Discretionary Access Control (DAC)

Transcription

1 CS 5323 Discretionary Access Control (DAC) Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 2 ravi.utsa@gmail.com Ravi Sandhu 1

2 Authentication Ravi Sandhu 2

3 Authentication, Authorization, Audit AAA Authentication Authorization Audit Who are You? What are You Allowed to Do? What Did You Do? Ravi Sandhu 3

4 Authentication, Authorization, Audit AAA Authentication Authorization Audit Who are You? What are You Allowed to Do? What Did You Do? siloed integrated Ravi Sandhu 4

5 Authentication Techniques Authentication Something you know Something you have Something you are password secret questions smartphone registered device fingerprint iris keyboard dynamics signature dynamics Ravi Sandhu 5

6 Authentication Techniques Authentication Something you know Something you have Something you are password secret questions smartphone registered device fingerprint iris keyboard dynamics signature dynamics single factor multi factor Ravi Sandhu 6

7 Phishing Personalized image to authenticate webserver to user Ravi Sandhu 7

8 Phishing Man in the Middle Personalized image passed through Ravi Sandhu 8

9 Passwords Ravi Sandhu 9

10 Password Attacks Password Attacks Online Lock out Throttling Offline (Dictionary Attack) Complex passwords Salting Ravi Sandhu 10

11 Password Storage and Verification Password Storage Password Verification User ID Plaintext Password User ID Plaintext Password =? User ID Stored Password User ID Stored Password Loss of stored passwords = Catastrophic failure Ravi Sandhu 11

12 Password Storage and Verification Password Storage Password Verification User ID Plaintext Password User ID Plaintext Password Hashing Process Hashing Process User ID Stored Hash Computed Hash Loss of stored hashes = Attack by single dictionary User ID =? Stored Hash Ravi Sandhu 12

13 Password Storage and Verification Password Storage Password Verification User ID Random Salt Plaintext Password User ID Plaintext Password Hashing Process Hashing Process User ID Stored Salt Stored Hash Computed Hash =? Loss of stored hashes = Attack by different dictionary for each salt value User ID Stored Salt Stored Hash Ravi Sandhu 13

14 Access Matrix Model Ravi Sandhu 14

15 Access Matrix Model Objects (and Subjects) F G S u b j e c t s U V r w own r r w own rights Ravi Sandhu 15

16 Access Matrix Model Basic Abstractions Subjects Objects Rights The rights in a cell specify the access of the subject (row) to the object (column) Ravi Sandhu 16

17 Users and Subjects A subject is a program (application) executing on behalf of a user A user may at any time be idle, or have one or more subjects executing on its behalf User-subject distinction is important if subject s rights are different from a user s rights Usually a subset In many systems a subject has all the rights of a user A human user may manifest as multiple users (accounts, principals) in the system Ravi Sandhu 17

18 Users and Subjects JOE.TOP-SECRET JOE.SECRET JOE JOE.CONFIDENTIAL JOE.UNCLASSIFIED USER SUBJECTS Ravi Sandhu 18

19 Users and Subjects JANE.CHAIRPERSON JANE.FACULTY JANE JANE. EMPLOYEE JANE.SUPER-USER USER SUBJECTS Ravi Sandhu 19

20 Objects An object is anything on which a subject can perform operations (mediated by rights) Usually objects are passive, for example: File Directory (or Folder) Memory segment with CRUD operations (create, read, update, delete) But, subjects can also be objects, with operations kill suspend resume Ravi Sandhu 20

21 Access Matrix Model Objects (and Subjects) F W S u b j e c t s U W r w own r w own parent Ravi Sandhu 21

22 Implementation Access Control Lists Capabilities Relations Ravi Sandhu 22

23 Access Control Lists F U:r U:w U:own G U:r V:r V:w V:own each column of the access matrix is stored with the object corresponding to that column Ravi Sandhu 23

24 Capabilities U V F/r, F/w, F/own, G/r G/r, G/w, G/own each row of the access matrix is stored with the subject corresponding to that row Ravi Sandhu 24

25 Relations Subject Access Object U r F U w F U own F U r G V r G V w G V own G commonly used in relational database management systems Ravi Sandhu 25

26 ACLs versus Capabilities Authentication ACL's require authentication of subjects and ACL integrity Capabilities require integrity and propagation control Access review ACL's are superior on a per-object basis Capabilities are superior on a per-subject basis Revocation ACL's are superior on a per-object basis Capabilities are superior on a per-subject basis Least privilege Capabilities provide for finer grained least privilege control with respect to subjects, especially dynamic short-lived subjects created for specific tasks Ravi Sandhu 26

27 ACLs versus Capabilities Authentication ACL's require authentication of subjects and ACL integrity Capabilities require integrity and propagation control Access review ACL's are superior on a per-object basis Capabilities are superior on a per-subject basis Revocation ACL's are superior on a per-object basis Capabilities are superior on a per-subject basis Least privilege Capabilities provide for finer grained least privilege control with respect to subjects, especially dynamic short-lived subjects created for specific tasks Most Operating Systems use ACLs often in abbreviated form: owner, group, world Ravi Sandhu 27

28 Content-Dependent Controls content dependent controls you can only see salaries less than 50K, or you can only see salaries of employees who report to you beyond the scope of Operating Systems and are provided by Database Management Systems Ravi Sandhu 28

29 Context-Dependent Controls context dependent controls cannot access classified information via remote login salary information can be updated only at year end company's earnings report is confidential until announced at the stockholders meeting can be partially provided by the Operating System and partially by the Database Management System more sophisticated context dependent controls such as based on past history of accesses definitely require Database support Ravi Sandhu 29

30 Trojan Horse Vulnerability of DAC Information from an object which can be read can be copied to any other object which can be written by a subject Suppose our users are trusted not to do this deliberately. It is still possible for Trojan Horses to copy information from one object to another. Ravi Sandhu 30

31 Trojan Horse Vulnerability of DAC File F ACL A:r File G B:r A:w User B cannot read file F Ravi Sandhu 31

32 Trojan Horse Vulnerability of DAC User A executes Program Goodies read File F ACL A:r Trojan Horse write File G B:r A:w User B can read contents of file F copied to file G Ravi Sandhu 32

33 Copy Difference for rw Read of a digital copy is as good as read of original Write to a digital copy is not so useful Ravi Sandhu 33

34 DAC Subtleties Chains of grants and revokes Inheritance of permissions Negative rights Ravi Sandhu 34

35 HRU Model Harrison, M. A., Ruzzo, W. L., & Ullman, J. D. (1976). Protection in operating systems. Communications of the ACM, 19(8), Ravi Sandhu 35