Access Control/Capabilities
- Blanche Norton
- 6 years ago
1 Access Control/Capabilities
Some slides/ideas adapted from Ninghui Li
2 Why Computers are Vulnerable?
Programs are buggy. Humans make mistakes. Access control is not good enough: Discretionary Access Control (DAC), as used in Unix and Windows, assumes that programs are not buggy.
3 Access Control Check
Given an access request, return an access control decision (allow / deny) based on the policy.
[Diagram: a request enters the access control check, which consults the policy and returns allow / deny.]
4 Discretionary Access Control
No precise definition. Basically, DAC allows access rights to be propagated at the subject's discretion; it often has the notion of an owner of an object; used in UNIX, Windows, etc.
According to TCSEC (Trusted Computer System Evaluation Criteria): "A means of restricting access to objects based on the identity and need-to-know of users and/or groups to which they belong. Controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (directly or indirectly) to any other subject."
5 The Confused Deputy Problem
[Diagram: the system admin installs the compiler program SYSX/FORT in directory SYSX, which also holds STAT and the billing file SYSX/BILL; the user invokes the compiler with $OUTPUT as the output file; the compiler writes the output file and also writes to the bill file SYSX/BILL.]
Reference: The Confused Deputy, by Norm Hardy.
6 Analysis of The Confused Deputy Problem
The compiler runs with authority from two sources: the invoker (i.e., the programmer) and the system admin (who installed the compiler and controls billing and other info). It is the deputy of two masters. There is no way to tell which master the deputy is serving when performing a write.
7 Analysis: why DAC is not Good enough
DAC causes the Confused Deputy problem. Solution: use capability-based systems?
DAC does not preserve confidentiality when facing Trojan horses. Solution: use Mandatory Access Control?
The DAC implementation fails to keep track of which principals a subject (process) is acting on behalf of. Solution: fix the DAC implementation to better keep track of principals.
Hierarchical authority: the OS has access to all. Solution: decouple resource management from access control?
8 ACCESS MATRIX MODEL
Rows are subjects, columns are objects (and subjects); each cell holds the rights the subject has on the object.
Subjects \ Objects   F          G
U                    r w own    r
V                               r w own
9 Implementation of the Access Matrix
Access Control Lists: encode columns. Capabilities: encode rows. Some other ways (access control triplets, ...).
10 Capability vs. ACL
Consider two security mechanisms for bank accounts. One is identity-based. Each account has multiple authorized owners. You go into the bank and show your ID; then you can access all accounts you are authorized for. Once you show ID, you can access all accounts, and you have to tell the bank which account to take money from. The other is token-based. When opening an account, you get a passport to that account and a PIN; whoever has the passport and the PIN can access that account.
11 Capabilities vs. ACL: Ambient Authority
Ambient authority means that a user's authority is automatically exercised, without the need of being selected. It causes the confused deputy problem. There is no ambient authority in capability systems.
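The compiler deputy of slides 5 and 6, written out under both encodings of the access matrix from slides 8 to 11. This is an added illustration, not code from the slides or from Hardy's paper: the matrix (subjects user and sysadmin; objects $OUTPUT, SYSX/FORT, SYSX/BILL) is constructed, and grant, compiler_acl, compiler_cap and run_as_user are hypothetical helpers.

```python
from dataclasses import dataclass

# Constructed access matrix for the Confused Deputy story (rows: subjects,
# columns: objects). $OUTPUT is the user's own output file, SYSX/FORT is the
# compiler binary installed by the sysadmin, SYSX/BILL is the billing file.
MATRIX = {
    "user": {"$OUTPUT": {"r", "w", "own"}, "SYSX/FORT": {"x"}},
    "sysadmin": {"SYSX/FORT": {"r", "w", "own", "x"},
                 "SYSX/BILL": {"r", "w", "own"}},
}


class Denied(Exception):
    """Raised when the access control check returns deny."""


def acl(obj):
    """ACL view: the matrix column for obj (subject -> rights)."""
    return {s: set(r[obj]) for s, r in MATRIX.items() if obj in r}


def capability_list(subject):
    """Capability view: the matrix row for subject (object -> rights)."""
    return {o: set(r) for o, r in MATRIX.get(subject, {}).items()}


def acl_allows(subject, obj, right):
    """Identity-based check: look the subject up in the object's ACL."""
    return right in acl(obj).get(subject, set())


# ---- ACL world: the deputy exercises ambient authority ---------------------
def compiler_acl(invoker, output_path):
    """The compiler deputy under identity-based control. Installed by the
    sysadmin and run by the invoker, it carries the authority of both, and
    every write is checked against that combined (ambient) authority, so the
    check cannot tell which master a given write is for."""
    ambient = (invoker, "sysadmin")
    written = []
    # First write: the output file the invoker named (meant for the invoker).
    # Second write: the billing record (meant for the sysadmin).
    for path in (output_path, "SYSX/BILL"):
        if not any(acl_allows(s, path, "w") for s in ambient):
            raise Denied(f"no write authority for {path}")
        written.append(path)
    return written


# ---- Capability world: authority must be handed over explicitly -----------
@dataclass(frozen=True)
class Capability:
    obj: str
    rights: frozenset

    def write(self, log):
        if "w" not in self.rights:
            raise Denied(f"capability for {self.obj} lacks w")
        log.append(self.obj)


def grant(subject, obj):
    """Mint a capability from the subject's own row; a subject cannot obtain
    a capability for an object on which it holds no rights."""
    rights = capability_list(subject).get(obj)
    if not rights:
        raise Denied(f"{subject} holds no rights on {obj}")
    return Capability(obj, frozenset(rights))


# The sysadmin hands the compiler a capability for the billing file when
# installing it; this is the only authority the deputy holds on its own.
BILL_CAP = grant("sysadmin", "SYSX/BILL")


def compiler_cap(output_cap, bill_cap=BILL_CAP):
    """The compiler deputy under capability control: it has no ambient
    authority and writes only through the capabilities it was given."""
    written = []
    output_cap.write(written)
    bill_cap.write(written)
    return written


def run_as_user(output_path):
    """The user designates the output file by presenting a capability for it;
    designation and authority are the same act, so the deputy can never be
    pointed at a file the user could not write."""
    return compiler_cap(grant("user", output_path))
```

Calling compiler_acl("user", "SYSX/BILL") overwrites the billing file twice, because the sysadmin's ambient authority satisfies the check; run_as_user("SYSX/BILL") is refused at grant time, before the deputy ever runs.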
12 DAC's Weaknesses Caused by The Gap
A request: a subject wants to perform an action (e.g., processes in the OS). The policy: each principal has a set of privileges (e.g., user accounts in the OS). It is challenging to fill the gap between the subjects and the principals, i.e., to relate the subject to the principals.
13 Unix DAC Revisited (1)
Action | Process | Effective UID | Real Principals
User A logs in | shell | User A | User A
Load binary Goodie (controlled by user B) | Goodie | User A | ??
When the Goodie process issues a request, which principal(s) is/are responsible for the request? Under what assumption is it correct to say that User A is responsible for the request?
Assumption: programs are benign, i.e., they only do what they are told to do.
14 UNIX DAC Revisited (2)
Action | Process | Effective UID | Real Principals
- | shell | User A | User A
Load AcroBat Reader binary | AcroBat | User A | User A
Read file downloaded from network | AcroBat | User A | ??
When the AcroBat process (after reading the file) issues a request, which principal(s) is/are responsible for the request? Under what assumption is it correct to say that User A is responsible for the request?
Assumption: programs are correct, i.e., they handle inputs correctly.
15 Hierarchical Authority compounding the problem
The OS is the super-user: it has DAC access to all processes. The OS is both the resource manager and the access control manager. Can we decouple these roles? OS exploits are deadly: full authority to access anything is obtained.
16 Hierarchical authority and cross-layer attacks
17 What should we do instead?
Other models of access control. Mandatory access control: remove the discretionary part, so you cannot pass on permissions; permissions are specified by the system and cannot be changed (e.g., using labels). Role based access control: permissions are associated with a role. We still have to solve the hierarchical authority problem. Security vs. usability.
18 Can we do this in software?
Can we, at least, do better? Are there quick and dirty fixes? Consider SMEP/SMAP, kGuard, SecVisor.
Plan for today: Nithin presents HyperWall; Nael presents NIMP: finer-grained mandatory access control; Nael overviews SELinux (software supported access control), possibly next time; Nael presents CHERI: practical hardware supported capabilities (next time).
19 Security Enhanced Linux (SELinux)
Developed by the National Security Agency (NSA) and Secure Computing Corporation (SCC) to promote MAC technologies. MAC functionality is provided through the FLASK architecture. Policies are based on the type-enforcement model. Integrated into 2.6 kernels. Available in most (all?) modern Linux distributions.
20 FLASK: Flux Advanced Security Kernel
Developed over the years (since 1992) in several projects: DTMach, DTOS, Fluke. A general MAC architecture. Supports flexible security policies and a user friendly security language (syntax). Separates policies from enforcement. Enables using more information when making access control decisions, e.g., user ids, domains/types, roles.
21 Type Enforcement (or Domain Type Enforcement)
Type enforcement was first proposed by W. E. Boebert and R. Y. Kain, "A Practical Alternative to Hierarchical Integrity Policies," in Proceedings of the 8th National Computer Security Conference. It aims at ensuring integrity. Key idea for type enforcement: use the binary being executed to determine access. What do DAC and MAC use?
22 Rationale of Type Enforcement (1)
The integrity level should be associated with programs (rather than processes). Trust in programs is required for integrity. Examples of assured pipelines: Labeling: all printouts of documents must have security labels correctly printed by a labeller. Encrypting: before sending certain data to an output channel, it must be encrypted by an encryption module. Data must pass through a certain transforming system before going to certain outputs.
23 Domain-type Enforcement: High-level Idea
Add a new access matrix: one row for each subject domain (more or less), one column for each pair (object type, security class). Each cell contains all operations the subject can perform on objects of a particular type and security class.
24 Domain-type Enforcement (1)
Each object is labeled by a type (object semantics). Example: /etc/shadow has type etc_t; /etc/rc.d/init.d/httpd has type httpd_script_exec_t. Objects are grouped by object security classes, such as files, sockets, IPC channels, capabilities. The security class determines what operations can be performed on the object. Each subject (process) is associated with a domain, e.g., httpd_t, sshd_t, sendmail_t.
25 Domain-type Enforcement (2)
Access control decision: when a process wants to access an object, consider the following: process domain, object type, object security class, operation. Example access vector rule:
allow sshd_t sshd_tmp_t:file { create read write getattr setattr link unlink rename };
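The decision of slides 23 to 25 as a small access-vector evaluator: it parses allow rules in SELinux policy syntax into the (domain, type, class) matrix and answers requests with default deny. Added illustration, not SELinux's own code; the sshd_t rule is the one on the slide (with the trailing semicolon the real syntax requires), the httpd_t rules are constructed, and the evaluator ignores the other inputs a real kernel consults (constraints, neverallow checks, the MLS component).

```python
import re
from collections import defaultdict

# Access vector rules in SELinux policy syntax. The sshd_t rule is the one on
# the slide; the two httpd_t rules are constructed for the illustration.
POLICY = """
allow sshd_t sshd_tmp_t:file { create read write getattr setattr link unlink rename };
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file append;
"""

# allow <source domain> <target type>:<class> { perm ... } | perm ;
RULE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{([^}]*)\}|(\w+))\s*;"
)


def parse_policy(text):
    """Build the DTE matrix: {(domain, type, class): set of permissions}.
    Several rules for the same triple accumulate, as in a real policy."""
    av = defaultdict(set)
    for m in RULE.finditer(text):
        domain, otype, oclass, many, single = m.groups()
        av[(domain, otype, oclass)].update(many.split() if many else [single])
    return dict(av)


def decide(av, domain, otype, oclass, op):
    """The four inputs named on the slide. Default deny: an operation is
    permitted only if some allow rule grants it for exactly this triple."""
    return op in av.get((domain, otype, oclass), set())


def denied_ops(av, domain, otype, oclass, ops):
    """A request usually asks for a vector of permissions at once; return
    the ones the policy does not grant (an empty set means the request passes)."""
    return {op for op in ops if not decide(av, domain, otype, oclass, op)}
```

Note that a domain's rights on a type say nothing about any other domain: httpd_t reading sshd_tmp_t is denied simply because no rule mentions that pair, which is the per-program granularity slide 26 goes on to criticise.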
26 Limitations of the Type Enforcement Model
Results in very large policies: hundreds of thousands of rules for Linux, difficult to understand. Using only programs, but not information flow tracking, cannot protect against certain attacks. Consider for example: httpd -> shell -> load kernel module.
27 SELinux in Practice
Theoretically, it can be configured to provide high security. In practice, it is mostly used to confine daemons like web servers: they have more clearly defined data access and activity rights, and they are often targets of attacks. A confined daemon that becomes compromised is thus limited in the harm it can do. Ordinary user processes often run in the unconfined domain: not restricted by SELinux, but still restricted by the classic Linux access rights.
28 Non-inclusive Memory Permissions
Idea: we don't give full permissions to the OS/hypervisor. We also don't let them manage permissions. But we need to let them manage some permissions to do their work: specify the set of legal permission transitions.
29 NIMP Design
More informationSELinux Protected Paths Revisited
SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering Pennsylvania State University March 1, 2006 1 Talk Topics Mechanism for MAC enforcement between 2 machines
More informationChapter 13: Protection. Operating System Concepts Essentials 8 th Edition
Chapter 13: Protection Operating System Concepts Essentials 8 th Edition Silberschatz, Galvin and Gagne 2011 Chapter 13: Protection Goals of Protection Principles of Protection Domain of Protection Access
More informationCERIAS Tech Report Analysis of access control policies in operating systems by Hong Chen Center for Education and Research Information
CERIAS Tech Report 2009-37 Analysis of access control policies in operating systems by Hong Chen Center for Education and Research Information Assurance and Security Purdue University, West Lafayette,
More informationCS 591: Introduction to Computer Security. Lecture 3: Policy
CS 591: Introduction to Computer Security Lecture 3: Policy James Hook Objectives Explore what a security policy is; develop a vocabulary to discuss policies Examine the role of trust in policy 1 What
More information6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.
6.858 Lecture 4 OKWS Administrivia: Lab 1 due this Friday. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS. Privilege separation
More informationCCM Lecture 12. Security Model 1: Bell-LaPadula Model
CCM 4350 Lecture 12 Security Model 1: Bell-LaPadula Model Why Security Models? When we have implemented a security policy, do we know that it will (and can) be enforced? E.g., if policies get too intricate,
More informationPrivilege Escalation
Privilege Coleman Kane Coleman.Kane@ge.com February 9, 2015 Security Vulnerability Assessment Privilege 1 / 14 root, or Privilege or Elevation is the act of gaining access to resources which were intended
More informationAsbestos Operating System
Asbestos Operating System Presented by Sherley Codio and Tom Dehart This Talk Recap on Information Flow Asbestos Overview Labels Special Rules Discretionary Contamination Declassification/Decontamination
More informationUnit OS7: Security The Security Problem. Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze
Unit OS7: Security 7.1. The Security Problem Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze 2 Copyright Notice 2000-2005 David A. Solomon and Mark Russinovich
More informationComplex Access Control. Steven M. Bellovin September 10,
Complex Access Control Steven M. Bellovin September 10, 2013 1 Access Control Matrix List all proceses and files in a matrix Each row is a process ( subject ) Each column is a file ( object ) Each matrix
More information