Computer Security. Access control. 5 October 2017

Similar documents
Security Models Trusted Zones SPRING 2018: GANG WANG

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Access Control. Discretionary Access Control

Access control models and policies. Tuomas Aura T Information security technology

Complex Access Control. Steven M. Bellovin September 10,

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Access Control Models

Access control models and policies

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

Access Control Part 1 CCM 4350

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Access Control (slides based Ch. 4 Gollmann)

Access control models and policies

Access Control Mechanisms

General Access Control Model for DAC

Policy, Models, and Trust

CS 356 Lecture 7 Access Control. Spring 2013

CSE Computer Security

Module 4: Access Control

A Survey of Access Control Policies. Amanda Crowell

Discretionary Vs. Mandatory

Formal methods and access control. Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8

CS 392/ CS Computer Security. Nasir Memon Polytechnic University Module 7 Security Policies

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Labels and Information Flow

CSE509: (Intro to) Systems Security

Lecture 4: Bell LaPadula

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Chapter 6: Integrity Policies

CCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson

Operating Systems Security Access Control

Chapter 7: Hybrid Policies

May 1: Integrity Models

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

CSN11111 Network Security

Access Control. Discretionary Access Control

Chapter 13: Design Principles

CIS433/533 - Introduction to Computer and Network Security. Access Control

P1L5 Access Control. Controlling Accesses to Resources

Post-Class Quiz: Access Control Domain

Chapter 4: Access Control

Access Control Part 3 CCM 4350

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

CSE361 Web Security. Access Control. Nick Nikiforakis

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

Access Control/Capabili1es

8.3 Mandatory Flow Control Models

Access Control Models Part II

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Multifactor authentication:

Advanced Systems Security: Ordinary Operating Systems

INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

Identity, Authentication and Authorization. John Slankas

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Jérôme Kerviel. Dang Thanh Binh

Discretionary Access Control (DAC)

CS 591: Introduction to Computer Security. Lecture 3: Policy

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Access control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN

Intergrity Policies CS3SR3/SE3RA3. Ryszard Janicki. Outline Integrity Policies The Biba Integrity Model

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

Intrusion Detection Types

Integrity Policies. Murat Kantarcioglu

Unix, History

Access Control. Steven M. Bellovin September 2,

Advanced Access Control. Role-Based Access Control. Common Concepts. General RBAC Rules RBAC96

Advanced Systems Security: Integrity

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

An Attribute-Based Access Matrix Model

Outline. INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

Issues of Operating Systems Security

Introduction to Assurance

RBAC: Motivations. Users: Permissions:

Summary. Final Week. CNT-4403: 21.April

CSE 565 Computer Security Fall 2018

Computer Security. 02. Operating System Access Control. Paul Krzyzanowski. Rutgers University. Spring 2018

Access Control. Protects against accidental and malicious threats by

Advanced Systems Security: Integrity

Mandatory access control and information flow control

MULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE

Access Control. Tom Chothia Computer Security, Lecture 5

Verifiable Security Goals

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

Discretionary Access Control (DAC)

CS52600: Information Security

Advanced Systems Security: Integrity

Access Control. Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions

Information Security Theory vs. Reality

Access Control. Chester Rebeiro. Indian Institute of Technology Madras

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

Content-based Management of Document Access. Control

Discretionary Access Control

Core Role Based Access Control (RBAC) mechanism for MySQL

CSC 474/574 Information Systems Security

Security Enhanced Linux

Transcription:

Computer Security Access control 5 October 2017

Policy and mechanism A security policy is a statement of what is, and what is not, allowed. A security mechanism is a method, tool or procedure for enforcing a security policy. Bishop, Computer Security: Art and Science we need to check if the mechanism is correct A mechanism may be: safe (does not allow states disallowed by the policy) precise (allows exactly what the policy specifies) broad (allows more than the policy does)

Access control a mechanism to allow or deny an entity s access to a resource principal /subject request guard/monitor object Access control consists of two steps: authentication: Who made the access request? authorization: Does subject s have access rights for resource o?

Formalizing access control We distinguish: a set of subjects or principals S a set of objects O a set of access modes A. Simplest: A = {observe, alter}. Usually not enough. The Bell-LaPadula model refines this to: A = {execute, read, append, write}. When are distinctions between these modes useful?

Formalizing access control We distinguish: a set of subjects or principals S a set of objects O a set of access modes A. Simplest: A = {observe, alter}. Usually not enough. The Bell-LaPadula model refines this to: A = {execute, read, append, write}. When are distinctions between these modes useful? log: append, without changing prior contents execute encryption, without knowing the key

Access Control Matrix The simplest and most general organization of access control Two dimensions: subiects and objects every matrix entry S O: set of rights/permissions a subject may also be an object (e.g. a process): has the right to read/write(to)/execute another process file1 /etc/passwd /bin/rlogin Alice r, w r x Bob r - r, x

Mechanisms: Access Control Lists (ACL) A representation of the access control matrix where each object has associated a list of subjects and their permissions simple case: Unix permissions Richer set of permissions: Andrew File System (distributed) read list (for directories: content) insert (new file in directory) delete (file from directory) write lock (may use lock in directory) administer

Rights and their propagation copy right (grant right): the right to give others permission own right (admin): the right to give oneself permissions Principle of attenuation of privilege: A subject may not give rights it does not possess to another Q: In Unix, the owner of a file may grant others (group/others) read rights on the file, even if (s)he does not have these rights. Is the above principle violated?

Fundamental results Is it possible to design a correct access control system? Def: A system is safe with respect to a given right (of a subject over an object), if there is no sequence of transitions (operations) by which the right could be added, assuming it does not exist at first.

Fundamental results Is it possible to design a correct access control system? Def: A system is safe with respect to a given right (of a subject over an object), if there is no sequence of transitions (operations) by which the right could be added, assuming it does not exist at first. Theorem: The safety of an arbitrary system in a state, relative to a given access right is undecidable. Proof: a Turing machine can be reduced to (encoded into) such a system essentially because of the ability to create objects There are simpler subclasses of systems that are decidable if only there are no create primitives if the systems are monotonic (if create, no destroy) and only single conditions are allowed

Types of access control Discretionary Access Control (DAC) allows individual users (typically: owner) to set mechanisms by which access is granted/forbidden Mandatory Access Control (MAC) access is controlled by the system, cannot be changed by the user usually: based on a set of rules rule-based access control Q: What are advantages and disadvantages of each category?

Role-Based Access Control (RBAC) system-determined policy, depending on the active role of a subiect 3 (or more) levels: subject role object Permissions are defined depending on the role a subject may have access when acting in one role, not in another role hierarchy (some may be included in others) attending physician physician medical personnel can model various requirements, e.g. separation of duty ex. a bank loan must be approved by two different bank officers Security policies must be carefully specified and checked policy description languages

A classic problem: Confused Deputy Norman Hardy, The Confused Deputy(or why capabilities might have been invented), ACM SIGOPS Operating Systems Review, 22(4), 1988 [Marc Stiegler, skyhunter.com]

The Confused Deputy Who is to blame? The code to deposit the debugging output in the file named by the user? Must the compiler check to see if the output file name is in another directory? Should the compiler check for directory name SYSX? Should the compiler check for the name (SYSX)BILL?

Mechanisms: Capabilities Term with slightly different meanings: in operating systems, an identifier that denotes an object and the rights associated with it ex. file descriptor/handle (on open, the access mode is also set) in security, a capability is a list of rights of a subject (corresponds to a row in the access control matrix) E.g.: POSIX/Linux Capabilities capability.h for a new process: new = forced (allowed & inheritable) Examples: CAP_CHOWN, CAP_KILL, CAP_SETUID, CAP_SETPCAP

Multilevel Security (MLS) Inspired from military domain. Defines security levels e.g. public restricted confidential top secret also: compartmentalized by domain of interest (need-to-know basis) The set of security attributes is ordered in a lattice Bell-La Padula Model: enforces confidentiality. 2 rules: no read up: a subject may not read above its security clearance level no write down: may not write (disclose) something under its own level Biba Model: follows integrity. Has dual rules: prohibits writing above one s own level and reading (using) data found underneath this level: both may corrupt integrity To attain both, in practice, a subject may voluntarily drop his/her privilege level

Non-interference a security property for multi-level security systems In a system with two classes of input/output (observable actions) high (confidential) and low (non-confidential) it should not be possible to derive something about high level actions by observing low level actions If the property is not satisfied, we have an unauthorized information flow (covert channel) Important to analyze (from hardware to programming languages)

Integrity: from theory to practice Security principles in developing commercial software (Lipner) users will not write their own programs, but will use existing production software programmers will develop and test on a separate system (not the production system) installing a program must constitute a special process this process is subject to control and audit managers/auditors will have access to system state and logs Principles: separation of duty separation of function audit/accountability

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback