Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

Transcription

1 Access Control: enacting a security policy Access Control COMP 435 Fall 2017 Prof. Cynthia Sturton Which users can access which resources and with which rights 2 Access Control: enacting a security policy Access Control: enacting a security policy Who How Subject Right or Type Which users can access which resources and with which rights Which users can access which resources and with which rights What Object 3 4

2 Users Subjects Users Objects Processes Processes Files Memory 5 I/O devices 6 Users Objects Read Access Type Processes Subjects Write Files Execute Memory Create I/O devices 7 Transfer 8

3 Best Practice Universal application Best Practices for Access Control Least privilege Type checking 9 10 Universal Application Non-Universal Application Random checking Every access by a subject to an object should be checked Random auditing Selective checking 11 12

4 Least Privilege Type Checking Every subject should be granted the least amount of access necessary to do its job Operations should be meaningful for the object accessed Discretionary Access Control (DAC) Access Control Policies Access Control Policies Mandatory Access Control (MAC) Role-based Access Control (RBAC) Attribute-based Access Control (ABAC) 15 16

5 Objects Access Control Matrix Discretionary Access Control (DAC) Subjects 17 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: ). Copyright 2015 by Pearson Education, Inc. All rights reserved. 18 Access Control Matrix Access Control List + Single listing of all objects + Eases revocation + No aliasing - Sparse - Inefficient 19 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: ). Copyright 2015 by Pearson Education, Inc. All rights reserved. 20

6 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: ). Copyright 2015 by Pearson Education, Inc. All rights reserved. Access Control Directory Access Control Directory + Easy to implement + Easy to understand - Long lists - Revoking access requires a search through every list - Aliasing may cause ambiguous access rights Permissions Permission vs. Authority Type of actions or rights granted directly to a process for a given object 23 24

7 Authority Ambient Authority Type of actions or rights granted directly or indirectly to a process for a given object All the extant permissions of the current execution context Confused Deputy SetUID Group SetUID A program running with multiple sets of permissions uses all permissions indiscriminately r w x r w x r w x suid guid Owner Users myfile.exe 27 28

8 \\gcc program int main(int argc, char *argv[]) { //compile code //write to log FILE *fp = fopen(argv[2], "w"); //write out statistics: fp = fopen("/etc/compiler_stats", "a"); } $ gcc prog.c log.txt \\gcc program int main(int argc, char *argv[]) { //compile code //write to log FILE *fp = fopen(argv[2], "w"); //write out statistics: fp = fopen("/etc/compiler_stats", "a"); } $ gcc prog.c log.txt $ gcc prog.c "/etc/passwd" Capabilities Unforgeable token Analogy: Confused Valet Possession of the token grants access rights Directly ties access right to object Think physical key 31 32

9 \\compiler program int main(int argc, char *argv[]) { //compile code //write to log FILE *fp = fopen(argv[2], user_cap); //write out statistics: fp = fopen("/etc/compiler_stats", system_cap); } $ gcc prog.c log.txt $ gcc prog.c "/etc/passwd" > ERROR: no capability for passwd file! 33 Mandatory Access Control 34 Discretionary Access Control Discretionary Access Control Alice Access List for secretfile.pdf Bob - R Alice Secret File I have a file! Can I see it? Bob Sure! 35 36

10 Security Levels Bell-LaPadula Model Confidentiality top secret > secret > confidential > restricted > unclassified No read up Simple security property Bell-LaPadula Model Biba Integrity Model Confidentiality No read up Simple security property No write down *-property Integrity No write up No read down 39 40

11 Reference Monitor Complete mediation A Reference Monitor Tamperproof Verifiable 41 42