ACCESS CONTROL - PowerPoint PPT Presentation

1 / 57
About This Presentation
Title:

ACCESS CONTROL

Description:

ACCESS CONTROL & SECURITY MODELS (REVIEW) Center of gravity of computer security Fundamental Model of Access Control Possible Access Control Mechanisms are Control ... – PowerPoint PPT presentation

Number of Views:298
Avg rating:3.0/5.0
Slides: 58
Provided by: Nand151
Category:

less

Transcript and Presenter's Notes

Title: ACCESS CONTROL


1
ACCESS CONTROL SECURITY MODELS (REVIEW)
  • Center of gravity of computer security

2
Fundamental Model of Access Control
Reference Monitors
subject
Access request
object
3
Possible Access Control Mechanisms are
  • Control Matrix
  • Control lists
  • Groups and Roles
  • Extension to Distributed (file) Systems

4
Example Access Control Matrix for Bookkeeping
Operating system Accounts Program Accounting Data Audit Trail
Sam rwx rwx r r
Alice rx x - -
Accounts program rx r rw w
Bob rx r r r
Srini rx r r r
5
Basic UNIX file security
  • -rw-rw-r-- 1 root sys 1344 Jul 2 2257
    /etc/vfstab

Others
Group
Owner
-rwxrwxrwx Owner permissions -rwxrwxrwx Group
permissions -rwxrwxrwx Other permissions
6
SUID and SGID Security
  • Owner of a program can mark it as suid, enabling
    a user, special privileges of access control
    attributes
  • sgid for groups
  • What is the security issue here?

7
SUID and SGID Security(cont.)
  • SUID root programs are particularly vulnerable to
    attack.
  • If it is possible to subvert the program in some
    way, then root access can be gained.
  • A very well known method of such subversion is
    the buffer overflow.
  • Buffer overflow vulnerability results from bad
    coding practices on the part of the original
    programmer of the SUID root program!

8
ACCESS CONTROL SECURITY MODELS(2)
  • Center of gravity of computer security

9
Buffer Overflow
  • kill_sntsd.plThere is a remotely exploitable
    buffer overflow in the simple network time sync
    daemon present on RedHat 6.1.
  • adredirasp.txtMicrosoft BackOffice component
    adredir.asp contains a buffer overflow.
  • dmail27q.txtNetwin DSMTP Server v2.7q contains a
    remotely exploitable buffer overflow.
  • kdesud.txtKDE kdesud present in Mandrake 7.02
    (Air) has a buffer overflow allowing you to gain
    gid 0.
  • innd222over.txtThe news server innd 2.2.2 has a
    remotely exploitable buffer overflow.
  • cgatepro.txtCommuniGatePro 3.1 for Windows NT
    contains a buffer overflow.
  • chkperm.txtSolaris 2.x chkperm contains a buffer
    overflow.
  • winamp.txtNullsoft Winamp 2.10 contains a buffer
    overflow in its handling of playlist files
    allowing execution of arbitrary code. Exploit
    included.
  • icqover.txtICQ Version 99b 1.1.1.1 contains a
    buffer overflow.
  • qpop3.txtQpopper lt 3.0beta29 contains a buffer
    overflow that allows authenticated users to
    execute arbitrary.
  • ex_sdtcm_convert.cSparc Solaris 7 sdtcm_convert
    buffer overflow exploit.freebsdover.txtBuffer
    overflows exist in fts, du, and find in FreeBSD
    2.2.7/2.2.8.
  • netwaretts.txtThere is a buffer overflow in the
    Transaction Tracking System (TTS) built into
    Novel Netware.
  • ex_lpset.cExploit for buffer overflow in Solaris
    x86 lpset.
  • ex_admintool.cExploit for buffer overflow in
    Solaris x86 admintool.
  • ex_dtprintinfo.cExploit for buffer overflow in
    Solaris x86 dtprintinfo.
  • netbuf.cExploit for TCP buffer overflow mbuf
    panic in FreeBSD-2.x and IRIX.
  • smbval.txtThe SMB authentication library
    smbvalid.a contains many buffer overflows.
  • iis4over.txtRetina vs. IIS4, Round 2 - IIS4 SP3
    Option Pack 4 are vulnerable to remote buffer
    overflows. EXPLOIT INCLUDED.ftpd.txtRemote
    buffer overflows in various FTP servers leads to
    potential root compromise. (ProFTPD 1.2.0pre1 and
    Wuarchive ftpd (2.4.2-academBETA-18)).
  • slmail3.1.txtSLMail 3.1 contains yet another
    buffer overflow.

Hundreds of Buffer Overflow vulnerabilities have
been documented in various versions of UNIX Not
restricted to UNIX, Windows and other operating
systems can also be vulnerable. Writing a
buffer overflow attack requires some knowledge of
the stack architecture for the particular
hardware (e.g. Intel stacks implemented in a
different way from SPARC stacks)
10
Buffer Overflow The problem
  • void function(char str)
  • char buffer16
  • strcpy(buffer,str)
  • void main()
  • char string256
  • int i
  • for( i 0 i lt 255 i)
  • stringi 'A'
  • function(string)

11
Buffer Overflow
  • void function(char str)
  • char buffer16
  • strcpy(buffer,str)
  • void main()
  • char string256
  • int i
  • for( i 0 i lt 255 i)
  • stringi 'A'
  • function(string)

string



string pushed onto stack
12
Buffer Overflow
  • void function(char str)
  • char buffer16
  • strcpy(buffer,str)
  • void main()
  • char string256
  • int i
  • for( i 0 i lt 255 i)
  • stringi 'A'
  • function(string)

return address
string


return address pushed onto stack
13
Buffer Overflow
buffer16 (local variable) pushed onto stack
  • void function(char str)
  • char buffer16
  • strcpy(buffer,str)
  • void main()
  • char string256
  • int i
  • for( i 0 i lt 255 i)
  • stringi 'A'
  • function(string)

buffer0
buffer1

buffer15
return address
string


14
Buffer Overflow
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
  • void function(char str)
  • char buffer16
  • strcpy(buffer,str)
  • void main()
  • char string256
  • int i
  • for( i 0 i lt 255 i)
  • stringi 'A'
  • function(string)

A
A
A
A
A
A
A

15
Buffer Overflow Attack
  • Instead of writing A past the allocated local
    buffer and into the rest of the stack, write data
    into the stack such that
  • The return address is replaced by an address
    which points to a bit of code written by the
    attacker (which can also be written onto the
    stack)
  • This code may, for example, spawn a shell.
  • If the original program was SUID root, this will
    be a root shell!

16
Buffer Overflow Attack
  • If no patch is available from O/S vendor to fix
    the vulnerability, then at least remove SUID root
    permissions from the program in question.

17
Authentication means
  • to establish the proof of identity.
  • Authentication techniques may vary depending on
    the kind of resource being accessed.
  • The various kinds of access can be classified
    into
  • user-to-host
  • host-to-host
  • user(or process) to user (process)

18
Trusted hosts
  • UNIX allows hosts to trust another.
  • If host A trusts host B, then a user who has the
    same user name on B and A can access resources on
    A from B without a password.
  • Implemented using .rhosts and /etc/hosts.equiv
  • rlogin, rsh, rcp

19
Trusted hosts - advantages
  • Password cannot be sniffed because it is not
    transmitted.
  • Users can log in once and then subsequently move
    to any machine in the trusted network.
  • Convenience.

20
Trusted hosts - disadvantages
  • If one host is compromised (e.g. boot B to single
    user mode then change to any user you like), then
    the other host is also compromised read that
    users files on A.
  • Even if B cannot be booted to single user mode
    without a password, can physically replace B with
    another machine.
  • Trusted hosts uses IP address authentication.
  • Vulnerable to IP spoofing.

21
NFS
  • Network File System
  • Developed by Sun Microsystems
  • Supported by most UNIX systems
  • Allows remote access to local file systems

22
NFS example (Solaris)
Host ANFS Server
Network
/files
NFS calls
NFS calls
mount t nfs A/files /mnt/files
Host B
share -F nfs -o rwB,rootB /files
23
NFS Security Considerations
  • Export only to trusted hosts
  • Export only those parts of the filesystem which
    require remote access
  • Export read-only unless writing absolutely
    required
  • Be very careful mapping root on the server to
    root on the client.
  • Remove group write permissions for exported files
    and directories.
  • Be careful exporting user home directories

24
NFS Security Considerations
  • Do not allow users to log into NFS server.
  • Do not accept incoming NFS call requests on
    non-privileged ports.
  • Use Secure NFS.
  • Dont use NFS! (Is it absolutely necessary?)

25
Threats to Availability
  • Denial of Service attacks
  • Probably more of a threat when carried out via
    the network than on the local machine alone.
  • Not UNIX specific

26
Windows accounts
  • Each user has an account
  • On a computer and/or an Active Directory domain
  • Non-human accounts are for system processes
  • Account typically has name and password
  • Authentication based on Kerberos or hashed
    password (for NT compatibility only)
  • OS supports password strength, aging policies
  • Certificates and smartcards are also supported
    (in 2000/XP, but not commonly used yet)
  • A user may belong to many groups
  • Has the union of the groups rights at any time

27
Windows file systems (1/3)
  • FAT (for backward compatibility)
  • FAT supports no access control
  • NTFS (NT File System)
  • Access control based on user IDs and file
    permissions
  • Basic permissions are Read, Write, Execute,
    Delete, Change Permissions, Take Ownership
    ?RWXDPO
  • Standard permissions are basic ones combined
  • Different permissions to a file can be granted to
    individual users/groups using ACL
  • More fine-grained, flexible than UNIX

28
Windows file systems (2/3)
  • The following access permissions apply to files
  • NoAccess
  • Read(RX) read and execute
  • Change(RWXD) read,write,exe,delete
  • Full Control(all) RWXDPO
  • Special Access any combination of RWXDPO

29
Windows file systems (2/3)
  • Files sharing using Common Internet File System
    (CIFS)
  • Shares are managed in directory (in common with
    domain management more later)
  • Machine access to shares is based on computer
    account in domain and inter-domain trust
  • User access to shares is based on share passwords
    or standard ACLs
  • NT systems use hashed password SMB auth.
  • Windows 2000/XP use Kerberos authentication
  • Encrypting File System (EFS)
  • Files encryption using random secret keys, which
    are in turn encrypted with EFS public keys

30
Windows networking
  • Essentially similar tools
  • telnet, ftp with clear-text passwords
  • SSH, and augmented versions of telnet, ftp more
    secure
  • Integrated networking explained later
  • Server Message Block (SMB) based integrated
    domain authentication, file shares access

31
Windows security internals Architecture (1/2)
  • Windows (NT/2000/XP) have layered components on
    top of a kernel
  • Security Reference Monitor (SRM)
  • Part of the kernel
  • Handles core of access control checks
  • Protected security services include
  • Winlogon process
  • Local Security Authority (LSA) and policy
    database
  • Security Account Manager (SAM) and database
  • These services perform user authentication, and
    non-core part of access control

32
Windows security internals Architecture (2/2)
  • Security identifiers (SID)
  • Represent uniquely each user or group
  • Access control entry (ACE)
  • Contains permissions to an object explicitly
    denied or granted to a subject (SID)
  • Access control list (ACL)
  • List of ACEs for an object
  • Security descriptor of an object
  • Contains is owner SID, primary group SID, its
    ACL, the applicable system ACL
  • Access token for a logged on user
  • Contains the users SID, primary group SID, etc.

33
Windows security internals Authentication
  • NT uses NTLM authentication
  • NT (MD4) and LM (DES-based) hashed password
  • Domains integration relies on sending hashed
    passwords through insecure SMB protocols
  • Inter-domain trusts are one-way, non-transitive
  • Windows 2000/XP in domains use Kerberos
  • NTLM supported for backward compatibility
  • Domains are managed by Active Directory
  • Integrated Kerberos auth. as domain controllers
    are KDCs
  • Enable hierarchical organisation and delegation
  • Inter-domain trusts are two-way, transitive
    thereby simplifying trust management
  • Logged on users run processes with their access
    tokens, basis for access control, impersonation

34
Windows security internals Access control
  • Discretionary access control
  • Based on subject SIDs and object ACLs
  • Each object has an ACL
  • Null ACL or empty means no restrictions or no
    access
  • Each process has access token with owner SID,
    group SIDs
  • Access control check matches of access tokens
    against ACLs
  • Administrators group can access everything
  • SRM performs core matching
  • Less so discretionary access control
  • Some system-wide policies applying to subjects,
    regardless of individual objects ACL

35
Windows security internals Impersonation
  • No equivalence of UNIX suid, sgid or su, sudo
    programs
  • But processes frequently programmatically
    impersonate others
  • A thread takes on access token of another subject
  • This access token may be exact copy or variant of
    a primary access token
  • Thread gets security privileges of the
    impersonated subject
  • Impersonation is application-controlled, as
    opposed to administrator-controlled in UNIX

36
Windows security internals Logging auditing
  • The LSA and SRM create logs through the system
    event logger
  • The LSA logs mostly logon events based on its
    audit policy
  • The SRM logs access check events based on the
    system access control list (SACL)
  • Each object has an SACL
  • Logs are stored locally

37
UNIX and Windows security some evaluations
  • Windows security more complex, less mature
  • More susceptible to faults
  • Windows integrated Kerberos auth. more secure
    than hashed passwords
  • Windows access control more fine-grained
  • But Windows has more viruses?
  • Default security leaves programs writable
  • Users education
  • Historically more UNIX buffer flow attacks?
  • Longer lifetime, more accessible source code
  • Windows code inaccessible, but faults will show
    up eventually (obscurity not good security)

38
Other Access Control methods
  • Sandboxing
  • Software that provides limited access rights to
    programs of unknown origins
  • Proof-carrying code
  • Programs to be executed must carry a proof that
    it doesnt do anything that contravenes the local
    security policy

39
Policies (1)
  • Historical considerations
  • The history of information systems and their
    automation is a history of compromise.
    Automation had to fit into existing schemes of
    information management. Similarly, the addition
    of security mechanisms has to fit into existing
    structures and systems. Highly secure systems
    are often a consequence of redesign and
    re-engineering of existing systems.
  • Mandatory Security Policies
  • A system wide policy decrees that all subjects
    and all objects are classified. Access classes
    are associated with every subject-object pair.
  • Access rights depend on the triple
    subject-object-access class for all triplets
    ltSam, Production Log, Writegt

40
Policies (2)
  • Discretionary Security Policies
  • Users are allowed to grant access to other users
    - often the OWNER of an object can grant access
    privileges to other users, (at the owners
    discretion )
  • Discretionary Policies may allow one user to pass
    data to another user without the authority of the
    creator of the data

41
Security Models Formal Methods
  • One benefit of using formal models is that
    mathematical (sometimes called formal) methods
    can be used to confirm that all transitions
    allowed by the model preserve the secure state of
    the system being modeled
  • For real systems, modeling is not easy

42
Access Control - Ranked Model (1)
  • Multi-level
  • Often called Lattice methods
  • Basis of military and commercial security
  • Set of ordered security levels, users assigned to
    a level
  • User subjects are privileged to access a rank
    and all lower ranks
  • Students do not need to master the notation used
    in Gollman

43
Access Control - Ranked Model (2)
  • We are also concerned about need to know
  • Compartment the information to be secured
  • Granting access
  • A subject is cleared to access object
  • only if rank(subject) gt rank (object) AND
  • The set of all compartments that contain the
    object are contained within the set of
    compartments that the subject is cleared to
    access
  • (The personnel manager will not be allowed to
    access confidential production data)

44
Access Control - Ranked Model (3)
  • Companies often use the ranks
  • Public, Company Confidential, Executive-only
  • Deciding what lies in what compartment keeps
    security staff occupied

45
Bell - LaPadula (1)
  • Earliest formal model
  • Each user subject and information objecthas a
    fixed security class
  • Use the notation gt to indicate dominance
  • Simple Security (ss) propertythe no read-up
    (NRU) property
  • A subject has read access to an object if the
  • class of the subject C(s) is greater than or
    equal to the class of the object C(o)
  • need C(s) gt C(o)

46
Bell - LaPadula (2)
  • property (star) the no write-down (NRD)
    property
  • While a subject has read access to object O, the
    subject can only write to object P ifC(P) gt
    C (O)
  • Leads to concentration of irrelevant detail at
    upper levels
  • Discretionary Security (ds) propertyIf
    discretionary policies are in place, accesses are
    further limited to this access matrix
  • Although all users in the personnel department
    can read all personnel documents, the personnel
    manager would expect to limit the readers of a
    document that dealt with redundancies in the
    personnel department !

47
Transitions
  • If a system starts in a secure state, and all
    transitions are secure, then the system remains
    in a secure state.
  • But what if we allow users to downgrade all
    objects, and then modify the access control
    matrix so all modes are allowed for each entry
    ?
  • So we need to beware of transitions that change
    access rights

48
Tranquility
  • Gollman p 49 Pfleeger (3ed) p 305
  • Starting with a Bell-LaPadula model, with ranked
    classes of users
  • Say Executive, Company-confidential, Public
  • And segregated compartments,
  • Say Sales, Production
  • And all users assigned a rank,
  • And all files assigned a rank and a
    compartmentTRANQUILITY is when these
    assignments do not change or are not allowed to
    change

49
Tranquility in practice
  • Production program systems need to open and use
    work files, and open and use spool print files,
    class or subroutine libraries need to be
    accessed.
  • For systems with mandatory security, these
    entities all need labels and levels.
  • In practice assigning security levels to these
    sorts of entities is not easy.

50
Limitations of BLP model
  • Only deals with confidentiality aspect of
    security and not integrity
  • Not addressing the management of access control
  • Containing covert channels

51
Chinese Wall Model(1/2)
  • Suppose a consultancy has several airlines as
    clients
  • It is a conflict of interest if a consultant
    working with Quantas has access to confidential
    data on Gulf gathered from another assignment
  • Security policy builds on 3 levels of
    abstraction
  • Objects lowest levels, eg. Files
  • Company groups all objects concerning a
    particular company are grouped together
  • Conflict classes at the highest level, all
    groups of objects for competing companies are
    clustered.
  • No information flow that causes a conflict of
    interest
  • For this model to work, a history of access
    rights has to be maintained
  • (Also, if confidential information is written
    across conflict classes, an effective conflict of
    interest is created)

52
Chinese Wall Model(2/2)
  • Simple security(ss) policy
  • Access is granted only if the object requested
    belongs to a company dataset already held by user
    or entirely different conflict of interest class
  • -property
  • A subject is granted write access to an object if
    no other object can be read which is in a
    different company dataset.

53
Biba
  • Concerned with integrity of information
  • We wish to prevent the spread of untrusted
    information
  • A Cold war issue - the intelligence services of
    the UK were known to have been compromised by the
    Soviets. How then could the USA ensure that USA
    intelligence data was not corrupted by possibly
    misleading data flowing from UK sources ?
  • Simple integrity property
  • Subject s can only modify object o if I(s)
    gt I(o) ( no write up)
  • Integrity propertyIf s can read o, s can
    only write to p if I(o) gt I(p)
  • So clean objects do not become contaminated

54
Biba(1/2)
  • Covers untrustworthy information in a natural
    way.
  • Suppose John is untruthful, all documents
    created/modified by John are untrustworthy
  • An untrusted subject who has write access to an
    object reduces the integrity of that object
  • Low integrity of source objects implies low
    integrity for any object based on the source
    object.

55
Clark-Wilson (1/3)
  • The security requirements of commercial
    transactions are about data integrity, and the
    prevention of error and fraud.
  • There is an established principle of separation
    of duties, which aims to ensure that users must
    collaborate to validly manipulate data, and hence
    users must collude to commit fraud.
  • Clark-Wilson aim to define well-formed
    transactions, so users cannot directly access
    data,
  • and specific data items can only be modified by
    defined programs.

56
Clark-Wilson (2/3)
  • Internal consistency of data items should be
    ensured by the system Overall
  • Subjects have to be identified and authenticated
  • Objects can be manipulated by a restricted set of
    programs
  • Subjects can execute only a restricted set of
    programs
  • A proper audit has to be maintained.
  • The system has to be certified to work properly.
  • An application oriented IT system model, a
    framework and guideline for security policy

57
Clark-Wilson (3/3)
  • Policy in terms of constrained data items(CDI)
  • CDIs are processed by transformation
    procedures(TP)
  • TP is like a monitor that performs only
    particular operations on specific data items
  • Access triples combine TP, one or more CDI and
    user ID who is authorised to operate on those
    CDIs by means of the TP.
Write a Comment
User Comments (0)
About PowerShow.com