COEN 150: Intro to IA Authorization
Fundamental Mechanisms: Access Matrix Subjects Objects (Subjects can be objects, too.) Access Rights Example: OS Subjects = Processes Objects = System Resources Access Rights: read, write, execute
Fundamental Mechanisms: Access Matrix Example: DBMS Subjects = Users Objects = Relations Access Rights: retrieve, update, insert, delete
Fundamental Mechanisms: Access Matrix Row for each object Column for each subject Entry is a set of access rights. Later Security Models: Allow for administrative operations that change the access matrix. Example: Owner of file can give permissions to others.
Fundamental Mechanisms: Access Matrix Access Control Lists ACL for each object. Lists all the subjects and their rights. Capabilities Capability list for each subject. Contains all the objects and the rights of the subject.
Fundamental Mechanisms: Access Matrix Authorization Relation Database table with fields owner, access mode, object. Subject Access Mode Object Bob Owner File 1 Bob Read File 1 Bob Write File 1 Alice Read File 1 Alice Owner File 2 Alice Read File 2 Alice Write File 2 Bob Read File 2 Bob Write File 2
Fundamental Mechanisms: Intermediate Controls Access matrix too storage intensive Access matrices make it hard to change policies. Mechanism 1: Groups Ideally, all access privileges mediated through group membership. Negative permissions implement exceptions
Fundamental Mechanisms: Intermediate Control Protection Rings Example: Group processes and system resources into four categories Operating System Kernel Operating System Utilities User Processes Access to an object is only granted to a subject of lower level. Unix only has two levels. Sometimes protection rings have hardware support.
Fundamental Mechanisms: Security Classes Each object has a Security class (Security Label) Denning: Information Control Policy consists of Security Classes “Can flow” relationship Join operation Join A B combines rights and restrictions of both. US DoD Security Levels Top Secret Secret Confidential Unclassified
Fundamental Mechanisms Access Control Policies Discretionary Access Control (DAC) Specifies authorization solely based on object and subject identity. Flexible and simple. Difficult to control information flow. (Classical) Mandatory Access Control (MAC) Each user and object has a security level. Security level reflects trust that user will not pass information to users with lower level clearance. Access to an object based on security level.
Fundamental Mechanisms Access Control Policies (Refined) Mandatory Access Control (MAC) Security Levels and Compartments. Example: CRYPTO for cryptographic algorithms. COMSEC for communication security. Possible to have top secret clearance in CRYPTO and unclassified clearance in COMSEC Discretionary policies typical in low security (academic) environments. Mandatory policies typical in high security (military) environments. Neither policy adequate for commercial systems.
Fundamental Mechanisms Access Control Policies Role Based Access Control (RBAC) Regulate user’s access to information based on the activities the users execute in the system. “Role” is a set of actions and responsibilities associated with a particular working activity. Access based on role, not identity of user.
Fundamental Mechanisms Access Control Policies Role Based Access Control (RBAC) User authorization is broken into two tasks: Granting roles to users Granting rights to roles Roles can be hierarchical Engineers inherent employee rights. User can login with the least privilege for a set of particular tasks. Roles make it easier to enforce separation of duties: “No single user can subvert the system by herself/himself.”
Covert Channels A mechanism to circumvent automatic confinement within a security perimeter. Example: Person with TOP SECRET clearance runs (inadvertently) Trojan horse. Trojan horse has free access to files in the compartment. Trojan horse cannot write down to an unclassified file. But: Trojan horse can do things that are visible from the outside and thus send contents of TOP SECRET files through a covert channel. T.H. either runs or waits. System load will vary. Small bandwidth channel. T.H. can or cannot use shared resources. To send a bit, T.H. fills up the printer line to send 1 bit, or empties it for a 0 bit.
UNIX Woes: SUID programs Programs can execute the setuid system call. Executable runs as if executed by user. Sendmail uses setuid to implement email. User can cause programs to run as root with input they provide. Favorite targets of buffer overflow attacks.
Access Control: Details Static access control matrix: Easy to evaluate Easy to reflect security Can be implemented in a number of ways: Access Control List List of Rights Database Matrix Useless in practice because subjects and objects are constantly created. Therefore: Need updatable access control matrix
Access Control: Details Transformation Procedures update Access Control Matrix Harrison, Ruzzo, Ullman CACM 1975 Create subject s Create object o Enter right into ACM[s,o] Delete right from ACM[s,o] Destroy subject s Destroy subject o
Access Control: Details Transformation Procedures update Access Control Matrix Harrison, Ruzzo, Ullman CACM 1975 System uses these primitives to update ACM But not directly: Use commands Some commands are mono-operational They only involve a single primitive Most are more complex Conditional commands
Access Control: Details Harrison, Ruzzo, Ullman CACM 1975 Two special rights: Copy right / Grant right Allows possessor to grant rights to others, but only those that they also possess “Change Permission right” in Windows Own right Allows possessor to grant right over an object to others UNIX chown command changes permissions that others have over an object.
Access Control: Details Principle of Attenuation of Privilege A subject might not give rights it does not possess to another
Access Control: Details General Question: Given a system, how can we determine that it is secure? Define secure:
Access Control: Details Definition (Leaking): When we can add a right through ACM transformations to an element of the ACM that does not have this right, we say that the right has been leaked.
Access Control: Details ACM is in a given state. Transformations alter the state. Definition: If a system in initial state S0 can never leak the right r, then it is called safe with respect to the right r. Otherwise, it is called unsafe.
Access Control: Details Results (Harrison, Ruzzo, Ullman) There exists an algorithm that will determine whether a given mono-operational protection system with initial state S0 is safe with respect to a generic right r. It is undecidable whether a given state of a given system is safe for a given generic right.
Confidentiality Policies Confidentiality policy a.k.a Information Flow policy prevents unauthorized disclosure of information
Bell-LaPadula Model Combines mandatory and discretionary access controls. Mandatory access control supersedes discretionary access control. Only models reads and writes.
Bell-LaPadula Model I Hierarchical Levels for Objects and Subjects: Unclassified (UC) – Confidential (C) – Secret (S) – Top Secret (TS) S can read O if and only if level(O) level(S) and S has discretionary read access to O. [*property] S can write O level(O) level(S) S has discretionary write access to O
Bell-LaPadula Model I Example: To read a secret file, you need to have top secret or secret classification. To write to a secret file, you cannot have top secret classification. Rationale: Someone with Secret classification is not allowed to write a file that will be given unclassified classification.
Bell – LaPadula Model II Expand model by introducing categories Categories reflect “Need to know” Example: ComSec, InfoSec
Excurse: Lattices Security levels do not need to be arranged in a complete ordering Lattices: Rich enough mathematical structure with a partial ordering.
Excurse: Lattices Totally Ordered Set (left) vs. Lattice (right)
Excurse: Lattices A partial ordering on a set S is reflexive, transitive, and antisymmetric. (S, ) is a total order if for any two elements a, b S we have a b or b a. A least upper bound u for a, b in a partially ordered set S has the properties a u b u v S: [a v and b v] v u.
Excurse: Lattices A greatest lower bound g for a, b in a partially ordered set S has the properties g a g b v S: [v a and v b] u v.
Excurse: Lattices A set with a partial ordering is a lattice if any two elements have a least upper bound and a greatest lower bound.
Bell – LaPadula Model II Model consists of Set of subjects S Set of objects O Set of access operations A = {read, execute, append, write} Lattice of security levels Set of security level assignments F.
Bell – LaPadula Model II An element of F is a triple maximum security level a subject can have current security level a subject can have classification of all objects. The current security level is smaller or equal to the maximum security level.
Bell – LaPadula Model II Simple Security Property: No read-up security policy * Property For writes / appends: Current security level of writer needs to be smaller than the security level of the object No write-down
Bell – LaPadula Model II Definition does not allow high-level subjects to write to low level subjects. In this case, either: Temporarily downgrade writer. Identify a set of subjects (aka Trusted Subjects), which are permitted to violate the * policy.
Bell – LaPadula Model II Discretionary Security Policy An access is only allowed if it is allowed by the discretionary access matrix. Basic Security Theorem: If all state transitions in a system are secure and if the initial state is secure then all states of the system are secure.
Bell – LaPadula Model II Limitations: BLP can become meaningless if there are state transitions that allow changes of access rights. BLP only deals with confidentiality BLP does not address management of access control. (See Harrison-Ruzzo-Ullman model) BLP does not prevent covert channels.
Chinese Wall Chinese Wall model (Brewer & Nash) Models access rules in a consultancy business Analysts should not have conflicts of interests: Alice first helps Client 1, gaining knowledge over a market. Alice then helps Client 2 with the knowledge gained from helping Client 1
Chinese Wall Set of subjects S are consultants Set of companies is C Set of objects O is items of information concerning a single company Conflict of interest classes indicate which companies are in competition Security label of an object is List of competitors of company
Chinese Wall Sanitizing Remove all information from an object that can be used.
Chinese Wall Chinese Wall rules: Access is granted only if: The object belongs to a company dataset already held by the user. Or: An entirely different conflict of interest class. Write access is granted only if: No other object can be read which is in a different company dataset and contains unsanitized information.
Security Kernel Orange Book Trusted Computer Security Evaluation Criteria (TCSEC) yardstick for users to assess the degree of trust that can be placed in a computer system guidance for manufacturers of computer security systems basis for specifying security requirements when acquiring a computer security system
Security Kernel Orange Book Security Divisions: D – Minimal protection C1 – Discretionary Security Protection C2 – Controlled Access Protection B1 – Labeled Security Protection B2 – Structured Protection B3 – Security Domains A1 – Verified Design
Security Kernel Computer Systems are designed in layers. A security mechanism at one layer can be subverted by an attack at a lower level/ Implementing security mechanisms at lower levels can lead to less performance overhead.
Security Kernel Orange Book Definitions: REFERENCE MONITOR: Access control concepts that refers to an abstract machine that mediates all accesses to objects by subjects. SECURITY KERNEL: Hardware, firmware, software elements of a trusted computing base that implements the reference monitor concept. TRUSTED COMPUTING BASE: The totality of protection mechanisms within a computer system.
Security Kernel Users must not be able to modify the operating system. Users should be able to invoke the OS Users should not be able to invoke the OS Tools: status information controlled invocation = restricted privilege
Security Kernel OS needs to distinguish between operations on behalf of the OS and on behalf of a user. Motorola 68000: One status bit allows to distinguish between user mode and kernel mode. Intel 80386: Two status bits giving 4 modes. Example: How to allow processes to switch between root and user level? SUID, …
Security Kernel Motorola 68000: Has a 16b status register including T – trace bit S – supervisor bit Interrupt level in 3 bits. Operating systems are implemented with TRAP calls Processor uses memory mapped I/O Address decoder receives input from status bits. Based on status, processes can access: user data user program supervisor data supervisor program interrupt acknowledge
Security Kernel Intel 80386 Supports 4 privilege levels Stores information about system objects in descriptors. Stored in descriptor table. Accessed via selectors. Privilege level of object stored in descriptor. Selectors contain a Requested Privilege Level (RPL) field
Security Kernel Intel 80386 Assume application level program needs service from an OS service. Done by gates System object that points to a procedure. To be used, gate needs to have same level as invoking procedure. When invoking a subroutine through a gate, current privilege level changes to that of the procedure pointed to by gate. Part of the stack is copied to a more privileged stack segment.
Security Kernel 80836 Security policy needs to take both current privilege level and privilege level of triggering application into account. Done by the RPL field and the adjusted requested privilege level instruction.