ACCESS CONTROL - PowerPoint PPT Presentation

Title: ACCESS CONTROL

Description: ACCESS CONTROL & SECURITY MODELS. Center of gravity of computer security. Fundamental Model of Access Control. Controlling Access. Access control policy: what can be used ... – PowerPoint PPT presentation

Slides: 59
Provided by: Nand151

Transcript and Presenter's Notes

1
ACCESS CONTROL & SECURITY MODELS
  • Center of gravity of computer security

2
Fundamental Model of Access Control
Reference Monitors
[Figure: a subject issues an access request; the reference monitor mediates it before the object is reached]
3
Controlling Access
  • Access control policy: what can be used to
    indicate who is allowed to do what to/with whom
    on the system.
  • Who is who?
  • Subject is what we call active entities
    (processes, users, other computers) that want to
    do something
  • What the subject does with the object can be
    just about anything, and it may be multi-part.
  • Typical manipulations include READ, MODIFY,
    CREATE, CHANGE, DELETE

4
Access Control Policy
  • Access right or privilege
  • An indication that a SUBJECT may legitimately use
    a specific type of ACCESS or MANIPULATION with
    respect to a particular OBJECT or set of OBJECTS.
  • The underlying system itself determines which
    primitive (or bottom level) access rights are
    available for which user/object combinations

5
Levels of Access Control
  • Application
  • Middleware
  • Operating system
  • Hardware

6
Operating System Access Controls
  • Authenticate principals/users
  • Passwords
  • Kerberos
  • Mediate access
  • Files
  • Communication ports
  • System resources

7
Models of Security
  • Need for a model
  • High assurance security system
  • What is a model supposed to do?
  • Express the security policy in a formal way
  • Describe the entities governed by the policy
  • State the rules that decide who gets access to
    your data
  • Scope and limitations of models

8
Security Models Bell-LaPadula
  • The Bell-LaPadula model is about information
    confidentiality, and this model formally
    represents the long tradition of attitudes to the
    flow of information concerning national secrets.
  • Multi-level security (MLS)

9
Security Models Chinese Wall
  • Large consultancies can easily find there are
    conflicts of interest if individual consultants
    are given access to all information held by the
    consultancy. Chinese Wall models a particular
    way of restricting information flow.

10
Security Models Biba
  • Why we need models (continued)
  • Based on the Cold War experiences, information
    integrity is also important, and the Biba model,
    complementary to Bell-LaPadula, is based on the
    flow of information where preserving integrity is
    critical.

11
Security Models Clark-Wilson
  • In the commercial sphere, the need is to engage
    in well-formed transactions which can only be
    undertaken by authorised personnel, and the
    Clark-Wilson model is an attempt to formally
    model a policy based on well-formed
    transactions.

12
Possible Access Control Mechanisms are
  • Control Matrix
  • Control lists
  • Groups and Roles
  • Extension to Distributed (file) Systems

13
Access Control Matrix
Users \ Objects   Operating system   Accounts Program   Accounting Data   Audit Trail
Sam               rwx                rwx                rw                r
Alice             x                  x                  rw                -
Bob               rx                 r                  r                 r
14
Example Access Control Matrix for Bookkeeping
Users \ Objects     Operating system   Accounts Program   Accounting Data   Audit Trail
Sam                 rwx                rwx                r                 r
Alice               rx                 x                  -                 -
Accounts program    rx                 r                  rw                w
Bob                 rx                 r                  r                 r
Srini               rx                 r                  r                 r
15
Access Control Matrices
  • 2/3 dimensions used to implement protection
    mechanisms and model them
  • Do not scale well
  • A bank with 50,000 staff and 300 objects?
    15 million entries
  • Update and performance problems
  • Prone to administrator mistakes
  • A more compact way is required

16
Groups and Roles
  • Group is a list of users/principals -- categories
  • Role is a fixed set of access permissions that
    one or more principals may assume
  • Group manager is a rank while the role of acting
    manager can be taken up by an assistant
    accountant standing in while the manager, deputy
    manager and accountant are all sick

17
Let us look at the example once again
Users \ Objects     Operating system   Accounts Program   Accounting Data   Audit Trail
Sam                 rwx                rwx                r                 r
Alice               rx                 x                  -                 -
Accounts program    rx                 r                  w                 w
Bob                 rx                 r                  r                 r
Srini               rx                 r                  r                 r
18
ACLs per subject (Capabilities list)
User       OS     A/C Prgm   A/C Data   Audit trail
Sam        rwx    rwx        r          r
Alice      rx     x          -          -
Acc.pgm    rx     r          rw         w
Bob        rx     r          r          r
Srini      rx     r          r          r
19
Access Control Lists
User     Accounting Data
Sam      rw
Alice    rw
Bob      r
Srini    r
20
Access Control Lists/Capabilities
  • How do you modify the entries in the lists?
  • add a new entry
  • delete an existing entry
  • modify the access right to an object?

21
Access Control Triples
  • Subject
  • Object
  • Access: r, w, x, ...
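
The matrix, ACL and capability-list views of slides 13 to 21, as an added example that is not part of the original slides. It encodes the bookkeeping matrix (slide 14) as a subject-by-object table, derives an ACL as a column and a capability list as a row, answers a (subject, object, access) triple the way a reference monitor would, and supports the add/delete/modify operations slide 20 asks about. The object keys (`os`, `acc_program`, ...) are constructed short names for the slides' columns.

```python
# Added example (not from the slides): the bookkeeping access control matrix,
# sliced two ways. An ACL is a column (kept with the object); a capability
# list is a row (kept by the subject). Subject names come from the slides;
# the short object keys are constructed.
from typing import Dict, List, Set

Rights = Set[str]
Matrix = Dict[str, Dict[str, Rights]]


def _r(s: str) -> Rights:
    """'rwx' -> {'r', 'w', 'x'}; '-' -> empty set."""
    return set(s) - {"-"}


# Rows = subjects, columns = objects, cells = sets of access rights (slide 14).
MATRIX: Matrix = {
    "Sam":              {"os": _r("rwx"), "acc_program": _r("rwx"), "acc_data": _r("r"),  "audit_trail": _r("r")},
    "Alice":            {"os": _r("rx"),  "acc_program": _r("x"),   "acc_data": _r("-"),  "audit_trail": _r("-")},
    "Accounts program": {"os": _r("rx"),  "acc_program": _r("r"),   "acc_data": _r("rw"), "audit_trail": _r("w")},
    "Bob":              {"os": _r("rx"),  "acc_program": _r("r"),   "acc_data": _r("r"),  "audit_trail": _r("r")},
    "Srini":            {"os": _r("rx"),  "acc_program": _r("r"),   "acc_data": _r("r"),  "audit_trail": _r("r")},
}


def allowed(matrix: Matrix, subject: str, obj: str, access: str) -> bool:
    """Reference-monitor decision on one (subject, object, access) triple."""
    return access in matrix.get(subject, {}).get(obj, set())


def acl(matrix: Matrix, obj: str) -> Dict[str, Rights]:
    """Column: the ACL stored with an object (subjects with no rights omitted)."""
    return {s: set(row[obj]) for s, row in matrix.items() if row.get(obj)}


def capabilities(matrix: Matrix, subject: str) -> Dict[str, Rights]:
    """Row: the capability list a subject holds (objects with no rights omitted)."""
    return {o: set(rights) for o, rights in matrix[subject].items() if rights}


def grant(matrix: Matrix, subject: str, obj: str, access: str) -> None:
    """Add an entry or extend one; an unknown subject gets an empty row first."""
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(access)


def revoke(matrix: Matrix, subject: str, obj: str, access: str) -> None:
    """Delete a right; revoking something never granted is a no-op."""
    matrix.get(subject, {}).get(obj, set()).discard(access)


def who_can(matrix: Matrix, obj: str, access: str) -> List[str]:
    """The question an ACL answers cheaply: everyone holding `access` on `obj`."""
    return sorted(s for s, row in matrix.items() if access in row.get(obj, set()))


def reachable(matrix: Matrix, subject: str) -> List[str]:
    """The question a capability list answers cheaply: every object the subject can touch."""
    return sorted(o for o, rights in matrix.get(subject, {}).items() if rights)


if __name__ == "__main__":
    print("ACL for audit_trail:", acl(MATRIX, "audit_trail"))
    print("Capabilities of Alice:", capabilities(MATRIX, "Alice"))
    print("Who can write acc_data:", who_can(MATRIX, "acc_data", "w"))
```

The two query functions show the trade-off slide 23 describes: `who_can` walks one column, which an ACL stores together, while `reachable` walks one row, which only a capability list keeps in one place; with only ACLs on disk, the system-wide "what can this user reach" check means visiting every object.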

22
Capabilities
  • While ACLs are kept by the O/S, capabilities are
    kept by the subject.
  • Capabilities give the possessor (of the token)
    certain rights to an object
  • Capabilities do not require authentication of
    subjects, but do require that the token be
    unforgeable (encrypted or in inaccessible
    storage) and that the propagation of capabilities
    be controlled.

23
Access Control lists (cont.)
  • Users manage their own file security, Unix
  • Data-oriented protection, for centrally set
    access control policy
  • OS checks the ACL at each file access
  • Not efficient security checking at runtime,
    though simple to implement
  • Tedious to find all files to which a user has
    access or perform system-wide checks

24
Let us look at an example of ACL implementations
  • UNIX
  • NT

25
Unix Operating System Security
  • Superuser account on Unix is root
  • UID (user identifier) equal to 0
  • The superuser can effectively do anything within
    the system
  • Superuser password is the most valuable password
    in the system
  • Don't share the superuser password outside the
    administrative group.

26
Basic file security
  • -rw-rw-r-- 1 root sys 1344 Jul 2 22:57
    /etc/vfstab

[Figure: the mode string is read in three groups of three bits]
    -rwxrwxrwx   Owner permissions (first group)
    -rwxrwxrwx   Group permissions (second group)
    -rwxrwxrwx   Other permissions (third group)
27
Basic file security
  • Important system files must have appropriate file
    permissions
  • e.g.
      -r--r--r--   1 root other   /etc/passwd
      -r--------   1 root sys     /etc/shadow
      -rw-r--r--   1 root sys     /etc/profile
      drwxr-xr-x  18 root sys     /usr
  • A finer granularity of file permissions can be
    achieved with access control lists (ACLs), e.g.
    AIX, HP-UX.

28
Unix Operating System Security(cont.)
  • A common defense against root compromise by
    hackers is to send the system log to a printer in
    a locked room or to another machine/server, e.g.
    Berkeley, FreeBSD
  • ACLs have only names of users, not of programs
  • Indirect method: suid and sgid file attributes

29
SUID and SGID Security
  • Owner of a program can mark it as suid, so that a
    user running it gets the owner's access control
    attributes (privileges)
  • sgid for groups
  • What is the security issue here?

30
SUID and SGID Security(cont.)
  • SUID root programs are particularly vulnerable to
    attack.
  • If it is possible to subvert the program in some
    way, then root access can be gained.
  • A very well known method of such subversion is
    the buffer overflow.
  • Buffer overflow vulnerability results from bad
    coding practices on the part of the original
    programmer of the SUID root program!
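
A small file-permission audit covering slides 26 to 30, as an added example that is not part of the original slides. It converts an `ls -l` mode string into the numeric permission bits (including the setuid, setgid and sticky flags), compares system files against a constructed policy of the modes the slides show, and flags world-writable files and setuid-root programs, which is what an administrator would look for after reading these slides. The policy table and the sample listing are constructed for this example; the policy modes are read off the slides' `ls -l` lines.

```python
# Added example (not from the slides): turn `ls -l` mode strings into stat
# bits and flag the risks the slides discuss. POLICY and SAMPLE are constructed.
import stat
from typing import Dict, List

# Constructed policy: the loosest mode each file listed on the slides should have.
POLICY: Dict[str, int] = {
    "/etc/passwd": 0o444,
    "/etc/shadow": 0o400,
    "/etc/profile": 0o644,
    "/etc/vfstab": 0o664,
}


def mode_bits(mode: str) -> int:
    """Convert a mode string such as '-rwsr-xr-x' into stat-style bits (0o4755)."""
    perm = mode[1:10]                    # drop the file-type character
    bits = 0
    for i, ch in enumerate(perm):
        if ch in "rwxst":                # lowercase: the underlying rwx bit is set
            bits |= 1 << (8 - i)
        if i == 2 and ch in "sS":        # owner x slot: setuid
            bits |= stat.S_ISUID
        elif i == 5 and ch in "sS":      # group x slot: setgid
            bits |= stat.S_ISGID
        elif i == 8 and ch in "tT":      # other x slot: sticky bit
            bits |= stat.S_ISVTX
    return bits


def audit_line(line: str) -> List[str]:
    """Findings for one `ls -l` line; an empty list means nothing to report."""
    fields = line.split()
    mode, owner, path = fields[0], fields[2], fields[-1]
    bits = mode_bits(mode)
    findings: List[str] = []
    if bits & stat.S_IWOTH:
        findings.append("world-writable")
    if bits & stat.S_ISUID:
        # A setuid program runs with its owner's privileges; owned by root it
        # is the case the slides single out as particularly exposed.
        findings.append("setuid-root" if owner == "root" else "setuid")
    if bits & stat.S_ISGID:
        findings.append("setgid")
    if path in POLICY and bits & ~POLICY[path] & 0o7777:
        findings.append(f"exceeds policy mode {oct(POLICY[path])}")
    return findings


def audit(listing: str) -> Dict[str, List[str]]:
    """Audit every line of a listing; only files with findings are returned."""
    report: Dict[str, List[str]] = {}
    for line in listing.strip().splitlines():
        findings = audit_line(line)
        if findings:
            report[line.split()[-1]] = findings
    return report


# Constructed sample listing: the first four lines restate the slides'
# examples, the last two are planted problems.
SAMPLE = """
-r--r--r--  1 root other   1234 Jul  2 22:57 /etc/passwd
-r--------  1 root sys      900 Jul  2 22:57 /etc/shadow
-rw-r--r--  1 root sys      600 Jul  2 22:57 /etc/profile
-rw-rw-r--  1 root sys     1344 Jul  2 22:57 /etc/vfstab
-rw-rw-rw-  1 root sys      600 Jul  2 22:57 /etc/hosts
-rwsr-xr-x  1 root bin    34567 Jul  2 22:57 /usr/local/bin/oldtool
"""

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "->", ", ".join(findings))
```

The policy comparison masks with `0o7777` so that only permission and special bits are compared; on a live system the same check would take its bits from `os.stat(path).st_mode` instead of parsing text.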

31
Authentication means
  • to establish the proof of identity.
  • Authentication techniques may vary depending on
    the kind of resource being accessed.
  • The various kinds of access can be classified
    into
  • user-to-host
  • host-to-host
  • user(or process) to user (process)

32
Trusted hosts
  • UNIX allows hosts to trust another.
  • If host A trusts host B, then a user who has the
    same user name on B and A can access resources on
    A from B without a password.
  • Implemented using .rhosts and /etc/hosts.equiv
  • rlogin, rsh, rcp

33
Trusted hosts - advantages
  • Password cannot be sniffed because it is not
    transmitted.
  • Users can log in once and then subsequently move
    to any machine in the trusted network.
  • Convenience.

34
Trusted hosts - disadvantages
  • If one host is compromised (e.g. boot B to single
    user mode then change to any user you like), then
    the other host is also compromised: read that
    user's files on A.
  • Even if B cannot be booted to single user mode
    without a password, one can physically replace B
    with another machine.
  • Trusted hosts use IP address authentication.
  • Vulnerable to IP spoofing.

35
NFS
  • Network File System
  • Developed by Sun Microsystems
  • Supported by most UNIX systems
  • Allows remote access to local file systems

36
NFS example (Solaris)
[Figure: Host A (NFS server) exports /files over the network; Host B mounts it and both sides exchange NFS calls]
    On Host A (server):  share -F nfs -o rw=B,root=B /files
    On Host B (client):  mount -t nfs A:/files /mnt/files
37
NFS Security Considerations
  • Export only to trusted hosts
  • Export only those parts of the filesystem which
    require remote access
  • Export read-only unless writing absolutely
    required
  • Be very careful mapping root on the server to
    root on the client.
  • Remove group write permissions for exported files
    and directories.
  • Be careful exporting user home directories

38
NFS Security Considerations
  • Do not allow users to log into NFS server.
  • Do not accept incoming NFS call requests on
    non-privileged ports.
  • Use Secure NFS.
  • Don't use NFS! (Is it absolutely necessary?)

39
Threats to Availability
  • Denial of Service attacks
  • Probably more of a threat when carried out via
    the network than on the local machine alone.
  • Not UNIX specific

40
Windows NT
  • Based on ACLs
  • Attributes for users & groups
  • Read, Write, Execute
  • Take ownership, change permissions, and delete
  • Multiple values to attributes instead of on/off
  • AccessDenied, AccessAllowed, SystemAudit

41
Benefits
  • Less than full administrator privileges required
    for routine tasks, eg. installing printers
  • Users and resources can be partitioned into
    domains with distinct administrators
  • Trust can be inherited between domains in one
    direction or both
  • Registry is the data structure used to hide the
    ACL details from the user interface

42
Problems
  • Not very suitable for large organisations
  • Naming issues
  • Domains scale badly when number of principals
    increase
  • Complex interactions between local and global
    groups due to restrictions that a user in another
    domain can't be administrator
  • Peculiarity: "Everyone" is a principal, and a
    resource can be locked quickly

43
Other Access Control methods
  • Sandboxing
  • Software that provides limited access rights to
    programs of unknown origins
  • Proof-carrying code
  • Programs to be executed must carry a proof that
    they don't do anything that contravenes the local
    security policy

44
Policies (1)
  • Historical considerations
  • The history of information systems and their
    automation is a history of compromise.
    Automation had to fit into existing schemes of
    information management. Similarly, the addition
    of security mechanisms has to fit into existing
    structures and systems. Highly secure systems
    are often a consequence of redesign and
    re-engineering of existing systems.
  • Mandatory Security Policies
  • A system wide policy decrees that all subjects
    and all objects are classified. Access classes
    are associated with every subject-object pair.
  • Access rights depend on the triple
    subject-object-access class, for all triples, e.g.
    <Sam, Production Log, Write>

45
Policies (2)
  • Discretionary Security Policies
  • Users are allowed to grant access to other users
    - often the OWNER of an object can grant access
    privileges to other users (at the owner's
    discretion)
  • Discretionary Policies may allow one user to pass
    data to another user without the authority of the
    creator of the data

46
Security Models Formal Methods
  • One benefit of using formal models is that
    mathematical (sometimes called formal) methods
    can be used to confirm that all transitions
    allowed by the model preserve the secure state of
    the system being modeled
  • For real systems, modeling is not easy

47
Access Control - Ranked Model (1)
  • Multi-level
  • Often called lattice methods
  • Basis of military and commercial security
  • Set of ordered security levels, users assigned to
    a level
  • User subjects are privileged to access a rank
    and all lower ranks
  • Students do not need to master the notation used
    in Gollman

48
Access Control - Ranked Model (2)
  • We are also concerned about need to know
  • Compartment the information to be secured
  • Granting access
  • A subject is cleared to access an object
    only if rank(subject) >= rank(object) AND
    the set of all compartments that contain the
    object is contained within the set of
    compartments that the subject is cleared to
    access
  • (The personnel manager will not be allowed to
    access confidential production data)

49
Access Control - Ranked Model (3)
  • Companies often use the ranks
  • Public, Company Confidential, Executive-only
  • Deciding what lies in what compartment keeps
    security staff occupied

50
Bell - LaPadula (1)
  • Earliest formal model
  • Each user subject and information object has a
    fixed security class
  • Use the notation >= to indicate dominance
  • Simple Security (ss) property: the no read-up
    (NRU) property
  • A subject has read access to an object if the
    class of the subject C(s) is greater than or
    equal to the class of the object C(o)
  • need C(s) >= C(o)

51
Bell - LaPadula (2)
  • *-property (star): the no write-down (NWD)
    property
  • While a subject has read access to object O, the
    subject can only write to object P if C(P) >=
    C(O)
  • Leads to concentration of irrelevant detail at
    upper levels
  • Discretionary Security (ds) property: if
    discretionary policies are in place, accesses are
    further limited to this access matrix
  • Although all users in the personnel department
    can read all personnel documents, the personnel
    manager would expect to limit the readers of a
    document that dealt with redundancies in the
    personnel department !

52
Transitions
  • If a system starts in a secure state, and all
    transitions are secure, then the system remains
    in a secure state.
  • But what if we allow users to downgrade all
    objects, and then modify the access control
    matrix so all modes are allowed for each entry?
  • So we need to beware of transitions that change
    access rights

53
Tranquility
  • Gollman p 49; Pfleeger (3ed) p 305
  • Starting with a Bell-LaPadula model, with ranked
    classes of users
  • Say Executive, Company-confidential, Public
  • And segregated compartments,
  • Say Sales, Production
  • And all users assigned a rank,
  • And all files assigned a rank and a
    compartment: TRANQUILITY is when these
    assignments do not change or are not allowed to
    change

54
Tranquility in practice
  • Production program systems need to open and use
    work files, and open and use spool print files,
    class or subroutine libraries need to be
    accessed.
  • For systems with mandatory security, these
    entities all need labels and levels.
  • In practice assigning security levels to these
    sorts of entities is not easy.

55
Chinese Wall Model
  • Suppose a consultancy has several airlines as
    clients
  • It is a conflict of interest if a consultant
    working with Qantas has access to confidential
    data on Gulf gathered from another assignment
  • Security policy builds on 3 levels of
    abstraction
  • Objects: lowest level, e.g. files
  • Company groups: all objects concerning a
    particular company are grouped together
  • Conflict classes: at the highest level, all
    groups of objects for competing companies are
    clustered.
  • No information flow that causes a conflict of
    interest
  • For this model to work, a history of access
    rights has to be maintained
  • (Also, if confidential information is written
    across conflict classes, an effective conflict of
    interest is created)
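
The Chinese Wall policy of slide 55 as a small reference monitor, an added example that is not part of the original slides. It keeps the per-consultant access history the slides say the model needs, uses the three levels of abstraction (objects, company groups, conflict classes), and applies the write rule the last bullet alludes to in the form Brewer and Nash gave it: a subject may write to a company's object only if it may read it and has read nothing from any other company, so that no data can flow across a conflict class through the write. Company, file and consultant names are constructed; the airline scenario follows the slides.

```python
# Added example (not from the slides): Chinese Wall with an access history.
# Conflict classes, company groups, object names and subjects are constructed.
from typing import Dict, Set

# Highest level: conflict classes cluster the competing companies.
CONFLICT_CLASSES: Dict[str, Set[str]] = {
    "airlines": {"Qantas", "Gulf"},
    "banks": {"FirstBank", "SecondBank"},
}

# Middle level: each object belongs to exactly one company group.
COMPANY_OF: Dict[str, str] = {
    "qantas/routes.xlsx": "Qantas",
    "gulf/fleet-plan.doc": "Gulf",
    "firstbank/ledger.csv": "FirstBank",
}


def conflict_class(company: str) -> str:
    """Name of the conflict class a company belongs to."""
    return next(cc for cc, members in CONFLICT_CLASSES.items() if company in members)


class ChineseWall:
    def __init__(self) -> None:
        # subject -> companies whose objects the subject has already read
        self.history: Dict[str, Set[str]] = {}

    def can_read(self, subject: str, obj: str) -> bool:
        """Allowed unless the subject already read a competitor in the same class."""
        company = COMPANY_OF[obj]
        cc = conflict_class(company)
        return not any(seen != company and conflict_class(seen) == cc
                       for seen in self.history.get(subject, set()))

    def read(self, subject: str, obj: str) -> bool:
        """Mediate a read and, if allowed, record it in the history."""
        if not self.can_read(subject, obj):
            return False
        self.history.setdefault(subject, set()).add(COMPANY_OF[obj])
        return True

    def can_write(self, subject: str, obj: str) -> bool:
        """Writing is allowed only if the subject may read the object and has read
        nothing from any other company: otherwise confidential data could be
        carried across a conflict class by the write."""
        company = COMPANY_OF[obj]
        others = self.history.get(subject, set()) - {company}
        return self.can_read(subject, obj) and not others


if __name__ == "__main__":
    wall = ChineseWall()
    wall.read("consultant", "qantas/routes.xlsx")
    print(wall.can_read("consultant", "gulf/fleet-plan.doc"))   # False: conflict of interest
    print(wall.can_read("consultant", "firstbank/ledger.csv"))  # True: different class
```

Note that the decision changes over time: the first read of an airline file is what raises the wall, which is why the history, not a static matrix, is the state the monitor has to protect.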

56
Biba
  • Concerned with integrity of information
  • We wish to prevent the spread of untrusted
    information
  • A Cold War issue - the intelligence services of
    the UK were known to have been compromised by the
    Soviets. How then could the USA ensure that USA
    intelligence data was not corrupted by possibly
    misleading data flowing from UK sources?
  • Subject s can only modify object o if I(s) >=
    I(o) (no write up)
  • Integrity *-property: if s can read o, s can
    only write to p if I(o) >= I(p)
  • So clean objects do not become contaminated
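
The ranked model (slides 47 to 49), Bell-LaPadula (slides 50 and 51) and Biba (slide 56) share one piece of machinery, the dominance test on labels, so this added example (not part of the original slides) implements that once and then the rules of each model as the slides state them. Rank names are the slides' company ranks; the compartments, the integrity scale and the sample labels are constructed.

```python
# Added example (not from the slides): labels as (rank, compartments) forming
# a lattice, dominance, and the BLP and Biba rules stated on the slides.
# Compartments, the integrity scale and the sample labels are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Iterable

RANKS = {"Public": 0, "Company-confidential": 1, "Executive": 2}   # slide 53


@dataclass(frozen=True)
class Label:
    rank: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal rank AND a superset of compartments
        (the rank(subject) >= rank(object) AND compartments rule of slide 48)."""
        return (RANKS[self.rank] >= RANKS[other.rank]
                and other.compartments <= self.compartments)


def ranked_read(subject: Label, obj: Label) -> bool:
    """Ranked model / BLP simple-security (no read up): need C(s) >= C(o)."""
    return subject.dominates(obj)


def blp_write(read_so_far: Iterable[Label], target: Label) -> bool:
    """BLP *-property (no write down): while holding read access to objects O,
    a write to P is allowed only if C(P) >= C(O) for every such O."""
    return all(target.dominates(o) for o in read_so_far)


# Biba integrity levels; higher means more trustworthy (constructed scale).
INTEGRITY = {"untrusted": 0, "uk_source": 1, "usa_verified": 2}


def biba_modify(subject_i: str, obj_i: str) -> bool:
    """Biba: s may modify o only if I(s) >= I(o) (no write up)."""
    return INTEGRITY[subject_i] >= INTEGRITY[obj_i]


def biba_write_after_read(read_i: str, target_i: str) -> bool:
    """Biba integrity *-property: having read o, s may write p only if I(o) >= I(p),
    so a clean object is never contaminated by lower-integrity input."""
    return INTEGRITY[read_i] >= INTEGRITY[target_i]


# Constructed labels for the slides' personnel-manager example (slide 48).
PERSONNEL_MANAGER = Label("Executive", frozenset({"Personnel"}))
PRODUCTION_DATA = Label("Company-confidential", frozenset({"Production"}))
PERSONNEL_FILE = Label("Company-confidential", frozenset({"Personnel"}))
PUBLIC_NOTICE = Label("Public")

if __name__ == "__main__":
    print(ranked_read(PERSONNEL_MANAGER, PRODUCTION_DATA))   # False: wrong compartment
    print(ranked_read(PERSONNEL_MANAGER, PERSONNEL_FILE))    # True
    print(blp_write([PERSONNEL_FILE], PUBLIC_NOTICE))        # False: would write down
    print(biba_write_after_read("uk_source", "usa_verified"))  # False: would contaminate
```

Running the personnel example shows why compartments matter even with a higher rank: the executive dominates the production data in rank but not in compartment, so the read is refused, which is exactly the need-to-know restriction slide 48 describes.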

57
Clark-Wilson (1)
  • The security requirements of commercial
    transactions are about integrity, and the
    prevention of error and fraud.
  • There is an established principle of separation
    of duties, which aims to ensure that users must
    collaborate to validly manipulate data, and hence
    users must collude to commit fraud.
  • Clark-Wilson aims to define well-formed
    transactions, so users cannot directly access
    data,
  • and specific data items can only be modified by
    defined programs.

58
Clark-Wilson (2)
  • Internal consistency of data items should be
    ensured by the system. Overall:
  • Subjects have to be identified and authenticated
  • Objects can be manipulated by a restricted set of
    programs
  • Subjects can execute only a restricted set of
    programs
  • A proper audit has to be maintained.
  • The system has to be certified to work properly.
  • An application oriented IT system model, a
    framework and guideline for security policy
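
A toy Clark-Wilson enforcement layer for slides 57 and 58, an added example that is not part of the original slides. The constrained data item is a double-entry ledger whose integrity verification procedure (IVP) checks that debits equal credits; the ledger can be changed only through certified transformation procedures (TPs); each user is allowed only a restricted set of TPs, arranged so that posting and reversing need two different people (separation of duties); and every attempt is written to an audit log. Procedure names, users and the ledger contents are constructed.

```python
# Added example (not from the slides): Clark-Wilson style enforcement.
# CDI = the ledger; TPs = the only code allowed to change it; ALLOWED = which
# user may run which TP; AUDIT_LOG = the audit the model requires. All constructed.
from typing import Callable, Dict, List, Set, Tuple


class IntegrityError(Exception):
    pass


# Constrained data item: a ledger of (account, signed amount) postings.
LEDGER: List[Tuple[str, int]] = []


def ivp_ledger_balanced(ledger: List[Tuple[str, int]]) -> bool:
    """Integrity verification procedure: the ledger is consistent when it balances."""
    return sum(amount for _, amount in ledger) == 0


# Certified TPs: each takes the CDI first, then its own arguments.
def tp_post_entry(ledger: List[Tuple[str, int]], debit: str, credit: str, amount: int) -> None:
    if amount <= 0:
        raise IntegrityError("amount must be positive")
    ledger.append((debit, amount))
    ledger.append((credit, -amount))


def tp_reverse_last(ledger: List[Tuple[str, int]]) -> None:
    if len(ledger) < 2:
        raise IntegrityError("nothing to reverse")
    ledger.pop()
    ledger.pop()


TPS: Dict[str, Callable] = {"post_entry": tp_post_entry, "reverse_last": tp_reverse_last}

# Which user may run which TP. Separation of duties: the clerk who posts an
# entry cannot also reverse one; that needs the supervisor.
ALLOWED: Dict[str, Set[str]] = {"clerk": {"post_entry"}, "supervisor": {"reverse_last"}}

AUDIT_LOG: List[str] = []


def run_tp(user: str, tp_name: str, *args) -> bool:
    """The only path to the CDI: check the user/TP relation, run the certified TP,
    re-run the IVP, roll back on failure, and log every attempt. Returns True if
    the transaction was applied."""
    if tp_name not in ALLOWED.get(user, set()):
        AUDIT_LOG.append(f"DENY {user} {tp_name} {args}")
        return False
    snapshot = list(LEDGER)
    try:
        TPS[tp_name](LEDGER, *args)
        if not ivp_ledger_balanced(LEDGER):
            raise IntegrityError("ledger unbalanced after TP")
    except IntegrityError as exc:
        LEDGER[:] = snapshot                  # the CDI never stays in a bad state
        AUDIT_LOG.append(f"FAIL {user} {tp_name} {args}: {exc}")
        return False
    AUDIT_LOG.append(f"OK {user} {tp_name} {args}")
    return True


if __name__ == "__main__":
    run_tp("clerk", "post_entry", "cash", "sales", 100)
    run_tp("clerk", "reverse_last")          # denied: separation of duties
    run_tp("supervisor", "reverse_last")     # allowed
    print("\n".join(AUDIT_LOG))
```

The point to notice is what is absent: no function lets a user write to `LEDGER` directly, so "users cannot directly access data" is a property of the interface, and certification of the TPs (here, reviewing two short functions) is what the model's "system has to be certified" bullet reduces to.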