Access Control. Steven M. Bellovin September 13,

Similar documents
Access Control. Steven M. Bellovin September 2,

Web Servers and Security

Web Servers and Security

Case Study: Access Control. Steven M. Bellovin October 4,

Architecture. Steven M. Bellovin October 31,

Complex Access Control. Steven M. Bellovin September 10,

Security Architecture

Architecture. Steven M. Bellovin October 27,

Confinement. Steven M. Bellovin November 1,

Case Studies in Access Control

Operating system security models

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Advanced Systems Security: Ordinary Operating Systems

Operating System Security

Process Time. Steven M. Bellovin January 25,

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Unix, History

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,

Protection Kevin Webb Swarthmore College April 19, 2018

Advanced Systems Security: Multics

Security Models Trusted Zones SPRING 2018: GANG WANG

Secure Programming II. Steven M. Bellovin September 29,

File Access Control Lists (ACLs)

Keys and Passwords. Steven M. Bellovin October 17,

A Survey of Access Control Policies. Amanda Crowell

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

Access Control Models

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Operating System Security

Computer Security. 02. Operating System Access Control. Paul Krzyzanowski. Rutgers University. Spring 2018

ELEC 377 Operating Systems. Week 1 Class 2

Access Control. Discretionary Access Control

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Exploring UNIX: Session 3

CSE 380 Computer Operating Systems

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Data Security and Privacy. Unix Discretionary Access Control

CS 326: Operating Systems. Process Execution. Lecture 5

Information Security Theory vs. Reality

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

General Access Control Model for DAC

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

CST8207: GNU/Linux Operating Systems I Lab Six Linux File System Permissions. Linux File System Permissions (modes) - Part 1

Advanced Systems Security: Principles

Discretionary Access Control

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

I m paranoid, but am I paranoid enough? Steven M. Bellovin October 2,

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Operating systems and security - Overview

Operating systems and security - Overview

Group Editing of Files and Web Sites

CSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions

Introduction to Unix May 24, 2008

System Configuration as a Privilege

Access Control. Tom Chothia Computer Security, Lecture 5

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

CIS 5373 Systems Security

Chapter 4: Access Control

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

OS security mechanisms:

Introduction CHAPTER. Review Questions

CSE II-Sem)

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Access Control (slides based Ch. 4 Gollmann)

Module 4: Access Control

cs642 /operating system security computer security adam everspaugh

Storage and File System

ELEC 377 Operating Systems. Week 8 Class 1

User Commands chmod ( 1 )

File Properties and Permissions

CSE 565 Computer Security Fall 2018

Exercise 4: Access Control and Filesystem Security

Exercise Sheet 2. (Classifications of Operating Systems)

FreeBSD Advanced Security Features

When we start? 10/24/2013 Operating Systems, Beykent University 1

Information Security CS 526

OS Security. Authorization. Radboud University Nijmegen, The Netherlands. Winter 2015/2016

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

Linux Systems Security. Security Design NETS Fall 2016

Discretionary Access Control (DAC)

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

Unix as a Platform Exercises. Course Code: OS-01-UNXPLAT

Week 10 Part A MIS 5214

Formal methods and access control. Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8

CPS221 Lecture: Operating System Protection

Adding Groups to Groups

Discretionary Vs. Mandatory

IT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

: the User (owner) for this file (your cruzid, when you do it) Position: directory flag. read Group.

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Transcription:

Access Control Steven M. Bellovin September 13, 2016 1

Security Begins on the Host Even without a network, hosts must enforce the CIA trilogy Something on the host the operating system aided by the hardware must provide those guarantees Steven M. Bellovin September 13, 2016 2

Access Control Hardware Software Operating systems Databases Other multi-access programs Distributed (including web servers) Steven M. Bellovin September 13, 2016 3

Hardware What is the minimum necessary? What do other mechanisms buy us? Steven M. Bellovin September 13, 2016 4

Minimum Functionality Protect the OS from applications Protect applications from each other Change state from application to OS Timer interrupt Steven M. Bellovin September 13, 2016 5

Why a Timer? Availability is a security feature Must prevent uncooperative applications from hogging CPU Not going to discuss this more here, but it s a major topic in W4118 (Operating Systems) Steven M. Bellovin September 13, 2016 6

Historical Mechanisms Single privileged mode bit restrict ability to execute certain instructions Memory protection Interrupts hardware and software cause state transition The two states are (today) commonly called kernel and user mode Steven M. Bellovin September 13, 2016 7

What Are Privileged Instructions? Ability to do I/O without the OS s intervention allowing that could bypass file permission checking Ability to manipulate timers Ability to access other programs memory without OS intervention Steven M. Bellovin September 13, 2016 8

Example: IBM System/360 Mainframe Designed in the early 1960s Much of the architecture still in use... 4-bit protection key associated with each 4K block of memory, plus read-protect bit Single supervisor mode bit 4-bit state key of 0 can write to anything But operating systems of that time didn t use the hardware to its full capabilites Steven M. Bellovin September 13, 2016 9

Memory-Mapped Control On some machines, privileged operations work by memory access If applications have no access to such memory, they can t do sensitive things But must have way to enter privileged state Steven M. Bellovin September 13, 2016 10

Multics Virtual memory Ring structure 8 different privilege levels (i386 has rings, too) OS could use rings 0-3; applications could use 4-7. (Original design had 64 rings!) Each ring is protected against higher-numbered rings Special form of subroutine call to cross rings Most of the OS didn t run in Ring 0 Steven M. Bellovin September 13, 2016 11

What is the Advantage of Rings? A single bit is theoretically sufficient Assurance! Don t need to trust all parts of the system equally Principle of Least Privilege Steven M. Bellovin September 13, 2016 12

Assurance How do you know something is secure Much harder to provide later than features A trustable secure system has to be designed that way from the beginning: designed, documented, coded, and tested and maybe proved Steven M. Bellovin September 13, 2016 13

Underlying Principles of Privilege Two basic approaches to privilege: identity and attribute Hardware protection is attribute: the state of various registers controls what can and cannot be done Easier to manage in a single system Steven M. Bellovin September 13, 2016 14

What is the role of the OS? Protect itself Separate different applications More? Steven M. Bellovin September 13, 2016 15

Operating Systems and Hardware The hardware provides the minimum functionality The OS has to provide its own services on top of that This is the application s virtual execution environment Must manage access to I/O devices as well Steven M. Bellovin September 13, 2016 16

What Protections do Operating Systems Provide? User authentication (why?) File protection Process protection Resource scheduling (CPU, RAM, disk space, etc) Steven M. Bellovin September 13, 2016 17

User Authentication (Much more on this later) Why authenticate users? Most operating system privileges are granted by identity, not attributes Procedure: Authenticate user Grant access based on userid Steven M. Bellovin September 13, 2016 18

File Permissions Besides user authentication, the most visible aspect of OS security Read protection provide confidentiality Write protection provide integrity protection Other permissions as well Steven M. Bellovin September 13, 2016 19

Classical Unix File Permissions All files have owners All files belong to a group Users, when logged in, have one userid and several groupids. 3 sets of 3 bits: read, write, execute, for user, group, other (512 possible settings. Do they all make sense?) Written rwxrwxrwx 111 101 001: User has read/write/exec; group has read/exec; other has exec-only Steven M. Bellovin September 13, 2016 20

Permission-Checking Algorithm if curr_user.uid == file.uid check_owner_permissions(); else if curr_user.gid == file.gid check_group_permissions(); else check_other_permissions(); fi Note the else clauses if you own a file, group and other permissions aren t checked Steven M. Bellovin September 13, 2016 21

Execute Permission Why is it separate from read? To permit only execution Cannot copy the file Readable only by the OS, for specific purposes Steven M. Bellovin September 13, 2016 22

Directory Permissions write : create a file in the directory read : list the directory execute : trace a path through a directory Steven M. Bellovin September 13, 2016 23

Example: Owner Permissions $ id uid=54047(smb) gid=54047(smb) groups=0(wheel),3(sys),54047(smb) $ ls -l not me ----r--r-- 1 smb wheel 29 Sep 12 01:35 not me $ cat not me cat: not me: Permission denied I own the file but don t have read permission on it Steven M. Bellovin September 13, 2016 24

Example: Directory Permissions $ ls -ld oddball dr--r--r-- 2 smb wheel 512 Sep 12 01:36 oddball $ ls oddball cannot get at $ ls -l oddball ls: cannot_get_at: Permission denied $ cat oddball/cannot get at cat: oddball/cannot get at: Permission denied I can read the directory, but not trace a path through it to oddball/cannot get at Steven M. Bellovin September 13, 2016 25

Deleting Files What permissions are needed to delete files? On Unix, you need write permission on the parent directory You can delete files that you can t write. You can also write to files that you can neither create nor delete Other systems make this choice differently Steven M. Bellovin September 13, 2016 26

Historical Note Unix has never been fond of asking do you really mean that? That said, at least as long ago as February 1973 the original Bell Labs Unix rm command prompted if you tried to delete a file you couldn t write In other words, the Unix model is philosophically correct but perhaps incorrect from a human factors perspective Steven M. Bellovin September 13, 2016 27

Access Control Lists 9-bit model not always flexible enough Many systems (Multics, Windows XP and later, Solaris, Linux, MacOS) have more general Access Control Lists ACLs are explicit lists of permissions for different parties Wildcards are often used Steven M. Bellovin September 13, 2016 28

Sample ACL smb.* rwx 4187-ta.* rwx *.faculty rx *.* x Users smb and 4187-ta have read/write/execute permission. Anyone in group faculty can read or execute the file. Others can only execute it. Steven M. Bellovin September 13, 2016 29

Order is Significant With this ACL: *.faculty rx smb.* rwx 4187-ta.* rwx *.* x I would not have write access to the file Steven M. Bellovin September 13, 2016 30

MacOS ACLs Steven M. Bellovin September 13, 2016 31

Windows Vista ACLs Steven M. Bellovin September 13, 2016 32

Linux/Solaris ACLs $ getfacl acl.pdf # file: acl.pdf # owner: smb # group: smb user::rwuser:postfix:-wgroup::r-- group:landscape:--x mask::rwx other::r-- The standard Unix permissions are translated into ACL entries Steven M. Bellovin September 13, 2016 33

Setting File Permissions Where do initial file permssions come from? Who can change file permissions? Steven M. Bellovin September 13, 2016 34

Unix Initial File Permissions Unix uses umask a set of bits to turn off when a program creates a file Example: if umask is 022 and a program tries to create a file with permissions 0666 (rw for user, group, and other), the actual permissions will be 0644. Default system umask setting has a great effect on system file security Set your own value in startup script; value inherited by child processes Steven M. Bellovin September 13, 2016 35

Why Umask? Suppose files were always created with rw,r,r permissions What s wrong with the application simply changing the file permissions after creating the file? Race conditions Steven M. Bellovin September 13, 2016 36

What is a Race Condition? A race condition is when two or more asynchronous processes try to access the same resource simultaneously but it is not possible to control or predict which will happen first. Sequence 1 Create file mode 666 Change permissions to 600 Attacker tries to read the file Sequence 2 Create file mode 666 Attacker tries to read the file Change permissions to 600 It is impossible to predict which will happen! Steven M. Bellovin September 13, 2016 37

Multics Initial File Permissions Directories contain initial access control list values set by default for new files Common setting: smb.faculty rw *.sysdaemon r *.* - If group sysdaemon doesn t have read permission, the file can t be backed up! Linux and Solaris also have default ACLs for new files Steven M. Bellovin September 13, 2016 38

MAC versus DAC Who has the right to set file permissions? Discretionary Access Control (DAC) the file owner can set permissions Mandatory Access Control (MAC) only the security officer can set permissions Enforce site security rules Note: viruses and other malware change change DAC permissions, but not MAC permissions Steven M. Bellovin September 13, 2016 39

Implementing MAC Often side-by-side with DAC: system has both Processes need to pass both sets of permissions to access files Or can have a special ACL-changing attribute in an ACL: security officer.wheel But can security officer give him/herself privileges? In reality, MAC is often used for classification levels (next class), rather than ACLs p Steven M. Bellovin September 13, 2016 40

Privileged Users Root or Administrator can override file permissions This is a serious security risk there is no protection if a privileged account has been compromised There is also no protection against a rogue superuser... Secure operating systems do not have the concept of superusers Steven M. Bellovin September 13, 2016 41

Database Access Control Often have their own security mechanisms Permit user logins, just like operating systems Some have groups as well Permissions are according to database concepts: protect rows and columns Different types of operations: select, insert, update, delete, and more Steven M. Bellovin September 13, 2016 42

Databases versus OS Security The database has many objects in a single OS file The OS can control access to the file The DBMS has to control access to objects within the file The set of database users is not the same as the set of OS users Steven M. Bellovin September 13, 2016 43

Web Server ACLs Can restrict access based on web login (not OS login!) Can also use network concepts, e.g., IP address or cryptographic criteria More on this later in the semester Steven M. Bellovin September 13, 2016 44

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback