CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

Similar documents
CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

IS 2150 / TEL 2810 Information Security and Privacy

Operating system security

Unix, History

Introduction to Security

Access Control Mechanisms

Operating system security models

Introduction to Security

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Information Security Theory vs. Reality

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

CIS 5373 Systems Security

Secure Architecture Principles

Discretionary Access Control

Module 4: Access Control

Access Control Mechanisms

INSE 6130 Operating System Security

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

Operating System Security

Access Control CSC WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Fall 2014

Secure Architecture Principles

Operating Systems Security Access Control

P1L5 Access Control. Controlling Accesses to Resources

Secure Architecture Principles

Access Control. Steven M. Bellovin September 13,

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

CSE 380 Computer Operating Systems

Protection Goals of Protection Principles of Protection principle of least privilege Domain Structure need to know principle

Introduction to Computer Security

Operating systems and security - Overview

Operating systems and security - Overview

Protection and Security

Secure Architecture Principles

cs642 /operating system security computer security adam everspaugh

A Survey of Access Control Policies. Amanda Crowell

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

Silberschatz and Galvin Chapter 19

Access Control. Steven M. Bellovin September 2,

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

Data Security and Privacy. Unix Discretionary Access Control

OS security mechanisms:

SECURITY IN COMPUTING, Access Control Matrix

Chapter 4 Protection in General-Purpose Operating Systems

Networks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003

INSE 6130 Operating System Security. Overview of Design Principles

Table 12.2 Information Elements of a File Directory

Login und Authentifizierung

Files. File Structure. File Systems. Structure Terms. File Management System. Chapter 12 File Management 12/6/2018

Chapter 13: Protection. Operating System Concepts Essentials 8 th Edition

PROCESS CONTROL BLOCK TWO-STATE MODEL (CONT D)

CSC 553 Operating Systems

Secure Architecture Principles

Amplifying. Examples

CST8207: GNU/Linux Operating Systems I Lab Six Linux File System Permissions. Linux File System Permissions (modes) - Part 1

UNIX Administration Course

INSE 6130 Operating System Security

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

General Access Control Model for DAC

Formal methods and access control. Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8

Chapter 14: Protection. Operating System Concepts 9 th Edition

Access Control: The Matrix Model. by Amit Konar Dept. of Math and CS, UMSL

Chapter 8: Security under Linux

Multifactor authentication:

Privileges: who can control what

Secure Architecture Principles

Introduction to Computer Security

FluidFS in a Multi-protocol (SMB/NFS) Environment

Processes are subjects.

Configure advanced audit policies

Why secure the OS? Operating System Security. Privilege levels in 80X86 processors. The basis of protection: Seperation. Privilege levels - A problem

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Datasäkerhet/Data security EDA625 Lect5

Amplifying. Only stack module can alter, read x So process doesn t get capability, but needs it when x is referenced a problem!

Operating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07

Windows Server 2008 Active Directory Resource Kit

Processes are subjects.

IT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Access Control. Tom Chothia Computer Security, Lecture 5

Operating systems fundamentals - B10

Exercise 4: Access Control and Filesystem Security

User accounts and authorization

Pre-Assessment Answers-1

0Activity Answers. Table A1-1: Operating system elements and security mechanisms. The Security Accounts Manager (SAM)

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

Improving the Granularity of Access Control for Windows 2000

Basic File Attributes

Getting Started with Linux

O/S & Access Control. Aggelos Kiayias - Justin Neumann

CSE 565 Computer Security Fall 2018

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

Case Study: Access Control. Steven M. Bellovin October 4,

Chapter 17: System Protection

Basic File Attributes

CPS221 Lecture: Operating System Protection

Permission and Ownership

Transcription:

CS 392/681 - Computer Security Module 6 Access Control: Concepts and Mechanisms

Course Policies and Logistics Midterm grades Thursday. Read Chapter 2 and 15 th of text Lab 4 postponed - due next week. 10/23/2002 Module 6 - Access Control 2

Access Control Any system consists of objects and subjects (active objects such as processes, users etc.) which access these objects. The security policy of a system defines What a subject is allowed to do What may be done with an object In other words Access Control Two issues How do you specify access control to be performed? How do you implement access control policy? 10/23/2002 Module 6 - Access Control 3

Reference Monitor Concept Subject Request Reference Monitor Grant Request Deny Request Above is just a conceptual model An actual system may not include an explicit reference monitor But we need to define functionality of the reference monitor and design mechanisms for its implementation. 10/23/2002 Module 6 - Access Control 4

Protection System The state of a system. For computer systems values of all memory locations including secondary storage, registers, components etc. Protection state subset that deals with protection (access control). Protection system system that controls the state transitions that affect the protection states. 10/23/2002 Module 6 - Access Control 5

Access Control Matrix (ACM) Model Simplest framework for describing protection system. A Matrix A with a[s, o] R, where s S the set of subjects, o O the set of objects and R is the set of rights the subject has over the object. The triple (S, O, A) represents the protection state of the system. File 1 File 2 Process 1 Process 2 Process 1 r,w,o r r,w,x,o w Process 2 a r,o r r,w,x,o 10/23/2002 Module 6 - Access Control 6

Meaning of Rights The set of objects, subjects and rights vary from system to system Hostname Telegraph Nob Toadfax Telegraph Own ftp ftp Nob ftp,nfs,mail,own ftp,nfs,mail Toadfax ftp,mail ftp,nfs, own Interpretation of rights varies from system to system. For example, a process reading a process. 10/23/2002 Module 6 - Access Control 7

Generality Model is general. For example, programming language accesses: Inc_ctr Dec_ctr manager counter + - Inc_ctr call Dec_ctr call manager call In fact, entries in ACM can even be functions that determine rights based on state, history, time of day etc. For example, a locking function that ensures no access while write. Your text has even more elaborate examples. 10/23/2002 Module 6 - Access Control 8

Access Control Mechanisms Various access control mechanisms have been proposed: Access Control Matrix Access Control List Capability based access control Lock and Key based access control. 10/23/2002 Module 6 - Access Control 9

Discretionary and Mandatory Controls A discretionary access control mechanism is defined as those procedures and mechanisms that enforce specified mediation at the discretion of individual users. A mandatory access control mechanism is defined as those procedures and mechanisms that enforce specified mediation not at the discretion of individual users but rather at the discretion of a centralized system administration facility. 10/23/2002 Module 6 - Access Control 10

Access Control Matrix (ACM) An Access Control Matrix is a table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object. 10/23/2002 Module 6 - Access Control 11

ACM - Example Consider system with two files and two processes. Set of rights is - r,w,x,a,o (read, write, execute, append, own). File 1 File 2 Process 1 Process 2 Process 1 r,w,o r r,w,x,o w Process 2 a r,o r r,w,x,o Can get very large and hence inefficient in general purpose scenarios seldom used. 10/23/2002 Module 6 - Access Control 12

Access Control Lists Instead of using ACM, Access Control List (ACL). Essentially store each column of ACM with the object it represents. Definition: Let S be set of subjects and R the set of rights of a system. An access control list l is a set of pairs l = {( s, r) : s S, r R}. Let acl be a function that determines the access control list associated with a particular object o. acl( o) = {( si, ri):1 i n} means that subject s i may access o using any right in r i. 10/23/2002 Module 6 - Access Control 13

ACL - Example For ACM shown earlier, corresponding ACL s are: acl(file 1) = {(proc.1, {r,w,o}) (proc. 2, {a})} acl(file 2) = {(proc.1, {r}) (proc. 2, {r,o})} acl(proc.1) = {(proc.1,{r,w,x,o}) (proc.2, {r}) acl(proc.2) = {(proc.1,{rw}) (proc.2, {r,w,x,o}) 10/23/2002 Module 6 - Access Control 14

Abbreviated ACL s Although same amount of storage, it is now distributed. To further reduce storage, one can abbreviate ACL s as in UNIX. One can also assign default access to groups of subjects as well as specific rights to individual subjects. Two ways of doing this: 1) What is not prohibited is permitted 2) What is not permitted is prohibited. Latter always better!! Example: Unix hosts.allow and hosts.deny files. 10/23/2002 Module 6 - Access Control 15

Example - File Protection in Unix UNIX - allow read, write, execute, delete to each of the individual groups - owner, group, world. Difficult for users in different groups to share files, since each user may belong to exactly one group. NT - Combination of groups, Access Control Lists and capability based control. The Unix set userid (suid) scheme allows another user to temporarily acquire the protection level of a files owner. While executing the program to change their own password, Unix users actually acquire temporary modify access to the systems password file, but in a controlled way using suid. 10/23/2002 Module 6 - Access Control 16

Unix special users Special user with extra privileges root. UID is 0. Can do (almost) anything!! Holy grail of hackers! Other special users daemon or sys handles some network services ftp used for anonymous FTP access. uucp manages UUCP system. guest used for site visitors. lp - used by printer system Etc. 10/23/2002 Module 6 - Access Control 17

Unix Groups Every user belongs to one or more groups. The GID of primary group the user belongs to is stored in passwd file. Groups useful for access control features. /etc/groups contains a list of all groups in the system along with GID s. Some special groups wheel - group of administrators uucp, lp, etc. groups corresponding to special users. 10/23/2002 Module 6 - Access Control 18

Unix file access control Each file entry in a directory is a pointer to a data structure called inode. mode uid gid atime mtime itime Block count Type of file and access rights User who owns the file Group which owns the file Access time Modification time Inode alteration Size of file Pointer to physical location 10/23/2002 Module 6 - Access Control 19

Unix file permission bits Two examples of file permissions obtained by ls l command -rw------- drwxr-xr-x First character indicates type of file - plain file d directory c character device (tty or printer) b block device l symbolic link Etc. 10/23/2002 Module 6 - Access Control 20

File permission bits (contd.) Next nine characters taken in groups of three indicate who can do what with the file R Permission to read W Permission to write X Permission to execute The three classes of permission correspond respectively to Owner Group Other 10/23/2002 Module 6 - Access Control 21

File permission bits special cases File permission bits do not apply to symbolic links. If you have x access but no r access you can execute the program without reading it (not on linux). Execute permission in a directory means you can change to the directory. Secret Files! File permission bits also commonly specified in octal notation. 0777 mean -rwxrwxrwx, 0600 means -r_x------, etc. 10/23/2002 Module 6 - Access Control 22

Umask and default permissions umask (User file creation mode mask) is a four digit octal number used to determine file permissions for newly created files. It defines permission you do not want to be given (the bit-wise complement of the permission you want a file to have by default). 0666 default mode means 0222 umask. 0077 umask means 0022 means Set up at log in time in environment variables. 10/23/2002 Module 6 - Access Control 23

The suid bit Sometimes unprivileged users must perform tasks that are privileged. Change password thereby modify /etc/passwd. UNIX allows certain programs to change UID to their owner when executed. SUID programs change UID to owner. SGID programs change GID to owners group. ls l command indicates if SUID or SGID -rwsr-xr-x indicates SUID -rwxr-sr-x indicates SGID 10/23/2002 Module 6 - Access Control 24

Limitations of UNIX file permission system Abbreviated ACL s in general and UNIX in particular may not be flexible enough for many circumstances. Consider the following example: 5 users, Anne, Beth, Caroline, Della and Elizabeth. Anne wants Beth to read her file and nothing else. She wants Caroline to write Della to only read and write Elizabeth to only execute Above not possible with Unix file permission bits!! 10/23/2002 Module 6 - Access Control 25

Augmenting abbreviated ACL s AIX uses extended permissions to augment base permissions. attributes: base permissions: owner (bishop): rwgroup (sys): r others: --- extended permissions enabled specify rw- u:heberlei permit -w- u:nelson, g=sys permit rw- u:levitt deny -w- u:heberlei, g=faculty 10/23/2002 Module 6 - Access Control 26

Issues to consider while designing an ACL based system Which subject can modify an objects ACL? Does ACL apply to privileged user (root), if any? Does ACL support groups or wildcards? How are contradictory permissions handled? If default permissions allowed, do ACL s modify it? Or is default used only when subject not explicitly mentioned in ACL? Read text for examples of how above are handled in different systems. 10/23/2002 Module 6 - Access Control 27

Revoking Rights Revoking involves deletion of subject s rights from object s ACL. Typically owner of object has ability to provide or delete rights. If ownership does not control the giving of rights, then revocation is more complex. 10/23/2002 Module 6 - Access Control 28

Capability based access control. Conceptually, capability is row of ACM i.e. list of rights for a subject. Definition: Let O be set of objects, and R the set of rights of a system. A capability list c is a set of pairs c= {( o, r) : o O, r R}. Let cap be function that determines capability list c associated with subject s. Then cap() s = {( oi, ri):1 i n} is that subject s may access o i using any right in r i. 10/23/2002 Module 6 - Access Control 29

Example For the ACM we saw earlier, capability lists are: cap(proc. 1) = {(file1, {r,w,o}), (file2, {r}), (proc 1, {r,w,x,o}), (proc 2, {w})}. cap(proc. 1) = {(file1, {r,w,o}), (file2, {r}), (proc 1, {r}), (proc 2, {r,w,x,o})}. 10/23/2002 Module 6 - Access Control 30

Capability Based Access Control Implementation. A capability is an unforgeable token giving the possessor certain rights to an object. Analogous to movie ticket or ID card. Could be made transferable with appropriate entry in ticket. Used by Kerberos (WIN 2K). To make sure capability cannot be forged: Maintained by OS. Stored in a region not accessible to users. Use cryptography (example, digital signatures) to prevent forgery. 10/23/2002 Module 6 - Access Control 31

Example - Amoeba On creation of an object, capability corresponding to object is returned to owner. To later use object, owner presents capability. Capability encoded name of object (24 bits), the server that created it (48 bits), rights (8 bits, initially all set), and 48 bit random check field. Random number stored in table of server that created object. When capability presented, number checked. Attacker who does not know random number cannot forge capability. If capability disclosed, system becomes vulnerable. 10/23/2002 Module 6 - Access Control 32

Copying Capability Copying capability means giving rights. How do you allow copying? Amoeba: X wants Y to read object O which X owns. X asks server for copy of capability to access O, but restricted to reading. Server sets only read bit in rights field, XOR s with random check and result is hashed. Output of hash is used as random check for this new capability. On receiving capability with at least one bit set to zero, server takes rights field and XOR s with original random check and hashes. If hash matches that presented in the capability, access is allowed. Different capability cannot be forged. 10/23/2002 Module 6 - Access Control 33

Revoking rights in capability based system Check each process and delete capability? Too inefficient. How to do this efficiently? One method: Use indirection. Capability does not name object but contains a pointer to object in global table. To revoke entry, just invalidate entry in global table. Amoeba: Change random check and issue new capability. This validates all existing capabilities. 10/23/2002 Module 6 - Access Control 34

Comparison of ACL and capability Two questions arise in access control systems: Given a subject, what objects can access it and how? Given an object, what subjects can access it and how? Former easier with capabilities and latter with ACL. Why? Latter more often asked, hence ACL s used more often. With more distributed processing and agent based systems, perhaps the former question will be asked more in the future. 10/23/2002 Module 6 - Access Control 35

Example: NT Access Tokens and Security Identifiers (SID) Created by the Local Security Authority after SAM validation, as part of a successful logon process. Stays with that particular user's session for as long as they stay logged on. Whenever a user initiates a process during the course of the session, a copy of the token is attached to that process. Once the user logs off, the token is destroyed and will never be used again. 10/23/2002 Module 6 - Access Control 36

NT Tokens Each token contains the following information: User s Security Identifier (SID) Group Security Identifiers User privileges Owner (SID assigned to any objects created during the session) Primary Group SID Default ACL (assigned to any object created by the user) 10/23/2002 Module 6 - Access Control 37

NT User Rights 27 specific 'user rights' that can be assigned (or restricted) to users or groups in NT. These include the ability to access a computer from the network, to change the system time, to log onto the system locally, the ability to take ownership of objects, and even to shut down the system. password restrictions, logon times, remote access capabilities, group memberships etc. 10/23/2002 Module 6 - Access Control 38

NT Built-in Groups Built-in users and groups have pre-defined rights and permissions Global built-in groups Domain Admins, Domain Users, Domain Guests Local built-in groups Administrators, Backup Operators, Users, Guests, Etc. Special built-in groups exist that can be used to define appropriate access permissions Everyone Interactive Network Creator Owner System Etc. 10/23/2002 Module 6 - Access Control 39

NT Mandatory Profiles User profile defines the users environment and the programs he is able to invoke. Mandatory profiles cannot be changed by a user For example editlevel can be used to limit how users cam modify their program manager 0 All changes permitted 1 Prevents users from creating, deleting or renaming groups 2 All of above plus no creating or deleting program items 3 All of above plus prevents users from changing command lines for program items 4 All of above plus prevents users from changing any program item information. 10/23/2002 Module 6 - Access Control 40

NT Discretionary Access Controls (DAC) Provide object and resource owners the means to control who can access resources as well as how much access they may have. Access to system resources, such as files, directories and folders, printers, network shares, and system services, can be controlled either through GUI-based system tools or through the command line. The NT Explorer, Print Manager, User Manager for Domains, and Server Manager 10/23/2002 Module 6 - Access Control 41

NT Access Control Lists (ACL) Each object contains a security descriptor, which has Security Identifier of the person who owns the object, The regular ACL for access permissions, The system ACL (SACL) which is used for auditing, A group security identifier. ACL may be composed of Access Control Entries (ACE) which are composed of Basic permissions (six individual permissions), Standard permissions which are combinations derived from the basic permissions. 10/23/2002 Module 6 - Access Control 42

Basic Permissions Read (R) Write (W) Execute (X) Delete (D) Change Access Permissions (P) Take Ownership (O) 10/23/2002 Module 6 - Access Control 43

NTFS ACL Standard Permissions Permission Name Directory Permission File Permission Explanation No Access None None No access to files and directories. List RX Not Specified List Directory Contents Change to subdirectories No access to files unless granted explicitly Read RX RX List Directory Contents Change to subdirectories Read data from files Execute programs Add WX Not Specified Create subdirectories Create files No access to existing files unless granted explicitly 10/23/2002 Module 6 - Access Control 44

NTFS ACL Standard Permissions Permission Name Directory Permission File Permission Explanation Add & Read RWX RX List Directory Contents, Change to subdirectories Create subdirectories, Read data from files Execute programs Change RWXD RWXD List Directory Contents Change to subdirectories Delete subdirectories, Create subdirectories Read data from files Create and modify files Execute programs, Delete files Full Control All All All directory permissions All file permissions, Change permissions Take ownership 10/23/2002 Module 6 - Access Control 45

NT Domains A domain is a set of computers with a central security authority, the primary domain controller (PDC), that grants access to a domain. PDC and the BDC (Backup) must be Windows NT. A domain can be set up to Ease viewing and access to resources, Share a common user account database and security policy, Enforce a common security stance across physical, divisional, or corporate boundaries. Elimination of the need for every machine to provide its own authentication service. Users authenticated to the domain, can gain access to resources, such as printing, file sharing or applications, across all of the servers. 10/23/2002 Module 6 - Access Control 46

Access control with Locks and Keys Combines features of ACL s and capabilities. A piece of information (lock) associated with the object. Another piece of information (key) associated with subjects authorized to access the object. Example implementation: Encrypt object and provide key to subject. To have n subjects needed to access object, encrypt with n keys and give one to each subject. All keys needed to access. 10/23/2002 Module 6 - Access Control 47

Locks and Keys in IBM 370 Each process assigned access key and each page a storage key and fetch bit. If fetch bit is cleared, only read access allowed. Process with access key 0 can write any page with fetch bit set. If storage key matches access key of process then process allowed to write to page. If no match and access key not 0, then no access allowed. 10/23/2002 Module 6 - Access Control 48

Type checking Type checking controls access based on type of subject and object. It is a kind of lock and key access with the pieces of information being the type. Simplest example of type checking is distinguishing instructions from data. Execute allowed only on instructions and read and write only on data. One approach to limit buffer overflow problem is to mark stack memory as data. 10/23/2002 Module 6 - Access Control 49

Ring based access control Used by MULTICS. Generalizes notion of user and supervisor modes. Segments in memory and disk are of two types data and procedure. Segments have r, w, x, and a rights associated. In addition, notion of protection ring associated with segments. Ring is a number r, 0 <= r <= 63. A process is said to reside in ring r if it is currently executing a segment in ring r. Kernel resides in ring 0. Higher the ring number, lower the privileges. Crossing ring boundaries causes traps to the kernel which invokes ring gatekeeper. 10/23/2002 Module 6 - Access Control 50

Access brackets for data segments Each data segment as access bracket, which is a ring (a 1, a 2 ) with a 1 <= a 2. Assume data segments permission allow desired access to a process in ring r. The access bracket add additional constraints: If r <= a 1 ; access permitted; If a 1 < r <= a 2, r (read) and x permitted, w and a denied. If a 2 < r; all access denied. 10/23/2002 Module 6 - Access Control 51

Call brackets for procedures. In addition to access brackets, procedure segments may also have call bracket (c 1,c 2 ). This leads to protection (a 1,a 2,a 3 ) where (a 1, a 2 ) -access bracket & (a 2, a 3 ) - call bracket. Access rules are: If r <= a 1 access permitted; but ring crossing fault occurs. If a 1 <= r <= a 2 all access permitted and no fault occurs. If a 2 < r <= a 3 access permitted if made through valid gate. If a 3 < r all access denied. 10/23/2002 Module 6 - Access Control 52

Why call brackets? Consider a service routine in ring a. We need to allow user set A to invoke this routine. We allow user set B to invoke only in specific ways We do not allow user set C to invoke at all. Access brackets can take care of A and C. To handle set B we need call brackets so that we can regulate their access. 10/23/2002 Module 6 - Access Control 53

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback