Access control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN

Similar documents
Access control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN

Access Control. Discretionary Access Control

A Survey of Access Control Policies. Amanda Crowell

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Discretionary Vs. Mandatory

Server. Client LSA. Winlogon LSA. Library SAM SAM. Local logon NTLM. NTLM/Kerberos. EIT060 - Computer Security 2

Access Control. Discretionary Access Control

Access Control (slides based Ch. 4 Gollmann)

Operating system security models

Access Control Models

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

Outline. Security. Security Ratings. TCSEC Rating Levels. Key Requirements for C2. Met B-Level Requirements

Security. Outline. Security Ratings. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Chapter 4: Access Control

CS 356 Lecture 7 Access Control. Spring 2013

Secure Architecture Principles

Access control models and policies. Tuomas Aura T Information security technology

Computer Security. Access control. 5 October 2017

Access Control Mechanisms

Secure Architecture Principles

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Module 4: Access Control

Secure Architecture Principles

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Information Security Theory vs. Reality

Operating system security

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Post-Class Quiz: Access Control Domain

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

General Access Control Model for DAC

Policy, Models, and Trust

IBM Security Identity Manager Version Planning Topics IBM

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Advanced Systems Security: Principles

CIS433/533 - Introduction to Computer and Network Security. Access Control

Unix, History

Access control models and policies

RBAC: Motivations. Users: Permissions:

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

CSE Computer Security

Discretionary Access Control (DAC)

Configure advanced audit policies

Security Models Trusted Zones SPRING 2018: GANG WANG

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Access control models and policies

Network Security: Kerberos. Tuomas Aura

IS 2150 / TEL 2810 Information Security and Privacy

Operating systems and security - Overview

Operating systems and security - Overview

Core Role Based Access Control (RBAC) mechanism for MySQL

Windows Server 2008 Active Directory Resource Kit

Week 10 Part A MIS 5214

P1L5 Access Control. Controlling Accesses to Resources

Sandboxing untrusted code: policies and mechanisms

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

Secure Architecture Principles

Access Control Part 3 CCM 4350

Label-Based Access Control: An ABAC Model with Enumerated Authorization Policy

Protection Kevin Webb Swarthmore College April 19, 2018

Labels and Information Flow

Access Control Part 1 CCM 4350

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Multifactor authentication:

Protection and Security

CSE 380 Computer Operating Systems

CSN11111 Network Security

Login und Authentifizierung

Access Control. Protects against accidental and malicious threats by

CS 290 Host-based Security and Malware. Christopher Kruegel

Mobile and Heterogeneous databases Security. A.R. Hurson Computer Science Missouri Science & Technology

Jérôme Kerviel. Dang Thanh Binh

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

How Windows Security Really Works?

Access Control. Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions

Report Documentation Page

Improving the Granularity of Access Control for Windows 2000

Identity, Authentication and Authorization. John Slankas

Mandatory access control and information flow control

Formal methods and access control. Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8

Advanced Systems Security: Integrity

Information Security & Privacy

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

Advanced Systems Security: Multics

Operating Systems Security Access Control

Access Control. Steven M. Bellovin September 13,

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

Chapter 9: Key Management

Windows Access Control List (ACL) 2

Introduction to Security

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Distributed Systems Principles and Paradigms

Roadmap for This Lecture

OS security mechanisms:

Transcription:

Access control Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2010 1

Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) Other Access Control Models Access Control in Windows 2000/XP/Vista Conclusion Secappdev 2010 2

Access Control: introduction Security = prevention and detection of unauthorized actions on information Two important cases: An attacker has access to the raw bits representing the information => need for cryptographic techniques There is a software layer between the attacker and the information => access control techniques Secappdev 2010 3

General access control model Principal Action Guard Protected system Authentication Authorization Secappdev 2010 4

Examples Principal Action Guard Protected system Host Packet send Firewall intranet User Open file OS kernel File system Java Program Open file Java Security Manager File User Query DBMS Database User Get page Web server Web site Secappdev 2010 5

Entity Authentication Definition Verifying the claimed identity of an entity (usually called principal) that the guard is interacting with Different cases need different solutions: Principal is a (human) user Principal is a (remote) computer Principal is a user working at a remote computer Principal is a user running a specific piece of code See separate session on entity authentication Secappdev 2010 6

Authorization by the Guard Guard can have local state protection state Upon receipt of an action Decides what to do with the action We only consider pass/drop Alternatives are: modify/replace, first insert other action, If necessary: updates the local state Modeled by means of a security automaton Set of states described by a number of typed state variables Transition relation described by predicates on the action and the local state Secappdev 2010 7

Guard Notation: Actions are written as procedure invocations Behavior of the guard is specified by: Declaration of state variables Determine the state space Implementations of the action procedures Preconditions determine acceptability of action Implementation body determines state update Example: no network send after file read bool hasread = false; void send() requires!hasread { } void read() { hasread = true; } Secappdev 2010 8

Policies and models Access control policy = rules that say what is allowed and what not Semantics of a policy is a security automaton in a particular state Access control model = A class of policies with similar characteristics Hard to define precisely An access control model makes particular choices about what is in the protection state and how actions are treated Secappdev 2010 9

Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) Other Access Control Models Access Control in Windows 2000/XP/Vista Conclusion Secappdev 2010 10

Discretionary Access Control (DAC) Objective = creator-controlled sharing of information Key Concepts Principals are users Protected system manages objects, passive entities requiring controlled access Objects are accessed by means of operations on them Every object has an owner Owner can grant right to use operations to other users Variants: Possible to pass on ownership or not? Possible to delegate right to grant access or not? Constraints on revocation of rights. Secappdev 2010 11

Security automaton for DAC type Right = <User, Obj, {read, write}>; Set<User> users = new Set(); Set<Obj> objects = new Set(); Set<Right> rights = new Set(); // represents the Access Control Matrix Map<Obj,User> ownerof = new Map(); // Access checks void read(user u, Obj o) requires <u,o, read> in rights; {} void write(user u, Obj o) requires <u,o,write> in rights; {} // Actions that impact the protection state void addright(user u, Right <u,o,r>) requires (u in users) && (u in users) && (o in objects) && ownerof[o] == u; { rights[r] = true; } void deleteright(user u, Right <u,o,r>) requires (u in users) && (u in users) && (o in objects) && ownerof[o] == u; { rights[r] = true; } Secappdev 2010 12

Security automaton for DAC (ctd) void addobject(user u, Obj o) requires (u in users) && (o notin objects); { objects[o] = true; ownerof[o] = u; } void delobject(user u, Obj o) requires (o in objects) && (ownerof[o] == u); { objects[o] = false; ownerof[o] = none; rights = rights \ { <u,o,r > in rights where o ==o}; } // Administrative functions void adduser(user u, User u ) requires u notin users; { users[u ] = true; } Secappdev 2010 13

Disadvantages: DAC Cumbersome administration E.g user leaving the company or user being promoted to another function in the company Not so secure: Social engineering Trojan horse problem Secappdev 2010 14

Structuring users: Groups Negative permissions DAC Extensions But: insufficient to make administration much easier Structuring operations: access modes : observe / alter / Procedures: business procedure involving many operations on many objects Structuring objects: E.g. Inheritance of folder permissions Secappdev 2010 15

Implementation structures DAC is typically not implemented with a centralized protection state Typical implementation structures include: Access Control List: e.g. ACL s in Windows 2000 Capabilities: e.g. Open file handles in Unix... Secappdev 2010 16

Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) Other Access Control Models Access Control in Windows 2000/XP/Vista Conclusion Secappdev 2010 17

Mandatory Access Control (MAC) Objective = strict control of information flow Concrete example MAC model: Lattice Based Access Control (LBAC) Objective = A lattice of security labels is given Objects and users are tagged with security labels Enforce that: Users can only see information below their clearance Information can only flow upward, even in the presence of Trojan Horses Secappdev 2010 18

Example lattices Top secret Secret Confidential Project A & B Confidential Confidential Project A Confidential Project B Unclassified Unclassified Secappdev 2010 19

Typical construction of lattice Security label = (level, compartment) Compartment = set of categories Category = keyword relating to a project or area of interest Levels are ordered linearly E.g. Top Secret Secret Confidential Unclassified Compartments are ordered by subset inclusion Secappdev 2010 20

Example lattice (S,{A,B}) (C,{A,B}) (S,{A}) (S,{B}) (C,{A}) (C,{B}) (S,{}) (C,{}) Secappdev 2010 21

LBAC Key concepts of the model: Users initiate subjects or sessions, and these are labeled on creation Users of clearance L can start subjects with any label L L Enforced rules: Simple security property: subjects with label L can only read objects with label L L (no read up) *-property: subjects with label L can only write objects with label L L (no write down) The *-property addresses the Trojan Horse problem Secappdev 2010 22

LBAC and the Trojan Horse problem S1 read File F S2 no write no read write File F Secret level Confidential level Secappdev 2010 23

Security automaton for LBAC // Stable part of the protection state Set<User> users; Map<User,Label> ulabel; // label of users //Dynamic part of the protection state Set<Obj> objects = new Set(); Set<Session> sessions = new Set(); Map<Session, Label> slabel = new Map(); // label of sessions Map<Obj,Label> olabel = new Map(); // label of objects // No read up void read(session s, Obj o) requires s in sessions && o in objects && slabel[s] >= olabel[o]; {} // No write down void write(session s, Obj o) requires s in sessions && o in objects && slabel[s] <= olabel[o]; {} Secappdev 2010 24

Security automaton for LBAC (ctd) // Managing sessions and objects void createsession(user u, Label l) requires (u in users) && ulabel[u] >= l ; { s = new Session(); sessions[s] = true; slabel[s] = l; } void addobject(session s, Obj o, Label l) requires (s in sessions) && (o notin objects) && slabel[s] <= l; { objects[o] = true; olabel[o] = l; } Secappdev 2010 25

LBAC Problems and disadvantages Too rigid => need for trusted subjects Not well suited for commercial environments Covert channel problems Secappdev 2010 26

Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) Other Access Control Models Access Control in Windows 2000/XP/Vista Conclusion Secappdev 2010 27

Role-Based Access Control (RBAC) Main objective: manageable access control Key concepts of the model: Role: many-to-many relation between users and permissions Corresponds to a well-defined job or responsibility Think of it as a named set of permissions that can be assigned to users When a user starts a session, he can activate some or all of his roles A session has all the permissions associated with the activated roles Secappdev 2010 28

Security automaton for RBAC // stable part of the protection state Set<User> users; Set<Role> roles; Set<Permission> perms; Map<User, Set<Role>> ua; // set of roles assigned to each user Map<Role, Set<Permission>> pa; // permissions assigned to each role // dynamic part of the protection state Set<Session> sessions; Map<Session,Set<Role>> session_roles; Map<User,Set<Session>> user_sessions; // access check void checkaccess(session s, Permission p) requires s in sessions && Exists{ r in session_roles[s]; p in pa[r]}; { } Secappdev 2010 29

Security automaton for RBAC (ctd) void createsession(user u, Set<Role> rs) requires (u in users) && rs < ua[u]; { Session s = new Session(); sessions[s] = true; session_roles[s] = rs; user_sessions[u][s] = true; } void droprole(user u, Session s, Role r) requires (u in users) && (s in user_sessions[u]) && (r in session_roles[s]); { session_roles[s][r] = false; } Secappdev 2010 30

RBAC - Extensions Hierarchical roles: senior role inherits all permissions from junior role Director of Eng Dept Project A Eng Project B Eng Engineering Dept. Secappdev 2010 31

Constraints: Static constraints RBAC - Extensions Constraints on the assignment of users to roles E.g. Static separation of duty: nobody can both: Order goods Approve payment Dynamic constraints Constraints on the simultaneous activation of roles E.g. to enforce least privilege Secappdev 2010 32

RBAC in practice Implemented in databases or into specific applications Can be simulated in operating systems using the group concept Implemented in a generic way in application servers Secappdev 2010 33

Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) Other Access Control Models Access Control in Windows 2000/XP/Vista Conclusion Secappdev 2010 34

Other Access Control Models Biba model: enforcing integrity by information flow Chinese wall model: dynamic access control model A consultant can only see company confidential information of one company in each potentialconflict-of-interest class Theoretical models to study theoretical limits of security decision problems Secappdev 2010 35

Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) Other Access Control Models Access Control in Windows 2000/XP/Vista Conclusion Secappdev 2010 36

Implementing Access Control in Applications Basically three options 1. Delegate to OS 2. Rely on middleware / application server 3. Roll your own Secappdev 2010 37

Approach #1: delegate to the OS All modern operating system have a built-in access control system, usually DAC based. If application resources can be mapped to OS resources, the OS access control can be reused User command Access check Application Operating System Resources Secappdev 2010 38

Approach #2: application servers Application server intercepts commands and performs access check E.g. J2EE and COM+, typically simple RBAC Access check User command Application Application server Operating System Resources Secappdev 2010 39

Approach #3: in the application Application performs explicit checks in the application code It makes sense to externalize at least the policy to an authorization engine User command Access checks crosscut application Application Authorization Engine Operating System Resources Policy Secappdev 2010 40

OS Access Control In the rest of this session: Helicopter overview of the Windows security architecture Access control system in Windows 2000/XP/Vista A brief look at Windows Vista s implementation of the Biba Model. Secappdev 2010 41

Windows 2000/XP/Vista Access Control Principals are users or machines Identified by Security Identifiers (SID) s E.g. S-1-5-21-XXX-XXX-XXX-1001 Hierarchical and globally unique Authorities manage principals and their credentials Local Security Authority on each PC Domain controller is authority for a domain Flexible mechanisms for slowly growing Secappdev 2010 42

Windows 2000/XP/Vista Access Control Trust between authorities Machine that is part of a domain trusts the domain Domains can establish trust links Authentication Via local password check on a standalone machine Customizable via GINA Via Kerberos or NTLM on a machine that is part of a domain Customizable via SSPI Secappdev 2010 43

Windows 2000/XP/Vista Access Control Successful authentication leads to the creation of a logon session Different types of logon sessions, e.g. Interactive logon session, for a user that logs on locally Network logon session, for a user that logs on remotely Service logon session, for a service running as a given user Logon session gets an access token that contains all authorization attributes for the user Processes and threads created in the logon session by default inherit the access token Secappdev 2010 44

Machines and logon sessions Bob s network LS Service LS Alice s interactive LS Bob s interactive LS Alice System LS System LS Bob Machine A Machine B Secappdev 2010 45

Windows 2000/XP/Vista Access Control Securable objects include: files, devices, registry keys, shared memory sections, Every securable object carries a security descriptor, including a.o. an ACL. Secappdev 2010 46

Windows 2000/XP/Vista Access tokens Contain: SID for the user SID s for the groups a user belongs to Defined by the authority (typically domain) Should reflect organizational structure SID s for the local groups (aliases) a user belongs to Defined locally Should reflect logical roles of applications on this machine Privileges of the user, e.g. Shutdown machine Take ownership privilege (e.g. for Administrators) Secappdev 2010 47

Contain: Owner SID Win 2000/XP/Vista security descriptors (Primary group SID) DACL (Discretionary ACL): the ACL used for access control SACL (System ACL): ACL specifying what should be audited Created at object creation time from a default template attached to the creating process Secappdev 2010 48

Windows 2000/XP/Vista DACL s A DACL contains a sorted list of access control entries Each access control entry denies or grants specific access rights to a group or user Access control entries that deny access should be placed in front of the list Deny User x Read/Write Allow Group g Read/Write Allow Group Everyone Read Secappdev 2010 49

Windows 2000/XP/Vista access control The kernel performs access checks for each securable object by: Iterating over the access control entry in the DACL of the object Each access control entry is matched to the access token of the accessing thread The first match decides (hence deny entries should be before allow entries!) Secappdev 2010 50

Example (Example from MSDN Library documentation) Secappdev 2010 51

Caching mechanisms Extensive caching is used to boost performance Access token caches authorization attributes Once a file is opened, the file handle is used as a capability, and no further access checks occur Such a handle can be passed to other users Hence policy changes are not effective immediate if the affected user is currently logged on Secappdev 2010 52

Access control in applications Impersonation: Server authenticates client, and puts access token on the thread servicing the request Role-based Look for a local group SID corresponding to a role in the client access token COM+ provides extensive support for this approach Object-based Use an API for managing ACL s yourself Secappdev 2010 53

Running Least Privilege The OS Access Control system can also be used to sandbox applications to protect against: Exploits of server programs Trojans / viruses / bugs in any application Writing software to run in low-privileged accounts requires attention to: What secured objects the application accesses What privileged API s the application uses Secappdev 2010 54

Win 2000/XP/Vista access control Summary: Access control based on: Discretionary ACL s Privileges (safer than Unix root level access) Protected operations depend on the type of object Access control only performed during opening of an object. If access is granted, the opening process gets a capability for the requested access rights RBAC can be simulated using local groups, but: No sessions with limited activation of roles Permissions associated with a role are spread over ACL s Secappdev 2010 55

Windows Vista s Integrity Protection Windows Vista adds a lattice-based access control model But used for integrity control (as the Biba model) Securable objects get an integrity level representing how important their integrity is Access Tokens get an integrity level Representing how contaminated they are Three levels are distinguished: High (admin), medium (user), low (untrusted) Secappdev 2010 56

Overview Introduction: Lampson s model for access control Classical Access Control Models Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) Other Access Control Models Access Control in Windows 2000/XP/Vista Conclusion Secappdev 2010 57

Conclusion Most access control mechanisms implement the Lampson model Principal Action Guard Protected system Three important categories of access control policy models each have their own area of applicability DAC in operating systems RBAC in applications and databases LBAC starting to find its use for integrity protection Secappdev 2010 58

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback