CMSC 414 Computer and Network Security Lecture 10
Transcript of CMSC 414 Computer and Network Security Lecture 10

CMSC 414 Computer and Network Security
Lecture 10
Jonathan Katz

Administrative stuff
– Office hours today
– Exam review?

Paging
– Similar to segmentation, but with fixed-size segments called pages
– Addressing via (page, offset)
– Avoids the fragmentation problem, as well as the “large offset” issue
– Inefficient as a program grows, since pages cannot be dynamically resized
– “Re-paging” also causes potential security problems, as data is shifted from one page to another
– Also can be difficult to describe the desired protection, since pages are no longer logical units

Best of both worlds?
Can combine paging with segmentation
– Logical units, each broken into same-size pages
Advantages/disadvantages?
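As an added illustration of the two slides above (my own toy model, not code from the lecture), the following simulates paging combined with segmentation: each segment is a logical unit split into fixed-size pages, a virtual address is (segment, page, offset), every page has its own protection bits, and pages are backed by whatever physical frame is free, so a segment need not be contiguous in physical memory. The page size, segment names and frame allocator are constructed for the example.

```python
# Added example (not from the lecture): a toy model of paging combined with
# segmentation. Each segment is a logical unit split into fixed-size pages;
# a virtual address is (segment, page, offset); each page carries its own
# protection bits and maps to any free physical frame, so segments need not
# be contiguous in physical memory. All sizes and names are constructed.
from dataclasses import dataclass

PAGE_SIZE = 256          # bytes per page (constructed value)


class TranslationFault(Exception):
    """Raised for bad addresses or protection violations."""


@dataclass
class Page:
    frame: int           # physical frame number backing this page
    rights: str          # subset of "rwx" allowed on this page


@dataclass
class Segment:
    name: str
    pages: list          # Page objects; the index is the page number


class AddressSpace:
    def __init__(self):
        self.segments = {}     # segment id -> Segment
        self._next_frame = 0   # simplest possible frame allocator

    def add_segment(self, seg_id, name, page_rights):
        """Create a segment with one page per entry of page_rights."""
        seg = Segment(name, [])
        for rights in page_rights:
            seg.pages.append(Page(self._next_frame, rights))
            self._next_frame += 1
        self.segments[seg_id] = seg
        return seg

    def grow(self, seg_id, rights):
        """Append one page to an existing segment; its frame is wherever the
        allocator finds one, so growth does not need contiguous space."""
        seg = self.segments[seg_id]
        seg.pages.append(Page(self._next_frame, rights))
        self._next_frame += 1

    def translate(self, seg_id, page, offset, access):
        """Return the physical address for (seg_id, page, offset) if `access`
        ('r', 'w' or 'x') is permitted on that page; raise otherwise."""
        seg = self.segments.get(seg_id)
        if seg is None:
            raise TranslationFault("no such segment")
        # Bounds are checked per segment (page number) and per page (offset),
        # which is what removes the "large offset" issue of pure segmentation.
        if not 0 <= page < len(seg.pages):
            raise TranslationFault(f"page {page} outside segment {seg.name}")
        if not 0 <= offset < PAGE_SIZE:
            raise TranslationFault(f"offset {offset} outside page")
        pg = seg.pages[page]
        if access not in pg.rights:
            raise TranslationFault(
                f"{access!r} not permitted on {seg.name} page {page}")
        return pg.frame * PAGE_SIZE + offset


def build_demo_space():
    """Constructed layout: a 2-page code segment and a 1-page data segment."""
    space = AddressSpace()
    space.add_segment(0, "code", ["rx", "rx"])   # frames 0 and 1
    space.add_segment(1, "data", ["rw"])         # frame 2
    return space


def allowed(space, seg_id, page, offset, access):
    """True if the access translates without a fault."""
    try:
        space.translate(seg_id, page, offset, access)
        return True
    except TranslationFault:
        return False


if __name__ == "__main__":
    s = build_demo_space()
    print(s.translate(0, 1, 16, "x"))     # 272
    print(allowed(s, 0, 0, 0, "w"))        # False: code pages are not writable
    s.grow(0, "rx")                        # the new code page lands in frame 3
    print(s.translate(0, 2, 0, "r"))      # 768
```

The protection check sits on the page, not the segment, which is the slide's point about pages no longer being logical units: to make a whole logical unit read-only you must set the bits on every page it spans.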

Access to general objects
Memory protection is only one example
Need a way to protect more general objects
Before we begin, some design principles…

Overview
Seminal article by Saltzer and Schroeder (1975)
– Eight principles underlying the design and implementation of security mechanisms
Linked from the course homepage

Key point I
Simplicity
– Make designs/mechanisms easy to understand
– Less chance of error

Key point II
Restriction
– Minimize the “power” of an entity
• E.g., only allow access to the information it needs
• E.g., only allow necessary communication; restrict the type of communication allowed
– Less chance of harm!

Principle 1
“Principle of least privilege”
– A subject should be given only the privileges it needs to accomplish its task
– The function of a subject (not its identity) should determine this
• I.e., if a subject needs certain privileges only to complete a specific task, it should relinquish those privileges upon completion of the task

In practice…
Systems are often not designed with the necessary granularity
– E.g., “append” may not be distinct from “write”
– E.g., in UNIX, there are no access controls for root
• Anyone who can make backup files can also delete those files

Principle 2
“Principle of Fail-Safe Defaults”
– Unless a subject is given explicit access to an object, it should be denied access
• I.e., the default is no access
– E.g., a process reporting an error message should not try to expand its rights in an attempt to correct the error

Principle 3
“Economy of Mechanism”
– Security mechanisms should be as simple as possible…
– …but no simpler!
– Can simplify formal proofs of security (or even informal audits)

Consequences
If design/implementation are simple, there is less chance for error
Software testing is also simpler
Software interfaces are especially suspect
– Typically make assumptions about the input/output format of the other module
– E.g., finger protocol: DoS attack by returning an infinite stream of characters

Principle 4
“Principle of Complete Mediation”
– All accesses to objects should be checked to ensure they are allowed
– OS should mediate any request to read an object --- even on the second such request by the same subject!
• Don’t cache authorization results

Insecure example…
– In UNIX, when a process tries to read a file, the system checks access rights
– If allowed, it gives the process a file descriptor
– The file descriptor is presented to the OS for access
– If permissions are subsequently revoked, the process still has a valid file descriptor!
• Insufficient mediation
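To make the difference between the two slides above concrete, here is an added example (my own toy code, not anything from the lecture or from UNIX itself) with two reference monitors enforcing the same policy. `HandleMonitor` checks once at `open()` and hands back a descriptor that keeps working after the right is revoked, which is the file-descriptor behaviour the slide calls insufficient mediation; `MediatingMonitor` re-checks the current policy on every `read()`. The subject, file name, contents and descriptor numbering are constructed.

```python
# Added example (not from the lecture): two toy reference monitors that enforce
# the same policy. HandleMonitor checks once at open() and hands back a
# descriptor that stays usable after the right is revoked, mirroring the UNIX
# file-descriptor behaviour the slide calls insufficient mediation.
# MediatingMonitor re-checks the policy on every read() instead. All names,
# file contents and the descriptor numbering are constructed.


class AccessDenied(Exception):
    pass


class Policy:
    """The current access rights, changeable at any time."""

    def __init__(self):
        self._allowed = set()            # {(subject, object)} with read access

    def grant(self, subject, obj):
        self._allowed.add((subject, obj))

    def revoke(self, subject, obj):
        self._allowed.discard((subject, obj))

    def permits(self, subject, obj):
        return (subject, obj) in self._allowed


class HandleMonitor:
    """The authorization result is effectively cached in the handle."""

    def __init__(self, policy, store):
        self.policy, self.store = policy, store
        self._handles = {}               # fd -> object name
        self._next_fd = 3                # 0-2 reserved, as in UNIX

    def open(self, subject, obj):
        if not self.policy.permits(subject, obj):
            raise AccessDenied(f"{subject} may not read {obj}")
        fd = self._next_fd
        self._next_fd += 1
        self._handles[fd] = obj          # the subject and the check are forgotten here
        return fd

    def read(self, fd):
        return self.store[self._handles[fd]]   # no re-check


class MediatingMonitor:
    """Every access is checked against the current policy."""

    def __init__(self, policy, store):
        self.policy, self.store = policy, store
        self._handles = {}               # fd -> (subject, object name)
        self._next_fd = 3

    def open(self, subject, obj):
        if not self.policy.permits(subject, obj):
            raise AccessDenied(f"{subject} may not read {obj}")
        fd = self._next_fd
        self._next_fd += 1
        self._handles[fd] = (subject, obj)
        return fd

    def read(self, fd):
        subject, obj = self._handles[fd]
        if not self.policy.permits(subject, obj):     # complete mediation
            raise AccessDenied(f"{subject} may no longer read {obj}")
        return self.store[obj]


def read_after_revocation(monitor_cls):
    """Grant, open, revoke, then read through the old descriptor.
    Returns True if the read still succeeds after revocation."""
    policy = Policy()
    store = {"payroll.txt": b"constructed file contents"}
    policy.grant("alice", "payroll.txt")
    monitor = monitor_cls(policy, store)
    fd = monitor.open("alice", "payroll.txt")
    policy.revoke("alice", "payroll.txt")
    try:
        monitor.read(fd)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("HandleMonitor    :", read_after_revocation(HandleMonitor))     # True
    print("MediatingMonitor :", read_after_revocation(MediatingMonitor))  # False
```

The cost of the mediating version is the per-access policy lookup, which is exactly what caching authorization results was meant to avoid; the slide's point is that the cache is where the revocation gap lives.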

Principle 5
“Open Design”
– No “security through obscurity”
– Security of a system should not depend on the secrecy of its implementation
• Of course, secret keys do not violate this principle!

Principle 6
“Separation of Privilege”
– (As much as is feasible…) a system should not grant permission based on a single condition
– E.g., require more than one sys admin to issue a critical command, or more than one teller to issue an ATM card

Principle 7
“Principle of Least Common Mechanism”
– Minimize mechanisms depended upon by all users
– Shared mechanisms are a potential information path, and should not compromise security
– Also expose the system to potential DoS attacks

Principle 8
“Psychological Acceptability”
– Security mechanisms should not make access to the resource more difficult
– If mechanisms are too cumbersome, they will be circumvented!
– Even if they are used, they may be used incorrectly

Back to more specifics…

Back to specifics…
File protection as the running example
– But everything said here is more generally applicable

Access control matrix
One central matrix indexed by all subjects and objects
– Characterizes the rights of each subject with respect to each object
Formally: set of objects O and subjects S
Matrix A contains an entry for every pair (s, o)
– The entry contains the rights for s on o
– Examples: read/write/execute/etc.

More complex access control
In general, “rights” may be functions
– “Actual” rights depend on the system state
– Equivalently, may depend on system history

Drawbacks…
Number of subjects/objects is very large
Most entries blank/default
One central matrix is modified every time subjects/objects are created/deleted or rights are modified

Directories
Can be viewed as storing the columns of the access control matrix with the appropriate subject
Each user has a file directory, which lists the files to which the user has access and the relevant access rights
– Read, write, execute, “owner” (can change access rights on a file)
Drawbacks
– File directories can be large and difficult to manage
– E.g., when a file is made public, all users’ directories must be updated!
– Or, revoking all access to a file

Access control lists (ACLs)
Can be viewed as storing the rows of the access control matrix with the appropriate object
One list per object, showing all subjects with access and their rights
Possible to assign “default rights” to an object
– Easy to make an object public
Example: access based on user, group, and compartment
– Use of wildcards
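The following added example (my own code, not from the lecture) ties together the access control matrix slide and the two storage layouts just described: one matrix A over subjects S and objects O, where an absent entry grants nothing (the fail-safe default of Principle 2), a `relinquish()` operation for a subject that drops a right it no longer needs (Principle 1), and `directory(s)` and `acl(o)` views derived from the same matrix. `make_public()` shows why making a file public touches one entry per subject, which is the directories' update problem. The owner-only-may-grant rule, the subjects, objects and rights are all constructed.

```python
# Added example (not from the lecture): an access control matrix A over
# subjects S and objects O, with the fail-safe default of Principle 2 (no entry
# means no rights), a relinquish() operation for least privilege (Principle 1),
# and the two derived layouts the slides compare: a per-subject directory and
# a per-object ACL. Subjects, objects, rights and the owner rule are constructed.


class AccessMatrix:
    RIGHTS = {"read", "write", "execute", "owner"}

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self._A = {}          # (subject, object) -> set of rights

    def add_subject(self, s):
        self.subjects.add(s)

    def add_object(self, o, owner):
        """Create an object; the creator becomes its owner."""
        self.objects.add(o)
        self._set(owner, o, {"owner"})

    def _set(self, s, o, rights):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"unknown subject/object: {s}, {o}")
        if rights:
            self._A[(s, o)] = set(rights)
        else:
            self._A.pop((s, o), None)   # an empty entry is the same as no entry

    def rights(self, s, o):
        """Fail-safe default: an absent entry grants nothing."""
        return set(self._A.get((s, o), ()))

    def check(self, s, o, right):
        return right in self.rights(s, o)

    def grant(self, granter, s, o, right):
        """Only an owner may change rights on o (constructed rule)."""
        if right not in self.RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        if not self.check(granter, o, "owner"):
            raise PermissionError(f"{granter} does not own {o}")
        self._set(s, o, self.rights(s, o) | {right})

    def revoke(self, granter, s, o, right):
        if not self.check(granter, o, "owner"):
            raise PermissionError(f"{granter} does not own {o}")
        self._set(s, o, self.rights(s, o) - {right})

    def relinquish(self, s, o, right):
        """A subject gives up a right it no longer needs (least privilege);
        no owner check is needed to give something up."""
        self._set(s, o, self.rights(s, o) - {right})

    def make_public(self, granter, o, right):
        """Grant `right` on o to every subject. This touches one entry per
        subject, which is the directories' update problem from the slide."""
        for s in self.subjects:
            self.grant(granter, s, o, right)

    # The two storage layouts from the slides, derived from the same matrix.
    def directory(self, s):
        """Per-subject view: objects this subject can reach and its rights."""
        return {o: set(r) for (subj, o), r in self._A.items() if subj == s}

    def acl(self, o):
        """Per-object view: subjects with access to o and their rights."""
        return {s: set(r) for (s, obj), r in self._A.items() if obj == o}


def build_demo_matrix():
    """Constructed starting state: three users, one file owned by alice."""
    A = AccessMatrix()
    for s in ("alice", "bob", "carol"):
        A.add_subject(s)
    A.add_object("report.txt", owner="alice")
    A.grant("alice", "alice", "report.txt", "read")
    A.grant("alice", "alice", "report.txt", "write")
    return A


if __name__ == "__main__":
    A = build_demo_matrix()
    print(A.check("bob", "report.txt", "read"))    # False: no entry, so denied
    A.make_public("alice", "report.txt", "read")
    print(A.directory("bob"))                      # {'report.txt': {'read'}}
    print(A.acl("report.txt"))                     # every subject now listed
```

Storing only the non-empty entries is what both directories and ACLs do in practice, since the slide notes that most of the matrix is blank; the matrix itself is the specification, and the two views are the implementations of it.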

Some design decisions
How fine-grained to allow ACLs?
– E.g., user-level, group-level, or only public/private?
– Granularity of rights (e.g., “append”?)
How to handle conflicts if two subjects give different permissions on an object?
– Disallow multiple owners
– Allow access if any entry gives rights
– Allow access only if no entry denies rights
– Apply first applicable entry
– Revocation?

Design decisions…
What is the default access level? Two approaches
– Apply the ACL entry, if it exists; otherwise, apply the default rule
• I.e., ACL entries override default permissions
– Augment the default permissions with those in the appropriate ACL entry
• Example: default allows “read” and ACL entry states “write”
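As an added example for the two design-decision slides above (my own code, not from the lecture), here is a small ACL evaluator that implements the three conflict-resolution strategies listed (any entry grants, no entry denies, first applicable entry) and the two default-handling approaches (override versus augment), including the slide's "default allows read, ACL entry states write" case. Entries match a user, a group written `group:NAME`, or the wildcard `*`. How an explicit deny interacts with the default is my own choice and is marked in the code; the users, groups and rights are constructed.

```python
# Added example (not from the lecture): an ACL evaluator implementing the
# conflict-resolution strategies and the two default-handling approaches
# listed on the slides. Entries match a user, a group ("group:NAME") or the
# wildcard "*". How a deny entry interacts with defaults is my own choice and
# is marked below. Users, groups and rights are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    who: str            # user name, "group:NAME", or "*" (wildcard)
    effect: str         # "allow" or "deny"
    rights: frozenset   # rights this entry speaks about


def matches(entry, user, groups):
    if entry.who == "*":
        return True
    if entry.who.startswith("group:"):
        return entry.who[len("group:"):] in groups
    return entry.who == user


def resolve(entries, right, strategy):
    """Combine the applicable entries that mention `right`.
    Returns "allow", "deny", or None when no applicable entry mentions it."""
    relevant = [e for e in entries if right in e.rights]
    if not relevant:
        return None
    if strategy == "any_allow":          # allow if any entry gives the right
        return "allow" if any(e.effect == "allow" for e in relevant) else "deny"
    if strategy == "no_deny":            # allow only if no entry denies it
        return "deny" if any(e.effect == "deny" for e in relevant) else "allow"
    if strategy == "first_applicable":   # list order decides
        return relevant[0].effect
    raise ValueError(f"unknown strategy {strategy!r}")


def evaluate(acl, user, groups, right, strategy="any_allow",
             default=frozenset(), default_mode="override"):
    """Decide whether `user` (a member of `groups`) has `right`.

    default_mode="override": if any entry applies to the user, only the ACL
    decides and the default rule is ignored.
    default_mode="augment":  the default rights are added to whatever the
    applicable entries grant. In both modes an explicit deny wins over the
    default (my choice; the slides do not say)."""
    applicable = [e for e in acl if matches(e, user, groups)]
    if not applicable:                   # no entry at all: the default rule
        return right in default
    decision = resolve(applicable, right, strategy)
    if decision == "allow":
        return True
    if decision == "deny":
        return False
    # Entries apply to the user, but none of them mentions this right.
    return right in default if default_mode == "augment" else False


# Constructed ACLs used by the demo below.
DEFAULT = frozenset({"read"})
ACL_WRITE_ONLY = [Entry("bob", "allow", frozenset({"write"}))]
ACL_CONFLICT = [
    Entry("group:staff", "allow", frozenset({"read"})),
    Entry("bob", "deny", frozenset({"read"})),
]


if __name__ == "__main__":
    # Slide example: default allows "read", ACL entry states "write".
    print(evaluate(ACL_WRITE_ONLY, "bob", (), "read", default=DEFAULT))                          # False
    print(evaluate(ACL_WRITE_ONLY, "bob", (), "read", default=DEFAULT, default_mode="augment"))  # True
    for strategy in ("any_allow", "no_deny", "first_applicable"):
        print(strategy, evaluate(ACL_CONFLICT, "bob", ("staff",), "read", strategy))
```

The conflict case makes the design decision visible: with the same two entries, bob can read under "any entry grants", cannot under "no entry denies", and under "first applicable" the answer flips when the entries are reordered, so the order of an ACL becomes part of the policy.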

Capabilities
Some of the burden for implementing protection is placed on the user rather than just the OS
– Analogy: the user has a “ticket” which grants access to an object
– A capability is an unforgeable token giving the user access to an object and describing the level of allowable access
– Object owners can specify new types of rights

Two general approaches
Ticket is held by the OS, which returns to the subject a pointer to the ticket
Ticket is held by the user, but protected from forgery by cryptographic mechanisms
– How…?
– Not encrypted as mistakenly claimed in book!
– Two possibilities: ticket verified by the object or by the OS itself
• Who holds the key in each case…?

Drawback
Does not really satisfy the principle of complete mediation
– Can add automatic expiration to mitigate this
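The second approach on the "Two general approaches" slide, together with the expiration mitigation just mentioned, as an added example (my own code, not from the lecture): a user-held ticket protected against forgery by a MAC (HMAC-SHA256) rather than by encryption. The OS is the party holding the key; it issues tickets and verifies them when they are presented, while the ticket's contents stay readable to whoever holds it. `altered_ticket()` shows that changing the rights field without the key produces a ticket the OS rejects, and the `exp` field gives the automatic expiration. The key, clock values, subject and object names are constructed.

```python
# Added example (not from the lecture): a user-held capability ("ticket")
# protected against forgery by a MAC rather than encryption. The OS holds the
# key, issues tickets, and verifies them on presentation; the ticket's contents
# stay readable to the holder. An expiry field implements the slide's
# mitigation for the lack of complete mediation. Key, clock values and
# names are constructed.
import base64
import hashlib
import hmac
import json


def _b64(data):
    return base64.urlsafe_b64encode(data)


def _unb64(data):
    return base64.urlsafe_b64decode(data)


class CapabilityIssuer:
    """Plays the OS: the only party holding the MAC key."""

    def __init__(self, key):
        self._key = key

    def issue(self, subject, obj, rights, now, ttl):
        body = {"sub": subject, "obj": obj,
                "rights": sorted(rights), "exp": now + ttl}
        payload = json.dumps(body, sort_keys=True,
                             separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return _b64(payload) + b"." + _b64(tag)      # plaintext body + tag

    def verify(self, ticket, now):
        """Return the ticket body if the tag is valid and the ticket has not
        expired; otherwise None."""
        try:
            payload_b64, tag_b64 = ticket.split(b".")
            payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        except ValueError:
            return None                                # malformed ticket
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                # forged or altered
        body = json.loads(payload)
        if now >= body["exp"]:
            return None                                # automatic expiration
        return body

    def permits(self, ticket, subject, obj, right, now):
        """The check performed when a subject presents a ticket."""
        body = self.verify(ticket, now)
        return (body is not None and body["sub"] == subject
                and body["obj"] == obj and right in body["rights"])


def peek(ticket):
    """Anyone can read the ticket: it is authenticated, not encrypted."""
    return json.loads(_unb64(ticket.split(b".")[0]))


def altered_ticket(ticket, new_rights):
    """Rewrite the rights field but keep the old tag, i.e. all that a holder
    without the key can do; verification is expected to fail."""
    body = peek(ticket)
    body["rights"] = sorted(new_rights)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + b"." + ticket.split(b".")[1]


ISSUER = CapabilityIssuer(key=b"constructed-demo-key-not-for-real-use")

if __name__ == "__main__":
    t = ISSUER.issue("alice", "report.txt", {"read"}, now=1000, ttl=60)
    print(peek(t))                                                       # readable contents
    print(ISSUER.permits(t, "alice", "report.txt", "read", now=1030))    # True
    print(ISSUER.permits(t, "alice", "report.txt", "read", now=1061))    # False: expired
    print(ISSUER.permits(altered_ticket(t, {"read", "write"}),
                         "alice", "report.txt", "write", now=1030))      # False: bad tag
```

Where the object rather than the OS verifies tickets, the same code runs inside the object with its own key, which answers the slide's "who holds the key" question for that case; either way, a ticket issued before a revocation stays valid until `exp`, which is the mediation gap the expiration bounds rather than closes.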