? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

Similar documents
Secure Architecture Principles

Information Security Theory vs. Reality

Secure Architecture Principles

Secure Architecture Principles

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Secure Architecture Principles

CIS 5373 Systems Security

Secure Architecture Principles

? Resource. Outline. Lecture 9: Access Control and Operating System Security. Access control. Access control matrix. Two implementation concepts

Operating system security models

IS 2150 / TEL 2810 Information Security and Privacy

Introduction to Security

Introduction to Security

Secure Architecture Principles

Secure Architecture Principles

Operating system security

General Access Control Model for DAC

P1L5 Access Control. Controlling Accesses to Resources

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Module 4: Access Control

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Unix Basics. UNIX Introduction. Lecture 14

Data Security and Privacy. Unix Discretionary Access Control

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

cs642 /operating system security computer security adam everspaugh

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

Exercise 4: Access Control and Filesystem Security

Announcements. is due Monday April 1 needs to include a paragraph write-up about the results of using the two different scheduling algorithms

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Access Control Mechanisms

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

Chapter 4: Access Control

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

OS Security Basics CS642: Computer Security

OS Security Basics CS642: Computer Security

Rich Powell Director, CIP Compliance JEA

Discretionary Access Control

CS 356 Lecture 7 Access Control. Spring 2013

412 Notes: Filesystem

Introduction to Computer Security

Jérôme Kerviel. Dang Thanh Binh

Access Control. Discretionary Access Control

Access Control Mechanisms

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

Outline. Security. Security Ratings. TCSEC Rating Levels. Key Requirements for C2. Met B-Level Requirements

Privileges: who can control what

Security. Outline. Security Ratings. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik

Protection and Security

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

Operating Systems Security Access Control

Processes are subjects.

The Kerberos Authentication Service

Operating System Security

These selected protocol definitions are extremely helpful in learning the

IT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Login und Authentifizierung

Week 6: Capabilities Advanced Operating Systems ( L)

CSE 380 Computer Operating Systems

Chapter 14: Protection. Operating System Concepts 9 th Edition

CSE 565 Computer Security Fall 2018

O/S & Access Control. Aggelos Kiayias - Justin Neumann

Protection Kevin Webb Swarthmore College April 19, 2018

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Identity, Authentication and Authorization. John Slankas

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

BEST PRACTICES FOR IMPLEMENTING ACCESS CONTROL SYSTEMS

Introduction to Computer Security

Chapter 13: Protection. Operating System Concepts Essentials 8 th Edition

Architecture. Steven M. Bellovin October 31,

Case Study: Access Control. Steven M. Bellovin October 4,

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Access Control CSC WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Fall 2014

Access Control. Steven M. Bellovin September 13,

Chapter 9: Key Management

Operating systems and security - Overview

Operating systems and security - Overview

File Systems. What do we need to know?

Access Control. Discretionary Access Control

Server. Client LSA. Winlogon LSA. Library SAM SAM. Local logon NTLM. NTLM/Kerberos. EIT060 - Computer Security 2

Web Servers and Security

Case Studies in Access Control

Access Control Part 1 CCM 4350

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

Access Control. Tom Chothia Computer Security, Lecture 5

Access Control Models

Architecture. Steven M. Bellovin October 27,

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

CS 416: Operating Systems Design April 22, 2015

CS/CIS 249 SP18 - Intro to Information Security

A Survey of Access Control Policies. Amanda Crowell

User Commands chmod ( 1 )

Web Servers and Security

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

FreeBSD Advanced Security Features

OS Security III: Sandbox and SFI

Windows Server 2008 Active Directory Resource Kit

Transcription:

Announcements Access control John Mitchell u Homework Due today. Next assignment out next week u Graders If interested in working as grader, send email to Anupam u Projects Combine some of the project ideas Two more project assignments Next one posted next week References u Viega and McGraw Chapter 8, Access Control u Windows http://www.microsoft.com/ u CFS, EFS Use Google to find web sites Access control in operating systems u Assumption System knows who the user is User has entered a name and password, or other info Access requests pass through gatekeeper Global property; OS must be designed so that this is true User process Reference monitor? Resource Secure OS: also apply controls to kernel processes 1

Access control decision Access control matrix [Lampson] Given: user and request for privilege Decide: whether to grant request File 1 File 2 File 3 File n User 1 User process filename /? Resource User 2 User 3 Terminology: privilege = resource, rightò User m Roles u Role = set of users Administrator, PowerUser, User, Guest Assign permissions to roles; each user gets permission u Role hierarchy Partial order of roles Administrator Each role gets PowerUser permissions of roles below List only new permissions User given to each role Guest Resource, Right groups u Like roles, but for resources or rights If user has right r for resource, and r>s, then user has right s If user has access to directory, user has access to every file in directory u Big problem with access control Complex mechanisms require complex input Difficult to configure and maintain Roles, other organizing ideas try to simplify problem 2

Unix file security u Each file has owner and group u Permissions set by owner setid Read,, execute Owner, group, other rwx rwx rwx Represented by vector of four octal values ownr grp othr Unix file security u File can set effective user id (EUID) u Only owner, root can change permissions This privilege cannot be delegated or shared u Umask Permissions to be denied when new file is created Question u Suppose owner has fewer privileges What happens? User gets access? User does not? u Prioritized resolution of differences if user = owner then owner permission else if user in group then group permission else other permission Effective user id (EUID) u Each process has two Ids Real user ID same as the user ID of parent (unless changed) used to determine which user started the process Effective user ID from set user ID bit on the file being executed determines what permissions the process has file access and port binding u Real group ID, effective group ID, used similarly 3

Setid Bits Compare to stack inspection u Three setid bits Setuid set EUID of process to ID of file owner Setgid set EGID of process to GID of file Sticky Off: if user has permission on directory, can rename or remove files, even if not owner On: only file owner, directory owner, and root can rename or remove file in the directory u Careful with Setuid! Can do anything that owner of file is allowed to do Be sure not to Take action for untrusted user Return secret data to untrusted user A 1 B 1 C 1 Programming interface Setuid programming u Can, modify permissions from program u Setreuid(x_uid, y_uid) Set real and effective uid to given values Can be used to set EUID back to UID after done with operation that needed setuid If program not owned by root, both x_uid and y_uid must be UID or EUID u Note: lots of things are possible if root; no middle ground between user and root u Dan talked about this before u Be Careful! Root can do anything; don t get tricked Principle of least privilege change EUID when root privileges no longer needed u Setuid scripts This is a bad idea Historically, race conditions Begin executing setuid program; change contents of program before it loads and is executed 4

Unix summary u We re all very used to this So probably seems pretty good We overlook ways it might be better u Good things Some protection from most users Flexible enough to make things possible u Main bad thing Too tempting to use root privileges No way to assume some root privileges without all root privileges Access control in Windows (NTFS) u Basic functionality similar to Unix Specify access for groups and users Read, modify, change owner, delete u Some additional concepts Tokens Security attributes u Generally More flexibility than Unix Can define new permissions Can give some but not all administrator privileges Sample permission options u SID Identity (replaces UID) SID revision number 48bit authority value variable number of Relative Identifiers (RIDs), for uniqueness Users, groups, computers, domains, domain members all have SIDs Permission Inheritance u Static permission inheritance (Win NT) Initially, subfolders inherit permissions of folder Folder, subfolder changed independently Replace Permissions on Subdirectories command Eliminates any differences in permissions u Dynamic permission inheritance (Win 2000) Child inherits parent permission, remains linked Parent changes are inherited, except explicit settings Inherited and explicitlyset permissions may conflict Resolution rules Positive permissions are additive Negative permission (deny access) takes priority 5

Tokens u Security Reference Monitor uses tokens to identify the security context of a process or th u Security context privileges, accounts, and groups associated with the process or th u Impersonation token th uses temporarily to adopt a different security context, usually of another user Token fields u Token Source Description of the entity that created the token u Token Identifier Locally unique identifier u Expiration Time Present but unused in NT since NT 3.1 Security Descriptor Example access request u Information associated with an object who can perform what actions on the object u Several fields Header Descriptor revision number Control flags, attributes of the descriptor E.g., memory layout of the descriptor SID of the object's owner SID of the primary group of the object Two attached optional lists: Discretionary Access Control List (DACL) users, groups, System Access Control List (SACL) system logs,.. Access token Security descriptor User: Mark Group1: Administrators Group2: Writers Revision Number Control flags Owner SID Group SID DACL Pointer SACL Pointer Deny Writers Read, Write Allow Mark Read, Write Access request: Action: denied User Mark requests permission Descriptor denies permission to group Reference Monitor denies request 6

Impersonation Tokens (setuid?) u Process uses security attributes of another Client passes impersonation token to server u Client specifies impersonation level of server Anonymous Token has no information about the client Identification server obtain the SIDs of client and client's privileges, but server cannot impersonate the client Impersonation server identify and impersonate the client Delegation lets server impersonate client on local, remote systems Encrypted File Systems (EFS, CFS) u Store files in encrypted form Key management: user s key decrypts file Useful protection if someone steals disk u Windows EFS User marks a file for encryption Unique file encryption key is created Key is encrypted, can be stored on smart card u Unix CFS [Matt Blaze] Transparent use Local NFS server running on "loopback" interface Key protected by passphrase Capabilities u Operating system concept of the future and always will be u Examples Dennis and van Horn, MIT PDP1 Timesharing Hydra, StarOS, Intel iapx 432, Amoeba, Eros, u Reference Henry Levy, Capabilitybased Computer Systems http://www.cs.washington.edu/homes/levy/capabook/index.html ACL vs Capabilities u Access control list Associate list with each object Check user/group against list Relies on authentication: need to know user u Capabilities Capability is unforgeable ticket Random bit sequence, or managed by OS Can be passed from one process to another Reference monitor checks ticket Does not need to know identify of user/process 7

ACL vs Capabilities ACL vs Capabilities User U Process P User U Process Q User U Process R Capabilty c,d Process P Capabilty c Process Q Capabilty c Process R u Delegation Cap: Process can pass capability at run time ACL:???? u Revocation ACL: Remove user or group from list Cap: Try to get capability back from process? Possible in some systems if appropriate bookkeeping OS knows what data is capability If capability is used for multiple resources, have to revoke all or none Other details Rolebased access control (RBAC) Example: The Three Musketeers u Main ideas Users are associated with roles Roles are associated with permissions A user has a permission only if the user has an authorized role which is associated with that permission User/Permission Association Athos palace uniform Aramis Porthos weapons D'Artagnan u Source: John Barkley, NIST RBAC Project 8

Example: The Three Musketeers Quantifying RBAC Advantage RBAC Athos Porthos Aramis D'Artagnan Musketeer palace uniform weapons u For each job position, let: U = Number of individuals in job position P = Number of permissions required for position (U + P) < (U P) fi RBAC Advantage u For all job positions, Sum up advantage for each position S i (U i + P i ) < S (U i P i ) Example: D Artagnon becomes a Musketeer NIST RBAC Model D'Artagnan D'Artagnan Musketeer palace uniform palace uniform weapons u Role Hierarchies, e.g, teller inherits employee u Conflict of Interest Constraints Static Separation of Duty: user cannot be authorized for both roles, e.g., teller and auditor Dynamic Separation of Duty: user cannot act simultaneously in both roles, e.g., teller and account holder u Role Cardinality: maximum number of users authorized for role, e.g., branch manager weapons 9

Distributed Access Control Single signon systems e.g. Securant, Netegrity, Oblix u Resources distributed across network How do we control use of resources? How to identify users, establish privileges? u Centralized solutions Authenticate users Use policy determine privileges u Distributed solutions Need to combine policies from different sites Resource monitor must authenticate requests user name password Rules Authentication LAN Data Application Data u Limitations Centralized access point is a performance and administration bottleneck Developed for single enterprise; not extensible to multiple organizations User name / password authentication does not support nonrepudiation Distributed Access Control Certificate Authority Policies Credentials Credentials Policies Deduction Engine Deduction Engine Resource Monitors 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback