Security Policies - PowerPoint PPT Presentation

1
CSC 382 Computer Security
  • Security Policies

2
Topics
  1. What is a security policy?
  2. Types of Access Control
  3. Discretionary (DAC)
  4. Mandatory (MAC)
  5. Originator-based (ORBAC)
  6. Types of Policies
  7. Multilevel Bell LaPadula
  8. Clark Wilson
  9. Chinese Wall
  10. Policy Expression Languages

3
Security Policy
  • Security policy partitions system states into
  • Authorized (secure)
  • These are states the system is allowed to enter.
  • Unauthorized (nonsecure)
  • If the system enters any of these states, it's a
    security violation.
  • Secure system
  • Starts in authorized state.
  • Never enters unauthorized state.

4
Policy vs. Mechanism
  • Security Policy
  • Statement that divides system into authorized and
    unauthorized states.
  • Mechanism
  • Entity or procedure that enforces some part of a
    security policy.

5
Dirty Politics
  • Republican Senate staffers gained access to
    Democrat computer files 2002-2003.
  • Both parties share computer server.
  • 2001 misconfiguration allowed access w/o pw.
  • Defence: "The bottom line here is that the
    technology staff of the Democrats was negligent.
    They put these memos in a shared hard drive. It
    was like putting the memos on our desk." -- Manuel
    Miranda

6
Types of Access Control
  • Discretionary Access Control (DAC, IBAC)
  • Individual user sets access control mechanism to
    allow or deny access to an object. UNIX and NT
    ACLs.
  • Mandatory Access Control (MAC)
  • System mechanism controls access to object, and
    individual cannot alter that access.
  • Originator Controlled Access Control (ORCON)
  • Originator (creator, not current owner of file)
    of information controls who can access
    information. DRM-controlled files.

7
MAC Example: SELinux
  • What is SELinux?
  • Linux kernel modifications to provide MAC.
  • What's the problem with DAC?
  • TCB large: security depends on kernel, all
    privileged applications, and their configurations.
  • Coarse-grained: applications run with all user
    privileges, even for root user.
  • Security of MAC depends on
  • kernel
  • SELinux security policy configuration

8
SELinux Advantages and Issues
  • Advantages
  • Fine-grained control by program, not by user.
  • Protects system from flawed or malicious code.
  • Fine-grained: can control program accesses to
    individual files, signals, etc.
  • Issues
  • Security policy configuration is complex.
  • Policy language resembles DTEL.
  • Difficult to find security policies that work for
    everyone.
  • Fedora Core 2's strict policy caused many
    problems.
  • Fedora Core 3 applies policies to known server
    and system processes, lets other programs run w/o
    restriction.

9
SELinux Command Extensions
  • gt id -Z
  • user_usystem_runconfined_t
  • gt ps -eZ head
  • LABEL PID TTY TIME
    CMD
  • user_usystem_runconfined_t 1 ? 000000
    init
  • user_usystem_runconfined_t 21 ? 000000
    kacpid
  • user_usystem_rsyslogd_t 3826 ? 000000
    syslogd
  • user_usystem_runconfined_t 3841 ? 000000
    irqbalance
  • user_usystem_rportmap_t 3852 ? 000000
    portmap
  • user_usystem_rypbind_t 4024 ? 000000
    ypbind
  • gt ls -lZ /boot/vmlinuz-2.6.10-1.741_FC3smp
  • -rw-r--r-- root root system_uobject_rbo
    ot_t /boot/vmlinuz-2.6.10-1.741_FC3smp

10
ORBAC Example: CSS
  • Content Scrambling System (CSS)
  • Used to encrypt DVDs.
  • DVD reader needs CSS decryption key.
  • CSS limits use of DVDs even though you control
    the OS (MAC) and filesystem ACLs.
  • Region-coding.
  • Unskippable commercials.

11
Types of Security Policies
  • Confidentiality
  • Military/government policies.
  • Integrity
  • Commercial policies.
  • Availability
  • Quality of service agreements.

12
Confidentiality
  • X: set of entities, I: information.
  • I has confidentiality property with respect to X
    if no x in X can obtain information from I.
  • I can be disclosed to others.
  • Example
  • X is the set of students.
  • I is the final exam answer key.
  • I is confidential with respect to X if students
    cannot obtain final exam answer key.

13
Integrity
  • X: set of entities, I: information.
  • I has integrity property with respect to X if all
    x in X trust information in I.
  • Types of integrity
  • trust I, its conveyance and protection (data
    integrity)
  • I: information about origin of something or an
    identity (origin integrity, authentication)
  • I: resource, means resource functions as it should
    (assurance)

14
Availability
  • X: set of entities, I: resource.
  • I has availability property with respect to X if
    all x in X can access I.
  • Types of availability
  • traditional: x gets access or not
  • quality of service: promise specific level of
    access (e.g., a specific level of bandwidth)

15
Multilevel Security Policies
  • Bell-LaPadula Model
  • Classifications
  • Top Secret
  • Secret
  • Confidential
  • Unclassified
  • Simple Security Property: no read up.
  • *-Property: no write down.
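The two Bell-LaPadula rules as an added example (not code from the slides): the four classifications come from the slide, and the category sets are an added generalization so that labels form a lattice in which two labels can be incomparable; the subject and object labels are constructed.

```python
from dataclasses import dataclass, field

# Classifications from the slide, ordered low to high.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)  # added generalization

    def dominates(self, other: "Label") -> bool:
        """self dominates other iff its level is at least as high and its
        category set is a superset; otherwise the labels may be incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property (no read up): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-Property (no write down): object must dominate subject."""
    return obj.dominates(subject)


if __name__ == "__main__":
    # Constructed labels for the demo.
    analyst = Label("Secret", frozenset({"NUC"}))
    report = Label("Confidential", frozenset({"NUC"}))
    plan = Label("Top Secret", frozenset({"NUC", "EUR"}))
    other = Label("Secret", frozenset({"EUR"}))
    print(can_read(analyst, report), can_read(analyst, plan))    # True False
    print(can_write(analyst, report), can_write(analyst, plan))  # False True
    print(can_read(analyst, other), can_write(analyst, other))   # False False
```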
16
Multilateral Security Policies
  • Chinese Wall Model
  • If you read one CD of a COI, you can never read
    any other CD from that COI.
  • CD: company dataset
  • COI: conflict of interest class
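The Chinese Wall read rule as an added example (not code from the slides): a monitor keeps, per subject, which CD it has already read in each COI and refuses reads of any other CD in that COI; the bank and oil datasets are constructed sample data.

```python
from collections import defaultdict

# Constructed CD -> COI mapping: each company dataset belongs to one
# conflict-of-interest class.
COI_OF = {
    "Bank A": "banks", "Bank B": "banks",
    "Oil X": "oil", "Oil Y": "oil",
}


class ChineseWall:
    def __init__(self, coi_of):
        self.coi_of = coi_of
        # subject -> {COI -> the one CD the subject has read in that COI}
        self.history = defaultdict(dict)

    def may_read(self, subject, cd):
        coi = self.coi_of[cd]
        prior = self.history[subject].get(coi)
        # Allowed if the subject has never read in this COI, or has only
        # ever read this same CD in it.
        return prior is None or prior == cd

    def read(self, subject, cd):
        """Return True and record the access if permitted, else False.
        The record is permanent: the wall never reopens."""
        if not self.may_read(subject, cd):
            return False
        self.history[subject][self.coi_of[cd]] = cd
        return True


if __name__ == "__main__":
    wall = ChineseWall(COI_OF)
    print(wall.read("alice", "Bank A"))  # True
    print(wall.read("alice", "Bank B"))  # False: same COI, different CD
    print(wall.read("alice", "Oil X"))   # True: different COI
```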

17
Policy Languages
  • Express security policies in a precise way.
  • High-level languages
  • Policy constraints expressed abstractly.
  • Low-level languages
  • Policy constraints expressed in terms of program
    options, input, or specific characteristics of
    entities on system.

18
High-Level Policy Languages
  • Constraints expressed independent of enforcement
    mechanism.
  • Constraints restrict entities, actions.
  • Constraints expressed unambiguously
  • Requires a precise language, usually a
    mathematical, logical, or programming-like
    language.

19
Example: Web Browser
  • Goal: restrict actions of Java programs that are
    downloaded and executed under control of web
    browser.
  • Policy language specific to Java programs.
  • Expresses constraints as conditions restricting
    invocation of entities.

20
Expressing Constraints
  • Entities are classes, methods
  • Class: set of objects that an access constraint
    constrains.
  • Method: set of ways an operation can be invoked.
  • Operations
  • Instantiation: s creates instance of class c: s |- c
  • Invocation: s1 executes object s2: s1 -> s2
  • Access constraints
  • deny(s op x) when b
  • While b is true, subject s cannot perform op on
    (subject or class) x; empty s means all subjects.

21
Sample Constraints
  • Downloaded program cannot access password
    database file on UNIX system.
  • Program's class and methods for files:
  • class File
  • public file(String name)
  • public String getfilename()
  • public char read()
  • Constraint
  • deny(-> file.read) when
    (file.getfilename() == "/etc/passwd")

22
Another Sample Constraint
  • At most 100 network connections open.
  • Socket class defines network interface.
  • Network.numconns: method giving number of active
    network connections.
  • Constraint
  • deny(|- Socket) when (Network.numconns > 100)
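A small reference monitor that evaluates both deny(s op x) when b constraints from slides 21 and 22, as an added example (not the slides' own code): the File class follows the slide, while the Network counter, the rule representation and the permitted() check are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Optional


class File:  # the slide's File class, minimal Python rendering
    def __init__(self, name: str):
        self._name = name

    def getfilename(self) -> str:
        return self._name


class Network:  # constructed stand-in for the slide's Network.numconns
    numconns = 0


@dataclass
class Deny:
    """deny(s op x) when b; subject None stands for the empty s (all subjects)."""
    subject: Optional[str]
    op: str                        # "instantiate" (s |- c) or "invoke" (s1 -> s2)
    target: str                    # the class or method being constrained, x
    when: Callable[[dict], bool]   # b, evaluated on the request context


POLICY = [
    # deny(-> file.read) when (file.getfilename() == "/etc/passwd")
    Deny(None, "invoke", "File.read",
         lambda ctx: ctx["file"].getfilename() == "/etc/passwd"),
    # deny(|- Socket) when (Network.numconns > 100)
    Deny(None, "instantiate", "Socket",
         lambda ctx: Network.numconns > 100),
]


def permitted(subject: str, op: str, target: str, ctx: dict, policy=POLICY) -> bool:
    """Default allow; any matching deny rule whose condition b holds wins."""
    for rule in policy:
        if rule.subject is not None and rule.subject != subject:
            continue
        if rule.op == op and rule.target == target and rule.when(ctx):
            return False
    return True
```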

23
Discussion: Buying HDs on eBay
  • 2 MIT grad students bought 158 used HDs.
  • 28 (17%) had fully functioning operating systems.
  • 57 (36%) were formatted, but recoverable.
  • 29 (18%) didn't work at all.
  • In total, 117 (74%) had recoverable data.
  • Recovered data included
  • Personal and corporate financial records.
  • Personal e-mail and credit cards.
  • Is discarded data a security issue?

24
Low-Level Policy Languages
  • Set of inputs or arguments to commands.
  • Check or set constraints on system.
  • Low level of abstraction.
  • Need details of system, commands.

25
Example: X Window System
  • UNIX X11 Windowing System.
  • Access to X11 display controlled by list.
  • List says what hosts allowed, disallowed access.
  • xhost +groucho -chico
  • Connections from host groucho allowed.
  • Connections from host chico not allowed.

26
Example: tripwire
  • File scanner that reports changes to file
    system and file attributes.
  • tw.config describes what may change:
  • /usr/mab/tripwire +gimnpsu012345678-a
  • Check everything but time of last access (-a).
  • Database holds previous values of attributes.

27
Example: Database Record
  • /usr/mab/tripwire/README 0 ..../. 100600 45763 1
    917 10 33242 .gtPvf .gtPvY .gtPvY 0
    .ZD4cc0Wr8i21ZKaI..LUOr3 .0fwo5hf4e4.8TAqd0V4ubv
    ?...... ...9b3 1M4GX01xbGIX0oVuGo1h15z3
    ?Y9jfa04rdzM1qeqt1APgHk ?.Eb9yo.2zkEh1XKovX1d0w
    F0kfAvC ?1M4GX01xbGIX2947jdyrior38h15z3 0
  • file name, version, bitmask for attributes, mode,
    inode number, number of links, UID, GID, size,
    times of creation, last modification, last
    access, cryptographic checksums

28
Comments
  • System administrators not expected to edit
    database to set attributes properly.
  • Checking for changes with tripwire is easy.
  • Just run once to create the database, run again
    to check.
  • Checking for conformance to policy is harder.
  • Need to either edit database file, or (better)
    set system up to conform to policy, then run
    tripwire to construct database.
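The two-run procedure from slides 26 to 28 (build the database once, run again to check) as an added example; this is not Tripwire's code, it records a subset of the attributes listed on slide 27 plus a SHA-256 checksum, and the file tree it checks is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def snapshot(path):
    """Attributes recorded per file (a subset of slide 27's record)."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"mode": st.st_mode, "inode": st.st_ino, "nlink": st.st_nlink,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            "mtime": int(st.st_mtime), "sha256": digest}


def build_database(root):
    """First run: record the current attributes of every file under root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            db[os.path.relpath(p, root)] = snapshot(p)
    return db


def check(root, db, ignore=()):
    """Second run: compare against db. Returns {relpath: [changed fields]};
    'ignore' plays the role of tw.config's -a (attributes allowed to change)."""
    current = build_database(root)
    report = {}
    for rel in sorted(set(db) | set(current)):
        if rel not in current:
            report[rel] = ["deleted"]
        elif rel not in db:
            report[rel] = ["added"]
        else:
            changed = [k for k in db[rel]
                       if k not in ignore and db[rel][k] != current[rel][k]]
            if changed:
                report[rel] = changed
    return report


def demo():
    """Constructed scenario: baseline, then modify one file and add another."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "README"), "w") as f:
        f.write("hello\n")
    db = build_database(root)
    with open(os.path.join(root, "README"), "w") as f:
        f.write("hello world\n")
    with open(os.path.join(root, "new.txt"), "w") as f:
        f.write("x")
    return check(root, db, ignore=("mtime",))
```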

29
Example: PAM
  • Pluggable Authentication Modules
  • Config: /etc/pam.conf or /etc/pam.d/prog
  • login auth required pam_unix.so
  • login account required pam_unix.so
  • login password required pam_unix.so
  • login session required pam_unix.so
  • Format: service modtype controlflag module

30
Example: PAM (cont.)
  • Module Types
  • Auth: authenticates user
  • Account: non-auth access control (time, place)
  • Password: updates auth token
  • Session: user setup (including logging)
  • Control Flags
  • required: must succeed for access, all entries
    checked
  • requisite: required, but returns immediately on
    failure
  • sufficient: access granted if this condition true
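How the three control flags on slides 29 and 30 combine across a stack of modules, as an added example that simulates the evaluation rather than calling PAM itself: each entry is (controlflag, module, result) in the slide's config order, the module outcomes are constructed, and the returned list of modules that actually ran shows the difference between required and requisite.

```python
def evaluate_stack(stack):
    """stack: list of (control_flag, module_name, module_succeeded), in the
    order they appear in /etc/pam.d/<prog>. Returns (access_granted, ran)."""
    required_failed = False
    ran = []
    for flag, name, ok in stack:
        ran.append(name)
        if flag == "required":
            # Must succeed, but every later entry is still checked, so the
            # failure is not reported until the whole stack has run.
            if not ok:
                required_failed = True
        elif flag == "requisite":
            # Like required, but returns immediately on failure.
            if not ok:
                return False, ran
        elif flag == "sufficient":
            # Success grants access right away, unless an earlier required
            # module has already failed; a failure here is simply ignored.
            if ok and not required_failed:
                return True, ran
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return not required_failed, ran


if __name__ == "__main__":
    # Constructed auth stack: a hypothetical token module, then pam_unix.so.
    stack = [("sufficient", "pam_token_hypothetical.so", False),
             ("required", "pam_unix.so", True)]
    print(evaluate_stack(stack))  # (True, ['pam_token_hypothetical.so', 'pam_unix.so'])
```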

31
Key Points
  • Policies describe what is allowed.
  • Mechanisms control how policies are enforced.
  • Types of Access Control
  • Discretionary (DAC)
  • Mandatory (MAC)
  • Originator Based (ORBAC)
  • Trust underlies everything.

32
References
  1. Anderson, Ross, Security Engineering, Wiley, 2001.
  2. David E. Bell and Leonard J. LaPadula, Secure
     Computer System: Unified Exposition and MULTICS
     Interpretation, MTR-2997 Rev. 1, The MITRE
     Corporation, Bedford, MA 01730 (Mar. 1976).
     http://csrc.nist.gov/publications/history/bell76.pdf
  3. Bishop, Matt, Introduction to Computer Security,
     Addison-Wesley, 2005.
  4. Department of Defense, Trusted Computer System
     Evaluation Criteria, DoD 5200.28-STD (Orange
     Book), National Computer Security Center, Ft.
     Meade, MD 20755 (Dec. 1985).
     http://csrc.nist.gov/publications/history/dod85.pdf
  5. Peter Loscocco and Stephen Smalley, Integrating
     Flexible Support for Security Policies into the
     Linux Operating System, Proceedings of the
     FREENIX Track of the 2001 USENIX Annual Technical
     Conference, 2001.