ACCESS CONTROL & SECURITY MODELS (REVIEW)
Center of gravity of computer security
Posted 22-Dec-2015
Access Control Srini & Nandita 2
CSE2500 System Security & Privacy
Fundamental Model of Access Control
subject --(access request)--> reference monitor --> object
Possible Access Control Mechanisms are:
– Control matrix
– Control lists
– Groups and roles
– Extension to distributed (+file) systems
Example Access Control Matrix for Bookkeeping

Subject            Operating system   Accounts program   Accounting data   Audit trail
Sam                rwx                rwx                r                 r
Alice              rx                 x                  -                 -
Accounts program   rx                 r                  rw                w
Bob                rx                 r                  r                 r
Srini              rx                 r                  r                 r
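As an added example (not part of the slides), a reference monitor over the bookkeeping matrix above, together with the two views that the "control lists" mechanism derives from it: a capability list is one row, an access control list is one column. Note that the accounts program is a subject in its own right: Alice may only execute it, and it, not Alice, holds rw on the accounting data.

```python
# Added example (not from the slides): a reference monitor over the bookkeeping
# access control matrix, plus its row (capability) and column (ACL) views.

ACM = {
    # subject:           {object: rights}; "" means no rights ("-" on the slide)
    "Sam":              {"os": "rwx", "accounts_program": "rwx", "accounting_data": "r",  "audit_trail": "r"},
    "Alice":            {"os": "rx",  "accounts_program": "x",   "accounting_data": "",   "audit_trail": ""},
    "Accounts program": {"os": "rx",  "accounts_program": "r",   "accounting_data": "rw", "audit_trail": "w"},
    "Bob":              {"os": "rx",  "accounts_program": "r",   "accounting_data": "r",  "audit_trail": "r"},
    "Srini":            {"os": "rx",  "accounts_program": "r",   "accounting_data": "r",  "audit_trail": "r"},
}

def reference_monitor(subject, obj, right):
    """Mediate one access request: True only if the matrix grants `right`
    (exactly one of 'r', 'w', 'x') on `obj` to `subject`. Unknown subjects,
    unknown objects and malformed rights are all refused (fail closed)."""
    if len(right) != 1 or right not in "rwx":
        return False
    return right in ACM.get(subject, {}).get(obj, "")

def capability_list(subject):
    """Row of the matrix: what this subject holds, omitting empty entries."""
    return {obj: rights for obj, rights in ACM.get(subject, {}).items() if rights}

def access_control_list(obj):
    """Column of the matrix: who may do what to this object, omitting empty entries."""
    return {subject: row[obj] for subject, row in ACM.items() if row.get(obj)}
```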
Basic UNIX file security
-rw-rw-r--   1 root   sys   1344 Jul  2 22:57 /etc/vfstab
Here the owner is root and the group is sys. The ten-character mode string is a file-type character followed by three permission triplets:
-rwxrwxrwx   characters 2-4: owner permissions
-rwxrwxrwx   characters 5-7: group permissions
-rwxrwxrwx   characters 8-10: other permissions
SUID and SGID Security
The owner of a program can mark it as suid, so that whoever runs it acquires the owner's access control attributes (privileges) while it runs; sgid does the same for the program's group.
What is the security issue here?
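As an added example (not part of the slides), the way the kernel reads a mode string such as the /etc/vfstab line above: exactly one triplet applies to a caller, the owner triplet if the caller owns the file, else the group triplet if the caller is in the file's group, else the "others" triplet, and the suid/sgid marks appear as 's' in the owner or group execute slot. The ls line is the slide's; the users and the extra mode strings are constructed.

```python
# Added example (not from the slides): selecting and applying the one
# permission triplet that governs a caller, and reading the set-id bits.

import re

LS_LINE = "-rw-rw-r--   1 root   sys   1344 Jul  2 22:57 /etc/vfstab"

def parse_ls_line(line):
    """Return (mode, owner, group, path) from a long-format ls line."""
    m = re.match(r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$", line)
    if not m:
        raise ValueError("unrecognised ls -l line")
    return m.groups()

def applicable_triplet(mode, owner, group, user, user_groups):
    """Select the single permission class the kernel will consult."""
    if user == owner:
        return mode[1:4]
    if group in user_groups:
        return mode[4:7]
    return mode[7:10]

def permitted(mode, owner, group, user, user_groups, want):
    """True if every bit in `want` (a subset of 'rwx') is granted by the
    applicable triplet. Lower-case 's'/'t' in the execute slot means the
    set-id (or sticky) bit is set AND execute is set; upper-case means the
    special bit is set but execute is not."""
    triplet = applicable_triplet(mode, owner, group, user, user_groups)
    granted = set()
    for bit, ch in zip("rwx", triplet):
        if ch == bit or (bit == "x" and ch in "st"):
            granted.add(bit)
    return set(want) <= granted

def setid_bits(mode):
    """Which special bits a mode string carries (the slide's suid and sgid)."""
    return {"suid": mode[3] in "sS", "sgid": mode[6] in "sS"}

def check_slide_line(user, user_groups, want):
    """Apply the check to the /etc/vfstab line from the slide."""
    mode, owner, group, _path = parse_ls_line(LS_LINE)
    return permitted(mode, owner, group, user, user_groups, want)
```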
SUID and SGID Security (cont.)
SUID root programs are particularly vulnerable to attack.
If it is possible to subvert the program in some way, then root access can be gained.
A very well known method of such subversion is the buffer overflow.
A buffer overflow vulnerability results from bad coding practices on the part of the original programmer of the SUID root program!
ACCESS CONTROL & SECURITY MODELS (2)
Center of gravity of computer security

Buffer Overflow
Hundreds of buffer overflow vulnerabilities have been documented in various versions of UNIX.
Not restricted to UNIX: Windows and other operating systems can also be vulnerable.
Writing a buffer overflow attack requires some knowledge of the stack architecture for the particular hardware (e.g. Intel stacks are implemented in a different way from SPARC stacks).
Buffer Overflow – The problem

    #include <string.h>

    /* Copies its argument into a 16-byte local buffer with no length check:
       any argument longer than 15 characters overflows the buffer. */
    void function(char *str) {
        char buffer[16];
        strcpy(buffer, str);
    }

    int main(void) {
        char string[256];
        int i;
        for (i = 0; i < 255; i++)
            string[i] = 'A';
        string[255] = '\0';   /* terminate so strcpy knows where the source ends */
        function(string);
        return 0;
    }
Buffer Overflow – what happens on the stack
(The same program as above; each step shows the stack as main calls function, with each new push drawn above the previous one.)

1. string (the argument) pushed onto stack:
     string
     ...

2. return address pushed onto stack:
     return address
     string
     ...

3. buffer[16] (local variable) pushed onto stack:
     buffer[0]
     buffer[1]
     ...
     buffer[15]
     return address
     string
     ...

4. strcpy writes 255 'A's starting at buffer[0]; they run past buffer[15], over the return address and into the rest of the frame:
     A
     A
     A
     ...
     A   (return address overwritten)
     A
     ...
   Result: Segmentation Fault when function tries to return through the overwritten return address.
Buffer Overflow Attack
Instead of writing 'A' past the allocated local buffer and into the rest of the stack, write data into the stack such that:
– The return address is replaced by an address which points to a bit of code written by the attacker (which can also be written onto the stack)
– This code may, for example, spawn a shell.
– If the original program was SUID root, this will be a root shell!
Buffer Overflow Attack
If no patch is available from the O/S vendor to fix the vulnerability, then at least remove SUID root permissions from the program in question.
Authentication
Authentication means to establish the proof of identity. Authentication techniques may vary depending on the kind of resource being accessed.
The various kinds of access can be classified into:
– user-to-host
– host-to-host
– user (or process)-to-user (or process)
Trusted hosts
UNIX allows hosts to trust one another. If host A trusts host B, then a user who has the same user name on B and A can access resources on A from B without a password.
Implemented using .rhosts and /etc/hosts.equiv
Used by rlogin, rsh, rcp
Trusted hosts - advantages
Password cannot be sniffed because it is not transmitted.
Users can log in once and then subsequently move to any machine in the trusted network.
Convenience.
Trusted hosts - disadvantages
If one host is compromised (e.g. boot B to single user mode then change to any user you like), then the other host is also compromised – read that user's files on A.
Even if B cannot be booted to single user mode without a password, one can physically replace B with another machine.
Trusted hosts use IP address authentication, which is vulnerable to IP spoofing.
NFS
Network File System
– Developed by Sun Microsystems
– Supported by most UNIX systems
– Allows remote access to local file systems
NFS example (Solaris)
Host A (the NFS server) exports /files to host B with:
    share -F nfs -o rw=B,root=B /files
Host B mounts it with:
    mount -t nfs A:/files /mnt/files
NFS calls then travel across the network between the client on B and the server on A.
NFS Security Considerations
Export only to trusted hosts
Export only those parts of the filesystem which require remote access
Export read-only unless writing is absolutely required
Be very careful mapping root on the server to root on the client.
Remove group write permissions for exported files and directories.
Be careful exporting user home directories
NFS Security Considerations
Do not allow users to log into the NFS server.
Do not accept incoming NFS call requests on non-privileged ports.
Use Secure NFS.
Don't use NFS! (Is it absolutely necessary?)
Threats to Availability
"Denial of Service" attacks
Probably more of a threat when carried out via the network than on the local machine alone.
Not UNIX specific
Windows accounts
Each user has an account
– On a computer and/or an Active Directory domain
– Non-human accounts are for system processes
Account typically has name and password
– Authentication based on Kerberos or hashed password (for NT compatibility only)
– OS supports password strength, aging policies
– Certificates and smartcards are also supported (in 2000/XP, but not commonly used yet)
A user may belong to many groups
– Has the union of the groups' rights at any time
Windows file systems (1/3)
FAT (for backward compatibility)
– FAT supports no access control
NTFS (NT File System)
– Access control based on user IDs and file permissions
– Basic permissions are Read, Write, Execute, Delete, Change Permissions, Take Ownership (RWXDPO)
– Standard permissions are basic ones combined
– Different permissions to a file can be granted to individual users/groups using an ACL
– More fine-grained, flexible than UNIX
Windows file systems (2/3)
The following access permissions apply to files:
No Access
Read (RX): read and execute
Change (RWXD): read, write, execute, delete
Full Control (all): RWXDPO
Special Access: any combination of RWXDPO
Windows file systems (3/3)
File sharing using Common Internet File System (CIFS)
– Shares are managed in the directory (in common with domain management – more later)
– Machine access to shares is based on the computer account in the domain and inter-domain trust
– User access to shares is based on share passwords or standard ACLs
– NT systems use hashed-password SMB authentication
– Windows 2000/XP use Kerberos authentication
Encrypting File System (EFS)
– File encryption using random secret keys, which are in turn encrypted with EFS public keys
Windows networking
Essentially similar tools
– telnet, ftp with clear-text passwords
– SSH, and augmented versions of telnet, ftp: more secure
Integrated networking explained later
– Server Message Block (SMB) based integrated domain authentication, file share access
Windows security internals: Architecture (1/2)
Windows (NT/2000/XP) have layered components on top of a kernel
Security Reference Monitor (SRM)
– Part of the kernel
– Handles the core of access control checks
Protected security services include
– Winlogon process
– Local Security Authority (LSA) and policy database
– Security Account Manager (SAM) and database
– These services perform user authentication, and the non-core part of access control
Windows security internals: Architecture (2/2)
Security identifiers (SID)
– Uniquely represent each user or group
Access control entry (ACE)
– Contains permissions to an object explicitly denied or granted to a subject (SID)
Access control list (ACL)
– List of ACEs for an object
Security descriptor of an object
– Contains its owner SID, primary group SID, its ACL, and the applicable system ACL
Access token for a logged-on user
– Contains the user's SID, primary group SID, etc.
Windows security internals: Authentication
NT uses NTLM authentication
– NT (MD4) and LM (DES-based) hashed password
– Domain integration relies on sending hashed passwords through insecure SMB protocols
– Inter-domain trusts are one-way, non-transitive
Windows 2000/XP in domains use Kerberos
– NTLM supported for backward compatibility
– Domains are managed by Active Directory
– Integrated Kerberos auth. as domain controllers are KDCs
– Enable hierarchical organisation and delegation
– Inter-domain trusts are two-way, transitive, thereby simplifying trust management
Logged-on users run processes with their access tokens, the basis for access control and impersonation
Windows security internals: Access control
Discretionary access control
– Based on subject SIDs and object ACLs
– Each object has an ACL
• A null ACL means no restrictions; an empty ACL means no access
– Each process has an access token with owner SID, group SIDs
– Access control check matches access tokens against ACLs
– Administrators group can access everything
– SRM performs the core matching
Less discretionary access control
– Some system-wide policies applying to subjects, regardless of an individual object's ACL
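As an added example (not part of the slides), the discretionary access check outlined above modelled in Python: a token carries the user's SID and group SIDs, an object's security descriptor carries a DACL of ACEs that allow or deny rights to a SID, and the check walks the ACEs in Windows' canonical order (explicit deny entries before explicit allow entries), accumulating granted rights and stopping at the first applicable deny. None models a null DACL and [] an empty DACL; the Administrators short-cut is the slide's own rule; all SIDs other than the well-known Administrators SID are constructed.

```python
# Added example (not from the slides): token-against-DACL access check with
# null-DACL, empty-DACL and explicit-deny handling.

from dataclasses import dataclass, field

READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
ADMINISTRATORS = "S-1-5-32-544"       # well-known SID of BUILTIN\Administrators

@dataclass
class ACE:
    sid: str
    allow: bool
    rights: int                       # bit mask of READ | WRITE | EXECUTE | DELETE

@dataclass
class Token:
    user_sid: str
    group_sids: set = field(default_factory=set)

    def sids(self):
        return {self.user_sid} | self.group_sids

def access_check(token, dacl, requested):
    """Return True if the token is granted every bit in `requested`."""
    if ADMINISTRATORS in token.sids():
        return True                   # slide: Administrators group can access everything
    if dacl is None:
        return True                   # null DACL: no restrictions
    granted = 0
    for ace in dacl:                  # an empty DACL never enters the loop: no access
        if ace.sid not in token.sids():
            continue
        if not ace.allow:
            if ace.rights & requested:
                return False          # a deny covering any requested right ends the check
        else:
            granted |= ace.rights
            if (granted & requested) == requested:
                return True
    return (granted & requested) == requested

# Constructed scenario: Alice is a member of Domain Users (RID 513); the DACL
# denies her WRITE explicitly but allows Domain Users READ | WRITE.
ALICE = Token("S-1-5-21-1-2-3-1001", {"S-1-5-21-1-2-3-513"})
SAMPLE_DACL = [
    ACE("S-1-5-21-1-2-3-1001", allow=False, rights=WRITE),
    ACE("S-1-5-21-1-2-3-513", allow=True, rights=READ | WRITE),
]
```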
Windows security internals: Impersonation
No equivalent of UNIX suid, sgid or "su", "sudo" programs
But processes frequently programmatically impersonate others
– A thread takes on the access token of another subject
– This access token may be an exact copy or a variant of a primary access token
– The thread gets the security privileges of the impersonated subject
Impersonation is application-controlled, as opposed to administrator-controlled in UNIX
Windows security internals: Logging & auditing
The LSA and SRM create logs through the system event logger
The LSA logs mostly logon events based on its audit policy
The SRM logs access check events based on the system access control list (SACL)
– Each object has an SACL
Logs are stored locally
UNIX and Windows security: some evaluations
Windows security more complex, less mature
– More susceptible to faults
Windows integrated Kerberos auth. more secure than hashed passwords
Windows access control more fine-grained
But Windows has more viruses?
– Default security leaves programs writable
– User education
Historically more UNIX buffer overflow attacks?
– Longer lifetime, more accessible source code
– Windows code inaccessible, but faults will show up eventually (obscurity is not good security)
Other Access Control methods
Sandboxing
– Software that provides limited access rights to programs of unknown origin
Proof-carrying code
– Programs to be executed must carry a proof that they do not do anything that contravenes the local security policy
Policies (1)
Historical considerations
– The history of information systems and their automation is a history of compromise. Automation had to fit into existing schemes of information management. Similarly, the addition of security mechanisms has to fit into existing structures and systems. Highly secure systems are often a consequence of redesign and re-engineering of existing systems.
Mandatory Security Policies
– A system-wide policy decrees that all subjects and all objects are classified. Access classes are associated with every subject-object pair.
– Access rights depend on the triple subject-object-access class, for all triplets, e.g. <Sam, Production Log, Write>
Policies (2)
Discretionary Security Policies
– Users are allowed to grant access to other users - often the OWNER of an object can grant access privileges to other users (at the owner's discretion)
– Discretionary policies may allow one user to pass data to another user without the authority of the creator of the data
Security Models Formal Methods
One benefit of using formal models is that mathematical (sometimes called formal) methods can be used to confirm that all transitions allowed by the model preserve the secure state of the system being modeled
For real systems, modeling is not easy
Access Control - Ranked Model (1)
Multi-level
Often called lattice methods
Basis of military and commercial security
Set of ordered security levels, users assigned to a level
User subjects are privileged to access a rank and all lower ranks
Students do not need to master the notation used in 'Gollman'
Access Control - Ranked Model (2)
We are also concerned about need to know
Compartment the information to be secured
Granting access:
– A subject is cleared to access an object only if rank(subject) >= rank(object) AND
– The set of all compartments that contain the object is contained within the set of compartments that the subject is cleared to access
– (The personnel manager will not be allowed to access confidential production data)
Access Control - Ranked Model (3)
Companies often use the ranks:
– Public, Company Confidential, Executive-only
Deciding what lies in what compartment keeps security staff occupied
Bell - LaPadula (1)
Earliest formal model
Each user subject and information object has a fixed security class
Use the notation >= to indicate dominance
Simple Security (ss) property: the no read-up (NRU) property
– A subject has read access to an object if the class of the subject C(s) is greater than or equal to the class of the object C(o)
– need C(s) >= C(o)
Bell - LaPadula (2)
* property (star): the no write-down (NWD) property
– While a subject has read access to object O, the subject can only write to object P if C(P) >= C(O)
Leads to concentration of irrelevant detail at upper levels
Discretionary Security (ds) property
If discretionary policies are in place, accesses are further limited to this access matrix
– Although all users in the personnel department can read all [personnel] documents, the personnel manager would expect to limit the readers of a document that dealt with redundancies in the personnel department!
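As an added example (not part of the slides), the ranked model with compartments from the preceding slides and the three Bell-LaPadula properties built on top of it. A security class is (rank, compartments), and class A dominates class B (A >= B) when rank(A) >= rank(B) and every compartment of B is among A's. The ranks and compartments are the slides' own (Public < Company Confidential < Executive; Personnel, Production); the subjects, objects and the discretionary matrix are constructed.

```python
# Added example (not from the slides): lattice dominance, the ss-, *- and
# ds-properties, and the slides' personnel-department scenario.

RANKS = {"Public": 0, "Company Confidential": 1, "Executive": 2}

def label(rank, *compartments):
    """Security class = (rank, frozenset of compartments)."""
    return (RANKS[rank], frozenset(compartments))

def dominates(a, b):
    """a >= b: rank(a) >= rank(b) AND compartments(b) contained in compartments(a)."""
    return a[0] >= b[0] and b[1] <= a[1]

def can_read(subject_class, object_class):
    """ss-property (no read-up): need C(s) >= C(o)."""
    return dominates(subject_class, object_class)

def can_write(open_reads, target_class):
    """*-property as the slide states it (no write-down): while reading the
    objects in open_reads, write to P only if C(P) >= C(O) for each such O.
    (The textbook form compares C(P) against the subject's current level.)"""
    return all(dominates(target_class, o) for o in open_reads)

def blp_check(subject, obj, mode, classes, matrix, open_reads=()):
    """ds-property first (the access matrix can only restrict further), then
    the mandatory rule for the mode. Unknown names fail closed."""
    if mode not in matrix.get(subject, {}).get(obj, ""):
        return False
    if mode == "r":
        return can_read(classes[subject], classes[obj])
    if mode == "w":
        return can_write(open_reads, classes[obj])
    return False

CLASSES = {
    "personnel_manager": label("Executive", "Personnel"),
    "clerk":             label("Company Confidential", "Personnel"),
    "production_log":    label("Company Confidential", "Production"),
    "redundancy_memo":   label("Company Confidential", "Personnel"),
    "notice_board":      label("Public"),
}
# Discretionary matrix: the manager has not granted the clerk the memo.
MATRIX = {
    "personnel_manager": {"production_log": "r", "redundancy_memo": "rw", "notice_board": "rw"},
    "clerk":             {"redundancy_memo": "", "notice_board": "rw"},
}

def scenario():
    memo = CLASSES["redundancy_memo"]
    return {
        # rank is high enough, but Production is not one of her compartments
        "mgr_reads_production": blp_check("personnel_manager", "production_log", "r", CLASSES, MATRIX),
        "mgr_reads_memo": blp_check("personnel_manager", "redundancy_memo", "r", CLASSES, MATRIX),
        # ds-property: the clerk's class dominates the memo's, but the matrix says no
        "clerk_reads_memo": blp_check("clerk", "redundancy_memo", "r", CLASSES, MATRIX),
        # *-property: with the memo open for reading, writing to a Public object is a write-down
        "mgr_writes_board_while_reading_memo":
            blp_check("personnel_manager", "notice_board", "w", CLASSES, MATRIX, open_reads=[memo]),
        "mgr_writes_board_alone": blp_check("personnel_manager", "notice_board", "w", CLASSES, MATRIX),
    }
```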
Transitions
If a system starts in a secure state, and all transitions are secure, then the system remains in a secure state.
But what if we allow users to downgrade all objects, and then modify the access control matrix so all modes are allowed for each entry?
So we need to beware of transitions that change access rights
Tranquility (Gollman p 49, Pfleeger (3ed) p 305)
Starting with a Bell-LaPadula model, with ranked classes of users
– Say Executive, Company-confidential, Public
And segregated compartments
– Say Sales, Production
And all users assigned a rank, and all files assigned a rank and a compartment
TRANQUILITY is when these assignments do not change – or are not allowed to change
Tranquility in practice
Production program systems need to open and use work files, and open and use spool print files, class or subroutine libraries need to be accessed.
For systems with mandatory security, these entities all need labels and levels.
In practice assigning security levels to these sorts of entities is not easy.
Limitations of BLP model
Only deals with the confidentiality aspect of security and not integrity
Does not address the management of access control
Does not contain (prevent) covert channels
Chinese Wall Model (1/2)
Suppose a consultancy has several airlines as clients
– It is a conflict of interest if a consultant working with Qantas has access to confidential data on Gulf gathered from another assignment
– Security policy builds on 3 levels of abstraction:
• Objects: lowest level, e.g. files
• Company groups: all objects concerning a particular company are grouped together
• Conflict classes: at the highest level, all groups of objects for competing companies are clustered.
– No information flow that causes a conflict of interest
• For this model to work, a history of access rights has to be maintained
– (Also, if confidential information is written across conflict classes, an effective conflict of interest is created)
Chinese Wall Model (2/2)
Simple security (ss) policy: access is granted only if the object requested belongs to a company dataset already held by the user, or to an entirely different conflict-of-interest class
*-property: a subject is granted write access to an object only if no other object can be read which is in a different company dataset.
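As an added example (not part of the slides), the Chinese Wall policy with the access history the previous slide says the model needs: each object belongs to a company dataset, each company dataset to a conflict-of-interest class, and the wall is built from what a subject has already read. Qantas and Gulf are the slide's airlines; the bank client, the object names and the consultant are constructed.

```python
# Added example (not from the slides): history-based Chinese Wall checks for
# the ss-policy and the *-property.

from collections import defaultdict

class ChineseWall:
    def __init__(self, objects):
        # objects: {object_name: (company_dataset, conflict_class)}
        self.objects = objects
        # subject -> set of (company_dataset, conflict_class) it has accessed
        self.history = defaultdict(set)

    def can_read(self, subject, obj):
        """ss-policy: the object is in a dataset the subject already holds,
        or in a conflict class the subject has not touched at all."""
        company, cls = self.objects[obj]
        held = self.history[subject]
        if (company, cls) in held:
            return True
        return not any(c == cls for _, c in held)

    def read(self, subject, obj):
        """Grant the read and record it; the record is what builds the wall."""
        if not self.can_read(subject, obj):
            return False
        self.history[subject].add(self.objects[obj])
        return True

    def can_write(self, subject, obj):
        """*-property: write only if the subject holds no dataset other than
        the target's own, so nothing it can read could leak across the wall
        through this object (the usual implementation of the slide's wording)."""
        company, _ = self.objects[obj]
        if not self.can_read(subject, obj):
            return False
        return all(c == company for c, _ in self.history[subject])

OBJECTS = {
    "qantas_fleet_plan": ("Qantas", "airlines"),
    "gulf_route_costs":  ("Gulf", "airlines"),
    "bank_ledger":       ("BigBank", "banking"),
}

def scenario():
    wall = ChineseWall(OBJECTS)
    steps = {}
    steps["read_qantas"] = wall.read("consultant", "qantas_fleet_plan")    # untouched class: ok
    steps["read_gulf"] = wall.read("consultant", "gulf_route_costs")       # competitor: blocked
    steps["write_qantas_first"] = wall.can_write("consultant", "qantas_fleet_plan")
    steps["read_bank"] = wall.read("consultant", "bank_ledger")            # other class: ok
    steps["write_qantas_after_bank"] = wall.can_write("consultant", "qantas_fleet_plan")
    steps["write_bank_after"] = wall.can_write("consultant", "bank_ledger")
    return steps
```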
Biba
Concerned with integrity of information
We wish to prevent the spread of untrusted information
A Cold War issue - the intelligence services of the UK were known to have been compromised by the Soviets.
How then could the USA ensure that USA intelligence data was not 'corrupted' by possibly misleading data flowing from UK sources?
Simple integrity property: subject s can only modify object o if I(s) >= I(o) (no write-up)
Integrity * property: if s can read o, s can only write to p if I(o) >= I(p)
So 'clean' objects do not become 'contaminated'
Biba (cont.)
Covers untrustworthy information in a natural way.
Suppose John is untruthful; then all documents created/modified by John are untrustworthy
An untrusted subject who has write access to an object reduces the integrity of that object
Low integrity of source objects implies low integrity for any object based on the source object.
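As an added example (not part of the slides), Biba's two rules from the first Biba slide on integer integrity levels, then the contamination point of this slide in two flavours: strict Biba refuses a low-integrity write outright, while Biba's low-water-mark variant accepts it and lowers the object's integrity to that of the least trusted contributor. The levels, documents and subjects are constructed (USA-grade 2 above UK-grade 1, following the slide's story).

```python
# Added example (not from the slides): simple integrity, integrity *, and the
# strict versus low-water-mark handling of an untrusted writer.

UNTRUSTED, TRUSTED = 1, 2

def simple_integrity(i_subject, i_object):
    """Subject s may modify o only if I(s) >= I(o): no write-up."""
    return i_subject >= i_object

def integrity_star(i_read, i_target):
    """If s can read o, s may write p only if I(o) >= I(p)."""
    return i_read >= i_target

class Document:
    def __init__(self, name, integrity):
        self.name, self.integrity, self.contributors = name, integrity, []

def strict_write(doc, subject, i_subject):
    """Strict Biba: the write is refused rather than contaminating the object."""
    if not simple_integrity(i_subject, doc.integrity):
        return False
    doc.contributors.append(subject)
    return True

def low_watermark_write(doc, subject, i_subject):
    """Low-water-mark variant: the write goes through, and the document's
    integrity falls to the minimum over all contributors."""
    doc.contributors.append(subject)
    doc.integrity = min(doc.integrity, i_subject)
    return doc.integrity

def scenario():
    results = {
        "uk_modifies_usa_report": simple_integrity(UNTRUSTED, TRUSTED),
        "usa_modifies_uk_report": simple_integrity(TRUSTED, UNTRUSTED),
        "after_reading_uk_write_usa": integrity_star(UNTRUSTED, TRUSTED),
        "after_reading_uk_write_uk": integrity_star(UNTRUSTED, UNTRUSTED),
    }
    report = Document("usa_assessment", TRUSTED)
    results["john_strict"] = strict_write(report, "John", UNTRUSTED)   # refused
    results["strict_level"] = report.integrity                         # still TRUSTED
    results["john_lwm"] = low_watermark_write(report, "John", UNTRUSTED)
    results["lwm_level"] = report.integrity                            # now UNTRUSTED
    results["contributors"] = report.contributors
    return results
```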
Clark-Wilson (1/3)
The security requirements of commercial transactions are about data integrity, and the prevention of error and fraud.
There is an established principle of separation of duties, which aims to ensure that users must collaborate to validly manipulate data, and hence users must collude to commit fraud.
Clark-Wilson aims to define well-formed transactions, so that users cannot directly access data, and specific data items can only be modified by defined programs.
Clark-Wilson (2/3)
Internal consistency of data items should be ensured by the system
Overall:
– Subjects have to be identified and authenticated
– Objects can be manipulated by a restricted set of programs
– Subjects can execute only a restricted set of programs
– A proper audit has to be maintained.
– The system has to be certified to work properly.
An application-oriented IT system model, a framework and guideline for security policy
Clark-Wilson (3/3)
Policy in terms of constrained data items (CDI)
CDIs are processed by transformation procedures (TP)
A TP is like a monitor that performs only particular operations on specific data items
Access triples combine a TP, one or more CDIs and the user ID who is authorised to operate on those CDIs by means of the TP.
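As an added example (not part of the slides), a small Clark-Wilson enforcement core covering the three Clark-Wilson slides: CDIs are reachable only through certified TPs, a TP runs only under an access triple (user, TP, CDIs), every attempt is audited, and a separation-of-duties rule refuses triples that would let one user both submit and approve invoices. The invoice/ledger TPs, the users and the conflicting-TP pairs are constructed.

```python
# Added example (not from the slides): access triples, certified TPs, an audit
# trail and a separation-of-duties check over constrained data items.

class ClarkWilson:
    def __init__(self, conflicting_tps=(("submit_invoice", "approve_invoice"),)):
        self.cdis = {}            # name -> value
        self.tps = {}             # name -> certified function
        self.triples = set()      # (user, tp, tuple(cdi names))
        self.audit = []
        self.conflicting = conflicting_tps

    def register_cdi(self, name, value):
        self.cdis[name] = value

    def certify_tp(self, name, func):
        """A TP takes the current CDI values (plus arguments) and returns the
        new values; certification is the step that vouches it keeps them consistent."""
        self.tps[name] = func

    def add_triple(self, user, tp, cdis):
        """Refuse a triple that would give one user both halves of a
        two-step transaction (separation of duties)."""
        for a, b in self.conflicting:
            other = b if tp == a else a if tp == b else None
            if other and any(u == user and t == other for u, t, _ in self.triples):
                return False
        self.triples.add((user, tp, tuple(cdis)))
        return True

    def run(self, user, tp, cdis, *args):
        """The only path that changes a CDI: triple present and TP certified."""
        key = (user, tp, tuple(cdis))
        if key not in self.triples or tp not in self.tps:
            self.audit.append(("DENIED", user, tp, tuple(cdis)))
            return False
        new_values = self.tps[tp]([self.cdis[c] for c in cdis], *args)
        for name, value in zip(cdis, new_values):
            self.cdis[name] = value
        self.audit.append(("OK", user, tp, tuple(cdis)))
        return True

def scenario():
    cw = ClarkWilson()
    cw.register_cdi("pending_invoices", [])
    cw.register_cdi("ledger_total", 0)
    cw.certify_tp("submit_invoice", lambda vals, amount: ([*vals[0], amount],))
    cw.certify_tp("approve_invoice", lambda vals: ([], vals[1] + sum(vals[0])))
    steps = {}
    steps["alice_may_submit"] = cw.add_triple("alice", "submit_invoice", ["pending_invoices"])
    steps["alice_may_approve"] = cw.add_triple("alice", "approve_invoice", ["pending_invoices", "ledger_total"])
    steps["bob_may_approve"] = cw.add_triple("bob", "approve_invoice", ["pending_invoices", "ledger_total"])
    steps["alice_submits"] = cw.run("alice", "submit_invoice", ["pending_invoices"], 120)
    steps["alice_approves"] = cw.run("alice", "approve_invoice", ["pending_invoices", "ledger_total"])
    steps["bob_approves"] = cw.run("bob", "approve_invoice", ["pending_invoices", "ledger_total"])
    steps["ledger_total"] = cw.cdis["ledger_total"]
    steps["denied_entries"] = [e for e in cw.audit if e[0] == "DENIED"]
    return steps
```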