Security Models Trusted Zones SPRING 2018: GANG WANG

Similar documents
Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Access Control. Discretionary Access Control

Computer Security. Access control. 5 October 2017

Access control models and policies. Tuomas Aura T Information security technology

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Access Control Mechanisms

Complex Access Control. Steven M. Bellovin September 10,

Policy, Models, and Trust

Discretionary Vs. Mandatory

Access control models and policies

Chapter 6: Integrity Policies

Access control models and policies

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Access Control Models

Access Control Part 3 CCM 4350

Access Control (slides based Ch. 4 Gollmann)

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

CSE361 Web Security. Access Control. Nick Nikiforakis

Information Security Theory vs. Reality

Summary. Final Week. CNT-4403: 21.April

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

CIS433/533 - Introduction to Computer and Network Security. Access Control

Intrusion Detection Types

May 1: Integrity Models

CSE509: (Intro to) Systems Security

Module 4: Access Control

CSE Computer Security

Lecture 4: Bell LaPadula

CS 356 Lecture 7 Access Control. Spring 2013

CS 392/ CS Computer Security. Nasir Memon Polytechnic University Module 7 Security Policies

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Advanced Systems Security: Multics

General Access Control Model for DAC

Access Control. Steven M. Bellovin September 13,

Computer Security. 02. Operating System Access Control. Paul Krzyzanowski. Rutgers University. Spring 2018

Access Control. Steven M. Bellovin September 2,

P1_L6 Mandatory Access Control Page 1

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Labels and Information Flow

Integrity Policies. Murat Kantarcioglu

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

Computer Security Operating System Security & Access Control. Dr Chris Willcocks

System design issues

Advanced Systems Security: Integrity

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Mechanisms. Entity or procedure that enforces some part of the security policy

A Survey of Access Control Policies. Amanda Crowell

Chapter 4: Access Control

Lecture 21. Isolation: virtual machines, sandboxes Covert channels. The pump Why assurance? Trust and assurance Life cycle and assurance

Operating Systems Security Access Control

Dion Model. Objects and their classification

CCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson

Access Control and Protection

8.3 Mandatory Flow Control Models

Access Control. Tom Chothia Computer Security, Lecture 5

Verifiable Security Goals

Access Control. Chester Rebeiro. Indian Institute of Technology Madras

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

Intergrity Policies CS3SR3/SE3RA3. Ryszard Janicki. Outline Integrity Policies The Biba Integrity Model

CS 416: Operating Systems Design April 22, 2015

Security Basics. Ruby B. Lee Princeton University HotChips Security Tutorial August

Chapter 7: Hybrid Policies

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

UNIVERSITY REGULAR EXAMINATIONS 2013 /2014 ACADEMIC YEAR FOR THE DEGREE OF BACHELOR OF SCIENCE IN COMPUTER SCIENCE

Unix, History

Access Control Part 1 CCM 4350

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Announcements. is due Monday April 1 needs to include a paragraph write-up about the results of using the two different scheduling algorithms

Discretionary Access Control

Secure Architecture Principles

INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

CSN11111 Network Security

Week 10 Part A MIS 5214

SELinux. Don Porter CSE 506

Advanced Systems Security: Integrity

Πανεπιστήμιο Αιγαίου Τμήμα μηχανικών πληροφοριακών & επικοινωνιακών συστημάτων. Ασφάλεια Συστημάτων. Πολιτικές. 15/1/2012 Π.

Multifactor authentication:

Advanced Systems Security: Integrity

Mandatory access control and information flow control

Protection Kevin Webb Swarthmore College April 19, 2018

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Secure Architecture Principles

Secure Architecture Principles

Operating system security models

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Arvind Krishnamurthy Spring Implementing file system abstraction on top of raw disks

Secure Architecture Principles

Formal methods and access control. Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8

Outline. INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

OS Security Basics CS642: Computer Security

Advanced Systems Security: Ordinary Operating Systems

? Resource. Outline. Lecture 9: Access Control and Operating System Security. Access control. Access control matrix. Two implementation concepts

Access Control. Discretionary Access Control

Transcription:

Security Models Trusted Zones SPRING 2018: GANG WANG

Access Control Slides credit to Ethan L. Miller and Scott A. Brandt

Protection Domains Three protection domains Each lists objects with permitted operations Domains can share objects & permissions Objects can have different permissions in different domains There need be no overlap between object permissions in different domains How can this arrangement be specified more formally? File1 [R] File2 [RW] File3 [R] File4 [RWX] File5 [RW] Printer [W] File3 [W] Screen1 [W] Mouse [R] 3 Domain 1 Domain 2 Domain 3

Access Matrix Domain File1 File2 File3 File4 File5 Printer1 Mouse 1 Read Read Write 2 Read Read Write Execute Each domain has a row in the matrix Each object has a column in the matrix Entry for <object,column> has the permissions Whoʼs allowed to modify the protection matrix? What changes can they make? How is this implemented efficiently? Read Write Write 3 Write Write Read 4

Representing the protection matrix Need to find an efficient representation of the protection matrix (also called the access matrix) Most entries in the matrix are empty! Compress the matrix by: Associating permissions with each object à access control list Associating permissions with each domain à capabilities How is this done, and what are the tradeoffs?

Access control lists Each object has a list Protection domain User name Group of users Access rights Read Write Execute (?) No entry for domain => no rights for that domain File1 elm: <R,W> znm: <R> root: <R,W,X> Operating system checks permissions when access is needed File2 elm: <R,X> uber: <R,W> root: <R,W> all: <R> 6

Access control lists in the real world Unix file system Access list for each file has exactly three domains on it User (owner), Group, Others Rights: read, write, execute AFS (Andrew File System) for client/server systems Access lists only apply to directories Files inherit rights from the directory are in Access list may have many entries on it with possible rights: read, write, lock (for files in the directory) lookup, insert, delete (for the directories themselves), administer (ability to add or remove rights from the ACL) 7

Capabilities Each process has a capability list List: one entry per object the process can access Object name Object permissions Objects not listed are not accessible How are these secured? Kept in kernel Cryptographically secured Process A File1: <R,W> File2: <R> File3: <R,W,X> Process B File2: <R,W> File4: <R,W,X> File7: <W> File9: <R,W> 8

Protecting the access matrix: summary OS must ensure that the access matrix isn t modified (or even accessed) in an unauthorized way Access control lists Reading or modifying the ACL is a system call OS makes sure the desired operation is allowed Capability lists Similar to ACLs: reading and modification done by OS Can be handed to processes and verified cryptographically later on May be better for widely distributed systems where capabilities can t be centrally checked 9

Security models for the confidentiality and integrity of files

Multi-Level Security (MLS) Military security policy is based on protecting classified information Hierarchy of Sensitivity ranks

Compartments and Sensitivity ranks project Least Sensitive 12 Compartments may not be hierarchical

Need-to-know Rule In Military Security Policy <rank, compartments> class or classification of information A clearance is an indication that a person is trusted to access data up to some rank Dominance relation between subjects and objects s dominates o (denoted by s o) s has a need to know all the compartments for which o is classified For subject s and object o, s o if and only if rank s rank o and compartments o compartments s e.g.,top secret > secret A subject s can read an object o only if s dominates o

Bell-LaPadula confidentiality model (BLP) Biba integrity model

Bell-LaPadula Model read down/write up Security levels arranged in linear ordering Top Secret: highest Secret Confidential Unclassified: lowest security level subject object Top Secret Tamara Personnel Files Secret Samuel E-Mail Files Confidential Claire Activity Logs Levels consist of security clearance L(s) Objects have security classification L(o) Tamara can read all files Claire cannot read Personnel or E-Mail Files Alice can only read Telephone Lists Unclassified Alice Telephone Lists

Reading/Writing Information Information flows up, not down Reads up disallowed, reads down allowed Subject s can read object o iff, L(o) L(s) and s has permission to read o (aka simple security condition) No reads up rule Writes up allowed, writes down disallowed *-Property Subject s can write object o iff L(s) L(o) and s has permission to write o. (aka *-property) No writes down rule

Basic Security Theorem in BLP model If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, and the *-property, then every state of the system is secure

18 What s Wrong with BLP?

Biba multilevel integrity model Principles to guarantee integrity of data Simple integrity principle A process can write only objects at its security level or lower No way to plant fake information at a higher level The integrity * property A process can read only objects at its security level or higher Biba is in direct conflict with Bell-La Padula Difficult to implement both at the same time! 19

Biba Integrity Model Bell-La Padula model (read-down/write-up) Biba (read-up/write-down) dual of BLP model Subject cannot corrupt data in a higher level Subject cannot be corrupted by data with a lower level 1. s S can read o O iff i(s) i(o) 2. s S can write to o O iff i(o) i(s) 3. s 1 S can execute s 2 S iff i(s 2 ) i(s 1 ) i is integrity level

Key Points MAC vs. DAC (mandatory access control vs. discretionary access control) Confidentiality models restrict flow of information Bell-LaPadula models multilevel security Cornerstone of much work in computer security BLP model is generally believed to be very restrictive Integrity policies deal with trust As trust is hard to quantify, hard to evaluate completely Look for assumptions and trusted users to find possible weak points Clark-Wilson (another model) focuses on separation of duty and transactions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback