CSE361 Web Security. Access Control. Nick Nikiforakis
2 Access Control: introduction. How do we protect our confidential data from unauthorized usage? Two important cases: an attacker has access to the raw bits representing the information => need for cryptographic techniques; there is a software layer between the attacker and the information => access control techniques.
3 Access Control (Authorization). Limiting access to sensitive resources. Informally: who can access what, and in what way? Enforced at every layer: Application, Middleware, Operating System, Hardware.
4 Access Control is Pervasive. 1. Application: complex, custom security policy. Ex: Amazon account: wish list, reviews, credit card. 2. Middleware: database, system libraries, 3rd-party software. Ex: credit card authorization center. 3. Operating System: file ACLs, IPC. 4. Hardware: memory management, hardware device access.
5 Access Control Matrix. Precisely describes the protection state of a system. Sets of system states: P: the set of all possible states. Q: the set of allowed states, according to the security policy. P-Q: the set of disallowed states. The ACM describes the set of states Q.
6 Access Control Matrix. As the system changes, its state changes (state transitions). We are only concerned with the protection state. The ACM must be enforced by a mechanism that limits state transitions to those that go from one element of Q to another.
7 ACM Description. Objects O = {o_1, ..., o_m}: all protected entities. Subjects S = {s_1, ..., s_n}: active entities, with S ⊆ O (a subject is also an object, since one subject can act on another, e.g. a process signalling a process). Rights R = {r_1, ..., r_k}. Entries A[s_i, o_j] ⊆ R; A[s_i, o_j] = {r_x, ..., r_y} means subject s_i has rights r_x, ..., r_y over object o_j. Laid out as a matrix with one row per subject s_1 ... s_n and one column per object o_1 ... o_m.
8 Example: File/Process. Processes p, q; files f, g; rights r (read), w (write), x (execute), a (append), o (own). Rows are subjects, columns are objects:
        f      g      p      q
  p    rwo    r      rwxo   w
  q    a      ro     r      rwxo
9 Free text to ACM. Alice, who owns file1, trusts Bob to read and write that particular file. Bob, on the other hand, is afraid that Alice will edit his files, so he only allows her to read file2, but nothing more. Steve, whom no one trusts, has made a program called prog1 which he wants others to execute, but not modify. Lastly, everyone but Bob can read Joe's diary.
10 Ownership Right. Usually allows the possessor to change entries in the object's ACM column, so the owner of an object can add or delete rights for others. May depend on what the system allows: it may not be possible to give rights to a specific (set of) users, or to pass the copy flag to a specific (set of) users.
11 Attenuation of Privilege. Principle: a subject may not give rights it does not possess to another. Restricts the addition of rights within a system. Usually ignored for the owner. Why? The owner could give herself the rights, give them to others, and then delete her own rights again, so applying the principle to the owner would buy nothing.
12 How can we implement the ACM? Problem: scale. Thousands of subjects, millions of objects, yet most entries are blank or default. Solutions: implement by column (Access Control Lists); implement by row (Capabilities); group users together in a flat or hierarchical model.
13 Access Control Lists (ACLs). Implement the ACM by column: access control by object. Example: UNIX ACLs. Short: rwx for user/group/other. Long: POSIX ACLs. The ACL is stored close to the object. Example ACL for the object audit data: root: rw; alice: r; bob: (no entry, so no access).
14 Some ACL Questions. 1. Which subjects can modify an object's ACL? 2. Do ACLs apply to privileged users? 3. How can a subject's rights be revoked? 4. What are the default permissions?
15 Which subjects can modify an ACL? Create an own right for an ACL; only subjects with the own right can modify the ACL. Creating an object also creates the object's ACL; usually the creator is given the own right at this time. Other default rights may be set at creation too.
16 Do ACLs apply to privileged users? Many systems have privileged users: UNIX root, Windows NT administrator. Should ACLs apply to privileged users? They need read access to all objects for backups. What security problems are produced by ignoring ACLs for privileged users? Every bug in, or compromise of, a program running as that user defeats every ACL on the system at once.
17 How are rights revoked? Removal of a subject's rights to an object: delete the entries for the subject from the ACL. If ownership doesn't control the granting of rights, matters can be complex: if A has granted rights to B, what should happen to B's rights when you remove A's rights? Removal of a subject's rights to all objects: very expensive (millions of objects). Why isn't disabling the subject's account sufficient? Processes already running as that subject keep their access, and the stale ACL entries remain in place for whoever next receives that identity.
18 What are the default permissions? Interaction of ACLs with base permissions: POSIX ACLs modify UNIX base permissions. How are default ACLs determined? Subject: the subject sets default permissions, like the UNIX umask. Inheritance: objects in a hierarchical system inherit the ACLs of the parent object; subjects inherit sets of default permissions from their parent subjects.
19 Capabilities. Implement the ACM by row instead of by column: access control is associated with the subject. Example: UNIX file descriptors. The system checks the ACL on file open and returns an fd; the process subsequently uses the fd to read and write the file. If the ACL changes, the process still has access via the fd. Example capability list for alice: ls: rx; homedir: rw; rootdir: r.
20 Some Capability Questions. 1. How to prevent a user from modifying capabilities? 2. How to prevent a user from copying capabilities? 3. How to revoke rights to an object?
21 How to prevent a user from modifying? Memory protection: capabilities are readable but not writable. Indirection: the capability is a pointer into a per-process table whose access control prevents the user from touching it. Cryptography: a keyed checksum (MAC) is associated with the capability and checked before use, so a forged or altered capability fails the check.
22 How to prevent a user from copying? Copying capabilities allows users to grant rights to others. Solution: use the indirection or cryptographic techniques from the previous slide to prevent direct access. Add a copy flag to the capability, as a specific right that permits copying the capability in order to give rights to other users.
23 How to revoke rights to an object? Direct solution: check the capabilities of every process and remove those that grant access to the object; computationally expensive. Alternative solution: create a global object table; capabilities reference objects indirectly via their entries in the global object table; invalidate the entry in the global object table to revoke.
24 ACLs vs Capabilities. ACLs: slower, the OS has to read the ACL for each object accessed; easy to find/change rights on a particular object; difficult to revoke privileges for a specific subject (every object's ACL must be scanned). Capabilities: faster, the OS always knows the subject's identity and the check is a lookup in its list; easy to find/change rights for a particular subject; difficult to revoke privileges to a specific object (every subject's list must be scanned, unless the indirection above is used).
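The following is an added example, not code from the lecture: a sparse access control matrix in Python that encodes the "Free text to ACM" exercise (one reasonable encoding; the owner rights are an assumption) and projects it onto ACLs (one column per object) and capability lists (one row per subject). The revoke_subject method shows why revocation cost differs between the two views.

```python
"""Sparse Access Control Matrix with ACL (column) and capability (row) views."""
from collections import defaultdict


class AccessControlMatrix:
    """Only non-empty entries are stored; real systems project this sparse
    matrix onto ACLs (by object) or capabilities (by subject)."""

    def __init__(self):
        self._entries = defaultdict(set)   # (subject, object) -> set of rights
        self.subjects = set()
        self.objects = set()

    def grant(self, subject, obj, *rights):
        self.subjects.add(subject)
        self.objects.add(obj)
        self._entries[(subject, obj)].update(rights)

    def revoke(self, subject, obj, *rights):
        """Delete rights; an emptied entry is dropped so the matrix stays sparse."""
        entry = self._entries.get((subject, obj))
        if entry is None:
            return
        entry.difference_update(rights)
        if not entry:
            del self._entries[(subject, obj)]

    def check(self, subject, obj, right):
        """Reference-monitor decision: every access must come through here."""
        return right in self._entries.get((subject, obj), set())

    def acl(self, obj):
        """Column projection: which subjects hold which rights on this object."""
        return {s: set(r) for (s, o), r in self._entries.items() if o == obj}

    def capabilities(self, subject):
        """Row projection: which objects this subject may access, and how."""
        return {o: set(r) for (s, o), r in self._entries.items() if s == subject}

    def revoke_subject(self, subject):
        """Remove every right of one subject: one row with capabilities, but a
        scan over every object's ACL when the matrix is stored by column."""
        for key in [k for k in self._entries if k[0] == subject]:
            del self._entries[key]


def build_example():
    """Encode the free-text policy from the slides (constructed encoding)."""
    acm = AccessControlMatrix()
    # Alice owns file1 and lets Bob read and write it.
    acm.grant("alice", "file1", "r", "w", "o")
    acm.grant("bob", "file1", "r", "w")
    # Bob owns file2 and lets Alice only read it.
    acm.grant("bob", "file2", "r", "w", "o")
    acm.grant("alice", "file2", "r")
    # Steve owns prog1; everyone else may only execute it.
    acm.grant("steve", "prog1", "r", "w", "x", "o")
    for who in ("alice", "bob", "joe"):
        acm.grant(who, "prog1", "x")
    # Joe owns his diary; everyone but Bob may read it.
    acm.grant("joe", "diary", "r", "w", "o")
    for who in ("alice", "steve"):
        acm.grant(who, "diary", "r")
    return acm
```

Every decision goes through check(), which is the reference monitor of this toy system; acl() and capabilities() are just two ways of slicing the same state.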
25 Discretionary Access Control. Discretionary Access Control, or DAC, refers to a scheme where users are given the ability to determine the permissions governing access to their own files. DAC typically features the concept of both users and groups, and allows users to set access-control measures in terms of these categories. In addition, DAC schemes allow users to grant privileges on resources to other users on the same system.
26 Concept: Reference monitor. Whichever system we use to represent the Access Control Matrix, we still need a piece of code that will read that representation and enforce it. Reference monitor: the part of the system that enforces access control decisions. 3 properties: complete mediation: it must always be called, on every access; tamper proof: the adversary cannot influence it; small: easy to verify its correctness.
27 Mandatory Access Control. Mandatory access control is a more restrictive scheme that does not allow users to define permissions on files, regardless of ownership. Instead, security decisions are made by a central policy administrator. Each security rule consists of a subject, which represents the party attempting to gain access, an object, referring to the resource being accessed, and a series of permissions that define the extent to which that resource can be accessed.
28 3 Formal MAC Examples. Bell-LaPadula model for the confidentiality of data. Biba model for the integrity of data. Chinese Wall model for protecting the confidentiality (and integrity) of data from conflicts of interest.
29 Bell-LaPadula Model: A MAC Model for Achieving Multi-level Security. Introduced in 1973. The Air Force was concerned with security in time-sharing systems: many OS bugs, accidental misuse. Main objective: prevent read access to objects at a security classification higher than the subject's clearance. Enable one to formally show that a computer system can securely process classified information.
30 Security Goal of BLP. There are security classifications or security levels. Users/principals/subjects have security clearances; objects have security classifications. Example: Top Secret > Secret > Confidential > Unclassified. Security goal (confidentiality): ensure that information does not flow to those not cleared for that level.
31 Bell-LaPadula
32 Approach of BLP. Use state-transition systems to describe computer systems. Define a system as secure iff every reachable state satisfies 3 properties: the simple-security property, the *-property, and the discretionary-security property. Prove a Basic Security Theorem (BST), so that one can prove a system is secure by proving things about the system description.
33 Preliminary rules. L(S): security clearance of subject S. L(O): security classification of object O. E.g. L(Thomas) = Top Secret, L(Document1) = Secret.
34 Preliminary rules. Simple Security Property, preliminary version: S can read O iff L(O) <= L(S) and S has discretionary read access to O. Rule known as No read up. This rule, by itself, allows for leakage of information towards lower levels of clearance. E.g. someone with a Top Secret clearance reads a Top Secret file and writes the contents to a Confidential file, where it can then be read by users with only a Confidential clearance.
35 Preliminary rules. *-Property, preliminary version: subject S can write object O iff L(S) <= L(O) and S has discretionary write access to O. Rule known as No write down. Together, the two rules enforce the desired information flow: information can only move upwards through the levels, never down.
36 Need-to-know principle. Even if someone has all the necessary official approvals (such as a security clearance) to access certain information, they should not be given access to such information unless they have a need to know: that is, unless access to the specific information is necessary for the conduct of their official duties. The security model can be expanded to include this notion through the use of categories (sometimes called compartments). Levels = {top secret, secret}; Categories = {army, navy}. Together these create a lattice.
37 An Example Security Lattice. Each label dominates every label on the rows below it whose categories it contains (top to bottom):
  Top Secret, {army, navy}
  Top Secret, {army}    Top Secret, {navy}    Secret, {army, navy}
  Top Secret, {}        Secret, {army}        Secret, {navy}
  Secret, {}
38 One more definition. The security level (L, C) dominates the security level (L', C') iff L' <= L and C' ⊆ C. When considering the subset condition, don't forget that the empty set is a subset of any other set. Let's rewrite the security rules of BLP using the concept of domination.
39 BLP. Simple Security Property: a subject S can read an object O iff L(S) dominates L(O) and S has discretionary read access to O. *-Property: a subject S can write an object O iff L(O) dominates L(S) and S has discretionary write access to O. The two together: No read up, no write down.
40 BLP Example. George has clearance (SECRET, {NUC, EUR}). DocA has classification (CONFIDENTIAL, {NUC}). DocB has classification (SECRET, {EUR, US}). DocC has classification (SECRET, {EUR}). George dominates DocA: CONFIDENTIAL <= SECRET and {NUC} ⊆ {NUC, EUR}. George does not dominate DocB: {EUR, US} ⊄ {NUC, EUR}. George dominates DocC: SECRET <= SECRET and {EUR} ⊆ {NUC, EUR}. So George may read DocA and DocC but not DocB. Note that the *-property runs the other way: none of the three documents dominates George (none contains both NUC and EUR), so he may write to none of them.
41 First limitation. The BLP model, as it stands right now, does not allow a higher-ranked subject to communicate with a lower-ranked object. Sometimes it is necessary. Solution: differentiate between the current clearance level L_c(S) and the maximum clearance level L_m(S). E.g. a Top-Secret-cleared subject can choose to lower her clearance level to temporarily speak with a lower-clearance subject. Rule: the maximum level must dominate the current level; the *-property is then checked against the current level.
42 Second limitation. How about declassifying documents? We should be able to remove the Top-Secret portion of a Top-Secret document and give it to a subject with a Secret security clearance. Solution: trusted subjects. These subjects are trusted to remove sensitive information of their level and are not restricted by the *-property.
43 One more problem. Security objective of multilevel security in general, and BLP in particular: high-classified information cannot flow to low-cleared users. Overt channels of information flow (read/write an object) are covered by BLP. Covert channels of information flow are not: a communication channel based on the use of system resources not normally intended for communication between the subjects (processes) in the system, e.g. a high process modulating CPU load or disk usage that a low process can observe.
44 3 Formal MAC examples. Bell-LaPadula model for the confidentiality of data. Biba model for the integrity of data. Chinese Wall model for protecting the confidentiality (and integrity) of data from conflicts of interest.
45 Biba Integrity Model. In this model we care about the integrity of information, not confidentiality. Thus, if we want confidentiality, we need to combine it with another mechanism. Biba is called the dual of BLP, because its rules are the opposite of BLP's.
46 Biba rules. I(S): integrity of subject S. I(O): integrity of object O. Simple integrity property: subject S can read object O iff I(S) <= I(O). Rule known as No Read Down. Integrity *-property: subject S can write to object O iff I(O) <= I(S). Rule known as No Write Up.
47 Meaning of rules. A subject can read objects at its own integrity level or above (opposite from BLP): do not taint the subject's integrity by reading data with lower integrity. A subject can only write at its own integrity level or below (opposite from BLP): do not taint the integrity of high-integrity data by allowing a lower-integrity subject to write to it.
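An added example (not from the lecture) that implements both the BLP rules from slides 38-41 and the Biba rules above over one (level, categories) lattice, since the two models share the dominance relation. The level names are the lecture's; the dac_read/dac_write flags stand in for the discretionary part of the rules and are an assumption about how a real system would pass them in.

```python
"""Bell-LaPadula and Biba decisions over a (level, categories) lattice."""
from typing import FrozenSet, Tuple

# Total order on levels; a higher index is more sensitive (BLP) or more trusted (Biba).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
Label = Tuple[str, FrozenSet[str]]   # (level, set of categories/compartments)


def label(level: str, *categories: str) -> Label:
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return (level, frozenset(categories))


def dominates(a: Label, b: Label) -> bool:
    """(L, C) dominates (L', C') iff L' <= L and C' is a subset of C.
    The empty category set is a subset of every set, so (SECRET, {}) is
    dominated by every SECRET or TOP SECRET label."""
    (la, ca), (lb, cb) = a, b
    return LEVELS.index(lb) <= LEVELS.index(la) and cb <= ca


# --- BLP: confidentiality. Labels are clearances and classifications. ---
def blp_can_read(subject: Label, obj: Label, dac_read: bool = True) -> bool:
    """Simple security property: no read up."""
    return dac_read and dominates(subject, obj)


def blp_can_write(subject: Label, obj: Label, dac_write: bool = True) -> bool:
    """*-property: no write down; the object must dominate the subject's
    (current) level."""
    return dac_write and dominates(obj, subject)


def blp_allows_copy(subject: Label, src: Label, dst: Label) -> bool:
    """Could `subject` move information from src into dst? Both rules must
    hold; this closes the 'read Top Secret, write Confidential' leak."""
    return blp_can_read(subject, src) and blp_can_write(subject, dst)


def current_level_ok(maximum: Label, current: Label) -> bool:
    """A subject may lower itself to any current level its maximum dominates."""
    return dominates(maximum, current)


# --- Biba: integrity. Same lattice, arrows reversed. ---
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: no read down, I(S) <= I(O)."""
    return dominates(obj, subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property: no write up, I(O) <= I(S)."""
    return dominates(subject, obj)
```

The George example from the slides works unchanged: he dominates DocA and DocC but not DocB, and no document dominates him, so every write is refused.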
48 Windows Integrity Mechanism. Windows Vista introduced a Biba-like integrity mechanism (mandatory integrity control) to limit the ability of malware to spread into the rest of the system. Processes (and files created by them) have integrity labels. A process with a low integrity level cannot write to, or send most window messages to, a process or object of medium/high integrity level: Windows enforces no-write-up by default, while reading down remains allowed. All files, by default, get a medium integrity label. Internet Explorer (and other browsers), as well as their downloaded files, get a low integrity label; user action is needed to elevate it.
49 Integrity Checks in action
50 3 Formal MAC examples. Bell-LaPadula model for the confidentiality of data. Biba model for the integrity of data. Chinese Wall model for protecting the confidentiality (and integrity) of data from conflicts of interest.
51 Conflict of Interest. A consultant is offering her services to Bank of America and as such has access to certain confidential information necessary for the task at hand. It would be a breach of confidentiality for her to also consult for Chase. A simultaneous contract with Delta (the airline) is not a conflict.
52 Chinese Wall model. The security policy builds on the following: Objects, e.g. files; an object contains information for only one specific company. Company Dataset (CD): collects all objects concerning one specific company. Conflict-of-interest (COI) class: clusters the company datasets of competing (and thus conflicting) companies, e.g. {Toyota, Ford, Volkswagen}, {Bank of America, Chase, TD Bank}, {McDonalds}.
53 Chinese Wall model. PR(S): the set of objects that subject S has read in the past. (Chinese Wall) Simple Security Rule: subject S can read object O iff any of the following conditions hold: 1. There is an object O' such that S has accessed O' and CD(O') = CD(O). 2. For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O). 3. O is a sanitized object, containing only public information.
54 Chinese Wall model. (Chinese Wall) *-Property: a subject S may write to object O iff both of the following conditions hold: 1. The Chinese Wall simple security condition allows S to read O. 2. For all unsanitized objects O' to which S has (or has had) access, S can read O' ⇒ CD(O') = CD(O). In other words, there must be no unsanitized object that S can access and that belongs to a different company dataset; otherwise S could copy that company's data into O, and a later reader of O would get information from across the wall.
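As an added example that is not part of the lecture, here is the Chinese Wall simple security rule and *-property in Python, keeping PR(S) per subject and using the consultant scenario from the slides. The object names and the "public" dataset for sanitized objects are constructed for the example.

```python
"""Chinese Wall: simple security rule and *-property with access history PR(S)."""
from collections import defaultdict


class ChineseWall:
    def __init__(self, company_dataset, coi_class, sanitized=()):
        self.cd = dict(company_dataset)    # object -> company dataset (CD)
        self.coi = dict(coi_class)         # CD -> conflict-of-interest class
        self.sanitized = set(sanitized)    # objects holding only public information
        self.pr = defaultdict(set)         # PR(S): unsanitized objects S has accessed

    def can_read(self, subject, obj):
        if obj in self.sanitized:                      # condition 3
            return True
        history = self.pr[subject]
        # condition 1: S already works inside this company dataset
        same_cd = any(self.cd[o] == self.cd[obj] for o in history)
        # condition 2: nothing S has read lies in the same COI class
        no_conflict = all(self.coi[self.cd[o]] != self.coi[self.cd[obj]]
                          for o in history)
        return same_cd or no_conflict

    def can_write(self, subject, obj):
        if not self.can_read(subject, obj):            # *-property, condition 1
            return False
        # condition 2: everything unsanitized S has touched must lie in O's own CD,
        # otherwise S could copy another company's data into O
        return all(self.cd[o] == self.cd[obj] for o in self.pr[subject])

    def read(self, subject, obj):
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject} may not read {obj}")
        if obj not in self.sanitized:
            self.pr[subject].add(obj)      # the first read into a COI class locks S in

    def write(self, subject, obj):
        if not self.can_write(subject, obj):
            raise PermissionError(f"{subject} may not write {obj}")
        if obj not in self.sanitized:
            self.pr[subject].add(obj)


def consulting_firm():
    """Constructed instance of the Bank of America / Chase / Delta scenario."""
    cd = {"boa_q3_forecast": "BoA", "chase_loan_book": "Chase",
          "delta_routes": "Delta", "market_report": "public"}
    coi = {"BoA": "banks", "Chase": "banks", "Delta": "airlines", "public": "none"}
    return ChineseWall(cd, coi, sanitized={"market_report"})
```

Note how the policy is history-dependent: before the consultant reads anything she may read either bank, and it is her first read that builds the wall. Writing is stricter still: once she has read both Bank of America and Delta data she may read both but write to neither.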
55 Role-Based Access Control. The role-based access control (RBAC) model can be viewed as an evolution of the notion of group-based permissions in file systems. Non-DAC model: middle of the road between MAC and DAC. An RBAC system is defined with respect to an organization, such as a company; a set of resources, such as documents, print services, and network services; and a set of users, such as employees, suppliers, and customers.
56 RBAC Components. A user is an entity that wishes to access resources of the organization to perform a task. A role is defined as a collection of users with similar functions and responsibilities in the organization; examples of roles in a university may include student, alum, faculty, dean, staff, and contractor. In general, a user may have multiple roles. A permission describes an allowed method of access to a resource, from fine-grained to coarse-grained, e.g. read a file vs. open a new account. A session consists of the activation of a subset of the roles of a user for the purpose of performing a certain task; for example, a laptop user may create a session with the administrator role to install a new program. Sessions support the principle of least privilege.
57 Hierarchical RBAC. In the role-based access control model, roles can be structured in a hierarchy similar to an organization chart. More formally, we define a partial order among roles by saying that a role R1 inherits role R2, denoted R1 > R2, if R1 includes all permissions of R2 and R2 includes all users of R1. When R1 > R2, we also say that role R1 is senior to role R2 and that role R2 is junior to role R1. For example, in a company, the role manager inherits the role employee and the role vice president inherits the role manager. Also, in a university, the roles undergraduate student and graduate student inherit the role student.
58 Visualizing Role Hierarchy
59 RBAC in Joomla
60 Constrained RBAC. Constrained RBAC allows for defined relationships among roles and conditions related to roles. Types of constraints: Mutually exclusive roles: a user can be assigned only one role in a set, either statically or during a session; this increases the difficulty of collusion to thwart security policies (separation of duty). Cardinality: limits (in terms of maximums) with respect to roles, e.g. the maximum number of users assigned to a role, or the maximum number of roles assigned to one user. Prerequisite roles: users can be assigned to some roles only if they are already assigned other roles, e.g. in order to get the role of senior engineer you must already have the role of junior engineer.
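An added example, not from the lecture, that implements hierarchical and constrained RBAC: roles inherit permissions from junior roles along the partial order of slide 57, sessions activate a subset of a user's roles, and assignment enforces the three constraint types above. The company roles and permission names are constructed for the example.

```python
"""RBAC with role hierarchy, sessions, and constraints."""


class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> permissions assigned directly to it
        self.juniors = {}      # role -> roles it inherits (R1 > R2 means R2 in juniors[R1])
        self.user_roles = {}   # user -> roles assigned to the user
        self.exclusive = []    # sets of mutually exclusive roles (static separation of duty)
        self.max_users = {}    # role -> cardinality limit on assigned users
        self.prereq = {}       # role -> role the user must already hold

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def permissions(self, role):
        """All permissions of a role: its own plus those of every junior role,
        following the hierarchy transitively."""
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms[r]
            stack.extend(self.juniors[r])
        return perms

    def assign(self, user, role):
        """User-role assignment, refused when it would violate a constraint."""
        held = self.user_roles.setdefault(user, set())
        for group in self.exclusive:
            if role in group and held & (group - {role}):
                raise ValueError(f"{role} is mutually exclusive with {held & group}")
        if role in self.max_users:
            count = sum(role in roles for roles in self.user_roles.values())
            if count >= self.max_users[role]:
                raise ValueError(f"cardinality limit reached for {role}")
        if role in self.prereq and self.prereq[role] not in held:
            raise ValueError(f"{role} requires {self.prereq[role]} first")
        held.add(role)

    def session(self, user, active_roles):
        """Activate a subset of the user's roles and return the permissions
        available in that session (least privilege: activate only what the task needs)."""
        extra = set(active_roles) - self.user_roles.get(user, set())
        if extra:
            raise ValueError(f"{user} does not hold {extra}")
        perms = set()
        for r in active_roles:
            perms |= self.permissions(r)
        return perms


def build_company():
    """Constructed role set: vice_president > manager > employee, and
    senior_engineer > junior_engineer > employee."""
    rbac = RBAC()
    rbac.add_role("employee", {"read_handbook"})
    rbac.add_role("manager", {"approve_expense"}, inherits={"employee"})
    rbac.add_role("vice_president", {"sign_contract"}, inherits={"manager"})
    rbac.add_role("auditor", {"read_ledger"})
    rbac.add_role("junior_engineer", {"commit_code"}, inherits={"employee"})
    rbac.add_role("senior_engineer", {"merge_code"}, inherits={"junior_engineer"})
    rbac.exclusive.append({"manager", "auditor"})   # nobody audits their own approvals
    rbac.max_users["vice_president"] = 1
    rbac.prereq["senior_engineer"] = "junior_engineer"
    return rbac
```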
61 Attribute-based Access Control. Attribute-based Access Control (ABAC) is more recent than the access control schemes we have looked at so far. Access rights are granted to users through policies that combine many attributes together. Attributes can be based on the subject trying to perform the access, on the object being accessed, or on the environment in which the access is happening.
62 ABAC Scheme
63 Example. Online streaming service, streaming movies to registered users for a monthly fee.
  Movie Rating   Users Allowed to Stream
  R              Age 17 and older
  PG-13          Age 13 and older
  G              Everyone
64 Example continued. In RBAC, we would need three roles (Adult, Juvenile, Child) and three permissions (Can view R-rated, Can view PG-13-rated, Can view G-rated). The administrator would have to manually assign users to roles and permissions to roles.
65 Example continued. In ABAC, we can instead use attributes of the users and movies to make access control decisions: R1: can_access(u, m, e) <- (Age(u) >= 17 AND Rating(m) ∈ {R, PG-13, G}) OR (Age(u) >= 13 AND Age(u) < 17 AND Rating(m) ∈ {PG-13, G}) OR (Age(u) < 13 AND Rating(m) ∈ {G}). We can easily expand the above to add premium membership and promotional periods; time, date and country of users are all environment attributes. The same would be very cumbersome in RBAC.
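The following is an added example, not the lecture's code: rule R1 in Python together with the premium-membership and country extensions the slide mentions. The age floors come from the slide's table; the premium, promotional-period and licensing attributes are assumptions about how such a service might model them.

```python
"""ABAC: an access decision computed from subject, object and environment attributes."""

# Minimum viewer age per rating, from the slide's table.
RATING_FLOOR = {"R": 17, "PG-13": 13, "G": 0}


def rule_age(user, movie, env):
    """R1 from the slide in one comparison: its three OR-branches are exactly
    'the user's age meets the floor of the movie's rating'."""
    return user["age"] >= RATING_FLOOR[movie["rating"]]


def rule_premium(user, movie, env):
    """Assumed extension: premium titles need a premium membership, unless the
    environment says a promotional period is running (dates as ISO strings)."""
    if not movie.get("premium", False):
        return True
    promo_until = env.get("promo_until")
    return bool(user.get("premium")) or (promo_until is not None and env["date"] <= promo_until)


def rule_region(user, movie, env):
    """Assumed extension: the environment's country must be licensed for the title."""
    return env["country"] in movie["licensed_countries"]


POLICY = (rule_age, rule_premium, rule_region)


def can_access(user, movie, env, policy=POLICY):
    """Deny by default: every rule in the policy must grant."""
    return all(rule(user, movie, env) for rule in policy)
```

Adding a new condition means adding one rule function; in RBAC the same change would mean new roles, new permissions, and re-assigning users to them.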
66 UNIX Access Control Model. UID: integer user ID; UID = 0 is root. GID: integer group ID; users can belong to multiple groups. Objects have both a user owner and a group owner. The system compares the object's UID with the process's EUID; the EUID is identical to the UID except after su or a setuid program.
67 UNIX File Permissions. Three sets of permissions: user owner, group owner, other (everyone else). Three permissions per set: read, write, execute. UID 0 can access regardless of permissions (with one exception: executing a regular file still requires at least one execute bit to be set). Files: regular files, directories, devices (disks, printers), IPC.
68 UNIX File Permissions. Best-match policy: the OS applies the one permission set that most closely matches the process (user owner first, then group, then other). You can be denied access by the best match even if you would match another set: e.g. mode 0074 denies the owner everything while granting the group rwx. Directories: read = listing of the directory; execute = traversal of (search in) the directory; write = add or remove files in the directory (together with execute).
69 Special File Permissions. Each object has a set of special permission bits: sticky, setuid, setgid. Sticky: on a directory, means users can only delete or rename files that they own (e.g. /tmp). Setuid: execute the program with EUID = the file owner's UID. Setgid: execute the program with EGID = the file owner's GID; on a directory, causes newly created files to inherit the directory's group owner instead of the creating process's GID.
70 Changing Permissions: chmod. Set specifiers: u = user, g = group, o = other. Permissions: r = read, w = write, x = execute.
  chmod o-rwx *.c       # remove other access
  chmod g+rw *.c        # add group r/w access
  chmod u=rwx,go= *     # allow only you access (u=rwx alone would leave group and other untouched)
71 Octal Permission Notation. Each set (u, g, o) is represented by an octal digit; each permission (r, w, x) is one bit within a digit: 4 = read, 2 = write, 1 = execute. A leading fourth digit holds the special bits: 4 = setuid, 2 = setgid, 1 = sticky. Ex: chmod 0644 file: u: rw, g: r, o: r. Ex: chmod 0711 bin: u: rwx, g: x, o: x.
72 Changing Ownership. newgrp: the group owner of new files is your default (primary) group; newgrp changes the default group to another group to which you belong. chgrp: changes the group owner of an existing file; the file's owner may do this for any group they belong to, root for any group. chown: changes the owner of an existing file; on Linux only root can use this command.
73 Default Permissions: umask. Determines the permissions given to newly created files. Three-digit octal number. Programs default to requesting 0666 for files (0777 for directories). The umask modifies this to: 0666 & ~umask. Ex: umask = 022 => file has mode 0644. Ex: umask = 066 => file has mode 0600.
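As an added example (not from the lecture), the following Python models the UNIX mode-bit check from slides 67-73: best-match class selection, the root bypass, the octal notation, and umask arithmetic. It reimplements the rules rather than calling the kernel, so the 0074 owner-denied case and the umask examples can be checked without touching a real filesystem.

```python
"""UNIX mode bits: best-match class selection, root bypass, octal and umask."""
import stat

R, W, X = 4, 2, 1   # one bit each inside an octal digit


def owner_class(uid, gid, file_uid, file_gid, supplementary=()):
    """Best match: exactly one class applies, tried in the order user, group, other."""
    if uid == file_uid:
        return "user"
    if gid == file_gid or file_gid in supplementary:
        return "group"
    return "other"


def class_bits(mode, cls):
    shift = {"user": 6, "group": 3, "other": 0}[cls]
    return (mode >> shift) & 0o7


def permitted(mode, file_uid, file_gid, uid, gid, want, supplementary=(), is_dir=False):
    """May a process running as (uid, gid) perform `want` (bitmask of R, W, X)?"""
    if uid == 0:
        # root bypasses the rwx check, except that executing a regular file
        # still needs some execute bit to be set on it.
        if want & X and not is_dir and not (mode & 0o111):
            return False
        return True
    bits = class_bits(mode, owner_class(uid, gid, file_uid, file_gid, supplementary))
    return (bits & want) == want


def apply_umask(requested, umask):
    """Mode a new file gets: requested & ~umask (programs usually request
    0666 for files and 0777 for directories)."""
    return requested & ~umask & 0o777


def describe(mode):
    """Render the nine permission bits ls-style, e.g. 0o644 -> 'rw-r--r--'."""
    return stat.filemode(mode | stat.S_IFREG)[1:]
```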
74 setuid/setgid. Solution to UNIX ACLs' inability to directly handle (user, program, file) triplets. The process runs with the EUID/EGID of the file's owner, not of the user who spawned the process. Follow the principle of least privilege: create special users/groups for most purposes rather than using root. Follow the principle of separation of privilege: keep setuid functions/programs small, and drop privileges as soon as they are no longer needed.
75 Limitations of Classic ACLs. The access control list only contains 3 entries: limited to one user, limited to one group. Root (UID 0) can do anything.
76 POSIX Extended ACLs. Supported by most UNIX/Linux systems; slight syntax differences may exist. getfacl shows a file's ACL, setfacl modifies it. Example: chmod 600 file; setfacl -m user:jake:r-- file. The file is unreadable by other, but the ACL allows jake to read it. Caveat: setfacl also creates a mask entry that caps the effective rights of named users and groups, and once an ACL exists a later chmod of the group bits changes that mask rather than the group owner's rights, so always confirm the result with getfacl.
77 Immutable Files. Immutable files on Linux: chattr +i. Cannot delete, rename, write to, or link to the file; this applies to root too. Only root (more precisely, a process holding CAP_LINUX_IMMUTABLE) can add or remove the immutable flag. Use lsattr to identify what flags are set on any given file.
78 Host-based Access Control. /etc/hosts.allow and /etc/hosts.deny are used by tcpd, sshd, and other servers built with TCP wrappers. Identify subjects by hostname, IP address, or network address/mask. hosts.allow is consulted before hosts.deny, and the first matching rule wins; if neither file matches, access is granted, so use a last rule in /etc/hosts.deny (ALL: ALL) to deny everything not explicitly allowed.
79 SQL Access Control. Subjects: users and roles (CREATE ROLE faculty; GRANT faculty TO jake). Objects: databases, tables, table columns. Rights: SELECT, INSERT, UPDATE, DELETE, REFERENCES, GRANT.
80 SQL Access Control. The GRANT command gives access to a user: GRANT SELECT ON students TO jake; or to a role: GRANT SELECT, INSERT, UPDATE ON grades TO faculty; and can include the power to pass the right on: GRANT INSERT ON students TO registrar WITH GRANT OPTION. The REVOKE command removes access: REVOKE INSERT ON grades FROM faculty. This is the revocation question from the ACL slides again: if registrar has passed INSERT on to others, standard SQL requires REVOKE ... CASCADE to remove those dependent grants as well.
81 Why is Access Control hard? Objects are complex: identifying the objects of interest; is your choice of objects too coarse- or fine-grained? Inheritance in hierarchical structures like the filesystem. Subjects are complex: identifying the subjects of interest; what are the relationships between subjects? Access control states change. Security objectives are often unclear.
82 Summary. 1. Access control: center of gravity of security; pervasive. 2. Access Control Matrix: simplest abstraction mechanism for representing protection state. 3. The ACM is too big, so real systems typically use either ACLs (columns/objects of the ACM) or capabilities (rows/subjects of the ACM). 4. Formal MAC systems, RBAC, ABAC. 5. Access control in practice: UNIX.
83 Credits. Slides based on James Walden's slides on Access Control.
More informationComputer Security. 02. Operating System Access Control. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 02. Operating System Access Control Paul Krzyzanowski Rutgers University Spring 2018 February 17, 2018 CS 419 2018 Paul Krzyzanowski 1 Protection is essential to security Protection The
More information? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week
Announcements Access control John Mitchell u Homework Due today. Next assignment out next week u Graders If interested in working as grader, send email to Anupam u Projects Combine some of the project
More informationLabels and Information Flow
Labels and Information Flow Robert Soulé March 21, 2007 Problem Motivation and History The military cares about information flow Everyone can read Unclassified Few can read Top Secret Problem Motivation
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 3.2: OS Security Access Control Endadul Hoque Slide Acknowledgment Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Bogdan Carbunar (FIU)
More informationAccess Control (slides based Ch. 4 Gollmann)
Access Control (slides based Ch. 4 Gollmann) Preliminary Remarks Computer systems and their use have changed over the last three decades. Traditional multi-user systems provide generic services to their
More informationOperating Systems Security Access Control
Authorization and access control Operating Systems Security Access Control Ozalp Babaoglu From authentication to authorization Once subjects have been authenticated, the next problem to confront is authorization
More informationSecure Architecture Principles
CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from
More informationCS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms
CS 392/681 - Computer Security Module 5 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm next Thursday!!! Read Chapter 2 and 15 of text 10/15/2002 Module 5 - Access Control
More informationAccess Control Models Part II
Access Control Models Part II CERIAS and CS &ECE Departments Pag. 1 Introduction Other models: The Chinese Wall Model it combines elements of DAC and MAC RBAC Model it is a DAC model; however, it is sometimes
More informationCS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms
CS 392/681 - Computer Security Module 6 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm grades Thursday. Read Chapter 2 and 15 th of text Lab 4 postponed - due next week.
More informationCS 356 Lecture 7 Access Control. Spring 2013
CS 356 Lecture 7 Access Control Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive,
More informationP1L5 Access Control. Controlling Accesses to Resources
P1L5 Access Control Controlling Accesses to Resources TCB sees a request for a resource, how does it decide whether it should be granted? Authentication establishes the source of a request Authorization
More informationSecure Architecture Principles
CS 155 Spring 2017 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Secure Architecture Principles Isolation
More informationAccess Control and Protection
Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access
More informationExercise 4: Access Control and Filesystem Security
Exercise 4: Access Control and Filesystem Security Introduction Duration: 90 min Maximum Points: 30 Note: The solutions of theorethical assignments should be handed out before the practical part in the
More informationSecure Architecture Principles
CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from
More informationAccess Control. Steven M. Bellovin September 13,
Access Control Steven M. Bellovin September 13, 2016 1 Security Begins on the Host Even without a network, hosts must enforce the CIA trilogy Something on the host the operating system aided by the hardware
More informationAccess Control. Steven M. Bellovin September 2,
Access Control Steven M. Bellovin September 2, 2014 1 Security Begins on the Host Even without a network, hosts must enforce the CIA trilogy Something on the host the operating system aided by the hardware
More informationSecure Architecture Principles
Computer Security Course. Secure Architecture Principles Slides credit: John Mitchell Basic idea: Isolation A Seaman's Pocket-Book, 1943 (public domain) http://staff.imsa.edu/~esmith/treasurefleet/treasurefleet/watertight_compartments.htm
More informationUser Commands chmod ( 1 )
NAME chmod change the permissions mode of a file SYNOPSIS chmod [-fr] absolute-mode file... chmod [-fr] symbolic-mode-list file... DESCRIPTION The chmod utility changes or assigns the mode of a file. The
More informationSecure Architecture Principles
Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel 1 Secure
More informationSummary. Final Week. CNT-4403: 21.April
Summary Final Week CNT-4403: 21.April.2015 1 List of Final Topics User Authentication Protocols Key Distribution and Public Key Certificates Symmetric Key Crypto Access Control Public Key Crypto Cryptographic
More informationFormal methods and access control. Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8
Formal methods and access control Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8 Today s topics: Access control basics Model Matrix and protection states Access control
More informationCSE 380 Computer Operating Systems
CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms 1 Policy vs. Mechanism q Access control policy is a specification
More informationTEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control
TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 2.0, Last Edited 10/1/2006 Students Name: Date of Experiment: Part I: Objective The objective of the exercises
More informationIS 2150 / TEL 2810 Information Security and Privacy
IS 2150 / TEL 2810 Information Security and Privacy James Joshi Professor, SIS Access Control OS Security Overview Lecture 2, Sept 6, 2016 1 Objectives Understand the basics of access control model Access
More informationDAC vs. MAC. Most people familiar with discretionary access control (DAC)
p. 1/1 DAC vs. MAC Most people familiar with discretionary access control (DAC) - Example: Unix user-group-other permission bits - Might set a fileprivate so only groupfriends can read it Discretionary
More informationInformation Security & Privacy
IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Hybrid Models Role based Access Control Feb 3, 2016 1 Objective Define/Understand various Integrity models Clark-Wilson
More informationCS/CIS 249 SP18 - Intro to Information Security
Lab assignment CS/CIS 249 SP18 - Intro to Information Security Lab #2 - UNIX/Linux Access Controls, version 1.2 A typed document is required for this assignment. You must type the questions and your responses
More informationLecture 4: Bell LaPadula
CS 591: Introduction to Computer Security Lecture 4: Bell LaPadula James Hook Objectives Introduce the Bell LaPadula framework for confidentiality policy Discuss realizations of Bell LaPadula References:
More informationPríprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku
Univerzita Komenského v Bratislave Fakulta matematiky, fyziky a informatiky Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku ITMS: 26140230008 dopytovo orientovaný projekt Moderné
More informationCSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions
CSE 390a Lecture 3 Multi-user systems; remote login; editors; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller and Ruth Anderson http://www.cs.washington.edu/390a/ 1
More informationCSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger
CSCI 420: Mobile Application Security Lecture 7 Prof. Adwait Nadkarni Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger 1 cryptography < security Cryptography isn't the solution to
More informationChapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao
Chapter 9: Database Security: An Introduction Nguyen Thi Ai Thao thaonguyen@cse.hcmut.edu.vn Spring- 2016 Outline Introduction to Database Security Issues Types of Security Threats to databases Database
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path TCP wrappers Race conditions NOTE: filenames may differ between OS/distributions
More informationAccess Control Lists. Don Porter CSE 506
Access Control Lists Don Porter CSE 506 Background (1) ò If everything in Unix is a file ò Everything in Windows is an object ò Why not files? ò Not all OS abstractions make sense as a file ò Examples:
More informationP1_L6 Mandatory Access Control Page 1
P1_L6 Mandatory Access Control Page 1 We discussed access control in the last lesson. But that was only one kind of access control called discretionary access control, or DAC. That allows you to decide
More informationIntroduction to Security
IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 6 October 6, 2009 Hybrid Models Role based Access Control 1 Objective Define/Understand various Integrity models
More informationAccess Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy
Access Control: enacting a security policy Access Control COMP 435 Fall 2017 Prof. Cynthia Sturton Which users can access which resources and with which rights 2 Access Control: enacting a security policy
More informationPolicy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems
Policy vs. Mechanism CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms q Access control policy is a specification
More informationData Security and Privacy. Unix Discretionary Access Control
Data Security and Privacy Unix Discretionary Access Control 1 Readings for This Lecture Wikipedia Filesystem Permissions Other readings UNIX File and Directory Permissions and Modes http://www.hccfl.edu/pollock/aunix1/filepermissions.htm
More informationOperating system security
Operating system security Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Outline Access control models in operating systems: 1. Unix 2. Windows Acknowledgements: This
More informationCSE 390a Lecture 4. Persistent shell settings; users/groups; permissions
CSE 390a Lecture 4 Persistent shell settings; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller and Ruth Anderson http://www.cs.washington.edu/390a/ 1 2 Lecture summary
More informationLast time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control
Last time Security Policies and Models Bell La-Padula and Biba Security Models Information Flow Control Trusted Operating System Design Design Elements Security Features 10-1 This time Trusted Operating
More informationAccess control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN
Access control Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2010 1 Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC)
More informationCPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:
CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME: There are 6 questions on this quiz. Each question is individually weighted. If you do not understand the question, please ask for clarification. 1 I. (24
More informationFiles (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1
Files (review) and Regular Expressions Todd Kelley kelleyt@algonquincollege.com CST8207 Todd Kelley 1 midterms (Feb 11 and April 1) Files and Permissions Regular Expressions 2 Sobel, Chapter 6 160_pathnames.html
More informationFreeBSD Advanced Security Features
FreeBSD Advanced Security Features Robert N. M. Watson Security Research Computer Laboratory University of Cambridge 19 May, 2007 Introduction Welcome! Introduction to some of the advanced security features
More informationCSE 390a Lecture 4. Persistent shell settings; users/groups; permissions
CSE 390a Lecture 4 Persistent shell settings; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller and Ruth Anderson http://www.cs.washington.edu/390a/ 1 2 Lecture summary
More informationComputer Security Operating System Security & Access Control. Dr Chris Willcocks
Computer Security Operating System Security & Access Control Dr Chris Willcocks Lecture Content Access Control ACMs ACLs Introduction to *NIX security - we ll cover this more due to server popularity -
More informationChapter 8: Security under Linux
Chapter 8: Security under Linux 8.1 File and Password security Linux security may be divided into two major parts: a) Password security b) File security 8.1.1 Password security To connect to a Linux system
More informationIntroduction to Computer Security
Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability,
More informationOS security mechanisms:
OS security mechanisms: Memory Protection: One of the important aspects of Operating system security is Memory Protection. Memory provides powerful indirect way for an attacker to circumvent security mechanism,
More informationAccess Control CSC WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Fall 2014
Access Control CSC 348 648 WAKE FOREST U N I V E R S I T Y Department of Computer Science Fall 2014 Attempted Topics Describe language/models for talking about security systems ACM, Capabilities and ACLs
More informationProtecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets
Protecting Information Assets - Week 10 - Identity Management and Access Control MIS5206 Week 10 Identity Management and Access Control Presentation Schedule Test Taking Tip Quiz Identity Management and
More informationAsset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if
Asset Analysis Asset Analysis -I It discovers the assets that result in an impact (a loss for the organization) if successfully attacked It should discover which ICT resources an organization needs to
More informationCCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson
CCM 4350 Lecture 14 Security Models 2: Biba, Chinese Wall, Clark Wilson Introduction Bell-LaPadula model designed to capture a specific military security policy. At one time treated as the model of security.
More informationUnix Basics. UNIX Introduction. Lecture 14
Unix Basics Lecture 14 UNIX Introduction The UNIX operating system is made up of three parts; the kernel, the shell and the programs. The kernel of UNIX is the hub of the operating system: it allocates
More informationCase Study: Access Control. Steven M. Bellovin October 4,
Case Study: Access Control Steven M. Bellovin October 4, 2015 1 Case Studies in Access Control Joint software development Mail Steven M. Bellovin October 4, 2015 2 Situations Small team on a single machine
More informationRED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2. 3 June 2013
RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2 3 June 2013 Developed by Red Hat, NSA, and DISA for the DoD Trademark Information Names, products,
More informationMultifactor authentication:
Multifactor authentication: Authenticating people can be based on 2 factors: Something the user KNOWS : e.g. a password or PIN Something the user HAS: e.g. An ATM card, smartcard or hardware token, or
More informationUser accounts and authorization
User accounts and authorization Authentication vs authorization Authentication: proving the identity of someone Authorization: allowing a user to access certain resources 1 Government authorization documents
More informationUNIX File Hierarchy: Structure and Commands
UNIX File Hierarchy: Structure and Commands The UNIX operating system organizes files into a tree structure with a root named by the character /. An example of the directory tree is shown below. / bin
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path Race conditions NOTE: filenames may differ between OS/distributions Principals
More informationAccess Control Part 1 CCM 4350
Access Control Part 1 CCM 4350 Overview of Access Control Lectures Three Lectures on Access Control following D. Gollmann. Computer Security. Wiley: Chapter 4. Part 1: Authorisation and Access Operation
More informationAccess Control Mechanisms
Access Control Mechanisms Chapter 16 Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide 16-1 Overview Access control lists Capability lists Locks and keys Secret sharing Rings-based access
More information