Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

Similar documents
Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Outline Key Management CS 239 Computer Security February 9, 2004

Access Control Mechanisms

Access Control. Discretionary Access Control

CSE509: (Intro to) Systems Security

Security Models Trusted Zones SPRING 2018: GANG WANG

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Access control models and policies. Tuomas Aura T Information security technology

Chapter 7: Hybrid Policies

Issues of Operating Systems Security

The Eight Rules of Security

CS 392/ CS Computer Security. Nasir Memon Polytechnic University Module 7 Security Policies

Advanced Systems Security: Multics

P1_L6 Mandatory Access Control Page 1

Access Control. Steven M. Bellovin September 13,

CSE Computer Security

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

Complex Access Control. Steven M. Bellovin September 10,

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Advanced Systems Security: Ordinary Operating Systems

COMPUTER SECURITY: THE GOOD, THE BAD, AND THE UGLY (with applications to embedded systems)

Access Control Models

Access control models and policies

CIS433/533 - Introduction to Computer and Network Security. Access Control

CS6501: Great Works in Computer Science

Discretionary Vs. Mandatory

Access control models and policies

Security Philosophy. Humans have difficulty understanding risk

Operating systems and security - Overview

Operating systems and security - Overview

Access Control. Steven M. Bellovin September 2,

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Policy, Models, and Trust

Introduction to Computer Security

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Computer Security. Access control. 5 October 2017

Bitcoin, Security for Cloud & Big Data

SECURITY AND DATA REDUNDANCY. A White Paper

Summary. Final Week. CNT-4403: 21.April

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Usability Test Report: Requesting Library Material 1

Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5

19.1. Security must consider external environment of the system, and protect it from:

Advanced Systems Security: Ordinary Operating Systems

Introduction to Assurance

1.7 Limit of a Function

1 Achieving IND-CPA security

Recursively Enumerable Languages, Turing Machines, and Decidability

Chapter01.fm Page 1 Monday, August 23, :52 PM. Part I of Change. The Mechanics. of Change

Using the Zoo Workstations

CCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson

Memory Management: Virtual Memory and Paging CS 111. Operating Systems Peter Reiher

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

10 Hidden IT Risks That Might Threaten Your Business

CS 591: Introduction to Computer Security. Lecture 3: Policy

Hardware, Modularity, and Virtualization CS 111

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Security. 1 Introduction. Alex S. 1.1 Authentication

CS 161 Computer Security

These are notes for the third lecture; if statements and loops.

Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED

Securing trust in electronic supply chains

CS 147: Computer Systems Performance Analysis

CHAPTER 8 FIREWALLS. Firewall Design Principles

Dooblo SurveyToGo: Security Overview

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Final Examination CS 111, Fall 2016 UCLA. Name:

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

It s possible to get your inbox to zero and keep it there, even if you get hundreds of s a day.

Operating System Principles: Memory Management Swapping, Paging, and Virtual Memory CS 111. Operating Systems Peter Reiher

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

6 Tips to Help You Improve Configuration Management. by Stuart Rance

BASELINE GENERAL PRACTICE SECURITY CHECKLIST Guide

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Segmentation for Security

Architecture. Steven M. Bellovin October 31,

CS 111. Operating Systems Peter Reiher

Discretionary Access Control (DAC)

Figure 11-1: Organizational Issues. Managing the Security Function. Chapter 11. Figure 11-1: Organizational Issues. Figure 11-1: Organizational Issues

Waterfall Life Cycle Model

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Secure Programming Techniques

Cryptography III Want to make a billion dollars? Just factor this one number!

CS 161 Computer Security

Architecture. Steven M. Bellovin October 27,

Rescuing Lost Files from CDs and DVDs

System Structure. Steven M. Bellovin December 14,

Robbing the Bank with a Theorem Prover

Web Security Computer Security Peter Reiher December 9, 2014

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Top considerations for implementing secure backup and recovery. A best practice whitepaper by Zmanda

Grade 6 Math Circles November 6 & Relations, Functions, and Morphisms

Eoin Woods Secure by Design security design principles for the rest of us

IAM Problems with managing identities and access of University Guests

Transcription:

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008 Page 1

Outline Security terms and concepts Security policies Basic concepts Security policies for real systems Page 2

Security and Protection Security is a policy E.g., no unauthorized user may access this file Protection is a mechanism E.g., the system checks user identity against access permissions Protection mechanisms implement security policies Page 3

Policy vs. Mechanism People shouldn t drive that fast in my neighborhood! That s a mechanism That s a policy That s a different type of mechanism Page 4

Trust An extremely important security concept You do certain things for those you trust You don t do them for those you don t Seems simple, but... Page 5

Problems With Trust How do you express trust? Why do you trust something? How can you be sure who you re dealing with? What if trust is situational? What if trust changes? Page 6

An Important Example Consider a typical home computer Let s say it only has one user What s trust got to do with this case? What if it connects to the Internet? Do we treat everything out on the Internet as trusted? If not, how do we tell what to trust? And just how much? Page 7

Continuing Our Example Main() { Main()..{. Main() }. {. Main(). }. {. Main(). }. {.. }... } And what about the software it runs? Is it all equally trusted? If not, how do we determine exactly what each program should be allowed to do? Page 8

Trust Is Not a Theoretical Issue Most vulnerabilities that are actually exploited are based on trust problems Attackers exploit overly trusting elements of the computer From the access control model to the actual human user Taking advantage of trust that shouldn t be there Such a ubiquitous problem that some aren t aware of its existence Page 9

A Trust Problem A user is fooled into downloading a Trojan horse program He runs it and it deletes a bunch of files on his computer Why was this program trusted at all? Why was it trusted to order the deletion of unrelated files? Page 10

Another Example of Trust Problems Phishing Based on fooling users into clicking on links leading to bad sites Usually resulting in theft of personal information Why does the user (or his computer) trust those sites? Or the email message telling him to go there? Page 11

A Third Example of Trust Problems Buffer overflows A mechanism for taking control of a running program Allows attacker to tell the program to do things it wasn t designed to Why should that program be able to do arbitrary things, anyway? Why did we trust it to do things it didn t need to do? Page 12

Transitive Trust So do I trust Carol? Should I? I trust Alice Alice trusts Bob David trusts Carol Bob trusts David Page 13

Examples of Transitive Trust Trust systems in peer applications Chains of certificates But also less obvious things Like a web server that calls a database The database perhaps trusts the web server itself But does it necessarily trust the user who invoked the server? Programs that call programs that call programs are important cases of transitive trust Page 14

Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least common mechanism Acceptability Fail-safe defaults Page 15

Economy in Security Design Economical to develop And to use And to verify Should add little or no overhead Should do only what needs to be done Generally, try to keep it simple and small Page 16

Complete Mediation Apply security on every access to a protected object E.g., each read of a file, not just the open Also involves checking access on everything that could be attacked Page 17

Open Design Don t rely on security through obscurity Assume all potential attackers know everything about the design And completely understand it This doesn t mean publish everything important about your security system Though sometimes that s a good idea Obscurity can provide some security, but it s brittle When the fog is cleared, the security disappears Page 18

Separation of Privileges Provide mechanisms that separate the privileges used for one purpose from those used for another To allow flexibility in security systems E.g., separate access control on each file Page 19

Least Privilege Give bare minimum access rights required to complete a task Require another request to perform another type of access E.g., don t give write permission to a file if the program only asked for read Page 20

Least Common Mechanism Avoid sharing parts of the security mechanism among different users among different parts of the system Coupling leads to possible security breaches Page 21

Acceptability Mechanism must be simple to use Simple enough that people will use it without thinking about it Must rarely or never prevent permissible accesses Page 22

Fail-Safe Designs Default to lack of access So if something goes wrong or is forgotten or isn t done, no security lost If important mistakes are made, you ll find out about them Without loss of security But if it happens too often... Page 23

Thinking About Security When considering the security of any system, ask these questions: 1. What assets are you trying to protect? 2. What are the risks to those assets? 3. How well does the security solution mitigate those risks? 4. What other security problems does the security solution cause? 5. What tradeoffs does the security solution require? (This set of questions was developed by Bruce Schneier, for his book Beyond Fear) Page 24

An Example Access to computers in the graduate workstation room Current security solution Entry to room requires swipe card Must provide valid CS department user ID and password to log in Page 25

Think About the Questions What assets are we trying to protect? What are the risks to those assets? How well does the security solution mitigate those risks? What other security problems does the security solution cause? What tradeoffs does the security solution require? Page 26

Security Policies Security policies describe how a secure system should behave Generally, if you don t have a clear policy, you don t have a secure system Since you don t really know what you re trying to do Page 27

What Is a Security Policy? A complete description of the security goals the system should achieve Not a description of how to achieve them Sometimes described informally Sometimes described very formally Using mathematical models Page 28

Informal Security Policies Users should only be able to access their own files, in most cases. Only authorized users should be able to log in. System executables should only be altered by system administrators. The general idea is pretty clear But it can be hard to determine if a system meets these goals Page 29

Access Control Policies Describe who can access what resources Mandatory access control The system enforces its own policy Discretionary access control Policy set by individual users Most systems provide only discretionary access control Page 30

Formal Security Policies Typically expressed in a mathematical security policy language Tending towards precision Allowing formal reasoning about the system and policy Often matched to a particular policy model E.g., Bell-La Padula model Page 31

Some Important Security Policies Bell-La Padula Biba integrity policy Chinese Wall policy Page 32

Bell-La Padula Model Probably best-known computer security model Corresponds to military classifications Combines mandatory and discretionary access control Two parts: Clearances Classifications Page 33

Clearances Subjects (people, programs, etc.) have a clearance Clearance describes how trusted the subject is E.g., unclassified, confidential, secret, top secret Page 34

Classifications Each object (file, database entry, etc.) has a classification The classification describes how sensitive the object is Using same categories as clearances Informally, only people with the same (or higher) clearance should be able to access objects of a particular classification Page 35

Goal of Bell-La Padula Model Prevent any subject from ever getting read access to objects at higher classification levels than subject s clearance I.e., don t let untrusted people see your secrets Concerned not just with objects Also concerned with the objects contents Includes discretionary access control Which we won t cover in lecture Page 36

Bell-La Padula Simple Security Condition Subject S can read object O iff l O l S Simple enough: If S isn t granted top secret clearance, S can t read top secret objects Are we done? Page 37

Why Aren t We Done? Remember, we really care about the information in an object A subject with top secret clearance can read a top secret object If careless, he could write that information to a confidential object Then someone with confidential clearance can read top secret information Page 38

The Bell-La Padula *-Property S can write O iff l S l O Prevents write-down Privileged subjects writing highclassification information to lowclassification objects E.g., a top secret user can t write to a confidential data file Can be proven that a system meeting these properties is secure Page 39

Bell-La Padula Example TOP SECRET read ORDERS Classified Top Secret Write (attack the red tank) write Bell-La Padula doesn t allow write-down! Classified Secret Page 40

So How Do You Really Use The System? There have to be mechanisms for reclassification Typically, a document at a higher classification is set to a lower one Usually requiring explicit operation Danger that reclassification process will be done incautiously Page 41

Bell-La Padula Caveats A provably secure Bell-La Padula system may be impossible to really use Says nothing about some other important security properties Like integrity Information is generally put in different categories, in real use Classifications and access permissions set separately on each category Need to know principle Page 42

Integrity Security Policies Designed to ensure that information is not improperly changed Often the key issue for commercial systems Secrecy is nice, but not losing track of your inventory is crucial Page 43

Example: Biba Integrity Policy Subject set S, object set O Set of ordered integrity levels I Subjects and objects have integrity levels Subjects at high integrity levels are less likely to screw up data E.g., trusted users or carefully audited programs Data at a high integrity level is less likely to be screwed up Probably because it badly needs not to be screwed up Page 44

Biba Integrity Policy Rules s can write to o iff i(o) i(s) s 1 can execute s 2 iff i(s 2 ) i(s 1 ) A subject s can read object o iff i(s) i(o) Why do we need the read rule? Page 45

Vista and Mandatory Integrity Control A limited form of the Biba model in Microsoft s Vista OS Users have an access token with a security level Processes run by them run at that level Low-level processes can t write files marked with high integrity levels No read component to this access control Page 46

More Details on Vista MIC Five defined integrity levels Default is middle level, IE runs at next level down Objects created by processes inherit their level Can t write to files at higher integrity levels Failures lead to prompts asking if level should be elevated Is that a good idea? If not, what should they do instead? Page 47

An Example Foo Outlook User Integrity Level: Medium Application Integrity Level: Low Application Integrity Level: Low User Integrity Level: High The application downloads an executable foo foo runs and tries to write to the Outlook executable Vista MIC denies the write Page 48

Hybrid Models Sometimes the issue is keeping things carefully separated E.g., a brokerage that handles accounts for several competing businesses Microsoft might not like the same analyst working on their account and IBM s There are issues of both confidentiality and integrity here Page 49

The Chinese Wall Model Keep things that should be separated apart Objects O are items of information related to a company A company dataset CD contains all of a company s objects A conflict-of-interest class COI contains the datasets of companies in competition I.e., the things needing to be kept apart Page 50

Chinese Wall Security Conditions S can read O iff any of the following holds: 1. There is an object O that S has accessed and CD(O) = CD(O ) 2. For all objects O, O PR(S) COI(O ) COI(O) (PR(S) is the set of objects S has already read) 3. O is a sanitized object While O may be in a forbidden CD for S, anything sensitive has been removed Page 51

Chinese Wall Example The Acme Dynamite Company Strategic Plan? Explosions R Us Sales Projections Page 52

Should This Be Allowed? This access violates CW rule 2 Acme Dynamite Company Explosions R Us Acme Bubblegum Company Chewy Gumballs Inc. Boom! Enterprises COI 1 Lockjaw Jawbreakers Ltd. COI 2 Page 53

What Policies Are Commonly Used? Most installations only use discretionary access control Offered by Windows, Linux, other widely used operating systems We ll discuss these forms of access control in more detail later Page 54

The Realities of Discretionary Access Control Most users never change the defaults on anything Unless the defaults prevent them from doing something they want Most users don t think about or understand access control Probably not wise to rely on it to protect information you care about Unless you re the one setting it And you know what you re doing Page 55

Other Kinds of Policy Not all security policies are about access control You must keep logs of accesses You must have a properly configured firewall You must run a security audit every year Every user must take a course educating him about viruses and phishing Potentially very general Not as formally defined as access control But possibly even more important than access control policies Page 56

Designing a Policy for an Installation Need to determine what security goals your system has Everything you mandate in the policy will have a cost Try to specify the minimal restrictions you really need But think broadly about what is important to you Page 57

For Example, Consider the UCLA Computer Science Department facility Provides computing and networking services to all faculty, staff, grad students Does not support undergrads Equipment located on 3 d and 4 th floors of Boelter Hall Page 58

Services Offered by CS Facility Storage and compute facilities E-mail General network access (e.g., web browsing), including wireless Web server and department web pages Support for some grad class labs Page 59

What Do People Use Facility For? Classwork Both students and professors Research support Departmental business Some, not all Reasonable personal use Page 60

So, What Should the Department s? Policy Be? Page 61

The Problems With Security Policies Hard to define properly How do you determine what to allow and disallow? Hard to go from policy to the mechanisms that actually implement it Hard to understand implications of policy Defining and implementing policies is a lot of work Page 62

The Result? Security policies get a lot of lip service But an awful lot of places haven t actually got one Even some very important places "If you have a policy, and you don't enforce it, and you don't hold people accountable for violating it, then - do you have a policy? Marcus Ranum Page 63

How Policies Often Work in the Real World Your policy is what your tools allow by default Your policy is a vague version of what your sysadmin thinks is best Your policy is perhaps reasonably well defined, but not implemented by any real mechanisms If you re in charge of security, though, treat your policy more seriously Page 64

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback