CIS 5373 Systems Security

Similar documents
Secure Architecture Principles

Secure Architecture Principles

Secure Architecture Principles

Secure Architecture Principles

Secure Architecture Principles

Data Security and Privacy. Unix Discretionary Access Control

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Information Security Theory vs. Reality

Information Security CS 526

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

CSE 565 Computer Security Fall 2018

Access Control Mechanisms

Secure Architecture Principles

Unix Basics. UNIX Introduction. Lecture 14

IS 2150 / TEL 2810 Information Security and Privacy

Introduction to Security

CSC 405 Introduction to Computer Security

Introduction to Security

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

cs642 /operating system security computer security adam everspaugh

Operating system security models

? Resource. Outline. Lecture 9: Access Control and Operating System Security. Access control. Access control matrix. Two implementation concepts

Discretionary Access Control

Module 4: Access Control

OS Security III: Sandbox and SFI

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

Operating System Security

CIS 5373 Systems Security

Discretionary Access Control (DAC)

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Secure Architecture Principles

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

412 Notes: Filesystem

CSE 380 Computer Operating Systems

OS security mechanisms:

Chapter 4: Access Control

Discretionary Access Control (DAC)

Operating system security

Introduction to Computer Security

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

Processes are subjects.

Processes are subjects.

P1L5 Access Control. Controlling Accesses to Resources

Announcements. is due Monday April 1 needs to include a paragraph write-up about the results of using the two different scheduling algorithms

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

General Access Control Model for DAC

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

OS Security Basics CS642: Computer Security

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

INSE 6130 Operating System Security

Protection Kevin Webb Swarthmore College April 19, 2018

OS Security Basics CS642: Computer Security

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Chapter 13: Protection. Operating System Concepts Essentials 8 th Edition

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Chapter 14: Protection. Operating System Concepts 9 th Edition

Privileges: who can control what

CPS221 Lecture: Operating System Protection

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

Multifactor authentication:

Access Control Part 1 CCM 4350

The golden age of hacking. OS UNIX GNU/Linux UNIX access control

Access Control CSC WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Fall 2014

Linux Capability Exploration Lab

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

LAB #7 Linux Tutorial

O/S & Access Control. Aggelos Kiayias - Justin Neumann

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Operating Systems 3. Operating Systems. Content. What is an Operating System? What is an Operating System? Resource Abstraction and Sharing

Operating Systems. Copyleft 2005, Binnur Kurt

Outline. Last time. (System) virtual machines. Virtual machine technologies. Virtual machine designs. Techniques for privilege separation

PROCESS CONTROL BLOCK TWO-STATE MODEL (CONT D)

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

Privilege Separation

Shellbased Wargaming

Datasäkerhet/Data security EDA625 Lect5

Programming Project # 2. cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel)

Fall 2014:: CSE 506:: Section 2 (PhD) Securing Linux. Hyungjoon Koo and Anke Li

Linux System Administration

Operating systems and security - Overview

Operating systems and security - Overview

CSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions

Operating Systems Security

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Chapter 4 Protection in General-Purpose Operating Systems

Storage and File System

Access Control. Steven M. Bellovin September 13,

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

Operating Systems Lab 1 (Users, Groups, and Security)

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

(32 KB) 216 * 215 = 231 = 2GB

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

FreeBSD Advanced Security Features

RBAC in Solaris 10. Darren J Moffat Staff Engineer, Networking & Security Sun Microsystems, Inc. 7 th October 2004

CS2506 Quick Revision

PESIT Bangalore South Campus

Transcription:

CIS 5373 Systems Security Topic 3.2: OS Security Access Control Endadul Hoque

Slide Acknowledgment Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Bogdan Carbunar (FIU) 2

OS Security ACCESS CONTROL CONCEPTS 3

Access Control A reference monitor mediates all access to resources Principle: Complete mediation: control all accesses to resources Reference monitor User process access request? Resource policy 4

Access Matrix Model (Lampson 1971) Objects (and Subjects) F G S u b j e c t s U V r w own r r w own rights 5

Basic Abstractions Subjects Objects Rights The rights in a cell specify the access of the subject (row) to the object (column) 6

Objects An object is anything on which a subject can perform operations (mediated by rights) Usually objects are passive, for example: File Directory (or Folder) Memory segment But, subjects (i.e. processes) can also be objects, with operations performed on them kill, suspend, resume, send inter-process communication, etc. 7

Principals and Subjects A subject is a program (application) executing on behalf of some principal(s) A principal may at any time be idle, or have one or more subjects executing on its behalf What are subjects in UNIX? What are principals in UNIX? 8

Users and Principals USERS Real World User PRINCIPALS Unit of Access Control and Authorization the system authenticates the human user to a particular principal (in essence principal account) 9

Users and Principals There should be a one-to-many mapping from users to principals a user may have many principals, but each principal is associated with an unique user This ensures accountability of a user's actions Shared accounts (principals) are bad for accountability 10

Example Student Mail client TA PDF reader Webmaster User Principals Subjects 11

Principals and Subjects Usually (but not always) Each subject is associated with a unique principal All subjects of a principal have identical rights (equal to the rights of the invoking principal) This case can be modeled by a one-to-one mapping between subjects and principals For simplicity, we treat a principal and subject as identical concepts A user should always be viewed as multiple principals! 12

Access Matrix Model Objects (and Subjects) F G S u b j e c t s U V r w own r r w own rights 13

Access Matrix Implementation Access Matrix can be sparse Space inefficient Access Control Lists Capabilities 14

Access Control List ACL Maintained for each object (or subject) No entries when no permissions G: ACL U V V V r r w own Each column of the access matrix is stored with the object corresponding to that column 15

Capability Unforgeable token that gives possessor (user) certain rights Object to which access is permitted Right for the object F r How to make it unforgeable Capability giving the right to read object F 1. Only OS can access capability user gets a pointer 2. Encrypted capabilities access control mechanism has key 16

Capability List: C-List U F r F w F own F r Each row of the access matrix is stored with the subject corresponding to that row 17

ACLs vs Capabilities Access control list Associate list with each object Check user/group against list Relies on authentication: need to know user Capabilities Capability is unforgeable ticket Random bit sequence (or managed by OS) Can be passed from one process to another Reference monitor checks ticket Does not need to know identify of user/process 18

ACLs vs Capabilities ACL's provide for superior access review on a per-object basis Who has access to this object But hard to see to what a subject has access Capabilities provide for superior access review on a per-subject basis What capabilities does this subject have But hard to see who has access to an object 19

ACLs vs Capabilities Revocation: How to revoke access of a subject to an object ACL's provide for superior revocation facilities on a per-object basis Scan object s ACL Remove subject from list (if present) But hard to revoke all rights of a subject Capabilities provide for superior revocation facilities on a per-subject basis Hard to revoke all rights on an object (for all subjects) 20

ACLs vs Capabilities In real world, the per-object basis usually wins Most OSs protect files by means of ACL's Operations centered on objects Unix: use an abbreviated form of ACL's with just three entries owner group other 21

Roles (aka Groups) Role = set of users Administrator, PowerUser, User, Guest Assign permissions to roles; each user gets roles Role hierarchy Partial order of roles Each role gets permissions of roles below List only new permissions given to each role Administrator PowerUser User Guest 22

Role-Based Access Control (RBAC) Individuals Roles Resources engineering Server 1 marketing Server 2 human res Server 3 Advantage: users change more frequently than roles 23

Access Control Summary Access control involves reference monitor Check permissions: user info, action yes/no Important: must be no way to bypass this check Access control matrix Two implementations: access control lists vs capabilities Advantages and disadvantages of each Role-based access control Use group as user info ; use group hierarchies 24

OS Security UNIX ACCESS CONTROL 25

Unix What access control concepts are used? Truncated access control list A form of role-based access control File 1 File 2 User 1 read write - User 2 write write - User 3 - - read Role r Read write write File 1 File 2 Owner read write - Group write write - Other - - read 26

Unix access control Process has user id Inherit from creating process Process can change id Restricted set of options Special root id All access allowed File 1 File 2 Owner read write - Group write write - Other - - read File has access control list (ACL) Grants permission to users Three roles : owner, group, other

Unix file access control list Each file has owner and group Permissions set by owner Read, write, execute Owner, group, other Represented by vector of four octal values rwx rwx rwx ownr grp othr Only owner, root can change permissions This privilege cannot be delegated or shared Setid bits Discuss in a few slides

Example directory listing access owner group size modification name

Process effective user id (EUID) Each process has three Ids (+ more under Linux) Real user ID (RUID) same as the user ID of parent (unless changed) used to determine which user started the process Effective user ID (EUID) from set user ID bit on the file being executed, or sys call determines the permissions for process (file access and port binding) Saved user ID (SUID) So previous EUID can be restored Real group ID, effective group ID, used similarly

Process Operations and IDs Root ID=0 for superuser root; can access any file Fork and Exec Inherit three IDs, except exec of file with setuid bit Setuid system call seteuid(newid) can set EUID to Real ID or saved ID, regardless of current EUID Any ID, if EUID is root Details are actually more complicated Several different calls: setuid, seteuid, setreuid

Setid bits on executable Unix file Three setid bits Setuid set EUID of process to ID of file owner Setgid set EGID of process to GID of file Sticky Off: if user has write permission on directory, can rename or remove files, even if not owner On: only file owner, directory owner, and root can rename or remove file in the directory Used only for directories

Example RUID 25 ; ; exec( ); Owner 18 SetUID program Owner 18 -rw-r--r-- file Owner 25 -rw-r--r-- file read/write read/write ; ; i=getruid() setuid(i); ; ; RUID 25 EUID 18 RUID 25 EUID 25

The need for setid bits Some operations are not modeled as files and require user id = 0 halting the system bind/listen on privileged ports (TCP/UDP ports below 1024) non-root users need these privileges File level access control is not fine-grained enough System integrity requires more than controlling who can write, but also how it is written 34

Security issues with setid bits These programs are typically setuid root Violates the least privilege principle every program and every user should operate using the least privilege necessary to complete the job Why violating least privilege is bad? How would an attacker exploit this problem? How to solve this problem? 35

Drop privilege A process that executes a set-uid program can drop its privilege; it can drop privilege permanently removes the privileged user id from all three user IDs drop privilege temporarily removes the privileged user ID from its effective uid but stores it in its saved uid, later the process may restore privilege by restoring privileged user ID in its effective uid 36

Example: User login login pid 2235 euid 0 ruid 0 suid 0 setuid(500) After the login process verifies that the entered password is correct, it issues a setuid system call. login pid 2235 euid 500 ruid 500 suid 500 exec( bash ) The login process then loads the shell, giving the user a login shell. bash pid 2235 euid 500 ruid 500 suid 500 fork() The user types in the passwd command to change his password. 37

bash pid 2235 euid 500 ruid 500 suid 500 bash pid 2297 euid 500 ruid 500 suid 500 exec( passwd ) passwd pid 2297 euid 0 ruid 500 suid 0 The fork call creates a new process, which loads passwd, which is owned by root user, and has setuid bit set. Drop privilege permanently Drop privilege temporarily passwd pid 2297 euid 500 ruid 500 suid 500 passwd pid 2297 euid 500 ruid 500 suid 0 38

Other Objects in Unix Accesses other than read/write/execute Who can change the permission bits? The owner can Who can change the owner? Only the superuser Rights not related to a file Affecting another process Operations such as shutting down the system, mounting a new file system, listening on a low port traditionally reserved for the root user 39

Unix access control summary Good things Some protection from most users Flexible enough to make practical systems possible Main limitation Coarse-grained ACLs user, group, other Too tempting to use root privileges No way to assume some root privileges without all

Coming up Network security 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback