Title: ACCESS CONTROL
1ACCESS CONTROL SECURITY MODELS
- Center of gravity of computer security
2Fundamental Model of Access Control
Reference Monitors
subject
Access request
object
3Controlling Access
- Access control policy what can be used to
indicate who is allowed to do what to/with whom
on the system. - Who is who ?
- Subject is what we call active entities
- (processes, users, other computers) that want to
do something - The what the subject does with the object can be
just about anything, and it may be multi-part. - Typical manipulations include READ, MODIFY,
CREATE, CHANGE, DELETE
4Access Control Policy
- Access right or privilege
- An indication that a SUBJECT may legitimately use
a specific type of ACCESS or MANIPULATION with
respect to a particular OBJECT or set of OBJECTS. - The underlying system itself determines which
primitive (or bottom level) access rights are
available for which user/object combinations
5Levels of Access Control
- Application
- Middleware
- Operating system
- Hardware
6Operating System Access Controls
- Authenticate prinicipals/users
- Passwords
- Kerberos
- Mediate access
- Files
- Communication ports
- System resources
7Models of Security
- Need for a model
- High assurance security system
- What a model supposed to do?
- Express the security policy in a formal way
- Describe the entities governed by the policy
- State the rules that decide who gets access to
your data - Scope and limitations of models
8Security Models Bell-LaPadula
- The Bell-LaPadula model is about information
confidentiality, and this model formally
represents the long tradition of attitudes to the
flow of information concerning national secrets. - Multi-level security (MLS)
9Security Models Chinese Wall
- Large consultancies can easily find there are
conflicts of interest if individual consultants
are given access to all information held by the
consultancy. Chinese Wall models a particular
way of restricting information flow.
10Security Models Biba
- We need models continued
- Based on the Cold War experiences, information
integrity is also important, and the Biba model,
complementary to Bell-LaPadula, is based on the
flow of information where preserving integrity is
critical.
11Security Models Clarke-Wilson
- In the commercial sphere, the need is to engage
in well-formed transactions which can only be
undertaken by authorised personnel, and the
Clarke-Wilson model is an attempt to formally
model a policy based on well-formed
transactions.
12Possible Access Control Mechanisms are
- Control Matrix
- Control lists
- Groups and Roles
- Extension to Distributed (file) Systems
13 Access Control Matrix
Object Users Operating system Accounts Program Accounting Data Audit Trail
Sam rwx rwx rw r
Alice x x rw -
Bob rx r r r
14 Example Access Control Matrix for Bookkeeping
Operating system Accounts Program Accounting Data Audit Trail
Sam rwx rwx r r
Alice rx x - -
Accounts program rx r rw w
Bob rx r r r
Srini rx r r r
15Access Control Matrices
- 2/3 dimensions used to implement protection
mechanisms and model them - Do not scale well
- A bank with 50,000 staff 300 objects ?
15million entries - Update and performance problem
- Prone to administrators mistakes
- A more compact way is required
16Groups and Roles
- Group is a list of users/principals-- categories
- Role is a fixed set of access permissions that
one or more principals may assume - Group manager is a rank while the role of acting
manager can be taken up by an assistant
accountant standing in while the manager, deputy
manager and accountant are all sick
17 Let us look at the example once again
Operating system Accounts Program Accounting Data Audit Trail
Sam rwx rwx r r
Alice rx x - -
Accounts program rx r w w
Bob rx r r r
Srini rx r r r
18ACLs per subject(Capabilities list)
Sam
rwx
rwx
r
r
Alice
rx
x
-
-
Acc.pgm
rx
r
rw
w
Bob
rx
r
r
r
Srini
rx
r
r
r
User
OS
A/C Prgm
A/C Data
Audit trail
19Access Control Lists
User Accounting Data
Sam rw
Alice rw
Bob r
Srini r
20Access Control Lists/Capabilities
- How do you modify the entries in the lists?
- add a new entry
- delete an existing entry
- modify the access right to an object?
21Access Control Triples
- Subject
- Object
- Access ? r, w, x, ?
22Capabilities
- While ACLs are kept by the O/S,capabilities are
kept by the subject. - Capabilities give the possessor (of the token)
certain rights to an object - Capabilities do not require authentication of
subjects, but do require that the token be
unforgeable (encrypted or in inaccessible
storage) and that the propagation of capabilities
be controlled.
23Access Control lists (cont.)
- Users manage their own file security, Unix
- Data-oriented protection, for centrally set
access control policy - OS checks the ACL at each file access
- Not efficient security checking at runtime,
though simple to implement - Tedious to find all files to which a user has
access or perform system-wide checks
24Let us look at an example of ACL implementations
25Unix Operating System Security
- Superuser account on Unix is root
- UID (user identifier) equal to 0
- The superuser can effectively do anything within
the system - Superuser password is the most valuable password
in the system - Dont share the superuser password outside the
administrative group.
26Basic file security
- -rw-rw-r-- 1 root sys 1344 Jul 2 2257
/etc/vfstab
Others
Group
Owner
-rwxrwxrwx Owner permissions -rwxrwxrwx Group
permissions -rwxrwxrwx Other permissions
27Basic file security
- Important system files must have appropriate file
permissions - e.g-r--r--r-- 1 root other
/etc/passwd-r-------- 1 root sys
/etc/shadow-rw-r--r-- 1 root sys
/etc/profile - drwxr-xr-x 18 root sys /usr
- A finer granularity of file permissions can be
achieved with access control lists (ACLs), e.g.
AIX, HP-UX.
28Unix Operating System Security(cont.)
- A common defense against root compromise by
hackers -- is system log to a printer in a locked
room or to another machine/server, eg. Berkeley,
FreeBSD - ACLs have only names of users, not of programs
- Indirect method gt suid and sgid file attributes
29SUID and SGID Security
- Owner of a program can mark it as suid, enabling
a user, special privileges of access control
attributes - sgid for groups
- What is the security issue here?
30SUID and SGID Security(cont.)
- SUID root programs are particularly vulnerable to
attack. - If it is possible to subvert the program in some
way, then root access can be gained. - A very well known method of such subversion is
the buffer overflow. - Buffer overflow vulnerability results from bad
coding practices on the part of the original
programmer of the SUID root program!
31Authentication means
- to establish the proof of identity.
- Authentication techniques may vary depending on
the kind of resource being accessed. - The various kinds of access can be classified
into - user-to-host
- host-to-host
- user(or process) to user (process)
32Trusted hosts
- UNIX allows hosts to trust another.
- If host A trusts host B, then a user who has the
same user name on B and A can access resources on
A from B without a password. - Implemented using .rhosts and /etc/hosts.equiv
- rlogin, rsh, rcp
33Trusted hosts - advantages
- Password cannot be sniffed because it is not
transmitted. - Users can log in once and then subsequently move
to any machine in the trusted network. - Convenience.
34Trusted hosts - disadvantages
- If one host is compromised (e.g. boot B to single
user mode then change to any user you like), then
the other host is also compromised read that
users files on A. - Even if B cannot be booted to single user mode
without a password, can physically replace B with
another machine. - Trusted hosts uses IP address authentication.
- Vulnerable to IP spoofing.
35NFS
- Network File System
- Developed by Sun Microsystems
- Supported by most UNIX systems
- Allows remote access to local file systems
36NFS example (Solaris)
Host ANFS Server
Network
/files
NFS calls
NFS calls
mount t nfs A/files /mnt/files
Host B
share -F nfs -o rwB,rootB /files
37NFS Security Considerations
- Export only to trusted hosts
- Export only those parts of the filesystem which
require remote access - Export read-only unless writing absolutely
required - Be very careful mapping root on the server to
root on the client. - Remove group write permissions for exported files
and directories. - Be careful exporting user home directories
38NFS Security Considerations
- Do not allow users to log into NFS server.
- Do not accept incoming NFS call requests on
non-privileged ports. - Use Secure NFS.
- Dont use NFS! (Is it absolutely necessary?)
39Threats to Availability
- Denial of Service attacks
- Probably more of a threat when carried out via
the network than on the local machine alone. - Not UNIX specific
40Windows NT
- Based on ACLs
- Attributes to users groups
- Read, Write, Execute
- Take ownership, change permissions, and delete
- Multiple values to attributes instead of on/off
- AccessDenied, AccessAllowed, SystemAudit
41Benefits
- Less than full administrator privileges required
for routine tasks, eg. installing printers - Users and resources can be partitioned into
domains with distinct administrators - Trust can be inherited between domains in one
direction or both - Registry is the data structure used to hide the
ACL details from the user interface
42Problems
- Not very suitable for large organisations
- Naming issues
- Domains scale badly when number of principals
increase - Complex interactions between local and global
groups due to restrictions that a user in another
domain cant be administrator - Peculiarity of everyone is a principal, and a
resource can be locked quickly
43Other Access Control methods
- Sandboxing
- Software that provides limited access rights to
programs of unknown origins - Proof-carrying code
- Programs to be executed must carry a proof that
it doesnt do anything that contravenes the local
security policy
44Policies (1)
- Historical considerations
- The history of information systems and their
automation is a history of compromise.
Automation had to fit into existing schemes of
information management. Similarly, the addition
of security mechanisms has to fit into existing
structures and systems. Highly secure systems
are often a consequence of redesign and
re-engineering of existing systems. - Mandatory Security Policies
- A system wide policy decrees that all subjects
and all objects are classified. Access classes
are associated with every subject-object pair. - Access rights depend on the triple
subject-object-access class for all triplets
ltSam, Production Log, Writegt
45Policies (2)
- Discretionary Security Policies
- Users are allowed to grant access to other users
- often the OWNER of an object can grant access
privileges to other users, (at the owners
discretion ) - Discretionary Policies may allow one user to pass
data to another user without the authority of the
creator of the data
46Security Models Formal Methods
- One benefit of using formal models is that
mathematical (sometimes called formal) methods
can be used to confirm that all transitions
allowed by the model preserve the secure state of
the system being modeled - For real systems, modeling is not easy
47Access Control - Ranked Model (1)
- Multi-level
- Often called Lattice methods
- Basis of military and commercial security
- Set of ordered security levels, users assigned to
a level - User subjects are privileged to access a rank
and all lower ranks - Students do not need to master the notation used
in Gollman
48Access Control - Ranked Model (2)
- We are also concerned about need to know
- Compartment the information to be secured
- Granting access
- A subject is cleared to access object
- only if rank(subject) gt rank (object) AND
- The set of all compartments that contain the
object are contained within the set of
compartments that the subject is cleared to
access - (The personnel manager will not be allowed to
access confidential production data)
49Access Control - Ranked Model (3)
- Companies often use the ranks
- Public, Company Confidential, Executive-only
- Deciding what lies in what compartment keeps
security staff occupied
50Bell - LaPadula (1)
- Earliest formal model
- Each user subject and information objecthas a
fixed security class - Use the notation gt to indicate dominance
- Simple Security (ss) propertythe no read-up
(NRU) property - A subject has read access to an object if the
- class of the subject C(s) is greater than or
equal to the class of the object C(o) - need C(s) gt C(o)
51Bell - LaPadula (2)
- property (star) the no write-down (NRD)
property - While a subject has read access to object O, the
subject can only write to object P ifC(P) gt
C (O) - Leads to concentration of irrelevant detail at
upper levels - Discretionary Security (ds) propertyIf
discretionary policies are in place, accesses are
further limited to this access matrix - Although all users in the personnel department
can read all personnel documents, the personnel
manager would expect to limit the readers of a
document that dealt with redundancies in the
personnel department !
52Transitions
- If a system starts in a secure state, and all
transitions are secure, then the system remains
in a secure state. - But what if we allow users to downgrade all
objects, and then modify the access control
matrix so all modes are allowed for each entry
? - So we need to beware of transitions that change
access rights
53Tranquility
- Gollman p 49 Pfleeger (3ed) p 305
- Starting with a Bell-LaPadula model, with ranked
classes of users - Say Executive, Company-confidential, Public
- And segregated compartments,
- Say Sales, Production
- And all users assigned a rank,
- And all files assigned a rank and a
compartmentTRANQUILITY is when these
assignments do not change or are not allowed to
change
54Tranquility in practice
- Production program systems need to open and use
work files, and open and use spool print files,
class or subroutine libraries need to be
accessed. - For systems with mandatory security, these
entities all need labels and levels. - In practice assigning security levels to these
sorts of entities is not easy.
55Chinese Wall Model
- Suppose a consultancy has several airlines as
clients - It is a conflict of interest if a consultant
working with Quantas has access to confidential
data on Gulf gathered from another assignment - Security policy builds on 3 levels of
abstraction - Objects lowest levels, eg. Files
- Company groups all objects concerning a
particular company are grouped together - Conflict classes at the highest level, all
groups of objects for competing companies are
clustered. - No information flow that causes a conflict of
interest - For this model to work, a history of access
rights has to be maintained - (Also, if confidential information is written
across conflict classes, an effective conflict of
interest is created)
56Biba
- Concerned with integrity of information
- We wish to prevent the spread of untrusted
information - A Cold war issue - the intelligence services of
the UK were known to have been compromised by the
Soviets. How then could the USA ensure that USA
intelligence data was not corrupted by possibly
misleading data flowing from UK sources ? - Subject s can only modify object o if I(s) gt
I(o) ( no write up) - Integrity propertyIf s can read o, s can
only write to p if I(o) gt I(p) - So clean objects do not become contaminated
57Clark-Wilson (1)
- The security requirements of commercial
transactions are about integrity, and the
prevention of error and fraud. - There is an established principle of separation
of duties, which aims to ensure that users must
collaborate to validly manipulate data, and hence
users must collude to commit fraud. - Clark-Wilson aim to define well-formed
transactions, so users cannot directly access
data, - and specific data items can only be modified by
defined programs.
58Clark-Wilson (2)
- Internal consistency of data items should be
ensured by the system Overall - Subjects have to be identified and authenticated
- Objects can be manipulated by a restricted set of
programs - Subjects can execute only a restricted set of
programs - A proper audit has to be maintained.
- The system has to be certified to work properly.
- An application oriented IT system model, a
framework and guideline for security policy