Identity-based Access Control

Similar documents
Outline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution

Software Security. Case Study: Java 2 Security. Copyright of HeathWallace 2008

Java Security. A Brief Introduction. Fred Long. The University of Wales, Aberystwyth UK. U.W. Aberystwyth CS25610/CHM5610. Java Security p.

The security mechanisms of Java

Java Internals. Frank Yellin Tim Lindholm JavaSoft

Protection Goals of Protection Principles of Protection principle of least privilege Domain Structure need to know principle

Bypassing Browser Memory Protections

When Java technology burst onto the Internet scene in 1995,

Java 2 Security. Dean Wette Senior Software Engineer Object Computing, Inc.

Security context. Technology. Solution highlights

CMPSC 497: Java Security

Separating Access Control Policy, Enforcement, and Functionality in Extensible Systems. Robert Grimm University of Washington

The Java Language Implementation

Today. Instance Method Dispatch. Instance Method Dispatch. Instance Method Dispatch 11/29/11. today. last time

Labels and Information Flow

Java Security. Compiler. Compiler. Hardware. Interpreter. The virtual machine principle: Abstract Machine Code. Source Code

Access Control Lists. Don Porter CSE 506

3A01:.Net Framework Security

Security and the.net Framework

Security and the.net Framework

High-Level Language VMs

Distributed Systems Security: Java, CORBA, and COM+ April L. Moreno September 14, Abstract

Addressing Security In The Eclipse Core Runtime (RCP)

Microsoft Core Solutions of Microsoft SharePoint Server 2013

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

2 rd class Department of Programming. OOP with Java Programming

Recent Java Exploitation Techniques HackPra

CSE543 - Computer and Network Security Module: Virtualization

Sandboxing untrusted code: policies and mechanisms

Java An example of a secured architecture

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Operating System Security

Advanced Systems Security: Ordinary Operating Systems

0x1A Great Papers in Computer Security

W H IT E P A P E R. Salesforce Security for the IT Executive

Java Security HotJava to Netscape and Beyond

CSE543 - Computer and Network Security Module: Virtualization

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Language Techniques for Provably Safe Mobile Code

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Microsoft SharePoint Server 2013 Plan, Configure & Manage

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 4

Influential OS Research Security. Michael Raitza

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

20331B: Core Solutions of Microsoft SharePoint Server 2013

Code42 Security. Tech Specs Data Protection & Recovery

CSE 565 Computer Security Fall 2018

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Chapter 10 Web-based Information Systems

An Operational Semantics of Java 2 Access Control

Architectures for secure portable executable content

CS2110 Fall 2011 Lecture 25. Under the Hood: The Java Virtual Machine, Part II

Pass Microsoft Exam

Confinement (Running Untrusted Programs)

assembler Machine Code Object Files linker Executable File

Protection. Thierry Sans

Configuration of Windows 2000 operational consoles and accounts for the CERN accelerator control rooms

Tabular Presentation of the Application Software Extended Package for Web Browsers

Advanced Access Control. Role-Based Access Control. Common Concepts. General RBAC Rules RBAC96

CSE543 - Computer and Network Security Module: Virtualization

Course : Planning and Administering SharePoint 2016

MWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Requirements for IT Infrastructure

MOC 6232A: Implementing a Microsoft SQL Server 2008 Database

C and C++ Secure Coding 4-day course. Syllabus

Real Application Security Administration

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Some Lessons Learned from Designing the Resource PKI

Module 4: Access Control

Method-Level Phase Behavior in Java Workloads

1. Introduction to the Common Language Infrastructure

Web Servers and Security

ELEC 377 Operating Systems. Week 1 Class 2

Aventail README ASAP Platform version 8.0

Security Vulnerability Notice

Advanced Systems Security: Ordinary Operating Systems

Programming Languages FILS Andrei Vasilateanu

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

FUSION REGISTRY COMMUNITY EDITION SETUP GUIDE VERSION 9. Setup Guide. This guide explains how to install and configure the Fusion Registry.

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

Oracle Database. Installation and Configuration of Real Application Security Administration (RASADM) Prerequisites

KAIST Graduate School of Information Security SAR(Security Analysis Report)

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.

Security. Principles of Security Design. Morris Worm [Robert Morris, Jr] Trojan Horse [Ken Thompson] Stack Smashing.

Secure Architecture Principles

A: PLANNING AND ADMINISTERING SHAREPOINT 2016

Operating systems and security - Overview

Operating systems and security - Overview

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Outline. (Old) Java Security. What is Java? Java Modes of Use. Java Virtual Machine (VM) and Class File Format. Java Language

NAC 2007 Spring Conference

Towards Introducing Code Mobility on J2ME. Laurentiu Lucian Petrea and Dan Grigoras Computer Science Department UCC Cork, Ireland

Buffer overflow background

6.858 Quiz 2 Review. Android Security. Haogang Chen Nov 24, 2014

Security Architecture

Non conventional attacks Some things your security scanner won t find OWASP 23/05/2011. The OWASP Foundation.

NetDefend Firewall UTM Services

Secure Architecture Principles

Transcription:

Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like universities, research labs, that have authority over its members. Members (users) can be physically located. Access control policies refer naturally to user identities. Audit logs point to users who can be held accountable. Access control seems to require by definition that identities of persons are verified. Other Aspects Access rules are local: no need to search for the rule that should be applied since stored in ACL with the object. Enforcement of rules is centralized: reference monitor is independent when making a decision. Simple access operations: read, write, execute; single subject per rule; no rules based on object content. Homogeneity: same organisation defines organizational security policy and automated security policy.

Changes in the 1990s Internet connections to parties never met before: identity cannot be part of our access rules. not always able to hold them accountable. Java sandbox shows it is not necessary to refer to users when describing or enforcing access control. Access controlled at level of applets, not at granularity of read/write/execute. Instead of asking who made the request, ask what to do with it. What changed with the web? Separation of program and data is blurred; executable content (applets, scripts) embedded in interactive web pages that can process user input. Computation moved to the client who needs protection from rogue content providers. Lesson from early PC age: floppy disks from arbitrary sources were the route for computer virus infections. Client asked to make decisions on security policy and on enforcing security: end user becomes system administrator and policy maker. Browser becomes part of the TCB.

Changes in the Environment When organisations collaborate, access control can be based on more than one policy and potential conflicts between policies have to be addressed. How to export security identifiers from one system into another system? Decision on access requests may be made by entity other than the one enforcing it How does a user know which credentials to present? Code-based Access Control If not possible to rely on principal who requests an access control decision, look at the request itself. Requests can be programs, rather than elementary read/write instructions. Code-based access control: access control where permissions are assigned to (parts of) code. Major examples: Java security model,.net security framework (code access control).

Access Control Parameters Security attributes of code could be: Site of code origin: local or remote? URL of code origin: intranet or Internet? Code signature: signed by trusted author? Code proof: code author provides proof of security properties Identity of sender: principal the code comes from Questions central to code-based access control. In code-based access control, when process calls another function, access decisions refer to access rights assigned to that function. Should calling process also delegate some of its access rights to process executing the function being called? Should calling process limit access rights of the function executing the program being called? Which privileges should be valid when one function calls another function?

Call Chains A B R Example 1: function A has access right to resource R, B does not; A calls B, B requests access to R: Should access be granted? Conservative answer is no, but A could explicitly delegate the access right to B. Example 2: function B has access right to resource R, A does not; A calls B, B requests access to R: Should access be granted? Conservative answer is no, but B could explicitly assert its access right. Enforcing Policies How to compute current permissions granted to code? Access decisions should know about entire call chain. Information about callers maintained on call stack used by Java VM for managing executions. Design decision: re-use call stack for policy evaluation. Lazy evaluation: evaluate granted permissions just when a permission is required to access a resource.

Dynamic Stack Inspection Record, for each stack frame, the security permissions of the function. Rights of final caller are computed as the intersection of permissions for all entries on call stack. A B effective rights = rights(b) rights(a) Limits of Stack Inspection Access control explained in terms of runtime stack for implementation reasons (lazy evaluation). Performance? Common optimizations are disabled. Security: What guaranteed by stack inspection? Hard to relate to high-level security policies. Two concerns for developers: Untrusted component may take advantage of my code. Permissions may be missing when running my code. Stack inspection blind to many control and data flows: Parameters, results, mutable data, objects, inheritance, callbacks, events, exceptions, concurrency Each case requires a specific discipline or mechanism.

Java Security Java: strongly typed - type safe - object-oriented general purpose programming language. Static (and dynamic) type checking to examine whether arguments received during execution always of correct type. Security: no pointers arithmetic; memory access through pointers one of main causes for security flaws in C or C++. Java source code translated into machine independent byte code (similar to assembly language) and stored in class files. Platform specific virtual machine interprets byte code translating it into machine specific instructions. When running a program, a Class Loader loads any additional classes required. Security Manager enforces the given security policy. Java Execution Model Java Source Code Compiler Java Byte Code Java Runtime Byte Code Verifier Class Loader executable Security Manager

JDK 1.1 Security Model local code remote code (applet) trusted (signed) code (added in version 1.1) full access to resources Sandbox restricted access Security Manager system resources Discussion Basic policy inflexible: Local/signed code is unrestricted. Applet/unsigned code is restricted to sandbox. No intermediate level: how to give some privileges to a home banking application? Local/remote is not a precise security indicator: Parts of local file system could reside on other machines Downloaded software becomes trusted once cached or installed on local system. For more flexible security policies a customized security manager needed to be implemented. Requires security AND programming skills.

Java 2 Security Model Java 2 security model no longer based on distinction between local code and applets, and applets and applications controlled by same mechanisms. Reference monitor of Java security model performs fine-grained access control based on security policies and permissions. Policy definition separated from policy enforcement. Single method checkpermissions() handles all security checks. Byte Code Verifier Analyzes Java class files: performs syntactic checks, uses theorem-provers and data flow analysis for static type checking. There is still dynamic type checking at run time Verification guarantees properties like: Class file is in proper format. Stacks will not overflow. All operands have arguments of correct type. No data conversion between types. All references to other classes are legal.

Class Loaders Protect integrity of run time environment; applets not allowed to create their own Class Loaders and to interfere with each other. Vulnerabilities in a class loader are particularly security critical (if exploited by attacker to insert rogue code). Each Class Loader has own name space; each class labeled with Class Loader that installed it. Security Policies Security policy: maps set of properties characterizing running code to set of access permissions granted to the code. Code characterized by CodeSource: origin (URL) digital certificates Permissions contain target name and set of actions and granted to protection domains: Classes and objects belong to protection domains and inherit the granted permissions. Each class belongs to one and only one domain.

Security Manager Security Manager: reference monitor in JVM; security checks defined in AccessController class. Uniform access decision algorithm for all permissions. Access (normally) only granted if all methods in the current sequence of invocations have the required permissions ( stack walk ). Controlled invocation: privileged operations; doprivileged() tells the Java runtime to ignore the status of the caller. Summary Java 2 security model flexible and feature-rich; it gives a framework but does not prescribe a fixed security policy. JAAS (Java Authentication and Authorization Service) adds user-centric access control. Sandbox enforces security at service layer; security can be undermined by access to layer below: users running applications other than web browser. attacks by breaking the type system.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback