannot contain plaintext passwords
• In fact /etc/passwd doesnt even contain
  encrypted passwords

66
User Authentication

• User enters username
• User enters password
• Password is encrypted and compared with stored
  value
• Encrypted password is stored in /etc/shadow
• /etc/shadow is not world-readable
• Password is encrypted using MD5 hash function
• Shell process started for user and associated
  with users ID
• id command lists users ID and IDs of groups
  assigned to user
• uid537(jason) 502(webadmin)
• Any processes spawned by shell will be associated
  with users ID

67
Unix Processes

• Use ps command
• e option lists all processes running on machine
• f option provides more details such as PPID

68
Unix Permissions

• Three different permissions are supported
• read (r)
• write (w)
• execute (x)
• To execute a file both r and x must be granted
• To enter a directory x must be granted
• To list the contents of a directory r and x must
  be granted
• To create a file in a directory w and x must be
  granted

69
Unix Files

• Every file has an owner (identified by UID) and a
  group (identified by GID)
• Owner need not be a member of the group
• Devices are treated as files
• Provides consistent and conceptually elegant
  interface to devices
• echo hello world
• echo hello world gt myfile
• echo hello world gt /dev/lp0
• Devices must be adequately protected

70
File Protection

• Each file is associated with three different
  groups of permissions
• Owner
• Group
• World
• Represented internally as a 9-bit access mask
• If a bit is set then the corresponding permission
  is granted
• Represented symbolically using letters for access
  rights
• 111 101 101 is displayed as rwx r-x r-x by
  commands such as ls l
• Owner has read, write and execute access
• Group and world have read and execute access

71
File Protection

• Applies to most specific group to which user
  belongs
• Protection mechanism first tries to match
  requesting UID with file owner UID
• If match then requester has those access rights
• Else protection mechanism then tries to match
  requesting GID with file GID
• If match then requester has group access rights
• Otherwise requester has world access rights

72
File Protection

• Given the following output from ls l
• -rwxr-xr-x jason research ... test.exe
• ----rwxr- jason research ... example.exe
• jason has full access to test.exe
• jason has no access to example.exe even if he
  belongs to the research group
• Any member of the research group (except jason)
  has full access to example.exe

73
Windows 2000 Security Mechanisms
74
Windows 2000 Authentication

• The Winlogon process initiates the authentication
  procedure by intercepting the user secure
  attention sequence (CtrlAltDel)
• The user enters a username and password and
  authenticates to a Windows 2000 domain using the
  Kerberos protocol
• A successful authentication process results in an
  access token being returned to the Winlogon
  process
• The access token is bound to the authenticated
  user

75
Windows 2000 Authorization

• When a process makes a file access request the
  access token is presented to the NTFS service
• The NTFS service forwards the request, the access
  token and the files access control list (ACL) to
  the security reference monitor (SRM)
• The SRM compares the identities contained in the
  access token with those in the ACL entries

76
Windows 2000 Authorization
Access token
File access request
Object handle
Requested access mask access token and DACL
DACL
Granted access mask
77
Access Masks

• Windows recognizes several different access
  rights and encodes them in a 32-bit access mask
• An access request is handled as an access mask
• The security reference monitor constructs a
  granted access mask
• If the granted access mask is the same as the
  requested access mask then access is granted

78
Access Control Entries

• Each file in Windows 2000 has a security
  descriptor
• The most important item in the security
  descriptor is the discretionary access control
  list (DACL)
• The DACL is a list of access control entries
  (ACEs)
• Each ACE contains a security identifier and an
  access mask

79
Building the Granted Access Mask

• The SRM examines each ACE
• If the access token contains an SID that matches
  the ACE SID then
• The matching entries in the requested access mask
  and the ACE access mask are added to the granted
  access mask
• When the end of the DACL is reached the requested
  and granted access masks are compared

80
Building the Granted Access Mask

• Requested access mask 0110
• Initial granted access mask 0000
• Access token contains SIDs 1, 4 and 5
• Access denied

DACL
Granted access mask
SID 1 Access mask 1010
0010
SID 2 Access mask 0100
0010
SID 3 Access mask 1100
0010
SID 4 Access mask 0011
0010
81
Bells and Whistles

• Windows 2000 also has
• Access-denied ACEs
• Inherit-only ACEs
• Restricted SIDs
• Disabled SIDs
• Deny-only SIDs
• Privileges

82
Why Are Operating Systems Insecure?

• If an attacker can obtain Administrator access in
  Windows 2000 or root access in Unix then the
  security of the system can be fatally compromised
• Software vulnerabilities
• Incorrect or inadequate validation of user input
• Poor design
• Poor programming practice
• Poor implementation of standards
• Configuration vulnerabilities
• Poor choice of passwords and password policies
• Lack of control over services running on servers

83
Hardening Operating Systems

• Remove vulnerabilities
• Use security controls provided by operating
  system
• Follow the principle of least privilege
• Delete all access rights that are not required
• Remove or disable all services that are not
  required
• Use dedicated servers
• Multiple services on a single machine mean more
  avenues of attack and the compromise of all
  services
• Simpler to manage and defend against attack
• Rename powerful accounts and use strong passwords
• Many default accounts are powerful and have
  preset passwords

84
Further Reading

• C.P. Pfleeger. Security in Computing,
  Prentice-Hall (1997)
• B. Schneier. Secrets and Lies, Wiley (2000)
• R. Anderson. Security Engineering, Wiley (2000)
• D.E. Bell and L. LaPadula. Secure Computer
  Systems Mathematical Foundations, Mitre
  Corporation Technical Report MTR-2547 (1973)
• D.D. Clark and D.R. Wilson. A comparison of
  military and commercial computer security
  policies, Proceedings of IEEE Symposium on
  Security and Privacy, 184194 (1987)
• R.S. Sandhu et al. Role-based access control
  models, IEEE Computer, 29(6), 3847 (1996)

85
Information Security Reports

• CERT (Computer Emergency Response Team)
• http//www.cert.org/
• SysAdmin, Audit, Network, Security (SANS)
  Institute
• http//www.sans.org/
• Security Tracker
• http//www.securitytracker.com/